Browsing Onion sites using Tinyproxy

1.0 Motivation                                                           line 13
2.0 Bill of materials                                                    line 29
3.0 Tinyproxy configuration and testing                                  line 40

This is a short guide showing how to set up the HTTP proxy Tinyproxy (
https://tinyproxy.github.io ) to access Onion services (
https://support.torproject.org/onionservices/ ) while accessing other sites
directly.


    1.0 Motivation

Tor ( https://www.torproject.org ) itself exposes a SOCKS5 proxy, so if that is
all that is needed, you might as well stop reading this file now. Tinyproxy is a
lightweight HTTP/HTTPS proxy, so this is for those cases where SOCKS is not
available or practical. Onion sites must be accessed through Tor, but browsing
the web in general through Tor circuits is quite slow and wastes electricity if
you do not need Tor's features. Also, you might be in a situation reading from a
computer where running torsocks or a Tor service is not an option, which is
quite common in retrocomputing.

The idea is setting up Tinyproxy to just pass-through traffic for the ordinary
web, while passing traffic directed to the Scary Dark Web to a locally running
Tor service.


    2.0 Bill of materials

I used a Fedora Linux desktop to run Tor and Tinyproxy, but I assume this is all
the same on pretty much any Freenix or UNIX system.

    1. A Freenix box to run Tor and Tinyproxy
    2. A Tor installation
    3. Tinyproxy
    4. A browser which supports a HTTP proxy, I used Lynx


    3.0 Tinyproxy configuration and testing

For the Tor service, default configuration (at least on my system) was perfectly
fine. It fires up a SOCKS server on port 9050 on localhost, which gives the
following "tinyproxy.conf" file:

    # Basic connection parameters, only browsing from localhost in this example
    Port 8888
    Listen 127.0.0.1
    Timeout 600
    Allow 127.0.0.1

    # The quotes are mandatory, I did not know that first
    Upstream socks5 127.0.0.1:9050 ".onion"

    # Some mandatory settings where I used more or less arbitrary values
    MaxClients 10
    StartServers 2
    MinSpareServers 1
    MaxSpareServers 8

Those 9 settings above is it. Those lines are the entire point of this whole
document. Obviously, it is in the line starting with "Upstream" the action
happens, and it means what it locks like. If the request has anything to do with
the "onion" top-level domain, route it through the SOCKS5 proxy running locally
on port 9050. Since that is the only Upstream rule, all other traffic will just
pass through.

As for testing it, this should work:

    1. Make sure Tor is running. If using systemd:

       systemctl start tor

    2. Start Tinyproxy in a shell with the experimental config file:

       tinyproxy -d -c tinyproxy.conf

    3. Try to access the Tor projects own Onion site with Lynx:

       http_proxy=http://127.0.0.1:8888/ lynx http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/index.html

    4. Try to access the Tor project's conventional site:

       http_proxy=http://127.0.0.1:8888/ lynx http://www.torproject.org

In step 3, you should get the Tor project's home page, as you should in step 4.
The difference is in the tinyproxy log output to standard out. In step 3, it
should say something like "Found upstream proxy socks5 127.0.0.1:9050 for
2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion". In step 4, it
should report on no upstream, "No upstream proxy for www.torproject.org". (It
then connects to the site, which redirects to HTTPS. Then nothing more is
logged, as our proxy is left out of the rest of the equation as the example has
no "https_proxy" setting.)

Steinar Knutsen, 20231004T171926Z, 8C17C712