Open vituperative opened 2 years ago
> ...doesn't work on public hostnames that resolve to localhost

an example for such is fbi.com

> With an upstream null route for 127.0.0.1/8 and ::1, Tinyproxy will not prevent access to localhost if a hostname resolves to localhost.

did you already try to come up with an iptables rule?

> Ideally, Tinyproxy should attempt to resolve hostnames before determining if an upstream directive is valid.

this is changing the existing behaviour quite intrusively and needs careful thought to not break other use cases.
$ tinyproxy -v
tinyproxy 1.11.1
Blocking 127.0.0.1 or ::1 via null routed upstream directives doesn't work on public hostnames that resolve to localhost
On a private proxy with restricted access, it may be desirable to allow tinyproxy to access ports on localhost; for a public proxy service, this is probably not desirable and is potentially a security risk. With an upstream null route for 127.0.0.1/8 and ::1, Tinyproxy will not prevent access to localhost if a hostname resolves to localhost. For example, http://localhost:{port} will still work unless that specific hostname is blocked, and there are numerous other hostnames that will also bypass the upstream directive (e.g. fuf.me, fbi.com, etc.).
Ideally, Tinyproxy should attempt to resolve hostnames before determining if an upstream directive is valid.
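As an added illustration of the check this report asks for (example code, not Tinyproxy's own): resolve the destination first and test every returned address against the loopback ranges, folding IPv4-mapped IPv6 answers back to IPv4 so they are not missed. The resolver table, the `.test` hostnames and the helper names are constructed for this example.

```python
import ipaddress
import socket

# Loopback ranges the issue's null-routed upstream directives are meant to cover.
BLOCKED_NETWORKS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

# Constructed resolver table for the example; the issue reports fbi.com -> loopback.
FAKE_DNS = {
    "fbi.com": ["127.0.0.1"],
    "localhost": ["127.0.0.1", "::1"],
    "mapped.test": ["::ffff:127.0.0.1"],  # IPv4-mapped IPv6 spelling of loopback
    "example.test": ["203.0.113.10"],     # documentation range, not loopback
}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def system_resolver(host):
    """Resolve with the OS resolver and return every A/AAAA answer."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def _normalize(addr):
    """Parse an address literal: strip [] and zone id, unwrap ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def blocked_addresses(host, resolver=system_resolver, networks=BLOCKED_NETWORKS):
    """Resolved addresses of `host` in a blocked range: a hostname is resolved
    first and every answer checked, so a name resolving to loopback is caught."""
    try:
        candidates = [str(_normalize(host))]   # literal IP: no DNS lookup needed
    except ValueError:
        candidates = resolver(host)            # hostname: resolve, then check
    hits = []
    for cand in candidates:
        try:
            ip = _normalize(cand)
        except ValueError:
            continue                           # unparsable answer: skip it
        if any(ip in net for net in networks):
            hits.append(str(ip))
    return hits
```

Connect to the address that passed the check rather than resolving a second time; otherwise a DNS answer that changes between check and connect reintroduces the bypass.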