|
 |
f783ca4 |
# Yes, 3proxy.cfg can be executable, in this case you should place
|
|
|
f783ca4 |
# something like
|
|
|
f783ca4 |
#config /usr/local/3proxy/3proxy.cfg
|
|
|
f783ca4 |
# to show which configuration 3proxy should re-read on realod.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#system "echo Hello world!"
|
|
|
f783ca4 |
# you may use system to execute some external command if proxy starts
|
|
|
f783ca4 |
|
|
|
f783ca4 |
# We can configure nservers to avoid unsafe gethostbyname() usage
|
|
|
f783ca4 |
#nserver 10.1.2.1
|
|
|
f783ca4 |
#nserver 10.2.2.2
|
|
|
f783ca4 |
# nscache is good to save speed, traffic and bandwidth
|
|
|
f783ca4 |
nscache 65536
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#nsrecord porno.security.nnov.ru 0.0.0.0
|
|
|
f783ca4 |
# nobody will be able to access porno.security.nnov.ru by the name.
|
|
|
f783ca4 |
#nsrecord wpad.security.nnov.ru www.security.nnov.ru
|
|
|
f783ca4 |
# wpad.security.nnov.ru will resolve to www.security.nnov.ru for
|
|
|
f783ca4 |
# clients
|
|
|
f783ca4 |
|
|
|
f783ca4 |
|
|
|
f783ca4 |
timeouts 1 5 30 60 180 1800 15 60
|
|
|
f783ca4 |
# Here we can change timeout values
|
|
|
f783ca4 |
|
|
|
f783ca4 |
users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
|
|
|
f783ca4 |
# note that "" required, overvise $... is treated as include file name.
|
|
|
f783ca4 |
# $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format.
|
|
|
f783ca4 |
#users $/usr/local/etc/3proxy/passwd
|
|
|
f783ca4 |
# this example shows you how to include passwd file. For included files
|
|
|
f783ca4 |
# <CR> and <LF> are treated as field separators.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
daemon
|
|
|
f783ca4 |
# now we will not depend on any console (daemonize). daemon must be given
|
|
|
f783ca4 |
# before any significant command on *nix.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#service
|
|
|
f783ca4 |
# service is required under NT if you want 3proxy to start as service
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#log /usr/local/etc/3proxy/logs/3proxy.log D
|
|
|
f783ca4 |
log /var/log/3proxy/3proxy.log
|
|
|
f783ca4 |
# log allows to specify log file location and rotation, D means logfile
|
|
|
f783ca4 |
# is created daily
|
|
|
f783ca4 |
|
|
|
f783ca4 |
# in log file we want to have underscores instead of spaces
|
|
|
f783ca4 |
logformat "- +_L%t.%. %N.%p %E %U %C:%c %R:%r %O %I %h %T"
|
|
|
f783ca4 |
#logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
|
|
|
f783ca4 |
#logformat "Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')"
|
|
|
f783ca4 |
|
|
|
f783ca4 |
archiver gz /bin/gzip %F
|
|
|
f783ca4 |
#archiver zip zip -m -qq %A %F
|
|
|
f783ca4 |
#archiver zip pkzipc -add -silent -move %A %F
|
|
|
f783ca4 |
#archiver rar rar a -df -inul %A %F
|
|
|
f783ca4 |
# if archiver specified log file will be compressed after closing.
|
|
|
f783ca4 |
# you should specify extension, path to archiver and command line, %A will be
|
|
|
f783ca4 |
# substituted with archive file name, %f - with original file name.
|
|
|
f783ca4 |
# Original file will not be removed, so archiver should care about it.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
