Tinyproxy -- A must for many Ubuntu users

[SuperMike]

At my house, I'm a dad who uses Linux. I have some kids. They're starting to grow up and go to more questionable sites on the Internet (on urging from friends) and it's my job to police it. I am one of these dads who think that kids get enough exposure to bad stuff from TV, movies, and the public schools, and I don't think they need any more influences until their minds are mature enough to handle it. I also limit the kinds of movies they watch and the kinds of TV shows too. With my oldest child, I have let her watch a bit more than her younger brother, so I mean to say that I'm not the meanest dad in the world. I really do let a kid grow up -- I just try to wait until I think their minds are mature enough to wrap around certain concepts and strong enough to fend off peer pressure.

Anyway, I had to secure their Internet surfing. I needed to introduce a proxy. At my office, I spent a lot of time learning Squid proxy and it was frustrating but possible to get it going. That's when I discovered tinyproxy. With this, I was able to get going much, much faster. It's not as robust, but it's got just enough features to get you going.

Here's my cheat sheet on getting tinyproxy going at your home. Note that I recommend you stick with Squid if you plan on controlling more than 50 people with a proxy, and even at that, I recommend multiple network cards and/or multiple proxy servers behind a load balancer device for some real performance gains. But for average household use, tinyproxy is probably the tool for you.

1. From your home Linux system, type:

sudo gedit /etc/apt/sources.list &

2. Uncomment the universe options (temporarily) and save and quit editor.

3. Type:

sudo apt-get update

(WARNING: Ignore if Ubuntu pops open a window asking you to update your system -- if you update, you might end up pulling from the universe source and it could make your system more unstable. We'll undo this in a moment.)

sudo apt-get install tinyproxy
sudo gedit /etc/apt/sources.list &

4. Comment the universe options and save and quit the editor.

5. Type:

sudo apt-get update
sudo gedit /etc/tiny*/*.conf &

6. Uncomment these lines:

Filter "/etc/tinyproxy/filter"
FilterURLs On

7. Don't close your editor just yet. Think about your home subnet. Is it "192.168.0.x"? (In many cases this is the case if you are using Windows or are behind a Cable\DSL router. See what IP addresses your home PCs use and that should help you define your subnet. If you don't have a subnet, then that's beyond the discussion here about how to set up your own home subnet. Look elsewhere in Ubuntu Forums for that.)

8. In your tinyproxy.conf file that you're still editing, add a line like this for your current subnet, assuming it's "192.168.0.x":

Allow 192.168.0.0/24

9. The /24 stands for the "netmask". The short of it is that it allows 0-255 on the last part of the IP address, meaning, usually, your entire home subnet. I've got you going with a shortcut. If you want more help on netmasks, that's beyond the discussion here. I had to Google for it with keywords "squid and netmask" because tinyproxy and Squid use the same kind of "Allow" statement.

10. Now save your tinyproxy.conf file.

11. Type:

sudo cp /usr/share/tinyproxy/default.html /usr/share/tinyproxy/default.html.ORIGINAL
sudo gedit /usr/share/tinyproxy/default.html &

12. Now you see an HTML page. The reason I took you here is because this is the template page one sees when they have violated the proxy and gone somewhere they should not have. By default, this page is fairly ugly, and, frankly, confusing for young eyes to see. If you know a little HTML, edit this file to make it less confusing for children. Just note that this HTML is special in that it cannot load images -- it's just text you can put in here. Also watch out for the {} statements -- these are fillers that get filled in by the proxy. Now save the file when done.

13. Type:

sudo gedit /etc/tiny*/filter &

14. Now you're editing the filter file. In this part, it's actually pretty hillarious. I don't recommend you let anyone see you type this. You have to think up all the vile keywords on the planet that are not part of another word. For instance, if you look closely at the word "grapes", there's a vile word in there. The same with "advertisement" if you look close enough. So you can't filter on those kinds of vile words (that are inside "advertisement" and "grapes".) However, you can filter on other vile words. So, you can only use keywords that are not part of some other word. That discussion is beyond the discussion of this forum. And hey, if you don't have to type this vile list, but can find it on the Internet and download it, then that's your choice and will probably save you the hassle. You can also put in stuff like "http://www.dontgohere.com" for sites like "dontgohere.com" when you don't want users going there. When done, save the file.

15. Now we bounce the tinyproxy by doing:

sudo /etc/init.d/tinyproxy restart
sudo gedit /etc/crontab &

(Note it's a space after "tinyproxy" and before "restart".)

16. In crontab, add this line to bounce the tinyproxy at night so that you can kill any chance of a memory leak and make it run faster:

0 22 * * * root /etc/init.d/tinyproxy restart

Note that I did a <TAB KEY> after 22 and after the last * and after "root". Also, make certain there's a line wrap at the end of the line after "restart" or it probably won't "take". Note also I have a space between "tinyproxy" and "restart". Now save this file.

