1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
|
##
# nameservers. Use your own, not our.
##
nameserver 195.114.128.50
nameserver 193.219.193.130
##
# Ports and address to use for HTTP and ICP
##
#bind ip_addr|hostname
http_port 3128
icp_port 3130
##
## Change euid to that user
##
## WARNING: if you use 'userid, then you 'reconfigure will not be able to
## open new sockets on reserved (< 1024) ports and will not be able
## to return to original userid.
##
userid squid
##
## Change root directory. If don't know exactly what are you doing -
## leave commented.
#chroot ???
##
# Logfile - just debug output
# When used in form 'filename [{N S}] [[un]buffered]'
# will be rotated automatically (up to N files up to S bytes in size)
##
logfile /var/log/oops/oops.log
#logfile /usr/oops/logs/oops.log { 3 1m } unbuffered
##
# Accesslog - the same as for squid. Re rotating - see note for logfile
##
accesslog /var/log/oops/oops.access
#accesslog /usr/oops/logs/access.log
##
# Pidfile. for kill -1 `cat oops.pid` and for locking.
##
pidfile /var/run/oops/oops.pid
##
# Statistics file - once per minute flush some statistics to this file
##
statistics /var/log/oops/oops_statfile
##
# icons - where to find link.gif, dir.gif, binary.gif and so on (for
# ftp lists). If omitted - name of running host will be used. But
# using explicit names is better way.
##
#icons-host ss5.paco.net
#icons-port 80
#icons-path icons
##
# When total object volume in memory grow over this (this mean
# that cachable data from network came faster then we can save on disk)
# drop objects (without attempt to save on disk).
##
mem_max 64m
##
# Hint, how much cached objects keep in memory.
# When total amount become larger then this limit - start
# swaping cachable objects to disk
##
lo_mark 8m
##
# start random early drop when number of clients reach some level.
# this can protect you against attacks and against situation when
# oops cant handle too much connections. By default - 0 (or no limits).
##
#start_red 0
##
# refuse any connection when number of already connected clients reach some
# level. By default - 0 (or no limits).
##
#refuse_at 0
##
# if document contain no Expires: then expire after (in days)
# ftp-expire-value - expire time for ftp (in days)
##
default-expire-value 7
ftp-expire-value 7
##
# Maximum expite time - doc will not keep in cache more then
# this number of days (except if defaiult-expire-value used for this documeny)
##
max-expire-value 30
##
# in which proportion time passed since last document modification
# will accounted in expire time. For example, if last-modified-factor=5
# and there was passed 10 days since document modification, then expiration
# will be setted to 2 days in future (but no nore then max-expire-value)
##
last-modified-factor 5
##
# If you want not cache replies without Last-Modified:
# uncomment next line.
##
#dont_cache_without_last_modified
# run expire every ( in hours )
##
default-expire-interval 1
##
# icp_timeout - how long to wait icp reply from peer (in ms, e.g 1000 = 1sec)
##
icp_timeout 1000
##
# start disk cache cleanup when free space will be (in %%)
# As on the very large storages 1% is large space (1% from 9G is
# 90M), then on such storages you can set both disk-low-free and
# disk-ok-free to 0. Oops will start cleanup if it have less then 256
# free blocks(1M), and stop when it reach 512 bree blocks(2M).
##
disk-low-free 3
##
# stop disk cache cleanup when free space will be (in %%)
##
disk-ok-free 5
##
# Force_http11 - turn on http/1.1 for each request to document server
# This option required if module 'vary' used.
##
force_http11
##
# Always check document freshness, even it is not stale or expired
# This force Oops behave like squid - first check cached doc, then send
##
#always_check_freshness
##
# If user-requestor aborted connection to proxy, but there was received more
# then some percent ot the document - then continue.
# default value - 75%
##
force_completion 75
##
# maximum size of the object we will cache
##
maxresident 1m
insert_x_forwarded_for yes
insert_via yes
##
# If host have several interfaces or aliases, use exactly
# this name when connecting to server:
##
#connect-from proxy.paco.net
##
# ACLs - currently: urlregex, urlpath, usercharset
# port, dstdom, dstdom_regex, src_ip, time
# each acl can be loaded from file.
##
#acl CACHEABLECGI urlregex http://www\.topping\.com\.ua/cgi-bin/pingstat\.cgi\?072199131826
#acl WWWPACO urlregex www\.paco\.net
#acl NO_RLH urlregex zipper
#acl REWRITEPORTS urlregex (www.job.ru|www.sale.ru)
#acl REWRITEHOSTS urlregex (www.asm.ru|zipper\.paco)
#acl WINUSER usercharset windows-1251
#acl DOSUSER usercharset ibm866
#acl UNIXUSER usercharset koi8-r
#acl RUS dstdom ru su
#acl UKR dstdom ua
#acl BADPORTS port [0:79],110,138,139,513,[6000:6010]
#acl BADDOMAIN dstdom baddomain1.com baddomain2.com
#acl BADDOMREGEX dstdom_regex baddomain\.((com)|(org))
#acl LOCAL_NETWORKS src_ip include:/etc/oops/acl_local_networks
#acl BADNETWORKS src_ip 192.168.10/24
#acl WORKTIME time Mon,Tue:Fri 0900:1800
#acl HTMLS content_type text/html
#acl USERS username joe
acl ADMINS src_ip 127.0.0.1
acl PURGE method PURGE
##
# acl_deny [!]ACL [!]ACL ...
# deny access for combined acl
##
acl_deny PURGE !ADMINS
##
# Never cache objects with URL, containing...
##
stop_cache ?
