$ ./autogen.sh
+ cd .
+ aclocal -I m4macros
+ autoheader
+ automake --gnu --add-missing
Makefile.am: error: required file './ChangeLog' not found
+ cd /root/usr/j5shi/tinyproxy
+ set -
./configure
./autogen.sh: line 21: ./configure: No such file or directory

Configure failed or did not finish!

Could you tell me where to get the ChangeLog? I cloned your repo and ran ./autogen.sh.

The Bind directive is very nice. The node I am running tinyproxy on has two IP addresses, and I want tinyproxy to use one of them.

It works for http (etc.) queries. It does not work for DNS queries. The DNS queries are coming from the other IP address. I can see this in the log files of the nameserver.

I see in the source code you are just using getaddrinfo, which makes perfect sense. Is there a way to get getaddrinfo to bind its queries to come from a particular IP address?

Perhaps this is not a tinyproxy question, but the resolver library is difficult for me to penetrate. And it affects tinyproxy. The bind directive is much less useful when the DNS queries leak out the other interface!

Any help appreciated.

--George

Hello i am using a AWS load balancer as a proxy target to the proxy servers , can you help me with this , as the AWS Load balancer provides a DNS , can you help me out to where to config it in the tinyproxy config .

(aws)Proxy server 1&2------> (aws) Load balancer -------> internet

line 323-339, take the lock, get server_waiting and then release the lock. Logging should not be done while holding the lock.

Frankly why do we care if servers_waiting is precisely accurate when evaluating the IF?
Same issue in child_main_loop().

'Killing child' messages are more properly "marking child(self) for destruction".
Misplaced DEBUG2 at line 313

Probably could be part of a series aiming at making tinyproxy systemd-friendly.

It would be great to have the two somewhat related following features:

1. Specify the logfile on the command line. It should probably override that of the config file in that case (as a sidenote, allowing to specify the pidfile on the command line would be a good idea as well).
2. Allow logging to stdout or stderr. One possibility is to support - as a logfile name. The other would be to lift some of the checks done while creating the logfile, so /dev/stdout works. Right now, passing /dev/stdout as logfile fails with this error:

    tinyproxy: The file /dev/stdout has been changed before it could be opened
   

Proxy dies when using a large filter file. Issue can be replicated by using the "ads" domains list from "urlblacklist dot com" as the filter file.

solution: create manpage as part of "make dist" and ship it with the sources rather than make a2x a hard build dependency

It would be convenient to have these broken out so the settings can be recycled across multiple instances of the program. Or maybe just define a generic "IncludeFile" directive that will merge fragments in order?

When tinyproxy has no Listen directive declared in the configuration, it defaults to binding to all interfaces, but only does so using IPv6 on FreeBSD (10.2-RELEASE in this case):

# netstat -an | grep 8888 | grep LISTEN
tcp6       0      0 *.8888                 *.*                    LISTEN

As the Listen directive can be specified only once with a single IP address, there is no way to make tinyproxy listen on all interfaces using IPv4.

As a suggestion, could the Listen directive be modified to permit specifying a list of multiple IP address, both v4 and v6?

In pidfile_create, a compiled cygwin tinyproxy often segfaults when trying to fprintf the pid to the file handle. I don't know why this happens but I do know that disabling that code makes tinyproxy run normally otherwise.

Another case of not checking inputs till LONG after the fact. I expect there are an easy dozen more!

child.c child_pool_create() lines 384-395

First, truncate_file should be a 'char'. Unsigned int for a boolean?!
Don't just force 0600. The correct value is 0666. if you want to extra paranoid (underlying hasn't bothered to set a umask) then 0644. Or more correctly 'S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH'.

Being able to read a log or pid file by non-privileged users can be damn convenient.
And why creating files as O_RDWR when all that matters is O_WRONLY?

Hello

Look like the header of an http reply is stripped of Transfer-Encoding: chunked line when going throught tinyproxy.

