# # Orenosp Secure Reverse Proxy Configuration # for version 1.2.2 or later # # ================== # Named Listen Ports # ================== # Define and name listen ports. # Listen ports are where orenosp accepts incoming connections. # you can set up to 8 ports. # proxy_listen_name = lis-ssl 0.0.0.0@443 https proxy_listen_name = lis-http 0.0.0.0@80 http # # -ssl_cli= # SSL profile to use for front (client) HTTPS connections. # The SSL profile must be of "server" peer type. # If not specified, a builtin server profile "svdflt" is used. # # -ip_allow="ap1,ap2,..." # -ip_deny="ap5,ap6,..." # -ip_order={ allow-deny | deny-allow } # These options control client's access to the listen port by their IP # addresses (IP-based Access Control). # These have the same meaning as their counterparts in proxy_authip_url # parameters, but these enforce IP access control on per-connection basis, # while proxy_authip_url are on per-request basis. Also IP address checking # is done before SSL negotiations, thereby thwarting SSL handshake DoS # attacks. # ==================== # Request Destinations # ==================== # Specify forwarding (reverse-proxying) rules. # Specify destination of requests # You can specify up to 256 rules. # # General syntax # proxy_pass_by = # # All specific syntaxes # proxy_pass_by = lis [options...] # proxy_pass_by = vhost [options...] # proxy_pass_by = url [options...] # # # -- Syntax-1 --- pass by listener #proxy_pass_by = lis [options...] # # This is to forward all requests received at listen port # to . # # requires a listen-port name defined in proxy_listen_name. # # requires either one of the following specifications: # 1) http://hostname[:port-number] # 2) hostname[:port-number] # 3) https://hostname[:port-number] # 4) lbgrp:// # # 2) is just a shorthand for 1). 3) is used to specifiy SSL connection # to the backend server. # 4) specifies a "load-balanced group" of hosts. See "Load Balancing". 
# # NOTE: When forwarding http to port 80 or https to 443, do not specify # the port number. # Also, you must use the canonical name of the backend HTTP server. # That is, even if your backend server runs on the same machine as Orenosp, # in most cases, you can't use "localhost". In simple cases, you can use # the machine's hostname. # e.g., # proxy_pass_by = lis lis-ssl http://www-pc # or # proxy_pass_by = lis lis-ssl http://localhost -hh=www-pc # You can also include username and password for HTTP basic authentication: # # http://username:password@hostname:port-number # # This auth info will supercede any HTTP basic auth info sent from the client. # # # --- options : general --- # # -hh= # This option is used to send a different hostname in Host: header. # if "_self_" is specified, forward Host: header as sent from client. # # -rq_hdr=":,:,..." # Add arbitrary headers to request headers set. # Do not put spaces around ":". # # -rs_hdr=":,:,..." # Add arbitrary headers to reponse headers set. # Do not put spaces around ":". # # --- options : pass by sub-rules --- # # -pass_by_ck="=" # Pass by sub-rule : by a cookie value # : cookie name # : cookie value pattern, can contain wild-card character (*) # See "Cookie-based Reverse Proxying" in guide_en.txt for an example. # # --- options : automatic content rewrite --- # # -rw_url={off|on|0|1|2} # Set this to "on" to enable maximal automatic URL rewriting. # "on" equals "2" in this version. # # If set to "1", enable URL Rewrite in HTML contents. # # Specifically, Orenosp internally creates the following rewrite filter and # inserts it onto the top of the request's filter chain: # # mod_filt_rwt rwtype=simple mtype=text/html -- -hname=1 # # With the following rewrite rule: # # ://=:// # # This will handle most internal link issues when reverse-proxying # a single-host application. # # If set to "2", CSS files are also subjected to URL rewriting. 
# # mod_filt_rwt rwtype=simple mtype=text/html,text/css -- -hname=1 # # # --- options : automatic WebDAV request/response body rewrite --- # # -rw_dav={0|1} # if set to 1, enable URL Rewrite in WebDAV bodies # # # --- options : cookie translation --- # # -ck_path="=,=,..." # Cookie path translation: # If backend sends a Set-Cookie with its path attribute equal to , # the proxy changes the path attribute to . # Note that this translation is not applied to Orenosp-generated cookies, # only to backend-generated cookies. # # -ck_dom= # Cookie domain replace: # If backend sends a Set-Cookie with domain attribute set, replace value of # domain attribute with . # If this option is not set, the default behavior is to drop domain # attribute altogether. # Note that this translation is not applied to Orenosp-generated cookies, # only to backend-generated cookies. # Example: # -ck_dom=.example.com # # -ck_domain="=" NOT IMPLEMENTED YET # Cookie domain translation: # if backend sends a Set-Cookie with domain attribute set, translate # backend-set domain name to the specified domain name. # Note that this translation is not applied to Orenosp-generated cookies, # only to backend-generated cookies. # For a valid domain name, refer to the cooke spec: # http://wp.netscape.com/newsref/std/cookie_spec.html # Hint: a domain must have at least two or three periods in it. # # --- options : SSL --- # # -ssl_orig= # SSL profile to use for HTTPS connections to backend server. # The SSL profile must be of "client" peer type. # If not specified, a builtin client profile "cldflt" is used. # # # -- Syntax-2 -- pass by vhost #proxy_pass_by = vhost [options...] # # This is to forward all requests destined for # to . # # is a hostname given in request's Host: header. # If you use standard port number for either http or https, you specify # a hostname only. If you use non-standard port number, you have to specify # hostname:port-number. 
For example, if your external URL is # http://www.example.com:8888/ then, you must specify # "vhost www.example.com:8888 <...>". # You can specify '*' wildcard characters in . # # and all options are the same as in Syntax-1. # # # -- Syntax-3 -- pass by url # proxy_pass_by = url [options ...] # # This is actually a generalized syntax for syntax-1 and -2. # # := [[:]//] # # where # : name of listen port # : hostname (including non-standard port number) # : virtual path pattern (prefix-matching is done) # # So can be either: # /some-path/ : pass by path # //vhostname/ : pass by vhost # //vhostname:8888/ : pass by vhost # //vhostname/some-path/ : pass by vhost + path # lis-ssl://*/ : pass by listener # * : pass by path, catch-all # # # is a beefed up version of , in which you can # also specifiy path part. If path part doesn't exist, "/" is assumed. # # 1) http://hostname[:port-number]/path-prefix # 2) hostname[:port-number]/path-prefix # 3) https://hostname[:port-number]/path-prefix # 4) lbgrp:///path-prefix # # All options are the same as in Syntax-1. # examples for syntax-1 # proxy_pass_by = lis lis-ssl localhost:8888 proxy_pass_by = lis lis-http localhost:8887 # examples for syntax-2 # proxy_pass_by = vhost myhost.dyndns.org localhost -hh=myhost proxy_pass_by = vhost myhst2.dyndns.org localhost -hh=myhst2 # examples for syntax-3 # #proxy_pass_by = url lis-ssl://myhost.dyndns.org/path1/ \ # http://localhost:8888/path1/ # # --- Rule application rules --- # The rules are searched in reverse order of appearing in sproxy.conf file. # # ===================== # Load Balancing Groups # ===================== # You can define multiple LB groups here. # # proxy_lbgroup_define = \ # {http|https} nodes=",,..." } # # : hostname:port-number # hostname here is a physical or real hostname or IP address of a node in # the LB group. Do not include a port number if it's the standard port # for the protocol (i.e., 80 for http, 443 for https). 
# You can list up to 8 nodes in one LB group. # # # sorry_url= : URL to a sorry server. # A relative url (i.e., path only) can also be specified. # e.g., sorry_url=/_intmenu/sorry.html # # NOT IMPLEMENTED YET -fauth=uname:passwd : send fixed basic user auth info. # # # ======================= # Load Balancing Tunables # ======================= # --- restrict HTTP health check to DOWN nodes only. # proxy_lb_hcheck_downonly = 1 # --- traces, debugging, etc --- # _proxy_lb_thread_tracelvl = 1 # =================================== # More Reverse Proxying Tuning Params # =================================== # Note that these params apply globally. If you need a param to be applicable # to a single proxy_pass_by rule, please file a request to the author. # Automatic rewriting of Referer request field # default is 1 (on). You can disable it by setting it to 0. #proxy_rewrite_referer = 0 # Automatic rewriting of Destination request field (WebDAV) # default is 1 (on). You can disable it by setting it to 0. # When you use OWA with "Front-end-HTTPS:ON", you should set this to 0. #proxy_rewrite_destination = 0 # Maximum size of request bodies that will be buffered in the reverse proxy # component of Orenosp. # The default is 8192 (bytes). # Also in 0.8.0, DAV request body rewrite is limited to request bodies # smaller than this size. So when you use -rw_dav=1, you may also want # to increase this param value. 