stop_cache cgi-bin
##
# stop_cache_acl [!]ACL [!]ACL ...
# Stop cache using ACL
##
#stop_cache_acl WWWPACO
##
# refresh_pattern ACLNAME min percent max
# 'min' and 'max' are limits between Expite time will be assigned
# Iff document have no expire: header and have Last-Modified: header
# we will use 'percent' to estimate how far in the future document will
# be expired.
##
#refresh_pattern CACHEABLECGI 20 50% 200
#refresh_pattern WWWPACO 0 0% 0
##
# bind_acl {hostname|ip} [!]ACL [!]ACL ...
# bind to given address when connecting to server
# if request match ACLNAME
##
#bind_acl outname1 RUS
#bind_acl outname2 UKR
##
# Always check document freshness, but now on acl basis.
# You can have several such lines.
## This example will force to check freshness only for html documents.
#always_check_freshness_acl HTMLS
##
# line 'parent ....' will force all connections (except to destinations
# in local-domain or local-networks) go through parent host
##
#parent proxy.paco.net 3128
##
# parent_auth login:password
# if your parent require login/password from your proxy
##
#parent_auth login:password
# ICP peer's
#peer proxy.paco.net 3128 3130 {
## ^^^ peer name ^http port ^icp port
## icp port can be 0, in which case we assume this is non-icp
## proxy. We assume that non-icp peer act like parent which
## answer MISS all th etime. If this peer refused connection
## then it goes down for 60 seconds - it doesn't take part in
## any peer-related decisions.
# sibling ;
## if this peer require login/password from your proxy
# my_auth my_login:my_password;
## we will send requests for these domains
# allow dstdomain * ;
## we will NOT send requests for these domains
# deny dstdomain * ;
## we will send only requests matched to this acl
# peer_access [!]ACL1 [!]ACL2
## if (and only if) peer is not icp-capable, then , in case of fail we
## leave failed peer alone for the down_timeout interval (in seconds).
## Then we will try again
# down_timeout 60 ;
#}
#peer proxy.gu.net 80 3130 {
# parent ;
# allow dstdomain * ;
# deny dstdomain paco.net odessa.ua ;
#}
##
# Never use "parent" when connecting to server in these domains
##
local-domain odessa.ua od.ua
local-domain odessa.net paco.net netsy.net netsy.com te.net.ua
local-networks 195.114.128/19 10/8 192.168/16
#
# Groups
#
group main {
##
# You can describe group ip adresses here, or using src_ip acl's
# with networks_acl directive.
# networks_acl always have higher preference (checked first) and
# are checked in the order of appearance.
# If host wil not fall in any networks_acl - we check in networks.
# networks are ordered by masklen - longest masks(most specific networks)
# are checked first.
##
#Next line enables redirection features and transparent proxying
redir_mods fastredir transparent;
#Change this next line to list the IP's of everyone in this group
networks 195.114.128/19 127/8 195.5.40.93/32 ;
# networks_acl LOCAL_NETWORKS !BAD_NETWORKS ;
badports [0:79],110,138,139,513,[6000:6010] ;
miss allow;
##
# denytime - when deny access to proxy server for this group
##
# denytime Sat,Sun 0642:1000
# denytime Mon,Thu:Fri,Sun 0900:2100
##
# Authentication modules for this group (seprated by space)
##
# auth_mods passwd_file;
##
# URL-Redirector (porno, ad. filtering) modules for this group (separate by
# space)
##
# redir_mods redir;
##
# limit whole group to 8Kbytes per sec
##
# bandwidth 8k;
##
# limit each host 8Kbytes per sec
##
# per_ip_bw 8k;
##
# limit connections number from each host
#
# per_ip_conn 8;
##
# limit request rate from this group (requests per second). This is crude,
# and must be used as last resort
##
# maxreqrate 100;
##
# icp acl ...
##
# icp {
# allow dstdomain * ;
# }
##
# http acl
##
http {
##
# http acls can be in form 'allow dstdomain domainname domainname ... domainname ;
# or in form 'allow dstdomain include:filename ;
# where filename - name of the file, which contain
# domainnames (one per line, # - comment line);
# the same rules for 'deny'
##
allow dstdomain * ;
}
}
group world {
networks 0/0;
badports [0:79],110,138,139,513,[6000:6010];
http {
deny dstdomain * ;
}
icp {
deny dstdomain * ;
}
}
##
# Storage section
# Change this for your own situation. Oops can work without
# storages (using only in-memory cache).
##
##
# Storage description (can be several)
# path - filename of storage. can be raw device (be carefull!)
# size - size (of storage file). Can be smthng like 100k or 200m or 4g
# Size used only durig format process (oops -z).
##
storage {
path /var/lib/oops/storage/oops_storage ;
# Size of the storage. Can be in bytes or 'auto'. Auto is
# usefull for pre-created storages or disk slices.
# NOTE: 'size auto' won't work for Linux on disk slices.
# To use large ( > 2G ) files run configure with --enable-large-files
size 100m ;
# You have to use 'offset' in the case your raw device (or slice)
# require that. For example if you use entire disk as storage
# under AIX and Soalris/Sparc - you have to skip first block
# which contain disk label (that is storage will start from
# next 512 sector.
# offset 512;
}
#storage {
# path /usr/oops/storages/oops_storage1 ;
# size 600m ;
#}
module lang {
default_charset eng
# Recode tables and other charset stuff
CharsetRecodeTable windows-1251 /etc/oops/tables/koi-win.tab
CharsetRecodeTable ISO-8859-5 /etc/oops/tables/koi-iso.tab
CharsetRecodeTable ibm866 /etc/oops/tables/koi-alt.tab
CharsetAgent windows-1251 AIR_Mosaic IWENG/1 MSIE WinMosaic (Windows (WinNT;
