I tried out this tool to set up a forward proxy on the client side of the communication and a reverse proxy on the server side. I wanted to use this so that I could do experiments on the network between the forward proxy and reverse proxy, without the client and server’s involvement.
Reverse proxies are mostly used as a load balancer, where we connect with a reverse proxy which then decides to which machine it should send the request.
“(…) With reverse proxying it’s possible to make a number of sites appear as if they were part of a single site (…)”
from the manual of the configuration file of Tinyproxy.
The following requirements represent what I used in my experiment:
- An image with a Linux OS distribution — I used a Debian GNU/Linux 8.9 (Jessie);
- 4 virtual machines to serve as client, forward proxy, reverse proxy and server — I used VirtualBox to run these machines, with the Debian’s OS image;
- The server has to run a Web Server — I used Apache HTTP server, to return the default HTML page saying “It works!”;
- The client has to have a browser or a command-line tool installed such as curl, to do HTTP requests;
- The forward and reverse proxy machines should have tinyproxy installed — Next I’ll show how to install it on the Debian machines. The version I used was 1.8.3.
I created isabelcosta/testing-tiny-proxy repository on Github with the configuration files needed to run both roles of forward proxy and reverse proxy.
VirtualBox lets you configure the network settings of the virtual machines. I used Nat Network setting which allowed me to have all the machines within the same network. These were the IP assigned to each machine.
- Client — 10.0.2.33
- Forward Proxy — 10.0.2.35
- Reverse Proxy — 10.0.2.36
- Server — 10.0.2.34
These IP addresses will be important, because they will appear in the examples of how to test the system.
To install Tinyproxy, you have to type the following command into the forward and reverse proxy machines’s terminal:
apt-get install tinyproxy
Setting up the system
Tinyproxy works according to configuration files. I wrote two configurations, one for the forward proxy and another for the reverse proxy.
Forward proxy configuration files:
## forwardproxy.conf -- tinyproxy daemon configuration file User nobody Group nogroup Port 8888 Listen 10.0.2.35 BindSame yes Timeout 600 DefaultErrorFile "/usr/share/tinyproxy/default.html" StatFile "/usr/share/tinyproxy/stats.html" Logfile "/var/log/tinyproxy/tinyproxy.log" #Syslog On LogLevel Info PidFile "/var/run/tinyproxy/tinyproxy.pid" # Comment to use only the forward proxy # Uncomment to forward the traffic to the reverse proxy #Upstream 10.0.2.36:8888 MaxClients 100 MinSpareServers 2 MaxSpareServers 5 StartServers 2 MaxRequestsPerChild 0 Allow 127.0.0.1 Allow 10.0.2.0/24 ViaProxyName "tinyproxy1" ConnectPort 8888 ConnectPort 80 # The following two ports are used by SSL. ConnectPort 443 ConnectPort 563
Reverse proxy configuration files:
## reverseproxy.conf -- tinyproxy daemon configuration file User nobody Group nogroup Port 8888 Listen 10.0.2.36 BindSame yes Timeout 600 StatFile "/usr/share/tinyproxy/stats.html" Logfile "/var/log/tinyproxy/tinyproxy.log" #Syslog On LogLevel Info PidFile "/var/run/tinyproxy/tinyproxy.pid" MaxClients 5 MinSpareServers 2 MaxSpareServers 5 StartServers 2 MaxRequestsPerChild 0 Allow 127.0.0.1 Allow 10.0.2.0/24 Allow 10.0.2.35 ViaProxyName "tinyproxy2" ConnectPort 8888 ConnectPort 80 # The following two ports are used by SSL. ConnectPort 443 ConnectPort 563 ReversePath "/test/" "http://10.0.2.34:80/" #ReversePath "/" "http://10.0.2.34:80/" ReversePath "/wired/" "http://www.wired.com/" ReverseOnly Yes ReverseMagic Yes ReverseBaseURL "http://10.0.2.36:8888/"
To run tinyproxy with a specific configuration just do the following:
tinyproxy -c <configuration-file>
E.g.: tinyproxy -c forwardproxy.conf
Testing the system
First make sure that the server is running accordingly and you can access the server with the following command, from any of the machines, since all of them are in the same network. You can test this using curl command line tool or on a browser:
Now to test the whole system, if you want to use curl you can type this on the client machine console:
curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888/
This is the output of the previous command:
root@debian:/home/debian# curl -v --proxy http://10.0.2.35:8888 http://10.0.2.36:8888 * Rebuilt URL to: http://10.0.2.36:8888/ * Hostname was NOT found in DNS cache * Trying 10.0.2.35... * Connected to 10.0.2.35 (10.0.2.35) port 8888 (#0) > GET http://10.0.2.36:8888/ HTTP/1.1 > User-Agent: curl/7.38.0 > Host: 10.0.2.36:8888 > Accept: */* > Proxy-Connection: Keep-Alive > < HTTP/1.1 200 OK < Via: 1.0 tinyproxy2 (tinyproxy/1.8.3), 1.1 tinyproxy1 (tinyproxy/1.8.3) < Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT < Date: Tue, 12 Dec 2017 23:01:37 GMT < Content-Type: text/html < ETag: "2d-432a5e4a73a80" < Set-Cookie: yummy_magical_cookie=/; path=/ * Server Apache/2.4.29 (Unix) is not blacklisted < Server: Apache/2.4.29 (Unix) < Content-Length: 45 < Accept-Ranges: bytes < <html><body><h1>It works!</h1></body></html> * Connection #0 to host 10.0.2.35 left intact
Another way to see that this is working, is by using Wireshark tool. This tool allows you to see network traffic. Before testing the system start running Wireshark. By testing in a local network you can see the whole traffic from the client to the server. After requesting and receiving the response from the server, if you filter the Wireshark captures by “http”, you should see a result similar to the following image.
In this Wireshark capture you can see the traffic in both directions: client ↔ forward proxy ↔ reverse proxy ↔ server.
To check log file and the forward and reverse proxies, you can type the following on either the machines:
If you want to test this in another way you can change the proxies’ configuration files on isabelcosta/testing-tiny-proxy repository.
Tips & Notes
- If you want to set up other paths you can do it with the “ReversePath” keyword. E.g.: ReversePath “/test” “http://10.0.2.34:80/” — in this way you can access the server by typing “http://10.0.2.36:8888/test”
- I was always getting the error 400 Bad Request, because I was using this tool in the wrong way. I was using curl to connect with the server as the endpoint instead of the reverse proxy. The reverse proxy does not work as a forward proxy, so don’t use the “upstream” keyword to forward the traffic to the reverse proxy.