Beyond Privoxy


There is software that we all know and love and, more often than not, forget about.

Privoxy is one of them. It allows you to filter ads and is also a go-to solution for anonymous browsing when it is coupled with Tor.

With the arrival of adblock plugins in Chrome, and the web increasingly using TLS encryption, the filtering power of Privoxy has lessened.

The reason is that, at least by default, it cannot tinker with encrypted traffic between your browser and a remote server.
Fixing Privoxy filtering for TLS connections (which are prevalent nowadays) requires making it a “man-in-the-middle”
and ensuring that the browser trusts Privoxy’s own TLS certificate.

With all that in mind, Privoxy is still quite capable as a forwarding proxy between different protocols (HTTP to SOCKS5).
It is used with Tor, and you can also use it for clients that are not capable of talking to SOCKS5 proxies.

Before we review how to use those functions, let’s install Privoxy on a CentOS 8 machine:

Install Privoxy in CentOS/RHEL 8

sudo dnf -y install https://extras.getpagespeed.com/release-latest.rpm
sudo dnf install privoxy
sudo systemctl start privoxy

Using Privoxy

Making apps SOCKS5 capable

Privoxy can be used as a forwarding proxy for clients that do not support SOCKS5 proxies.

Let’s take a real-life example: the Postman app. It’s a great app for developing and working with APIs. In my case:

  • I have a SOCKS5 proxy via an autossh tunnel
  • I want to use the Postman app for developing a Telegram bot. The api.telegram.org servers are blocked in Russia, so I need to forward Postman requests through the proxy
  • Fact: Postman cannot talk to SOCKS5 proxies

We are looking to make things work like this:

Postman -> HTTP proxy (Privoxy) -> Socks5 SSH tunnel -> remote SSH server.

This can easily be set in Privoxy config by putting the following at the bottom of /etc/privoxy/config:

forward-socks5 .telegram.org 127.0.0.1:8123 .

The configuration above tells Privoxy to forward requests for telegram.org (or any subdomain, such as api.telegram.org) to the SOCKS5 proxy at port 8123 on the same machine.
The trailing dot means no HTTP parent proxy is chained after it, so the HTTP requests go to the destination over that SOCKS5 proxy.
Apply the config with systemctl restart privoxy.
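To see which requests the rule above sends into the tunnel and which still leave directly, here is an added example (not from the original post or the Privoxy project) that evaluates forward rules for a host name and flags a listen-address that is not loopback-only. It assumes a simplified pattern matcher (no wildcards, ports or paths) and a constructed sample config; all function names are hypothetical.

```python
import ipaddress

# Constructed sample: the article's rule plus a deliberately exposed listen-address.
SAMPLE_CONFIG = """\
listen-address  0.0.0.0:8118
forward-socks5 .telegram.org 127.0.0.1:8123 .
"""

def directives(text):
    """Yield (keyword, args) for every non-comment line of a Privoxy config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            keyword, *args = line.split()
            yield keyword.lower(), args

def pattern_matches(pattern, host):
    """Simplified host pattern (assumption): '/' is all, '.dom' is dom and subdomains."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return pattern == "/" or host == pattern

def route_for(text, host):
    """Return (kind, upstream) for host; as in Privoxy, the last matching rule wins."""
    route = ("direct", None)
    for keyword, args in directives(text):
        is_fwd = keyword == "forward" or keyword.startswith("forward-socks")
        if is_fwd and len(args) >= 2 and pattern_matches(args[0], host):
            kind = keyword.partition("-")[2] or "http"  # "socks5", "socks4a", ...
            route = ("direct", None) if args[1] == "." else (kind, args[1])
    return route

def is_loopback(host):
    """True for loopback IPs and 'localhost'; an empty host means all interfaces."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def exposed_listeners(text):
    """Return listen-address values reachable from outside the local machine."""
    return [a[0] for k, a in directives(text) if k == "listen-address" and a
            and not is_loopback(a[0].rsplit(":", 1)[0].strip("[]"))]

if __name__ == "__main__":
    for name in ("api.telegram.org", "telegram.org", "nottelegram.org", "example.com"):
        print(name, route_for(SAMPLE_CONFIG, name))
    print("exposed listeners:", exposed_listeners(SAMPLE_CONFIG))
```

Anything that can reach an exposed listener can send requests through the SSH tunnel, so the listener should stay on loopback unless sharing the proxy is intended.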

The SOCKS5 proxy is an “autossh tunnel”. In terms of configuration, it is just a one-line config file at /etc/autossh/server.example.com.conf:

OPTIONS=-M 0 -o ControlPersist=no -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -D 8123 -C -N john@server.example.com

Here server.example.com is the FQDN of the remote SSH server to connect to, john is the SSH username to connect with, and 8123 is the local port on which the SOCKS5 proxy will listen.
You do, of course, need to have autossh installed and running, but I’m not covering that in this post.

By default, Privoxy listens on port 8118, so configure Postman like this:

[Image: Postman Privoxy Config]

Requests from Postman now succeed:

[Image: Postman to Telegram API]

Filtering SSL

You can have Privoxy filter your SSL traffic and be as powerful as Adblock Plus.
This implies taking strong security measures to protect the “Privoxy parent certificates”, especially if you plan to deploy this on a LAN.

I am putting the links here for later investigation of the options available for SSL filtering, and will expand the article as I try them:
