Ti
Networking Azure

Tinyproxy on Ubuntu 24.04 on Azure User Guide

| Product: Tinyproxy on Ubuntu 24.04 LTS on Azure

Overview

This guide covers the deployment and configuration of Tinyproxy on Ubuntu 24.04 on Azure using cloudimg Azure Marketplace images. Tinyproxy is a small, fast, low footprint HTTP and HTTPS forward proxy daemon. It sits between clients and the wider web, forwarding outbound requests while applying access control over which clients may use it. Its tiny resource footprint makes it a common choice for a simple outbound web gateway, a jump host proxy, or controlled egress in a private network where a full caching proxy would be overkill.

The image installs Tinyproxy 1.11.1 from the Ubuntu 24.04 archive and configures it as a responsible, secure by default forward proxy for use inside your own network. Unattended security upgrades remain enabled on the running VM so the package keeps receiving patches.

Security by design, not an open proxy. An open forward proxy that will relay requests for anyone on the internet is abused for spam relaying, anonymisation and attack laundering. This image ships two independent locks. First, a source address ACL so the proxy answers only the machine itself (localhost) and hosts on private, RFC1918 ranges; every other source, including the public internet, is refused. There is deliberately no Allow 0.0.0.0/0. Second, mandatory HTTP Basic proxy authentication: every request must carry a valid username and password, so even a client on an allowed subnet is refused unless it authenticates. CONNECT tunnels are restricted to TLS ports only, and the Via header is disabled to reduce information leakage.

Security by design, no bootstrap credential. No proxy password is baked into the image. On first boot the VM generates a unique per VM password and writes it to a root only credentials file. Every VM you deploy gets its own password; nothing is shared and there is no default credential to leak.

What is included:

  • Tinyproxy 1.11.1 from the Ubuntu 24.04 archive, run under systemd as the unprivileged tinyproxy user (tinyproxy.service), listening on TCP 8888

  • A secure forward proxy configuration: source address ACLs (localhost plus RFC1918 only), mandatory per VM Basic authentication, CONNECT restricted to TLS ports, and the Via header disabled

  • A unique proxy password generated on first boot and stored in /root/tinyproxy-credentials.txt (root only), never baked into the image

  • A shipped self test tool, tinyproxy-roundtrip.sh, that proves an anonymous request is refused (HTTP 407) and an authenticated request succeeds (HTTP 200)

  • Ubuntu 24.04 LTS base with latest security patches applied at build time, and unattended security upgrades kept enabled

  • Azure Linux Agent for seamless cloud integration and SSH key injection

  • 24/7 cloudimg support with a guaranteed 24 hour response SLA

Prerequisites

  • Active Azure subscription, SSH public key, VNet and subnet in the target region

  • Subscription to the Tinyproxy listing on Azure Marketplace

  • Network Security Group rules allowing TCP 22 (admin) and TCP 8888 (proxy) from the client networks that will use the proxy

Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM) is ample for a lightweight forward proxy serving a local network. Sites with very high request volumes can use Standard_D2s_v5 or larger, and can raise MaxClients in the configuration.

Step 1: Deploy from the Azure Portal

Search Tinyproxy in Marketplace, select the cloudimg publisher, and click Create. Configure the Network Security Group to allow TCP 8888 (proxy) from your client subnets, and TCP 22 for administration. Keep 8888 restricted to trusted client networks only; never expose it to the public internet.

Step 2: Deploy from the Azure CLI

RG="proxy-prod"; LOCATION="eastus"; VM_NAME="tinyproxy1"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/tinyproxy-ubuntu-24-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"
az group create --name "$RG" --location "$LOCATION"
az vm create \
  --resource-group "$RG" --name "$VM_NAME" \
  --image "$GALLERY_IMAGE_ID" \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values "$SSH_KEY" \
  --public-ip-sku Standard
# Open the proxy and admin ports on the VM's NSG (restrict 8888 to your client subnet):
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 8888 --priority 1001
az vm open-port --resource-group "$RG" --name "$VM_NAME" --port 22 --priority 1002

Step 3: First boot

On first boot the image resolves the VM address, generates a unique per VM proxy password, injects it into the Tinyproxy configuration, asserts the secure defaults (not an open proxy), starts the service, and proves an anonymous request is refused while an authenticated request succeeds. This completes within a minute. SSH in as azureuser and read the credentials:

sudo cat /root/tinyproxy-credentials.txt

Expected output (the password is unique to your VM):

proxy.user=cloudimg
proxy.pass=<per-VM-password>
proxy.host=10.0.0.18
proxy.endpoint=10.0.0.18:8888

