������������. ��� ��� �������� ��������� ��������.
������� ������� ������ � ������ ��� ���, ����� ��������
������������ oops ������ 1.5.2 � berkeley_db ��� FreeBSD:
>uname -a
FreeBSD odin.astral.kiev.ua 3.5-STABLE FreeBSD 3.5-STABLE #4: Mon Dec 25 10:48:09 EET
2000 [EMAIL PROTECTED]:/usr/src/sys/compile/ODIN i386
>
�������� � ������� world. � ������, ��� ��� ������� �������� � �������,
�� �������������� � LOCAL_NETWORKS, �� ��������� �������� ���������
��������� � ���������, ��� ������ � ������ ��������. ������, oops
������� index.html � ���������� ��� �������.
�������� � networks 0/0 - ��������� ����������
group world {
networks_acl !LOCAL_NETWORKS;
badports [0:79],110,138,139,513,[6000:6010];
miss allow;
redir_mods redir;
http {
deny dstdomain * ;
}
icp {
deny dstdomain * ;
}
}
��� ������: ���� � ���� ����� ��� ������ (group1 � group2)
��� group1 networks 10/8 � allow dstdomain *
��� group2 networks 10.10.100/24 � allow dstdomain only.my.domain
����� �� ��� ��������?
������ ������ ����������� � ������.
--
Andrew Degtiariov
AD5898-RIPE
[EMAIL PROTECTED]
##
# nameservers. Use your own, not our.
##
nameserver 127.0.0.1
nameserver 193.41.4.2
##
# Ports and address to use for HTTP and ICP
##
#bind ip_addr|hostname
http_port 3128
icp_port 3130
##
## Change euid to that user
##
## WARNING: if you use 'userid, then you 'reconfigure will not be able to
## open new sockets on reserved (< 1024) ports and will not be able
## to return to original userid.
##
userid web
##
## Change root directory. If don't know exactly what are you doing -
## leave commented.
#chroot ???
