|
NAMEffproxy —
filtering HTTP/HTTPS proxy server
SYNOPSIS
DESCRIPTIONffproxy is a filtering HTTP/HTTPS proxy server. It is
able to filter by host, URL, and header. Custom header entries can be filtered
and added. It can even drop its privileges and optionally
chroot(2)
to some directory. Logging to
syslog(3)
is supported, as is using another auxiliary proxy server. An HTTP accelerator
feature (acting as a front-end to an HTTP server) is included. Contacting IPv6
servers as well as binding to IPv6 is supported and allows transparent IPv6
over IPv4 browsing (and vice versa).
Remind that there is an alternative to command line options by using configuration files. See ffproxy.conf(5) and sample.config for details. It allows options that are not available on command line. The following command line options are recognized. They specify general settings like IP to bind to or place of the db/ and html/ directories. Note that arguments to options must be seperated from the option by spaces, as are such options from each other.
THE DB/ DIRECTORYThe db/ directory contains files that control the behaviour of ffproxy. The files for filtering are prefixed by `filter'. Access to the proxy server is controlled by files with prefix `host'.FilteringRequests or header entries to be filtered are matched by extended regular expressions or case insensitive by strings.ffproxy is able to filter requests by host, header, remote header, and URL. The specific files are
Files ending in `drop' specify requests to be completely filtered (dropped). Files ending in `entry' specify header entries to be removed from the header. They are matched case insensitive without extended regular expressions. Files ending in `match' specify extended regular expressions to be matched against header entries, host, or URL. Adding custom header entries is also supported. The entries of file filter.header.add will be added to every outgoing request. Access ControlAccess to the proxy is controlled through the files prefixed `host'.host.dyndns contains host names with dynamic IPv4 addresses. The host names are resolved to IPv4 addresses and compared to the client's IP. If it matches, access is granted. host.ip contains static IPv4 and IPv6 address. host.name contains official hostnames (reverse lookup). Except for host.dyndns, the files contain extended regular expressions. If any of the entries matches, access is granted. Layout of db/ FilesEvery mentioned file above must exist, although it may be empty. Every entry is exactly one line. Empty lines are ignored, as are lines beginning with a # (comments).The location of the db/ directory may be specified by an argument to the command line option -D. If this option and configuration file option db_files_path are not used, ffproxy will search for db/ and html/ in /usr/local/share/ffproxy. ffproxy comes with sample db/ files. They also contain needed and suggested entries, as described next. Suggested db/ file entriesThe file filter.header.entry should contain following entries for the program's proper operationAccept-Encoding: Accept: Connection: Proxy-Connection: Host: First two lines are needed for browsers that send out Accept*: Headers but don't understand encoded data coming back from the proxy. Host: has to be removed, since proxies require absolute URIs (Host: is redundant). filter.header.add should contain Connection: close Proxy-Connection: close We removed the two entries through filter.header.entry and now implant our own to force disconnection after each request. filter.rheader.entry should contain Connection: Proxy-Connection: Whatever the server answered, we remove it. THE HTML/ DIRECTORYThis directory contains files with HTTP header and HTML that are sent to the user's browser if either an error occured or a request was filtered. In the files, the variable $u will be replaced by the URL, $h by the host to connect to, and $c by the hostname of the client.Since the files are loaded into memory for faster execution, the size of each file is limited to about 8 kB (what is more than enough, the default files are under 1 kB). The specific files are (every file must exist)
HTTP ACCELERATORffproxy may also be used as a HTTP accelerator, that is, connecting to just one HTTP server and beeing a front-end to that. Use accel_host and accel_port in configuration file or command line options -a and -A to use this feature.Default behaviour is *not* sending Host: header to allow insertion of a custom one via filter.header.add (see section THE DB/ DIRECTORY) or keeping the original one used by connecting client (`Host:' hast to be removed from default filter.header.entry, of course). To change this, use `accel_user_host no' in the configuration file. ``Host: accel_host:accel_port'' will be used then. TRANSPARENT OPERATIONIt is possible to redirect all HTTP traffic, that is, traffic to port 80, to the proxy's listening port. It will then transparently act as a HTTP proxy, the client not even knowing it is connecting to a proxy.On OpenBSD one could enable this by adding a line like rdr on rl0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080 to /etc/pf.conf. In this example, rl0 is the local interface. All traffic coming from rl0 directed to port 80 (HTTP standard port) is sent to 127.0.0.1:8080 where ffproxy is supposed to be listening. KEEP ALIVEThe program supports keep alive on client to proxy connections. This is used automatically by default and may be disabled by setting `use_keep_alive no' in the configuration file.HTTPS OPERATIONThe proxy allows HTTPS proxying via implementation of the CONNECT request method. By default, only port 443 is allowed for CONNECT. This may be changed by using `unrestricted_connect yes' in the configuration file. Timeout may also be tuned by `timeout_connect seconds'.RELOADING CONFIGURATIONSend a SIGHUP to the pid of the ffproxy master process to let it reload db/ files, html/ files, *and* configuration file. If no configuration file was specified, /usr/local/etc/ffproxy.conf is tried. Of course, only some changes to the program can be done at runtime. See ffproxy.conf(5) for details on options that may be changed at runtime.If daemonized, the master process writes the pid file ffproxy.pid to the working directory, that is, the directory specified by db_files_path or the command line parameter -D. It defaults to /usr/local/share/ffproxy. The program will terminate if writing fails. LOGGINGBy default, the proxy logs incorrect and filtered requests. To log all requests, use the configuration file keyword `log_all_requests yes'. Please make sure that you seperate the programs log output from that of other programs by modifying syslog.conf(5), since the output is very noisy.FILESBehaviour of ffproxy is determined by
If daemonized, ffproxy writes the pid of its master process to the file named ffproxy.pid in its working directory -- /usr/local/share/ffproxy by default. SEE ALSOsample.config for a sample configuration file/usr/local/etc/ffproxy.conf for default configuration file ffproxy.conf(5) for details on config file ffproxy.quick(7) for a short description of how to set up the proxy http://faith.eu.org/programs.html for latest version and patches CONTRIBUTORSDobrica Pavlinusic <dpavlin@rot13.org> provided patches for http accelerator featureVERSIONThis manual documents ffproxy 1.6 (2005-01-05).Send bug reports, comments, suggestions to <niklas@noxa.de> AUTHORNiklas Olmes <niklas@noxa.de>
Visit the GSP FreeBSD Man Page Interface. |