How to Implement Basic HTTP Authentication in Tinyproxy for Secure Proxy Access


When deploying Tinyproxy in production environments, IP-based restrictions often prove insufficient. The recommended approach is implementing Basic HTTP authentication, which requires clients to provide valid credentials before accessing the proxy service.

Edit your tinyproxy.conf file (typically located at /etc/tinyproxy/tinyproxy.conf) and add these directives:

# Enable authentication
BasicAuth username password

# Optionally specify an htpasswd file
# BasicAuth /etc/tinyproxy/.htpasswd

For better security and multi-user support, create an htpasswd file:

# Install htpasswd utility (Debian/Ubuntu)
sudo apt-get install apache2-utils

# Create password file (-c creates the file and overwrites an existing one, so use it for the first user only)
sudo htpasswd -c /etc/tinyproxy/.htpasswd username1
sudo htpasswd /etc/tinyproxy/.htpasswd username2

Then configure Tinyproxy:

BasicAuth /etc/tinyproxy/.htpasswd

After restarting Tinyproxy (sudo systemctl restart tinyproxy), test with curl:

curl -x http://username:password@localhost:8888 http://example.com

Or configure in browser settings:

Proxy: 127.0.0.1:8888
Authentication: username/password

If authentication fails:

  • Verify file permissions: chmod 640 /etc/tinyproxy/.htpasswd
  • Check Tinyproxy logs: tail -f /var/log/tinyproxy/tinyproxy.log
  • Confirm service reload: sudo systemctl reload tinyproxy

For enhanced security:

  • Use HTTPS for authentication to prevent credential sniffing (Basic authentication sends the username and password Base64-encoded, not encrypted)
  • Rotate passwords regularly
  • Consider combining with IP whitelisting for defense in depth

Tinyproxy supports Basic HTTP authentication through the BasicAuth directive in its configuration file. Unlike IP-based restrictions, this method validates users through username/password credentials before granting proxy access.

# Create password file (use htpasswd or openssl)
sudo htpasswd -c /etc/tinyproxy/passwords proxyuser

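# Alternative using openssl (-apr1 produces the same MD5 format htpasswd uses by default;
# -crypt is weak DES-based crypt and was removed in OpenSSL 3.0):
echo "proxyuser:$(openssl passwd -apr1 P@ssw0rd123)" | sudo tee /etc/tinyproxy/passwords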

Edit your /etc/tinyproxy/tinyproxy.conf:

# Enable authentication
BasicAuth /etc/tinyproxy/passwords

# Recommended additional security
Timeout 600
MaxClients 50
DisableViaHeader Yes

After restarting Tinyproxy (sudo systemctl restart tinyproxy), test with curl:

curl -x http://your-proxy-ip:8888 -U proxyuser:P@ssw0rd123 http://example.com

For multiple users or groups:

# Create group file
echo "developers: user1 user2" | sudo tee /etc/tinyproxy/groups

# Update tinyproxy.conf
BasicAuth /etc/tinyproxy/passwords /etc/tinyproxy/groups

Always ensure:

  • The password file has strict permissions (600)
  • Use HTTPS for the proxy connection when possible
  • Regularly rotate credentials
  • Monitor authentication logs at /var/log/tinyproxy/tinyproxy.log
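
The first item in the checklist above can be checked mechanically, along with how each password is stored. The following is an added example, not part of the original article or of Tinyproxy: a POSIX shell audit of the htpasswd-format file created earlier. The function names and finding labels (PERMS, WEAK, MISSING) are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function names and finding labels are illustrative.

# Classify the hash field of one "user:hash" entry by its prefix or shape.
hash_scheme() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '$5$'*)                  echo sha256-crypt ;;
        '$6$'*)                  echo sha512-crypt ;;
        '{SHA}'*)                echo unsalted-sha1 ;;
        *)
            # Traditional DES crypt is exactly 13 chars from [./0-9A-Za-z].
            if [ "${#1}" -eq 13 ] && ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'; then
                echo des-crypt
            else
                echo plaintext-or-unknown
            fi ;;
    esac
}

# Print one finding per problem; return 0 only if nothing was found.
audit_passwd_file() {
    file=$1 findings=0
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "PERMS $file is accessible to other users ($other)"
        findings=$((findings + 1))
    fi
    # The "|| [ -n ... ]" clause keeps a final line that lacks a newline.
    while IFS=: read -r user hash _rest || [ -n "$user" ]; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            des-crypt|unsalted-sha1|plaintext-or-unknown)
                echo "WEAK $user uses $scheme"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# When invoked with a path argument, audit that file.
[ "$#" -eq 0 ] || audit_passwd_file "$1"
```

Run it as root (for example sudo sh audit.sh /etc/tinyproxy/passwords) so the file is readable; a non-zero exit status means at least one finding was printed.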

If authentication fails:

  1. Verify file permissions: sudo chmod 600 /etc/tinyproxy/passwords
  2. Check logs: sudo tail -f /var/log/tinyproxy/tinyproxy.log
  3. Test credentials directly: htpasswd -vb /etc/tinyproxy/passwords username password