Cant get it working

[Chapp3rz]

Sorry to bother you - please delete if not wanted, but im really stuck with getting this to work. It used to work months ago but now its broken. Have a log below DSM>docker - can`t work out what to do

2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Starting main loop. Accepting connections. 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Setting the various signals. 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Not running as root, so not changing UID/GID. 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: listening on fd [4] 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: trying to listen on host[::], family[10], socktype[1], proto[6] 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: listening on fd [3] 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: trying to listen on host[0.0.0.0], family[2], socktype[1], proto[6] 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: listen_sock called with addr = '(NULL)' 2024/06/27 20:40:18 | stdout | NOTICE    Jun 27 20:40:18.758 [1]: Reloading config file finished 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Disabling transmission of the "Via" header. 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Setting "Via" header to 'tinyproxy' 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Added basic auth user : xxxx 2024/06/27 20:40:18 | stdout | INFO      Jun 27 20:40:18.758 [1]: Stathost set to "tinyproxy.stats" 2024/06/27 20:40:18 | stdout | NOTICE    Jun 27 20:40:18.758 [1]: Reloading config file (/etc/tinyproxy/tinyproxy.conf) 2024/06/27 20:40:18 | stdout | NOTICE    Jun 27 20:40:18.757 [1]: Initializing tinyproxy ...

Happy to pay for some beers if anyone can help

[kalaksi]

That looks like a normal startup. Maybe something external changed like docker compose configuration or network setup?

Have you tried connecting to tinyproxy from the same host with e.g. curl -v http://localhost:8888 (replace port 8888 if needed) or curl -v http://10.0.0.1:8888 (or whatever your interface address is since connecting to localhost may not work in all situations, if I remember right).

Maybe also confirm that netstat -tlnp shows docker-proxy (if running with docker) listening in the expected address and port.

(Happy to receive some beer money, but not sure how :). I do have bitcoin and ethereum addresses listed in my profile for donations.)

[Chapp3rz]

Thanks Kalaksi, i`ll work out the bitcoin thing.

My results from running those commands:

tcp 0 0 0.0.0.0:8888 0.0.0.0: LISTEN tcp 0 0 0.0.0.0:444 0.0.0.0: LISTEN same on tcp6

GET / HTTP/1.1 Host: localhost:8888 User-Agent: curl/7.86.0 Accept: /

< HTTP/1.0 407 Proxy Authentication Required < Server: tinyproxy/1.11.2 < Content-Type: text/html < Proxy-Authenticate: Basic realm="Tinyproxy" < Connection: close < <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

Proxy Authentication Required

This proxy requires authentication.

---

Generated by tinyproxy version 1.11.2.

With auth and username # out < HTTP/1.0 400 Bad Request < Server: tinyproxy/1.11.2 < Content-Type: text/html <

Bad Request

You tried to connect to the machine the proxy is running on

Does that look normal? extra lines in the log for the auth enabled one 2024/06/28 11:29:46 | stdout | CONNECT   Jun 28 11:29:46.946 [1]: Request (file descriptor 5): GET / HTTP/1.1 2024/06/28 11:29:46 | stdout | CONNECT   Jun 28 11:29:46.946 [1]: Connect (file descriptor 5): 172.22.0.1

[kalaksi]

That confirms that tinyproxy is running and should work. The error about bad request is because of the HTTP request being sent directly to the proxy instead of using it as a proxy. Next, for a proper test you should try e.g. curl -v -x http://localhost:8888 https://duckduckgo.com (and providing the auth credentials).

If that works (it probably will), your issue is elsewhere, maybe outside of the proxy host, because tinyproxy and docker's port mapping seem to work.

And don't worry about the bitcoin if you're not already familiar, it's probably not worth the hassle. I should probably figure out additional ways to receive donations.

[Chapp3rz]

CONNECT duckduckgo.com:443 HTTP/1.1 Host: duckduckgo.com:443 User-Agent: curl/7.86.0 Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established < Proxy-agent: tinyproxy/1.11.2 <

• TLSv1.0 (OUT), TLS header, Certificate Status (22):
• TLSv1.3 (OUT), TLS handshake, Client hello (1):

So, looks like its working locally. So is the issue going to be with my windows machine on the local network im trying to point through the proxy? I can access all the other service im hosting in this docker project (arrs, qbitorrent) over the local network. I`m using SwitchyOemga to route traffic - are there further test I can do now from the client (windows PC)?

I`ll work the BTC thing out.

