Create an SSL proxy at home with nph-proxy.cgi and IIS7

Ever want to set up a proxy at home that encrypts your web traffic when you’re at work/school/wherever? There are plenty of tutorials on how to do it with Apache, but not with IIS.

Here’s how you do it:

This will work with either Windows Server 2008 or Vista. I’ll be doing it on my 2008 server at home.

– First we have a couple of preliminary things to take care of. You’ll need to get yourself set up with a dynamic DNS record. I have an account with http://www.dyndns.com/ and my Netgear router at home has a DynDNS client already set up out of the box. If yours doesn’t, you will have to research the available Windows clients that do the same.

– Next, set up your router to forward port 443 to the machine that will run the proxy.

– Download the following:

CGIProxy 2.1beta18 http://www.jmarshall.com/tools/cgiproxy/

ActivePerl http://www.activestate.com/Products/ActivePerl/

Finally we can get started…

– Open Server Manager and go to Roles. Click Add Roles. Select Web Server (IIS), add the required features, and click Next.

– Select CGI, ISAPI Extensions, ISAPI Filters, and Windows Authentication.

Then you can let it install.

– Create a directory called ‘proxy’ under c:\inetpub. Right-click the proxy directory, choose Properties, and go to the Security tab. Edit the permissions, add the ‘IIS_IUSRS’ group, and give it Read & Execute permissions.

– Take the cgiproxy.2.1beta18.tar.gz file we downloaded earlier and use WinRAR to extract the contents into our new proxy directory.

– Install ActivePerl, which we downloaded earlier. I accepted all of the defaults except for creating the virtual directory for sample data.

– Click Start, type ‘inetmgr’ into the search box, and hit Enter. Click on your server in the tree menu on the left, then double-click Server Certificates.

Click ‘Create Self-Signed Certificate’ on the right. Enter ‘ProxyCertificate’ for the certificate’s friendly name.

– Right-click Sites in the tree menu on the left and select ‘add website’. Enter ‘Proxy’ for the site name and ‘c:\inetpub\proxy’ for the physical path. The binding type should be https, the IP address ‘All Unassigned’, and the port 443. Select the ProxyCertificate certificate we just created.

– Click on your new Proxy site in the tree menu on the left. Double-click Handler Mappings, then click ‘Add Script Map’ on the right. The request path should be ‘*.cgi’, the executable should be ‘c:\perl\bin\perlis.dll’, and you can name it CGI.

– Click on the Proxy site again, and then double-click Authentication. Enable Windows Authentication and disable Anonymous Authentication.

– Click on the Proxy site again, and then double-click Default Document. Add ‘nph-proxy.cgi’.

– That’s pretty much it. Open your browser to https://localhost now and you should get a certificate error. We want this. Because it’s not a publicly trusted certificate, your browser doesn’t trust it. Since it’s yours and you know the source, you can accept it.

Log in with your local user credentials and the page should be up.

Note: If you’re using an x64 version of Windows, you have to go to the advanced settings of your application pool and enable 32-bit applications.
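The certificate warning looks the same whether the browser is seeing your own self-signed certificate or a different one substituted by a device on the network you are connecting from, so "you know the source" only holds if you compare thumbprints. The script below is an added example, not part of the original tutorial or of CGIProxy: it fetches the certificate the server presents and compares it with the thumbprint you copied from the certificate's details on the home server. The function names and the command-line form are assumptions made for this example.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def normalize_thumbprint(text):
    """Reduce a pasted thumbprint ('A9 99 3E ...', 'a9:99:3e:...') to lowercase hex."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def cert_matches_pin(der_bytes, pinned):
    """True if the SHA-1 or SHA-256 digest of the DER certificate equals the pin."""
    pin = normalize_thumbprint(pinned)
    # Pick the hash by pin length: 40 hex digits is SHA-1, 64 is SHA-256.
    algo = {40: "sha1", 64: "sha256"}.get(len(pin))
    if algo is None:
        raise ValueError("thumbprint must be 40 (SHA-1) or 64 (SHA-256) hex digits")
    actual = hashlib.new(algo, der_bytes).hexdigest()
    return hmac.compare_digest(actual, pin)


def fetch_server_cert(host, port=443, timeout=10):
    """Return the DER certificate the server presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    # Chain validation is switched off only to read the self-signed certificate;
    # nothing is sent over this connection, and the pin comparison decides trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_pin.py <your-dyndns-hostname> <thumbprint>")
    host, pinned = sys.argv[1], sys.argv[2]
    if cert_matches_pin(fetch_server_cert(host), pinned):
        print("certificate matches the pinned thumbprint")
    else:
        print("MISMATCH: this is not the certificate created on the home server")
        sys.exit(1)
```

Run it from the remote location before accepting the browser warning; on a mismatch, do not accept the certificate or enter your Windows credentials.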