Tinyproxy is a lightweight, open-source HTTP/HTTPS proxy server designed for minimal resource consumption on Linux systems. It provides basic proxy functionality suitable for embedded devices, personal use, or small-scale network environments where resource efficiency is critical.
Overview and Use Cases
Tinyproxy prioritizes a small footprint and straightforward configuration over extensive features like advanced caching, comprehensive authentication methods, or SOCKS proxy capabilities found in larger proxy solutions. It functions primarily as an HTTP/HTTPS (CONNECT method) proxy.
Typical use cases for Tinyproxy include:
- Personal Proxy: Shielding client IP addresses or bypassing basic geo-restrictions for individual users.
- Embedded Systems: Providing proxy services on devices with limited CPU, RAM, and storage resources.
- Development Environments: Local testing of proxy-aware applications or network traffic inspection.
- Small Network Gateway: A simple, non-caching proxy for a limited number of clients.
- Chaining Proxies: Acting as an intermediary in a multi-proxy setup.
Installation
Tinyproxy is available in the standard package repositories of most Linux distributions.
Debian/Ubuntu
```bash
sudo apt update
sudo apt install tinyproxy
```
RHEL/CentOS/Fedora
```bash
sudo dnf install tinyproxy
# Or for older CentOS/RHEL:
# sudo yum install tinyproxy
```
After installation, Tinyproxy typically starts automatically and listens on port 8888.
Configuration
Tinyproxy's configuration is managed through a single file, typically located at /etc/tinyproxy/tinyproxy.conf. All directives are commented within the default file, providing self-documentation.
Essential Directives
- Port: Specifies the port Tinyproxy listens on.
  ```
  Port 8888
  ```
  Changing this requires restarting the Tinyproxy service.
- Listen: Binds Tinyproxy to a specific IP address. By default, it listens on all available interfaces (0.0.0.0). Specifying an address restricts access.
  ```
  Listen 192.168.1.10
  ```
- Allow: Defines IP addresses or subnets permitted to connect to the proxy. Multiple `Allow` directives can be used. If no `Allow` directives are specified, Tinyproxy allows connections from all hosts. Explicitly denying all and then allowing specific ranges is a common security practice.
  ```
  # Deny all by default (if no Allow directives are present, this is implicitly false)
  # Allow 127.0.0.1
  # Allow 192.168.1.0/24
  ```
- Timeout: Sets the idle timeout for connections in seconds.
  ```
  Timeout 600
  ```
- User/Group: Specifies the user and group Tinyproxy should drop privileges to after startup. Running as a non-root user is a security best practice.
  ```
  User tinyproxy
  Group tinyproxy
  ```
- LogLevel: Controls the verbosity of logging. Options include `Critical`, `Error`, `Warning`, `Notice`, `Info`, `Debug`.
  ```
  LogLevel Info
  ```
- LogFile: Specifies the path to the log file.
  ```
  LogFile "/var/log/tinyproxy/tinyproxy.log"
  ```
- MaxClients: Sets the maximum number of simultaneous client connections Tinyproxy will handle. Exceeding this limit results in connection rejection.
  ```
  MaxClients 100
  ```
- DisableViaHeader: When enabled, Tinyproxy will not add a `Via` header to outgoing requests. This can enhance privacy by preventing the disclosure of the proxy's presence.
  ```
  DisableViaHeader Yes
  ```
- ConnectPort: Specifies which ports Tinyproxy will allow for `CONNECT` requests (used for HTTPS tunneling). Multiple `ConnectPort` directives can be used.
  ```
  ConnectPort 443
  ConnectPort 563
  ```
Advanced Configuration Directives
- Upstream: Chains Tinyproxy to another proxy server. This directive specifies an upstream proxy for specific domains or all traffic.
  ```
  # Use upstream_proxy.example.com:8080 for all requests
  Upstream http upstream_proxy.example.com:8080
  # Use a different upstream for specific domains
  Upstream http 10.0.0.1:3128 "example.com"
  Upstream http 10.0.0.1:3128 ".example.org"
  ```
  The `http` keyword indicates an HTTP proxy. `Upstream` directives are processed in order; the first match applies.
- NoCache: Prevents Tinyproxy from sending specific HTTP headers that could cause client-side caching. This does not imply Tinyproxy itself has a caching mechanism.
  ```
  NoCache
  ```
- Filter/FilterURLs/FilterBypass: Provides basic content filtering based on regular expressions.
  - `Filter "/etc/tinyproxy/filter.txt"`: Specifies a file containing regular expressions for URLs to block.
  - `FilterURLs Yes`: Enables URL filtering.
  - `FilterBypass "192.168.1.0/24"`: Allows specified clients to bypass filtering.

  The `filter.txt` file would contain one regular expression per line. For example, to block Facebook:
  ```
  .*facebook\.com.*
  ```
  This is a rudimentary filtering mechanism and not a replacement for dedicated content filtering solutions.
Service Management
After modifying tinyproxy.conf, the Tinyproxy service must be restarted for changes to take effect.
Systemd (Modern Linux Distributions)
```bash
sudo systemctl restart tinyproxy
sudo systemctl enable tinyproxy # Ensure it starts on boot
sudo systemctl status tinyproxy
```
SysVinit (Older Linux Distributions)
```bash
sudo /etc/init.d/tinyproxy restart
sudo /etc/init.d/tinyproxy status
```
Testing the Proxy
After configuration and service restart, the proxy can be tested.
Using curl
```bash
curl -x http://localhost:8888 http://ipinfo.io/ip
```
Replace localhost:8888 with the Tinyproxy server's IP and port if testing from a different machine. The output should reflect the Tinyproxy server's public IP address, not the client's.
Browser Configuration
Configure your web browser (e.g., Firefox, Chrome) to use an HTTP proxy at the Tinyproxy server's IP address and port. Access a website to confirm connectivity.
Security Considerations
- Access Control: Always restrict access to the proxy using the `Allow` directive. By default, Tinyproxy may allow connections from all hosts if no `Allow` directives are present.
- Firewall: Configure your system's firewall (e.g., `ufw`, `firewalld`) to only allow inbound connections to the Tinyproxy port from trusted IP ranges.
  ```bash
  # Example using ufw
  sudo ufw allow from 192.168.1.0/24 to any port 8888
  sudo ufw enable
  ```
- Non-Root User: Ensure Tinyproxy runs as a non-root user (`User` and `Group` directives) to minimize potential security risks.
- Logging: Monitor Tinyproxy logs for unusual activity.
- DisableViaHeader: Consider enabling this for increased privacy, though it does not provide anonymity.
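
A configuration check for the points above, as an added example that is not part of Tinyproxy or of the original page: it parses a `tinyproxy.conf` body and reports the open-proxy, bind-address, privilege-drop and CONNECT-port conditions. The sample configs and finding names are constructed for illustration; the `CONNECT_ANY_PORT` check assumes Tinyproxy's documented behaviour that, with no `ConnectPort` line, CONNECT is allowed to any port.

```python
import ipaddress
import shlex

# Constructed sample configs (not from the page), built from its directives.
WEAK_CONF = """\
Listen 0.0.0.0
User root
"""
HARDENED_CONF = """\
Listen 192.168.1.10
Allow 127.0.0.1
Allow 192.168.1.0/24   # trusted LAN only
User tinyproxy
Group tinyproxy
ConnectPort 443
"""

def parse_conf(text):
    """Map lower-cased directive -> list of first arguments; '#' comments are dropped."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf.setdefault(tokens[0].lower(), []).append(tokens[1] if tokens[1:] else "")
    return conf

def _net(value):
    """Parse an address or CIDR; hostname-style values return None and are not judged."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def audit(text):
    """Return finding codes (hypothetical names) for one tinyproxy.conf body."""
    conf, findings = parse_conf(text), []
    allows = [_net(a) for a in conf.get("allow", [])]
    if not allows:
        findings.append("OPEN_PROXY_NO_ALLOW")    # no Allow: all hosts may connect
    elif any(n is not None and n.prefixlen == 0 for n in allows):
        findings.append("OPEN_PROXY_ALLOW_ANY")   # e.g. Allow 0.0.0.0/0
    listens = [_net(l) for l in conf.get("listen", [])]
    if not listens or any(n is not None and n.network_address.is_unspecified for n in listens):
        findings.append("LISTEN_ALL_INTERFACES")  # default bind or explicit 0.0.0.0
    if conf.get("user", ["root"])[-1] in ("root", "0", ""):
        findings.append("NO_PRIVILEGE_DROP")      # User missing or set to root
    if "connectport" not in conf:
        findings.append("CONNECT_ANY_PORT")       # assumed default: any port tunnelled
    return findings
```

Commented-out `Allow` lines, as in the sample under Essential Directives, count as no `Allow` at all, so a file that only carries them is still reported as an open proxy.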
Comparison with Squid
Tinyproxy and Squid are both HTTP proxy servers for Linux, but they target different use cases and offer distinct feature sets.
| Feature | Tinyproxy | Squid |
|---|---|---|
| Primary Goal | Minimal resource usage, simplicity | High performance, extensive features, caching |
| Resource Usage | Very low CPU/RAM footprint | Moderate to high CPU/RAM, especially with large caches and high traffic |
| Caching | No built-in caching | Extensive, configurable caching for HTTP objects |
| Authentication | None natively | Basic, Digest, NTLM, Kerberos, external helpers |
| Access Control | IP-based (`Allow` directive) | Highly granular ACLs based on IP, domain, URL, user, time, methods, etc. |
| Protocols | HTTP, HTTPS (CONNECT) | HTTP, HTTPS (CONNECT), FTP, Gopher, SOCKS (client side for upstream) |
| Transparency | No transparent proxy support | Full transparent proxy support |
| Complexity | Simple configuration, few directives | Complex configuration, many directives, powerful scripting capabilities |
| Typical Use | Embedded systems, personal proxy, small LAN | Enterprise networks, ISPs, large organizations, content filtering, security |
Troubleshooting
- Check Logs: The `LogFile` directive specifies where Tinyproxy writes its logs. Increase `LogLevel` to `Debug` for more detailed output during troubleshooting.
  ```bash
  sudo tail -f /var/log/tinyproxy/tinyproxy.log
  ```
- Service Status: Verify Tinyproxy is running using `systemctl status tinyproxy` or `/etc/init.d/tinyproxy status`.
- Firewall: Confirm that your firewall is not blocking connections to the Tinyproxy port. Temporarily disable the firewall for testing if necessary.
- Configuration Syntax: Review `tinyproxy.conf` for any syntax errors. Tinyproxy will often fail to start or report errors in its logs if the configuration is malformed.
- Network Connectivity: Ensure the Tinyproxy server has network connectivity to its intended destinations.