# #proxy_post_save_limit = 65536 # # =========== # Access logs # =========== # # --- log format of access log --- # values: common, common-vhost, combined, combined-vhost # default is common proxy_log_access_fmt = combined # --- additional flags for log format --- #proxy_log_access_flags = # # # 0001 : record server vhostname in logname column (2nd column) # 0002 : resolve client ip address into hostname (1st column) # 0004 : record response time in seconds (added as the last column) # --- Access Logging I/O Scheme --- # #proxy_log_access_io = # # available io schemes # # "pipe" : Apache-compatible piped logging # "single" : regular single log file # "remote" : send log to a remote logging service # # e.g.1 (single log file) # proxy_log_access_io = single logs/access.log # # e.g.2 (send logs to external process via pipe) # proxy_log_access_io = pipe rotatelogs.exe "C:\Log Files\access_log" 86400 # # Note: you have to have a copy of rotatelogs.exe in . # You can obtain Orenosv-enhanced rotatelogs.exe from Orenosv webpage. # # e.g.3 (send logs to remote logging service) # proxy_log_access_io = remote host1:13000 ssl /host1/proxy \ # -u=logadmin:passwd # # Note: you must have LGS (Logging Service) of RBP (a freeware) running # on "host1". # ========= # Event log # ========= # # --- name and location of event log --- default is event.log #proxy_log_event = logs/event.log # --- share mode --- default is exclusive #proxy_log_event_mode = { exclusive | shared } # # If you set proxy_log_event_mode to shared, you will be able to rename or # delete the current event log file while the service is running. # You can use this feature rotate event log files. # ============= # Error Logging # ============= # The error log records request-specific errors. 
# # proxy_log_error_io = single logs/error.log # =================== # Performance Logging # =================== # # proxy_perf_logio = single perf.log # # ================= # Monitoring Module # ================= # You can place monitoring page at any URL. # example-1: dedicate one listen port for the monitoring page. # #proxy_listen_name = https-mon 0.0.0.0@4443 https #proxy_mon_xurl = https-mon://*/_monitor # # Note that you can specify only one occurence of proxy_mon_xurl parameter. # # For access protection, choose either one of the following # if you want Basic auth. #proxy_auth_url = https-mon://*/_monitor* -u="admin:pass" -rlm="Admin Only" #proxy_auth_path = /_monitor -u="admin:pass" -rlm="Admin Only" # You can also choose/add IP or form-auth. #proxy_authip_url = /_monitor* -allow="127.0.0.1,192.168.0.0/16" # ------------------------------- # Monitoring Module - Network Map # ------------------------------- # NIC to use for scan. # Linux/Mac OS X : names can be looked up with ifconfig. # e.g., eth0, eth1 # Windows: "nifX", where X is an network interface index number which # can be looked up with "netstat -r" or "route print". # X must be in decimal number. # e.g., nif4, nif131074 # #proxy_nmap_by_ifname = # NOT YET : NIC to use for scan. All platforms #proxy_nmap_by_macaddr = # max # of nodes that can be supported. Default is 32. # In a large LAN, you may want to increase it to 256. #proxy_nmap_max_nodes = 256 # ================= # SSL configuration # ================= # These SSL parameters are used for defining a single set of SSL-related # parameters. You can have multiple sets of SSL parameters using SSL Profiles. # # --- passphrase for server private key # This specifies a passphrase used for decrypting PEM-encrypted server/proxy's # private key whose location is specified by proxy_ssl_mycertstore parameter. 
