##
#  nameservers. Use your own, not ours.
## 

nameserver 195.114.128.50
nameserver 193.219.193.130

##
#  Ports and address to use for HTTP and ICP
##

#bind		ip_addr|hostname
http_port	3128
icp_port	3130

##
## Change euid to that user
##
## WARNING: if you use 'userid', then 'reconfigure' will not be able to
##	    open new sockets on reserved (< 1024) ports and will not be able
##	    to return to the original userid.
##
userid	squid

##
## Change root directory. If you don't know exactly what you are doing,
## leave this commented out.
#chroot		???

##
#  Logfile - just debug output
#  When given in the form 'filename [{N S}] [[un]buffered]' the log
#  will be rotated automatically (up to N files, each up to S bytes in size)
##
logfile		/var/log/oops/oops.log
#logfile	/usr/oops/logs/oops.log { 3 1m } unbuffered

##
#  Accesslog - the same format as for squid. For rotation - see the note for logfile
##
accesslog	/var/log/oops/oops.access
#accesslog	/usr/oops/logs/access.log

##
#  Pidfile - used for kill -1 `cat oops.pid` and for locking.
##
pidfile		/var/run/oops/oops.pid

##
# Statistics file - once per minute flush some statistics to this file
##
statistics	/var/log/oops/oops_statfile

##
#  icons - where to find link.gif, dir.gif, binary.gif and so on (for 
#  ftp listings). If omitted, the name of the running host will be used,
#  but using explicit names is the better way.
##

#icons-host	ss5.paco.net
#icons-port	80
#icons-path	icons

##
#  When the total volume of objects in memory grows over this (meaning
#  that cacheable data arrived from the network faster than we could save it to disk),
#  drop objects (without attempting to save them to disk).
##
mem_max		64m

##
#  Hint for how many cached objects to keep in memory.
#  When the total amount becomes larger than this limit, start
#  swapping cacheable objects to disk.
##
lo_mark		8m

##
# Start random early drop when the number of clients reaches this level.
# This can protect you against attacks and against situations where
# oops can't handle too many connections. By default - 0 (no limit).
##
#start_red	0

##
# Refuse any new connection when the number of already connected clients reaches
# this level. By default - 0 (no limit).
##
#refuse_at	0

##
#  if a document contains no Expires: header, then expire it after this many days
#  ftp-expire-value - expire time for ftp (in days)
##
default-expire-value    7
ftp-expire-value	7

##
# Maximum expire time - a document will not be kept in cache for more than
# this number of days (except if default-expire-value is used for this document)
##
max-expire-value        30

##
# In what proportion the time passed since the document's last modification
# is accounted in the expire time. For example, if last-modified-factor=5
# and 10 days have passed since the document was modified, then expiration
# will be set to 2 days in the future (but no more than max-expire-value)
##
last-modified-factor	5

##
# If you do not want to cache replies without a Last-Modified: header,
# uncomment the next line.
##
#dont_cache_without_last_modified

#  run expire every ( in hours )
##
default-expire-interval 1

##
#  icp_timeout - how long to wait for an icp reply from a peer (in ms, e.g. 1000 = 1 sec)
##
icp_timeout	1000

##
#  start disk cache cleanup when free space falls to this value (in %%)
#  As on very large storages 1% is a lot of space (1% of 9G is
#  90M), on such storages you can set both disk-low-free and
#  disk-ok-free to 0. Oops will then start cleanup when it has fewer than 256
#  free blocks (1M), and stop when it reaches 512 free blocks (2M).
##
disk-low-free	3

##
#  stop disk cache cleanup when free space reaches this value (in %%)
##
disk-ok-free	5

##
#  Force_http11 - turn on http/1.1 for each request to the document server.
#  This option is required if the 'vary' module is used.
##
force_http11

##
#  Always check document freshness, even if it is not stale or expired.
#  This forces Oops to behave like squid - first check the cached doc, then send it.
##
#always_check_freshness

##
#  If the requesting user aborted the connection to the proxy, but more than
#  some percentage of the document had already been received - then continue fetching it.
#  default value - 75%
##
force_completion 75

##
#  maximum size of the object we will cache
##
maxresident	1m

insert_x_forwarded_for	yes
insert_via		yes

##
#  If the host has several interfaces or aliases, use exactly
#  this name when connecting to servers:
##
#connect-from	proxy.paco.net

