amuck-landowner

Setting up a restricted (whitelist) proxy

wlanboy

Content Contributer
Running a public proxy is quite a trouble making decision. Ok it is not as dump as posting your ssh credentials on twitter, but please read the TOS of your provider first. Your hoster does not bite - talk with him/her.

Sometimes a restricted proxy can be usefull too. E.g. secure the internet connection of your childs, or just to allow some friends to visit a defined set of webpages. So please do not run a public proxy.

Back to topic:

Everytime I read a post about someone telling how good his blacklist is I just start smiling. You cannot maintain a list of all bad words that should be filtered. In my opinion only a whitelist of allowed domains can really secure your internet connection.

Searching for an easy to configure http only proxy which is supporting whitelisting you might find "tinyproxy".

Installation is simple:


apt-get install tinyproxy

Configuration is simple too (single file):


nano /etc/tinyproxy.conf

This you should alter following parameters:

  • Listen
    The ip address used by the proxy to accept connections.
    E.g.: "Listen 127.0.0.1"
  • Bind 192.168.0.1
    The ip address used by the proxy to connect to the internet
  • MinSpareServers
    MaxSpareServers
    StartServers
    Well the minimum and maximum number of threads started by the proxy. Each thread can handle one request at the same time. Startservers is handling the number of threads that are started by the proxy without any requests. Default values are ok, but can consume too much RAM for small vps.

  • Allow
    The ip address of allowed clients.
    E.g.: Allow 127.0.0.1 or Allow 192.168.0.0/16

    This is quite important. Limit this to the ips of the pcs using the proxy.

  • ConnectPort 443
    ConnectPort 563

    To allow SSL connections.
At the end of the file add following lines to enable whitelisting:


FilterExtended On
FilterURLs On
FilterDefaultDeny Yes
Filter "/etc/tinyproxy/whitelist"

So all requests will be denied except the ones defined in the filter file.

Now add the domains you want to allow:


nano /etc/tinyproxy-whitelist.conf

Content like:


twitter.com
twimg.com

That's it.

If someone knows a way to force a desktop user to use a proxy (for Windows/Mac/Linux) just add a post with a small howto.
 

A Jump From Let

New Member
You cannot maintain a list of all bad words that should be filtered. In my opinion only a whitelist of allowed domains can really secure your internet connection.
That's wise B) I love using Tinyproxy but I've never thought of that use. 

I also like how you can restrict who can access and thus make it work as private. And I've found adding ports other than standard ports is sometimes required to open some pages, like control panels.
 
Last edited by a moderator:

Chronic

Member
Thanks for the guide, might come useful.

On a similar note, is there any proxy solution out there that uses a username/password authorization system and allows for a monthly data transfer limit?

I'm sure something could be worked out by using SSH tunneling with jailed accounts and then set the data transfer limit per account, but surely there must be a simpler way?
 
Last edited by a moderator:

wlanboy

Content Contributer
First note about forcing someone to user your proxy:

  • Linux iptables
    Code:
    iptables -t nat -A PREROUTING -i eth0 -s ! proxy-ip -p tcp --dport 80 -j DNAT --to proxy-ip:8888
    iptables -t nat -A POSTROUTING -o eth0 -s local-network -d proxy-ip -j SNAT --to local-ip
    iptables -A FORWARD -s local-network -d proxy-ip -i eth0 -o eth0 -p tcp --dport 8888 -j ACCEPT
 

drmike

100% Tier-1 Gogent
@wlanboy, yet another bookmarked submission from you.

This is a really good, quick, free, safe solution.   Can see using this for the young ones and for anything that is a kiosk :)
 
Top
amuck-landowner