##
# Logfile - just debug output
# When used in form 'filename [{N S}] [[un]buffered]'
# will be rotated automatically (up to N files up to S bytes in size)
##
#logfile /dev/tty
logfile /var/log/oops/oops.log { 3 1m } unbuffered
##
# Accesslog - the same as for squid. Re rotating - see note for logfile
##
#accesslog /dev/tty
accesslog /var/log/oops/access.log
##
# Pidfile. for kill -1 `cat oops.pid` and for locking.
##
pidfile /var/run/oops.pid
##
# Statistics file - once per minute flush some statistics to this file
##
statistics /var/log/oops/statfile
##
# icons - where to find link.gif, dir.gif, binary.gif and so on (for
# ftp lists). If omitted - name of running host will be used. But
# using explicit names is better way.
##
icons-host www.astral.kiev.ua
icons-port 80
icons-path icons
##
# When total object volume in memory grow over this (this mean
# that cachable data from network came faster then we can save on disk)
# drop objects (without attempt to save on disk).
##
mem_max 16m
##
# Hint, how much cached objects keep in memory.
# When total amount become larger then this limit - start
# swaping cachable objects to disk
##
lo_mark 8m
##
# start random early drop when number of clients reach some level.
# this can protect you against attacks and against situation when
# oops cant handle too much connections. By default - 0 (or no limits).
##
#start_red 0
##
# refuse any connection when number of already connected clients reach some
# level. By default - 0 (or no limits).
##
#refuse_at 0
##
# if document contain no Expires: then expire after (in days)
# ftp-expire-value - expire time for ftp (in days)
##
default-expire-value 9
ftp-expire-value 9
##
# Maximum expite time - doc will not keep in cache more then
# this number of days (except if defaiult-expire-value used for this documeny)
##
max-expire-value 30
##
# in which proportion time passed since last document modification
# will accounted in expire time. For example, if last-modified-factor=5
# and there was passed 10 days since document modification, then expiration
# will be setted to 2 days in future (but no nore then max-expire-value)
##
last-modified-factor 5
##
# If you want not cache replies without Last-Modified:
# uncomment next line.
##
#dont_cache_without_last_modified
# run expire every ( in hours )
##
default-expire-interval 1
##
# icp_timeout - how long to wait icp reply from peer (in ms, e.g 1000 = 1sec)
##
icp_timeout 500
##
# start disk cache cleanup when free space will be (in %%)
# As on the very large storages 1% is large space (1% from 9G is
# 90M), then on such storages you can set both disk-low-free and
# disk-ok-free to 0. Oops will start cleanup if it have less then 256
# free blocks(1M), and stop when it reach 512 bree blocks(2M).
##
disk-low-free 3
##
# stop disk cache cleanup when free space will be (in %%)
##
disk-ok-free 5
##
# Force_http11 - turn on http/1.1 for each request to document server
# This option required if module 'vary' used.
##
force_http11
##
# Always check document freshness, even it is not stale or expired
# This force Oops behave like squid - first check cached doc, then send
##
always_check_freshness
##
# If user-requestor aborted connection to proxy, but there was received more
# then some percent ot the document - then continue.
# default value - 75%
##
force_completion 90
##
# maximum size of the object we will cache
##
maxresident 6m
insert_x_forwarded_for yes
insert_via yes
##
# If host have several interfaces or aliases, use exactly
# this name when connecting to server:
##
connect-from proxy1.astral.kiev.ua
##
# ACLs - currently: urlregex, urlpath, usercharset
# port, dstdom, dstdom_regex, src_ip, time
# each acl can be loaded from file.
##
#acl CACHEABLECGI urlregex
http://www\.topping\.com\.ua/cgi-bin/pingstat\.cgi\?072199131826
#acl WWWPACO urlregex www\.paco\.net
#acl NO_RLH urlregex zipper
#acl REWRITEPORTS urlregex (www.job.ru|www.sale.ru)
#acl REWRITEHOSTS urlregex (www.asm.ru|zipper\.paco)
#acl WINUSER usercharset windows-1251
#acl DOSUSER usercharset ibm866
#acl UNIXUSER usercharset koi8-r
#acl RUS dstdom ru su
#acl UKR dstdom ua
#acl BADPORTS port [0:79],110,138,139,513,[6000:6010]
#acl BADDOMAIN dstdom baddomain1.com baddomain2.com
#acl BADDOMREGEX dstdom_regex baddomain\.((com)|(org))
#acl LOCAL_NETWORKS src_ip include:/usr/local/oops/acl_local_networks
#acl BADNETWORKS src_ip 192.168.10/24
#acl WORKTIME time Mon,Tue:Fri 0900:1800
acl ADMINS src_ip 127.0.0.1
acl PURGE method PURGE
acl ALL dst_ip 0/0
##
# acl_deny [!]ACL [!]ACL ...
# deny access for combined acl
##
acl_deny PURGE !ADMINS
acl LOCAL_NETWORKS src_ip include:/usr/local/oops/acl_local_networks
#acl_deny ALL !LOCAL_NETWORKS
##
# Never cache objects with URL, containing...
##
stop_cache ?
stop_cache cgi-bin
##
# stop_cache_acl [!]ACL [!]ACL ...
# Stop cache using ACL
##
#stop_cache_acl WWWPACO
##
# refresh_pattern ACLNAME min percent max
##
#refresh_pattern CACHEABLECGI 20 50% 200
#refresh_pattern WWWPACO 0 0% 0
##
# bind_acl {hostname|ip} [!]ACL [!]ACL ...
# bind to given address when connecting to server
# if request match ACLNAME
##
#bind_acl outname1 RUS
#bind_acl outname2 UKR
##
# line 'parent ....' will force all connections (except to destinations
# in local-domain or local-networks) go through parent host
##
#parent proxy.astral.kiev.ua 3128
peer proxy.astral.kiev.ua 3128 3130 {
parent ;
# sibling ;
## if this peer require login/password from your proxy
# my_auth my_login:my_password;
## we will send requests for these domains
allow dstdomain * ;
## we will NOT send requests for these domains
## deny dstdomain * ;
}
# ICP peer's
#peer proxy.paco.net 3128 3130 {
# sibling ;
## we will send requests for these domains
# allow dstdomain * ;
## we will NOT send requests for these domains
## deny dstdomain * ;
#}
#peer proxy.gu.net 80 3130 {
# parent ;
# allow dstdomain * ;
# deny dstdomain paco.net odessa.ua ;
#}
##
# Never use "parent" when connecting to server in these domains
##
local-domain astral.kiev.ua astral.carrier.kiev.ua
local-networks 193.41.4.0/23 10/8 192.168/16
#
# Groups
#
group astral {
# networks 193.41.4.0/23 192.168/16;
networks_acl LOCAL_NETWORKS;
badports [0:79],110,138,139,513,[6000:6010];
miss allow;
# bandwidth 2k;
redir_mods redir transparent;
# redir_mods accel redir;
http {
allow dstdomain * ;
}
icp {
allow dstdomain * ;
}
}
group guest {
networks 10.10.99/24;
#badports [0:79],[81-65536];
miss allow;
redir_mods redir transparent;
http {
allow dstdomain astral.kiev.ua;
allow dstdomain astral.com.ua;
allow dstdomain astral-on.com;
#allow dstdomain *;
#deny dstdomain *;
}
icp {
allow dstdomain astral.kiev.ua;
allow dstdomain astral.com.ua;
allow dstdomain astral-on.com;
#deny dstdomain *;
