## # nameservers. Multiple nameserver entries are allowed. ## nameserver 127.0.0.1 ## # Ports and address to use for HTTP and ICP ## #bind ip_addr|hostname http_port 3128 icp_port 3130 ## ## Change euid to that user ## ## WARNING: if you use userid, then you will not be able to open new sockets on ## reserved (< 1024) ports and will not be able to return to original userid. ## userid oops ## ## Change root directory. If don't know exactly what are you doing - ## leave commented. #chroot ??? ## # Logfile - just debug output # When used in form 'filename [{N S}] [[un]buffered]' # will be rotated automatically (up to N files up to S bytes in size) ## logfile /var/log/oops/oops.log #logfile /usr/oops/logs/oops.log { 3 1m } unbuffered ## # Accesslog - the same as for squid. Re rotating - see note for logfile ## accesslog /var/log/oops/oops.access #accesslog /usr/oops/logs/access.log ## # Pidfile. for kill -1 `cat oops.pid` and for locking. ## pidfile /var/run/oops/oops.pid ## # Statistics file - once per minute flush some statistics to this file ## statistics /var/log/oops/oops_statfile ## # icons - where to find link.gif, dir.gif, binary.gif and so on (for # ftp lists). If omitted - name of running host will be used. But # using explicit names is better way. ## #icons-host ss5.paco.net #icons-port 80 #icons-path icons ## # When total object volume in memory grow over this (this mean # that cachable data from network came faster then we can save on disk) # drop objects (without attempt to save on disk). ## mem_max 64m ## # Hint, how much cached objects keep in memory. # When total amount become larger then this limit - start # swaping cachable objects to disk ## lo_mark 8m ## # start random early drop when number of clients reach some level. # this can protect you against attacks and against situation when # oops cant handle too much connections. By default - 0 (or no limits). ## #start_red 0 ## # refuse any connection when number of already connected clients reach some # level. By default - 0 (or no limits). ## #refuse_at 0 ## # if document contain no Expires: then expire after (in days) # ftp-expire-value - expire time for ftp (in days) ## default-expire-value 7 ftp-expire-value 7 ## # Maximum expite time - doc will not keep in cache more then # this number of days (except if defaiult-expire-value used for this documeny) ## max-expire-value 30 ## # in which proportion time passed since last document modification # will accounted in expire time. For example, if last-modified-factor=5 # and there was passed 10 days since document modification, then expiration # will be setted to 2 days in future (but no nore then max-expire-value) ## last-modified-factor 5 ## # If you want not cache replies without Last-Modified: # uncomment next line. ## #dont_cache_without_last_modified # run expire every ( in hours ) ## default-expire-interval 1 ## # icp_timeout - how long to wait icp reply from peer (in ms, e.g 1000 = 1sec) ## icp_timeout 1000 ## # start disk cache cleanup when free space will be (in %%) # As on the very large storages 1% is large space (1% from 9G is # 90M), then on such storages you can set both disk-low-free and # disk-ok-free to 0. Oops will start cleanup if it have less then 256 # free blocks(1M), and stop when it reach 512 bree blocks(2M). ## disk-low-free 3 ## # stop disk cache cleanup when free space will be (in %%) ## disk-ok-free 5 ## # Force_http11 - turn on http/1.1 for each request to document server # This option required if module 'vary' used. ## force_http11 ## # Always check document freshness, even it is not stale or expired # This force Oops behave like squid - first check cached doc, then send ## #always_check_freshness ## # If user-requestor aborted connection to proxy, but there was received more # then some percent ot the document - then continue. # default value - 75% ## force_completion 75 ## # maximum size of the object we will cache ## maxresident 1m insert_x_forwarded_for yes insert_via yes ## # If host have several interfaces or aliases, use exactly # this name when connecting to server: ## #connect-from proxy.paco.net ## # ACLs - currently: urlregex, urlpath, usercharset # port, dstdom, dstdom_regex, src_ip, time # each acl can be loaded from file. ## #acl CACHEABLECGI urlregex http://www\.topping\.com\.ua/cgi-bin/pingstat\.cgi\?072199131826 #acl WWWPACO urlregex www\.paco\.net #acl NO_RLH urlregex zipper #acl REWRITEPORTS urlregex (www.job.ru|www.sale.ru) #acl REWRITEHOSTS urlregex (www.asm.ru|zipper\.paco) #acl WINUSER usercharset windows-1251 #acl DOSUSER usercharset ibm866 #acl UNIXUSER usercharset koi8-r #acl RUS dstdom ru su #acl UKR dstdom ua #acl BADPORTS port [0:79],110,138,139,513,[6000:6010] #acl BADDOMAIN dstdom baddomain1.com baddomain2.com #acl BADDOMREGEX dstdom_regex baddomain\.