Differences

This shows you the differences between two versions of the page.

doc:howto:proxy.tinyproxy [2014/10/03 08:30] – fix minor error lynus
docs:guide-user:services:proxy:tinyproxy [2023/10/14 08:22] (current) – update vgaetera
Line 1: Line 1:
 ====== Tinyproxy ====== ====== Tinyproxy ======
-[[wp>Tinyproxy]] is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems. Designed from the ground up to be fast and yet small, it is an ideal solution for use cases such as embedded deployments where a full featured HTTP proxy is required, but the system resources for a larger proxy are unavailable. +[[wp>Tinyproxy]] is a light-weight HTTP/HTTPS proxy daemon for POSIX operating systems. Designed from the ground up to be fast and yet small, it is an ideal solution for use cases such as embedded deployments where a full featured HTTP proxy is required, but the system resources for a larger proxy are unavailable. In a typical scenario it consumes 5-10M RAM and when installed to an OpenWRT enabled router
-  * https://banu.com/tinyproxy/+  * https://tinyproxy.github.io/
  
 +==== Installing ====
 +To install tinyproxy follow these steps:
  
-====Enable Transparent Proxy for Backfire 10.03==== +Install software packages:
-If a full featured HTTP proxy is required, the tinyproxy package is an ideal solution for you as a larger proxy might be unavailable in this environment.+
  
-  - install software packages:<code>+<code bash>
 opkg update opkg update
 opkg install tinyproxy luci-app-tinyproxy opkg install tinyproxy luci-app-tinyproxy
 </code> </code>
-  - configure ''tinyproxy'':<code>+ 
 +Configure Tinyproxy: 
 + 
 +<code bash>
 uci set tinyproxy.@tinyproxy[0].enabled=1 uci set tinyproxy.@tinyproxy[0].enabled=1
 uci commit uci commit
-/etc/init.d/tinyproxy enable +service tinyproxy enable 
-/etc/init.d/tinyproxy restart+service tinyproxy restart
 </code> </code>
-  configure transparent proxy redirection:<code>+ 
 +=== Detailed configuration === 
 +If you like to finetune the other options you can also use an editor like VI or nano to edit ''/etc/config/tinyproxy''. The following configuration example blocks per default, a whitelist-file ''/etc/config/tinyproxy_whitelist.txt'' can contain FQDN / Hostnames as regular expression: 
 + 
 +<code bash> 
 +config tinyproxy 
 + option User 'nobody' 
 + option Group 'nogroup' 
 + option Port '8888' 
 + option Timeout '600' 
 + option DefaultErrorFile '/usr/share/tinyproxy/default.html' 
 + option StatFile '/usr/share/tinyproxy/stats.html' 
 + option LogFile '/var/log/tinyproxy.log' 
 + option LogLevel 'Info' 
 + option MaxClients '100' 
 + option MinSpareServers '5' 
 + option MaxSpareServers '20' 
 + option StartServers '10' 
 + option MaxRequestsPerChild '0' 
 + option ViaProxyName 'tinyproxy' 
 + list ConnectPort '443' 
 + list ConnectPort '563' 
 + option enabled '1' 
 + list Allow '192.168.1.0/24' 
 + list Allow '127.0.0.1' 
 + option Filter '/etc/config/tinyproxy_whitelist.txt' 
 + option FilterDefaultDeny '1' 
 +</code> 
 + 
 +The whitelist file ''/etc/config/tinyproxy_whitelist.txt'' can whitelist OpenWRT website like this: 
 + 
 +<code bash> 
 +# filter exactly cnn.com 
 +# ^cnn\.com$ 
 +  
 +# filter all subdomains of cnn.com, but not cnn.com itself 
 +# .*\.cnn.com$ 
 +  
 +# filter any domain that has cnn.com in it, like xcnn.comfy.org 
 +# cnn\.com 
 +  
 +# filter any domain that ends in cnn.com 
 +# cnn\.com$ 
 +  
 +# filter any domain that starts with adserver 
 +# ^adserver 
 + 
 +^openwrt\.org$ 
 +.*\.openwrt\.org$ 
 + 
 +^127\.0\.0\.1$ 
 +^localhost$ 
 +</code> 
 + 
 +Please note that only the FQDN / hostname can be filtered for HTTPS and HTTP. 
 +URL filtering with tinyproxy only works for unencrypted HTTP traffic because HTTPS-traffic is opaque to the proxy. 
 +It controls if the ''CONNECT'' command to a HTTPS server is accepted or rejected. 
 +The content of the transmission between client and server remains opaque and encrypted. 
 + 
 +=== Configure firewall === 
 +Configure the firewall to filter/block client traffic aimed directly to the WAN. 
 +Clients must still be able to reach the proxy from the LAN side, but not the WAN. 
 +If this step is omitted clients can reconfigure their proxy settings to not use a proxy and bypass the proxy without any effort. 
 + 
 +=== Configure the clients === 
 +Configure the clients to use the proxy. 
 +Browsers like Firefox / Chromium / Brave need the IP or hostname of the device where ''tinyproxy'' is installed to and the port. 
 +The proxy is the same for HTTP and HTTPS traffic. 
 +Many commands line clients like ''opkg'', ''wget'' or ''curl'' make use of the environment variable ''https_proxy=http://IP:8888''
 + 
 +=== Transparent HTTP proxy === 
 +This steps is optional and nowadays, that most websites use encryption, it is not as useful as it was anymore. 
 +Prefer configuring the proxy at the client side, most browsers allow configuring the proxy manually for HTTP and HTTPS. 
 +For unencrypted HTTP connections the firewall can redirect traffic to the proxy. 
 +Client devices do not need to be configured to make use of the proxy server, but it only works for HTTP traffic. 
 +Encrypted HTTPS traffic cannot be handled this way. 
 + 
 +Configure transparent proxy redirection: 
 + 
 +<code bash>
 uci add firewall redirect uci add firewall redirect
 uci set firewall.@redirect[0].name='Transparent Proxy Redirect' uci set firewall.@redirect[0].name='Transparent Proxy Redirect'
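Review bot: The new "Configure firewall" section says that client traffic aimed directly at the WAN must be blocked, and that omitting this lets clients bypass the proxy, but unlike the "Installing" and "Transparent HTTP proxy" sections it gives no commands or rule to apply. Add a concrete example of the rule that rejects forwarded LAN-to-WAN web traffic, since without it the ''FilterDefaultDeny'' whitelist configured above is not enforced. Two smaller points in the same hunk: the sentence added to the introduction stops mid-clause at "when installed to an OpenWRT enabled router", and the commented whitelist example ''.*\.cnn.com$'' leaves its second dot unescaped while the live entry ''.*\.openwrt\.org$'' escapes both.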
Line 27: Line 110:
 uci set firewall.@redirect[0].dest_ip=192.168.1.1 uci set firewall.@redirect[0].dest_ip=192.168.1.1
 uci commit firewall uci commit firewall
-/etc/init.d/firewall restart+service firewall restart
 </code> </code>
  
-:!: Note that the **''firewall.@redirect[0].src_dip=!192.168.1.1''** option is important, if you missed this option you may not connect to LuCI. I can't find this option in the LuCI "Network => Firewall => Traffic Redirectionpage, so be careful if you're using LuCI.+:!: Note that the **''firewall.@redirect[0].src_dip=!192.168.1.1''** option is important, if you missed this option you may not connect to LuCI. I can't find this option in the **LuCI -> Network -> Firewall -> Traffic Redirection** page, so be careful if you're using LuCI.
  
 Note also that by default tinyproxy does not allow connections from other hosts so you will need to enable this. One way is to comment out the "Allow" line from the config. Note also that by default tinyproxy does not allow connections from other hosts so you will need to enable this. One way is to comment out the "Allow" line from the config.
  
-====Notes on Attitude Adjustment 12.09 and maybe IPv6====+==== Notes on Attitude Adjustment 12.09 and maybe IPv6 ====
 If you're using Attitude Adjustment 12.09 and maybe setup IPv6 on your OpenWrt box then this may be helpful. These notes only have a few hours of testing; second opinions, better advice welcomed: If you're using Attitude Adjustment 12.09 and maybe setup IPv6 on your OpenWrt box then this may be helpful. These notes only have a few hours of testing; second opinions, better advice welcomed:
-  * The "Traffic Redirection" page can be found at Network => Firewall => Port Forwards on 12.09+  * The "Traffic Redirection" page can be found at **Network -> Firewall -> Port Forwards** on 12.09
   * The **''firewall.@redirect[0].src_dip=!192.168.1.1''** LuCI option is called "External IP address" in 12.09 and you'll have to enter a --custom-- value to enter the leading !    * The **''firewall.@redirect[0].src_dip=!192.168.1.1''** LuCI option is called "External IP address" in 12.09 and you'll have to enter a --custom-- value to enter the leading ! 
-  * Add "[[http://en.wikipedia.org/wiki/IPv6_address#Transition_from_IPv4|::ffff:0:0/96]]" so the "Allowed Clients" conaints both "127.0.0.1" and "::ffff:0:0/96" . Find at Services => Tinyproxy => Configuration => Filtering and ACLs.+  * Add "[[http://en.wikipedia.org/wiki/IPv6_address#Transition_from_IPv4|::ffff:0:0/96]]" so the "Allowed Clients" conaints both "127.0.0.1" and "::ffff:0:0/96" . Find at **Services -> Tinyproxy -> Configuration -> Filtering and ACLs**.
  
 Some help with tinyproxy logging and log analysis here: http://www.farville.com/?p=314 Some help with tinyproxy logging and log analysis here: http://www.farville.com/?p=314
- 
- 
  
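Review bot: The unchanged paragraph "One way is to comment out the "Allow" line from the config" now contradicts the configuration this revision adds, which keeps ''list Allow '192.168.1.0/24''' and ''list Allow '127.0.0.1'''. When no Allow entry remains, tinyproxy's default action is to accept clients from any address that can reach the proxy port, so this advice widens access far beyond the LAN. Reword it to say that the LAN subnet should be added as an Allow entry, as the detailed configuration already does.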
  • Last modified: 2023/10/14 08:22
  • by vgaetera