tinyproxy.conf.5: explain what a site_spec looks like

if tinyproxy serves as a HTTP server (i.e. when serving stats),
use error code 401, else error code 407.

fixes #532

.github/workflows/release_tarball.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         submodules: recursive
 
@@ -26,36 +26,15 @@ jobs:
         PKGNAME="tinyproxy-$VERSION"
         ./configure
         make dist
-        echo "::set-output name=tarball_xz::${PKGNAME}.tar.xz"
+        echo "tarball_xz=${PKGNAME}.tar.xz" >> "$GITHUB_OUTPUT"
-        echo "::set-output name=tarball_gz::${PKGNAME}.tar.gz"
+        echo "tarball_gz=${PKGNAME}.tar.gz" >> "$GITHUB_OUTPUT"
-        echo "::set-output name=tarball_bz2::${PKGNAME}.tar.bz2"
+        echo "tarball_bz2=${PKGNAME}.tar.bz2" >> "$GITHUB_OUTPUT"
 
-    - name: upload tarball_xz
+    - name: upload tarballs
-      uses: actions/upload-release-asset@v1
+      uses: softprops/action-gh-release@v2
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
-        upload_url: ${{ github.event.release.upload_url }}
+        files: |
-        asset_path: ./${{ steps.archive.outputs.tarball_xz }}
+          ${{ steps.archive.outputs.tarball_xz }}
-        asset_name: ${{ steps.archive.outputs.tarball_xz }}
+          ${{ steps.archive.outputs.tarball_gz }}
-        asset_content_type: application/x-xz
+          ${{ steps.archive.outputs.tarball_bz2 }}
 
-    - name: upload tarball_gz
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./${{ steps.archive.outputs.tarball_gz }}
-        asset_name: ${{ steps.archive.outputs.tarball_gz }}
-        asset_content_type: application/x-gzip
-
-    - name: upload tarball_bz2
-      uses: actions/upload-release-asset@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ github.event.release.upload_url }}
-        asset_path: ./${{ steps.archive.outputs.tarball_bz2 }}
-        asset_name: ${{ steps.archive.outputs.tarball_bz2 }}
-        asset_content_type: application/x-bzip2

configure.ac

@@ -173,6 +173,9 @@ fi
 dnl
 dnl Substitute the variables into the various Makefiles
 dnl
+# runstatedir isn't available for Autoconf < 2.70
+AS_IF([test -z "${runstatedir}"], [runstatedir='${localstatedir}/run'])
+AC_SUBST([runstatedir])
 AC_SUBST(CFLAGS)
 AC_SUBST(LDFLAGS)
 AC_SUBST(CPPFLAGS)
@@ -220,7 +223,6 @@ docs/Makefile
 docs/man5/Makefile
 docs/man5/tinyproxy.conf.txt
 docs/man8/Makefile
-docs/man8/tinyproxy.txt
 m4macros/Makefile
 tests/Makefile
 tests/scripts/Makefile

data/templates/debug.html

@@ -30,9 +30,6 @@
   <dt>clienthost</dt>
   <dd>{clienthost}</dd>
 
-  <dt>version</dt>
-  <dd>{version}</dd>
-
   <dt>package</dt>
   <dd>{package}</dd>
 
@@ -49,7 +46,7 @@
 
 <hr />
 
-<p><em>Generated by <a href="{website}">{package}</a> version {version}.</em></p>
+<p><em>Generated by <a href="{website}">{package}</a>.</em></p>
 
 </body>
 

data/templates/default.html

@@ -16,7 +16,7 @@
 
 <hr />
 
-<p><em>Generated by <a href="{website}">{package}</a> version {version}.</em></p>
+<p><em>Generated by <a href="{website}">{package}</a>.</em></p>
 
 </body>
 

data/templates/stats.html

@@ -2,7 +2,7 @@
 
 <html lang="en">
   <head>
-    <title>Stats [{package} v{version}]</title>
+    <title>Stats [{package}]</title>
     <meta charset="UTF-8" />
     <style type="text/css">
       body {
@@ -62,7 +62,7 @@
       <div id="inner">
         <table>
           <tr>
-            <th colspan="2">{package} v{version} statistics</th>
+            <th colspan="2">{package} statistics</th>
           </tr>
           <tr class="odd">
             <td class="right">Open connections</td>

docs/man5/tinyproxy.conf.txt.in

@@ -173,6 +173,10 @@ turns on the upstream proxy for the sites matching `site_spec`.
 
