Setting up a restricted (whitelist) proxy

[wlanboy]

Running a public proxy is quite a trouble making decision. Ok it is not as dump as posting your ssh credentials on twitter, but please read the TOS of your provider first. Your hoster does not bite - talk with him/her.

Sometimes a restricted proxy can be usefull too. E.g. secure the internet connection of your childs, or just to allow some friends to visit a defined set of webpages. So please do not run a public proxy.

Back to topic:

Everytime I read a post about someone telling how good his blacklist is I just start smiling. You cannot maintain a list of all bad words that should be filtered. In my opinion only a whitelist of allowed domains can really secure your internet connection.

Searching for an easy to configure http only proxy which is supporting whitelisting you might find "tinyproxy".

Installation is simple:


apt-get install tinyproxy

Configuration is simple too (single file):


nano /etc/tinyproxy.conf

This you should alter following parameters:

• Listen
  The ip address used by the proxy to accept connections.
  E.g.: "Listen 127.0.0.1"
• Bind 192.168.0.1
  The ip address used by the proxy to connect to the internet
  
• MinSpareServers
  MaxSpareServers
  StartServers
  Well the minimum and maximum number of threads started by the proxy. Each thread can handle one request at the same time. Startservers is handling the number of threads that are started by the proxy without any requests. Default values are ok, but can consume too much RAM for small vps.
  
• 
  Allow
  The ip address of allowed clients.
  E.g.: Allow 127.0.0.1 or Allow 192.168.0.0/16
  
  This is quite important. Limit this to the ips of the pcs using the proxy.
  
• 
  ConnectPort 443
  ConnectPort 563
  
  To allow SSL connections.
  

At the end of the file add following lines to enable whitelisting:


FilterExtended On
FilterURLs On
FilterDefaultDeny Yes
Filter "/etc/tinyproxy/whitelist"

So all requests will be denied except the ones defined in the filter file.

Now add the domains you want to allow:


nano /etc/tinyproxy-whitelist.conf

Content like:


twitter.com
twimg.com

That's it.

If someone knows a way to force a desktop user to use a proxy (for Windows/Mac/Linux) just add a post with a small howto.

 

[A Jump From Let]

You cannot maintain a list of all bad words that should be filtered. In my opinion only a whitelist of allowed domains can really secure your internet connection.

That's wise B) I love using Tinyproxy but I've never thought of that use. 

I also like how you can restrict who can access and thus make it work as private. And I've found adding ports other than standard ports is sometimes required to open some pages, like control panels.

 

[Chronic]

Thanks for the guide, might come useful.

On a similar note, is there any proxy solution out there that uses a username/password authorization system and allows for a monthly data transfer limit?

I'm sure something could be worked out by using SSH tunneling with jailed accounts and then set the data transfer limit per account, but surely there must be a simpler way?

 

[wlanboy]

First note about forcing someone to user your proxy:

• Linux iptables
  

  iptables -t nat -A PREROUTING -i eth0 -s ! proxy-ip -p tcp --dport 80 -j DNAT --to proxy-ip:8888
  iptables -t nat -A POSTROUTING -o eth0 -s local-network -d proxy-ip -j SNAT --to local-ip
  iptables -A FORWARD -s local-network -d proxy-ip -i eth0 -o eth0 -p tcp --dport 8888 -j ACCEPT

 

[drmike]

@wlanboy, yet another bookmarked submission from you.

This is a really good, quick, free, safe solution.   Can see using this for the young ones and for anything that is a kiosk