Proxy

From Segfault

Polipo

Note: as of 2016-11-06, polipo is no longer maintained![1]

A minimal Polipo configuration:

Note: the on-disk cache is never purged and has to be cleaned up manually.

Privoxy

Source

Privoxy should be included in most distributions. To install from source, do:

cvs     -d:pserver:anonymous@ijbswa.cvs.sourceforge.net:/cvsroot/ijbswa login
cvs -z3 -d:pserver:anonymous@ijbswa.cvs.sourceforge.net:/cvsroot/ijbswa co -P current
mv current privoxy-cvs && cd privoxy-cvs

autoheader && autoconf
./configure --prefix=/opt/privoxy
make
sudo make -i install

Configuration

Although the default configuration can be used almost without any further changes, we prefer to disable most of the filters and start with a somewhat minimal configuration:

$ cat config 
[...]
confdir                        /etc/privoxy
actionsfile                    match-all.action     # Actions applied to all sites,
                                                    # maybe overruled later on.
# actionsfile                  default.action       # Main actions file
# actionsfile                  user.action          # User customizations
filterfile                     default.filter       # Default filter file
logdir                         /var/log/privoxy
logfile                        logfile
hostname                       dinosaur
listen-address                 localhost:8118
toggle                         0       # Ad blocking and content filtering are disabled
# enable-remote-toggle         0       # Web-based toggle feature may not be used
# enable-remote-http-toggle    0       # Do not recognize special HTTP headers
# enable-edit-actions          0       # The web-based actions file editor may not be used
# enforce-blocks               0       # The user is allowed to ignore blocks
buffer-limit                   4096
forwarded-connect-retries      0       # How often Privoxy retries if a forwarded connection request fails
# accept-intercepted-requests  0       # Intercepted requests should be treated as valid
# allow-cgi-request-crunching  0       # Whether requests to Privoxy's CGI pages can be blocked or redirected
# split-large-forms            0       # Whether the CGI interface should stay compatible with broken HTTP clients
keep-alive-timeout             5       # Keep the connection to Privoxy alive
# handle-as-empty-doc-returns-ok 1   # Workaround for #492459
$ cat match-all.action
{ \
 +change-x-forwarded-for{block} \
 +filter{refresh-tags} \
 +filter{webbugs} \
 +hide-from-header{block} \
 +hide-referrer{forge} \
 +hide-user-agent{Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/14.0} \
 +session-cookies-only \
}
/ # Match all URLs

Socat

Socat cannot act[2] as a proxy itself; it can only talk to a proxy server. For example, a SOCKS proxy opened with ssh:

ssh -NC -D 127.0.0.1:8080 bob@remote.domain.com

This opens a SOCKS4/SOCKS5 proxy on :8080 that a browser can connect to. Socat can talk to this proxy as well, but it has no way to learn the destination from the client, so the destination is fixed on the command line. In this example we're using dest.example.com:

socat TCP-LISTEN:1234,fork SOCKS4:127.0.0.1:dest.example.com:80,socksport=8080

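Now a browser can connect to :1234 (socat), which in turn connects to :8080 (ssh), which forwards the traffic through remote.domain.com to fetch content from dest.example.com. Note that, without a bind address, socat's TCP-LISTEN accepts connections on all interfaces, not just localhost.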
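
The request socat sends to the SOCKS port in the chain above, shown as an added example (not part of the original page). A SOCKS4 request carries an IPv4 address, so dest.example.com is resolved on the client side before the request leaves, whereas SOCKS4a (socat's SOCKS4A address type) hands the name to the proxy. The address 192.0.2.10 is a constructed sample value.

```python
import ipaddress
import struct

CONNECT, GRANTED = 1, 90  # SOCKS4 command code and "request granted" reply code

def socks4_request(host, port, user=b"", resolved_ip=None):
    """Build a SOCKS4 CONNECT; without resolved_ip, build the SOCKS4a form."""
    if resolved_ip is not None:   # SOCKS4: the client already did the DNS lookup
        ip, tail = ipaddress.IPv4Address(resolved_ip).packed, b""
    else:                         # SOCKS4a: 0.0.0.x marker, host name follows
        ip, tail = b"\x00\x00\x00\x01", host.encode("ascii") + b"\x00"
    return struct.pack("!BBH", 4, CONNECT, port) + ip + user + b"\x00" + tail

def parse_request(data):
    """Decode a request the way the proxy side would see it."""
    if len(data) < 9:
        raise ValueError("short request")
    version, command, port = struct.unpack("!BBH", data[:4])
    if version != 4 or command != CONNECT:
        raise ValueError("not a SOCKS4 CONNECT")
    ip = data[4:8]
    user, sep, rest = data[8:].partition(b"\x00")
    if not sep:
        raise ValueError("unterminated user id")
    is_4a = ip[:3] == b"\x00\x00\x00" and ip[3] != 0
    if is_4a:
        name, sep, _ = rest.partition(b"\x00")
        if not sep or not name:
            raise ValueError("missing host name")
        target = name.decode("ascii")
    else:
        target = str(ipaddress.IPv4Address(ip))
    return {"target": target, "port": port, "user": user, "proxy_resolves": is_4a}

def parse_reply(data):
    """Return True if the 8-byte SOCKS4 reply grants the connection."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed reply")
    return data[1] == GRANTED

if __name__ == "__main__":
    # Constructed sample: the same destination in both request forms.
    for req in (socks4_request("dest.example.com", 80, resolved_ip="192.0.2.10"),
                socks4_request("dest.example.com", 80)):
        print(req.hex(" "), parse_request(req))
```

In the SOCKS4 form the proxy only ever sees an IP address, so the DNS query for the destination is visible on the client's own network rather than travelling through the ssh tunnel.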

Squid

A sample squid.conf:

acl manager proto    cache_object
acl localhost  src   127.0.0.1/32 ::1
acl localnet   src   10.10.0.0/24
acl SSL_ports  port  443
acl Safe_ports port  21
acl Safe_ports port  80
acl Safe_ports port  443
acl CONNECT method   CONNECT

http_access allow    manager localhost
http_access deny     manager
http_access deny     !Safe_ports
http_access deny     CONNECT !SSL_ports
http_access allow    localnet
http_access allow    localhost
http_access deny     all

http_port            10.10.0.10:3128

cache_dir ufs        /var/spool/squid3 1024 16 256
minimum_object_size  0 KB
maximum_object_size  65536 KB
access_log           /var/log/squid3/access.log squid
coredump_dir         /var/spool/squid3

cache_mgr            webmaster@example.org
visible_hostname     proxy.example.org
err_page_stylesheet  none

Tinyproxy

A simple Tinyproxy configuration:

$ grep ^[A-Z] /etc/tinyproxy/tinyproxy_vpn.conf 
User    tinyproxy
Group   tinyproxy

Port    1234
Listen  127.0.0.1
Timeout 600

StatHost   "tinyproxy_vpn.stats"
LogFile    "/var/log/tinyproxy/tinyproxy_vpn.log"
Syslog     Off
LogLevel   Warning
PidFile    "/var/run/tinyproxy/tinyproxy_vpn.pid"

Allow 127.0.0.0/8

ViaProxyName "tinyproxy"
DisableViaHeader Yes                       # See also RFC 7230[3]

ConnectPort 443
ConnectPort 563