 `type` can be one of `http`, `socks4`, `socks5`, `none`.
 
+a `site_spec` is either a full domain name, a domain name starting with a
+`.`, in which case it is treated as a suffix, or an ip/mask tuple.
+the `site_spec` needs to be double-quoted.
+
 =item * I<upstream none "site_spec">
 turns off upstream support for sites matching `site_spec`, that means the
 connection is done directly.
@@ -239,6 +243,14 @@ access is only granted for authenticated users.
 
     BasicAuth user password
 
+=item B<BasicAuthRealm>
+
+In case "BasicAuth" is configured, the "realm" information.
+"Proxy Authentication Required" status http 407 "error-response" can be
+customized.
+
+- defaults in code to "Tinyproxy" (PACKAGE_NAME), if not configured.
+
 =item B<AddHeader>
 
 Configure one or more HTTP request headers to be added to outgoing
@@ -420,7 +432,7 @@ This manpage was written by the Tinyproxy project team.
 
 =head1 COPYRIGHT
 
-Copyright (c) 1998-2020 the Tinyproxy authors.
+Copyright (c) 1998-2024 the Tinyproxy authors.
 
 This program is distributed under the terms of the GNU General Public
 License version 2 or above. See the COPYING file for additional

docs/man8/Makefile.am

@@ -9,6 +9,17 @@ M_NAME=TINYPROXY
 man_MANS = \
 	$(MAN8_FILES:.txt=.8)
 
+edit = sed \
+	-e 's|@localstatedir[@]|$(localstatedir)|g' \
+	-e 's|@runstatedir[@]|$(runstatedir)|g' \
+	-e 's|@sysconfdir[@]|$(sysconfdir)|g' \
+	-e 's|@TINYPROXY_STATHOST[@]|$(TINYPROXY_STATHOST)|g'
+
+tinyproxy.txt: $(top_srcdir)/docs/man8/tinyproxy.txt.in Makefile
+	@rm -f $@ $@.tmp
+	$(AM_V_GEN) $(edit) $(top_srcdir)/docs/man8/$@.in > $@.tmp
+	@mv $@.tmp $@
+
 .txt.8:
 if HAVE_POD2MAN
 	$(AM_V_GEN) $(POD2MAN) --center="Tinyproxy manual" \

docs/man8/tinyproxy.txt.in

@@ -156,7 +156,11 @@ configuration variable `StatFile`.
 
 =head1 FILES
 
-`/etc/tinyproxy/tinyproxy.conf`, `/var/run/tinyproxy/tinyproxy.pid`, `/var/log/tinyproxy/tinyproxy.log`
+F<@sysconfdir@/tinyproxy/tinyproxy.conf>
+
+F<@runstatedir@/tinyproxy/tinyproxy.pid>
+
+F<@localstatedir@/log/tinyproxy/tinyproxy.log>
 
 =head1 BUGS
 

etc/Makefile.am

@@ -12,6 +12,7 @@ edit = sed \
 	-e 's|@datarootdir[@]|$(datarootdir)|g' \
 	-e 's|@pkgsysconfdir[@]|$(pkgsysconfdir)|g' \
 	-e 's|@localstatedir[@]|$(localstatedir)|g' \
+	-e 's|@runstatedir[@]|$(runstatedir)|g' \
 	-e 's|@pkgdatadir[@]|$(pkgdatadir)|g' \
 	-e 's|@prefix[@]|$(prefix)|g' \
 	-e 's|@TINYPROXY_STATHOST[@]|$(TINYPROXY_STATHOST)|g'

etc/tinyproxy.conf.in

@@ -124,7 +124,7 @@ LogLevel Info
 # can be used for signalling purposes.
 # If not specified, no pidfile will be written.
 #
-#PidFile "@localstatedir@/run/tinyproxy/tinyproxy.pid"
+#PidFile "@runstatedir@/tinyproxy/tinyproxy.pid"
 
 #
 # XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
@@ -205,6 +205,13 @@ Allow ::1
 # users.
 #BasicAuth user password
 
+# BasicAuthRealm : In case BasicAuth is configured, the "realm" information.
+# "Proxy Authentication Required" status http 407 "error-response" can be
+# customized.
+#
+# - defaults in code to "Tinyproxy" (PACKAGE_NAME), if not configured.
+#BasicAuthRealm "Tinyproxy"
+
 #
 # AddHeader: Adds the specified headers to outgoing HTTP requests that
 # Tinyproxy makes. Note that this option will not work for HTTPS
@@ -320,6 +327,3 @@ ViaProxyName "tinyproxy"
 # If not set then no rewriting occurs.
 #
 #ReverseBaseURL "http://localhost:8888/"
-
-
-

src/conf-tokens.c

@@ -57,6 +57,7 @@ config_directive_find (register const char *str, register size_t len)
       {"connectport", CD_connectport},
       {"logfile", CD_logfile},
       {"basicauth", CD_basicauth},
+      {"basicauthrealm", CD_basicauthrealm},
       {"addheader", CD_addheader},
       {"maxrequestsperchild", CD_maxrequestsperchild}
     };

src/conf-tokens.gperf

@@ -44,6 +44,7 @@ allow, CD_allow
 deny, CD_deny
 bind, CD_bind
 basicauth, CD_basicauth
+basicauthrealm, CD_basicauthrealm
 errorfile, CD_errorfile
 addheader, CD_addheader
 filter, CD_filter

src/conf-tokens.h

@@ -29,6 +29,7 @@ CD_allow,
 CD_deny,
 CD_bind,
 CD_basicauth,
+CD_basicauthrealm,
 CD_errorfile,
 CD_addheader,
 CD_filter,

src/conf.c

@@ -122,6 +122,7 @@ static HANDLE_FUNC (handle_disabled_feature)
 
 static HANDLE_FUNC (handle_allow);
 static HANDLE_FUNC (handle_basicauth);
+static HANDLE_FUNC (handle_basicauthrealm);
 static HANDLE_FUNC (handle_anonymous);
 static HANDLE_FUNC (handle_bind);
 static HANDLE_FUNC (handle_bindsame);
@@ -193,6 +194,7 @@ struct {
         regex_t *cre;
 } directives[] = {
         /* string arguments */
+        STDCONF (basicauthrealm, STR, handle_basicauthrealm),
         STDCONF (logfile, STR, handle_logfile),
         STDCONF (pidfile, STR, handle_pidfile),
         STDCONF (anonymous, STR, handle_anonymous),
@@ -294,6 +296,7 @@ void free_config (struct config_s *conf)
         char *k;
         htab_value *v;
         size_t it;
+        safefree (conf->basicauth_realm);
         safefree (conf->logf_name);
         safefree (conf->stathost);
         safefree (conf->user);
@@ -481,6 +484,7 @@ static void initialize_config_defaults (struct config_s *conf)
          * (FIXME: Should have a better API for all this)
          */
         conf->errorpages = NULL;
+        conf->basicauth_realm = safestrdup (PACKAGE_NAME);
         conf->stathost = safestrdup (TINYPROXY_STATHOST);
         conf->idletimeout = MAX_IDLE_TIME;
         conf->logf_name = NULL;
@@ -634,6 +638,11 @@ set_int_arg (unsigned int *var, const char *line, regmatch_t * match)
  *
  ***********************************************************************/
 
+static HANDLE_FUNC (handle_basicauthrealm)
+{
+        return set_string_arg (&conf->basicauth_realm, line, &match[2]);
+}
+
 static HANDLE_FUNC (handle_logfile)
 {
         return set_string_arg (&conf->logf_name, line, &match[2]);

src/conf.h

@@ -39,6 +39,7 @@ typedef struct {
  */
 struct config_s {
         sblist *basicauth_list;
+        char *basicauth_realm;
         char *logf_name;
         unsigned int syslog;    /* boolean */
         unsigned int port;

src/html-error.c

@@ -140,14 +140,14 @@ int send_http_headers (
 {
         const char headers[] =
             "HTTP/1.%u %d %s\r\n"
-            "Server: %s/%s\r\n"
+            "Server: %s\r\n"
             "Content-Type: text/html\r\n"
             "%s"
             "Connection: close\r\n" "\r\n";
 
         return (write_message (connptr->client_fd, headers,
                                connptr->protocol.major != 1 ? 0 : connptr->protocol.minor,
-                               code, message, PACKAGE, VERSION,
+                               code, message, PACKAGE,
                                extra));
 }
 
@@ -169,24 +169,34 @@ int send_http_error_message (struct conn_s *connptr)
             "<h1>%s</h1>\n"
             "<p>%s</p>\n"
             "<hr />\n"
-            "<p><em>Generated by %s version %s.</em></p>\n" "</body>\n"
+            "<p><em>Generated by %s.</em></p>\n" "</body>\n"
             "</html>\n";
 
