# # config file for 3proxy # enter gateway commands line-by-line # # You can include files by using $ macro. For included file new line # character treated as space character. # # proxy # socks # pop3p # tcppm # udppm # # starts proxy services # proxy - HTTP/HTTPS proxy (default port 3128) # socks - SOCKS 4/4.5/5 proxy (default port 1080) # pop3p - POP3 proxy (default port 110) # tcppm - TCP portmapper # udppm - UDP portmapper # # you can change default port with -pNUMBER option. # portmapping services listen at SRCPORT and connect to DSTADDR:DSTPORT # HTTP and SOCKS proxies are standard. POP3 proxy must be configured # as POP3 server and requires username in the form of: # pop3username@pop3server # if POP3 proxy access must be authenticated, you can specify username # as # proxy_username:proxy_password:POP3_username@pop3server # # # # # log [[@|&]logfile] [] # sets logfile for all gateways # @ - (for Unix) use syslog, filename is used as ident name # & - use ODBC, filename consists of comma-delimited # datasource,username,password (username and password are # optional) # LOGTYPE is one of: # M - Monthly # W - Weekly (starting from Sunday) # D - Daily # H - Hourly # if logfile is not specified logging goes to stdout # You can specify individual logging options for gateway by using # -l option in gateway configuration. # # rotate # how many archived log files to keep # # logformat # Format for log record. First symbol in format must be L (local time) # or G (absolute Grinwitch time) You can use: # # %y - Year in 2 digit format # %Y - Year in 4 digit format # %m - Month number # %d - Day # %H - Hour # %M - Minute # %S - Second # %t - Timstamp (in seconds since 01-Jan-1970) # %. - milliseconds # %z - timeZone (from Grinvitch) # # %U - Username # %N - service Name # %p - service Port # %E - Error code # %C - Client IP # %c - Client port # %R - Remote IP # %r - Remote port # %I - bytes In # %O - bytes Out # %h - Hops (redirections) count # %T - service specific Text # in case of ODBC logging logformat specifies SQL statement, for exmample: # logformat "Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) # values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')" # # archiver # Archiver to use for log files. is file extension produced by # archiver. Filename will be last argument to archiver, optionally you # can use %A as archive name and %F as filename. # # timeouts # Sets timeout values # BYTE_SHORT - short timeout for single byte, is usually used for # receiving single byte from stream. # BYTE_LONG - long timeout for single byte, is usually used for # receiving first byte in frame (for example first byte # in socks request). # STRING_SHORT - short timeout, for character string within stream # (for example to wait between 2 HTTP headers) # STRING_LONG - long timeout, for first string in stream (for example # to wait for HTTP request). # CONNECTION_SHORT - inactivity timeout for short connections (HTTP, # POP3, etc). # CONNECTION_LONG - inactivity timeout for long connection (SOCKS, # portmappers, etc). # DNS - timeout for DNS request before requesting next server # CHAIN - timeout for reading data from chained connection # # nserver # Nameserver to use for name resolutions. If none spcified system # or name server fails system routines for name resolution will be # used. It's better to specify nserver because gethostbyname() may # be thread unsafe. # # nscache # Cache records for name resolution. Cachesize usually # should be large enougth (for example 65536). # # nsrecord # Adds static record to nscache. nscache must be enabled. If # is used as a hostaddr host will never resolve. # # dialer # Execute progname if external name can't be resolved. # Hint: if you use nscache, dialer may not work, because names will # be resolved through cache. In this case you can use something like # http://dial.right.now/ from browser to set up connection. # # # internal # sets ip address of internal interface. This IP address will be used # to bind gateways. Alternatively you can use -i option for individual # gateways # # external # sets ip address of external interface. This IP address will be source # address for all connections made by proxy. Alternatively you can use # -e option to specify individual address for gateway. # # service # Should be specified to launch as NT/2000/XP service, no effect for # Unix. # # daemon # Should be specified to close console (needn't for service). # At least under FreeBSD 'daemon' should preceed any proxy service # to avoid sockets problem. # # auth # Type of user authorization. Currently supported: # none - no authorization required # iponly - authorization by source/destination IP and ports # nbname - iponly + authorization by NetBIOS name. Messanger # service should be started on user's machine. Note, that # Windows 95/98 hosts do not have messanger service by default, # WinPopup program need to be started. # NB: there is no any password check, name may be spoofed. # Think about it as about ident for Windows. # Q: Will ident authorization be implemented? # A: Yes, as soon as it will be required by someone. # strong - username/password authentication required. It will work only # with SOCKSv5 and HTTP proxy. # # allow # deny # redirect redirect_ip redirect_port # Access control