Here's a request and reply going through tinyproxy (and a work proxy behind):

$ mojo get -v http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health 
GET http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health HTTP/1.1
Host: ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080
Accept-Encoding: gzip
User-Agent: Mojolicious (Perl)
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Fri, 02 Dec 2016 10:00:36 GMT
x-application-context: application
Via: 1.1 tinyproxy (tinyproxy/1.8.3)
x-response-time: 10
Content-Type: application/json;charset=UTF-8
Age: 0

Mojolicious user agent does not display the content of the reply (which may be a bug). On the other hand curl grumbles about missing chunk, size or close and displays a content:

$ curl -v http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health 
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)
> GET http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health HTTP/1.1
> Host: ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080
> User-Agent: curl/7.51.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 OK
< Via: 1.1 tinyproxy (tinyproxy/1.8.3)
< server: Apache-Coyote/1.1
< Age: 0
< content-type: application/json;charset=UTF-8
< date: Fri, 02 Dec 2016 10:03:08 GMT
< x-application-context: application
< x-response-time: 9
* no chunk, no close, no size. Assume close to signal end
< 
* Curl_http_done: called premature == 0
* Closing connection 0
{"status":"UP","date-time":"2016-12-02 10:03:08","hostname":"crs-datetime-3959791383-2e3jz","version":"1.0.3"}

Here's the same http request going through work proxy:

 mojo get -v http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health 
GET http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health HTTP/1.1
Accept-Encoding: gzip
Host: ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080
Content-Length: 0
User-Agent: Mojolicious (Perl)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Proxy-Connection: Keep-Alive
x-response-time: 9
Transfer-Encoding: chunked
Connection: Keep-Alive
Age: 0
x-application-context: application
Content-Type: application/json;charset=UTF-8
Date: Fri, 02 Dec 2016 09:48:54 GMT

{"status":"UP","date-time":"2016-12-02 09:48:54","hostname":"crs-datetime-3959791383-2e3jz","version":"1.0.3"}

For reference, here's the same request without any proxy:

$ mojo get -v http://ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080/fco_curly/date-time/v1/health
GET /fco_curly/date-time/v1/health HTTP/1.1
User-Agent: Mojolicious (Perl)
Accept-Encoding: gzip
Host: ac16b1ef2b86f11e696e70a9555a0db2-1423136989.us-west-2.elb.amazonaws.com:8080
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
x-response-time: 11
x-application-context: application
Server: Apache-Coyote/1.1
Date: Fri, 02 Dec 2016 09:42:27 GMT
Connection: keep-alive
Transfer-Encoding: chunked

{"status":"UP","date-time":"2016-12-02 09:42:27","hostname":"crs-datetime-3959791383-2e3jz","version":"1.0.3"}

Is this a bug with tinyproxy ? Or did I miss something ?

All the best

"Documentation

Manpages are the primary documentation for Tinyproxy. After installing Tinyproxy, run the following command to see its manpages:

man tinyproxy tinyproxy.conf"

This does nothing to help people evaluate the software for their needs. To be entirely straightforward with my opinion, a copy/paste of the man page would still be insufficient, but is easy, requires no significant additional work, and would have given me the information I was looking for.

Hello,

im currently using socks 5 SSH proxy according to this tutorial and i assume thanks to SSH, the data are encrypted.

As i read Tinyproxy readme, i found no mention about encryption of the data. So i assume data i sent to the proxy and from the proxy are fully readable (plain text), not encrypted and also it wont be able to instruct Tinyproxy to encrypt them?

I'm getting the following error when running make on the latest git version:

Making all in etc
make[2]: Entering directory '/home/user/builds/source/tinyproxy-1.8.3/etc'
  GEN    tinyproxy.conf
make[2]: Leaving directory '/home/user/builds/source/tinyproxy-1.8.3/etc'
Making all in docs
make[2]: Entering directory '/home/user/builds/source/tinyproxy-1.8.3/docs'
Making all in man5
make[3]: Entering directory '/home/user/builds/source/tinyproxy-1.8.3/docs/man5'
  GEN    tinyproxy.conf.5
: line 43: cd: a2x.py: Not a directory
a2x: ERROR: xmllint --nonet --noout --valid /home/user/builds/source/tinyproxy-1.8.3/docs/man5/tinyproxy.conf.xml returned non-zero exit status 4
Makefile:446: recipe for target 'tinyproxy.conf.5' failed
make[3]: **\* [tinyproxy.conf.5] Error 1
make[3]: Leaving directory '/home/user/builds/source/tinyproxy-1.8.3/docs/man5'
Makefile:256: recipe for target 'all-recursive' failed
make[2]: **\* [all-recursive] Error 1
make[2]: Leaving directory '/home/user/builds/source/tinyproxy-1.8.3/docs'
Makefile:300: recipe for target 'all-recursive' failed
make[1]: **\* [all-recursive] Error 1
make[1]: Leaving directory '/home/user/builds/source/tinyproxy-1.8.3'
Makefile:238: recipe for target 'all' failed
make: **\* [all] Error 2

This is on a "Debian like" arm device.

Edit this is the output from version 1.8.3, but I get the same error from the git version.

It is customary to be able to specify for example 'eth0' in such circumstances. Requiring IP address not only makes the configuration file non-reusable and brittle, but may not be valid over the course of the host's lifetime. Think AWS or other cloud/dynamic environments or just plain ol' DHCP in use.

Listen and Bind should default to the first IP address returned by querying the interface, if not otherwise specified.

Q: is there any code to handle the interface IP changing over time? Or does it just exit with "tinyproxy: Could not create listening socket." BTW that should read 'ERROR ...' we know it's tinyproxy doing the logging. Or maybe this is a separate bug wherein logging to stdout and syslog is not differentiated when running in '-d' debug mode.

Docs also imply "Access control can be based on an Interface" but provides no example, and testing bears out that "The administrator of this proxy has not configured it to service requests from your host" if 'Allow eth0' is used. If the feature is not supported, shouldn't it at least result in a parse warning?

Hi,

Could Tinyproxy have new option to support timeout when connecting to upstream? For now, the timeout is very long and it's not very convenient for daily use.

( I've tried to use non-blocking connect (in src/sock.c) but I couldn't make it work. )

Thanks a lot.

I've got 2 interfaces and I'm trying to ensure the outbound traffic goes through a specific interface. I found a few references to this online but most of them pointed to your old mailing list or bugzilla which are offline, so I could not research this. Is there a specific reason that Bind cannot be used with transparent support?

tinyproxy 1.8.4

[development@dev tinyproxy]$autoconf
configure.ac:26: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:55: error: possibly undefined macro: AM_CONDITIONAL
configure.ac:183: error: possibly undefined macro: AC_UNP_CHECK_TYPE
configure.ac:214: error: possibly undefined macro: AS_COMPILER_FLAG

Values in configuration files need to be verified first and program aborted if invalid. Not wait until trying to drop privs.

!!FIXME!!
if config.user or config.group are not set or or empty string it SKIPS over setuid() and setgroups().

When an autogenerated configure script runs on platforms without ld -z, the script may wrongly assume the regexec() function is broken. Commenting out the change in LDFLAGS results in a successfuly ./configure, but this is a dirty workaround.

This is a question and documentation update request.

Or perhaps instead of introducing new keywords and files to parse, perhaps by appending a '!' (separated by a space) to a rule so that it negates the default action.

(aside: Extrapolating further, this concept could be applied to making rules time/day dependent)

Say you're running in FilterDefaultDeny=Yes and you've white-listed 'microsoft.com'. But you want to block 'developer.microsoft.com' just because. Now sure, one can come up with a regex to allow all the zillion other microsoft sub-domains but deny just this one or a handful. However it would be a darn sight more convenient to have a FilterDeny file that gets processed first and short-circuits further evaluation on a hit.

Of course any unintended overlap between FilterDeny and Filter[Allow] can be considered operator error.

In a similar vein, if FilterDefaultDeny=No, blocking 'developer.microsoft.com' is trivial. But what if I really just want to allow 'updates.microsoft.com' out of all sub-domains? FilterAllow would get processed first and likewise short-circuit.

