Making an Image-Flip Proxy


There have been many articles about creating a proxy server that flips directly as a proxy or gateway server. or distorts images that pass through it. They are hilarious, but they tended to lack in certain details. This article will detail how to set up the OS, proxy and routing, giving you the option to either use it

This is also very quick and dirty. It is meant to get you started as quickly as possible. This means any longevity or security concerns are ignored. You have been warned.

The original idea came from here.

Setting Up An OS

The proxy is based off of a default install of Debian Lenny from the netinstall ISO. It can be found here.

For the OS install, you can accept the defaults for almost every option. There are two cases to watch out for. First, you will be prompted to confirm all of your partitioning options before proceeding. The default option is to cancel. The second case is the additional software options. I unchecked the “Desktop Environment” option, since this is going to be server.

Once the OS is installed, log in as root and run the following commands to prepare our environment:

apt-get install squid3 apache2 imagemagick  
chmod -R 777 /var/www

Configuring the Proxy

Open the /etc/squid3/squid.conf file in your favorite editor. Near the top of the file is a configuration option for http_port. Change it to look like the following:

http_port 3128 transparent

Next, find the line that begins with INSERT YOUR OWN RULE(S), which should be around line number 2138. Below that line, add the following to allow your private network access to your proxy. Make sure to change the it for your network.

acl lan src  
http_access allow lan

Lastly, go to the bottom of the file and add the following line. This is the magic which will flip the images for you.

redirect_program /usr/local/bin/

Save the file and exit your editor.

The Flip Script

Edit the file /usr/local/bin/ and add the following to it:


$count = 0;  
$pid = $$;  
while (<>) {  
    chomp $_;  
    if ($_ =~ /(.*)(\.jpg|\.png|\.gif)/i) {  
        $url = $1 . $2;  
        system("/usr/bin/wget", "-q", "-O","/var/www/$pid-$count$2", "$url");  
        system("/usr/bin/mogrify", "-flip","/var/www/$pid-$count$2");  
        system("/bin/chmod", "777", "/var/www/$pid-$count$2");  
        print "$pid-$count$2\n";  
    } else {  
        print "$_\n";  

The script is fairly simple. Squid passes URL’s to the script. If the URL ends in image type, it is pulled down to root of our web server. Mogrify then modifies the image in place. Lastly, it tells Squid to pull the image from our web server instead of the internet. If the URL isn’t an image, we just dump the origin URL back out.

Once the file is in place, make sure to make it executable.

chmod +x /usr/local/bin/

You should have enough to test. Restart Squid with the following:

invoke-rc.d squid3 restart

You can now set up any browser to use the server as a proxy on port

  1. If you visit a page you have been to before, make sure you refresh a couple of times. Your browser might have cached the images locally, which means they won’t go through our proxy.

Making A Transparent Gateway

The last part of the process is to make the server a gateway which will transparently redirect web requests through the proxy. Create the file /etc/network/if-up.d/00-firewall and add the following to it:



# delete all existing rules.  
iptables -F  
iptables -t nat -F  
iptables -t mangle -F  
iptables -X

# Always accept loopback traffic  
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections  
iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT  
iptables -A FORWARD -i eth0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections  
iptables -A FORWARD -i eth0 -o eth0 -j ACCEPT

# Masquerade  
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

echo 1 > /proc/sys/net/ipv4/ip_forward

Now make the script executable and restart the networking.

chmod +x /etc/network/if-up.d/00-firewall  
invoke-rc.d networking restart

At this point, you should be able to set any computer’s default gateway to the IP address of your server. You don’t need to set a proxy address for your browser. Everything is now routed and all HTTP requests are redirected through the proxy.