mirror of
https://github.com/3proxy/3proxy.git
synced 2025-02-23 18:45:40 +08:00
1301 lines
34 KiB
HTML
<HTML><HEAD><TITLE>Manpage of 3proxy.cfg</TITLE>
</HEAD><BODY>
<H1>3proxy.cfg</H1>
Section: Universal proxy server (3)<BR>Updated: July 2009<BR><A HREF="#index">Index</A>
<A HREF="../index.html">Return to Main Contents</A><HR>

<A NAME="lbAB"> </A>
<H2>NAME</H2>

<B>3proxy.cfg</B>
- 3proxy configuration file
<A NAME="lbAC"> </A>
<H2>DESCRIPTION</H2>

<BR> Common structure:
<BR>

The configuration file is a text file from which 3proxy reads its configuration. Each line
of the file is a command executed immediately, as if it were given from the
console. The sequence of commands is important. The configuration file is actually a
script for the 3proxy executable.
Each line of the file is treated as a blank (space or tab) separated
command line. Additional space characters are ignored.
Think of 3proxy as an "application level router" with a console interface.
<BR>

<BR> Comments:
<BR>

Any string beginning with a space character or a '#' character is a comment and is
ignored. &lt;LF&gt;s are ignored. &lt;CR&gt; is the end of a command.
<BR>

<BR> Quotation:
<BR>

The quotation character is " (double quote). Quotation must be used to quote
spaces or other special characters. To use the quotation character inside a
quoted string it must be doubled (BASIC convention). For example, to pass
HELLO "WORLD" as an argument you should write it as "HELLO ""WORLD""".
Good practice is to quote any argument you use.
<BR>

<BR> File inclusion:
<BR>

You can include a file by using the $FILENAME macro (replace FILENAME with the path
to the file, for example $/usr/local/etc/3proxy/conf.incl or
<BR> $"c:\Program Files\3proxy\include.cfg"). Quotation is
required in the last example because the path contains a space character.
For included files &lt;CR&gt; (end of line characters) is treated as a space character
(an argument delimiter instead of an end of command delimiter).
Thus, include files are only useful to store long single-line commands
(like user lists, network lists, etc).
To use a dollar sign somewhere in an argument it must be quoted.
Recursion is not allowed.
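The comment, quotation and $FILENAME rules above, as an added Python example (not code from the 3proxy project): INCLUDE_FILES is a constructed stand-in for files on disk so the example runs offline, and keeping a '$' literal unless it is the first character of an unquoted argument is an assumption.

```python
"""Tokenizer for 3proxy.cfg command lines, written as an added example of the
comment, quotation and $FILENAME rules above. It is not code from the 3proxy
project; INCLUDE_FILES is a constructed stand-in for files on disk so the
example runs offline, and the handling of a '$' that is not the first
character of an unquoted argument (kept literal) is an assumption."""
from typing import Dict, List

# Constructed include files, keyed by the path written after '$'.
INCLUDE_FILES: Dict[str, str] = {
    "/usr/local/etc/3proxy/users.incl": "alice:CL:pw1\nbob:CL:pw2\n",
    "c:\\Program Files\\3proxy\\nets.incl": "10.0.0.0/8\r\n192.168.0.0/16\r\n",
}


def _include(path: str, files: Dict[str, str]) -> List[str]:
    """Arguments from an included file: end-of-line characters are argument
    delimiters there, and a nested $FILENAME is refused (no recursion)."""
    args = files[path].replace("\r", " ").replace("\n", " ").split()
    for arg in args:
        if arg.startswith("$"):
            raise ValueError(f"recursive include in {path}: {arg}")
    return args


def tokenize(line: str, files: Dict[str, str] = INCLUDE_FILES) -> List[str]:
    """Split one configuration line into command and arguments.

    Lines starting with a space, tab or '#' are comments and yield [].
    A double quote starts quoted text; inside it whitespace is kept and a
    doubled quote ("") stands for one literal quote. An argument whose first
    character is an unquoted '$' is replaced by the tokens of the named file;
    a quoted '$' is literal.
    """
    line = line.rstrip("\r\n")
    if not line or line[0] in " \t#":
        return []
    tokens: List[str] = []
    cur: List[str] = []
    in_tok = quoted = macro = False
    i = 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == '"' and line[i + 1:i + 2] == '"':
                cur.append('"')                 # "" -> literal quote
                i += 1
            elif c == '"':
                quoted = False
            else:
                cur.append(c)
        elif c == '"':
            quoted = in_tok = True
        elif c in " \t":
            if in_tok:
                tokens.extend(_include("".join(cur)[1:], files) if macro else ["".join(cur)])
                cur, in_tok, macro = [], False, False
        else:
            if not in_tok and c == "$":
                macro = True                    # unquoted leading '$' = include
            cur.append(c)
            in_tok = True
        i += 1
    if quoted:
        raise ValueError("unterminated quotation")
    if in_tok:
        tokens.extend(_include("".join(cur)[1:], files) if macro else ["".join(cur)])
    return tokens
```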
<BR>

<BR> The following commands start gateway services:
<BR>

<B>proxy</B> [options]
<BR>
<B>socks</B> [options]
<BR>
<B>pop3p</B> [options]
<BR>
<B>ftppr</B> [options]
<BR>
<B>admin</B> [options]
<BR>
<B>dnspr</B> [options]
<BR>
<B>tcppm</B> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt; &lt;DSTPORT&gt;
<BR>
<B>udppm</B> [options] &lt;SRCPORT&gt; &lt;DSTADDR&gt; &lt;DSTPORT&gt;
<BR>

<BR> Descriptions:
<BR>

<B>proxy</B> - HTTP/HTTPS proxy (default port 3128)
<BR>
<B>socks</B> - SOCKS 4/4.5/5 proxy (default port 1080)
<BR>
<B>pop3p</B> - POP3 proxy (default port 110)
<BR>
<B>ftppr</B> - FTP proxy (default port 21)
<BR>
<B>admin</B> - Web interface (default port 80)
<BR>
<B>dnspr</B> - caching DNS proxy (default port 53)
<BR>
<B>tcppm</B> - TCP portmapper
<BR>
<B>udppm</B> - UDP portmapper
<BR>

<BR> Options:
<BR>

<B>-pNUMBER</B> change the default server port to NUMBER
<BR>
<B>-n</B> disable NTLM authentication (required if passwords are stored in Unix crypt format).
<BR>
<B>-s</B> (for admin) - allow only secure operations (currently only viewing traffic counters, without the ability to reset them).
<BR>
<B>-a</B> (for proxy) - anonymous proxy (no information about the client is reported)
<BR>
<B>-a1</B> (for proxy) - anonymous proxy (random client information is reported)
<BR>

<BR> Also, all options mentioned for
<B><A HREF="../man8/proxy.8.html">proxy</A></B>(8)
<B><A HREF="../man8/socks.8.html">socks</A></B>(8)
<B><A HREF="../man8/pop3p.8.html">pop3p</A></B>(8)
<B><A HREF="../man8/tcppm.8.html">tcppm</A></B>(8)
<B><A HREF="../man8/udppm.8.html">udppm</A></B>(8)
<B><A HREF="../man8/ftppr.8.html">ftppr</A></B>(8)
<BR> are supported.
<BR>

<BR> Portmapping services listen at SRCPORT and connect to DSTADDR:DSTPORT.
HTTP and SOCKS proxies are standard.
<BR>

<BR> The POP3 proxy must be configured as a POP3 server and requires the username in the form
<A HREF="mailto:pop3username@pop3server">pop3username@pop3server</A>. If POP3 proxy access must be authenticated, you can
specify the username as proxy_username:proxy_password:<A HREF="mailto:POP3_username@pop3server">POP3_username@pop3server</A>
<BR>

<BR> The DNS proxy resolves any type of record, but only hostnames are cached. It
requires nserver/nscache to be configured.
<BR>

<BR> The FTP proxy can be used as an FTP server in any FTP client or configured as an FTP
proxy on a client with FTP proxy support. The username format is one of
<BR>
<BR> <A HREF="mailto:FTPuser@FTPServer">FTPuser@FTPServer</A>
<BR>
<BR> FTPuser:<A HREF="mailto:FTPpassword@FTPserver">FTPpassword@FTPserver</A>
<BR>
<BR> proxyuser:proxypassword:FTPuser:<A HREF="mailto:FTPpassword@FTPserver">FTPpassword@FTPserver</A>
<BR>

<BR> Please note: if you use the FTP client interface for the FTP proxy,
do not add FTPpassword and FTPServer to the username, because the
FTP client does it for you. That is, if you use 3proxy with
authentication, use
proxyuser:proxypassword:FTPuser
as the FTP username; otherwise do not change the original FTP user name.<BR>

<B>include</B> &lt;path&gt;
<BR>
Include a config file.
<BR>

<B>config</B> &lt;path&gt;
<BR>
Path to the configuration file to use on 3proxy restart or to save the configuration to.
<BR>

<B>writable</B>
<BR>
Reopens the configuration file for write access via the Web interface,
and re-reads it. Usually it should be the first command in the config file,
but in combination with "config" it can be used anywhere to open an
alternate config file. Think twice before using it.
<BR>

<B>end</B>
<BR>
End of configuration.
<BR>

<B>log</B> [[@|&amp;]logfile] [&lt;LOGTYPE&gt;]
<BR>
Sets the logfile for all gateways.
<BR>
<BR> @ - (for Unix) use syslog; the filename is used as the ident name
<BR> &amp; - use ODBC; the filename consists of comma-delimited datasource,username,password (username and password are optional)
<BR>
<BR> LOGTYPE is one of:
<BR>
<BR> M - Monthly
<BR> W - Weekly (starting from Sunday)
<BR> D - Daily
<BR> H - Hourly
<BR>
If logfile is not specified, logging goes to stdout. You can specify individual logging options for a gateway by using the
-l option in the gateway configuration.
<BR>
The "log" command supports the same format specifications for the filename template
as "logformat" (if the filename contains a '%' sign it is treated as a template).
As with "logformat", the filename must begin with 'L' or 'G' to specify Local or
Greenwich time zone for all time-based format specifiers.
<BR>

<B>rotate</B> &lt;n&gt;
<BR>
how many archived log files to keep
<BR>

<B>logformat</B> &lt;format&gt;
<BR>
Format for log records. The first symbol in the format must be L (local time)
or G (absolute Greenwich time).
It can be preceded by -XXX+Y where XXX is a list of characters to be
filtered in user input (any non-printable characters are filtered too
in this case) and Y is the replacement character. For example, "-,%+ L" at
the beginning of logformat means comma and percent are replaced
with space and all time based elements are in the local time zone.
<BR>
You can use:
<BR>
<BR> %y - Year in 2 digit format
<BR> %Y - Year in 4 digit format
<BR> %m - Month number
<BR> %o - Month abbreviation
<BR> %d - Day
<BR> %H - Hour
<BR> %M - Minute
<BR> %S - Second
<BR> %t - Timestamp (in seconds since 01-Jan-1970)
<BR> %. - milliseconds
<BR> %z - timeZone (offset from Greenwich)
<BR> %D - request duration (in milliseconds)
<BR> %b - average send rate per request (in Bytes per second); this speed is typically below the connection speed shown by a download manager.
<BR> %B - average receive rate per request (in Bytes per second); this speed is typically below the connection speed shown by a download manager.
<BR> %U - Username
<BR> %N - service Name
<BR> %p - service Port
<BR> %E - Error code
<BR> %C - Client IP
<BR> %c - Client port
<BR> %R - Remote IP
<BR> %r - Remote port
<BR> %e - External IP used to establish the connection
<BR> %Q - Requested IP
<BR> %q - Requested port
<BR> %n - requested hostname
<BR> %I - bytes In
<BR> %O - bytes Out
<BR> %h - Hops (redirections) count
<BR> %T - service specific Text
<BR> %N1-N2T - (N1 and N2 are positive numbers) - log only fields from N1 through N2 of the service specific text
<BR>
In the case of ODBC logging, logformat specifies an SQL statement, for example:
<BR>
<BR> logformat "-'+_Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')"
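The -XXX+Y filter prefix, the L/G flag and the specifiers above, as an added Python renderer (not code from the 3proxy project): the record field names, the assumption that the filter applies to request-derived strings (%U, %n, %T), and leaving unknown specifiers untouched are this example's choices. The sample record is constructed; its request text carries a CRLF to show why the non-printable filtering matters for log integrity, and the ODBC case shows the quote replacement from the example above.

```python
"""Renderer for 3proxy "logformat" templates, written as an added example of
the -XXX+Y filter prefix, the L/G time-zone flag and the %-specifiers listed
above. It is not code from the 3proxy project. Assumed: the record field
names, and that the filter applies to request-derived strings (%U, %n, %T);
unknown specifiers are left as written."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Set, Tuple

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
USER_INPUT = {"U", "n", "T"}       # values taken from the client request

# Constructed record for one proxied request; the CRLF in the request text is
# there to show the non-printable filtering (it is not real traffic).
SAMPLE_RECORD: Dict[str, Any] = {
    "ts": 1247745600, "ms": 42, "duration_ms": 350, "user": "alice",
    "service": "PROXY", "port": 3128, "error": 0,
    "client_ip": "192.168.1.10", "client_port": 51234,
    "remote_ip": "203.0.113.5", "remote_port": 80, "ext_ip": "198.51.100.1",
    "req_ip": "203.0.113.5", "req_port": 80, "hostname": "example.com",
    "bytes_in": 5120, "bytes_out": 730, "hops": 0,
    "text": "GET http://example.com/?q=a%20b,c HTTP/1.1\r\nFAKE log line",
}


def parse_prefix(fmt: str) -> Tuple[Set[str], str, bool, str]:
    """Split an optional '-XXX+Y' and the mandatory L/G flag off the template.
    Returns (filtered_chars, replacement, use_local_time, body)."""
    m = re.match(r"^(?:-(.*?)\+(.))?([LG])(.*)$", fmt, re.S)
    if not m:
        raise ValueError("logformat must start with L or G, optionally after -XXX+Y")
    chars, repl, flag, body = m.groups()
    return set(chars or ""), (repl or ""), flag == "L", body


def sanitize(value: str, chars: Set[str], repl: str) -> str:
    """Replace listed characters and any non-printable character with repl."""
    if not chars and not repl:
        return value
    return "".join(repl if (c in chars or not c.isprintable()) else c for c in value)


def render(fmt: str, rec: Dict[str, Any]) -> str:
    chars, repl, use_local, body = parse_prefix(fmt)
    ts = int(rec["ts"])
    dt = (datetime.fromtimestamp(ts).astimezone() if use_local
          else datetime.fromtimestamp(ts, timezone.utc))
    off = dt.utcoffset()
    off_min = int(off.total_seconds() // 60) if off else 0
    sign = "+" if off_min >= 0 else "-"
    dur = max(int(rec["duration_ms"]), 1)
    simple = {
        "y": f"{dt.year % 100:02d}", "Y": f"{dt.year:04d}", "m": f"{dt.month:02d}",
        "o": MONTHS[dt.month - 1], "d": f"{dt.day:02d}", "H": f"{dt.hour:02d}",
        "M": f"{dt.minute:02d}", "S": f"{dt.second:02d}", "t": str(ts),
        ".": f"{int(rec['ms']):03d}",
        "z": f"{sign}{abs(off_min) // 60:02d}{abs(off_min) % 60:02d}",
        "D": str(rec["duration_ms"]),
        "b": str(int(rec["bytes_out"]) * 1000 // dur),   # send rate, bytes/s
        "B": str(int(rec["bytes_in"]) * 1000 // dur),    # receive rate, bytes/s
        "U": str(rec["user"]), "N": str(rec["service"]), "p": str(rec["port"]),
        "E": str(rec["error"]), "C": str(rec["client_ip"]), "c": str(rec["client_port"]),
        "R": str(rec["remote_ip"]), "r": str(rec["remote_port"]), "e": str(rec["ext_ip"]),
        "Q": str(rec["req_ip"]), "q": str(rec["req_port"]), "n": str(rec["hostname"]),
        "I": str(rec["bytes_in"]), "O": str(rec["bytes_out"]), "h": str(rec["hops"]),
        "T": str(rec["text"]),
    }
    out = []
    i = 0
    while i < len(body):
        if body[i] != "%" or i + 1 >= len(body):
            out.append(body[i])
            i += 1
            continue
        m = re.match(r"%(\d+)-(\d+)T", body[i:])        # %N1-N2T: fields of %T
        if m:
            n1, n2 = int(m.group(1)), int(m.group(2))
            fields = str(rec["text"]).split()
            out.append(sanitize(" ".join(fields[n1 - 1:n2]), chars, repl))
            i += m.end()
            continue
        spec = body[i + 1]
        val = simple.get(spec, "%" + spec)
        out.append(sanitize(val, chars, repl) if spec in USER_INPUT else val)
        i += 2
    return "".join(out)
```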
<BR>

<B>logdump</B> &lt;in_traffic_limit&gt; &lt;out_traffic_limit&gt;
<BR>
Immediately creates additional log records when the given amount of incoming/outgoing
traffic is reached for a connection, without waiting for the connection to finish.
It may be useful to prevent losing information about long-lasting downloads on server
shutdown.
<BR>

<B>archiver</B> &lt;ext&gt; &lt;commandline&gt;
<BR>
Archiver to use for log files. &lt;ext&gt; is the file extension produced by the
archiver. The filename will be the last argument to the archiver; optionally you
can use %A as the produced archive name and %F as the filename.
<BR>

<B>timeouts</B> &lt;BYTE_SHORT&gt; &lt;BYTE_LONG&gt; &lt;STRING_SHORT&gt; &lt;STRING_LONG&gt; &lt;CONNECTION_SHORT&gt; &lt;CONNECTION_LONG&gt; &lt;DNS&gt; &lt;CHAIN&gt;
<BR>
Sets timeout values.
<BR>
<BR> BYTE_SHORT - short timeout for a single byte, usually used for receiving a single byte from a stream.
<BR> BYTE_LONG - long timeout for a single byte, usually used for receiving the first byte in a frame (for example the first byte of a SOCKS request).
<BR> STRING_SHORT - short timeout for a character string within a stream (for example to wait between 2 HTTP headers).
<BR> STRING_LONG - long timeout for the first string in a stream (for example to wait for an HTTP request).
<BR> CONNECTION_SHORT - inactivity timeout for short connections (HTTP, POP3, etc).
<BR> CONNECTION_LONG - inactivity timeout for long connections (SOCKS, portmappers, etc).
<BR> DNS - timeout for a DNS request before requesting the next server.
<BR> CHAIN - timeout for reading data from a chained connection.
<BR>

<B>nserver</B> &lt;ipaddr&gt;
<BR>
Nameserver to use for name resolution. If none is specified, or the name server fails,
system routines for name resolution will be used. It's better to specify nserver
because gethostbyname() may be thread unsafe.
<BR>

<B>nscache</B> &lt;cachesize&gt;
<BR>
Cache &lt;cachesize&gt; records for name resolution. Cachesize usually
should be large enough (for example 65536).
<BR>

<B>nsrecord</B> &lt;hostname&gt; &lt;hostaddr&gt;
<BR>
Adds a static record to nscache. nscache must be enabled. If 0.0.0.0
is used as the hostaddr the host will never resolve; this can be used to
blacklist something or, together with the
<B>dialer</B>
command, to set up a URL for dialing.
<BR>

<B>fakeresolve</B>
<BR>
All names are resolved to the 127.0.0.2 address. Useful if all requests are
redirected to a parent proxy with http, socks4+, connect+ or socks5+.
<BR>

<B>dialer</B> &lt;progname&gt;
<BR>
Execute progname if an external name can't be resolved.
Hint: if you use nscache, dialer may not work, because names will
be resolved through the cache. In this case you can use something like
<A HREF="http://dial.right.now/">http://dial.right.now/</A> from the browser to set up the connection.
<BR>

<B>internal</B> &lt;ipaddr&gt;
<BR>
Sets the IP address of the internal interface. This IP address will be used
to bind gateways. Alternatively you can use the -i option for individual
gateways.
<BR>

<B>external</B> &lt;ipaddr&gt;
<BR>
Sets the IP address of the external interface. This IP address will be the source
address for all connections made by the proxy. Alternatively you can use the
-e option to specify an individual address for a gateway.
<BR>

<B>maxconn</B> &lt;number&gt;
<BR>
Sets the maximum number of simultaneous connections to each service
started after this command. Default is 100.
<BR>

<B>service</B>
<BR>
(deprecated). Tells 3proxy to behave as a Windows 95/98/NT/2000/XP
service; no effect for Unix. Not required for 3proxy 0.6 and above. If
you upgraded from a previous version of 3proxy use --remove and --install
to reinstall the service.
<BR>

<B>daemon</B>
<BR>
Should be specified to close the console. Do not use 'daemon' with 'service'.
At least under FreeBSD 'daemon' should precede any proxy service
and log commands to avoid socket problems. Always place it at the beginning
of the configuration file.
<BR>

<B>auth</B> &lt;authtype&gt; [...]
<BR>
Type of user authorization. Currently supported:
<BR>
<BR> none - no authentication or authorization required.
<BR> Note: if auth is none, any IP based limitation, redirection, etc will not work.
<BR> This is the default authentication type.
<BR>
<BR> iponly - authentication by access control list with the username ignored.
<BR> Appropriate for most cases.
<BR>
<BR> useronly - authentication by username without checking any password, with
authorization by ACLs. Useful for e.g. a SOCKSv4 proxy and icqpr (icqpr sets the UIN /
AOL screen name as the username).
<BR>
<BR> dnsname - authentication by DNS hostname with authorization by ACLs.
The DNS hostname is resolved via a PTR (reverse) record and validated (the resolved
name must resolve to the same IP address). It's recommended to use authcache by
ip for this authentication.
NB: there is no password check; the name may be spoofed.
<BR>
<BR> nbname - authentication by NetBIOS name with authorization by ACLs.
The Messenger service should be started on the user's machine. Note that
Windows 95/98 hosts do not have the Messenger service by default;
the WinPopup program needs to be started. It's recommended to use authcache by
ip for this authentication.
NB: there is no password check; the name may be spoofed.
<BR>
<BR> strong - username/password authentication required. It will work with
SOCKSv5, FTP, POP3 and HTTP proxy.
<BR>
<BR> cache - cached authentication, may be used with 'authcache'.
<BR>
Plugins may add additional authentication types.
<BR>

<BR> It's possible to use several authentication types in the same command. E.g.
<BR>
auth iponly strong
<BR>
In this case 'strong' authentication will be used only when resource
access can not be granted with 'iponly' authentication, that is, a username is
required in the ACL. It's useful to protect access to some resources with a
password while allowing passwordless access to other resources, or to use
IP-based authentication for dedicated laptops and request username/password for
shared ones.
<BR>

<B>authcache</B> &lt;cachetype&gt; &lt;cachetime&gt;
<BR>
Cache authentication information for the given amount of time (cachetime) in seconds.
Cachetype is one of:
<BR>
<BR> ip - after successful authentication all connections during the caching time
from the same IP are assigned to the same user; the username is not requested.
<BR> ip,user - the username is requested and all connections from the same IP are
assigned to the same user without actual authentication.
<BR> user - same as above, but the IP is not checked.
<BR> user,password - both username and password are checked against the cached ones.
<BR>
Use auth type 'cache' for cached authentication.
<BR>

<B>allow</B> &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt;
<BR>
<B>deny</B> &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
&lt;weekdayslist&gt; &lt;timeperiodslist&gt;
<BR>
Access control entries. All lists are comma-separated; no spaces are
allowed. Usernames are case sensitive (if used with authtype nbname the
username must be in uppercase). Source and target lists may contain
IP addresses (W.X.Y.Z) or CIDRs (W.X.Y.Z/L). Since 0.6, targetlist may also
contain host names instead of addresses. It's possible to use a wildcard at
the beginning and at the end of a hostname, e.g. *badsite.com or
*badcontent*. The hostname is only checked if a hostname is present in the request.
Targetportlist may contain ports (X) or port ranges (X-Y). For any field the
* sign means "ANY". If the access list is empty it's assumed to be
<BR>
<BR> allow *
<BR>
<BR> If the access list is not empty, the last item in the access list is assumed to be
<BR>
<BR> deny *
<BR>
<BR> You may want to explicitly add "deny *" to the end of the access list to prevent the
HTTP proxy from requesting the user's password.
Access lists are checked after the user has requested a resource.
If you want 3proxy to reject connections from specific addresses
immediately without any conditions you should either bind the proxy
to the appropriate interface only or use IP filters.
<BR>

Operation is one of:
<BR>
<BR> CONNECT - establish outgoing TCP connection
<BR> BIND - bind TCP port for listening
<BR> UDPASSOC - make UDP association
<BR> ICMPASSOC - make ICMP association (for future use)
<BR> HTTP_GET - HTTP GET request
<BR> HTTP_PUT - HTTP PUT request
<BR> HTTP_POST - HTTP POST request
<BR> HTTP_HEAD - HTTP HEAD request
<BR> HTTP_CONNECT - HTTP CONNECT request
<BR> HTTP_OTHER - other HTTP request
<BR> HTTP - matches any HTTP request except HTTP_CONNECT
<BR> HTTPS - same as HTTP_CONNECT
<BR> FTP_GET - FTP get request
<BR> FTP_PUT - FTP put request
<BR> FTP_LIST - FTP list request
<BR> FTP_DATA - FTP data connection. Note: FTP_DATA requires access to dynamic
<BR> non-privileged (1024-65535) ports on the remote side.
<BR> FTP - matches any FTP/FTP Data request
<BR> ADMIN - access to administration interface
<BR>

Weekdays are week day numbers or ranges (0 or 7 means Sunday, 1 is Monday,
1-5 means Monday through Friday). Timeperiodslist is a list of time
periods in HH:MM:SS-HH:MM:SS format. For example,
<BR> 00:00:00-08:00:00,17:00:00-24:00:00
lists non-working hours.
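The allow/deny matching rules above (comma lists with * as ANY, CIDRs, *wildcard* hostnames, port ranges, operation groups such as HTTP/HTTPS/FTP, weekday and time-period lists, the empty list meaning "allow *" and the implicit trailing "deny *"), as an added Python evaluator that is not code from the 3proxy project. The request dictionary layout, treating missing trailing fields as *, and letting a rule that names users simply not match a request without a username are assumptions; SAMPLE_ACL is constructed.

```python
"""Evaluator for 3proxy allow/deny access lists, written as an added example of
the matching rules above. It is not code from the 3proxy project. Assumed:
the request dictionary layout, that missing trailing fields behave like '*',
and that a rule naming users does not match a request without a username."""
import ipaddress
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed sample access list in configuration order (a deny first, then a
# working-hours allow for the LAN, then an unconditional allow for 'admin').
SAMPLE_ACL = [
    "deny * * *badsite.com",
    "allow * 192.168.1.0/24 * 80,443 HTTP,HTTPS 1-5 08:00:00-18:00:00",
    "allow admin",
]


def _items(field: str) -> List[str]:
    """'*' is ANY and yields no items; everything else is comma-separated."""
    return [] if field == "*" else field.split(",")


def _in_networks(field: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in _items(field))


def _host_match(pattern: str, host: str) -> bool:
    """*suffix, prefix*, *infix* or exact match, case-insensitive."""
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core, host = pattern.strip("*").lower(), host.lower()
    if lead and trail:
        return core in host
    return host.endswith(core) if lead else host.startswith(core) if trail else host == core


def _target_match(field: str, ip: str, hostname: Optional[str]) -> bool:
    """Targets mix addresses/CIDRs and hostname patterns; a hostname pattern
    is only consulted when the request actually carries a hostname."""
    for item in _items(field):
        if item[0].isdigit():
            if ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False):
                return True
        elif hostname is not None and _host_match(item, hostname):
            return True
    return False


def _range_match(field: str, value: int, sunday7: bool = False) -> bool:
    """Ports as 'X' or 'X-Y'; weekdays the same, with 7 also meaning Sunday (0)."""
    for item in _items(field):
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if lo_i <= value <= hi_i or (sunday7 and value == 0 and lo_i <= 7 <= hi_i):
            return True
    return False


def _secs(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def _time_match(field: str, when: datetime) -> bool:
    """HH:MM:SS-HH:MM:SS periods; 24:00:00 is accepted as end of day."""
    now = when.hour * 3600 + when.minute * 60 + when.second
    return any(_secs(a) <= now < _secs(b)
               for a, b in (item.split("-") for item in _items(field)))


def _op_match(field: str, op: str) -> bool:
    """HTTP covers every HTTP_* except HTTP_CONNECT, HTTPS is HTTP_CONNECT,
    FTP covers every FTP_* operation (FTP_DATA included)."""
    for item in _items(field):
        if item == op:
            return True
        if item == "HTTP" and op.startswith("HTTP_") and op != "HTTP_CONNECT":
            return True
        if item == "HTTPS" and op == "HTTP_CONNECT":
            return True
        if item == "FTP" and op.startswith("FTP_"):
            return True
    return False


def check_access(acl: List[str], req: Dict[str, Any], when: str) -> str:
    """Return 'allow' or 'deny' for req at ISO time `when` (e.g.
    '2009-07-16T12:00:00'), walking the entries in configuration order."""
    if not acl:
        return "allow"                          # empty list is 'allow *'
    dt = datetime.fromisoformat(when)
    weekday = dt.isoweekday() % 7               # Sunday -> 0, Monday -> 1, ...
    for line in acl:
        verb, *fields = line.split()
        fields += ["*"] * (7 - len(fields))      # missing fields act as '*'
        users, src, dst, ports, ops, days, times = fields
        if all((
            users == "*" or req.get("user") in _items(users),
            src == "*" or _in_networks(src, req["src_ip"]),
            dst == "*" or _target_match(dst, req["dst_ip"], req.get("hostname")),
            ports == "*" or _range_match(ports, req["dst_port"]),
            ops == "*" or _op_match(ops, req["op"]),
            days == "*" or _range_match(days, weekday, sunday7=True),
            times == "*" or _time_match(times, dt),
        )):
            return verb
    return "deny"                               # implicit trailing 'deny *'
```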
<BR>

<B>parent</B> &lt;weight&gt; &lt;type&gt; &lt;ip&gt; &lt;port&gt; &lt;username&gt; &lt;password&gt;
<BR>
This command must follow an "allow" rule. It extends the last allow rule to
build a proxy chain. Proxies may be grouped. A proxy inside a
group is selected randomly. If several groups are specified, one proxy
is randomly picked from each group and a chain of proxies is created
(that is, the second proxy is connected through the first one and so on).
Weight is used to group proxies. Weight is a number between 1 and 1000.
Weights are summed and proxies are grouped together until the weight of the
group is 1000. That is:
<BR>
<BR> allow *
<BR> parent 500 socks5 192.168.10.1 1080
<BR> parent 500 connect 192.168.10.1 3128
<BR>
<BR> makes 3proxy randomly choose between 2 proxies for all outgoing
connections. These 2 proxies form 1 group (summarized weight is 1000).
<BR>
<BR> allow * * * 80
<BR> parent 1000 socks5 192.168.10.1 1080
<BR> parent 1000 connect 192.168.20.1 3128
<BR> parent 300 socks4 192.168.30.1 1080
<BR> parent 700 socks5 192.168.40.1 1080
<BR>
<BR> creates a chain of 3 proxies: 192.168.10.1, 192.168.20.1 and a third
which is (192.168.30.1 with probability 0.3 or 192.168.40.1
with probability 0.7) for outgoing web connections.
<BR>

<BR> type is one of:
<BR>
<BR> tcp - simply redirect the connection. TCP is always last in the chain.
<BR> http - redirect to an HTTP proxy. HTTP is always last in the chain.
<BR> pop3 - redirect to a POP3 proxy (only local redirection is supported, can not be
used for chaining)
<BR> ftp - redirect to an FTP proxy (only local redirection is supported, can not be
used for chaining)
<BR> connect - parent is an HTTP CONNECT method proxy
<BR> connect+ - parent is an HTTP CONNECT proxy with name resolution
<BR> socks4 - parent is a SOCKSv4 proxy
<BR> socks4+ - parent is a SOCKSv4 proxy with name resolution (SOCKSv4a)
<BR> socks5 - parent is a SOCKSv5 proxy
<BR> socks5+ - parent is a SOCKSv5 proxy with name resolution
<BR> socks4b - parent is SOCKS4b (a broken SOCKSv4 implementation with a shortened
server reply. I never saw this kind of server, but they say there are some).
Normally you should not use this option. Do not confuse this option with
SOCKSv4a (socks4+).
<BR> socks5b - parent is SOCKS5b (a broken SOCKSv5 implementation with a shortened
server reply. I think you will never find it useful). Never use this option
unless you know exactly that you need it.
<BR> admin - redirect the request to the local 'admin' service (with the -s parameter).
<BR>
<BR> Use "+" proxy types only with the "fakeresolve" option.
<BR>

<BR> IP and port are the IP address and port of the parent proxy server.
If IP is zero, the IP is taken from the original request and only the port is changed.
If port is zero, it's taken from the original request and only the IP is changed.
If both IP and port are zero it's a special case of local redirection;
it works only with the
<B>socks</B>
proxy. In the case of local redirection the request is redirected to a different service:
<B>ftp</B>
locally redirects to
<B>ftppr</B>,
<B>pop3</B>
locally redirects to
<B>pop3p</B>,
<B>http</B>
locally redirects to
<B>proxy</B>,
<B>admin</B>
locally redirects to the admin -s service.
<BR>

<BR> The main purpose of local redirection is to have the requested resource
(URL or POP3 username) logged and protocol-specific filters applied.
In the case of local redirection ACLs are reviewed twice: first by the SOCKS proxy up to
the 'parent' command, then by the service the request is redirected to (HTTP, FTP or POP3)
after the 'parent' command. This means an additional 'allow' command is required
for redirected requests, for example:
<BR>
<BR> allow * * * 80
<BR> parent 1000 http 0.0.0.0 0
<BR> allow * * * 80 HTTP_GET,HTTP_POST
<BR> socks
<BR>
redirects all SOCKS requests with target port 80 to the local HTTP proxy;
the local HTTP proxy parses the requests and allows only GET and POST requests.
<BR>
<BR> parent 1000 http 1.2.3.4 0
<BR>
Changes the external address for the given connection to 1.2.3.4
(an equivalent of -e1.2.3.4).
<BR>
<BR> Optional username and password are used to authenticate on the parent
proxy. A username of '*' means the username must be supplied by the user.
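The weight grouping described above (sum weights in order, close a group at 1000, one member per group with probability weight/1000, groups in chain order), as an added Python example that is not code from the 3proxy project. The Parent tuple, the 'rolls' parameter used for reproducible picks, and treating an incomplete last group as a configuration error are assumptions; the sample lines are the ones from the text above.

```python
"""Weight grouping and chain selection for 3proxy "parent" entries, written as
an added example of the rule above: weights are summed in configuration order,
a group closes when it reaches 1000, and each group contributes one randomly
chosen member to the chain with probability weight/1000. It is not code from
the 3proxy project; the Parent tuple, the 'rolls' parameter and treating an
incomplete last group as an error are assumptions."""
import random
from typing import Dict, List, NamedTuple, Optional, Tuple


class Parent(NamedTuple):
    weight: int
    type: str
    ip: str
    port: int


def parse_parent(line: str) -> Parent:
    """Parse 'parent <weight> <type> <ip> <port> [username] [password]'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "parent":
        raise ValueError(f"not a parent command: {line!r}")
    weight = int(parts[1])
    if not 1 <= weight <= 1000:
        raise ValueError("weight must be between 1 and 1000")
    return Parent(weight, parts[2], parts[3], int(parts[4]))


def group_parents(parents: List[Parent]) -> List[List[Parent]]:
    """Sum weights in order and close a group once the sum is exactly 1000."""
    groups: List[List[Parent]] = []
    current: List[Parent] = []
    total = 0
    for p in parents:
        current.append(p)
        total += p.weight
        if total == 1000:
            groups.append(current)
            current, total = [], 0
        elif total > 1000:
            raise ValueError(f"group weight exceeds 1000 at {p.ip}:{p.port}")
    if current:
        raise ValueError("last group does not sum to 1000")
    return groups


def pick_chain(groups: List[List[Parent]], rolls: Optional[List[int]] = None,
               rng: Optional[random.Random] = None) -> List[Parent]:
    """One member per group, picked by a roll in 0..999 against the running
    weight sum; chain order is group order (the second proxy is reached
    through the first). 'rolls' fixes the rolls for reproducible tests."""
    rng = rng or random.Random()
    chain: List[Parent] = []
    for idx, group in enumerate(groups):
        roll = rolls[idx] if rolls is not None else rng.randrange(1000)
        acc = 0
        for p in group:
            acc += p.weight
            if roll < acc:
                chain.append(p)
                break
    return chain


def chain_probability(chain: List[Parent]) -> float:
    """Probability of drawing exactly this chain: product of weight/1000."""
    prob = 1.0
    for p in chain:
        prob *= p.weight / 1000
    return prob


def simulate(groups: List[List[Parent]], n: int, seed: int) -> Dict[Tuple[str, ...], int]:
    """Draw n chains with a seeded generator; returns counts per IP tuple."""
    rng = random.Random(seed)
    counts: Dict[Tuple[str, ...], int] = {}
    for _ in range(n):
        key = tuple(p.ip for p in pick_chain(groups, rng=rng))
        counts[key] = counts.get(key, 0) + 1
    return counts
```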
<BR>

<B>nolog</B> &lt;n&gt;
<BR>
extends the last allow or deny command to prevent logging, e.g.
<BR>
allow * * 192.168.1.1
<BR>
nolog
<BR>

<B>weight</B> &lt;n&gt;
<BR>
extends the last allow or deny command to set a weight for this request
<BR>
allow * * 192.168.1.1
<BR>
weight 100
<BR>
Weight may be used for different purposes.
<BR>

<B>bandlimin</B> &lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<B>nobandlimin</B> &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<B>bandlimout</B> &lt;rate&gt; &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<B>nobandlimout</B> &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<BR> bandlim sets a bandwidth limitation filter to &lt;rate&gt; bps (bits per second)
(if you want to specify bytes per second, multiply your value by 8).
bandlim rules act in the same manner as allow/deny rules except for
one thing: bandwidth limiting is applied to all services, not to some
specific service.
bandlimin and nobandlimin apply to incoming traffic;
bandlimout and nobandlimout apply to outgoing traffic.
If you want to rate-limit your clients with IPs 192.168.10.16/30 (4
addresses) to 57600 bps you have to specify 4 rules like
<BR>
<BR> bandlimin 57600 * 192.168.10.16
<BR> bandlimin 57600 * 192.168.10.17
<BR> bandlimin 57600 * 192.168.10.18
<BR> bandlimin 57600 * 192.168.10.19
<BR>
<BR> and every one of your clients will have a 56K channel. If you specify
<BR>
<BR> bandlimin 57600 * 192.168.10.16/30
<BR>
<BR> you will have a 56K channel shared between all clients.
If you want, for example, to limit all speed except access to POP3 you can use
<BR>
<BR> nobandlimin * * * 110
<BR>
<BR> before the rest of the bandlim rules.
<BR>

<B>counter</B> &lt;filename&gt; &lt;reporttype&gt; &lt;reportname&gt;
<BR>
<B>countin</B> &lt;number&gt; &lt;type&gt; &lt;limit&gt; &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<B>nocountin</B> &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<B>countout</B> &lt;number&gt; &lt;type&gt; &lt;limit&gt; &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<B>nocountout</B> &lt;userlist&gt; &lt;sourcelist&gt; &lt;targetlist&gt; &lt;targetportlist&gt; &lt;operationlist&gt;
<BR>
<BR> The counter, countin, nocountin, countout and nocountout commands are
used to set a traffic limit
in MB for a period of time (day, week or month). Filename is the path
to a special file where traffic information is permanently stored.
number is the sequential number of the record in this file. If number is 0,
no traffic information on this counter is saved in the file (that is,
if the proxy is restarted all information is lost); otherwise it should be a
unique sequential number.
Type specifies the type of counter. Type is one of:
<BR>
<BR> D - counter is reset daily
<BR> W - counter is reset weekly
<BR> M - counter is reset monthly
<BR>
<BR> reporttype/reportname may be used to generate traffic reports.
Reporttype is one of D,W,M,H(hourly) and reportname specifies the filename
template for reports. A report is a text file with counter values in the
format:
<BR>
<BR> &lt;COUNTERNUMBER&gt; &lt;TRAF*4GB&gt; &lt;TRAF&gt;
<BR>
<BR> The rest of the parameters are identical to bandlim/nobandlim.
<BR>

<B>users</B> username[:pwtype:password] ...
<BR>
pwtype is one of:
<BR>
<BR> none (empty) - use system authentication
<BR> CL - password is cleartext
<BR> CR - password is a crypt-style password
<BR> NT - password is an NT password (in hex)
<BR>
example:
<BR>
<BR> users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49."
<BR> users test3:NT:BD7DFBF29A93F93C63CB84790DA00E63
<BR>
(note: double quotes are required because the password contains a $ sign).<BR>
<BR>

<B>flush</B>
<BR>
Empties the active access list. The access list must be flushed every time you create a
new access list for a new service. For example:
<BR>
<BR> allow *
<BR> pop3p
<BR> flush
<BR> allow * 192.168.1.0/24
<BR> socks
<BR>
sets different ACLs for
<B>pop3p</B>
and
<B>socks</B>.
<BR>

<B>system</B>
<BR>
execute a system command
<BR>

<B>pidfile</B> &lt;filename&gt;
<BR>
write the pid of the current process to a file. It can be used to manipulate
3proxy with signals under Unix. Currently the following signals are available:
<BR>

<B>monitor</B> &lt;filename&gt;
<BR>
If the monitored file changes in modification time or size, 3proxy reloads the
configuration within one minute. Any number of files may be monitored.
<BR>

<B>setuid</B> &lt;uid&gt;
<BR>
calls setuid(uid); uid must be numeric. Unix only. Warning: under some Linux
kernels setuid() works only for the current thread. This makes it impossible to setuid
for all threads.
<BR>

<B>setgid</B> &lt;gid&gt;
<BR>
calls setgid(gid); gid must be numeric. Unix only.
<BR>

<B>chroot</B> &lt;path&gt;
<BR>
calls chroot(path). Unix only.
<A NAME="lbAD"> </A>
<H2>PLUGINS</H2>

<BR>
<B>plugin</B> &lt;path_to_shared_library&gt; &lt;function_to_call&gt; [&lt;arg1&gt; ...]
<BR>
Loads the specified library and calls the given exported function with the given arguments,
as
<BR>
int function_to_call(struct pluginlink * pl, int argc, char * argv[]);
<BR>
function_to_call must return 0 in case of success, or a value &gt; 0 to indicate an error.
<BR>

<B>filtermaxsize</B> &lt;max_size_of_data_to_filter&gt;
<BR>
If Content-Length (or another data length) is greater than the given value, no
data filtering will be performed through filtering plugins, to avoid data
corruption and/or Content-Length changing. Default is 1MB (1048576).

<A NAME="lbAE"> </A>
<H2>SEE ALSO</H2>

<A HREF="../man8/3proxy.8.html">3proxy</A>(8), <A HREF="../man8/proxy.8.html">proxy</A>(8), <A HREF="../man8/ftppr.8.html">ftppr</A>(8), <A HREF="../man8/socks.8.html">socks</A>(8), <A HREF="../man8/pop3p.8.html">pop3p</A>(8), <A HREF="../man8/tcppm.8.html">tcppm</A>(8), <A HREF="../man8/udppm.8.html">udppm</A>(8), <A HREF="../man8/syslogd.8.html">syslogd</A>(8),
<BR>
<A HREF="http://3proxy.ru/">http://3proxy.ru/</A>
<A NAME="lbAF"> </A>
<H2>TRIVIA</H2>

3APA3A is pronounced as ``zaraza''.
<A NAME="lbAG"> </A>
<H2>AUTHORS</H2>

3proxy is designed by 3APA3A
(<I><A HREF="mailto:3APA3A@security.nnov.ru">3APA3A@security.nnov.ru</A></I>),
Vladimir Dubrovin
(<I><A HREF="mailto:vlad@sandy.ru">vlad@sandy.ru</A></I>)

<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">DESCRIPTION</A><DD>
<DT><A HREF="#lbAD">PLUGINS</A><DD>
<DT><A HREF="#lbAE">SEE ALSO</A><DD>
<DT><A HREF="#lbAF">TRIVIA</A><DD>
<DT><A HREF="#lbAG">AUTHORS</A><DD>
</DL>
<HR>
This document was created by
using the manual pages.<BR>
Time: 21:23:57 GMT, April 07, 2014
</BODY>
</HTML>