141 lines
4.8 KiB
Markdown
141 lines
4.8 KiB
Markdown
# Privoxy TLS
|
|
## A proxy wrapper that adds HTTPS capabilities to Privoxy
|
|
|
|
## How it works
|
|
|
|
|
|
+---------+ +-----------+ +----------------+
|
|
| | | | | |
|
|
| Browser +<---------HTTP--------->+ Privoxy +<---------HTTP--------->+ HTTP webserver |
|
|
| | | | | |
|
|
+----+----+ +---+---+---+ +----------------+
|
|
^ ^ ^
|
|
| | |
|
|
| +--------------------------------------------------+
|
|
| | | | |
|
|
| | +---------+ | | +--------+ | +-----------------+
|
|
| | | | | | | | | | |
|
|
+---HTTPS--->+ Front +<--HTTP*--+ +---HTTP-->+ Rear +<---HTTPS--->+ HTTPS webserver |
|
|
| | | | | | | |
|
|
| +---------+ +--------+ | +-----------------+
|
|
| |
|
|
+--------------------------------------------------+
|
|
|
|
Transparent MitM
|
|
|
|
* Tagged for forwarding
|
|
|
|
## Setup in NixOS
|
|
|
|
1. Import to the file ./service.nix in your configuration by adding:
|
|
```nix
|
|
imports = [
|
|
(fetchGit https://maxwell.ydns.eu/git/rnhmjoj/privoxy-tls + "/service.nix")
|
|
];
|
|
```
|
|
or, better, copy it locally.
|
|
|
|
2. Create a CA. For example with GnuTLS:
|
|
```
|
|
certtool --generate-privkey --outfile ca.key
|
|
certtool --generate-self-signed --load-privkey ca.key --outfile ca.crt
|
|
```
|
|
or use the tool ./cert.py provided
|
|
```
|
|
python src/cert.py -f output
|
|
```
|
|
In the latter the "output" file will contain both private key and certificate;
|
|
split the file and store them separately.
|
|
|
|
3. Configure the proxy with the option set `services.privoxy.tls-wrapper`, for example
|
|
```nix
|
|
services.privoxy.tls-wrapper = {
|
|
enable = true;
|
|
caCert = /path/to/ca.crt; # these won't be included in the store
|
|
caKey = /path/to/ca.key;
|
|
noVerify = [ "self-signed.example" ];
|
|
passthru = [ "localhost" "*.local" ];
|
|
};
|
|
};
|
|
```
|
|
More options are available and documented in ./service.nix
|
|
|
|
### Notes
|
|
|
|
- The CA will be automatically installed in the system trust store but
|
|
applications may use their own store and won't trust it.
|
|
You will need to add the CA manually in that case.
|
|
|
|
## Configuration settings
|
|
|
|
Below is an example configuration file that shows all settings:
|
|
|
|
```ini
|
|
[GENERAL]
|
|
; The URL of privoxy
|
|
proxAddr = http://localhost:8080
|
|
|
|
; The port the front proxy will bind to
|
|
frontPort = 8079
|
|
|
|
; The port the rear proxy will bind to
|
|
rearPort = 8081
|
|
|
|
; An upstream HTTP proxy if required by the network
|
|
DefaultProxy = http://127.0.0.1:8118
|
|
|
|
; The Logging level: either ERROR, WARNING, INFO or DEBUG
|
|
LogLevel = INFO
|
|
|
|
; Proxy the following URLs to this HTTP or SOCKS proxy.
|
|
; This option can be repeated.
|
|
; Python regular expression are also allowed.
|
|
[proxy http://192.168.178.1:8123]
|
|
https?://*.test.com
|
|
|
|
; Skip TLS certificate verification for these URLS.
|
|
; This is dangerous, use with care.
|
|
[noVerify]
|
|
self-signed.example.com
|
|
|
|
; Block requests to the following URLs
|
|
[blacklist]
|
|
*.ads.example.net
|
|
|
|
; Passthrough the MitM proxying and Privoxy,
|
|
; but still use the default proxy for these URLs.
|
|
[passthru]
|
|
broken.example.com
|
|
|
|
; Bypass all proxying for these URLs
|
|
[bypassURL]
|
|
http://www.example.com/*
|
|
*.zip
|
|
*.pdf
|
|
```
|
|
|
|
## License
|
|
|
|
|
|
The MIT License (MIT)
|
|
|
|
Copyright (c) 2015 wheever
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
in the Software without restriction, including without limitation the rights
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
The above copyright notice and this permission notice shall be included in all
|
|
copies or substantial portions of the Software.
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
SOFTWARE.
|