Simple Proxy Setup with Appetize: A Step-by-Step Guide
Enhancing your application’s security doesn’t have to be complex. With Appetize and a few simple configurations, you’ll quickly control network access, block unauthorized connections, and keep your data protected.
In this blog post, we’ll guide you through the process of filtering network connections using Appetize and a proxy server. We’ll explore how to set up a proxy that not only controls network access but also safeguards your application from potential threats.
By the end of this post, you’ll have a clear understanding of how to create and implement a proxy server to ensure that only the connections you trust are allowed through Appetize.
Key Concepts
Before diving into the details, let’s go over a few key concepts and terms that will help throughout this post.
Proxy Server
A proxy server is a system that acts as a gateway between users and the internet, handling internet requests on behalf of the user. When someone requests a web page, for example, the proxy intercepts that request, connects to the destination server, retrieves the data, and then forwards it to the user. Proxy servers are commonly used to enhance security, manage network access, and improve browsing speed by caching frequently requested content.
Access Control List (ACL)
An access control list (ACL) is a set of rules that controls network access. In the context of proxy servers, ACLs determine whether a request should be allowed or blocked.
Allowlist
A type of ACL configuration that blocks network access by default, except to destinations that are explicitly permitted. This approach ensures that only trusted connections can reach your network.
Create a proxy server
There are several tools available to create a proxy server. In this blog post, we’ll show you how to use Squid Proxy to set up an allowlist.
Setting up Squid Proxy
Squid Proxy is an open source HTTP proxy server. It’s often used for content filtering, improving network performance by caching frequently accessed content, and restricting access based on ACLs.
Linux
To install Squid on a Linux machine, run the following command:
sudo apt install squid
macOS
To install Squid on a macOS machine we’ll use Homebrew. Run:
brew install squid
Windows
To install Squid on a Windows machine visit https://squid.diladele.com/, download Squid Proxy MSI, and follow the installation instructions.
Filter network requests
With Squid Proxy now set up, let’s configure it to grant access only to google.com and appetize.io.
Create the Squid configuration file
Squid configuration files define the rules the proxy server follows. Although Squid comes with a default configuration file, we’ll create a custom configuration file that sets up an allowlist. Here’s how to build it, step by step.
Step 1: Create the File
Create a new file called allowlist.conf. In here we will store the configuration for the allowlist that grants access to google.com and appetize.io.
Step 2: Define the Allowlist
In allowlist.conf, create an ACL named allowlist with the acl directive. Here, the dstdomain type specifies that this ACL applies to the destination domains google.com and appetize.io. The leading dot in each entry makes it match the domain itself and all of its subdomains.
acl allowlist dstdomain .google.com
acl allowlist dstdomain .appetize.io
Step 3: Allow Connections to the ‘allowlist’ ACL
Use the http_access directive to define a rule that allows connections matching the allowlist ACL. All requests matching the domains declared in the ACL (google.com and appetize.io) will pass through Squid Proxy.
http_access allow allowlist
Step 4: Block All Access by Default
Next, add a rule with the http_access directive that blocks all connections to any destination not declared previously in the allowlist ACL.
http_access deny all
Step 5: Specify the Port Number Where The Proxy Will Listen
Finally, specify the port number that Squid will listen on for incoming requests. Here, we’ll set it to 3126 using the http_port directive.
http_port 3126
Configuration File Result
After completing these steps, your allowlist.conf configuration file should look like this:
#
# ALLOWLIST CONFIGURATION FILE EXAMPLE
#
# 1) Define the allowed domains (create the allowlist)
acl allowlist dstdomain .google.com
acl allowlist dstdomain .appetize.io
# 2) Allow connections to the 'allowlist' acl
http_access allow allowlist
# 3) Block all access by default
http_access deny all
# 4) Port number where Squid proxy will listen
http_port 3126
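To see how Squid reads this file, the following added example (not part of the original post and not Squid’s own code) models the two directives used above: dstdomain matching and first-match http_access evaluation. It parses the allowlist.conf shown on this page and decides allow or deny for a few constructed hostnames, including look-alikes such as notgoogle.com. The function names (parse, domain_matches, acl_matches, decide) are hypothetical, and the model ignores every other Squid directive and ACL type.

```python
# Simplified model of Squid's evaluation of allowlist.conf (added example).
# Covers only "acl <name> dstdomain ..." and "http_access allow|deny ...".
ALLOWLIST_CONF = """\
acl allowlist dstdomain .google.com
acl allowlist dstdomain .appetize.io
http_access allow allowlist
http_access deny all
http_port 3126
"""

def parse(conf):
    """Return (acls, rules): ACL name -> domain patterns, and ordered rules."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments
        if len(tokens) >= 4 and tokens[0] == "acl" and tokens[2] == "dstdomain":
            acls.setdefault(tokens[1], []).extend(p.lower() for p in tokens[3:])
        elif len(tokens) >= 3 and tokens[0] == "http_access":
            rules.append((tokens[1], tokens[2:]))
    return acls, rules

def domain_matches(host, pattern):
    """'.example.com' matches the domain and subdomains; 'example.com' only itself."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        # The dot forces a label boundary, so "notgoogle.com" does not match.
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def acl_matches(name, host, acls):
    if name.startswith("!"):  # negated ACL
        return not acl_matches(name[1:], host, acls)
    if name == "all":  # built-in ACL that matches every request
        return True
    return any(domain_matches(host, p) for p in acls.get(name, []))

def decide(host, conf=ALLOWLIST_CONF):
    """The first http_access rule whose ACLs all match decides the request."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(n, host, acls) for n in names):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    if rules:
        return "deny" if rules[-1][0] == "allow" else "allow"
    return "deny"  # no http_access lines at all

if __name__ == "__main__":
    # Constructed sample hostnames.
    for h in ["appetize.io", "api.appetize.io", "www.google.com",
              "youtube.com", "notgoogle.com", "google.com.example.net"]:
        print(f"{h:26} {decide(h)}")
```
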
Test the Proxy Server Locally
To run the proxy server with the configuration we just created, copy and paste the following command in your terminal:
squid -f allowlist.conf -N
The -f option specifies the configuration file for Squid, and the -N argument runs the master process in the foreground.
Now that our proxy server is running, we can test it.
1. Verify Connection to Appetize.io
To confirm that our proxy allows access to appetize.io, we’ll use curl, a command line tool for making HTTP requests. Here, we’ll add the -x option, which tells curl to route the request through the proxy server. Run the following command in your terminal to verify the connection through the proxy:
curl -x http://127.0.0.1:3126 https://appetize.io
If everything works as expected, the output of this command should be the HTML for appetize.io.
2. Verify Blocked Access to Other Websites
Next, test that network requests to any website other than google.com or appetize.io are blocked. Use the following command in the terminal to verify that access to youtube.com is blocked through the proxy server:
curl -x http://127.0.0.1:3126 https://youtube.com
The output should display a message similar to curl: (56) CONNECT tunnel failed, response 403, confirming that the access was blocked by the proxy server.
Using Our Proxy with Appetize
Appetize provides a proxy feature that allows users running their applications to seamlessly integrate with the proxy server we just created and manage network requests performed by the device.
Expose the proxy server
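The proxy server will need an accessible URL for Appetize to reroute network requests through it. The tool we’ll use to do this in this blog post is ngrok. Note that allowlist.conf does not restrict which clients may connect, so anyone who knows the exposed address can use the proxy to reach the allowlisted domains.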
Open a new terminal tab and run the following command to create a TCP redirector with ngrok that points to the proxy server running on port 3126:
ngrok tcp 3126
If successful, the output should include an exposed URL that forwards requests to port 3126.
Forwarding tcp://4.tcp.ngrok.io:18129 -> localhost:3126 # When using the url replace "tcp" with "http"
Test the proxy server in Appetize
For testing purposes, we’ll use the Appetize demo application. However, these steps will work for any other application uploaded to Appetize.
In your browser, paste the following URL and replace the <proxy url> placeholder with the ngrok URL.
https://appetize.io/demo?proxy=<proxy url>
For example, using the ngrok URL created earlier:
https://appetize.io/demo?proxy=http://4.tcp.ngrok.io:18129
Note: In this URL, replace tcp:// with http://. For example, the exposed URL tcp://4.tcp.ngrok.io:18129 should be changed to http://4.tcp.ngrok.io:18129 for compatibility with Appetize.
Start the Appetize session, and you’ll notice that the Wikipedia application can’t load any content because it’s not allowed in our ACL. Then, navigate to the device browser and enter google.com. This request will go through, as the domain and its subdomains are allowed by our proxy server.
Ready to test it with your own application? We’re here to help!
If you’re already a user, head over to appetize.io/login. If you’re new, visit appetize.io/signup to create an account and upload your first application.