##
#	ACLs - currently: urlregex, urlpath, usercharset
#		port, dstdom, dstdom_regex, src_ip, time
#		each acl can be loaded from file.
##
#acl	CACHEABLECGI	urlregex	http://www\.topping\.com\.ua/cgi-bin/pingstat\.cgi\?072199131826
#acl	WWWPACO		urlregex	www\.paco\.net
#acl	NO_RLH		urlregex	zipper
#acl	REWRITEPORTS	urlregex	(www.job.ru|www.sale.ru)
#acl	REWRITEHOSTS	urlregex	(www.asm.ru|zipper\.paco)
#acl	WINUSER		usercharset	windows-1251
#acl	DOSUSER		usercharset	ibm866
#acl	UNIXUSER	usercharset	koi8-r
#acl	RUS		dstdom		ru su
#acl	UKR		dstdom		ua
#acl	BADPORTS	port		[0:79],110,138,139,513,[6000:6010]
#acl	BADDOMAIN	dstdom		baddomain1.com baddomain2.com
#acl	BADDOMREGEX	dstdom_regex	baddomain\.((com)|(org))
#acl	LOCAL_NETWORKS	src_ip		include:/etc/oops/acl_local_networks
#acl	BADNETWORKS	src_ip		192.168.10/24
#acl	WORKTIME	time		Mon,Tue:Fri 0900:1800
#acl	HTMLS		content_type	text/html
#acl	USERS		username	joe
acl	ADMINS		src_ip		127.0.0.1
acl	PURGE		method		PURGE

##
#	acl_deny [!]ACL [!]ACL ...
#	deny access when the combined acl matches
##
acl_deny PURGE !ADMINS

##
#  Never cache objects whose URL contains...
##
stop_cache	?
stop_cache	cgi-bin

##
#	stop_cache_acl [!]ACL [!]ACL ...
#	Stop cache using ACL
##
#stop_cache_acl	WWWPACO

##
#	refresh_pattern ACLNAME min percent max
#	'min' and 'max' are the limits between which the Expire time will be assigned.
#	If the document has no Expires: header but has a Last-Modified: header,
#	we use 'percent' to estimate how far in the future the document will
#	expire.
##
#refresh_pattern	CACHEABLECGI	20 50% 200
#refresh_pattern	WWWPACO		0 0% 0

##
#	bind_acl {hostname|ip} [!]ACL [!]ACL ...
#	bind to given address when connecting to server
#	if request match ACLNAME
##
#bind_acl	outname1 RUS
#bind_acl	outname2 UKR

##
#  Always check document freshness, but now on an acl basis.
# You can have several such lines.
## This example would force a freshness check only for html documents.
#always_check_freshness_acl	HTMLS

##
# line 'parent ....' will force all connections (except to destinations
# in local-domain or local-networks) to go through the parent host
##
#parent		proxy.paco.net 3128

##
# parent_auth	login:password
# if your parent requires a login/password from your proxy. The credential is
# stored in plain text here, so restrict read access to this file.
##
#parent_auth	login:password

# ICP peer's
#peer		proxy.paco.net	3128         3130 {
##              ^^^ peer name   ^http port   ^icp port
##		icp port can be 0, in which case we assume this is a non-icp
##		proxy. We assume that a non-icp peer acts like a parent which
##		answers MISS all the time. If this peer refuses a connection
##		then it goes down for 60 seconds - it doesn't take part in
##		any peer-related decisions.
#		sibling ;
## if this peer require login/password from your proxy
#		my_auth	my_login:my_password;
## we will send requests for these domains
#		allow	dstdomain * ;
## we will NOT send requests for these domains
#		deny	dstdomain * ;
## we will send only requests matched to this acl
#		peer_access	[!]ACL1 [!]ACL2
## if (and only if) the peer is not icp-capable, then, in case of failure we
## leave the failed peer alone for the down_timeout interval (in seconds).
## Then we will try again
#		down_timeout	60 ;
#}

#peer		proxy.gu.net	80 3130 {
#		parent ;
#		allow	dstdomain * ;
#		deny	dstdomain paco.net odessa.ua ;
#}

##
#  Never use "parent" when connecting to server in these domains
##
local-domain	odessa.ua od.ua
local-domain	odessa.net paco.net netsy.net netsy.com te.net.ua

local-networks	195.114.128/19 10/8 192.168/16

#
# Groups
#

group	main	{
##
#	You can describe group ip addresses here, or using src_ip acl's
#	with the networks_acl directive.
#	networks_acl always has higher preference (checked first) and
#	entries are checked in the order of appearance.
#	If the host does not fall in any networks_acl - we check in networks.
#       networks are ordered by masklen - longest masks (most specific networks)
#	are checked first.
##

#Next line enables redirection features and transparent proxying
	redir_mods	fastredir transparent;
#Change this next line to list the IPs of everyone in this group; hosts not
#matched here fall through to the 'world' group below	
	networks	195.114.128/19 127/8 195.5.40.93/32 ;
	
#	networks_acl	LOCAL_NETWORKS !BAD_NETWORKS ;
	badports	[0:79],110,138,139,513,[6000:6010] ;
	miss		allow;
##
# denytime - times when access to the proxy server is denied for this group
##
#	denytime	Sat,Sun		0642:1000
#	denytime	Mon,Thu:Fri,Sun	0900:2100
##
# Authentication modules for this group (separated by space)
##
#	auth_mods	passwd_file;