Pulled a log - this was from changing the proxy in windows not omega - tried both ports 8888 and 444

2024/06/28 14:27:12	stdout	INFO      Jun 28 14:27:12.691 [1]: Not sending client headers to remote machine
2024/06/28 14:27:12	stdout	CONNECT   Jun 28 14:27:12.691 [1]: Established connection to host "www.whatsmyip.org" using file descriptor 6.
2024/06/28 14:27:12	stdout	INFO      Jun 28 14:27:12.564 [1]: opensock: getaddrinfo returned for www.whatsmyip.org:443
2024/06/28 14:27:12	stdout	INFO      Jun 28 14:27:12.261 [1]: opensock: opening connection to www.whatsmyip.org:443
2024/06/28 14:27:12	stdout	INFO      Jun 28 14:27:12.261 [1]: No upstream proxy for www.whatsmyip.org
2024/06/28 14:27:12	stdout	CONNECT   Jun 28 14:27:12.261 [1]: Request (file descriptor 5): CONNECT www.whatsmyip.org:443 HTTP/1.1
2024/06/28 14:27:12	stdout	CONNECT   Jun 28 14:27:12.261 [1]: Connect (file descriptor 5): 172.22.0.1
2024/06/28 14:27:00	stdout	INFO      Jun 28 14:27:00.872 [1]: process_server_headers failed: Resource temporarily unavailable. host "update.googleapis.com" using file descriptor 24.

[kalaksi]

From the windows host, you could try to directly access the proxy's address using a web browser (similar to the first test we tried).

Since you're able to access other services on the same server, it's probably not a routing issue, so the issue could be a firewall. What is the problem exactly you're facing? A timeout or some kind of error?

[Chapp3rz]

I added a log above after your reply. Using chrome to access the local ip - port 444 cant be reached, unexpectedly closed. 8888 has been spinning for a while now (5 mins) CONNECT   Jun 28 14:32:05.912 [1]: Established connection to host "192.168.0.11" using file descriptor 204. -- | -- | -- 2024/06/28 14:32:09 | stdout | INFO      Jun 28 14:32:05.911 [1]: opensock: getaddrinfo returned for 192.168.0.11:8888 2024/06/28 14:32:09 | stdout | INFO      Jun 28 14:32:05.911 [1]: opensock: opening connection to 192.168.0.11:8888 2024/06/28 14:32:09 | stdout | INFO      Jun 28 14:32:05.911 [1]: No upstream proxy for 192.168.0.11 2024/06/28 14:32:09 | stdout | INFO      Jun 28 14:32:05.911 [1]: process_request: trans Host GET http://192.168.0.11:8888/ for 203 2024/06/28 14:32:09 | stdout | CONNECT   Jun 28 14:32:05.911 [1]: Request (file descriptor 203): GET / HTTP/1.1 2024/06/28 14:32:09 | stdout | CONNECT   Jun 28 14:32:05.911 [1]: Connect (file descriptor 203): 172.22.0.1 2024/06/28 14:32:09 | stdout | WARNING   Jun 28 14:32:05.911 [1]: Maximum number of connections reached. Refusing new connections.

Its going to be something simple isnt it and its going to be me being an idiot im sure :) I am running wireguard, but I've added 444 and 8888 to its ports and all other services linked can access the wider web correctly.

[kalaksi]

Make sure chrome doesn't do proxying when testing the connection to tinyproxy. Also, do you set MAX_CLIENTS yourself? I'm thinking maybe it's set too low.

[Chapp3rz]

Max Clients is at 100 amigo. Proxy auto detect is off and so is manual in windows. Chrome setting just open the windows ones.

Here is my yaml - the ports are opened in the Wireguard section - don`t mean to keep drip feeding info, but this version is running dsm in proxmox if it makes a diff.

ports: (wireguard section)

  - 8888:8888 # TinyProxy
  - 444:444 #tinyp https

tinyproxy: image: docker.io/kalaksi/tinyproxy:latest container_name: tinyproxy

You can also use GitLab as an alternative to Docker Hub:

# image: registry.gitlab.com/kalaksi-containers/tinyproxy
restart: always

depends_on:

- wireguard

network_mode: "service:wireguard"
cap_drop:
  - NET_ADMIN
#ports:
  #- 8888:8888
  #- 444:444
  # See tinyproxy.conf for better explanation of these values.
environment:
  # Set to "yes" to disable the Via-header, set to empty to leave it enabled.
  DISABLE_VIA_HEADER: 'yes'
  # Set this to e.g. tinyproxy.stats to enable stats-page on that address
  STAT_HOST: tinyproxy.stats
  MAX_CLIENTS: 100
  # A space separated list:
  ALLOWED_NETWORKS: 172.0.0.0/0 192.168.0.0/0
  # One of Critical, Error, Warning, Notice, Connect, Info
  LOG_LEVEL: Info
  # Maximum number of seconds idle connections are allowed to remain open
  TIMEOUT: 900
  # Username for BasicAuth
 # AUTH_USER: 'xxxx'
  # Password for BasicAuth (letters and digits only)
  # Prefer secrets-mechanisms instead of environment variables.
 # AUTH_PASSWORD: 'xxxx'