((com)|(org)) #acl LOCAL_NETWORKS src_ip include:/etc/oops/acl_local_networks #acl BADNETWORKS src_ip 192.168.10/24 #acl WORKTIME time Mon,Tue:Fri 0900:1800 #acl HTMLS content_type text/html #acl USERS username joe acl ADMINS src_ip 127.0.0.1 acl PURGE method PURGE ## # acl_deny [!]ACL [!]ACL ... # deny access for combined acl ## acl_deny PURGE !ADMINS ## # Never cache objects with URL, containing... ## stop_cache ? stop_cache cgi-bin ## # stop_cache_acl [!]ACL [!]ACL ... # Stop cache using ACL ## #stop_cache_acl WWWPACO ## # refresh_pattern ACLNAME min percent max # 'min' and 'max' are limits between Expite time will be assigned # Iff document have no expire: header and have Last-Modified: header # we will use 'percent' to estimate how far in the future document will # be expired. ## #refresh_pattern CACHEABLECGI 20 50% 200 #refresh_pattern WWWPACO 0 0% 0 ## # bind_acl {hostname|ip} [!]ACL [!]ACL ... # bind to given address when connecting to server # if request match ACLNAME ## #bind_acl outname1 RUS #bind_acl outname2 UKR ## # Always check document freshness, but now on acl basis. # You can have several such lines. ## This example will force to check freshness only for html documents. #always_check_freshness_acl HTMLS ## # line 'parent ....' will force all connections (except to destinations # in local-domain or local-networks) go through parent host ## #parent proxy.paco.net 3128 ## # parent_auth login:password # if your parent require login/password from your proxy ## #parent_auth login:password # ICP peer's #peer proxy.paco.net 3128 3130 { ## ^^^ peer name ^http port ^icp port ## icp port can be 0, in which case we assume this is non-icp ## proxy. We assume that non-icp peer act like parent which ## answer MISS all th etime. If this peer refused connection ## then it goes down for 60 seconds - it doesn't take part in ## any peer-related decisions. # sibling ; ## if this peer require login/password from your proxy # my_auth my_login:my_password; ## we will send requests for these domains # allow dstdomain * ; ## we will NOT send requests for these domains # deny dstdomain * ; ## we will send only requests matched to this acl # peer_access [!]ACL1 [!]ACL2 ## if (and only if) peer is not icp-capable, then , in case of fail we ## leave failed peer alone for the down_timeout interval (in seconds). ## Then we will try again # down_timeout 60 ; #} #peer proxy.gu.net 80 3130 { # parent ; # allow dstdomain * ; # deny dstdomain paco.net odessa.ua ; #} ## # Never use "parent" when connecting to server in these domains ## local-domain odessa.ua od.ua local-domain odessa.net paco.net netsy.net netsy.com te.net.ua local-networks 195.114.128/19 10/8 192.168/16 # # Groups # group main { ## # You can describe group ip adresses here, or using src_ip acl's # with networks_acl directive. # networks_acl always have higher preference (checked first) and # are checked in the order of appearance. # If host wil not fall in any networks_acl - we check in networks. # networks are ordered by masklen - longest masks(most specific networks) # are checked first. ## #Next line enables redirection features and transparent proxying redir_mods fastredir transparent; #Change this next line to list the IP's of everyone in this group networks 195.114.128/19 127/8 195.5.40.93/32 ; # networks_acl LOCAL_NETWORKS !BAD_NETWORKS ; badports [0:79],110,138,139,513,[6000:6010] ; miss allow; ## # denytime - when deny access to proxy server for this group ## # denytime Sat,Sun 0642:1000 # denytime Mon,Thu:Fri,Sun 0900:2100 ## # Authentication modules for this group (seprated by