Here's a comprehensive guide for installing and configuring Tinyproxy on Linux, including setting up an upstream proxy and configuring bypass rules for specific domains and IPs.
# For Debian/Ubuntu
sudo apt update
sudo apt install tinyproxy
# For CentOS/RHEL
sudo yum install epel-release
sudo yum install tinyproxy
# For Fedora
sudo dnf install tinyproxy
# For Arch Linux
sudo pacman -S tinyproxy
Tinyproxy's configuration file is typically located at /etc/tinyproxy/tinyproxy.conf. Let's create a backup before making changes:
sudo cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.backup
Now edit the configuration file:
sudo nano /etc/tinyproxy/tinyproxy.conf
Here are key settings to customize:
- Port: Change the listening port if needed
  Port 8888
- Access Control: Restrict which IP addresses can use the proxy
  # Allow connections from local network only
  Allow 127.0.0.1
  Allow 192.168.0.0/16
- Logging: Configure logging level and location
  LogLevel Info
  LogFile "/var/log/tinyproxy/tinyproxy.log"
- Connection Settings:
  # Maximum number of clients
  MaxClients 100
  # Timeout settings (in seconds)
  Timeout 600
To forward traffic to another proxy, add the Upstream directive:
# Format: Upstream host:port
Upstream proxy.example.com:3128
If your upstream proxy requires authentication, you can specify it as:
Upstream username:password@proxy.example.com:3128
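The access-control and upstream-authentication settings above are the ones worth checking mechanically once the file is edited. The following is an added example, not part of the original guide; the finding codes and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. The finding codes are names
# invented for this sketch; the sample configs below are constructed.

audit_conf() {  # $1 = path to a tinyproxy.conf; prints one finding code per line
  # Drop comments and blank lines so commented-out directives are not counted.
  body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1") || return 2
  acl=$(printf '%s\n' "$body" | awk 'tolower($1) ~ /^(allow|deny)$/ {print tolower($1), $2}')
  # With no Allow/Deny line at all, Tinyproxy accepts every client that can reach the port.
  [ -n "$acl" ] || echo NO_ACL
  # An Allow rule covering the whole address space has the same effect.
  printf '%s\n' "$acl" | grep -Eq '^allow (0\.0\.0\.0/0|::/0)$' && echo ALLOW_ANY
  # Upstream credentials stored here are visible to anyone who can read the config file.
  printf '%s\n' "$body" | awk 'tolower($1) == "upstream"' |
    grep -q ':[^[:space:]@]*@' && echo UPSTREAM_SECRET
  return 0
}

write_conf() {  # helper: write stdin to a temp file and print its path
  f=$(mktemp) || return 1
  cat > "$f"
  echo "$f"
}

weak_conf() { write_conf <<'EOF'
Port 8888
# Allow 127.0.0.1
Upstream username:password@proxy.example.com:3128
EOF
}

strict_conf() { write_conf <<'EOF'
Port 8888
Allow 127.0.0.1
Allow 192.168.0.0/16
Upstream proxy.example.com:3128
EOF
}
```

Run `audit_conf /etc/tinyproxy/tinyproxy.conf` after editing; an empty result means none of the three conditions was found.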
Tinyproxy handles bypass rules through two mechanisms:
The ConnectPort directive controls which ports can be accessed directly (bypassing the upstream proxy) for CONNECT methods. By default, it allows ports 443 and 563:
ConnectPort 443
ConnectPort 563
# Add more ports as needed
ConnectPort 80
For more granular control, including domain-specific and IP-specific bypass rules, we'll use the filtering capabilities:
- Create a filter file:
  sudo mkdir -p /etc/tinyproxy/bypass
  sudo nano /etc/tinyproxy/bypass/no_proxy.filter
- Add the domains and IPs that should bypass the upstream proxy:
  # Format for domains (one per line):
  .example.com
  example.org
  subdomain.example.net
  # Format for IP addresses:
  192.168.1.0/24
  10.0.0.1
- In the tinyproxy.conf file, add:
  Filter "/etc/tinyproxy/bypass/no_proxy.filter"
  FilterDefaultDeny No
  FilterType Reverse
  FilterCaseSensitive No
The FilterType Reverse setting means that the listed domains will bypass the upstream proxy (opposite of regular filtering).
For more advanced control, you can use a custom script. Create a file /usr/local/bin/tinyproxy-bypass.sh:
sudo nano /usr/local/bin/tinyproxy-bypass.sh
Add this content:
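#!/bin/bash
# Extract domain/IP from the request line passed as the first argument
HOST=$(printf '%s\n' "$1" | grep -oP '(?<=Host: ).*(?=\r)')
CONNECT=$(printf '%s\n' "$1" | grep -oP 'CONNECT \K[^:]+')
# Prefer the CONNECT target; fall back to the Host header
TARGET=${CONNECT:-$HOST}
# An empty target would match every line of the filter file, so use the upstream proxy
if [ -z "$TARGET" ]; then
    exit 0
fi
# Check if the target should bypass the proxy (-F: fixed string, so "." is not a regex wildcard)
if grep -qF -- "$TARGET" /etc/tinyproxy/bypass/no_proxy.filter; then
    exit 1 # Bypass upstream proxy
else
    exit 0 # Use upstream proxy
fi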
Make it executable:
sudo chmod +x /usr/local/bin/tinyproxy-bypass.sh
Then add to tinyproxy.conf:
FilterExtended On
FilterExtendedStatus 1
FilterExtendedExecPath "/usr/local/bin/tinyproxy-bypass.sh"
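The script above decides by substring search, so a target such as ample.org is found inside the example.org line while 192.168.1.50 is never found inside 192.168.1.0/24. A stricter matcher for the same filter file follows as an added example that is not part of the original guide; the entry semantics are an assumption taken from the comments in the filter file, and make_sample_rules builds constructed sample input.

```shell
#!/bin/sh
# Added example, not part of the original guide. Entry semantics are an assumption
# taken from the comments in no_proxy.filter: ".example.com" = the domain and its
# subdomains, "example.org" = that exact name, "a.b.c.d/n" = IPv4 network.

ip_to_int() {  # dotted quad -> integer on stdout; fails on anything malformed
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

should_bypass() {  # $1 = target host or IP, $2 = rules file; status 0 = bypass
  target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ -n "$target" ] || return 1   # an empty target must never match
  while IFS= read -r entry || [ -n "$entry" ]; do
    entry=$(printf '%s' "${entry%%#*}" | tr -d ' \t\r' | tr 'A-Z' 'a-z')
    case $entry in
      '') continue ;;
      */*)  # IPv4 network in CIDR form
        bits=${entry#*/}
        case $bits in ''|*[!0-9]*|???*|0?*) continue ;; esac
        [ "$bits" -le 32 ] || continue
        t=$(ip_to_int "$target") && n=$(ip_to_int "${entry%/*}") || continue
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        [ $(( t & mask )) -eq $(( n & mask )) ] && return 0 ;;
      .*)   # the domain itself plus any subdomain
        case $target in "${entry#.}"|*"$entry") return 0 ;; esac ;;
      *)    # exact hostname or single address
        [ "$target" = "$entry" ] && return 0 ;;
    esac
  done < "$2"
  return 1
}

make_sample_rules() {  # constructed sample input in the filter file format above
  f=$(mktemp) || return 1
  printf '%s\n' '# constructed sample' '.example.com' 'example.org' \
    '192.168.1.0/24' '10.0.0.1' > "$f"
  echo "$f"
}
```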
HTTPS traffic requires special handling as Tinyproxy acts as a tunnel rather than a proxy for such requests. Add the following to your configuration:
# Allow HTTPS connections
ConnectPort 443
# If your upstream proxy has HTTPS support
# Uncomment and adjust the upstream directive:
# Upstream https://proxy.example.com:3128
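# Start the service
sudo systemctl start tinyproxy
# Enable it at boot
sudo systemctl enable tinyproxy
# Check its status
sudo systemctl status tinyproxy
# Restart after configuration changes
sudo systemctl restart tinyproxy
# Follow the log
sudo tail -f /var/log/tinyproxy/tinyproxy.log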
curl -x http://localhost:8888 http://httpbin.org/ip
# Should use direct connection (bypass)
curl -x http://localhost:8888 http://example.com
# Should use upstream proxy
curl -x http://localhost:8888 http://google.com
export http_proxy=http://localhost:8888
export https_proxy=http://localhost:8888
export no_proxy=example.com,192.168.1.0/24
curl http://httpbin.org/ip # Should use proxy
curl http://example.com # Should bypass proxy
- Verify Tinyproxy is running:
sudo systemctl status tinyproxy
- Check if the firewall is blocking:
sudo ufw allow 8888/tcp  # for Ubuntu
- Verify the config doesn't have typos:
sudo tinyproxy -d -c /etc/tinyproxy/tinyproxy.conf
- Verify upstream proxy is accessible:
telnet proxy.example.com 3128
- Check authentication details if used
- Ensure proper format in the configuration file
- Increase log level to Debug:
LogLevel Debug
- Verify domains/IPs are correctly formatted in the filter file
- Restart Tinyproxy after changes
Here's a full example configuration that includes all the elements discussed:
# Basic settings
User nobody
Group nogroup
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/var/run/tinyproxy/tinyproxy.pid"
MaxClients 100
MinSpareServers 5
MaxSpareServers 20
StartServers 10
MaxRequestsPerChild 0
# Access control
Allow 127.0.0.1
Allow 192.168.0.0/16
# Upstream proxy configuration
Upstream proxy.example.com:3128
# Direct connection ports
ConnectPort 443
ConnectPort 563
ConnectPort 80
# No proxy rules using filtering
Filter "/etc/tinyproxy/bypass/no_proxy.filter"
FilterDefaultDeny No
FilterType Reverse
FilterCaseSensitive No
# Optional extended filtering using custom script
FilterExtended On
FilterExtendedStatus 1
FilterExtendedExecPath "/usr/local/bin/tinyproxy-bypass.sh"
# SOCKS5 support (if needed)
# Uncomment to enable SOCKS5 forwarding
# Socks5Proxy proxy.example.com:1080
To get the best performance from Tinyproxy:
- Increase MaxClients if you have many connections:
  MaxClients 200
- Adjust server pool for your system's resources:
  MinSpareServers 10
  MaxSpareServers 30
  StartServers 15
- Enable buffer limits to prevent memory issues:
  AddHeader "X-Forwarded-For" "${remote-ip}"
  ReversePath "/example" "http://example.org/"
- Configure ViaProxyName to disguise the proxy:
  ViaProxyName "proxy"
This configuration should give you a lightweight and efficient proxy setup that forwards traffic to your upstream proxy while bypassing it for specified domains and IP addresses.