# secrets:
#   - auth_password
# # With Alpine base image, this is required, for some reason, or /run/secrets won't get mounted.
# tmpfs:
#   - /run
# healthcheck:
# test: ["CMD", "curl", "-I", "-H", "Host: tinyproxy.stats", "http://localhost:8888"]
#  interval: 5m
#  timeout: 10s
#  retries: 1
# volumes:
#   # If not using docker-compose for secrets, you can still manually mount a file containing the password.
#   - ./secrets/auth_password:/run/secrets/auth_password:ro

Secret for AUTH_PASSWORD

secrets:

auth_password:

file: ./secrets/auth_password

Soz, can`t see how to post that as plain text

[kalaksi]

To me, it looked like the test connection to proxy was routed through the proxy itself too and causing a loop or something. But at least it looked like the connection to proxy arrived, so it looks like it should be working. What if you try to connect some other site through proxy? What does the tinyproxy log say?

Also, what is that port 444? Tinyproxy should only use 1 port, afaik.

(Btw, I too have some experience with wireguard and have noticed that wireguard might say that the tunnel is up and running when in fact something is wrong and nothing gets through. But in this case, I think we're already seeing the connection go through according to those logs.)

[Chapp3rz]

Hey man, hope you had a good weekend.

For some reason I though it needed a separate port for https :) - Wireguard VPN is up.

I can only get one site to work - which bizarrely is the only one that fails to load when not on a vpn (torrent site) and says - This site can’t provide a secure connection. Trying through the proxy works first time. Every other site times out.

2024/07/01 20:25:31	stdout	INFO      Jul 01 20:25:31.693 [1]: Not sending client headers to remote machine
2024/07/01 20:25:31	stdout	CONNECT   Jul 01 20:25:31.693 [1]: Established connection to host "www.workingsite.org" using file descriptor 10.
2024/07/01 20:25:31	stdout	INFO      Jul 01 20:25:31.670 [1]: opensock: getaddrinfo returned for www.workingsite.org:443
2024/07/01 20:25:31	stdout	INFO      Jul 01 20:25:31.645 [1]: opensock: opening connection to www.workingsite.org:443
2024/07/01 20:25:31	stdout	INFO      Jul 01 20:25:31.645 [1]: No upstream proxy for www.workingsite.org
2024/07/01 20:25:31	stdout	CONNECT   Jul 01 20:25:31.645 [1]: Request (file descriptor 9): CONNECT www.workingsite.org:443 HTTP/1.1
2024/07/01 20:25:31	stdout	CONNECT   Jul 01 20:25:31.645 [1]: Connect (file descriptor 9): 172.18.0.1

And one that fails for good measure

24/07/01 20:26:55	stdout	INFO      Jul 01 20:26:54.544 [1]: Closed connection between local client (fd:23) and remote client (fd:24)
2024/07/01 20:26:55	stdout	INFO      Jul 01 20:26:54.262 [1]: Not sending client headers to remote machine
2024/07/01 20:26:55	stdout	CONNECT   Jul 01 20:26:54.262 [1]: Established connection to host "www.youtube.com" using file descriptor 18.
2024/07/01 20:26:55	stdout	INFO      Jul 01 20:26:54.240 [1]: opensock: getaddrinfo returned for www.youtube.com:443
2024/07/01 20:26:55	stdout	INFO      Jul 01 20:26:54.218 [1]: opensock: opening connection to www.youtube.com:443
2024/07/01 20:26:55	stdout	INFO      Jul 01 20:26:54.218 [1]: No upstream proxy for www.youtube.com
2024/07/01 20:26:55	stdout	CONNECT   Jul 01 20:26:54.218 [1]: Request (file descriptor 17): CONNECT www.youtube.com:443 HTTP/1.1
2024/07/01 20:26:55	stdout	CONNECT   Jul 01 20:26:54.218 [1]: Connect (file descriptor 17): 172.18.0.1

Honestly at this point pal - i`m willing to ship you my PC if you thought you could fix it :)

[kalaksi]

Hmm, something working a little randomly and then timeouting sounds like an MTU size issue, but it's very hard to say. Do you set MTU manually in any wireguard configs (or for network interfaces or anything)?

[Chapp3rz]

Yeah, I try and set everything to 1500 where I can

[kalaksi]

1500 is normal for a regular network interface, but wireguard should have something like 1420 on it's interface (I think that's the default if not setting it in wireguard config), since the tunneling protocol has some extra overhead which gets added on top when packet leaves the regular interface.

[Chapp3rz]

No f'ing way, the MTU thing has fixed it!

Commented out the line in my Wireguard config where I'd forced it to 1500, so it now uses whatever default is and everything seems to be connecting. You ruddy legend! Thank you so much. I`m going to go and learn how to send you some BTC :)

[kalaksi]

You're welcome!