-        const char p_auth_str[] =
-            "Proxy-Authenticate: Basic realm=\""
-            PACKAGE_NAME "\"\r\n";
-
-        const char w_auth_str[] =
-            "WWW-Authenticate: Basic realm=\""
-            PACKAGE_NAME "\"\r\n";
-
 	/* according to rfc7235, the 407 error must be accompanied by
            a Proxy-Authenticate header field. */
-        const char *add = connptr->error_number == 407 ? p_auth_str :
+        const char *auth_str_type = 
-                          (connptr->error_number == 401 ? w_auth_str : "");
+                connptr->error_number == 407 ? "Proxy-Authenticate" :
+                (connptr->error_number == 401 ? "WWW-Authenticate" : "");
+
+        const char auth_str_tpl[] = "%s: Basic realm=\"%s\"\r\n";
+        char* auth_str_add = NULL;
+
+        if (auth_str_type[0] != 0) {
+                int auth_str_size = snprintf (NULL, 0, auth_str_tpl, 
+                                        auth_str_type, config->basicauth_realm) + 1;
+                if (auth_str_size > 0) {
+                        auth_str_add = safemalloc (auth_str_size);
+                        if (auth_str_add != NULL) {
+                                snprintf (auth_str_add, auth_str_size, auth_str_tpl,
+                                        auth_str_type, config->basicauth_realm);
+                        }
+                }
+        }
 
         send_http_headers (connptr, connptr->error_number,
-                           connptr->error_string, add);
+                           connptr->error_string, auth_str_add ? auth_str_add : "");
+
+        if (auth_str_add) safefree (auth_str_add);
 
         error_file = get_html_file (connptr->error_number);
         if (!error_file || !(infile = fopen (error_file, "r"))) {
@@ -199,7 +209,7 @@ int send_http_error_message (struct conn_s *connptr)
                                        connptr->error_number,
                                        connptr->error_string,
                                        connptr->error_string,
-                                       detail, PACKAGE, VERSION));
+                                       detail, PACKAGE));
         }
 
         ret = send_html_file (infile, connptr);

src/reqs.c

@@ -308,7 +308,7 @@ static int send_connect_method_response (struct conn_s *connptr)
 {
         return write_message (connptr->client_fd,
                               "HTTP/1.%u 200 Connection established\r\n"
-                              "Proxy-agent: " PACKAGE "/" VERSION "\r\n"
+                              "Proxy-agent: " PACKAGE "\r\n"
                               "\r\n", connptr->protocol.major != 1 ? 0 :
                                       connptr->protocol.minor);
 }
@@ -881,15 +881,14 @@ write_via_header (int fd, orderedmap hashofheaders,
         data = orderedmap_find (hashofheaders, "via");
         if (data) {
                 ret = write_message (fd,
-                                     "Via: %s, %hu.%hu %s (%s/%s)\r\n",
+                                     "Via: %s, %hu.%hu %s (%s)\r\n",
-                                     data, major, minor, hostname, PACKAGE,
+                                     data, major, minor, hostname, PACKAGE);
-                                     VERSION);
 
                 orderedmap_remove (hashofheaders, "via");
         } else {
                 ret = write_message (fd,
-                                     "Via: %hu.%hu %s (%s/%s)\r\n",
+                                     "Via: %hu.%hu %s (%s)\r\n",
-                                     major, minor, hostname, PACKAGE, VERSION);
+                                     major, minor, hostname, PACKAGE);
         }
 
 done:
@@ -1287,6 +1286,7 @@ static void relay_connection (struct conn_s *connptr)
         return;
 }
 
+#ifdef UPSTREAM_SUPPORT
 static int
 connect_to_upstream_proxy(struct conn_s *connptr, struct request_s *request)
 {
@@ -1403,7 +1403,7 @@ connect_to_upstream_proxy(struct conn_s *connptr, struct request_s *request)
 
 	return establish_http_connection(connptr, request);
 }
-
+#endif
 
 /*
  * Establish a connection to the upstream proxy server.
@@ -1559,6 +1559,19 @@ static void handle_connection_failure(struct conn_s *connptr, int got_headers)
         }
 }
 
