NAME
ffproxy.quick — filtering HTTP/HTTPS proxy server quick introduction
DESCRIPTION
ffproxy is a filtering HTTP/HTTPS proxy server. It is able to filter by host,
URL, and header. Custom header entries can be filtered and added. It can also
drop its privileges and optionally chroot(2) to some directory. Logging to
syslog(3) is supported, as is using another auxiliary proxy server. An HTTP
accelerator feature (acting as a front-end to an HTTP server) is included.
Contacting IPv6 servers as well as binding to IPv6 is supported, which allows
transparent IPv6 over IPv4 browsing (and vice versa).
This manual describes how to set up a basic HTTP proxy installation. It is
assumed that you have already compiled the program or installed it via port or
package.
COPYING FILES
The program comes with default configuration files that contain both examples
and suggested entries. You can simply copy them to a directory of your choice.
This directory will become the program's working directory.

    mkdir /var/ffproxy
    tar cf - db/ html/ | ( cd /var/ffproxy ; tar xf - )
    cp sample.config /var/ffproxy/ffproxy.conf

The above example installs all needed files to /var/ffproxy, which is
ffproxy's default working directory.
SECURING
The proxy now has its own working directory. By default, ffproxy does not change
UID/GID after start. For security reasons we want to enable this. You have two
choices now: either use an existing UID/GID or add a custom UID/GID for ffproxy.
See adduser(8) or useradd(8), depending on your system, on how to create new
IDs.
Edit ffproxy.conf and change the lines containing uid and gid:

    # change UID and GID
    #
    # to use, both uid and gid must be set
    # (disabled by default)
    #uid proxy
    #gid proxy
    uid _ffproxy
    gid _ffproxy

In addition to changing UID and GID, ffproxy should be executed change-rooted to
its working directory, so we change chroot_dir and db_files_path in the
configuration file:

    # change root to (only in connection with uid and gid change)
    # (disabled by default)
    chroot_dir /var/ffproxy
    # path to db/ and html/ directories
    # (default: /var/ffproxy)
    db_files_path .

db_files_path must be changed, too, since it is relative to the new root.
Finally, we copy /etc/resolv.conf into ffproxy's home directory to enable DNS
resolution inside the chroot, and chown /var/ffproxy so the proxy's master
process can write its PID file:

    mkdir /var/ffproxy/etc
    cp /etc/resolv.conf /var/ffproxy/etc/
    chmod 750 /var/ffproxy
    chown _ffproxy._ffproxy /var/ffproxy
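The following shell script is an added example and is not part of ffproxy or its manual: it checks a finished ffproxy.conf against the steps above (uid and gid both set, chroot_dir only together with them, db_files_path relative to the new root, etc/resolv.conf and db/ present inside the chroot) before the proxy is started. The function names check_ffproxy_conf and conf_value are my own and assume the "key value" line format shown in the snippets above.

```shell
#!/bin/sh
# Added example (not ffproxy's own code): sanity-check an ffproxy.conf
# against the SECURING steps before starting the proxy.
# Usage: check_ffproxy_conf /var/ffproxy/ffproxy.conf
# Exit status 0 when every check passes, 1 otherwise; one line per problem.

# conf_value FILE KEY -> prints the value of the last uncommented KEY line
# (a commented "#uid proxy" line has "#uid" as its first word and is skipped)
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

check_ffproxy_conf() {
    conf="$1"
    rc=0
    uid=$(conf_value "$conf" uid)
    gid=$(conf_value "$conf" gid)
    chroot_dir=$(conf_value "$conf" chroot_dir)
    db_path=$(conf_value "$conf" db_files_path)

    # privileges are only dropped when both uid and gid are set
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "uid/gid: both must be set, privileges are not dropped"; rc=1
    fi
    # chroot_dir only takes effect in connection with a uid/gid change
    if [ -n "$chroot_dir" ] && { [ -z "$uid" ] || [ -z "$gid" ]; }; then
        echo "chroot_dir: set, but uid/gid are missing"; rc=1
    fi
    if [ -n "$chroot_dir" ]; then
        # db_files_path is resolved relative to the new root, so the host
        # path /var/ffproxy does not exist once the proxy has chrooted
        case "$db_path" in
            /*) echo "db_files_path: must be relative to $chroot_dir"; rc=1 ;;
        esac
        # DNS inside the chroot needs the copied resolv.conf
        [ -f "$chroot_dir/etc/resolv.conf" ] ||
            { echo "missing $chroot_dir/etc/resolv.conf (no DNS in chroot)"; rc=1; }
        [ -d "$chroot_dir/db" ] || { echo "missing $chroot_dir/db"; rc=1; }
    fi
    return $rc
}
```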
ACCESS TO THE PROXY
By default, nobody is allowed to connect to ffproxy. Let's say we want to
provide LAN users with a filtering proxy to block malicious content coming from
the Internet. So the proxy has to listen on the local network interface only.
We change bind_ipv4 and bind_ipv6 appropriately in ffproxy.conf:

    bind_ipv4 martyr.burden.eu.org
    bind_ipv6 martyr.burden.eu.org

Additionally, we have to change db/access.ip. By, for example,
we allow 192.168.10.0/24 to use our proxy.
STARTING THE PROXY
The last step is starting ffproxy. Keep in mind that we run the program
change-rooted to /var/ffproxy, so file names are relative to the new root.

    cd /var/ffproxy ; /usr/local/bin/ffproxy -f ffproxy.conf

starts ffproxy. Now test whether it works correctly. If not, change ffproxy.conf
and/or read ffproxy(8) and ffproxy.conf(5).
ffproxy is not running as a daemon right now. If everything seems to work, simply
shut down the proxy by pressing CTRL-C, set `daemonize yes' in the
configuration file and start ffproxy again.
TRANSPARENT OPERATION
The proxy allows transparent operation, that is, HTTP traffic is redirected to
the proxy, which simulates an HTTP server so that users do not have to specify a
proxy server. This is also a way to force the use of a proxy server. To do that,
you will have to configure your NAT accordingly. On OpenBSD you'll want a line
like

    rdr on rl0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

in /etc/pf.conf. See your NAT's documentation for details on how to do this.
VERSION
This manual documents ffproxy 1.6 (2005-01-05).
SEE ALSO
ffproxy(8), ffproxy.conf(5), pf.conf(5)