##
# URL-redirector (porn, ad filtering) modules for this group (separated by
# space)
##
#	redir_mods	redir;


##
# limit whole group to 8Kbytes per sec
##
#	bandwidth	8k;

##
# limit each host 8Kbytes per sec
##
#	per_ip_bw	8k;

##
# limit connections number from each host
#
#	per_ip_conn	8;

##
# limit request rate from this group (requests per second). This is crude,
# and should be used only as a last resort
##
#	maxreqrate	100;

##
# icp acl ...
##
#	icp {
#		allow	dstdomain * ;
#	}

##
# http acl
##
	http {
##
# http acls can be in the form 'allow dstdomain domainname domainname ... domainname ;'
#               or in the form 'allow dstdomain include:filename ;'
#		            where filename is the name of a file which contains
#				  domainnames (one per line, # - comment line);
#           the same rules apply to 'deny'
##
		allow	dstdomain * ;
	}
}

group	world	{
	networks	0/0;
	badports	[0:79],110,138,139,513,[6000:6010];
	http {
		deny	dstdomain * ;
	}
	icp {
		deny	dstdomain * ;
	}
}

##
#  Storage section
#  Change this for your own situation. Oops can work without
#  storages (using only in-memory cache).
##

##
#  Storage description (there can be several)
#  path - filename of the storage. Can be a raw device (be careful!)
#  size - size (of the storage file). Can be something like 100k or 200m or 4g
#  Size is used only during the format process (oops -z).
##

storage {
	path /var/lib/oops/storage/oops_storage ;
#	Size of the storage. Can be in bytes or 'auto'. Auto is
#	useful for pre-created storages or disk slices.
#	NOTE: 'size auto' won't work for Linux on disk slices.
#	To use large ( > 2G ) files run configure with --enable-large-files

	size 100m ;

#	You have to use 'offset' in case your raw device (or slice)
#	requires that. For example if you use an entire disk as storage
#	under AIX and Solaris/Sparc - you have to skip the first block
#	which contains the disk label (that is, the storage will start from
#	the next 512-byte sector).
#	offset	512;
}

#storage {
#	path /usr/oops/storages/oops_storage1 ;
#	size 600m ;
#}

module lang {

	default_charset eng	

	# Recode tables and other charset stuff
	CharsetRecodeTable windows-1251 /etc/oops/tables/koi-win.tab
	CharsetRecodeTable ISO-8859-5 /etc/oops/tables/koi-iso.tab
	CharsetRecodeTable ibm866 /etc/oops/tables/koi-alt.tab
	CharsetAgent windows-1251 AIR_Mosaic IWENG/1 MSIE WinMosaic (Windows (WinNT;
	CharsetAgent windows-1251 (Win16; (Win95; (Win98; (16-bit) Opera/3.0
	CharsetAgent ibm866 DosLynx Lynx2/OS/2
}

module err {
	# error reporting module

	# template
	template /etc/oops/err_template.html

	# Language to use when generate Error messages
	lang eng 
}

module passwd_file {
	# password proxy-authentication module
	#
	# default realm, scheme and passwd file
	# the only things you really want to change are 'file' and 'template'
	# you don't have to reconfigure oops if you only
	# change the content of the passwd file or template: oops automatically
	# reloads the file. Restrict read access to the passwd file.

	realm		oops
	scheme		Basic
	file		/etc/oops/passwd
	template	/etc/oops/auth_template.html
}

module passwd_pgsql {
	# proxy authentication using postgresql
	# "Ivan B. Yelnikov" <bahek@khspu.ru>
	#
	# host - host where the database lives,
	# user,password - login and password for database access (stored in
	#	     plain text here, so restrict read access to this file)
	# database - database name
	# select - file with the request body
	# template - file with the html doc which the user will receive
	#	     during authentication
        scheme          Basic
        realm           oops
        host            <host address/name>
        user            <database_user>
        password        <user_password>
        database        <database_name>
        select          /etc/oops/select.sql
        template        /etc/oops/auth_template.html
}

module passwd_mysql {
	# proxy authentication using mysql
	# "Ivan B. Yelnikov" <bahek@khspu.ru>
	#
	# see the passwd_pgsql description
	#
        scheme          Basic
        realm           oops
        host            <host address/name>
        user            <database_user>
        password        <user_password>
        database        <database_name>
        select          /etc/oops/select.sql
        template        /etc/oops/auth_template.html
}

module redir {
	# file - regex rules.
	# each line consists of one or two fields (separated with white space)
	# 1. regular expression
	# 2. redirect-location
	# if the requested (by client) url matches the regex then
	# if we have a redirect-url then we send '302 Moved Temporarily' to
	# 	redirect-location
	# if we have no redirect-location (i.e. we have no 2-nd field)
	# 	then we send template.html (%R will be substituted by the rule)
	#    or some default message if we have no template.
	# you don't have to reconfigure oops each time
	# you edit the rules or template, they will be reloaded automatically

	file		/etc/oops/redir_rules
	template	/etc/oops/redir_template.html
##	mode controls whether redir rewrites the url or sends a Location: header
##	with the new location. Values are 'rewrite' or 'bounce'
#	mode		rewrite