CharsetAgent windows-1251 (Win16; (Win95; (Win98; (16-bit) Opera/3.0
CharsetAgent ibm866 DosLynx Lynx2/OS/2
}
module err {
# error reporting module
# template
template /etc/oops/err_template.html
# Language to use when generate Error messages
lang eng
}
module passwd_file {
# password proxy-authentication module
#
# default realm, scheme and passwd file
# the only thing you really want to change is 'file' and 'template'
# you don't have to reconfigure oops if you only
# change content passwd file or template: oops authomatically
# reload file
realm oops
scheme Basic
file /etc/oops/passwd
template /etc/oops/auth_template.html
}
module passwd_pgsql {
# proxy authentication using postgresql
# "Ivan B. Yelnikov" <bahek@khspu.ru>
#
# host - host where database live,
# user,password - login and password for database access
# database - database name
# select - file with request body
# template - file with html doc which user will receive
# during authentication
scheme Basic
realm oops
host <host address/name>
user <database_user>
password <user_password>
database <database_name>
select /etc/oops/select.sql
template /etc/oops/auth_template.html
}
module passwd_mysql {
# proxy authentication usin mysql
# "Ivan B. Yelnikov" <bahek@khspu.ru>
#
# look passwd_pgsql description
#
scheme Basic
realm oops
host <host address/name>
user <database_user>
password <user_password>
database <database_name>
select /etc/oops/select.sql
template /etc/oops/auth_template.html
}
module redir {
# file - regex rules.
# each line consist of one or two fields (separated with white space)
# 1. regular expression
# 2. redirect-location
# if requested (by client) url match regex then
# if we have redirect-url then we send '302 Moved Temporary' to
# redirect-location
# if we have no redirect-location (i.e. we have no 2-nd field)
# then we send template.html (%R will be substituted by rule)
# or some default message if we have no template.
# you don't have to reconfigure oops each time
# you edit rules or template, they will be reloaded authomatically
file /etc/oops/redir_rules
template /etc/oops/redir_template.html
## mode control will redir rewrite url or send Location: header
## with new location. Values are 'rewrite' or 'bounce'
# mode rewrite
# This module can process requests which come on http_port
# and/or on different port. For example, you wish oops
# bind on two ports - 3128 and 3129, and all requests which come on
# port 3129 must pass through filters, and requests which come on port
# 3128 (common http_port) - not. Then you have to uncomment next line
# myport 3129
# which means exactly: bind oops to additional port 3129 and process
# requests which come on this port.
# myport can be in the next form:
# myport [{hostname|ip_addr}:]port
}
module oopsctl {
# path to oopsctl unix socket
socket_path /var/run/oops/oopsctl
# time to auto-refresh page (seconds)
html_refresh 300
}
##
## This module hadnle 'Vary' header - it was written to better support
## Russian Apache
##
module vary {
user-agent by_charset
accept-charset ignore
}