Step 4: Confirm the service is running

tinyproxy.service is active and owns port 8888. ss confirms the tinyproxy process is the listener on :8888.

systemctl is-active tinyproxy.service
sudo ss -tulnp | grep -E ':8888 '

Expected output:

active
tcp   LISTEN 0      1024          0.0.0.0:8888      0.0.0.0:*    users:(("tinyproxy",pid=26937,fd=3))

tinyproxy.service reports active, and ss shows the tinyproxy process listening on TCP port 8888, confirming the forward proxy is up and ready to accept authenticated client connections

Step 5: Make a request through the proxy

Point a request at the proxy with curl -x. A request without credentials is refused with HTTP 407 (Proxy Authentication Required). A request with the per VM credentials succeeds with HTTP 200. Read the username and password from the credentials file, then run the shipped self test tool.

PROXY_USER="$(sudo grep -E '^proxy\.user=' /root/tinyproxy-credentials.txt | cut -d= -f2-)"
PROXY_PASS="$(sudo grep -E '^proxy\.pass=' /root/tinyproxy-credentials.txt | cut -d= -f2-)"
curl -x "http://127.0.0.1:8888" -s -o /dev/null -w 'anonymous request: HTTP %{http_code}\n' http://example.com/
curl -x "http://$PROXY_USER:$PROXY_PASS@127.0.0.1:8888" -s -o /dev/null -w 'authenticated request: HTTP %{http_code}\n' http://example.com/
sudo /usr/local/sbin/tinyproxy-roundtrip.sh

Expected output:

anonymous request: HTTP 407
authenticated request: HTTP 200
round-trip OK: anonymous request refused (HTTP 407), authenticated request with the per-VM password succeeded (HTTP 200); the shipped proxy is not open (localhost + RFC1918 only) and enforces per-VM BasicAuth

A request through the proxy without credentials is refused with HTTP 407, a request with the per-VM username and password returns HTTP 200, and the tinyproxy-roundtrip self test confirms the anonymous request was refused and the authenticated request succeeded, proving proxy authentication is enforced

Step 6: Review the configuration

The cloudimg configuration is the whole of /etc/tinyproxy/tinyproxy.conf (the stock file is backed up to tinyproxy.conf.orig). The version is 1.11.1 from the Ubuntu archive. The BasicAuth line carries this VM's unique password (masked below).

tinyproxy -v | head -1
grep -vE '^[[:space:]]*#|^[[:space:]]*$' /etc/tinyproxy/tinyproxy.conf

Expected output (comments and blank lines stripped for brevity; password masked):

tinyproxy 1.11.1
User tinyproxy
Group tinyproxy
Port 8888
Timeout 600
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
LogLevel Info
PidFile "/run/tinyproxy/tinyproxy.pid"
MaxClients 100
Allow 127.0.0.1
Allow ::1
Allow 10.0.0.0/8
Allow 172.16.0.0/12
Allow 192.168.0.0/16
Allow fc00::/7
ViaProxyName "cloudimg"
DisableViaHeader Yes
ConnectPort 443
ConnectPort 563
BasicAuth cloudimg <per-VM-password>

tinyproxy version 1.11.1 reported and the tinyproxy.conf listing shows the Allow ACLs restricted to localhost and private ranges, the 8888 listener, CONNECT restricted to the TLS ports 443 and 563, the disabled Via header, and the per-VM BasicAuth line

Step 7: Verify the responsible defaults

This is the key security property. The Allow rules permit only localhost and the private RFC1918 ranges, there is no Allow 0.0.0.0/0, and the BasicAuth line forces every request to authenticate. A request without valid credentials is actively refused with HTTP 407.

grep -E '^[[:space:]]*(Allow|BasicAuth|ConnectPort|DisableViaHeader)' /etc/tinyproxy/tinyproxy.conf
curl -x http://127.0.0.1:8888 -s -o /dev/null -w 'anonymous request: HTTP %{http_code}\n' http://example.com/
sudo grep -E '^proxy\.(user|host|endpoint)=' /root/tinyproxy-credentials.txt

Expected output (password masked):