17. Now go to your kid's home PCs and change the settings in them so that they use this proxy. In my firefox, that's under a button in the Preferences dialog called "Connection Settings". Just point it to your IP address of the Linux proxy and set the port to 8888. I wouldn't bother with anything except HTTP proxy. Don't bother with SSL, FTP, all SOCKS, etc. Test this with yourself, first, of course, and see how it works. Note that your spouse might not like this proxy with amazon.com, ebay.com, or her banking sites, so you might want to put exceptions in the browser settings to not use the proxy when visiting these sites.

18. Note when you have to change your filter file, you have to restart the tinyproxy by doing:

sudo /etc/init.d/tinyproxy restart

19. When you want to debug what's going on, or simply to check up on your kids browsing habits, look in:

sudo /var/log/tinyproxy.log

20. Note that you can edit the log level to make it less verbose -- just read the info on that in your tinyproxy.conf file.

Enjoy!

[ssalman]

Thank you so much, your how to helped me a great deal in setting up my proxy/filter server. Do you know where I can find more filtering details to setup my rules? Thanks.

[SuperMike]

Quote:

Originally Posted by ssalman Thank you so much, your how to helped me a great deal in setting up my proxy/filter server. Do you know where I can find more filtering details to setup my rules? Thanks.

Very good question. You can see the /etc/tinyproxy/tinyproxy.conf file has some notes inside, and you can 'man tinyproxy', but I'll admit that it's not very clear for newbies and I had to do some experimenting. I'd like to suggest you contact tinyproxy's most active maintainer...

rjkaes@users.sourceforge.net

...to ask where the preferred system op documentation is kept.

[Ptero-4]

Hi. Does tinyproxy work on a computer that connects to the internet through dialup?

[SuperMike]

Dialup? Yes. It's a service (aka once called a "daemon" back in the olden days) and your browser points to it in the proxy settings on a certain TCP port number. It then checks the filter for authorized access and only permits out traffic that you have permitted.

Things also to note:

* There *might* be a way to see if someone knows how to change the option in Firefox's "about:config" URL such that you cannot override the proxy settings. Another route, although it takes some reading up on what a "chrome" is and how to design a tiny one in the "XUL" language, you can feed this XUL-based chrome file to firefox-bin, instead, and it will show a new kind of browser window with only the buttons and fields you want, thereby limiting one's access to edit the settings.

* I'm not 100% certain of this, but there *might* be a way in the tinyproxy or iptables firewall configuration such that it forces all network traffic on the system to not permit any network activity except that which travels through the proxy. I think I have heard of this before as an option somewhere. (Anyone else have any answer on this, guys?)

[ssalman]

Thanks SuperMike. But I have just hit a wall in my setup, I have a windows machine connected to tinyproxy which has an outlook email program, and I could not setup outlook to go through the proxy, I know it's not a linux question, but do anyone have a hint on connecting an email program through a proxy, I can replace outlook with whatever program I can get to work... googling turned out SocksCap but I couldn't get it to work yet!

Any help is appreciated.

Thanks.

[SuperMike]

Quote:

Originally Posted by ssalman Thanks SuperMike. But I have just hit a wall in my setup, I have a windows machine connected to tinyproxy which has an outlook email program, and I could not setup outlook to go through the proxy, I know it's not a linux question, but do anyone have a hint on connecting an email program through a proxy, I can replace outlook with whatever program I can get to work... googling turned out SocksCap but I couldn't get it to work yet!

Set IE to use the proxy for all activity (not just web) and OE inherits the settings.

However, you won't get much benefit -- tinyproxy is designed to just look at URLs, not emails. If an email pulls from something remotely over HTTP/HTTPS, then yes, you may get some benefit.

A better approach would be to ensure you have SpamAssassin on your mail server and then switch to Mozilla Thunderbird. Then, turn on Junk Mail Controls in Thunderbird because it's turned off by default.

[ssalman]

Thanks SuperMike, I tryed to go that direction but it didn't work, I used the following site howto to setup a SocksCap on the machine, but still was not able to get OE to work.

My goal is just to get emails and not to filter them, so I don't really need SpamAssassin or TinyProxy to filter the incoming messages, I just need to be able to connect to the SMTP and POP3 servers through the proxy machine as it is the only machine in the network with internet access... any ideas... Thanks!!

[peanut butter]

can you access the internet (with a web browser) on your windows machine without the proxy configured?

if you can then i would suggest using an old machine as the proxy instead of your gateway also acting as a proxy.

[ssalman]

Okay, here is my setup...

Internet <===> Ubuntu Proxy PC <===> Wireless Router <===> Windows PCs

So you see, without a proxy there is no internet connection at the Windows PCs. But when using the proxy I can surf the internet from any of the windows PCs, the trick is how do I setup the SMPT/POP services so that it goes through the proxy too? knowing that Outlook Exchange (OE) probably does not have Proxy settings... and I tried to do the SocksCap thing and it didn't work for me...

Any ideas... thanks.