Why, you ask? The world isn't so simple that a binary approach is reasonable. And folks writing the rules are unlikely to be REGEX experts.

main() knows how it was invoked. So why force 'tinyproxy' into path names when argv[0] can be used?

It looks like somebody has already done the work: https://github.com/koolshare/tinyproxy

Just seems a tad odd this is the only 2-word directive out of the entire list. The parser regex enforces a space (+). How about go with space optional?

(gdb) bt
#0  0x00000037b46e96b2 in recv () from /lib64/libc.so.6
#1  0x00000000004060c7 in recv (fd=7, whole_buffer=0x7fff12796830) at /usr/include/bits/socket2.h:45
#2  readline (fd=7, whole_buffer=0x7fff12796830) at network.c:167
#3  0x000000000040774d in process_server_headers (fd=<value optimized out>) at reqs.c:966
#4  handle_connection (fd=<value optimized out>) at reqs.c:1498
#5  0x0000000000402e05 in child_main (ptr=0x7f65b2a9f0fc) at child.c:237
#6  child_make (ptr=0x7f65b2a9f0fc) at child.c:296
#7  0x0000000000402fe2 in child_main_loop () at child.c:414
#8  0x0000000000409219 in main (argc=<value optimized out>, argv=0x7fff127969d8) at main.c:462

I think need set idle_timeout as socket receive time-out also. @obnoxxx

I have connect to Tinyproxy with SHH tunnel. And I commit the "Allow 127.0.0.01",but when I connect from other computers without SSH or tunnel, it can establish a TCP connection. But if I visit a website like google.com,it will be disconnected immediately.
Could you tell me what can i do for this?

Tinyproxy does well while dealing with my computer's request, however,it return a error "501" when I use my
smartphone.

The default config uses nobody as uid/gid. This results in an odd behavior that if I use the default config provided by tinyproxy I have allow rw access for the user nobody to the log and pid files. From a security point of view I'd like to avoid any files to be accessible from the nobody user.

main.c explicitly mentions, that log and pid files are opened after dropping privileges. So I guess it's a desired behavior. What's the reason for this and is there a chance to change the behavior?

$ ./configure | wc -l
246

$ time ./configure >/dev/null

real    0m7.701s
user    0m0.002s
sys     0m0.000s

$ time make -j2 > /dev/null 2>&1

real    0m3.347s
user    0m0.000s
sys     0m0.000s

as you can see, time wasted in configure is more than 2x time needed to build. difference is even bigger with more cores used. there are about 30 configure test just checking if different warning options are supported. imo that doesnt make sense. just use -Wall -Wextra and leave it at that. there are also a lot of tests for things that just must be there. i mean if your libc doesn't have memcpy, you cannot compile anything anyway.
there are also a lot of tests for headers like stddef.h, stdio.h etc that are standard C. what's the point in testing for them ? is there even a fallback if not there ? i doubt it.
probably configure will fail with an error message that you need stdio.h. but that's no better than failing during make invocation with a message from the compiler that stdio.h could not be found.

I have been working on updating Tinyproxy in FreeBSD's ports collection from 1.8.3 to 1.8.4, but in the course of testing the newer version I have been encountering problems.

The new port version builds OK and Tinyproxy starts up and correctly listens on multiple specified interfaces, as fixed in 1.8.4, but after several hours of running, although still accepting client connections, it stops responding to requests. At this point, it takes a restart to get it working again.

I have updated the port to use the source tree on Github under the 1.8.4 tag, instead of the tarball from https://download.banu.com/tinyproxy/1.8/tinyproxy-1.8.3.tar.gz and have updated a few of the port's patches to account for the differences in the source files. See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207051 for details.

Would the developer be able to advise on how to diagnose this problem? I'm happy to gather any diagnostic information or perform any testing necessary.

