A Tinyproxy Transparent Installation on Ubuntu 12.04 with HTTPS Support

Update: It appears as of June 2013 that the Ubuntu repositories now have compiled Tinyproxy with transparent support.  So unless you want to build from source for any other reason you may be better off following my tutorial on installing Tinyproxy on Ubuntu (just remember to change the default port numbers as appropriate).

If you want an easier way to get Tinyproxy working and don’t want to use transparent support try this post to install Tinyproxy on Ubuntu.

The repositories for Ubuntu don’t have Transparent Support enabled for Tinyproxy.  Some firewalls and corporate installations need to use transparent proxies if they are internally redirecting.  This post will guide you through building Tinyproxy from source on Ubuntu 12.04 as a complete installation and working system.

I couldn’t find any decent guides out there on how to make this work, so I thought I’d put one together.  Hopefully my research will come in useful for someone else…  Warning: this is a little more in-depth than my usual tutorials, but I promise it will be worth it in the end.

SSH into your Ubuntu box as normal, and let’s install our compilers.

apt-get install build-essential

asciidoc is a requirement for Tinyproxy, but we don’t want to install its recommended updates (no thank you to 500Mb+ of other files…).

apt-get install asciidoc

We’ll build Tinyproxy in the recommended place on Ubuntu:

cd /usr/local/src

Download the tarball:

wget https://banu.com/pub/tinyproxy/1.8/tinyproxy-1.8.3.tar.bz2

Extract the aforementioned tarball:

tar xvjf tinyproxy-1.8.3.tar.bz2

Enter the directory we’ve just created:

cd tinyproxy-1.8.3

Let’s run the configure script with the all-important "--enable-transparent" switch in there (each switch starts with two minus signs):

./configure --localstatedir="/var" --sysconfdir="/etc" --enable-xtinyproxy --enable-filter --enable-upstream --enable-reverse --enable-transparent --program-prefix="" --enable-debug --program-suffix=""

Next, build Tinyproxy:

make

Now let’s install it:

make install

So far so good, now let’s create the initialisation file so that Tinyproxy will start when we reboot the machine:

nano /etc/init.d/tinyproxy

Now paste the next whole file in Nano, please note that this text is taken directly from the Ubuntu repository:

#! /bin/sh
### BEGIN INIT INFO
# Provides: tinyproxy
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Tinyproxy HTTP proxy
# Description: Start, stop or reload tinyproxy.
### END INIT INFO
#
# Tinyproxy init.d script
# Ed Boraas 1999
#

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
CONFIG=/etc/tinyproxy.conf
DAEMON=/usr/sbin/tinyproxy
DESC=tinyproxy
FLAGS=
NAME=tinyproxy

if [ -r /etc/default/tinyproxy ]; then
    . /etc/default/tinyproxy
fi

test -f $DAEMON || exit 0

set -e

# assert pidfile directory and permissions
if [ "$1" != "stop" ]; then
    if [ -f "$CONFIG" ]; then
        USER=$(grep -i '^User[[:space:]]' "$CONFIG" | awk '{print $2}')
        GROUP=$(grep -i '^Group[[:space:]]' "$CONFIG" | awk '{print $2}')
        PIDFILE=$(grep -i '^PidFile[[:space:]]' "$CONFIG" | awk '{print $2}' |\
            sed -e 's/"//g')
        PIDDIR=`dirname "$PIDFILE"`
        if [ -n "$PIDDIR" -a "$PIDDIR" != "/var/run" ]; then
            if [ ! -d "$PIDDIR" ]; then
                mkdir "$PIDDIR"
            fi
            if [ "$USER" ]; then
                chown "$USER" "$PIDDIR"
            fi
            if [ "$GROUP" ]; then
                chgrp "$GROUP" "$PIDDIR"
            fi
        fi
    fi
fi

case "$1" in
    start)
        echo -n "Starting $DESC: "
        start-stop-daemon --start --quiet -o --exec $DAEMON -- $FLAGS
        echo "$NAME."
        ;;
    stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet -o --exec $DAEMON
        echo "$NAME."
        ;;
    reload|force-reload)
        echo "Reloading $DESC configuration files."
        start-stop-daemon --stop --signal 1 --quiet -o --exec $DAEMON
        ;;
    restart)
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet -o --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet -o --exec $DAEMON -- $FLAGS
        echo "$NAME."
        ;;
    *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0

[ctrl]+o to save, then [ctrl]+x to exit.

Now let’s make the file executable:

chmod +x /etc/init.d/tinyproxy

Now we need to add the user account that we’ll be running Tinyproxy as:

useradd -r -m tinyproxy

Let’s give the user account a group, services get lonely if they’re not in a group:

usermod -G tinyproxy -a tinyproxy

Now we need to make the appropriate directories for Tinyproxy to run in:

mkdir /var/log/tinyproxy && mkdir /var/run/tinyproxy && touch /var/log/tinyproxy/tinyproxy.log

Let’s make sure our Tinyproxy user can use the directories we’ve just created:

chown tinyproxy:tinyproxy /var/log/tinyproxy/ /var/run/tinyproxy /usr/sbin/tinyproxy

Now let’s make it so Ubuntu will call Tinyproxy on startup:

update-rc.d tinyproxy defaults 02 02

Since we’re running transparently, we’ll need to forward the HTTPS port to the HTTP port on the server:

iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 80

Let’s create a save file for the above rule:

sh -c "iptables-save > /etc/iptables.rules"

Now we need to make sure the rules are read on startup; we do this by editing the network interfaces file:

nano /etc/network/interfaces

Underneath the interface you want to use for Tinyproxy paste the following onto its own line:

pre-up iptables-restore < /etc/iptables.rules

[ctrl]+o to save, and [ctrl]+x to exit.

Now we need to change the config file for Tinyproxy to reflect all the changes we have made:

nano /etc/tinyproxy.conf

I’ll only focus on the bits we need for this tutorial.  Change the following section:

#
# User/Group: This allows you to set the user and group that will be
# used for tinyproxy after the initial binding to the port has been done
# as the root user. Either the user or group name or the UID or GID
# number may be used.
#
User nobody
Group nobody

To:

#
# User/Group: This allows you to set the user and group that will be
# used for tinyproxy after the initial binding to the port has been done
# as the root user. Either the user or group name or the UID or GID
# number may be used.
#
User tinyproxy
Group tinyproxy

Since we’ve gone to all this effort to build Tinyproxy with transparent support you’ll probably want to change this section:

#
# Port: Specify the port which tinyproxy will listen on. Please note
# that should you choose to run on a port lower than 1024 you will need
# to start tinyproxy using root.
#
Port 8888

To:

#
# Port: Specify the port which tinyproxy will listen on. Please note
# that should you choose to run on a port lower than 1024 you will need
# to start tinyproxy using root.
#
Port 80

Uncomment the PID line:

#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
# can be used for signalling purposes.
#
#PidFile "/var/run/tinyproxy/tinyproxy.pid"

To:

#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
# can be used for signalling purposes.
#
PidFile "/var/run/tinyproxy/tinyproxy.pid"

Change (or uncomment) the Allow rules as per your own network:

#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1
Allow 192.168.0.0/24

That’s it, [ctrl]+o to save, and [ctrl]+x to exit.
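As an added example (not part of the original post), this POSIX shell function audits the tinyproxy.conf directives edited above: User/Group, PidFile and the Allow rules, where a file with no access control keyword defaults to ALLOW. The function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the tinyproxy.conf
# directives this guide edits. The sample configs below are constructed.

# conf_value KEY FILE: value of the first uncommented KEY directive, quotes stripped.
conf_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# audit_tinyproxy_conf FILE: prints one finding per line; returns 1 if any were found.
audit_tinyproxy_conf() {
    conf=$1
    rc=0
    for key in User Group; do
        val=$(conf_value "$key" "$conf")
        case "$val" in
            ""|root|nobody|nogroup|0)
                echo "$key=${val:-unset}: use a dedicated unprivileged account"
                rc=1 ;;
        esac
    done
    if [ -z "$(conf_value PidFile "$conf")" ]; then
        echo "PidFile unset: no pid file available for signalling"
        rc=1
    fi
    # Per the config comments: with no access control keyword the default is ALLOW.
    if ! grep -Eiq '^[[:space:]]*(Allow|Deny)[[:space:]]' "$conf"; then
        echo "no Allow rule: any host that can reach the port may use the proxy"
        rc=1
    elif grep -Eiq '^[[:space:]]*Allow[[:space:]]+0\.0\.0\.0/0' "$conf"; then
        echo "Allow 0.0.0.0/0: proxy is open to every IPv4 client"
        rc=1
    fi
    return $rc
}

# Constructed samples: stock-style settings vs. the values used in this guide.
tmp=$(mktemp -d)
printf '%s\n' 'User nobody' 'Group nobody' 'Port 8888' \
    '#PidFile "/var/run/tinyproxy/tinyproxy.pid"' > "$tmp/stock.conf"
printf '%s\n' 'User tinyproxy' 'Group tinyproxy' 'Port 80' \
    'PidFile "/var/run/tinyproxy/tinyproxy.pid"' \
    'Allow 127.0.0.1' 'Allow 192.168.0.0/24' > "$tmp/guide.conf"

for f in stock guide; do
    echo "== $f.conf"
    audit_tinyproxy_conf "$tmp/$f.conf" || true
done
rm -rf "$tmp"
```

Run it against the real file with `audit_tinyproxy_conf /etc/tinyproxy.conf` before starting the service; a clean config prints nothing and returns 0.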

Right, now we have built Tinyproxy from source.  If you’ve got this far without any problems then you deserve a big well done!

Now, you can either start the Tinyproxy service:

service tinyproxy start

Or reboot the server to make sure all our efforts have been a success:

shutdown -r now

You can test by putting the server address in your proxy settings as usual, or by pushing traffic through it.

Is there anything I’ve left out?  Or anything wrong?  Anything that could be done differently or better?  Let me know in the comments.

Written by gyp - October 8, 2012 - 11585 Views
Tags | business, internet, linux, proxy, security, tinyproxy, ubuntu

4 Comments

  • a a June 21, 2013 at 12:00 pm

    You need full asciidoc in 12.04, otherwise build fails at generating man pages.
    • gyp June 21, 2013 at 9:58 pm

      Thanks for the tip, I’ve tested and updated the main post 🙂 Thanks again.
  • dimzon July 3, 2013 at 11:13 pm

    me@nas:/usr/local/src/tinyproxy-1.8.3$ sudo ./configure –enable-xtinyproxy –enable-filter –enable-upstream –enable-reverse –enable-transparent –program-prefix=”” –enable-debug -enable-socks –program-suffix=””
    configure: WARNING: you should use –build, –host, –target
    configure: WARNING: invalid host type: –enable-xtinyproxy
    configure: WARNING: you should use –build, –host, –target
    configure: WARNING: invalid host type: –enable-filter
    configure: WARNING: you should use –build, –host, –target
    configure: WARNING: invalid host type: –enable-upstream
    configure: WARNING: you should use –build, –host, –target
    configure: WARNING: invalid host type: –enable-reverse
    configure: WARNING: you should use –build, –host, –target
    configure: WARNING: invalid host type: –enable-transparent
    configure: error: invalid variable name: `–program-prefix’
    me@nas:/usr/local/src/tinyproxy-1.8.3$ uname -a
    Linux nas 3.2.0-39-generic #62-Ubuntu SMP Wed Feb 27 22:05:17 UTC 2013 i686 i686 i386 GNU/Linux
    • gyp July 4, 2013 at 6:07 pm

      Hi Dimzon,

      Try:

      sudo ./configure –enable-xtinyproxy –enable-filter –enable-upstream –enable-reverse –enable-transparent –program-prefix=”” –enable-debug –enable-sock –program-suffix=””

      Sorry I can’t test it from my end, nowhere near a Linux box at the moment.

      Hmmm, it doesn’t appear that the — is showing correctly (and probably won’t copy and paste), before each switch it’s supposed to be two minus signs together “- -” (without the space).

      Gyp