3proxy PCRE (Perl Compatible Regular Expressions) Filtering
Note: Since version 0.9.7, PCRE filtering is built into 3proxy and does not require
a separate plugin. All pcre_* commands are available directly when 3proxy is compiled with
PCRE2 support (WITH_PCRE). The plugin line is no longer needed.
This filtering functionality can be used to create matching and replacement
rules with regular expressions for client requests, client and
server headers, and client and server data. It adds 3 additional
configuration commands:
pcre TYPE FILTER_ACTION REGEXP [ACE]
pcre_rewrite TYPE FILTER_ACTION REGEXP REWRITE_EXPRESSION [ACE]
pcre_extend FILTER_ACTION [ACE]
pcre_options OPTION1 [...]
pcre - allows applying a rule for matching
pcre_rewrite - in addition to 'pcre', allows substituting substrings
pcre_extend - extends the ACL of the last pcre or pcre_rewrite command by
adding an additional ACE (like with allow/deny configuration commands).
pcre_options - allows setting matching options. Available options are:
PCRE_CASELESS,
PCRE_MULTILINE,
PCRE_DOTALL,
PCRE_EXTENDED,
PCRE_ANCHORED,
PCRE_DOLLAR_ENDONLY,
PCRE_EXTRA,
PCRE_NOTBOL,
PCRE_NOTEOL,
PCRE_UNGREEDY,
PCRE_NOTEMPTY,
PCRE_UTF8,
PCRE_NO_AUTO_CAPTURE,
PCRE_NO_UTF8_CHECK,
PCRE_AUTO_CALLOUT,
PCRE_PARTIAL,
PCRE_DFA_SHORTEST,
PCRE_DFA_RESTART,
PCRE_FIRSTLINE,
PCRE_DUPNAMES,
PCRE_NEWLINE_CR,
PCRE_NEWLINE_LF,
PCRE_NEWLINE_CRLF,
PCRE_NEWLINE_ANY,
PCRE_NEWLINE_ANYCRLF,
PCRE_BSR_ANYCRLF,
PCRE_BSR_UNICODE
- TYPE - type of filtered data. May contain one or more values (comma-delimited list):
  - request - content of the client's request, e.g., the HTTP GET request string.
    (known problem: changing the request string doesn't change the IP of the host to connect to)
  - cliheader - content of the client request headers, e.g., HTTP request headers.
  - srvheader - content of the server's reply headers, e.g., HTTP status and headers.
  - clidata - data received from the client, e.g., HTTP POST request data
  - srvdata - data received from the server, e.g., an HTML page
- FILTER_ACTION - action on match
  - allow - allow this request without checking the rest of the rules for the given type
  - deny - deny this request without checking the rest of the rules
  - dunno - continue with the rest of the rules (useful with pcre_rewrite)
- REGEXP - PCRE (Perl) regular expression. Use * if no regexp matching is required.
- REWRITE_EXPRESSION - substitution string. May contain Perl-style substrings $1, $2 (not tested). $0 means the whole matched string. \r and \n may be used to insert line breaks; the string may be empty ("").
- ACE - access control entry (user names, source IPs, destination IPs,
ports, etc.), absolutely identical to allow/deny/bandlimin commands.
The regular expression is only matched if the ACL matches the connection data.
Warning:
Regular expressions don't require authentication and cannot replace
authentication and/or allow/deny ACLs.
Example:
pcre request deny "porn|sex" user1,user2,user3 192.168.0.0/16
pcre srvheader deny "Content-type: application"
pcre_rewrite clidata,srvdata dunno "porn|sex|pussy" "***" baduser
pcre_extend deny * 192.168.0.1/16
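The rule semantics described above (type filter, ACE check, allow/deny ending evaluation, dunno continuing) can be checked against sample traffic before a rule set is deployed. The following is an added Python model, not 3proxy code: the names RULES, ace_matches and evaluate are hypothetical, Python's re stands in for PCRE, the ACE is reduced to user names and a source network, and pcre_extend is not modelled.

```python
import ipaddress
import re

# Constructed model of the example rules on this page:
# (types, action, regexp, rewrite or None, users or None, source net or None)
RULES = [
    ({"request"}, "deny", "porn|sex", None, {"user1", "user2", "user3"}, "192.168.0.0/16"),
    ({"srvheader"}, "deny", "Content-type: application", None, None, None),
    ({"clidata", "srvdata"}, "dunno", "porn|sex|pussy", "***", {"baduser"}, None),
]


def ace_matches(users, net, user, src_ip):
    """Simplified ACE: user list and source network only; None means any."""
    if users is not None and user not in users:
        return False
    if net is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(net)
    return True


def evaluate(rules, dtype, data, user, src_ip, caseless=False):
    """Return (verdict, data); 'dunno' means no rule made a final decision."""
    flags = re.IGNORECASE if caseless else 0  # stands in for PCRE_CASELESS
    for types, action, regexp, rewrite, users, net in rules:
        if dtype not in types or not ace_matches(users, net, user, src_ip):
            continue  # the regexp is only tried when type and ACE match
        if regexp != "*":
            if not re.search(regexp, data, flags):
                continue
            if rewrite is not None:
                # Assumption: every match is replaced; $0/$1 are not modelled.
                data = re.sub(regexp, lambda m: rewrite, data, flags=flags)
        if action in ("allow", "deny"):
            return action, data  # final: remaining rules are skipped
    return "dunno", data


if __name__ == "__main__":
    # Constructed sample: the unanchored "sex" alternative also matches "essex".
    print(evaluate(RULES, "request", "GET http://essex.example/ HTTP/1.1",
                   "user1", "192.168.1.5"))
```

Running sample requests through the model shows two things worth checking in any rule set: unanchored alternatives match inside longer words, and matching is case-sensitive unless PCRE_CASELESS is set.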
© Vladimir Dubrovin, License: BSD style