A Tinyproxy Transparent Installation on Ubuntu 12.04 with HTTPS Support
Update: It appears as of June 2013 that the Ubuntu repositories now have Tinyproxy compiled with transparent support. So unless you want to build from source for some other reason, you may be better off following my tutorial on installing Tinyproxy on Ubuntu (just remember to change the default port numbers as appropriate).
If you want an easier way to get Tinyproxy working and don’t want to use transparent support, try this post to install Tinyproxy on Ubuntu.
The repositories for Ubuntu don’t have Transparent Support enabled for Tinyproxy. Some firewalls and corporate installations need to use transparent proxies if they are internally redirecting. This post will guide you through building Tinyproxy from source on Ubuntu 12.04 as a complete installation and working system.
I couldn’t find any decent guides out there on how to make this work, so I thought I’d put one together. Hopefully my research will come in useful for someone else… Warning: this is a little more in-depth than my usual tutorials, but I promise it will be worth it in the end.
SSH onto your Ubuntu box as normal, and let’s install our compilers.
apt-get install build-essential
asciidoc is a requirement for Tinyproxy, but we don’t want to install its recommended updates (no thank you to 500Mb+ of other files…).
apt-get install asciidoc
We’ll build Tinyproxy in the recommended place on Ubuntu:
cd /usr/local/src
Download the tarball:
wget https://banu.com/pub/tinyproxy/1.8/tinyproxy-1.8.3.tar.bz2
Extract the aforementioned tarball:
tar xvjf tinyproxy-1.8.3.tar.bz2
Enter the directory we’ve just created:
cd tinyproxy-1.8.3
Let’s run the configure script with the all-important "--enable-transparent" switch in there (each switch starts with two plain minus signs):
./configure --localstatedir="/var" --sysconfdir="/etc" --enable-xtinyproxy --enable-filter --enable-upstream --enable-reverse --enable-transparent --program-prefix="" --enable-debug --program-suffix=""
Next, build the source:
make
Now let’s install the compiled Tinyproxy:
make install
So far so good. Now let’s create the initialisation file so that Tinyproxy will start when we reboot the machine:
nano /etc/init.d/tinyproxy
Now paste the whole of the following file into Nano. Please note that this text is taken directly from the Ubuntu repository:
#! /bin/sh
### BEGIN INIT INFO
# Provides: tinyproxy
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Tinyproxy HTTP proxy
# Description: Start, stop or reload tinyproxy.
### END INIT INFO
#
# Tinyproxy init.d script
# Ed Boraas 1999
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
CONFIG=/etc/tinyproxy.conf
DAEMON=/usr/sbin/tinyproxy
DESC=tinyproxy
FLAGS=
NAME=tinyproxy

if [ -r /etc/default/tinyproxy ]; then
    . /etc/default/tinyproxy
fi

test -f $DAEMON || exit 0
set -e
# assert pidfile directory and permissions
if [ "$1" != "stop" ]; then
    if [ -f "$CONFIG" ]; then
        USER=$(grep -i '^User[[:space:]]' "$CONFIG" | awk '{print $2}')
        GROUP=$(grep -i '^Group[[:space:]]' "$CONFIG" | awk '{print $2}')
        PIDFILE=$(grep -i '^PidFile[[:space:]]' "$CONFIG" | awk '{print $2}' |\
            sed -e 's/"//g')
        PIDDIR=`dirname "$PIDFILE"`
        if [ -n "$PIDDIR" -a "$PIDDIR" != "/var/run" ]; then
            if [ ! -d "$PIDDIR" ]; then
                mkdir "$PIDDIR"
            fi
            if [ "$USER" ]; then
                chown "$USER" "$PIDDIR"
            fi
            if [ "$GROUP" ]; then
                chgrp "$GROUP" "$PIDDIR"
            fi
        fi
    fi
fi
case "$1" in
    start)
        echo -n "Starting $DESC: "
        start-stop-daemon --start --quiet -o --exec $DAEMON -- $FLAGS
        echo "$NAME."
        ;;
    stop)
        echo -n "Stopping $DESC: "
        start-stop-daemon --stop --quiet -o --exec $DAEMON
        echo "$NAME."
        ;;
    reload|force-reload)
        echo "Reloading $DESC configuration files."
        start-stop-daemon --stop --signal 1 --quiet -o --exec $DAEMON
        ;;
    restart)
        echo -n "Restarting $DESC: "
        start-stop-daemon --stop --quiet -o --exec $DAEMON
        sleep 1
        start-stop-daemon --start --quiet -o --exec $DAEMON -- $FLAGS
        echo "$NAME."
        ;;
    *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
[ctrl]+o to save, then [ctrl]+x to exit.
Now let’s make the file executable:
chmod +x /etc/init.d/tinyproxy
Now we need to add the user account that we’ll be running Tinyproxy as:
useradd -r -m tinyproxy
Let’s give the user account a group; services get lonely if they’re not in a group:
usermod -G tinyproxy -a tinyproxy
Now we need to make the appropriate directories for Tinyproxy to run in:
mkdir /var/log/tinyproxy && mkdir /var/run/tinyproxy && touch /var/log/tinyproxy/tinyproxy.log
Let’s make sure our Tinyproxy user can use the directories we’ve just created:
chown tinyproxy:tinyproxy /var/log/tinyproxy/ /var/run/tinyproxy /usr/sbin/tinyproxy
Now let’s make it so Ubuntu will call Tinyproxy on startup:
update-rc.d tinyproxy defaults 02 02
Since we’re running transparently, we’ll need to forward the HTTPS port to the HTTP port on the server:
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 80
Let’s create a save file for the above rule:
sh -c "iptables-save > /etc/iptables.rules"
Now we need to make sure the rules are read on startup. We do this by editing the network interfaces file:
nano /etc/network/interfaces
Underneath the interface you want to use for Tinyproxy, paste the following onto its own line:
pre-up iptables-restore < /etc/iptables.rules
[ctrl]+o to save, and [ctrl]+x to exit.
Now we need to change the config file for Tinyproxy to reflect all the changes we have made:
nano /etc/tinyproxy.conf
I’ll only focus on the bits we need for this tutorial. Change the following section:
#
# User/Group: This allows you to set the user and group that will be
# used for tinyproxy after the initial binding to the port has been done
# as the root user. Either the user or group name or the UID or GID
# number may be used.
#
User nobody
Group nobody
To:
#
# User/Group: This allows you to set the user and group that will be
# used for tinyproxy after the initial binding to the port has been done
# as the root user. Either the user or group name or the UID or GID
# number may be used.
#
User tinyproxy
Group tinyproxy
Since we’ve gone to all this effort to build Tinyproxy with transparent support you’ll probably want to change this section:
#
# Port: Specify the port which tinyproxy will listen on. Please note
# that should you choose to run on a port lower than 1024 you will need
# to start tinyproxy using root.
#
Port 8888
To:
#
# Port: Specify the port which tinyproxy will listen on. Please note
# that should you choose to run on a port lower than 1024 you will need
# to start tinyproxy using root.
#
Port 80
Uncomment the PID line:
#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
# can be used for signalling purposes.
#
#PidFile "/var/run/tinyproxy/tinyproxy.pid"
So that it reads:
#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
# can be used for signalling purposes.
#
PidFile "/var/run/tinyproxy/tinyproxy.pid"
Change (or uncomment) the Allow rules as per your own network:
#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1
Allow 192.168.0.0/24
That’s it, [ctrl]+o to save, and [ctrl]+x to exit.
Right, now we have built Tinyproxy from source. If you’ve got this far without any problems then you deserve a big well done!
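A quick way to confirm the config edits above before starting the service, as an added example that is not part of the original post. The function names are hypothetical, and the sample config is constructed from the default values quoted above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# conf_value FILE KEY: first value of an active (uncommented) directive.
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_directive FILE KEY WANT: print a finding and return 1 on mismatch.
check_directive() {
    got=$(conf_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2 is '${got:-unset}', tutorial sets '$3'"
    return 1
}

# audit_tinyproxy_conf FILE: print findings; exit status = number of findings.
audit_tinyproxy_conf() {
    conf=$1; n=0
    check_directive "$conf" User tinyproxy || n=$((n + 1))
    check_directive "$conf" Group tinyproxy || n=$((n + 1))
    # Port must equal the --to-ports value of the REDIRECT rule.
    check_directive "$conf" Port 80 || n=$((n + 1))
    check_directive "$conf" PidFile /var/run/tinyproxy/tinyproxy.pid || n=$((n + 1))
    # Per the config comments: with no Allow line the default action is ALLOW.
    allows=$(awk 'tolower($1) == "allow" { print $2 }' "$conf")
    if [ -z "$allows" ]; then
        echo "FINDING: no Allow line, any client may use the proxy"; n=$((n + 1))
    fi
    for a in $allows; do
        case $a in
            */0) echo "FINDING: Allow $a matches every address"; n=$((n + 1)) ;;
        esac
    done
    return "$n"
}

# Constructed sample: the unedited values quoted in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
User nobody
Group nobody
Port 8888
#PidFile "/var/run/tinyproxy/tinyproxy.pid"
EOF
audit_tinyproxy_conf "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Run it as `audit_tinyproxy_conf /etc/tinyproxy.conf`; a zero exit status means every edit from this tutorial is in place and at least one Allow line restricts who can use the proxy.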
Now, you can either start the Tinyproxy service:
service tinyproxy start
Or reboot the server to make sure all our efforts have been a success:
shutdown -r now
You can test by putting the server address in your proxy settings as usual, or by pushing traffic through it.
Is there anything I’ve left out? Or anything wrong? Anything that could be done differently or better? Let me know in the comments.
4 Comments
You need full asciidoc in 12.04, otherwise build fails at generating man pages.
Thanks for the tip, I’ve tested and updated the main post 🙂 Thanks again.
[email protected]:/usr/local/src/tinyproxy-1.8.3$ sudo ./configure –enable-xtinyproxy –enable-filter –enable-upstream –enable-reverse –enable-transparent –program-prefix=”” –enable-debug -enable-socks –program-suffix=””
configure: WARNING: you should use –build, –host, –target
configure: WARNING: invalid host type: –enable-xtinyproxy
configure: WARNING: you should use –build, –host, –target
configure: WARNING: invalid host type: –enable-filter
configure: WARNING: you should use –build, –host, –target
configure: WARNING: invalid host type: –enable-upstream
configure: WARNING: you should use –build, –host, –target
configure: WARNING: invalid host type: –enable-reverse
configure: WARNING: you should use –build, –host, –target
configure: WARNING: invalid host type: –enable-transparent
configure: error: invalid variable name: `–program-prefix’
[email protected]:/usr/local/src/tinyproxy-1.8.3$ uname -a
Linux nas 3.2.0-39-generic #62-Ubuntu SMP Wed Feb 27 22:05:17 UTC 2013 i686 i686 i386 GNU/Linux
Hi Dimzon,
Try:
sudo ./configure –enable-xtinyproxy –enable-filter –enable-upstream –enable-reverse –enable-transparent –program-prefix=”” –enable-debug –enable-sock –program-suffix=””
Sorry I can’t test it from my end, nowhere near a Linux box at the moment.
Hmmm, it doesn’t appear that the -- is showing correctly (and probably won’t copy and paste), before each switch it’s supposed to be two minus signs together "- -" (without the space).
Gyp