}
}
#group paco {
##
# You can describe group ip adresses here, or using src_ip acl's
# with networks_acl directive.
# networks_acl always have higher preference (checked first) and
# are checked in the order of appearance.
# If host wil not fall in any networks_acl - we check in networks.
# networks are ordered by masklen - longest masks(most specific networks)
# are checked first.
##
# networks 195.114.128/19 127/8 195.5.40.93/32 ;
# networks_acl LOCAL_NETWORKS !BAD_NETWORKS ;
# badports [0:79],110,138,139,513,[6000:6010] ;
# miss allow;
##
# denytime - when deny access to proxy server for this group
##
# denytime Sat,Sun 0642:1000
# denytime Mon,Thu:Fri,Sun 0900:2100
##
# Authentication modules for this group (seprated by space)
##
# auth_mods passwd_file;
##
# URL-Redirector (porno, ad. filtering) modules for this group (separate by
# space)
##
# redir_mods redir;
##
# limit whole group to 8Kbytes per sec
##
# bandwidth 8k;
##
# limit request rate from this group (requests per second). This is crude,
# and must be used as last resort
##
# maxreqrate 100;
##
# icp acl ...
##
# icp {
# allow dstdomain * ;
# }
##
# http acl
##
# http {
##
# http acls can be in form 'allow dstdomain domainname domainname ... domainname ;
# or in form 'allow dstdomain include:filename ;
# where filename - name of the file, which contain
# domainnames (one per line, # - comment line);
# the same rules for 'deny'
##
# allow dstdomain * ;
# }
#}
group world {
# networks 0/0;
networks_acl !LOCAL_NETWORKS;
badports [0:79],110,138,139,513,[6000:6010];
miss allow;
redir_mods redir;
http {
deny dstdomain * ;
}
icp {
deny dstdomain * ;
}
}
##
# Storage section
# Change this for your own situation. Oops can work without
# storages (using only in-memory cache).
##
##
# dbhome - directory where all DB indexes reside. Use full path
# this directory must exist.
# dbname - filename for index file. Use just filename (no full path)
##
#dbhome /var/spool/oops/DB
#dbname dburl
##
# Storage description (can be several)
# path - filename of storage. can be raw device (be carefull!)
# size - size (of storage file). Can be smthng like 100k or 200m or 4g
# Size used only durig format process (oops -z).
##
storage {
# path /var/oops/storages/oops_storage ;
path /var/spool/oops/storages/oops_storage ;
# Size of the storage. Can be in bytes or 'auto'. Auto is
# usefull for pre-created storages or disk slices.
# NOTE: 'size auto' won't work for Linux on disk slices.
# To use large ( > 2G ) files run configure with --enable-large-files
size 1000m ;
# You have to use 'offset' in the case your raw device (or slice)
# require that. For example if you use entire disk as storage
# under AIX and Soalris/Sparc - you have to skip first block
# which contain disk label (that is storage will start from
# next 512 sector.
# offset 512;
}
#storage {
# path /usr/local/oops/storages/oops_storage1 ;
# size 600m ;
#}
module lang {
default_charset koi8-r
# Recode tables and other charset stuff
CharsetRecodeTable windows-1251 /usr/local/oops/tables/koi-win.tab
CharsetRecodeTable ISO-8859-5 /usr/local/oops/tables/koi-iso.tab
CharsetRecodeTable ibm866 /usr/local/oops/tables/koi-alt.tab
CharsetAgent windows-1251 AIR_Mosaic IWENG/1 MSIE WinMosaic (Windows (WinNT;