Allow 127.0.0.1
Allow ::1
Allow 10.0.0.0/8
Allow 172.16.0.0/12
Allow 192.168.0.0/16
Allow fc00::/7
DisableViaHeader Yes
ConnectPort 443
ConnectPort 563
BasicAuth cloudimg <per-VM-password>
anonymous request: HTTP 407
proxy.user=cloudimg
proxy.host=10.0.0.18
proxy.endpoint=10.0.0.18:8888

The Allow rules show only localhost and the private RFC1918 ranges with the per-VM BasicAuth line, an anonymous request is refused with HTTP 407, and the per-VM endpoint notes list the proxy user, host and port, confirming the proxy is not open and enforces authentication

Step 8: Point clients at the proxy

Configure the clients on your local network to use the VM as their HTTP and HTTPS proxy, including the credentials in the URL. On a Linux client, set the standard proxy environment variables (replace <proxy-ip> with the VM public IP, or its private IP inside the VNet, and use the username and password from the credentials file):

export http_proxy="http://cloudimg:<per-VM-password>@<proxy-ip>:8888"
export https_proxy="http://cloudimg:<per-VM-password>@<proxy-ip>:8888"

Because of the source address ACLs, only clients on a private (RFC1918) subnet, or the box itself, are served, so keep the proxy and its clients on the same VNet or a peered network. For an application, set its proxy setting to http://cloudimg:<per-VM-password>@<proxy-ip>:8888.

Step 9: Allow additional client networks (optional)

If your clients are on a network range that is not one of the default RFC1918 ranges, add an Allow line for it. Edit /etc/tinyproxy/tinyproxy.conf and add your own network alongside the existing Allow lines:

# allow an extra trusted client subnet
Allow 100.72.0.0/16

Apply with sudo systemctl restart tinyproxy. Only ever allow networks you control, and never add Allow 0.0.0.0/0. Because Basic authentication is enforced regardless of source address, clients on the new subnet still need the proxy password.

Step 10: Rotate or add proxy credentials (optional)

The per VM password lives on the BasicAuth line in /etc/tinyproxy/tinyproxy.conf. To rotate it, or to add a second username and password pair, edit that line (or add another BasicAuth <user> <password> line) and restart the service:

BasicAuth cloudimg <a-new-strong-password>
BasicAuth teammate <another-strong-password>

Apply with sudo systemctl restart tinyproxy. Keep the credentials file in step with any change you make, and never remove the BasicAuth line, which would turn off authentication.

Step 11: Restrict outbound destinations (optional)

Tinyproxy can filter which destinations clients may reach. Enable the filter in /etc/tinyproxy/tinyproxy.conf and point it at a file of allowed (or denied) domains:

Filter "/etc/tinyproxy/filter"
FilterDefaultDeny Yes

Create /etc/tinyproxy/filter with one domain regex per line (for example \.ubuntu\.com$), then apply with sudo systemctl restart tinyproxy. With FilterDefaultDeny Yes, only destinations that match the file are allowed.

Step 12: Security recommendations

  • Restrict the NSG. Allow TCP 8888 only from the client networks that need the proxy, and TCP 22 for administration only. Never expose 8888 to the public internet.

  • Keep authentication on. The shipped configuration requires a per VM password on every request; never remove the BasicAuth line.

  • Keep it closed by default. The Allow rules restrict access to localhost and private ranges; never add Allow 0.0.0.0/0.

  • Use destination filtering for egress control. Step 11 shows how to limit which sites clients may reach through the proxy.

  • Keep the OS and Tinyproxy patched. Unattended security upgrades remain enabled on the running VM.

  • Watch the logs. /var/log/tinyproxy/tinyproxy.log records connections and errors.

Step 13: Support and Licensing

Tinyproxy is free software maintained by the Tinyproxy project and contributors, distributed under the GNU General Public License, version 2 (GPL-2.0). This cloudimg image bundles the unmodified Ubuntu archive package. cloudimg provides the packaging, the secure forward proxy hardening, the not an open proxy defaults, the per VM authentication, the shipped self test tool, and 24/7 support with a guaranteed 24 hour response SLA.

cloudimg is not affiliated with or endorsed by the Tinyproxy project. Tinyproxy is used here only to identify the software.

Deploy on Azure

Find Tinyproxy on Ubuntu 24.04 LTS on the Azure Marketplace, published by cloudimg. Deploy from the Portal or the Azure CLI as shown above.

Need Help?

Email support@cloudimg.co.uk for deployment help, configuration questions, or licensing enquiries.