+static void auth_error(struct conn_s *connptr, int code) {
+        const char *tit = code == 401 ? "Unauthorized" : "Proxy Authentication Required";
+        const char *msg = code == 401 ?
+        "The administrator of this proxy has not configured it to service requests from you." :
+        "This proxy requires authentication.";
+
+        update_stats (STAT_DENIED);
+        log_message (LOG_INFO,
+                     "Failed auth attempt (file descriptor: %d), ip %s",
+                     connptr->client_fd,
+                     connptr->client_ip_addr);
+        indicate_http_error (connptr, code, tit, "detail", msg, NULL);
+}
 
 /*
  * This is the main drive for each connection. As you can tell, for the
@@ -1677,12 +1690,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
                 }
 
                 if (!authstring) {
-                        if (stathost_connect) goto e401;
+                        auth_error(connptr, stathost_connect ? 401 : 407);
-                        update_stats (STAT_DENIED);
-                        indicate_http_error (connptr, 407, "Proxy Authentication Required",
-                                             "detail",
-                                             "This proxy requires authentication.",
-                                             NULL);
                         HC_FAIL();
                 }
                 if ( /* currently only "basic" auth supported */
@@ -1691,17 +1699,7 @@ void handle_connection (struct conn_s *connptr, union sockaddr_union* addr)
                         basicauth_check (config->basicauth_list, authstring + 6) == 1)
                                 failure = 0;
                 if(failure) {
-e401:
+                        auth_error(connptr, stathost_connect ? 401 : 407);
-                        update_stats (STAT_DENIED);
-                        log_message (LOG_INFO,
-                                     "Failed auth attempt (file descriptor: %d), ip %s",
-                                     connptr->client_fd,
-                                     connptr->client_ip_addr);
-                        indicate_http_error (connptr, 401, "Unauthorized",
-                                             "detail",
-                                             "The administrator of this proxy has not configured "
-                                             "it to service requests from you.",
-                                             NULL);
                         HC_FAIL();
                 }
                 orderedmap_remove (hashofheaders, "proxy-authorization");

src/stats.c

@@ -87,9 +87,9 @@ err_minus_one:
                    "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" "
                    "\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\n"
                    "<html>\n"
-                   "<head><title>%s version %s run-time statistics</title></head>\n"
+                   "<head><title>%s run-time statistics</title></head>\n"
                    "<body>\n"
-                   "<h1>%s version %s run-time statistics</h1>\n"
+                   "<h1>%s run-time statistics</h1>\n"
                    "<p>\n"
                    "Number of open connections: %lu<br />\n"
                    "Number of requests: %lu<br />\n"
@@ -98,13 +98,13 @@ err_minus_one:
                    "Number of refused connections due to high load: %lu\n"
                    "</p>\n"
                    "<hr />\n"
-                   "<p><em>Generated by %s version %s.</em></p>\n" "</body>\n"
+                   "<p><em>Generated by %s.</em></p>\n" "</body>\n"
                    "</html>\n",
-                   PACKAGE, VERSION, PACKAGE, VERSION,
+                   PACKAGE, PACKAGE,
                    stats->num_open,
                    stats->num_reqs,
                    stats->num_badcons, stats->num_denied,
-                   stats->num_refused, PACKAGE, VERSION);
+                   stats->num_refused, PACKAGE);
 
                 if (send_http_message (connptr, 200, "OK",
                                        message_buffer) < 0) {

src/utils.c

@@ -39,7 +39,7 @@ send_http_message (struct conn_s *connptr, int http_code,
                    const char *error_title, const char *message)
 {
         static const char *headers[] = {
-                "Server: " PACKAGE "/" VERSION,
+                "Server: " PACKAGE,
                 "Content-type: text/html",
                 "Connection: close"
         };

tests/scripts/webclient.pl

@@ -26,9 +26,8 @@ use Pod::Usage;
 
 my $EOL = "\015\012";
 
-my $VERSION = "0.1";
 my $NAME = "Tinyproxy-Web-Client";
-my $user_agent = "$NAME/$VERSION";
+my $user_agent = "$NAME";
 my $user_agent_header = "User-Agent: $user_agent$EOL";
 my $http_version = "1.0";
 my $method = "GET";

tests/scripts/webserver.pl

@@ -31,9 +31,8 @@ use Getopt::Long;
 use Pod::Usage;
 use Fcntl ':flock'; # import LOCK_* constants
 
-my $VERSION = "0.1";
 my $NAME = "Tinyproxy-Test-Web-Server";
-my $server_header = "Server: $NAME/$VERSION";
+my $server_header = "Server: $NAME";
 
 my $EOL = "\015\012";