Hi, thanks to all of you for your help and sorry for this late reply, but I had quite a lot of work during the past weeks.

I managed to make it all work. I noticed that the problem came from my redirector program: Tinyproxy (or the iptables?) adds the port number to the URL; my redirector program had too strict rules and was not accepting this, so there was no match and the request was not redirected. I'm now using this configuration - iptables->tinyproxy->polipo - (on an Asus WL500-G Premium) for a few days, and I must say that I can't feel a huge loss of speed while browsing (although some tests showed me that it is about 5 times slower than before). Unfortunately there are still some bugs that I have to solve (youtube videos can't be found, ...).

Cheers,
Raoul

Tom Lee wrote:
> Hi Raoul,
>
> I'm the author of that post on labs.echoditto.com. I don't know if you got to it beforehand, but I see that the config files attached to it are currently returning 404s -- sorry about that. I'm afraid I don't have them on hand any longer, but I do have some slightly-outdated notes that I made about how I got the squid/polipo configuration working. I'm pasting those notes into the bottom of this email; I hope they're helpful. Let me add two suggestions:
>
> First, as is probably already obvious, it sounds like your problem is either collecting data that should be sent to tinyproxy, or sending that data on from tinyproxy to polipo. Since the latter step is pretty straightforward (see below for confirmation of a working config directive), I suspect it's the former. Can you successfully send traffic through tinyproxy when polipo is removed from the equation? You should be able to diagnose this by looking at the http headers of the resulting request.
>
> Second, a word of warning: I was not ultimately able to find a stable configuration using tinyproxy and polipo. Redirection is very finicky, for one thing, although it can be made to work. But any load testing (or just heavy web-browsing use) will exhaust your available memory and slow everything to a crawl. If you can find a set of configuration directives that avoid this problem, please post them to the list! But at the moment it's my belief that the WRT just doesn't have enough memory to make the dual-proxy setup workable under real-world use. I think it's more feasible to just have the OWRT box work as a transparent proxy that sends traffic to a beefier squid box upstream.
>
> Good luck, and please report back if you have success.
>
> Transparent proxy stuff:
>
> 1. polipo & conf file (/etc/polipo/polipo.conf)
> diskCacheRoot=""
> chunkHighMark=4194304
> logFile=/var/log/polipo.log
> daemonise=true
> allowedClients=192.168.1.0/24
> proxyAddress=192.168.1.1
> redirector=/etc/polipo/redirector.pl
>
> 2. tinyproxy & conf file (/etc/tinyproxy/tinyproxy.conf)
> ##
> ## tinyproxy.conf -- tinyproxy daemon configuration file
> ##
>
> #
> # Name of the user the tinyproxy daemon should switch to after the port
> # has been bound.
> #
> User nobody
> Group nogroup
>
> #
> # Port to listen on.
> #
> Port 8888
>
> #
> # If you have multiple interfaces this allows you to bind to only one. If
> # this is commented out, tinyproxy will bind to all interfaces present.
> #
> Listen 192.168.1.1
>
> #
> # The Bind directive allows you to bind the outgoing connections to a
> # particular IP address.
> #
> #Bind 192.168.0.1
>
> #
> # Timeout: The number of seconds of inactivity a connection is allowed to
> # have before it is closed by tinyproxy.
> #
> Timeout 600
>
> #
> # ErrorFile: Defines the HTML file to send when a given HTTP error
> # occurs. You will probably need to customize the location to your
> # particular install. The usual locations to check are:
> # /usr/local/share/tinyproxy
> # /usr/share/tinyproxy
> # /etc/tinyproxy
> #
> # ErrorFile 404 "/usr/share/tinyproxy/404.html"
> # ErrorFile 400 "/usr/share/tinyproxy/400.html"
> # ErrorFile 503 "/usr/share/tinyproxy/503.html"
> # ErrorFile 403 "/usr/share/tinyproxy/403.html"
> # ErrorFile 408 "/usr/share/tinyproxy/408.html"
>
> #
> # DefaultErrorFile: The HTML file that gets sent if there is no
> # HTML file defined with an ErrorFile keyword for the HTTP error
> # that has occurred.
> #
> DefaultErrorFile "/usr/share/tinyproxy/default.html"
>
> #
> # StatFile: The HTML file that gets sent when a request is made
> # for the stathost. If this file doesn't exist a basic page is
> # hardcoded in tinyproxy.
> #
> StatFile "/usr/share/tinyproxy/stats.html"
>
> #
> # Where to log the information. Either LogFile or Syslog should be set,
> # but not both.
> #
> Logfile "/var/log/tinyproxy.log"
> # Syslog On
>
> #
> # Set the logging level. Allowed settings are:
> # Critical (least verbose)
> # Error
> # Warning
> # Notice
> # Connect (to log connections without Info's noise)
> # Info (most verbose)
> # The LogLevel logs from the set level and above. For example, if the LogLevel
> # was set to Warning, then all log messages from Warning to Critical would be
> # output, but Notice and below would be suppressed.
> #
> LogLevel Info
>
> #
> # PidFile: Write the PID of the main tinyproxy thread to this file so it
> # can be used for signalling purposes.
> #
> PidFile "/var/run/tinyproxy.pid"
>
> #
> # Include the X-Tinyproxy header, which has the client's IP address when
> # connecting to the sites listed.
> #
> #XTinyproxy mydomain.com
>
> #
> # Turns on upstream proxy support.
> #
> # The upstream rules allow you to selectively route upstream connections
> # based on the host/domain of the site being accessed.
> #
> # For example:
> # # connection to test domain goes through testproxy
> # upstream testproxy:8008 ".test.domain.invalid"
> # upstream testproxy:8008 ".our_testbed.example.com"
> # upstream testproxy:8008 "192.168.128.0/255.255.254.0"
> #
> # # no upstream proxy for internal websites and unqualified hosts
> # no upstream ".internal.example.com"
> # no upstream "www.example.com"
> # no upstream "10.0.0.0/8"
> # no upstream "192.168.0.0/255.255.254.0"
> # no upstream "."
> #
> # # connection to these boxes go through their DMZ firewalls
> # upstream cust1_firewall:8008 "testbed_for_cust1"
> # upstream cust2_firewall:8008 "testbed_for_cust2"
> #
> # # default upstream is internet firewall
> # upstream firewall.internal.example.com:80
> #
> # The LAST matching rule wins the route decision. As you can see, you
> # can use a host, or a domain:
> # name matches host exactly
> # .name matches any host in domain "name"
> # . matches any host with no domain (in 'empty' domain)
> # IP/bits matches network/mask
> # IP/mask matches network/mask
> #
> #Upstream some.remote.proxy:port
> upstream 192.168.1.1:8123 ".manifestdensity.net"
>
> #
> # This is the absolute highest number of threads which will be created. In
> # other words, only MaxClients number of clients can be connected at the
> # same time.
> #
> MaxClients 100
>
> #
> # These settings set the upper and lower limit for the number of
> # spare servers which should be available. If the number of spare servers
> # falls below MinSpareServers then new ones will be created. If the number
> # of servers exceeds MaxSpareServers then the extras will be killed off.
> #
> MinSpareServers 5
> MaxSpareServers 20
>
> #
> # Number of servers to start initially.
> #
> StartServers 10
>
> #
> # MaxRequestsPerChild is the number of connections a thread will handle
> # before it is killed. In practise this should be set to 0, which disables
> # thread reaping. If you do notice problems with memory leakage, then set
> # this to something like 10000
> #
> MaxRequestsPerChild 0
>
> #
> # The following are the authorization controls. If there are any access
> # control keywords then the default action is to DENY. Otherwise, the
> # default action is ALLOW.
> #
> # Also the order of the controls is important. The incoming connections
> # are tested against the controls based on order.
> #
> Allow 127.0.0.1
> Allow 192.168.1.0/24
>
> #
> # The "Via" header is required by the HTTP RFC, but using the real host name
> # is a security concern. If the following directive is enabled, the string
> # supplied will be used as the host name in the Via header; otherwise, the
> # server's host name will be used.
> #
> ViaProxyName "tinyproxy"
>
> #
> # The location of the filter file.
> #
> #Filter "/etc/tinyproxy/filter"
>
> #
> # Filter based on URLs rather than domains.
> #
> #FilterURLs On
>
> #
> # Use POSIX Extended regular expressions rather than basic.
> #
> #FilterExtended On
>
> #
> # Use case sensitive regular expressions.
> #
> #FilterCaseSensitive On
>
> #
> # Change the default policy of the filtering system. If this directive is
> # commented out, or is set to "No" then the default policy is to allow
> # everything which is not specifically denied by the filter file.
> #
> # However, by setting this directive to "Yes" the default policy becomes to
> # deny everything which is _not_ specifically allowed by the filter file.
> #
> #FilterDefaultDeny Yes
>
> #
> # If an Anonymous keyword is present, then anonymous proxying is enabled.
> # The headers listed are allowed through, while all others are denied. If
> # no Anonymous keyword is present, then all headers are allowed through.
> # You must include quotes around the headers.
> #
> #Anonymous "Host"
> #Anonymous "Authorization"
>
> #
> # This is a list of ports allowed by tinyproxy when the CONNECT method
> # is used. To disable the CONNECT method altogether, set the value to 0.
> # If no ConnectPort line is found, all ports are allowed (which is not
> # very secure.)
> #
> # The following two ports are used by SSL.
> #
> ConnectPort 443
> ConnectPort 563
>
> 3. startup script for proxies
> #!/bin/sh /etc/rc.common
> # proxy startup script
> # Copyright (C) 2007 OpenWrt.org
>
> START=10
> STOP=15
>
> start()
> {
>     echo start
>     # commands to launch application
>     tinyproxy
>     polipo -c /etc/polipo/polipo.conf
> }
>
> stop()
> {
>     echo stop
>     # commands to kill application
>     killall polipo
>     killall tinyproxy
> }
>
> 4. microperl & redirect script
> #!/usr/bin/microperl
> $|=1;
> while (<>)
> {
>     #open(FILE,'>>/var/log/redirector');
>     #print FILE $_;
>     #close(FILE);
>     s...@http://.*\....@http://server.com/something.jpg@;
>     #print FILE;
>     print;
> }
>
> 5. iptables-mod-nat and kmod-ipt-nat to allow iptables redirect
>
> 6. /etc/firewall.user to include
> iptables -A PREROUTING -t nat -p tcp --destination-port 80 -j REDIRECT --to-ports 8888
>
> On Thu, Dec 11, 2008 at 7:40 AM, Raoul NEU <[email protected]> wrote:
>
> > Hi all,
> >
> > I read the thread about the tinyproxy-polipo-alternative of squid on OpenWRT
> >
> > http://www.mail-archive.com/[email protected]/msg00213.html
> > &&
> > http://labs.echoditto.com/proxy-based-mischief-with-openwrt
> >
> > Unfortunately I didn't manage to configure tinyproxy correctly:
> > I use a redirector with polipo, and this works well if I connect (Firefox, ...) directly to polipo
> > (or if I tell my local squid to connect to polipo).
> >
> > If I connect polipo as a parent proxy to tinyproxy via an upstream, it loads websites - but the original ones, not those that my redirector should output.
> >
> > Iptables, Tinyproxy and Polipo all run on a Kamikaze 7.09 (Linux 2.4) OpenWRT.
> >
> > Does anybody have an idea what's wrong?
> >
> > Cheers,
> > rn
> > _______________________________________________
> > openwrt-users mailing list
> > [email protected]
> > http://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
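Raoul's finding above, that the redirector's pattern stopped matching once the request URL carried an explicit :80 port, applies to any URL-matching redirector or filter: a rule written for http://host/ silently misses http://host:80/, which for a filtering redirector is a bypass rather than a mere outage. As an added example (not code from this thread or from polipo), here is a Python sketch of a Squid-style redirector, the protocol polipo's redirector= hook speaks, that normalises the URL before matching; the rule table, the block-notice target URL and the exact field layout of the input line are assumptions.

```python
# Added example: Squid-style redirector, as used by polipo's redirector= hook.
# Protocol: one request per stdin line, one reply line back; an empty reply
# leaves the request unchanged. The URL is normalised first so that
# "http://host:80/x" and "http://host/x" hit the same rule.
# Assumed: the URL is the first whitespace-separated field; RULES is constructed.
import re
import sys
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed rule table: host suffix -> replacement URL (hypothetical values).
RULES = {".example.net": "http://proxy.example/blocked.html"}


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop an explicit default port, ensure a path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # raises ValueError on a malformed port
    netloc = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def strict_match(url: str) -> bool:
    """The over-strict shape described in the thread: the host must end at '/'."""
    return re.match(r"^http://[^/:]+/", url) is not None


def redirect(line: str, rules=RULES) -> str:
    """Reply for one redirector input line: the new URL, or '' for no rewrite."""
    fields = line.split()
    if not fields:
        return ""
    try:
        url = normalize_url(fields[0])
    except ValueError:
        return ""  # unparseable URL: pass the request through untouched
    host = urlsplit(url).hostname or ""
    for suffix, target in rules.items():
        if host == suffix.lstrip(".") or host.endswith(suffix):
            return target
    return ""


if __name__ == "__main__":
    for request in sys.stdin:  # line-buffered loop, like the microperl script
        sys.stdout.write(redirect(request) + "\n")
        sys.stdout.flush()
```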