entries. All lists are comma-separated, no spaces are # allowed. Usernames are case sensitive (if used with authtype nbname # username must be in uppercase). Source and target lists may contain # IP addresses (W.X.Y.Z) or CIDRs (W.X.Y.Z/L). Targetportlist may # contain ports (X) or port lists (X-Y). # * sign means "ANY". # If access list is empty it's assumed to be # allow * # If access list is not empty last item in access list is assumed to be # deny * # Access lists are checked after user have requested any resource. # If you want 3proxy to reject connections from specific addresses # immediately without any conditions you should either bind proxy # to appropriate interface only or to use ip filters. # Redirect causes connection to be accepted, but outgoing connection # to be redirected to different ip/port if user's connection matches # to rule. # For example # redirect 80 * * * 80 # causes all outgoing web traffic to be redirected to web # server. IP address of all zeros means redirect to same IP as requested. # Zero port number means redirect to same port as requested. # redirect 0 # (both ip and port is zero) # has special meaning of redirection to local HTTP proxy. This type of # redirection is not logged. # Operation is one of: # CONNECT - establish outgoing TCP connection # BIND - bind TCP port for listening # UDPASSOC - make UDP association # ICMPASSOC - make ICMP association # HTTP_GET - HTTP GET request # HTTP_PUT - HTTP PUT request # HTTP_POST - HTTP POST request # HTTP_HEAD - HTTP HEAD request # HTTP_CONNECT - HTTP CONNECT request # HTTP_OTHER - over HTTP request # HTTP - matches any HTTP request except HTTP_CONNECT # HTTPS - same as HTTP_CONNECT # FTP_GET - FTP get request # FTP_PUT - FTP put request # FTP_LIST - FTP list request # FTP - matches any FTP request # # parent # this command may follow "allow" rule. It extends last allow rule to # build proxy chain. # allows to build proxy chain. Proxy may be grouped. Proxy inside the # group is selected randomely. If few groups are specified one proxy # is randomely picked from each group and chain of proxies is created # (that is second proxy connected through first one and so on). # Weight is used to group proxies. Weigt is a number between 1 and 1000. # Weights are summed and proxies are grouped together untill weight of # group is 1000. That is: # allow * # parent 500 socks5 1080 # parent 500 connect 3128 # makes 3proxy to randomely choose between 2 proxies for all outgoing # connections # allow * * * 80 # parent 1000 socks5 1080 # parent 1000 connect 3128 # parent 300 socks4 1080 # parent 700 socks5 1080 # creates chain of 3 proxies:, and third # is ( with probability of 0.3 or # with probability of 0.7) for outgoing web connections. # type is one of: # tcp - simply redirect connection. TCP is always last in chain. # allow * * * 80 # parent 1000 tcp 3128 # command pair is eqals to # redirect 3128 * * * 80 # # http - same with tcp # connect - parent is HTTP CONNECT method proxy # socks4 - parent is SOCKSv4 proxy # socks5 - parent is SOCKSv5 proxy # ip and port are ip addres and port of parent proxy server. # Optional username and password are used to authenticate on parent # proxy. # # bandlimin # nobandlimin # # bandlim sets bandwith limitation filter to bps (bits per second) # (SIC! if you wanna specife bytes per second - multiply your value to 8). # bandlim rules act in a same manner as allow/deny rules except # one thing: bandwidth limiting is applied to all services, not to some # specific service. # bandlimin and nobandlimin applies to incoming traffic # bandlimout and nobandlimout applies to outgoing traffic # If tou want to ratelimit your clients with ip's (4 # addresses) to 57600 bps you have to specify 4 rules like # bandlimin 57600 * # bandlimin 57600 * # bandlimin 57600 * # bandlimin 57600 * # and every of you clients will have 56K channel. # if you specify # bandlimin 57600 * # you will have 56K channel shared between all clients. # if you want, for example, to limit all speed ecept access to POP3 # you can use # nobandlimin * * * 110 # before the rest of bandlim rules.e # # counter # countin # nocountin # # counter, countin, nocountin commands are used to set traffic limit # in MB for period of time (day, week or month). Filename is a path # to a special file where traffic information is permanently stored. # number is sequential number of record in this file. If number is 0 # no traffic information on this counter is saved in file (that is # if proxy restarted all information is loosed) overwise it should be # unique sequential number. # Type specifies a type of counter. Type is one of: # D - counter is resetted daily # W - counter is resetted weekly # M - counter is resetted monthely # reporttype/repotname may be used to generate traffic reports. # Reporttype is one of D,W,M,H(hourly) and repotname specifies filename # template for reports. Report is text file with counter values in # format: # # The rest of parameters is identical to bandlim/nobandlim. # # # users username[:pwtype:password] ... # pwtype is one of: # none (empty) - use system authentication # CL - password is cleartext # CR - password is crypt-style password # NT - password is NT password (in hex) # example: # users test1:CL:password1 "test2:CR:$1$lFDGlder$pLRb4cU2D7GAT58YQvY49." test3:NT:BD7DFBF29A93F93C63CB84790DA00E63 # # # flush # empty active access list # # system # execute system command # # pidfile # write pid of current process to file. It can be used to manipulate # 3proxy with signals under Unix. Currently next signals are available: # CONT - pauses/continues 3proxy. In paused state new connections # are not accepted, but established connections still work. # TERM - terminates 3proxy # # setuid # call setuid(uid), uid must be numeric. Unix only. # # setgid # call setgid(gid), gid must be numeric. Unix only. # # chroot # call chroot(path). Unix only. # #system "echo Hello world!" # you may use system to execute some external command if proxy starts #nserver #nserver # We can configure nservers to avoid unsafe gethostbyname() usage timeouts 1 5 30 60 180 1800 15 60 # Here we can change timeout values users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1" # note that "" required, overvise $... is treated as include file name. # $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format. #users $/usr/local/etc/3proxy/passwd # this example shows you how to include passwd file. For included files # and are treated as field separators. service # service is required under NT if you want 3proxy to start as service #daemon # now we will not depend on any console (daemonize). #log /usr/local/etc/3proxy/logs/3proxy.log D log c:\3proxy\logs\3proxy.log D # log allows to specify log file location and rotation, D means logfile # is created daily logformat "L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T" #logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" #logformat "Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')" #archiver gz /bin/gzip %F #archiver zip zip -m -qq %A %F #archiver zip pkzipc -add -silent -move %A %F archiver rar rar a -df -inul %A %F # if archiver specified log file will be compressed after closing. # you should specify extension, path to archiver and command line, %A will be # substituted with archive file name, %f - with original file name. # Original file will not be removed, so archiver should care about it. rotate 30 # We will keep last 30 log files auth iponly #auth nbname #auth strong # auth specifies type of user authentication. If you specify none proxy # will not do anything to check name of the user. If you specify # nbname proxy will send NetBIOS name request packet to UDP/137 of # client and parse request for NetBIOS name of messanger service. # Strong means that proxy will check password. For strong authentication # unknown user will not be allowed to use proxy regardless of ACL. # If you do not want username to be checked but wanna ACL to work you should # specify auth iponly. #allow ADMINISTRATOR,root #allow *, * * #redirect 80 * * * 80 #allow * * 25,53,110,20-21,1024-65535 # we will allow everything if username matches ADMINISTRATOR or root or # client ip is or Overwise we will redirect any request # to port 80 to our Web-server # We will allow any outgoing connections from network to # SMTP, POP3, FTP, DNS and unprivileged ports. # Note, that redirect may also be used with proxy or portmapper. It will # allow you to redirect requests to different ports or different server # for different clients. # sharing access to internet external # external is address 3proxy uses for outgoing connections. means any # interface. Using is not good because it allows to connect to internal # internal is address of interface proxy will listen for incoming requests # means only localhost will be able to use this proxy. This is # address you should specify for clients as proxy IP. # You MAY use but you shouldn't, because it's a chance for you to # have open proxy in your network in this case. #external $./external.ip #internal $./internal.ip # this is just an alternative form fo giving external and internal address # allows you to read this addresses from files auth iponly allow * * * 80-88,8080-8088 HTTP allow * * * 443,8443 HTTPS proxy auth none pop3p # Now we starting HTTP and POP3 proxy with settings above #tcppm 25 mail.my.provider 25 #udppm -s 53 ns.my.provider 53 # we can portmap port TCP/25 to provider's SMTP server and UDP/53 # to provider's DNS. # Now we can use our proxy as SMTP and DNS server. # -s switch for UDP means "single packet" service - instead of setting # association for period of time association will only be set for 1 packet. # It's very userfull for services like DNS but not for some massive services # like multimedia streams or online games. auth strong fflush allow 3APA3A,test socks # for socks we will use password authentication and different access control - # we flush previously configured ACL list and create new one to allow users # test and 3APA3A to connect from any location # map external 80 and 443 ports to internal Web server # examples below show how to use 3proxy to publish Web server in internal # network to Internet. We must switch internal and external addresses and # flush any ACLs #auth none #flush #external $./internal.ip #internal $./external.ip #tcppm 80 websrv 80 #tcppm 443 websrv 443 #chroot /usr/local/jail #setgid 65535 #setuid 65535 # now we needn't any root rights. We can chroot and setgid/setuid. ###$Id: 3proxy.cfg.sample,v 1.7 2003/10/28 13:07:42 vlad Exp $#######