space) ## # auth_mods passwd_file; ## # URL-Redirector (porno, ad. filtering) modules for this group (separate by # space) ## # redir_mods redir; ## # limit whole group to 8Kbytes per sec ## # bandwidth 8k; ## # limit each host 8Kbytes per sec ## # per_ip_bw 8k; ## # limit connections number from each host # # per_ip_conn 8; ## # limit request rate from this group (requests per second). This is crude, # and must be used as last resort ## # maxreqrate 100; ## # icp acl ... ## # icp { # allow dstdomain * ; # } ## # http acl ## http { ## # http acls can be in form 'allow dstdomain domainname domainname ... domainname ; # or in form 'allow dstdomain include:filename ; # where filename - name of the file, which contain # domainnames (one per line, # - comment line); # the same rules for 'deny' ## allow dstdomain * ; } } group world { networks 0/0; badports [0:79],110,138,139,513,[6000:6010]; http { deny dstdomain * ; } icp { deny dstdomain * ; } } ## # Storage section # Change this for your own situation. Oops can work without # storages (using only in-memory cache). ## ## # Storage description (can be several) # path - filename of storage. can be raw device (be carefull!) # size - size (of storage file). Can be smthng like 100k or 200m or 4g # Size used only durig format process (oops -z). ## storage { path /var/lib/oops/storage/oops_storage ; # Size of the storage. Can be in bytes or 'auto'. Auto is # usefull for pre-created storages or disk slices. # NOTE: 'size auto' won't work for Linux on disk slices. # To use large ( > 2G ) files run configure with --enable-large-files size 100m ; # You have to use 'offset' in the case your raw device (or slice) # require that. For example if you use entire disk as storage # under AIX and Soalris/Sparc - you have to skip first block # which contain disk label (that is storage will start from # next 512 sector. # offset 512; } #storage { # path /usr/oops/storages/oops_storage1 ; # size 600m ; #} module lang { default_charset eng # Recode tables and other charset stuff CharsetRecodeTable windows-1251 /etc/oops/tables/koi-win.tab CharsetRecodeTable ISO-8859-5 /etc/oops/tables/koi-iso.tab CharsetRecodeTable ibm866 /etc/oops/tables/koi-alt.tab CharsetAgent windows-1251 AIR_Mosaic IWENG/1 MSIE WinMosaic (Windows (WinNT; CharsetAgent windows-1251 (Win16; (Win95; (Win98; (16-bit) Opera/3.0 CharsetAgent ibm866 DosLynx Lynx2/OS/2 } module err { # error reporting module # template template /etc/oops/err_template.html # Language to use when generate Error messages lang eng } module passwd_file { # password proxy-authentication module # # default realm, scheme and passwd file # the only thing you really want to change is 'file' and 'template' # you don't have to reconfigure oops if you only # change content passwd file or template: oops authomatically # reload file realm oops scheme Basic file /etc/oops/passwd template /etc/oops/auth_template.html } module passwd_pgsql { # proxy authentication using postgresql # "Ivan B. Yelnikov" # # host - host where database live, # user,password - login and password for database access # database - database name # select - file with request body # template - file with html doc which user will receive # during authentication scheme Basic realm oops host user password database select /etc/oops/select.sql template /etc/oops/auth_template.html } module passwd_mysql { # proxy authentication usin mysql # "Ivan B. Yelnikov" # # look passwd_pgsql description # scheme Basic realm oops host user password database select /etc/oops/select.sql template /etc/oops/auth_template.html } module redir { # file - regex rules. # each line consist of one or two fields (separated with white space) # 1. regular expression # 2. redirect-location # if requested (by client) url match regex then # if we have redirect-url then we send '302 Moved Temporary' to # redirect-location # if we have no redirect-location (i.e. we have no 2-nd field) # then we send template.html (%R will be substituted by rule) # or some default message if we have no template. # you don't have to reconfigure oops each time # you edit rules or template, they will be reloaded authomatically file /etc/oops/redir_rules template /etc/oops/redir_template.html ## mode control will redir rewrite url or send Location: header ## with new location. Values are 'rewrite' or 'bounce' # mode rewrite # This module can process requests which come on http_port # and/or on different port. For example, you wish oops # bind on two ports - 3128 and 3129, and all requests which come on # port 3129 must pass through filters, and requests which come on port # 3128 (common http_port) - not. Then you have to uncomment next line # myport 3129 # which means exactly: bind oops to additional port 3129 and process # requests which come on this port. # myport can be in the next form: # myport [{hostname|ip_addr}:]port } module oopsctl { # path to oopsctl unix socket socket_path /var/run/oops/oopsctl # time to auto-refresh page (seconds) html_refresh 300 } ## ## This module hadnle 'Vary' header - it was written to better support ## Russian Apache ## module vary { user-agent by_charset accept-charset ignore } ## ## WWW -accelerator. To use - add word accel to ## redir_mods line for ## the group 'world' description ## You will find more description of this module in supplied accel_maps file ## #module accel { # myport can have next form: # myport [{hostname|ip_addr}:]port ... # myport 80 ## # allow access to proxy through accel module. # Deny will stop proxy through accel completely, regardless # of any other access rules ## # proxy_requests deny # ## # File with maps and other config directives # Checked once per minute. No need to restart oops if maps changed ## # file /etc/oops/accel_maps #} ## ## Transparent proxy. To use - add word 'transparent' into ## redir_mods line for your group. ## in the your local (or any other) group description ## #module transparent { # myport can have next form: # myport [{hostname|ip_addr}:]port ... # myport 3128 #} ## ## %h - remote ip address ## %A - local ip address ## %d - ip address of source (peer or document server) ## %l - remote logname from identd (not suported now) ## %U - remote user (from 'Authorization' header) ## %u - remote user (from proxy-auth) ## %{format}t - time with optional {format} (for strftime) ## %t - time with standard format %d/%b/%Y:%T %Z ## %r - request line ## %s - status code ## %b - bytes received ## %{header}i - value of header in request ## %m - HIT/MISS ## %k - hierarchy (DIRECT/NONE/...) ## ## directive buffered can be followed by size of the buffer, ## like 'buffered 32000' ## #module customlog { # path /usr/local/oops/logs/access_custom1 # format "%h %l %u %t \"%r\" %>s %b" # squid httpd mode log emulation # format "%h %u %l %t \"%r\" %s %b %m:%k" # buffered # path /usr/local/oops/logs/access_custom2 # format "%h->%A %l %u [%t] \"%r\" %s %b \"%{User-Agent}i\"" #} module berkeley_db { ## # dbhome - directory where all DB indexes reside. Use full path # this directory must exist. # dbname - filename for index file. Use just filename (no full path) ## dbhome /var/lib/oops/db dbname dburl ## # This parameter specifies internal cache size of BerkeleyDB. # Increase this parameter for best performance (if you have a lot of memory). # For example: db_cache_mem 64m # Default and minimum value: 4m # # This memory pool is not part of memory pool, specified by mem_max parameter. # WARNING: the amount of RAM used by oops will be increased by the value of # this parameter. ## #db_cache_mem 4m } #module gigabase_db { # This module enable GigaBASE as database engine. # You can use berkeley_db or gigabase_db, not both. # Also, important notice - indexes created with different modules # are not compatible. # ## # # dbhome - directory where all DB indexes reside. Use full path # # this directory must exist. # # dbname - filename for index file. Use just filename (no full path) # ## # # dbhome /var/lib/oops/db # dbname gdburl # # ## # # This parameter specifies internal cache size of BerkeleyDB. # # Increase this parameter for best performance (if you have a lot of memory). # # For example: db_cache_mem 64m # # Default and minimum value: 4m # # # # This memory pool is not part of memory pool, specified by mem_max parameter. # # WARNING: the amount of RAM used by oops will be increased by the value of # # this parameter. # ## # #db_cache_mem 4m # #}