Recommended: TinyProxy, a lightweight HTTP/HTTPS proxy
As everyone knows, the Nginx and Apache servers we use every day can easily serve as forward or reverse proxies. Neither of them, however, supports forward proxying of HTTPS.
Nginx cannot act as an HTTPS forward proxy because it does not implement the HTTP/1.1 CONNECT method. A tunnel, roughly speaking, lets a proxy server that cannot complete the TLS handshake itself pass through the requests of a client that can, so that the proxy no longer parses the contents of the traffic.
For more on CONNECT and tunnelling, see the following articles:
- RFC 2817 (http://t.cn/EaoC0qf)
- What is an HTTP tunnel, and how should one understand it? (http://t.cn/EaoCveH)
Today we introduce TinyProxy, a lightweight proxy that supports both HTTP and HTTPS. TinyProxy provides the following features:
- Anonymous mode.
- HTTPS support: HTTPS connections are forwarded through CONNECT requests.
- Remote monitoring: logs and access information can be viewed remotely.
- Load monitoring: it can be configured to refuse new proxy requests once the load reaches a given level.
- Access control: only specific IP addresses or ranges can be allowed to connect.
- Security: no root privileges are required.
- Lightweight: it needs only minimal system resources.
- URL-based filtering.
- Transparent proxying.
- Multi-level (chained) proxying.
Installing TinyProxy
1. Installing from packages
TinyProxy is packaged for most distributions; the commands for a few common platforms are given below.
- CentOS/RHEL
# requires the EPEL repository
$ yum install -y tinyproxy
- Ubuntu/Debian
$ sudo apt-get -y install tinyproxy
If you use another platform, the official documentation lists further installation options: https://tinyproxy.github.io/
2. Installing from source
If your platform has no official package yet, you can also build and install from source.
$ git clone https://github.com/tinyproxy/tinyproxy.git
$ cd tinyproxy
$ ./autogen.sh
$ ./configure
$ make
$ make install
Configuring TinyProxy
TinyProxy's default configuration file is /etc/tinyproxy/tinyproxy.conf. To use a configuration file at a different location, pass its path with the -c option when starting TinyProxy.
$ cat /etc/tinyproxy/tinyproxy.conf
##
## tinyproxy.conf -- tinyproxy daemon configuration file
##
## This example tinyproxy.conf file contains example settings
## with explanations in comments. For descriptions of all
## parameters, see the tinyproxy.conf(5) manual page.
##

#
# User/Group: This allows you to set the user and group that will be
# used for tinyproxy after the initial binding to the port has been done
# as the root user. Either the user or group name or the UID or GID
# number may be used.
#
User nobody
Group nobody

#
# Port: Specify the port which tinyproxy will listen on. Please note
# that should you choose to run on a port lower than 1024 you will need
# to start tinyproxy using root.
#
Port 8888

#
# Listen: If you have multiple interfaces this allows you to bind to
# only one. If this is commented out, tinyproxy will bind to all
# interfaces present.
#
#Listen 192.168.0.1

#
# Bind: This allows you to specify which interface will be used for
# outgoing connections. This is useful for multi-home'd machines where
# you want all traffic to appear outgoing from one particular interface.
#
#Bind 192.168.0.1

#
# BindSame: If enabled, tinyproxy will bind the outgoing connection to the
# ip address of the incoming connection.
#
#BindSame yes

#
# Timeout: The maximum number of seconds of inactivity a connection is
# allowed to have before it is closed by tinyproxy.
#
Timeout 600

#
# ErrorFile: Defines the HTML file to send when a given HTTP error
# occurs. You will probably need to customize the location to your
# particular install. The usual locations to check are:
#   /usr/local/share/tinyproxy
#   /usr/share/tinyproxy
#   /etc/tinyproxy
#
#ErrorFile 404 "/usr/share/tinyproxy/404.html"
#ErrorFile 400 "/usr/share/tinyproxy/400.html"
#ErrorFile 503 "/usr/share/tinyproxy/503.html"
#ErrorFile 403 "/usr/share/tinyproxy/403.html"
#ErrorFile 408 "/usr/share/tinyproxy/408.html"

#
# DefaultErrorFile: The HTML file that gets sent if there is no
# HTML file defined with an ErrorFile keyword for the HTTP error
# that has occurred.
#
DefaultErrorFile "/usr/share/tinyproxy/default.html"

#
# StatHost: This configures the host name or IP address that is treated
# as the stat host: Whenever a request for this host is received,
# Tinyproxy will return an internal statistics page instead of
# forwarding the request to that host. The default value of StatHost is
# tinyproxy.stats.
#
#StatHost "tinyproxy.stats"
#

#
# StatFile: The HTML file that gets sent when a request is made
# for the stathost. If this file doesn't exist a basic page is
# hardcoded in tinyproxy.
#
StatFile "/usr/share/tinyproxy/stats.html"

#
# LogFile: Allows you to specify the location where information should
# be logged to. If you would prefer to log to syslog, then disable this
# and enable the Syslog directive. These directives are mutually
# exclusive. If neither Syslog nor LogFile are specified, output goes
# to stdout.
#
LogFile "/var/log/tinyproxy/tinyproxy.log"

#
# Syslog: Tell tinyproxy to use syslog instead of a logfile. This
# option must not be enabled if the Logfile directive is being used.
# These two directives are mutually exclusive.
#
#Syslog On

#
# LogLevel: Warning
#
# Set the logging level. Allowed settings are:
#   Critical   (least verbose)
#   Error
#   Warning
#   Notice
#   Connect    (to log connections without Info's noise)
#   Info       (most verbose)
#
# The LogLevel logs from the set level and above. For example, if the
# LogLevel was set to Warning, then all log messages from Warning to
# Critical would be output, but Notice and below would be suppressed.
#
LogLevel Info

#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
# can be used for signalling purposes.
# If not specified, no pidfile will be written.
#
PidFile "/var/run/tinyproxy/tinyproxy.pid"

#
# XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
# contains the client's IP address.
#
#XTinyproxy Yes

#
# Upstream:
#
# Turns on upstream proxy support.
#
# The upstream rules allow you to selectively route upstream connections
# based on the host/domain of the site being accessed.
#
# Syntax: upstream type (user:pass@)ip:port ("domain")
# Or:     upstream none "domain"
# The parts in parens are optional.
# Possible types are http, socks4, socks5, none
#
# For example:
#  # connection to test domain goes through testproxy
#  upstream http testproxy:8008 ".test.domain.invalid"
#  upstream http testproxy:8008 ".our_testbed.example.com"
#  upstream http testproxy:8008 "192.168.128.0/255.255.254.0"
#
#  # upstream proxy using basic authentication
#  upstream http user:pass@testproxy:8008 ".test.domain.invalid"
#
#  # no upstream proxy for internal websites and unqualified hosts
#  upstream none ".internal.example.com"
#  upstream none "www.example.com"
#  upstream none "10.0.0.0/8"
#  upstream none "192.168.0.0/255.255.254.0"
#  upstream none "."
#
#  # connection to these boxes go through their DMZ firewalls
#  upstream http cust1_firewall:8008 "testbed_for_cust1"
#  upstream http cust2_firewall:8008 "testbed_for_cust2"
#
#  # default upstream is internet firewall
#  upstream http firewall.internal.example.com:80
#
# You may also use SOCKS4/SOCKS5 upstream proxies:
#  upstream socks4 127.0.0.1:9050
#  upstream socks5 socksproxy:1080
#
# The LAST matching rule wins the route decision. As you can see, you
# can use a host, or a domain:
#  name     matches host exactly
#  .name    matches any host in domain "name"
#  .        matches any host with no domain (in 'empty' domain)
#  IP/bits  matches network/mask
#  IP/mask  matches network/mask
#
#Upstream http some.remote.proxy:port

#
# MaxClients: This is the absolute highest number of threads which will
# be created. In other words, only MaxClients number of clients can be
# connected at the same time.
#
MaxClients 100

#
# MinSpareServers/MaxSpareServers: These settings set the upper and
# lower limit for the number of spare servers which should be available.
#
# If the number of spare servers falls below MinSpareServers then new
# server processes will be spawned. If the number of servers exceeds
# MaxSpareServers then the extras will be killed off.
#
MinSpareServers 5
MaxSpareServers 20

#
# StartServers: The number of servers to start initially.
#
StartServers 10

#
# MaxRequestsPerChild: The number of connections a thread will handle
# before it is killed. In practise this should be set to 0, which
# disables thread reaping. If you do notice problems with memory
# leakage, then set this to something like 10000.
#
MaxRequestsPerChild 0

#
# Allow: Customization of authorization controls. If there are any
# access control keywords then the default action is to DENY. Otherwise,
# the default action is ALLOW.
#
# The order of the controls are important. All incoming connections are
# tested against the controls based on order.
#
Allow 127.0.0.1

# BasicAuth: HTTP "Basic Authentication" for accessing the proxy.
# If there are any entries specified, access is only granted for authenticated
# users.
#BasicAuth user password

#
# AddHeader: Adds the specified headers to outgoing HTTP requests that
# Tinyproxy makes. Note that this option will not work for HTTPS
# traffic, as Tinyproxy has no control over what headers are exchanged.
#
#AddHeader "X-My-Header" "Powered by Tinyproxy"

#
# ViaProxyName: The "Via" header is required by the HTTP RFC, but using
# the real host name is a security concern. If the following directive
# is enabled, the string supplied will be used as the host name in the
# Via header; otherwise, the server's host name will be used.
#
ViaProxyName "tinyproxy"

#
# DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
# the Via header to the requests. This virtually puts Tinyproxy into
# stealth mode. Note that RFC 2616 requires proxies to set the Via
# header, so by enabling this option, you break compliance.
# Don't disable the Via header unless you know what you are doing...
#
#DisableViaHeader Yes

#
# Filter: This allows you to specify the location of the filter file.
#
Filter "/etc/tinyproxy/filter"

#
# FilterURLs: Filter based on URLs rather than domains.
#
#FilterURLs On

#
# FilterExtended: Use POSIX Extended regular expressions rather than
# basic.
#
#FilterExtended On

#
# FilterCaseSensitive: Use case sensitive regular expressions.
#
#FilterCaseSensitive On

#
# FilterDefaultDeny: Change the default policy of the filtering system.
# If this directive is commented out, or is set to "No" then the default
# policy is to allow everything which is not specifically denied by the
# filter file.
#
# However, by setting this directive to "Yes" the default policy becomes
# to deny everything which is _not_ specifically allowed by the filter
# file.
#
#FilterDefaultDeny Yes

#
# Anonymous: If an Anonymous keyword is present, then anonymous proxying
# is enabled. The headers listed are allowed through, while all others
# are denied. If no Anonymous keyword is present, then all headers are
# allowed through. You must include quotes around the headers.
#
# Most sites require cookies to be enabled for them to work correctly, so
# you will need to allow Cookies through if you access those sites.
#
#Anonymous "Host"
#Anonymous "Authorization"
#Anonymous "Cookie"

#
# ConnectPort: This is a list of ports allowed by tinyproxy when the
# CONNECT method is used. To disable the CONNECT method altogether, set
# the value to 0. If no ConnectPort line is found, all ports are
# allowed.
#
# The following two ports are used by SSL.
#
#ConnectPort 443
#ConnectPort 563

#
# Configure one or more ReversePath directives to enable reverse proxy
# support. With reverse proxying it's possible to make a number of
# sites appear as if they were part of a single site.
#
# If you uncomment the following two directives and run tinyproxy
# on your own computer at port 8888, you can access Google using
# http://localhost:8888/google/ and Wired News using
# http://localhost:8888/wired/news/. Neither will actually work
# until you uncomment ReverseMagic as they use absolute linking.
#
#ReversePath "/google/" "http://www.google.com/"
#ReversePath "/wired/"  "http://www.wired.com/"

#
# When using tinyproxy as a reverse proxy, it is STRONGLY recommended
# that the normal proxy is turned off by uncommenting the next directive.
#
#ReverseOnly Yes

#
# Use a cookie to track reverse proxy mappings. If you need to reverse
# proxy sites which have absolute links you must uncomment this.
#
#ReverseMagic Yes

#
# The URL that's used to access this reverse proxy. The URL is used to
# rewrite HTTP redirects so that they won't escape the proxy. If you
# have a chain of reverse proxies, you'll need to put the outermost
# URL here (the address which the end user types into his/her browser).
#
# If not set then no rewriting occurs.
#
#ReverseBaseURL "http://localhost:8888/"
Let us look at the main configuration parameters:
- User
Specifies the user TinyProxy runs as. The default is nobody.
User nobody
- Group
Specifies the group TinyProxy runs as. The default is nobody.
Group nobody
- Listen
Specifies the network interface TinyProxy binds to. By default it binds to all available interfaces.
#Listen 192.168.0.1
To bind to one interface only, uncomment the directive and give that interface's IP address.
Listen 192.168.1.100
- Port
Specifies the port TinyProxy listens on. The default is 8888.
Port 8888
- Allow
Specifies the IP addresses or networks that may use this TinyProxy host. By default only the local machine is allowed.
Allow 127.0.0.1
If you want to let everyone use the proxy, comment out the Allow directive.
#Allow 127.0.0.1
To allow several networks, list each one in its own Allow directive.
# allow several IP ranges
Allow 10.10.6.0/24
Allow 192.168.8.0/24
Allow 172.16.1.13
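To see how a set of Allow lines will be evaluated before the configuration goes live, here is an added shell example (it is not part of the original article or of TinyProxy itself) that applies the rule stated in the sample configuration to a constructed tinyproxy.conf fragment: once any Allow directive exists, a client matching none of them is denied, and a commented-out Allow no longer counts. It handles only the two forms used above, a single IPv4 address and an IPv4 network/bits; all addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the article or TinyProxy): evaluate a tinyproxy.conf
# Allow list for a given client address. Only the forms used on the page are
# handled: a single IPv4 address and IPv4 network/bits.

# Convert a dotted-quad IPv4 address to an integer; fails on malformed input.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# allow_matches ENTRY CLIENT: succeeds when CLIENT falls inside ENTRY
# (ENTRY is "a.b.c.d" or "a.b.c.d/bits"); returns 2 on malformed input.
allow_matches() {
    case "$1" in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    n=$(ip_to_int "$net") || return 2
    c=$(ip_to_int "$2")   || return 2
    case "$bits" in ''|*[!0-9]*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    # Network mask with the top "bits" bits set, kept to 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( n & mask )) -eq $(( c & mask )) ]
}

# allow_decision CONF CLIENT: prints ALLOW or DENY following the rule in the
# sample configuration: with no Allow directive everything is allowed; with
# at least one, only clients matching some Allow line get through.
# A line whose first word is not exactly "Allow" (e.g. "#Allow") is ignored.
allow_decision() {
    seen=0
    for entry in $(awk '$1 == "Allow" { print $2 }' "$1"); do
        seen=1
        if allow_matches "$entry" "$2"; then echo ALLOW; return 0; fi
    done
    if [ "$seen" -eq 0 ]; then echo ALLOW; else echo DENY; fi
}

# Constructed tinyproxy.conf fragment for the demonstration.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Port 8888
#Allow 127.0.0.1
# several ranges are listed with one Allow each
Allow 10.10.6.0/24
Allow 192.168.8.0/24
Allow 172.16.1.13
EOF

for ip in 10.10.6.77 192.168.8.1 172.16.1.13 172.16.1.14 127.0.0.1; do
    printf '%-14s %s\n' "$ip" "$(allow_decision "$SAMPLE_CONF" "$ip")"
done
```

Note that 127.0.0.1 is denied in this run because its Allow line is commented out, while the remaining lines are present: with no Allow line at all, the same function reports ALLOW for any address, which is what commenting out every Allow does to a real instance. On a host that listens on all interfaces, that is an open proxy; keeping at least one Allow, binding Listen to an internal address, or enabling BasicAuth from the sample configuration keeps it usable only by the intended clients.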
- BindSame
On a multi-homed host, controls whether the outgoing IP address is the same as the incoming one. Off by default.
For example, if the server has the IP address 1.2.3.4 and you send requests to the Tinyproxy instance on that address, the requests to the target site will also leave from 1.2.3.4.
#BindSame yes
- StartServers
The number of child processes TinyProxy starts initially. The default is 10.
StartServers 10
- MaxClients
The maximum number of client connections. The default is 100.
MaxClients 100
- LogFile
The location of the log file. The default is /var/log/tinyproxy/tinyproxy.log.
LogFile /var/log/tinyproxy/tinyproxy.log
- Syslog
Whether TinyProxy logs through syslog. Off by default.
#Syslog On
Note: only one of LogFile and Syslog can be enabled at a time. If neither is enabled, TinyProxy writes its log to standard output on the terminal.
- PidFile
The location of the PID file. The default is /var/run/tinyproxy/tinyproxy.pid; TinyProxy fails to run if the PidFile does not exist.
PidFile "/var/run/tinyproxy/tinyproxy.pid"
- DisableViaHeader
Controls the Via header that carries Tinyproxy information. The directive is off by default; when it is enabled, no Tinyproxy information appears in the headers, which effectively puts Tinyproxy into stealth mode.
#DisableViaHeader Yes
- Filter
The location of the filter file. The default is /etc/tinyproxy/filter.
Filter "/etc/tinyproxy/filter"
- FilterURLs
Whether filtering is done by URL or by domain; the default is URL-based. Domain filtering checks only the domain part, while URL filtering checks the whole URL.
FilterURLs On
- FilterExtended
Whether filter rules are matched with POSIX basic or extended regular expressions; basic by default.
#FilterExtended On
- FilterCaseSensitive
Whether the regular expressions are case sensitive; case-insensitive by default.
#FilterCaseSensitive On
- FilterDefaultDeny
Sets the default filtering policy. If the directive is commented out or set to No, the filter rules are deny rules. The value defaults to Yes, in which case the filter rules allow access only to the addresses listed in the filter file.
FilterDefaultDeny Yes
Example filter configuration:
1. Add the domains the proxy should allow or deny to /etc/tinyproxy/filter.
hi-linux.com
Entries in the filter file may also be regular expressions.
\.google\.com$
^hi-linux\.com$
2. To let the proxy serve only requests for hi-linux.com, configure:
Filter "/etc/tinyproxy/filter"
FilterURLs On
FilterDefaultDeny Yes
3. To let the proxy serve everything except hi-linux.com, configure:
Filter "/etc/tinyproxy/filter"
FilterURLs On
FilterDefaultDeny No
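The following added shell example (not from the article or the TinyProxy project) dry-runs a filter file the way the three steps above describe, using grep, which accepts the same POSIX basic and extended regular expressions: FilterExtended selects -E, FilterCaseSensitive Off adds -i, and FilterDefaultDeny decides whether a match means ALLOW or DENY. The filter file and host names are constructed for the example. The subject you pass in is whatever TinyProxy would test, the host name when filtering by domain or the full request URL when FilterURLs is On, which is why the last run shows the anchored pattern ^hi-linux\.com$ failing to match a complete URL.

```shell
#!/bin/sh
# Added example (not from the article or TinyProxy): test a filter file offline
# with grep, which uses the same POSIX basic (grep) and extended (grep -E)
# regular expressions that FilterExtended selects between.

# is_on VALUE: true for Yes/On, the spellings used in tinyproxy.conf.
is_on() { case "$1" in [Yy]es|[Oo]n) return 0 ;; *) return 1 ;; esac; }

# filter_decision FILTER_FILE SUBJECT EXTENDED CASE_SENSITIVE DEFAULT_DENY
#   SUBJECT is the string tinyproxy would check: the host name when filtering
#   by domain, the whole request URL when FilterURLs is On.
#   The last three arguments mirror FilterExtended, FilterCaseSensitive and
#   FilterDefaultDeny (Yes/No). Prints ALLOW or DENY.
filter_decision() {
    file=$1; subject=$2
    opts=""
    is_on "$3" && opts="$opts -E"      # FilterExtended On -> POSIX ERE
    is_on "$4" || opts="$opts -i"      # FilterCaseSensitive Off -> ignore case
    # Drop blank and '#' lines before handing the file to grep -f: an empty
    # pattern would otherwise match every subject.
    pats=$(mktemp)
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$file" > "$pats"
    if printf '%s\n' "$subject" | grep -q $opts -f "$pats"; then
        matched=1
    else
        matched=0
    fi
    rm -f "$pats"
    # FilterDefaultDeny Yes: the file lists what is allowed, the rest is denied.
    # FilterDefaultDeny No:  the file lists what is denied, the rest is allowed.
    if is_on "$5"; then
        [ "$matched" -eq 1 ] && echo ALLOW || echo DENY
    else
        [ "$matched" -eq 1 ] && echo DENY || echo ALLOW
    fi
}

# Constructed filter file: the two patterns from the article plus a comment.
SAMPLE_FILTER=$(mktemp)
trap 'rm -f "$SAMPLE_FILTER"' EXIT
cat > "$SAMPLE_FILTER" <<'EOF'
# hosts handled by this proxy
\.google\.com$
^hi-linux\.com$
EOF

# Step 2 of the article: FilterDefaultDeny Yes, only listed hosts pass.
for host in hi-linux.com www.google.com example.com; do
    printf 'default-deny  %-20s %s\n' "$host" \
        "$(filter_decision "$SAMPLE_FILTER" "$host" Yes No Yes)"
done
# Step 3 of the article: FilterDefaultDeny No, listed hosts are blocked.
for host in hi-linux.com example.com; do
    printf 'default-allow %-20s %s\n' "$host" \
        "$(filter_decision "$SAMPLE_FILTER" "$host" Yes No No)"
done
# With FilterURLs On the subject is the whole URL, so the anchored domain
# pattern ^hi-linux\.com$ no longer matches it.
printf 'url-mode      %-20s %s\n' 'http://hi-linux.com/' \
    "$(filter_decision "$SAMPLE_FILTER" 'http://hi-linux.com/' Yes No Yes)"
```

The url-mode line is the one to keep in mind when combining FilterURLs On with patterns written for domains: a filter entry anchored at both ends only ever matches the bare host name, so a file like the one above should be tested against the exact strings the chosen mode feeds to the regular expressions.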
Running TinyProxy
- Running TinyProxy is straightforward: use the service script it ships with.
# start TinyProxy
$ service tinyproxy start
# stop TinyProxy
$ service tinyproxy stop
# restart TinyProxy
$ service tinyproxy restart
- If a firewall is enabled on the server, remember to open the TinyProxy port.
$ iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
- Test that the proxy works.
$ curl --proxy 192.168.1.100:8888 -k https://www.hi-linux.com/
If the source of the requested page is printed, the proxy is working.
- Watch the TinyProxy request log.
$ tail -f /var/log/tinyproxy/tinyproxy.log
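Tailing the log is enough to watch one session; to review who is tunnelling where, here is an added shell example (not from the article or from TinyProxy) that summarises the request lines of a log written at LogLevel Connect or Info. The sample lines are constructed to follow a "LEVEL date [pid]: Request (file descriptor N): METHOD target" layout, which is an assumption of this example: check the field positions against your own tinyproxy.log before relying on them. The last function lists CONNECT destination ports outside the set you intend to allow with ConnectPort, a quick way to notice tunnels to ports other than the 443 and 563 named in the sample configuration.

```shell
#!/bin/sh
# Added example (not from the article or TinyProxy): summarise request lines
# in a tinyproxy log. Assumed line layout (verify against your own log):
#   LEVEL   Mon DD HH:MM:SS [pid]: Request (file descriptor N): METHOD target HTTP/1.x

# count_requests LOG: "COUNT METHOD TARGET", most frequent first.
count_requests() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "Request") { print $(i+4), $(i+5); break } }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# connect_ports LOG: distinct destination ports requested with CONNECT.
connect_ports() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "Request" && $(i+4) == "CONNECT") {
                   n = split($(i+5), part, ":"); print part[n]; break } }' "$1" \
        | sort -n | uniq
}

# connect_ports_outside LOG "PORT PORT ...": CONNECT ports not in the given
# list, i.e. tunnels that a ConnectPort setting listing exactly those ports
# would have refused.
connect_ports_outside() {
    allowed=" $2 "
    connect_ports "$1" | while read -r port; do
        case "$allowed" in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# Constructed log excerpt in the layout described above; addresses are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
CONNECT   Mar 05 10:15:01 [2231]: Connect (file descriptor 7): 192.168.8.20 [192.168.8.20]
CONNECT   Mar 05 10:15:01 [2231]: Request (file descriptor 7): CONNECT www.hi-linux.com:443 HTTP/1.1
CONNECT   Mar 05 10:15:02 [2232]: Connect (file descriptor 7): 192.168.8.20 [192.168.8.20]
CONNECT   Mar 05 10:15:02 [2232]: Request (file descriptor 7): GET http://www.hi-linux.com/ HTTP/1.1
CONNECT   Mar 05 10:15:09 [2233]: Connect (file descriptor 7): 10.10.6.44 [10.10.6.44]
CONNECT   Mar 05 10:15:09 [2233]: Request (file descriptor 7): CONNECT www.hi-linux.com:443 HTTP/1.1
CONNECT   Mar 05 10:16:30 [2234]: Connect (file descriptor 7): 10.10.6.44 [10.10.6.44]
CONNECT   Mar 05 10:16:30 [2234]: Request (file descriptor 7): CONNECT 203.0.113.9:25 HTTP/1.1
EOF

echo "requests:";          count_requests "$SAMPLE_LOG"
echo "CONNECT ports:";     connect_ports "$SAMPLE_LOG" | tr '\n' ' '; echo
echo "outside 443/563:";   connect_ports_outside "$SAMPLE_LOG" "443 563"
```

On the constructed excerpt the last function reports port 25, the kind of entry that a ConnectPort 443 / ConnectPort 563 pair in tinyproxy.conf would have blocked before it reached the log. Separately, the curl test above passes -k, which disables certificate verification for that request; since the proxy only carries the CONNECT tunnel and never sees the TLS session, a page fetched with -k shows that the tunnel works, not that the certificate was valid, so run the check once more without -k.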