rotate 30
|
|
|
f783ca4 |
# We will keep last 30 log files
|
|
|
f783ca4 |
|
|
|
f783ca4 |
auth iponly
|
|
|
f783ca4 |
#auth nbname
|
|
|
f783ca4 |
#auth strong
|
|
|
f783ca4 |
# auth specifies type of user authentication. If you specify none proxy
|
|
|
f783ca4 |
# will not do anything to check name of the user. If you specify
|
|
|
f783ca4 |
# nbname proxy will send NetBIOS name request packet to UDP/137 of
|
|
|
f783ca4 |
# client and parse request for NetBIOS name of messanger service.
|
|
|
f783ca4 |
# Strong means that proxy will check password. For strong authentication
|
|
|
f783ca4 |
# unknown user will not be allowed to use proxy regardless of ACL.
|
|
|
f783ca4 |
# If you do not want username to be checked but wanna ACL to work you should
|
|
|
f783ca4 |
# specify auth iponly.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#allow ADMINISTRATOR,root
|
|
|
f783ca4 |
#allow * 127.0.0.1,192.168.1.1 * *
|
|
|
f783ca4 |
#redirect 192.168.1.2 80 * * * 80
|
|
|
f783ca4 |
#allow * 192.168.1.0/24 * 25,53,110,20-21,1024-65535
|
|
|
f783ca4 |
# we will allow everything if username matches ADMINISTRATOR or root or
|
|
|
f783ca4 |
# client ip is 127.0.0.1 or 192.168.1.1. Overwise we will redirect any request
|
|
|
f783ca4 |
# to port 80 to our Web-server 192.168.0.2.
|
|
|
f783ca4 |
# We will allow any outgoing connections from network 192.168.1.0/24 to
|
|
|
f783ca4 |
# SMTP, POP3, FTP, DNS and unprivileged ports.
|
|
|
f783ca4 |
# Note, that redirect may also be used with proxy or portmapper. It will
|
|
|
f783ca4 |
# allow you to redirect requests to different ports or different server
|
|
|
f783ca4 |
# for different clients.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
# sharing access to internet
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#external 10.1.1.1
|
|
|
f783ca4 |
external 0.0.0.0
|
|
|
f783ca4 |
# external is address 3proxy uses for outgoing connections. 0.0.0.0 means any
|
|
|
f783ca4 |
# interface. Using 0.0.0.0 is not good because it allows to connect to 127.0.0.1
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#internal 192.168.1.1
|
|
|
f783ca4 |
internal 127.0.0.1
|
|
|
f783ca4 |
# internal is address of interface proxy will listen for incoming requests
|
|
|
f783ca4 |
# 127.0.0.1 means only localhost will be able to use this proxy. This is
|
|
|
f783ca4 |
# address you should specify for clients as proxy IP.
|
|
|
f783ca4 |
# You MAY use 0.0.0.0 but you shouldn't, because it's a chance for you to
|
|
|
f783ca4 |
# have open proxy in your network in this case.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
auth none
|
|
|
f783ca4 |
# no authentication is requires
|
|
|
f783ca4 |
|
|
|
f783ca4 |
dnspr
|
|
|
f783ca4 |
|
|
|
f783ca4 |
# dnsproxy listens on UDP/53 to answer client's DNS requests. It requires
|
|
|
f783ca4 |
# nserver/nscache configuration.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#external $./external.ip
|
|
|
f783ca4 |
#internal $./internal.ip
|
|
|
f783ca4 |
# this is just an alternative form fo giving external and internal address
|
|
|
f783ca4 |
# allows you to read this addresses from files
|
|
|
f783ca4 |
|
|
|
f783ca4 |
auth strong
|
|
|
f783ca4 |
# We want to protect internal interface
|
|
|
f783ca4 |
deny * * 127.0.0.1,192.168.1.1
|
|
|
f783ca4 |
# and llow HTTP and HTTPS traffic.
|
|
|
f783ca4 |
allow * * * 80-88,8080-8088 HTTP
|
|
|
f783ca4 |
allow * * * 443,8443 HTTPS
|
|
|
f783ca4 |
proxy -n
|
|
|
f783ca4 |
|
|
|
f783ca4 |
auth none
|
|
|
f783ca4 |
# pop3p will be used without any authentication. It's bad choice
|
|
|
f783ca4 |
# because it's possible to use pop3p to access any port
|
|
|
f783ca4 |
pop3p
|
|
|
f783ca4 |
|
|
|
f783ca4 |
tcppm 25 mail.my.provider 25
|
|
|
f783ca4 |
#udppm -s 53 ns.my.provider 53
|
|
|
f783ca4 |
# we can portmap port TCP/25 to provider's SMTP server and UDP/53
|
|
|
f783ca4 |
# to provider's DNS.
|
|
|
f783ca4 |
# Now we can use our proxy as SMTP and DNS server.
|
|
|
f783ca4 |
# -s switch for UDP means "single packet" service - instead of setting
|
|
|
f783ca4 |
# association for period of time association will only be set for 1 packet.
|
|
|
f783ca4 |
# It's very userfull for services like DNS but not for some massive services
|
|
|
f783ca4 |
# like multimedia streams or online games.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
auth strong
|
|
|
f783ca4 |
flush
|
|
|
f783ca4 |
allow 3APA3A,test
|
|
|
f783ca4 |
maxconn 20
|
|
|
f783ca4 |
socks
|
|
|
f783ca4 |
# for socks we will use password authentication and different access control -
|
|
|
f783ca4 |
# we flush previously configured ACL list and create new one to allow users
|
|
|
f783ca4 |
# test and 3APA3A to connect from any location
|
|
|
f783ca4 |
|
|
|
f783ca4 |
|
|
|
f783ca4 |
auth strong
|
|
|
f783ca4 |
flush
|
|
|
f783ca4 |
internal 127.0.0.1
|
|
|
f783ca4 |
allow 3APA3A 127.0.0.1
|
|
|
f783ca4 |
maxconn 3
|
|
|
f783ca4 |
admin
|
|
|
f783ca4 |
#only allow acces to admin interface for user 3APA3A from 127.0.0.1 address
|
|
|
f783ca4 |
#via 127.0.0.1 address.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
# map external 80 and 443 ports to internal Web server
|
|
|
f783ca4 |
# examples below show how to use 3proxy to publish Web server in internal
|
|
|
f783ca4 |
# network to Internet. We must switch internal and external addresses and
|
|
|
f783ca4 |
# flush any ACLs
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#auth none
|
|
|
f783ca4 |
#flush
|
|
|
f783ca4 |
#external $./internal.ip
|
|
|
f783ca4 |
#internal $./external.ip
|
|
|
f783ca4 |
#maxconn 300
|
|
|
f783ca4 |
#tcppm 80 websrv 80
|
|
|
f783ca4 |
#tcppm 443 websrv 443
|
|
|
f783ca4 |
|
|
|
f783ca4 |
|
|
|
f783ca4 |
#chroot /usr/local/jail
|
|
|
f783ca4 |
#setgid 65535
|
|
|
f783ca4 |
#setuid 65535
|
|
|
f783ca4 |
# now we needn't any root rights. We can chroot and setgid/setuid.
|
|
|
f783ca4 |
|
|
|
f783ca4 |
|
|
|
c5cc3de |
###$Id: 3proxy.cfg.sample,v 1.5 2004/07/16 12:37:20 vlad Exp $#######
|