Re: small proxy

2017-05-31 Thread Jorge Almeida
On Wed, May 31, 2017 at 5:33 AM, Jonathan de Boyne Pollard
 wrote:
> Jorge Almeida:
>> As said in the first mail, I need to redirect some targets to a ssh tunnel,
>> and let everything else go its way. Rather than using a proxy, the solution
>> seems obvious: [...]
>
> ... use a Proxy Auto-Configuration script, as that is the function of PAC
> scripts.
>
> * http://jdebp.eu./FGA/web-browser-auto-proxy-configuration.html

Looks like the best solution. I will try to understand how to write the
script. The page doesn't mention https, though.

Thanks

Jorge


Re: small proxy

2017-05-31 Thread Jonathan de Boyne Pollard
Jorge Almeida:
> As said in the first mail, I need to redirect some targets to a ssh tunnel,
> and let everything else go its way. Rather than using a proxy, the solution
> seems obvious: [...]

... use a Proxy Auto-Configuration script, as that is the function of PAC
scripts.

* http://jdebp.eu./FGA/web-browser-auto-proxy-configuration.html
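An added example of the kind of PAC script this suggestion points at (written for this thread, not taken from the linked page or from any project): a few named hosts go through the SOCKS server that `ssh -D` opens on localhost, everything else goes DIRECT. The host names and the port 1080 are assumptions; the domain-matching helper is written out in plain JavaScript so the file also runs outside a browser.

```javascript
// Added example, not from the thread. Routes a short list of hosts through the
// SOCKS listener that "ssh -D 1080 user@work" opens locally; all other traffic
// goes DIRECT. Port and host names below are assumed/constructed.
var TUNNEL = "SOCKS5 127.0.0.1:1080";   // ssh -D listener (assumed port)

// Sites that must be reached from the work network (constructed placeholders).
var VIA_TUNNEL = [
  "journal.example",      // matches the host itself and any subdomain
  "paywalled.example"
];

// Suffix match on label boundaries: "journal.example" matches
// "www.journal.example" but NOT "evil-journal.example".
function hostMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.length > domain.length &&
         host.slice(-(domain.length + 1)) === "." + domain;
}

// The browser calls this for every request. For https URLs modern browsers
// strip path and query before the call (only "https://host/" arrives), so the
// decision is made on the host alone; http and https are routed the same way.
function FindProxyForURL(url, host) {
  for (var i = 0; i < VIA_TUNNEL.length; i++) {
    if (hostMatches(host, VIA_TUNNEL[i])) {
      // Deliberately no "; DIRECT" fallback: if the tunnel is down, the
      // request fails visibly instead of silently going out from home.
      return TUNNEL;
    }
  }
  return "DIRECT";
}
```

Whether the browser also resolves the tunnelled hosts' names through the SOCKS server depends on its SOCKS5 remote-DNS setting (Firefox: `network.proxy.socks_remote_dns`); without it the lookup still happens locally.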


Re: small proxy

2017-05-31 Thread Jorge Almeida
On Wed, May 31, 2017 at 2:54 AM, Martin "eto" Misuth  wrote:
> Heh proxies,
>
> yeah I spent too much time tweaking my polipo and privoxy setups.
>
>> This kind of situation usually means that I'm trying to use the wrong
>> tool. As said in the first mail, I need to redirect some targets to a
>> ssh tunnel, and let everything else go its way. Rather than using a
>> proxy, the solution seems obvious: set up a different browser profile
>> for the special targets and set the browser proxy for that profile to
>> the ssh tunnel.
>
> Depends on your use cases and the level of isolation you want to achieve.

My needs are not security related. I use a ssh tunnel to a computer
@work in order to access some pages behind paywalls. Other traffic
goes through no proxy at all. Until recently, I used privoxy to sort
it out. Problem is, privoxy seems to be slow. I'm tired of reading
"waiting for proxy tunnel..." at the bottom of the page. Keeping a
special profile for traffic directed to the ssh tunnel should do the
job (not yet tested).
> Finally, if you are bent on modifying your own HTTP traffic in-flight,
> I strongly suggest you to look into privoxy. Maintaining this one will
> consume most of your time.
>
> It's not lightweight, but it is supervision friendly, and comes with
> an incredibly nice magic bag of tricks.

Yep. But see above. (Of course, I'm not sure the slowness is privoxy's fault...)

Jorge


Re: small proxy

2017-05-31 Thread Martin "eto" Misuth
Heh proxies, 

yeah I spent too much time tweaking my polipo and privoxy setups.

On Tue, 30 May 2017 22:49:19 +0100
Jorge Almeida  wrote:

> On Tue, May 30, 2017 at 10:22 PM, Laurent Bercot
>  wrote:
> >> The Polipo author's reasoning may apply to your application as well, my
> >> memory is essentially the value of HTTP proxies has declined a lot now that
> >> so much of the web is behind HTTPS.  

You can still do HTTPS proxying and filtering, if you do SSL MITM trickery on
"yourself". All commercial DPI engines I have seen (not many) use this
trick to pierce into private connections. Makes you wonder about
employees' and other people's right to privacy when used on site.

> >  Yes. And if it is about HTTP, then the clients' ISPs will proxy the
> > data for them. They may even add some extra friendly stuff in the data,
> > such as ads and announcement banners! The lengths they will go to for
> > their users.
> >
> >  Bottom line: HTTP proxies *are* on the way out, for good reason.

I came to the conclusion that by default, if you want "unrestricted movement",
you don't use anything from your ISP besides the base transport layer.

ISP sins I believe we all experienced:
 - shitty DNS
 - shitty "included" email services
 - shitty "included" webhosting services
 - shitty transparent proxies to "speed up" (read trace and slowdown) HTTP
   access

If your ISP is so paranoid that they won't allow you to go "out" any
other way than through their transparent proxy, for all the reasons mentioned
and more, it's a bad ISP and you should terminate all contracts with them.
That used to be the case with certain mobile operators in my country.

Sometimes one has to wonder, what actually some ISP do "right".

> This kind of situation usually means that I'm trying to use the wrong
> tool. As said in the first mail, I need to redirect some targets to a
> ssh tunnel, and let everything else go its way. Rather than using a
> proxy, the solution seems obvious: set up a different browser profile
> for the special targets and set the browser proxy for that profile to
> the ssh tunnel.

Depends on your use cases and the level of isolation you want to achieve.

If you just want to "project" yourself somewhere use ssh.

Most modern browsers support SOCKS proxies and ssh/sshd has **great** SOCKS
based server and tunneling builtin. This can act as poor man's VPN.

If you are using firefox based crap, you can make even dns go through socks,
completely "teleporting" your apparent location to the SOCKS exit point.

With js enabled, I believe, there are still some reflection attacks
possible, so it's best to put the whole browser thing (not just using a
separate profile) into some kind of container, which are in vogue these days.
Or use per-process iptables rules (not sure if nftables can do it yet)
to allow only SOCKS traffic for the given browser instance.

Modern js pages can, in certain cases, scan your network, so best is 
to never give browser process even an option to do that. 
Might break some things.

More complicated option is to use VPN, but it's not as easy and comfortable as
ssh.

Finally, if you are bent on modifying your own HTTP traffic in-flight,
I strongly suggest you to look into privoxy. Maintaining this one will 
consume most of your time.

It's not lightweight, but it is supervision friendly, and comes with
an incredibly nice magic bag of tricks.

  eto


Re: small proxy

2017-05-30 Thread Jorge Almeida
On Tue, May 30, 2017 at 10:22 PM, Laurent Bercot
 wrote:
>> The Polipo author's reasoning may apply to your application as well, my
>> memory is essentially the value of HTTP proxies has declined a lot now that
>> so much of the web is behind HTTPS.
>
>
>  Yes. And if it is about HTTP, then the clients' ISPs will proxy the
> data for them. They may even add some extra friendly stuff in the data,
> such as ads and announcement banners! The lengths they will go to for
> their users.
>
>  Bottom line: HTTP proxies *are* on the way out, for good reason.
>

This kind of situation usually means that I'm trying to use the wrong
tool. As said in the first mail, I need to redirect some targets to a
ssh tunnel, and let everything else go its way. Rather than using a
proxy, the solution seems obvious: set up a different browser profile
for the special targets and set the browser proxy for that profile to
the ssh tunnel.

Cheers

Jorge


Re: small proxy

2017-05-30 Thread Laurent Bercot
The Polipo author's reasoning may apply to your application as well, my 
memory is essentially the value of HTTP proxies has declined a lot now 
that so much of the web is behind HTTPS.


 Yes. And if it is about HTTP, then the clients' ISPs will proxy the
data for them. They may even add some extra friendly stuff in the data,
such as ads and announcement banners! The lengths they will go to for
their users.

 Bottom line: HTTP proxies *are* on the way out, for good reason.

--
 Laurent



Re: small proxy

2017-05-30 Thread 39066dd5
On Tue, May 30, 2017 at 07:27:09PM +0100, Jorge Almeida wrote:
> On Tue, May 30, 2017 at 7:01 PM,  <39066...@gmail.com> wrote:
> > On Tue, May 23, 2017 at 01:07:13PM +0100, Jorge Almeida wrote:
> >> Is there any small proxy that is supervision-friendly?
> >
> > Polipo is no longer maintained but overall quite nice. Good support for 
> > pipelining etc.
> 
> Well, the author doesn't seem very enthusiastic about it :)
> 
> I was kind of hoping that someone with the musl/dietlibc/... mindset
> would have written something of the kind, but I guess it's not the
> case...
> 
> Thanks
> 
> Jorge

The Polipo author's reasoning may apply to your application as well, my memory 
is essentially the value of HTTP proxies has declined a lot now that so much of 
the web is behind HTTPS.


Re: small proxy

2017-05-30 Thread Jorge Almeida
On Tue, May 30, 2017 at 7:01 PM,  <39066...@gmail.com> wrote:
> On Tue, May 23, 2017 at 01:07:13PM +0100, Jorge Almeida wrote:
>> Is there any small proxy that is supervision-friendly?
>
> Polipo is no longer maintained but overall quite nice. Good support for 
> pipelining etc.

Well, the author doesn't seem very enthusiastic about it :)

I was kind of hoping that someone with the musl/dietlibc/... mindset
would have written something of the kind, but I guess it's not the
case...

Thanks

Jorge


Re: small proxy

2017-05-30 Thread 39066dd5
On Tue, May 23, 2017 at 01:07:13PM +0100, Jorge Almeida wrote:
> Is there any small proxy that is supervision-friendly?

Polipo is no longer maintained but overall quite nice. Good support for 
pipelining etc.


Re: small proxy

2017-05-23 Thread Jorge Almeida
On Wed, May 24, 2017 at 6:35 AM, Jorge Almeida  wrote:

>
> Your README doesn't mention logging. Is that what your version does?

I replied too soon. I just saw it in "docs". You even stripped the
silly PID file :)
Jorge


Re: small proxy

2017-05-23 Thread Jorge Almeida
On Wed, May 24, 2017 at 6:06 AM, Roger Pate  wrote:
> On Tue, May 23, 2017 at 8:59 AM, Kamil Cholewiński  
> wrote:
>> On Tue, 23 May 2017, Jorge Almeida  wrote:
>>> Basically, tinyproxy does this. What it does not do is sensible
>>> logging. It seems to be brain damaged in this department: it either
>>> logs to syslog or to a file, which it insists in opening. /dev/stderr
>>> does not work (it says that file has changed). It also has a -d flag,
>>> that prevents backgrounding (and wtf should it go to background, to
>>> begin with??) but does nothing at all regarding logs.
>>
>> Take the source, rip out the parts you don't like?
>
> It's satisfying to delete code, though I mostly left it in disabled
> for now: https://github.com/rdpate/tinyproxy-suped/tree/suped

I imagine so. I would try to do it myself, if I were more than an amateur.

> It's 1am here now; I likely missed something.  Let me know.

Your README doesn't mention logging. Is that what your version does?

Jorge


Re: small proxy

2017-05-23 Thread Roger Pate
On Tue, May 23, 2017 at 8:59 AM, Kamil Cholewiński  wrote:
> On Tue, 23 May 2017, Jorge Almeida  wrote:
>> Basically, tinyproxy does this. What it does not do is sensible
>> logging. It seems to be brain damaged in this department: it either
>> logs to syslog or to a file, which it insists in opening. /dev/stderr
>> does not work (it says that file has changed). It also has a -d flag,
>> that prevents backgrounding (and wtf should it go to background, to
>> begin with??) but does nothing at all regarding logs.
>
> Take the source, rip out the parts you don't like?

It's satisfying to delete code, though I mostly left it in disabled
for now: https://github.com/rdpate/tinyproxy-suped/tree/suped

It's 1am here now; I likely missed something.  Let me know.


Re: small proxy

2017-05-23 Thread Jorge Almeida
On Tue, May 23, 2017 at 6:28 PM, Ciprian Dorin Craciun
 wrote:
> On Tue, May 23, 2017 at 3:07 PM, Jorge Almeida  wrote:
>> Is there any small proxy that is supervision-friendly?
>
>
> HAProxy?  http://www.haproxy.org/
>
> Not quite "small" and only recently "supervision-friendly", but it
> does wonders.  Also it's not quite a forward-proxy, but it does have a
> "transparent" mode, which with some `iptables` magic could do the
> trick.
>
Thank you. I'll take a look.

Jorge


Re: small proxy

2017-05-23 Thread Ciprian Dorin Craciun
On Tue, May 23, 2017 at 3:07 PM, Jorge Almeida  wrote:
> Is there any small proxy that is supervision-friendly?


HAProxy?  http://www.haproxy.org/

Not quite "small" and only recently "supervision-friendly", but it
does wonders.  Also it's not quite a forward-proxy, but it does have a
"transparent" mode, which with some `iptables` magic could do the
trick.

Ciprian.


Re: small proxy

2017-05-23 Thread Kamil Cholewiński
On Tue, 23 May 2017, Jorge Almeida  wrote:
> Basically, tinyproxy does this. What it does not do is sensible
> logging. It seems to be brain damaged in this department: it either
> logs to syslog or to a file, which it insists in opening. /dev/stderr
> does not work (it says that file has changed). It also has a -d flag,
> that prevents backgrounding (and wtf should it go to background, to
> begin with??) but does nothing at all regarding logs.

Take the source, rip out the parts you don't like?

Unless the code is a monstrosity, in which case you probably shouldn't
be running it anyway.

<3,K.