
Linux Transparent Proxy Patch for Tinyproxy

A few lines to patch tinyproxy to get transparent proxying working.

Patch — files/tinyproxy-1.9.0-p1.txt

Essentially the same patch, with additional support for FreeBSD 10.3 / PF.

Patch — files/tinyproxy-1.9.0-p2.txt

Tinyproxy is just one half of the transparent proxy arrangement.

The TCP packets destined for the remote web server have to be redirected by netfilter on the Linux router that tinyproxy is running on; tinyproxy then has to recover the destination the client originally asked for, which after the redirect is no longer what getsockname() reports.

NetBSD and OpenBSD appear to support the same pf functionality, so this patch could probably be applied to those systems as well.

FreeBSD also has an alternative firewall, ipfw, which I think does not need a patch: its fwd action hands matching packets to a local port without rewriting the destination address, so getsockname() already returns the original destination.

On further reading, I think recent OpenBSD and FreeBSD pf implementations use a divert-to rule instead of rdr; as a consequence getsockname() returns the correct destination without needing superuser permission to open /dev/pf and without any patch to tinyproxy.

Note: while I could add a divert-to rule to /etc/pf.conf on FreeBSD 10.3-RELEASE-p18, I couldn't get it to return the correct destination with getsockname(). Presumably this works in FreeBSD 11.x.

Example redirect rules for Linux (iptables)

Assume tinyproxy is listening on port 8888 and is servicing requests to web servers on port 80 from an internal network 192.168.1.0/24.

# Send the first packet of every outbound TCP/80 connection from the LAN
# to tinyproxy instead; conntrack then handles the rest of the connection
# and remembers the original destination (readable with SO_ORIGINAL_DST).
iptables -t nat -A PREROUTING -p tcp \
	-s 192.168.1.0/24 \! -d 192.168.1.0/24 --dport 80 \
	-j REDIRECT --to-port 8888

REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, so tinyproxy must listen on the router's LAN address (or on all addresses), not only on 127.0.0.1. The source address matched by a PREROUTING rule is whatever the packet claims it is; on a router with more than one interface, match the LAN interface with -i as well, so that packets arriving elsewhere with a forged 192.168.1.x source are not redirected into the proxy.

Example rdr rules for pf on FreeBSD

# @(#) /etc/pf.conf

# Redirect outbound TCP/80 from the LAN (arriving on em1) to tinyproxy on
# the loopback address; "pass" also lets the redirected packets through.
rdr pass on em1 proto tcp from 192.168.1.0/24 to !192.168.1.0/24 port = 80 -> 127.0.0.1 port 8888

# Filter rules follow

With rdr the kernel has already rewritten the destination by the time tinyproxy accepts the connection, so the patched tinyproxy has to ask pf for the pre-translation address (the DIOCNATLOOK ioctl on /dev/pf). That is why it needs to open /dev/pf, which by default only root can do; rather than running the whole proxy as root, a devfs rule can grant the proxy's group read/write access to /dev/pf.

Notes

You might wonder why one wouldn't just SNAT these connections?

If your clients do not support proxies, and between you and the world there is a mandatory non-transparent (corporate) web proxy, then you need to interpose a transparent proxy such as tinyproxy to intercept the clients' requests and rewrite them as proxy requests, which are then passed on to the corporate proxy.
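The following C is an added example, not tinyproxy's code and not the patch linked above. It shows both halves of the job described on this page: recovering the pre-redirect destination on Linux, where getsockname() on an accepted socket only reports the router's own address after REDIRECT and the original destination has to be read back from conntrack with SO_ORIGINAL_DST, and rewriting the client's origin-form request into the absolute-URI form a non-transparent upstream proxy expects. The name www.example.com, the address 203.0.113.10, the resolver table and the sample requests are constructed for illustration; a real proxy would resolve names with getaddrinfo().

```c
/* Added example, not code from tinyproxy or from the patch on this page: what a
 * transparent proxy on a Linux router must do once netfilter has REDIRECTed a
 * client's TCP connection to it.  Resolver table and requests are constructed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
#endif

/* 1. After REDIRECT, getsockname() on the accepted socket reports the router's
 * own address; the pre-NAT destination is kept by conntrack and is read back
 * with SO_ORIGINAL_DST (Linux only).  0 on success, -1 with errno otherwise. */
int original_dst(int fd, struct sockaddr_in *dst)
{
    socklen_t len = sizeof *dst;
    memset(dst, 0, sizeof *dst);
    return getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, &len);
}

/* Build an intercepted destination by hand (what original_dst() returns). */
struct sockaddr_in make_dst(const char *ip, unsigned port)
{
    struct sockaddr_in d = { .sin_family = AF_INET, .sin_port = htons((uint16_t)port) };
    inet_pton(AF_INET, ip, &d.sin_addr);
    return d;
}

/* Resolver hook (a real proxy passes a getaddrinfo() wrapper) and a constructed
 * table so the example runs offline. */
typedef int (*resolve_fn)(const char *name, struct in_addr *out);
int example_resolve(const char *name, struct in_addr *out)
{
    return strcmp(name, "www.example.com") == 0
        && inet_pton(AF_INET, "203.0.113.10", out) == 1;
}

/* Copy the Host header value (without CRLF) into host; 0 if absent/oversized. */
static int host_header(const char *req, char *host, size_t hostlen)
{
    for (const char *p = req; (p = strstr(p, "\r\n")) != NULL; ) {
        p += 2;
        if (strncasecmp(p, "Host:", 5) != 0) continue;
        for (p += 5; *p == ' ' || *p == '\t'; p++)
            ;
        size_t n = strcspn(p, "\r\n");
        if (n == 0 || n >= hostlen) return 0;
        memcpy(host, p, n);
        host[n] = '\0';
        return 1;
    }
    return 0;
}

/* 2. Host is client-controlled: building the upstream URL from it alone lets any
 * LAN client reach whatever the corporate proxy can reach, regardless of the
 * address it connected to.  Name and explicit port must agree with dst. */
static int host_matches_dst(const char *host, const struct sockaddr_in *dst,
                            resolve_fn resolve)
{
    char name[256];
    struct in_addr a;
    size_t n = strcspn(host, ":");
    if (n == 0 || n >= sizeof name) return 0;
    memcpy(name, host, n);
    name[n] = '\0';
    if (host[n] == ':' && atoi(host + n + 1) != ntohs(dst->sin_port)) return 0;
    if (inet_pton(AF_INET, name, &a) != 1 && !resolve(name, &a)) return 0;
    return a.s_addr == dst->sin_addr.s_addr;
}

/* Rewrite an origin-form request ("GET /path HTTP/1.x") into the absolute form
 * a non-transparent upstream proxy expects.  Returns the output length, or -1
 * for a malformed request or a Host header that disagrees with dst.  Without a
 * Host header (HTTP/1.0 clients) the intercepted IP:port is used. */
int to_proxy_request(const char *req, const struct sockaddr_in *dst,
                     resolve_fn resolve, char *out, size_t outlen)
{
    char method[16], path[2048], version[16], host[256], ip[INET_ADDRSTRLEN];
    const char *rest = strstr(req, "\r\n");
    if (!rest || sscanf(req, "%15s %2047s %15s", method, path, version) != 3
        || path[0] != '/')
        return -1;               /* absolute-form, "*" or garbage: refuse */
    if (host_header(req, host, sizeof host)) {
        if (!host_matches_dst(host, dst, resolve)) return -1;
    } else {
        inet_ntop(AF_INET, &dst->sin_addr, ip, sizeof ip);
        snprintf(host, sizeof host, "%s:%u", ip, (unsigned)ntohs(dst->sin_port));
    }
    int n = snprintf(out, outlen, "%s http://%s%s %s%s", method, host, path, version, rest);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

The point of host_matches_dst() is that in transparent mode the Host header is chosen by the client. If the proxy built the upstream URL from it alone, any LAN client could ask the corporate proxy for any site simply by connecting to one permitted address and sending a different Host, so the name is accepted only when it resolves to the address the client actually connected to (and any explicit port matches). Clients that send no Host header (HTTP/1.0) get the intercepted IP:port, which is all the proxy knows about them; the intercepted address is the one value the client could not have forged.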

This was a common situation a decade ago.

Also see tproxy, which was hacked from transproxy for just this situation.

Example logs from the unpatched (tinyproxy-transparent-stock.txt) and patched (tinyproxy-transparent-patched.txt) tinyproxy.

LICENSE
Creative Commons CC0 http://creativecommons.org/publicdomain/zero/1.0/legalcode

AUTHOR
James Sainsbury