# This passphrase is also used when opening PKCS#12 certificate file
# (.p12 file)
# NOTE(review): "orenosp" is the same value the built-in "svdflt" profile
# uses (see _sslprof_svdflt_keypass under "SSL Profiles"), i.e. a publicly
# documented default, and it is stored here in clear text. Keep this file
# readable by the service account only, and when you install your own
# private key, encrypt it with a different passphrase and update this
# parameter to match.
proxy_ssl_keypass = orenosp
# --- non-standard filenames for server/proxy certificate/private-key ---
#proxy_ssl_mycertstore =
# This specifies which certificate store is used for loading
# server/proxy's own certificate and private key.
# The supported methods are either "file" or "file-p12".
#
# file: directs server to load its own certificate and private key from
# files specified as options.
# file
# The cert file can be either PEM or DER. priv-key file needs to be
# in PEM that can be decrypted with pass phrase specified by
# proxy_ssl_keypass parameter.
#
# file-p12 : directs server to load from a single PKCS#12 file (p12 file).
# A single p12 file holds its own certificate, its private key and
# the signer's (CA's) certificate.
# file-p12
# The p12 file is decrypted by the pass phrase specified by
# proxy_ssl_keypass parameter.
#
# Default is
# proxy_ssl_mycertstore = file ssl.crt/server.crt ssl.key/server.key
#
# --- client authentication by SSL ---
#
#proxy_ssl_clauth =
# is:
# none: SSL client auth is disabled. do not request any client certificate.
# require: SSL client auth is required for every SSL connection.
# Every SSL client must present a valid certificate.
# optional: SSL client auth is optional for every SSL connection.
# The server requests a client certificate but the client has an
# option of not sending one.
# Default is none.
# Note: Some ftps/https clients (like Smartftp) don't work with
# clauth=optional. You should either choose none or require.
#
#
#
#proxy_ssl_cacertstore =
# This is similar to SSLCACertificatePath/SSLCACertificateFile in modssl.
# This specifies which certificate store is used for verifying trusted CAs.
# Supported methods are "os", "file", or "dir".
# os : directs server to load CA certs from Windows Certificate Store "ROOT" # file : load CA certs from a single PEM file # dir : load CA certs from a directory # # Default is # "os" when proxy_ssl_clauth is enabled (require or optional) # "file ssl.key/root.pem" otherwise (if clauth is disabled, server reads it # but doesn't use it) # # Examples # file ssl.crt/ca.crt (if you are using gencert-generated CA) # file ssl.crt/ca-bundle-client.crt (like Apache) # dir ssl_ca.crt (like Apache) # os # #proxy_ssl_cacertstore = os # --- optional : allowed cipher suites # This is an equivalent of SSLCipherSuite in mod_ssl. # Mod_ssl has a good documentation, see: # http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9 # # to allow strong ciphers only, use # RSA:EDH:!EXP:!NULL:+HIGH:+MEDIUM:-LOW:-SSLv2 # # to disable SSLv2, use # ALL:-SSLv2 # # to limit to a single cipher suit of RC4-MD5 (like for speed comparison), use # RC4-MD5:-SSLv2 # #proxy_ssl_ciphers = # --- optional : openssl various interoperability flags #proxy_ssl_bugwa_opt = # # The default is use SSL_OP_ALL (enable all bug workarounds). # You can selectively enable/disable SSL_OP_xxx. # ============ # SSL Profiles # ============ # An SSL profile contains a set of SSL-related parameters. You can use # multiple SSL profiles in a single configuration file. # An SSL profile can be either "client side" or "server side". # A client side SSL profile is used for connecting to other HTTPS backend # servers. A server side SSL profile is used for accepting HTTPS connections # from clients. # # For the following explanation, "" means "proxy". # # --- general sslprof parameters --- # Print all parameters in SSL profiles to event.log file on startup # _sslprof_printinfo = 1 # # --- parameters to define an SSL profile --- # _sslprof_define = # _sslprof__ptype = {server|client} # _sslprof__clauth = {none|require|option} # _sslprof__svauth = {none|require|option} # _sslprof__mycertstore = ... # _sslprof__cacertstore = ... 
