Differences

This shows you the differences between two versions of the page.

doc:howto:proxy.tinyproxy [2014/10/03 08:30] – fix minor error lynus
docs:guide-user:services:proxy:tinyproxy [2022/01/10 21:17] – Updated it throughout torxgewinde
Line 1: Line 1:
 ====== Tinyproxy ====== ====== Tinyproxy ======
-[[wp>Tinyproxy]] is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems. Designed from the ground up to be fast and yet small, it is an ideal solution for use cases such as embedded deployments where a full featured HTTP proxy is required, but the system resources for a larger proxy are unavailable. +[[wp>Tinyproxy]] is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems. Designed from the ground up to be fast and yet small, it is an ideal solution for use cases such as embedded deployments where a full featured HTTP proxy is required, but the system resources for a larger proxy are unavailable. In a typical scenario it consumes 5-10M RAM and when installed to an OpenWRT enabled router
-  * https://banu.com/tinyproxy/+  * https://tinyproxy.github.io/
  
  
-====Enable Transparent Proxy for Backfire 10.03==== +==== Installing ==== 
-If a full featured HTTP proxy is required, the tinyproxy package is an ideal solution for you as a larger proxy might be unavailable in this environment.+To install tinyproxy follow these steps:
  
   - install software packages:<code>   - install software packages:<code>
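Review bot: the sentence appended to the introduction paragraph stops mid-clause at "and when installed to an OpenWRT enabled router", so the reader never learns what follows. Either finish the clause or end the sentence after the RAM figure. While there, "5-10M RAM" would be clearer as "5-10 MB of RAM", and the project name is written "OpenWrt".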
Line 17: Line 17:
 /etc/init.d/tinyproxy restart /etc/init.d/tinyproxy restart
 </code> </code>
 +
 +=== Detailed configuration ===
 +If you like to finetune the other options you can also use an editor like VI or nano to edit ''/etc/config/tinyproxy''. The following configuration example blocks per default, a whitelist-file ''/etc/config/tinyproxy_whitelist.txt'' can contain FQDN / Hostnames as regular expression:<code>
 +config tinyproxy
 + option User 'nobody'
 + option Group 'nogroup'
 + option Port '8888'
 + option Timeout '600'
 + option DefaultErrorFile '/usr/share/tinyproxy/default.html'
 + option StatFile '/usr/share/tinyproxy/stats.html'
 + option LogFile '/var/log/tinyproxy.log'
 + option LogLevel 'Info'
 + option MaxClients '100'
 + option MinSpareServers '5'
 + option MaxSpareServers '20'
 + option StartServers '10'
 + option MaxRequestsPerChild '0'
 + option ViaProxyName 'tinyproxy'
 + list ConnectPort '443'
 + list ConnectPort '563'
 + option enabled '1'
 + list Allow '192.168.1.0/24'
 + list Allow '127.0.0.1'
 + option Filter '/etc/config/tinyproxy_whitelist.txt'
 + option FilterDefaultDeny '1'
 +</code>
 +
 +The whitelist file ''/etc/config/tinyproxy_whitelist.txt'' can whitelist OpenWRT website like this:<code>
 +# filter exactly cnn.com
 +# ^cnn\.com$
 + 
 +# filter all subdomains of cnn.com, but not cnn.com itself
 +# .*\.cnn.com$
 + 
 +# filter any domain that has cnn.com in it, like xcnn.comfy.org
 +# cnn\.com
 + 
 +# filter any domain that ends in cnn.com
 +# cnn\.com$
 + 
 +# filter any domain that starts with adserver
 +# ^adserver
 +
 +^openwrt\.org$
 +.*\.openwrt\.org$
 +
 +^127\.0\.0\.1$
 +^localhost$
 +</code>
 +
 +Please note that only the FQDN / hostname can be filtered for HTTPS and HTTP. URL filtering with tinyproxy only works for unencrypted HTTP traffic because HTTPS-traffic is opaque to the proxy. It controls if the ''CONNECT'' command to a HTTPS server is accepted or rejected. The content of the transmission between client and server remains opaque and encrypted.
 +
 +=== Configure Firewall ===
 +Configure the firewall to filter/block client traffic aimed directly to the WAN. Clients must still be able to reach the proxy from the LAN side, but not the WAN. If this step is omitted clients can reconfigure their proxy settings to not use a proxy and bypass the proxy without any effort.
 +
 +=== Configure the clients ===
 +Configure the clients to use the proxy. Browsers like Firefox / Chromium / Brave need the IP or hostname of the device where ''tinyproxy'' is installed to and the port. The proxy is the same for HTTP and HTTPS traffic. Many commands line clients like ''opkg'', ''wget'' or ''curl'' make use of the environment variable ''https_proxy=http://IP:8888''.
 +
 +=== Transparent HTTP proxy ===
 +This steps is optional and nowadays that most websites use encryption it is as useful as it was anymore. Prefer configuring the proxy at the client side, most browsers allow configuring the proxy manually for HTTP and HTTPS.
 +For unencrypted HTTP connections the firewall can redirect traffic to the proxy. Client devices do not need to be configured to make use of the proxy server, but it only works for HTTP traffic. Encrypted HTTPS traffic cannot be handled this way.
   - configure transparent proxy redirection:<code>   - configure transparent proxy redirection:<code>
 uci add firewall redirect uci add firewall redirect
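Review bot: in the /etc/config/tinyproxy_whitelist.txt example, the commented patterns are all described as "filter ...", but the configuration above sets "option FilterDefaultDeny '1'", so a match on any of them allows the host instead of blocking it. That matters most for the unanchored "# cnn\.com" example, which by its own comment also matches "xcnn.comfy.org": used as an allowlist entry it would let unrelated hosts through. Suggest rewording the comments to say "allow", stating that allowlist entries should be anchored with ^ and $ as the active "^openwrt\.org$" line is, and escaping the second dot in "# .*\.cnn.com$" to match the style of ".*\.openwrt\.org$". Two smaller points in the same hunk: the "Configure Firewall" section says that omitting the step lets clients bypass the proxy but gives no rule to apply, so a concrete example would help; and the first sentence under "Transparent HTTP proxy" ("This steps is optional and nowadays that most websites use encryption it is as useful as it was anymore") is missing a negation and reads as the opposite of what the following sentence recommends.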
  • Last modified: 2023/10/14 08:22
  • by vgaetera