##
## WWW -accelerator. To use - add word accel to
## redir_mods line for
## the group 'world' description
## You will find more description of this module in supplied accel_maps file
##
#module accel {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
# myport 80
##
# allow access to proxy through accel module.
# Deny will stop proxy through accel completely, regardless
# of any other access rules
##
# proxy_requests deny
#
##
# File with maps and other config directives
# Checked once per minute. No need to restart oops if maps changed
##
# file /etc/oops/accel_maps
#}
##
## Transparent proxy. To use - add word 'transparent' into
## redir_mods line for your group.
## in the your local (or any other) group description
##
#module transparent {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
# myport 3128
#}
##
## %h - remote ip address
## %A - local ip address
## %d - ip address of source (peer or document server)
## %l - remote logname from identd (not suported now)
## %U - remote user (from 'Authorization' header)
## %u - remote user (from proxy-auth)
## %{format}t - time with optional {format} (for strftime)
## %t - time with standard format %d/%b/%Y:%T %Z
## %r - request line
## %s - status code
## %b - bytes received
## %{header}i - value of header in request
## %m - HIT/MISS
## %k - hierarchy (DIRECT/NONE/...)
##
## directive buffered can be followed by size of the buffer,
## like 'buffered 32000'
##
#module customlog {
# path /usr/local/oops/logs/access_custom1
# format "%h %l %u %t \"%r\" %>s %b"
# squid httpd mode log emulation
# format "%h %u %l %t \"%r\" %s %b %m:%k"
# buffered
# path /usr/local/oops/logs/access_custom2
# format "%h->%A %l %u [%t] \"%r\" %s %b \"%{User-Agent}i\""
#}
module berkeley_db {
##
# dbhome - directory where all DB indexes reside. Use full path
# this directory must exist.
# dbname - filename for index file. Use just filename (no full path)
##
dbhome /var/lib/oops/db
dbname dburl
##
# This parameter specifies internal cache size of BerkeleyDB.
# Increase this parameter for best performance (if you have a lot of memory).
# For example: db_cache_mem 64m
# Default and minimum value: 4m
#
# This memory pool is not part of memory pool, specified by mem_max parameter.
# WARNING: the amount of RAM used by oops will be increased by the value of
# this parameter.
##
#db_cache_mem 4m
}
#module gigabase_db {
# This module enable GigaBASE as database engine.
# You can use berkeley_db or gigabase_db, not both.
# Also, important notice - indexes created with different modules
# are not compatible.
# ##
# # dbhome - directory where all DB indexes reside. Use full path
# # this directory must exist.
# # dbname - filename for index file. Use just filename (no full path)
# ##
#
# dbhome /var/lib/oops/db
# dbname gdburl
#
# ##
# # This parameter specifies internal cache size of BerkeleyDB.
# # Increase this parameter for best performance (if you have a lot of memory).
# # For example: db_cache_mem 64m
# # Default and minimum value: 4m
# #
# # This memory pool is not part of memory pool, specified by mem_max parameter.
# # WARNING: the amount of RAM used by oops will be increased by the value of
# # this parameter.
# ##
# #db_cache_mem 4m
#
#}
|