# _sslprof__keypass = # _sslprof__ciphers = # _sslprof__scache_size = # _sslprof__bugwa_opt = # _sslprof__trace = # Built-in SSL profiles # There are two built-in SSL profiles, which you can use as default profiles. # # "svdflt" : server side SSL profile, defined as # _sslprof_define = svdflt # _sslprof_svdflt_ptype = server # _sslprof_svdflt_mycertstore = file ssl.crt/server.crt ssl.key/server.key # _sslprof_svdflt_keypass = orenosp # _sslprof_svdflt_clauth = none # _sslprof_svdflt_cacertstore = file ssl.key/root.pem # # "cldflt" : client side SSL profile, defined as # _sslprof_define = cldflt # _sslprof_cldflt_ptype = client # _sslprof_cldflt_svauth = none # _sslprof_cldflt_cacertstore = os # # In contexts where a server SSL profile is required, "svdflt" is used # by default. In contexts where a client SSL profile is required, # "cldflt" is used by default. # # You can also re-define these built-in profiles. Start with: # _sslprof_define = svdflt # and add ALL required parameters using _sslprof_svdflt_xxx. # You should set but shouldn't change ptype parameter # (ptype of svdflt should be "server", cldflt "client"). 
# # An example for a client side SSL profile (to backend connections) # - authenticates HTTPS servers # - be authenticated as HTTPS client # # #proxy_sslprof_define = clprof1 #proxy_sslprof_clprof1_ptype = client # --- to authenticate HTTPS servers #proxy_sslprof_clprof1_svauth = option #proxy_sslprof_clprof1_cacertstore = os # --- to be authenticated HTTPS client #proxy_sslprof_clprof1_mycertstore = file ssl.crt/client.cer \ # ssl.key/client.key # An example for a server side SSL profile (to frontend(client) connections) # - authenticates HTTPS clients # - be authenticated as HTTPS servers # #proxy_sslprof_define = svprof1 #proxy_sslprof_svprof1_ptype = server # --- to be authenticated HTTPS server #proxy_sslprof_svprof1_mycertstore = file ssl.crt/server.cer \ # ssl.key/server.key # --- to authenticate HTTPS clients #proxy_sslprof_svprof1_clauth = require #proxy_sslprof_svprof1_cacertstore = file ssl.crt/ca-bundle-client.crt # ============= # Nimda Filters # ============= # The name Nimda mya be misleading. Please consider "Nimda filter" as # request pattern restriction. # # --- switch to enable nimda filter --- # default is 0 (off) proxy_nimda_enable = 1 # --- nimda rules, specify path pattern --- # up to 128 rules can be specified # see http://online.securityfocus.com/archive/1/261549 # for many kinds of nimda attacks. 