This lets autogen.sh fail:

$ ./autogen.sh                                                               
+ cd .
+ aclocal -I m4macros
+ autoheader
+ automake --gnu --add-missing
Makefile.am: error: required file './ChangeLog' not found
+ cd /data/obnox/devel/tinyproxy/tinyproxy
+ set -
./configure
./autogen.sh: line 21: ./configure: No such file or directory

Configure failed or did not finish!
$ 

checking whether the system's regex library is broken... yes
configure: error: Your system's regexec() function is broken.

in configure:

if test "$cross_compiling" = yes; then :
tinyproxy_cv_regex_broken=yes

solution: assume tinyproxy_cv_regex_broken=no for crosscompiles since its pretty unlikely

Minor, but right now there are a few references to "Please read the INSTALL file" even though an INSTALL file doesn't actually exist.

Hi

Is there a commercial support available ?
TinyProxy is listed as commercial software in wikipedia but I am not seeing any commercial support on gitub for TinyProxy.

Thanks

is it possible to add http authentication?

This signal is a pretty common mechanism to dump simple status information.
Construct a simple 1-liner like:
open:num requests:num bad:num denied:num refused:num
and perhaps defined by 'StatusLine' keyword which would be parsed for known tokens.

Would be output to LogFile or Syslog as appropriate and STDOUT if running attached to a terminal.

First, please forgive my English is very poor.

I found that tinyproxy always send HTTP/1.0 to upstream，but upstream server not always reponse HTTP/1.0， when upstream server reponse HTTP/1.1, then tinyproxy transfer HTTP/1.1 to client，and removed connection header，if the client is curl， it will show warnning like：

no chunk, no close, no size. Assume close to signal end

So， whether the tinyproxy should force response HTTP/1.0 ?

like this： in function static int process_server_headers (struct conn_s *connptr)
// Add the following three lines if (response_line[7] == '1') { response_line[7] = '0'; } /* Send the saved response line first */ ret = write_message (connptr->client_fd, "%s\r\n", response_line);

the function of relay_connection is synchronous to read/write data from/to socket. can change it.

Hello,

having installed transparent tinyproxy on Openwrt ChaosCalmer, my home router now produces a log.
CONNECT Jan 30 21:31:06 [28446]: Connect (file descriptor 6): ::ffff:192.168.1.144 [::ffff:192.168.1.144]

To provide better readability/usability of the produced log I would rather have (host)names instead of ip adresses in the log. Furthermore using Dhcp the ip adresses might change and one cannot easily identitfy the corresponding user to the ip in the log. Is there a technique(other than static leases to Ip and hostname) which allows to receive the “computernames”, which devices have somehow anyway, in the log? i.e. my Android tablet has a name “PeterTablet” or my Win8 PC has a computername “cruncher” – those names should appear in the log.

tinyproxy logging calls getnameinfo to the OS, I believe.
Then which config do I have to do, in order to tinyproxy calling getnameinfo returning proper hostnames?

I appreciate any hint as to achieve that!

do reload_config_file()
if ret == 0 then shutdown_logging() followed by setup_logging().

It's listed as a feature but not actually explained. Maybe some examples?
Should it be assumed the user intuitively knows to install Tiny on the network's gateway? Or resort to tricks like IPtables to intercept and Dest-NAT?
Can it be used for HTTPS? In which case, any special configuration?
How to play nice with AWS Elastic-loadbalancers' HTTP health checks? (aside: doesn't appear to work)

The attached tinyproxy.conf file produces the error

$ /usr/local/sbin/tinyproxy -c /ram/tinyproxy.conf
Syntax error on line 305
Unable to parse config file. Not starting.

I can't seem to get reverse proxy function to work on OS X (installed via homebrew: tinyproxy-1.8.3.el_capitan.bottle.2.tar.gz)

tinyproxy.txt

It seems like non of the install scripts are at the root folder. Could you update us on the new way to install from this repository ?

even if FilterDefaultDeny=Yes

The BindSame feature is very useful and easy to use(While squid needs to add many tcp_outgoing_address lines for all interfaces)!

Can you add another feature "BindRandom"?
If enabled, tinyproxy will bind the outgoing connection to a random interface(eth0, eth1, eth2, eth3, ....).