Proxy
Polipo
Note: as of 2016-11-06, polipo is no longer maintained![1]
A minimal Polipo configuration:
$ cat /etc/polipo/config
proxyAddress = "127.0.0.1"                # ::1 or ::0 for IPv6
proxyPort = 8123
allowedClients = 127.0.0.1, 10.2.0.0/16
allowedPorts = 80,443,1001-1010
tunnelAllowedPorts = 443,1443
# parentProxy = "squid.example.org:3128"
# socksParentProxy = "localhost:9050"
# socksProxyType = socks5
censoredHeaders = from, accept-language   # Might break some sites
censorReferer = maybe
diskCacheRoot = ""                        # Disable on-disk cache
# localDocumentRoot = ""                  # Disable local webserver
logFile = /var/log/polipo/polipo.log
logLevel = 4
scrubLogs = 1
Note: the on-disk cache is never purged and has to be cleaned up manually.
Privoxy
Source
Privoxy should be included in most distributions. To install from source, do:
cvs -d:pserver:anonymous@ijbswa.cvs.sourceforge.net:/cvsroot/ijbswa login
cvs -z3 -d:pserver:anonymous@ijbswa.cvs.sourceforge.net:/cvsroot/ijbswa co -P current
mv current privoxy-cvs && cd privoxy-cvs
autoheader && autoconf
./configure --prefix=/opt/privoxy
make
sudo make -i install
Configuration
Although the default configuration can be used almost without any further changes, we prefer to disable most of the filters and start with a fairly minimal configuration:
$ cat config
[...]
confdir /etc/privoxy
actionsfile match-all.action       # Actions applied to all sites,
                                   # maybe overruled later on.
# actionsfile default.action       # Main actions file
# actionsfile user.action          # User customizations
filterfile default.filter          # Default filter file
logdir /var/log/privoxy
logfile logfile
hostname dinosaur
listen-address localhost:8118
toggle 0                           # Ad blocking and content filtering are disabled
# enable-remote-toggle 0           # Web-based toggle feature may not be used
# enable-remote-http-toggle 0      # Do not recognize special HTTP headers
# enable-edit-actions 0            # The web-based actions file editor may not be used
# enforce-blocks 0                 # The user is allowed to ignore blocks
buffer-limit 4096
forwarded-connect-retries 0        # How often Privoxy retries if a forwarded connection request fails
# accept-intercepted-requests 0    # Intercepted requests should be treated as valid
# allow-cgi-request-crunching 0    # Whether requests to Privoxy's CGI pages can be blocked or redirected
# split-large-forms 0              # Whether the CGI interface should stay compatible with broken HTTP clients
keep-alive-timeout 5               # Keep the connection to Privoxy alive
# handle-as-empty-doc-returns-ok 1 # Workaround for #492459
$ cat match-all.action
{ \
+change-x-forwarded-for{block} \
+filter{refresh-tags} \
+filter{webbugs} \
+hide-from-header{block} \
+hide-referrer{forge} \
+hide-user-agent{Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/14.0} \
+session-cookies-only \
}
/ # Match all URLs
Socat
Socat cannot act[2] as a proxy; it can only talk to a proxy server. For example, with a SOCKS proxy opened via ssh:
ssh -NC -D 127.0.0.1:8080 bob@remote.domain.com
This opens a SOCKS4/SOCKS5 proxy on :8080 to which a browser can connect. Socat can talk to this proxy as well, but it cannot know the destination to connect to, so the destination has to be given explicitly. In this example we're using dest.example.com:
socat TCP-LISTEN:1234,fork SOCKS4:127.0.0.1:dest.example.com:80,socksport=8080
Now a browser can connect to :1234 (socat), which in turn connects to :8080 (ssh), which in turn sends the traffic to remote.domain.com to fetch content from dest.example.com.
Squid
A sample squid.conf:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl localnet src 10.10.0.0/24
acl SSL_ports port 443
acl Safe_ports port 21
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 10.10.0.10:3128
cache_dir ufs /var/spool/squid3 1024 16 256
minimum_object_size 0 KB
maximum_object_size 65536 KB
access_log /var/log/squid3/access.log squid
coredump_dir /var/spool/squid3
cache_mgr webmaster@example.org
visible_hostname proxy.example.org
err_page_stylesheet none
Tinyproxy
A simple Tinyproxy configuration:
$ grep ^[A-Z] /etc/tinyproxy/tinyproxy_vpn.conf
User tinyproxy
Group tinyproxy
Port 1234
Listen 127.0.0.1
Timeout 600
StatHost "tinyproxy_vpn.stats"
LogFile "/var/log/tinyproxy/tinyproxy_vpn.log"
Syslog Off
LogLevel Warning
PidFile "/var/run/tinyproxy/tinyproxy_vpn.pid"
Allow 127.0.0.0/8
ViaProxyName "tinyproxy"
DisableViaHeader Yes                      # See also RFC 7230[3]
ConnectPort 443
ConnectPort 563