	# This module can process requests which come on http_port
	# and/or on a different port. For example, you may wish oops to
	# bind on two ports - 3128 and 3129 - so that all requests which come on
	# port 3129 pass through the filters, and requests which come on port
	# 3128 (the common http_port) do not. Then you have to uncomment the next line
	# myport 3129
	# which means exactly: bind oops to the additional port 3129 and process
	# requests which come on this port.
	# myport can take the following form:
	# myport [{hostname|ip_addr}:]port
}

module oopsctl {
	# path to oopsctl unix socket
	socket_path	/var/run/oops/oopsctl
	# time to auto-refresh page (seconds)
        html_refresh    300
}

##
## This module handles the 'Vary' header - it was written to better support
## Russian Apache
##
module	vary {
	user-agent	by_charset
	accept-charset	ignore
}

##
## WWW accelerator. To use it, add the word 'accel' to the
## redir_mods line of
## the group 'world' description.
## You will find more description of this module in the supplied accel_maps file
##
#module	accel {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
#	myport			80
##
# allow access to the proxy through the accel module.
# 'deny' will stop proxying through accel completely, regardless
# of any other access rules
##
#	proxy_requests		deny
#
##
#	File with maps and other config directives
#	Checked once per minute. No need to restart oops if maps changed
##
#	file			/etc/oops/accel_maps
#}

##
## Transparent proxy. To use it, add the word 'transparent' to the
## redir_mods line
## of your local (or any other) group description
##
#module	transparent {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
#	myport			3128
#}

##
## %h -			remote ip address
## %A -			local ip address
## %d -			ip address of source (peer or document server)
## %l -			remote logname from identd (not supported now)
## %U -			remote user (from 'Authorization' header)
## %u -			remote user (from proxy-auth)
## %{format}t -		time with optional {format} (for strftime)
## %t -			time with standard format %d/%b/%Y:%T %Z
## %r -			request line
## %s -			status code
## %b -			bytes received
## %{header}i -		value of header in request
## %m -			HIT/MISS
## %k -			hierarchy (DIRECT/NONE/...)
##
## the 'buffered' directive can be followed by the size of the buffer,
## like 'buffered 32000'
##
#module customlog {
#	path	/usr/local/oops/logs/access_custom1
#	format	"%h %l %u %t \"%r\" %>s %b"
#  squid httpd mode log emulation
#	format	"%h %u %l %t \"%r\" %s %b %m:%k"
#	buffered
#	path	/usr/local/oops/logs/access_custom2
#	format	"%h->%A %l %u [%t] \"%r\" %s %b \"%{User-Agent}i\""
#}

module	berkeley_db {
    ##
    #  dbhome - directory where all DB indexes reside. Use the full path;
    #	    this directory must exist.
    #  dbname - filename for the index file. Use just the filename (no full path)
    ##

	dbhome	/var/lib/oops/db
	dbname	dburl

    ##
    #  This parameter specifies the internal cache size of BerkeleyDB.
    #  Increase this parameter for best performance (if you have a lot of memory).
    #  For example:  db_cache_mem	64m
    #  Default and minimum value:	4m
    #
    #  This memory pool is not part of the memory pool specified by the mem_max parameter.
    #  WARNING: the amount of RAM used by oops will be increased by the value of
    #  this parameter.
    ##
    #db_cache_mem	4m

}

#module	gigabase_db {
#    This module enables GigaBASE as the database engine.
#    You can use berkeley_db or gigabase_db, not both.
#    Also, an important notice - indexes created with different modules
#    are not compatible.
#    ##
#    #  dbhome - directory where all DB indexes reside. Use full path
#    #	    this directory must exist.
#    #  dbname - filename for index file. Use just filename (no full path)
#    ##
#
#	dbhome	/var/lib/oops/db
#	dbname	gdburl
#
#    ##
#    #  This parameter specifies internal cache size of BerkeleyDB.
#    #  Increase this parameter for best performance (if you have a lot of memory).
#    #  For example:  db_cache_mem	64m
#    #  Default and minimum value:	4m
#    #
#    #  This memory pool is not part of memory pool, specified by mem_max parameter.
#    #  WARNING: the amount of RAM used by oops will be increased by the value of
#    #  this parameter.
#    ##
#    #db_cache_mem	4m
#
#}