#
# syntax
# proxy_nimda_path = [options]
# NOTE(review): both "/MSADC/" and "/msadc/" are listed below, which
# suggests the path match is case-sensitive — confirm against the Users
# Guide before relying on a single spelling of any other pattern.
proxy_nimda_path = /scripts/root.exe*
proxy_nimda_path = /c/winnt/system32/cmd.exe*
proxy_nimda_path = /d/winnt/system32/cmd.exe*
proxy_nimda_path = /_vti_bin/*winnt/system32/cmd.exe*
proxy_nimda_path = /_vti_cnf/*winnt/system32/cmd.exe*
proxy_nimda_path = /_mem_bin/*/winnt/system32/cmd.exe*
proxy_nimda_path = /scripts/*/winnt/system32/cmd.exe*
proxy_nimda_path = /adsamples/*winnt/system32/cmd.exe*
proxy_nimda_path = /cgi-bin/*winnt/system32/cmd.exe*
proxy_nimda_path = /iisadmpwd/*winnt/system32/cmd.exe*
proxy_nimda_path = /samples/*winnt/system32/cmd.exe*
proxy_nimda_path = /scripts*winnt/system32/cmd.exe*
proxy_nimda_path = /MSADC/root.exe*
proxy_nimda_path = /MSADC/*winnt/system32/cmd.exe*
proxy_nimda_path = /msadc/*winnt/system32/cmd.exe*
proxy_nimda_path = /PBServer/*winnt/system32/cmd.exe*
proxy_nimda_path = /default.ida*
proxy_nimda_path = /scripts/Admin.dll
proxy_nimda_path = /scripts/shell.exe*
# --- nimda filter mode ---
# pass : pass nimda requests to backend servers
# refuse : return http error status
# discard : close connection without returning anything to client
# default is refuse.
#
#proxy_nimda_opmode = refuse
# --- nimda filter log mode ---
# mylog : write to logfile specified by proxy_nimda_logio
# common : write to proxy-common logfile (defined by proxy_log_access_io)
# nolog : don't write to any log
# default is mylog
#
#proxy_nimda_logmode = mylog
# --- logfile for nimda access ---
# Relevant only when logmode is "mylog".
# The default is "single trash.log".
# As for the log format, the same setting of proxy_log_access_{fmt|flags}
# is used.
#
# this is the preferred syntax
#proxy_nimda_logio = single trash.log
#
# this param will go away
#proxy_nimda_logfile = trash.log
# --------------------------------------
# Limiting HTTP verbs using nimda filter
# --------------------------------------
# By using -verb option, you can limit HTTP verbs (GET,POST, etc) that
# the proxy will allow.
# # proxy_nimda_path = -verb= # # : ",,..." # This lists HTTP verb patterns that you want to FORBID. # # : can be any string. can also contain '*' wildcard match. # does case-insenstive matching. # # example # To filter out these virus requests, you must place this entry at the end of # all the proxy_nimda_path entries. # proxy_nimda_path = * -verb="OPTIONS,*SEARCH" # ----------------------------------- # Referer checking using nimda filter # ----------------------------------- # 1) Allowed paths in Referer # # By using -ref option, you can enforce "no hot link" policy. # # proxy_nimda_path = -ref= # # Any request that is matched with are tested for following: # # - the request includes "Referer:" field # - value of "Referer" field matches with: # {http|https}:// # # The request is allowed only if both of the above stand true. # # eg: proxy_nimda_path = /myhome/*.gif -ref=/myhome/pict*.html # # # 2) Denied URLs in Referer # # By using -noref option, you can block "referer spam". # # e.g., # proxy_nimda_path = * -noref="*xxx*" # proxy_nimda_path = * -noref="*even-more-xxx*" # # The request is considered as nimda if the Referer URL matches one of these # -noref patterns. # ----------------------------------------------- # Request Policing # Additional Security Measures using nimda filter # ----------------------------------------------- # Important: To enable these parameters, you must also set proxy_nimda_enable # to 1. 
# # Implemented # #proxy_plc_max_post_datasz = # limit max post data size #proxy_plc_req_chunked_disable = { 0 | 1 } # forbid chunked request body #proxy_plc_max_url_len = # limit maximum length of URL in requests #proxy_plc_max_path_len = # limit maximum length of path in requests #proxy_plc_url_8bit_disable = { 0 | 1 } # forbid 8-bit URL in requests #proxy_plc_basic_auth_disable = { 0 | 1 | 2 } # 0: allow all # 1: disable unless on secured channel (SSL) # 2: disable it altogether # Note: this filters out not only requests with "Authorization: Basic" headers # but also any 401 response with "WWW-Authenticate: Basic". In other words # it won't allow any backend servers (in addition to clients) to request # basic authentication. # NOT IMPLEMENTED YET #proxy_plc_max_reqhdr_len = # ========================================= # Limiting Authentication Methods over HTTP # ========================================= # With these parameters you can prevent backend servers from requesting # specific authentication method to clients. Specifically the proxy will # look for "WWW-Authenticate" response header with one of these auth method # names and drop the matching header. # HTTP Basic Authentication #proxy_auth_disable_basic = { 0 | 1 | 2 } # -- default is 0 (always enabled) # 0: allow all # 1: disable unless on secured channel (SSL) # 2: disable it completely # HTTP Digest Authentication #proxy_auth_disable_digest = { 0 | 1 | 2 } # -- default is 0 (always enabled) # HTTP MS NTLM Authentication #proxy_auth_disable_ntlm = { 0 | 1 | 2 } # -- default is 2 (always disabled) # do not change this. NTLM won't work with Orenosp, as of 0.4.1 # HTTP MS Negotiate Authentication #proxy_auth_disable_negotiate = { 0 | 1 | 2 } # -- default is 2 (always disabled) # do not change this. 
