How to create an RPi public terminal with proxy server

In addition to being a writer, I'm a librarian and geek. I have been working on a project that has been bugging me, so in the event someone else is working on public terminals using Raspberry Pi, I thought I would share what I've come up with.

What I wanted in my catalog terminal

  • A web browser
    • to open full screen
    • to launch on startup to a default page
    • to reset to that default page after a certain amount of inactivity
  • A proxy server so I can restrict what URLs the browser can access
  • The ability to keep the browser tab bar
  • The user should have no access to the desktop or other programs, like Minecraft

This quick tutorial assumes a fresh Raspbian install. I recommend starting with NOOBS because of the recovery mode feature (holding down the Shift key on startup).

Run through the usual first configuration steps (location, overscan, overclocking, keyboard, etc.), but on #3, leave it at the default to require a login. We are not going to use a traditional desktop, which improves control, since we don’t want people using this catalog terminal as anything other than a catalog terminal.

Most of the instructions came from this site:

https://github.com/MobilityLab/TransitScreen/wiki/Raspberry-Pi

This project hasn’t been touched in a long time, and there are a few changes I made to get things working the way I wanted them.

For auto login I used the instructions found here: http://elinux.org/RPi_Debian_Auto_Login

In Terminal:

sudo nano /etc/inittab

Scroll down to the following line (it may look a little different depending on the version of Raspbian, but it’s the first one that starts with “1:2345”):

1:2345:respawn:/sbin/getty 115200 tty1

and change to (comment it out)

#1:2345:respawn:/sbin/getty 115200 tty1

Under that line add:

1:2345:respawn:/bin/login -f pi tty1 </dev/tty1 >/dev/tty1 2>&1

Ctrl+X to exit, Y to save, followed by Enter twice.

midoristartup

From the instructions on the Transitscreen project page, there is a simple script to run the browser. The code is below. “-a” is for the url you want as the default page. “-i” is the inactivity-reset time, in seconds. After 75 seconds, as configured below, the browser restarts to the default page, closing any open tabs.

There is one change that I made to the code. In the code on the Transitscreen project page and when you search for tutorials on midori and kiosk mode, you will see “-e Fullscreen” in that line that begins with “midori”.

I have not included this because for some reason, opening in fullscreen mode prevents the browser from working with the proxy server.

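#!/bin/sh
# Disable display power management (screen blanking)
xset -dpms
# Disable the screensaver
xset s off
matchbox-window-manager &
# Run midori in a loop so it starts again at the default page after it exits
while true; do
    midori -a [url] -i 75
done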

The “xset” lines use x11-xserver-utils and disable the screensaver and screen blanking. If you want the screensaver and screen blanking to work, comment out or omit these lines.

With this setup, there is no desktop used; so I don’t have to worry about users getting to other programs. If the browser crashes for some reason, matchbox automatically restarts it.

Stuff to install

Raspbian no longer comes with midori, in favor of Epiphany, which does not have a kiosk mode, nor can it take a proxy server (however, we will be adding the proxy server details to the environment variables, which might work). Midori also can be reset after a period of inactivity.

Before installation, enter the following to update your Raspbian installation:

sudo apt-get update && sudo apt-get upgrade -y

Enter the following to install the programs needed for this.

sudo apt-get install midori privoxy x11-xserver-utils -y

(Although it looks like x11-xserver-utils was already installed.)

Configuring privoxy

In our situation, we need the terminal to be able to access two other urls, for a couple of resource-sharing websites. If we didn’t, I wouldn’t use a proxy server at all. I would stick with midori in Fullscreen mode. Without fullscreen, navigation controls are available; but the proxy server prevents usage of the terminal for general web searching.

There are a lot of ways to use the privoxy proxy server, like blocking ads from websites, but since I want to restrict access to all but a couple of URLs, I use the “trustfile” configuration, which blocks everything except a list of accepted URLs.

When editing privoxy files, use Ctrl+W (nano’s search), as these files are massive and scrolling to the right area will take a long time.

In /etc/privoxy/config, find “enforce-blocks” and set it to 1. Otherwise, users only get a warning when they try to go to another site and can click on a link to go to the site anyway.

Find “listen-address” and change “localhost” to 127.0.0.1. I read somewhere that privoxy prefers the numerical address to “localhost”, and may reject some connections.

In /etc/privoxy/config uncomment the line

#trustfile trust

The trustfile is the mechanism for allowing sites to be accessed. The file /etc/privoxy/trust has been edited to allow access only to the library’s catalog and one other website. To edit the trustfile:

sudo nano /etc/privoxy/trust

To allow access to a site, add a “+” and the allowed url as noted below.

+library.catalog.org
+othersite.org

Other domains can be added beneath it; just make sure to prepend a “+” symbol. More instructions can be found, and more edits can be made, by entering the following at the command line:

In /etc/privoxy/config, make sure enforce-blocks is set to 1, or the user will get a link that allows them to continue to a site.
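The privoxy settings described in this section can be checked with a short script; this is an added example, not part of the original post or of privoxy itself. The function names directive and audit_privoxy are hypothetical, the paths default to the ones used above, and port 8118 is the one used in the proxy settings on this page. It also reports each “+” entry, because privoxy treats those as trusted referrers (sites they link to become reachable), whereas a “~” prefix allows only the site itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Privoxy settings
# this tutorial relies on. Function names here are hypothetical.

# Print the value of the last uncommented occurrence of a directive.
directive() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Print one line per finding; return 0 only if no check fails.
audit_privoxy() {  # $1 = config file, $2 = trust file
    conf=${1:-/etc/privoxy/config}
    trust=${2:-/etc/privoxy/trust}
    rc=0

    if [ "$(directive "$conf" enforce-blocks)" != "1" ]; then
        echo "FAIL: enforce-blocks is not 1; users can click through the block page"
        rc=1
    fi
    if [ -z "$(directive "$conf" trustfile)" ]; then
        echo "FAIL: trustfile is commented out; the allow list is not applied"
        rc=1
    fi
    # The browser is pointed at 127.0.0.1:8118, so Privoxy must listen there.
    if ! awk '$1 == "listen-address" && $2 == "127.0.0.1:8118" { ok = 1 }
              END { exit !ok }' "$conf"; then
        echo "FAIL: no listen-address 127.0.0.1:8118 line"
        rc=1
    fi

    # Trust file prefixes: "+" allows the site and trusts it as a referrer,
    # "~" allows the site only. Entries without either prefix are flagged.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) ;;
            '+'*) echo "NOTE: ${line#+} is a trusted referrer; sites it links to become reachable" ;;
            '~'*) ;;
            *) echo "FAIL: trust entry '$line' has no + or ~ prefix"; rc=1 ;;
        esac
    done < "$trust"
    return "$rc"
}
```

Called with no arguments, audit_privoxy reads /etc/privoxy/config and /etc/privoxy/trust.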

 

Configuring midori

By default, midori doesn’t display the tab bar. It appears that this setting has to be changed outside of kiosk mode or the change won’t be saved. Getting settings to save in midori and have them apply in kiosk mode appears to be an issue, but what I’ve done works.

From the command line type startx.

Open midori from the menu button: menu->internet->midori

To access the preferences settings for midori, press Ctrl+Alt+P.

Set the homepage on the General tab.

Click on the “Browsing” tab, check the box that says “always display tab bar”, and make sure that URLs open in new tabs.

Maximize the browser for it to open maximized on startup.

Open up a terminal and type sudo reboot.

Launching on startup

From the command line enter:

sudo nano /etc/profile

Scroll to the bottom.

By entering the proxy settings here, they affect the whole system.

Enter the following proxy server settings:

export http_proxy="http://127.0.0.1:8118"
export https_proxy="http://127.0.0.1:8118"

Next, type the following to launch the midoristartup script

xinit ./midoristartup

To return to a command line

Since there is no desktop, there is no task manager. The only way to perform maintenance on the machine is to get back to the command line. Hit Ctrl+Alt+F2 and enter the login information.

In Conclusion

So, this configuration is giving me what I want in a restricted public terminal.

But doesn’t this make me a stodgy jerk for not letting people play around with the Raspberry Pi? I suppose, yes, it would if we didn’t have a special station where people can play with the Raspberry Pi. Behold, our Raspberry Pi makerStation!

[Image: Raspberry Pi makerStation]

I took an old self-check machine that was destined for the landfill/recycling center. Our awesome building services department replaced the badly-worn desktop. I even kept the old receipt printer to see if I can get the RPi to print to it. Maybe people can print achievement badges related to their RPi knowledge.

Actually, we have two makerStations. I took another old self-check machine and configured it to explore Arduino and Mint Cinnamon.

They aren’t out on the floor yet as we have to make some space for them.