CharsetAgent windows-1251 (Win16; (Win95; (Win98; (16-bit) Opera/3.0
CharsetAgent ibm866 DosLynx Lynx2/OS/2
}
module err {
# error reporting module
# template
template /usr/local/oops/err_template.html
# Language to use when generate Error messages
lang ru
}
#module passwd_file {
# password proxy-authentication module
#
# default realm, scheme and passwd file
# the only thing you really want to change is 'file' and 'template'
# you don't have to reconfigure oops if you only
# change content passwd file or template: oops authomatically
# reload file
# realm oops
# scheme Basic
# file /usr/local/oops/passwd
# template /usr/local/oops/auth_template.html
#}
module redir {
# file - regex rules.
# each line consist of one or two fields (separated with white space)
# 1. regular expression
# 2. redirect-location
# if requested (by client) url match regex then
# if we have redirect-url then we send '302 Moved Temporary' to
# redirect-location
# if we have no redirect-location (i.e. we have no 2-nd field)
# then we send template.html (%R will be substituted by rule)
# or some default message if we have no template.
# you don't have to reconfigure oops each time
# you edit rules or template, they will be reloaded authomatically
file /usr/local/oops/redir_rules
template /usr/local/oops/empty1x1.gif
# This module can process requests which come on http_port
# and/or on different port. For example, you wish oops
# bind on two ports - 3128 and 3129, and all requests which come on
# port 3129 must pass through filters, and requests which come on port
# 3128 (common http_port) - not. Then you have to uncomment next line
# myport 3129
# which means exactly: bind oops to additional port 3129 and process
# requests which come on this port.
# myport can be in the next form:
# myport [{hostname|ip_addr}:]port
}
module oopsctl {
# path to oopsctl unix socket
socket_path /var/log/oops/oopsctl
# time to auto-refresh page (seconds)
html_refresh 300
}
##
## This module hadnle 'Vary' header - it was written to better support
## Russian Apache
##
module vary {
user-agent by_charset
accept-charset ignore
}
##
## WWW -accelerator. To use - add word accel to
## redir_mods line for
## the group 'world' description
## You will find more description of this module in supplied accel_maps file
##
#module accel {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
# myport 8000
##
# allow access to proxy through accel module.
# Deny will stop proxy through accel completely, regardless
# of any other access rules
##
# proxy_requests deny
# proxy_requests allow
#
##
# File with maps and other config directives
# Checked once per minute. No need to restart oops if maps changed
##
# file /usr/local/oops/accel_maps
#}
##
## Transparent proxy. To use - add word 'transparent' into
## redir_mods line for your group.
## in the your local (or any other) group description
##
module transparent {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
myport 3128
}
##
## %h - remote ip address
## %A - local ip address
## %l - remote logname from identd (not suported now)
## %u - remote user (from auth)
## %{format}t - time with optional {format} (for strftime)
## %t - time with standard format %d/%b/%Y:%T %Z
## %r - request line
## %s - status code
## %b - bytes received
## %{header}i - value of header in request
## %m - HIT/MISS
## %k - hierarchy (DIRECT/NONE/...)
##
## directive buffered can be followed by size of the buffer,
## like 'buffered 32000'
##
#module customlog {
# path /usr/local/oops/logs/access_custom1
# format "%h %l %u %t \"%r\" %>s %b"
# squid httpd mode log emulation
# format "%h %u %l %t \"%r\" %s %b %m:%k"
# buffered
# path /usr/local/oops/logs/access_custom2
# format "%h->%A %l %u [%t] \"%r\" %s %b \"%{User-Agent}i\""
#}
module berkeley_db {
##
# dbhome - directory where all DB indexes reside. Use full path
# this directory must exist.
# dbname - filename for index file. Use just filename (no full path)
##
dbhome /var/spool/oops/DB
dbname dburl
##
# This parameter specifies internal cache size of BerkeleyDB.
# Increase this parameter for best performance (if you have a lot of memory).
# For example: db_cache_mem 64m
# Default and minimum value: 4m
#
# This memory pool is not part of memory pool, specified by mem_max parameter.
# WARNING: the amount of RAM used by oops will be increased by the value of
# this parameter.
##
db_cache_mem 6m
}
#module gigabase_db {
# This module enable GigaBASE as database engine.
# You can use berkeley_db or gigabase_db, not both.
# Also, important notice - indexes created with different modules
# are not compatible.
# dbhome /var/spool/oops/DB
# dbname gdburl
#
#}