
TinyProxy, a lightweight HTTP/HTTPS proxy worth recommending

  As is well known, the Nginx and Apache servers we use every day make convenient forward or reverse proxies. Stock Nginx, however, cannot act as a forward proxy for HTTPS (Apache can, once mod_proxy_connect is loaded).

  The reason is that Nginx does not implement the HTTP/1.1 CONNECT method, which is how a client asks a proxy for a tunnel. A tunnel works like this: the client sends CONNECT host:443, the proxy opens a TCP connection to that host, answers 200 Connection established, and from then on copies bytes in both directions without interpreting them. The TLS handshake therefore runs end to end between the client and the origin site; the proxy never terminates TLS and never sees the plaintext, which is also why it can log only the host and port of a CONNECT request, not the URL.


  For more on CONNECT and tunnelling, see:

  • RFC 2817 (http://t.cn/EaoC0qf)

  • What is an HTTP tunnel, and how should one understand it? (http://t.cn/EaoCveH)
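  To make the CONNECT exchange described above concrete, here is an added example (not TinyProxy's code, and not from the original article): a toy CONNECT-tunnelling proxy and a client, both in one Python process on 127.0.0.1. A plain echo server stands in for the TLS origin, and the allowed_ports argument is a stand-in for TinyProxy's ConnectPort directive; every name in it is this example's own.

```python
import socket
import threading

# Added example, not TinyProxy's code: a toy CONNECT-tunnelling proxy and client.
# Everything runs on 127.0.0.1 in this process; an echo server stands in for the
# TLS origin, and allowed_ports plays the role of tinyproxy's ConnectPort.


def parse_connect_request(head):
    """Return (host, port) from a CONNECT request head, or None if it is not one."""
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return None
    return host, int(port)


def _read_head(sock):
    """Read up to the blank line that ends an HTTP head; return (head, bytes after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def _pump(src, dst):
    """One direction of the tunnel: copy bytes until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle_client(conn, allowed_ports):
    """Serve one proxy client: parse CONNECT, enforce the port list, then relay blindly."""
    head, early = _read_head(conn)
    target = parse_connect_request(head)
    # Without a port limit a CONNECT proxy is a generic TCP relay (SSH, SMTP,
    # RDP, ...), not just an HTTPS proxy; that is what ConnectPort restricts.
    if target is None or target[1] not in allowed_ports:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        conn.close()
        return
    upstream = socket.create_connection(target, timeout=5)
    upstream.settimeout(None)
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if early:  # bytes an impatient client sent before seeing the 200
        upstream.sendall(early)
    # From here on the proxy is a dumb byte pipe: the TLS handshake,
    # certificates and plaintext all pass through it untouched.
    back = threading.Thread(target=_pump, args=(upstream, conn), daemon=True)
    back.start()
    _pump(conn, upstream)
    back.join()
    conn.close()
    upstream.close()


def _listen_and_serve(handler):
    """Bind a kernel-chosen port on 127.0.0.1, serve it on a daemon thread, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)

    def loop():
        while True:
            conn, _ = listener.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]


def start_echo_server():
    """Stand-in origin: echoes whatever it receives. Returns its port."""
    def echo(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    return _listen_and_serve(echo)


def start_proxy(allowed_ports):
    """Start the toy CONNECT proxy; allowed_ports models ConnectPort. Returns its port."""
    return _listen_and_serve(lambda conn: _handle_client(conn, allowed_ports))


def connect_through_proxy(proxy_port, host, port, payload):
    """Client side: send CONNECT, then push payload through the tunnel and read the echo.

    Returns (proxy status line, bytes echoed back by the origin).
    """
    sock = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    head, _ = _read_head(sock)
    status = head.split(b"\r\n", 1)[0].decode("latin-1")
    if not status.startswith("HTTP/1.1 200"):
        sock.close()
        return status, b""
    # After the 200 the socket is a raw pipe to the origin; a real client would
    # send its TLS ClientHello here.
    sock.sendall(payload)
    echoed = b""
    while len(echoed) < len(payload):
        chunk = sock.recv(4096)
        if not chunk:
            break
        echoed += chunk
    sock.close()
    return status, echoed
```

  Calling start_echo_server(), then start_proxy({that port}), then connect_through_proxy(proxy_port, "127.0.0.1", echo_port, b"hello") returns the 200 status line together with the echoed bytes; a proxy started with {443} refuses the same CONNECT with a 403, which is exactly the difference between a tunnel limited by ConnectPort and one that will relay any TCP port it is asked for.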


  Today we introduce TinyProxy, a lightweight proxy that supports both HTTP and HTTPS. Its features include:

  • Anonymous mode: only an explicitly listed set of request headers is passed through.
  • HTTPS support: HTTPS connections are forwarded as CONNECT tunnels.
  • Remote monitoring: logs and access statistics can be viewed remotely.
  • Load monitoring: it can be configured to refuse new proxy requests once the load reaches a set level.
  • Access control: only specified IP addresses or ranges may use the proxy.
  • Security: no root privileges required.
  • Lightweight: needs very few system resources.
  • URL-based filtering.
  • Transparent proxying.
  • Proxy chaining through upstream proxies.


  Installing TinyProxy

  1. From packages

  TinyProxy is packaged for most distributions; here is how to install it on the common platforms.

  • CentOS/RHEL

  # Requires the EPEL repository
  $ yum install -y tinyproxy

  • Ubuntu/Debian

  $ sudo apt-get -y install tinyproxy

  For other platforms, see the official documentation for further installation options: https://tinyproxy.github.io/

  2. From source

  If your platform has no official package, you can build and install from source (./autogen.sh needs autoconf and automake, and make install normally needs root).

  $ git clone https://github.com/tinyproxy/tinyproxy.git
  $ cd tinyproxy
  $ ./autogen.sh
  $ ./configure
  $ make
  $ make install

  Configuring TinyProxy

  The default configuration file is /etc/tinyproxy/tinyproxy.conf. To use a configuration file elsewhere, pass its path with the -c option when starting TinyProxy.


  $ cat /etc/tinyproxy/tinyproxy.conf

  ##
  ## tinyproxy.conf -- tinyproxy daemon configuration file
  ##
  ## This example tinyproxy.conf file contains example settings
  ## with explanations in comments. For descriptions of all
  ## parameters, see the tinyproxy.conf(5) manual page.
  ##

  #
  # User/Group: This allows you to set the user and group that will be
  # used for tinyproxy after the initial binding to the port has been done
  # as the root user. Either the user or group name or the UID or GID
  # number may be used.
  #
  User nobody
  Group nobody

  #
  # Port: Specify the port which tinyproxy will listen on. Please note
  # that should you choose to run on a port lower than 1024 you will need
  # to start tinyproxy using root.
  #
  Port 8888

  #
  # Listen: If you have multiple interfaces this allows you to bind to
  # only one. If this is commented out, tinyproxy will bind to all
  # interfaces present.
  #
  #Listen 192.168.0.1

  #
  # Bind: This allows you to specify which interface will be used for
  # outgoing connections. This is useful for multi-home'd machines where
  # you want all traffic to appear outgoing from one particular interface.
  #
  #Bind 192.168.0.1

  #
  # BindSame: If enabled, tinyproxy will bind the outgoing connection to the
  # ip address of the incoming connection.
  #
  #BindSame yes

  #
  # Timeout: The maximum number of seconds of inactivity a connection is
  # allowed to have before it is closed by tinyproxy.
  #
  Timeout 600

  #
  # ErrorFile: Defines the HTML file to send when a given HTTP error
  # occurs. You will probably need to customize the location to your
  # particular install. The usual locations to check are:
  #   /usr/local/share/tinyproxy
  #   /usr/share/tinyproxy
  #   /etc/tinyproxy
  #
  #ErrorFile 404 "/usr/share/tinyproxy/404.html"
  #ErrorFile 400 "/usr/share/tinyproxy/400.html"
  #ErrorFile 503 "/usr/share/tinyproxy/503.html"
  #ErrorFile 403 "/usr/share/tinyproxy/403.html"
  #ErrorFile 408 "/usr/share/tinyproxy/408.html"

  #
  # DefaultErrorFile: The HTML file that gets sent if there is no
  # HTML file defined with an ErrorFile keyword for the HTTP error
  # that has occured.
  #
  DefaultErrorFile "/usr/share/tinyproxy/default.html"

  #
  # StatHost: This configures the host name or IP address that is treated
  # as the stat host: Whenever a request for this host is received,
  # Tinyproxy will return an internal statistics page instead of
  # forwarding the request to that host. The default value of StatHost is
  # tinyproxy.stats.
  #
  #StatHost "tinyproxy.stats"
  #

  #
  # StatFile: The HTML file that gets sent when a request is made
  # for the stathost. If this file doesn't exist a basic page is
  # hardcoded in tinyproxy.
  #
  StatFile "/usr/share/tinyproxy/stats.html"

  #
  # LogFile: Allows you to specify the location where information should
  # be logged to. If you would prefer to log to syslog, then disable this
  # and enable the Syslog directive. These directives are mutually
  # exclusive. If neither Syslog nor LogFile are specified, output goes
  # to stdout.
  #
  LogFile "/var/log/tinyproxy/tinyproxy.log"

  #
  # Syslog: Tell tinyproxy to use syslog instead of a logfile. This
  # option must not be enabled if the Logfile directive is being used.
  # These two directives are mutually exclusive.
  #
  #Syslog On

  #
  # LogLevel: Warning
  #
  # Set the logging level. Allowed settings are:
  #   Critical   (least verbose)
  #   Error
  #   Warning
  #   Notice
  #   Connect    (to log connections without Info's noise)
  #   Info       (most verbose)
  #
  # The LogLevel logs from the set level and above. For example, if the
  # LogLevel was set to Warning, then all log messages from Warning to
  # Critical would be output, but Notice and below would be suppressed.
  #
  LogLevel Info

  #
  # PidFile: Write the PID of the main tinyproxy thread to this file so it
  # can be used for signalling purposes.
  # If not specified, no pidfile will be written.
  #
  PidFile "/var/run/tinyproxy/tinyproxy.pid"

  #
  # XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
  # contains the client's IP address.
  #
  #XTinyproxy Yes

  #
  # Upstream:
  #
  # Turns on upstream proxy support.
  #
  # The upstream rules allow you to selectively route upstream connections
  # based on the host/domain of the site being accessed.
  #
  # Syntax: upstream type (user:pass@)ip:port ("domain")
  # Or:     upstream none "domain"
  # The parts in parens are optional.
  # Possible types are http, socks4, socks5, none
  #
  # For example:
  #  # connection to test domain goes through testproxy
  #  upstream http testproxy:8008 ".test.domain.invalid"
  #  upstream http testproxy:8008 ".our_testbed.example.com"
  #  upstream http testproxy:8008 "192.168.128.0/255.255.254.0"
  #
  #  # upstream proxy using basic authentication
  #  upstream http user:pass@testproxy:8008 ".test.domain.invalid"
  #
  #  # no upstream proxy for internal websites and unqualified hosts
  #  upstream none ".internal.example.com"
  #  upstream none "www.example.com"
  #  upstream none "10.0.0.0/8"
  #  upstream none "192.168.0.0/255.255.254.0"
  #  upstream none "."
  #
  #  # connection to these boxes go through their DMZ firewalls
  #  upstream http cust1_firewall:8008 "testbed_for_cust1"
  #  upstream http cust2_firewall:8008 "testbed_for_cust2"
  #
  #  # default upstream is internet firewall
  #  upstream http firewall.internal.example.com:80
  #
  # You may also use SOCKS4/SOCKS5 upstream proxies:
  #  upstream socks4 127.0.0.1:9050
  #  upstream socks5 socksproxy:1080
  #
  # The LAST matching rule wins the route decision. As you can see, you
  # can use a host, or a domain:
  #  name     matches host exactly
  #  .name    matches any host in domain "name"
  #  .        matches any host with no domain (in 'empty' domain)
  #  IP/bits  matches network/mask
  #  IP/mask  matches network/mask
  #
  #Upstream http some.remote.proxy:port

  #
  # MaxClients: This is the absolute highest number of threads which will
  # be created. In other words, only MaxClients number of clients can be
  # connected at the same time.
  #
  MaxClients 100

  #
  # MinSpareServers/MaxSpareServers: These settings set the upper and
  # lower limit for the number of spare servers which should be available.
  #
  # If the number of spare servers falls below MinSpareServers then new
  # server processes will be spawned. If the number of servers exceeds
  # MaxSpareServers then the extras will be killed off.
  #
  MinSpareServers 5
  MaxSpareServers 20

  #
  # StartServers: The number of servers to start initially.
  #
  StartServers 10

  #
  # MaxRequestsPerChild: The number of connections a thread will handle
  # before it is killed. In practise this should be set to 0, which
  # disables thread reaping. If you do notice problems with memory
  # leakage, then set this to something like 10000.
  #
  MaxRequestsPerChild 0

  #
  # Allow: Customization of authorization controls. If there are any
  # access control keywords then the default action is to DENY. Otherwise,
  # the default action is ALLOW.
  #
  # The order of the controls are important. All incoming connections are
  # tested against the controls based on order.
  #
  Allow 127.0.0.1

  #
  # BasicAuth: HTTP "Basic Authentication" for accessing the proxy.
  # If there are any entries specified, access is only granted for authenticated
  # users.
  #BasicAuth user password

  #
  # AddHeader: Adds the specified headers to outgoing HTTP requests that
  # Tinyproxy makes. Note that this option will not work for HTTPS
  # traffic, as Tinyproxy has no control over what headers are exchanged.
  #
  #AddHeader "X-My-Header" "Powered by Tinyproxy"

  #
  # ViaProxyName: The "Via" header is required by the HTTP RFC, but using
  # the real host name is a security concern. If the following directive
  # is enabled, the string supplied will be used as the host name in the
  # Via header; otherwise, the server's host name will be used.
  #
  ViaProxyName "tinyproxy"

  #
  # DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
  # the Via header to the requests. This virtually puts Tinyproxy into
  # stealth mode. Note that RFC 2616 requires proxies to set the Via
  # header, so by enabling this option, you break compliance.
  # Don't disable the Via header unless you know what you are doing...
  #
  #DisableViaHeader Yes

  #
  # Filter: This allows you to specify the location of the filter file.
  #
  #Filter "/etc/tinyproxy/filter"

  #
  # FilterURLs: Filter based on URLs rather than domains.
  #
  #FilterURLs On

  #
  # FilterExtended: Use POSIX Extended regular expressions rather than
  # basic.
  #
  #FilterExtended On

  #
  # FilterCaseSensitive: Use case sensitive regular expressions.
  #
  #FilterCaseSensitive On

  #
  # FilterDefaultDeny: Change the default policy of the filtering system.
  # If this directive is commented out, or is set to "No" then the default
  # policy is to allow everything which is not specifically denied by the
  # filter file.
  #
  # However, by setting this directive to "Yes" the default policy becomes
  # to deny everything which is _not_ specifically allowed by the filter
  # file.
  #
  #FilterDefaultDeny Yes

  #
  # Anonymous: If an Anonymous keyword is present, then anonymous proxying
  # is enabled. The headers listed are allowed through, while all others
  # are denied. If no Anonymous keyword is present, then all headers are
  # allowed through. You must include quotes around the headers.
  #
  # Most sites require cookies to be enabled for them to work correctly, so
  # you will need to allow Cookies through if you access those sites.
  #
  #Anonymous "Host"
  #Anonymous "Authorization"
  #Anonymous "Cookie"

  #
  # ConnectPort: This is a list of ports allowed by tinyproxy when the
  # CONNECT method is used. To disable the CONNECT method altogether, set
  # the value to 0. If no ConnectPort line is found, all ports are
  # allowed.
  #
  # The following two ports are used by SSL.
  #
  #ConnectPort 443
  #ConnectPort 563

  #
  # Configure one or more ReversePath directives to enable reverse proxy
  # support. With reverse proxying it's possible to make a number of
  # sites appear as if they were part of a single site.
  #
  # If you uncomment the following two directives and run tinyproxy
  # on your own computer at port 8888, you can access Google using
  # http://localhost:8888/google/ and Wired News using
  # http://localhost:8888/wired/news/. Neither will actually work
  # until you uncomment ReverseMagic as they use absolute linking.
  #
  #ReversePath "/google/" "http://www.google.com/"
  #ReversePath "/wired/"  "http://www.wired.com/"

  #
  # When using tinyproxy as a reverse proxy, it is STRONGLY recommended
  # that the normal proxy is turned off by uncommenting the next directive.
  #
  #ReverseOnly Yes

  #
  # Use a cookie to track reverse proxy mappings. If you need to reverse
  # proxy sites which have absolute links you must uncomment this.
  #
  #ReverseMagic Yes

  #
  # The URL that's used to access this reverse proxy. The URL is used to
  # rewrite HTTP redirects so that they won't escape the proxy. If you
  # have a chain of reverse proxies, you'll need to put the outermost
  # URL here (the address which the end user types into his/her browser).
  #
  # If not set then no rewriting occurs.
  #
  #ReverseBaseURL "http://localhost:8888/"

  Let's walk through the main configuration parameters:

  • User

  The user TinyProxy runs as once it has bound its listening port; defaults to nobody.

  User nobody

  • Group

  The group TinyProxy runs as; defaults to nobody.

  Group nobody

  • Listen

  The interface address TinyProxy binds its listening socket to. By default it binds to every available interface.

  #Listen 192.168.0.1

  To bind to a single interface, uncomment the line and give that interface's IP address. On a multi-homed host (one leg on the internal LAN, one facing the internet), binding to the internal address keeps the proxy off the public interface altogether.

  Listen 192.168.1.100

  • Port

  The port TinyProxy listens on; defaults to 8888. A port below 1024 requires starting the daemon as root (it drops to User/Group after binding).

  Port 8888

  • Allow

  The client IP addresses or networks permitted to use the proxy. The default allows only the local host.

  Allow 127.0.0.1

  As soon as any Allow line exists the default action becomes deny, so every permitted source must be listed. Commenting out every Allow line lets anyone who can reach the port use the proxy; if the port is reachable from the internet, that is an open proxy, and open proxies are scanned for and abused quickly. Keep at least one Allow line, or combine an unrestricted Allow with BasicAuth and a firewall rule that limits the source addresses.

  #Allow 127.0.0.1

  To permit several ranges, add one Allow line per range, in CIDR notation or as a single address:

  # Several address ranges
  Allow 10.10.6.0/24
  Allow 192.168.8.0/24
  Allow 172.16.1.13

  • BindSame

  On a multi-homed host, whether the outgoing connection is bound to the same local address the client connected to. Off by default.

  Example: the server has the address 1.2.3.4; when a client sends its request to the TinyProxy instance on 1.2.3.4, the connection to the destination site also leaves from 1.2.3.4.

  #BindSame yes

  • StartServers

  The number of child processes started initially; defaults to 10.

  StartServers 10

  • MaxClients

  The maximum number of concurrent client connections; defaults to 100. Connections beyond this limit are refused, which is the load limiting mentioned in the feature list.

  MaxClients 100

  • LogFile

  The log file location; defaults to /var/log/tinyproxy/tinyproxy.log.

  LogFile "/var/log/tinyproxy/tinyproxy.log"

  • Syslog

  Whether TinyProxy logs to syslog instead of a file; off by default.

  #Syslog On

  Note: LogFile and Syslog are mutually exclusive. If neither is enabled, TinyProxy writes its log to standard output.

  • PidFile

  The PID file location; defaults to /var/run/tinyproxy/tinyproxy.pid. TinyProxy creates the file itself, but the directory must already exist and be writable, otherwise startup fails.

  PidFile "/var/run/tinyproxy/tinyproxy.pid"

  • DisableViaHeader

  Whether to suppress the Via header that reveals the request passed through TinyProxy; off by default. When set to Yes, TinyProxy adds no Via header at all, effectively running in stealth mode. Note that the HTTP specification (RFC 2616, now RFC 7230) requires proxies to add Via, so enabling this breaks compliance; the gentler option is ViaProxyName, which keeps the header but replaces the server's real host name with a string of your choosing.

  #DisableViaHeader Yes

  • Filter

  The location of the filter file; defaults to /etc/tinyproxy/filter.

  Filter "/etc/tinyproxy/filter"

  • FilterURLs

  Whether to filter on the full URL or on the domain. Filtering is domain-based by default (the directive is commented out in the stock file); FilterURLs On switches to matching the whole URL. Domain filtering checks only the host part of the request, URL filtering checks the entire URL.

  FilterURLs On

  • FilterExtended

  Whether the rules in the filter file are POSIX basic or extended regular expressions; basic by default.

  #FilterExtended On

  • FilterCaseSensitive

  Whether the regular expressions are case-sensitive; case-insensitive by default.

  #FilterCaseSensitive On

  • FilterDefaultDeny

  The default filtering policy. When the directive is commented out or set to No (the default), the filter file is a blacklist: everything is allowed except what it matches. When set to Yes, the filter file becomes a whitelist: everything is denied except what it matches.

  FilterDefaultDeny Yes

  Filter rule examples:

  1. Add the domains to allow or deny to /etc/tinyproxy/filter, one per line.

  hi-linux.com

  Entries in the filter file are regular expressions, so they can be anchored:

  \.google\.com$
  ^hi-linux\.com$

  Keep in mind that the expression is matched against the host name (or the whole URL with FilterURLs On), so ^hi-linux\.com$ matches only hi-linux.com itself and not www.hi-linux.com, while the unanchored hi-linux.com matches both.

  2. To proxy only requests for hi-linux.com, configure:

  Filter "/etc/tinyproxy/filter"
  FilterURLs On
  FilterDefaultDeny Yes

  3. To proxy everything except hi-linux.com, configure:

  Filter "/etc/tinyproxy/filter"
  FilterURLs On
  FilterDefaultDeny No
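  The Allow list and the filter directives above are easiest to understand by running them against sample requests. The following is an added example (not TinyProxy's code and not from the original article) that models those access decisions in Python: the rule semantics follow the tinyproxy.conf comments, the regex dialect is Python's re (closest to FilterExtended On), the filter file is a constructed one containing the two rules used in the text, and the assumption that lines starting with '#' in the filter file are comments belongs to this model. The cfg dictionary keys and every function name are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not TinyProxy's code: a model of the access decisions made by
# the Allow list and the filter file, so each directive can be tried offline.

# Constructed filter file with the two rules used in the text.
FILTER_FILE = r"""
# lines starting with '#' are treated as comments in this model
hi-linux.com
\.google\.com$
"""


def client_allowed(allow_rules, client_ip):
    """Allow directive: no rules means everyone is allowed; any rule means default deny."""
    if not allow_rules:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(rule, strict=False) for rule in allow_rules)


def load_filter_rules(text, case_sensitive=False):
    """Compile the filter file; FilterCaseSensitive Off (the default) means re.IGNORECASE."""
    flags = 0 if case_sensitive else re.IGNORECASE
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(re.compile(line, flags))
    return rules


def filter_subject(method, target, filter_urls):
    """What the rules are matched against: the host, or the whole request target with FilterURLs On."""
    if method == "CONNECT":  # a CONNECT target is host:port, not a URL
        return target if filter_urls else target.rpartition(":")[0]
    return target if filter_urls else (urlsplit(target).hostname or "")


def filter_allows(rules, method, target, filter_urls=False, default_deny=False):
    """FilterDefaultDeny No: blacklist (allow unless matched). Yes: whitelist (deny unless matched)."""
    subject = filter_subject(method, target, filter_urls)
    matched = any(r.search(subject) for r in rules)  # unanchored search, like regexec()
    return matched if default_deny else not matched


def decide(cfg, client_ip, method, target):
    """Combine both checks; returns 'allow' or the reason the request is refused."""
    if not client_allowed(cfg.get("Allow", []), client_ip):
        return "deny: client not in Allow list"
    rules = load_filter_rules(cfg.get("FilterText", ""), cfg.get("FilterCaseSensitive", False))
    if not filter_allows(rules, method, target,
                         cfg.get("FilterURLs", False), cfg.get("FilterDefaultDeny", False)):
        return "deny: blocked by filter"
    return "allow"
```

  Two results are worth noting. With the rules above in blacklist mode, http://example.org/?ref=hi-linux.com is allowed under domain filtering but denied under FilterURLs On, because the whole URL is searched; and in whitelist mode the anchored rule ^hi-linux\.com$ admits http://hi-linux.com/ but not http://www.hi-linux.com/, so a whitelist built from anchored expressions has to list every host name that should pass.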

  Running TinyProxy

  • Starting TinyProxy is straightforward with the service script shipped by the package (on systemd distributions, systemctl start tinyproxy does the same).

  # Start TinyProxy
  $ service tinyproxy start

  # Stop TinyProxy
  $ service tinyproxy stop

  # Restart TinyProxy
  $ service tinyproxy restart

  • If the server runs a firewall, remember to open the TinyProxy port. Adding -s with the client network from your Allow lines to the rule below keeps the port closed to everyone else, which matters if the host has a public address.

  $ iptables -I INPUT -p tcp --dport 8888 -j ACCEPT

  • Test that the proxy works

  $ curl --proxy 192.168.1.100:8888 https://www.hi-linux.com/

  If the page's HTML comes back, the proxy is working. curl's -k option is not needed here: the proxy only tunnels the CONNECT session, so the TLS handshake runs end to end between curl and the origin and the origin's certificate is verified as usual. Adding -v shows the CONNECT request and the proxy's "200 Connection established" reply before the TLS handshake starts.

  • Watch the TinyProxy request log

  $ tail -f /var/log/tinyproxy/tinyproxy.log
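  Watching the log with tail is fine for a smoke test, but the lines are more useful once they are parsed and checked against the policy you intended. The following is an added example (not TinyProxy's code and not from the original article) that does that in Python. The line layout it assumes is the one TinyProxy writes at LogLevel Connect, a "Connect (file descriptor N): ..." line naming the client followed by a "Request (file descriptor N): ..." line with its request line from the same child process; the log lines below are constructed, not captured, and the allowed networks and ports are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not TinyProxy's code: parse the request log and flag requests
# that fall outside the intended policy (unexpected client, CONNECT to a
# non-HTTPS port). The sample lines are constructed in the LogLevel Connect
# layout; they are not a real capture.

SAMPLE_LOG = """\
CONNECT   Mar 04 10:21:07 [2144]: Connect (file descriptor 7): 10.10.6.77 [10.10.6.77]
CONNECT   Mar 04 10:21:07 [2144]: Request (file descriptor 7): CONNECT www.hi-linux.com:443 HTTP/1.1
CONNECT   Mar 04 10:21:09 [2145]: Connect (file descriptor 7): 203.0.113.9 [203.0.113.9]
CONNECT   Mar 04 10:21:09 [2145]: Request (file descriptor 7): CONNECT 198.51.100.4:22 HTTP/1.1
CONNECT   Mar 04 10:21:11 [2146]: Connect (file descriptor 8): 10.10.6.5 [10.10.6.5]
CONNECT   Mar 04 10:21:11 [2146]: Request (file descriptor 8): GET http://example.org/ HTTP/1.1
CONNECT   Mar 04 10:21:15 [2147]: Connect (file descriptor 7): 10.10.6.50 [10.10.6.50]
CONNECT   Mar 04 10:21:15 [2147]: Request (file descriptor 7): CONNECT 10.10.6.5:3389 HTTP/1.1
INFO      Mar 04 10:21:16 [2147]: Closed connection between local client (fd:7) and remote client (fd:8)
"""

LINE_RE = re.compile(r"^\S+\s+\w{3} \d{2} \d{2}:\d{2}:\d{2} \[(?P<pid>\d+)\]: (?P<rest>.*)$")
CONNECT_RE = re.compile(r"^Connect \(file descriptor (?P<fd>\d+)\): \S+ \[(?P<ip>[^\]]+)\]$")
REQUEST_RE = re.compile(r"^Request \(file descriptor (?P<fd>\d+)\): (?P<method>\S+) (?P<target>\S+) HTTP/\d\.\d$")


def target_port(method, target):
    """Destination port of a request: host:port for CONNECT, the URL's port or scheme default otherwise."""
    if method == "CONNECT":
        port = target.rpartition(":")[2]
        return int(port) if port.isdigit() else None
    parts = urlsplit(target)
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:
        return None
    return 443 if parts.scheme == "https" else 80


def parse_log(text):
    """Pair each Request line with the client named in the preceding Connect line.

    A child process handles one connection at a time, so (pid, fd) identifies the
    client for the Request line that follows; fd numbers repeat across processes.
    """
    clients = {}
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        c = CONNECT_RE.match(rest)
        if c:
            clients[(pid, c.group("fd"))] = c.group("ip")
            continue
        r = REQUEST_RE.match(rest)
        if r:
            records.append({
                "client": clients.get((pid, r.group("fd")), "unknown"),
                "method": r.group("method"),
                "target": r.group("target"),
                "port": target_port(r.group("method"), r.group("target")),
            })
    return records


def find_suspicious(records, allowed_nets, connect_ports):
    """Flag clients outside the expected networks and CONNECT tunnels to unexpected ports."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_nets]
    findings = []
    for rec in records:
        reasons = []
        try:
            addr = ipaddress.ip_address(rec["client"])
            if not any(addr in n for n in nets):
                reasons.append("client outside Allow ranges")
        except ValueError:
            reasons.append("request without a matching Connect line")
        if rec["method"] == "CONNECT" and rec["port"] not in connect_ports:
            reasons.append(f"CONNECT to non-HTTPS port {rec['port']}")
        if reasons:
            findings.append((rec["client"], rec["method"], rec["target"], "; ".join(reasons)))
    return findings
```

  Run over the sample, find_suspicious(parse_log(SAMPLE_LOG), ["10.10.6.0/24"], {443}) reports the tunnel from 203.0.113.9 to port 22 (a client the Allow list should never have admitted, relaying SSH) and the tunnel from an internal client to 10.10.6.5:3389 (RDP to another internal host, the kind of pivot a missing ConnectPort line makes possible), while the ordinary HTTPS and HTTP requests pass.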



Source: this article was originally written by E8运维. You are welcome to share it; please keep the attribution and link when reposting.