Negotiate won't work with Orenosp, as of 0.4.1 # ============================= # IP-based Access Authorization # ============================= # #proxy_authip_url = # # : extended-url-pattern with wildcard matching path # # Options # # -allow=",,..." # -deny=",,..." # # can be either # : explained below # @ : a text file # # Up to 8 s and up to 4 s can be # specified in a single -allow or -deny option. # # : IP address pattern as described in # "IP address patterns for matching" in Common Services Manual. # But you can look at the following three cases to get an idea. # # 1) IP address plus netmask in CIDR style (prefix in IPv6) # examples # 192.168.1.0/24 (192.168.1.XXX) # 127.0.0.1/32 (127.0.0.1 only) # 0.0.0.0/0 (matches any IPv4 address) # 0.0.0.0/32 (0.0.0.0 only, i.e., matches no IPv4 address) # IPv4 and IPv6 examples # 1|192.168.1.0/24 # 1|127.0.0.1/32 # 2|::1/128 # 2|fec0::/10 # 2) (NOT-IMPLEMENTED-YET) per-component wildcard pattern # examples # 192.168.*.1 # 3) plain IPv4 addresses # # : a text file containing list of s # The file should contain one address pattern per one line. # The file can have unlimited number of address patterns. Orenosp will # detects file modification and reloads dynamically. # # -order={ allow-deny | deny-allow } # allow-deny : if client IP is in allow list and not in deny list # then access is allowed. In all other cases access is denied. # deny-allow : if client IP is in deny list and not in allow list # then access is denied. In all other cases access is allowed. # Tip: You can consider the second list ("deny" in allow-deny case and # "allow" in deny-allow case) as an "exception list". 
#
# Examples
#
# allow list is empty, everyone is denied
# proxy_authip_url = /* -order=allow-deny
#
#
# deny list is empty, everyone is allowed
# proxy_authip_url = /* -order=deny-allow
#
#
# allow all intra-net access, except for 192.168.1.1
# proxy_authip_url = /* -order=allow-deny \
# -allow="127.0.0.0/24,192.168.1.0/24" -deny="192.168.1.1/32"
#
#
# allow public access, but block certain addresses
# proxy_authip_url = /* -order=deny-allow \
# -deny="192.168.1.2"
#
#
# allow all intra-net access, except for virus-infected ones
# # both IP lists can be modified dynamically
# proxy_authip_url = /* -order=allow-deny \
# -allow="@ip_intra.txt,@ip_intra2.txt" -deny="@ip_bad.txt"
# =============================================
# Form Based Authentication (and Authorization)
# =============================================
#
# Switch to enable form-based auth
#proxy_authck_enable = 1
#
# Note: by enabling the form based authentication, any virtual paths
# that begin with "/_formauth/"
# - are intercepted by the proxy
# - will be accessible without __any authentication__
# - any files in $ORENOSP_HOME/_formauth directory are sent by the proxy
# This is necessary for the form based authentication to work.
# In future versions, this path will be configurable.
#
#
# --- Define an authentication policy using form-based authentication ---
#
#proxy_authck_define = -u="..." -rlm="..."
#
# -u="..." : user-password-list
# user-password-list is
# ":,:,..."
#
# -rlm="realm-name" : specifies protection realm name
#
# -tmo= : idle login timeout in minutes (must be >= 2)
# default is 30 (minutes).
#
# -tmo_owa=on : enable OWA-specific timeout behavior in the regular -tmo
# mechanism. In current version, this causes
# POLL commands to be not considered an active request.
#
# -ckdomain="domain-name" : specifies "domain" name in the ticket cookie.
# if you have two vhosts, www.example.com and www2.example.com, you could # set -ckdomain=".example.com" (notice the leading dot) so that a user # could be authenticated just once for all vhosts in *.example.com. # # -onlogin=ipacl_add: # When a client is succeccfully authenticated, add its IP address to # the IP-based access control pattern file specified by . # After a certain time period, the IP address will be removed from # the pattern file. This timeout defaults to the value specified in -tmo, # but can be overridden with ipacl_tmo suboption. # # -onlogin=ipacl_tmo: # Specify, in minutes, timeout for ipacl_add. # # --- Define an access control policy on URL spaces --- # #proxy_authck_assign = \ # [-allow="user1,user2,..."] # # where # : extended-url-pattern with wildcard matching path # # : name of auth type defined in proxy_authck_define, or # special name "_skipthis_" # # -allow="user1,user2,@group1..." # list of user names and group names (prefixed with "@") that are # authorized to access the URL space specified by # . # First, a user is authenticated with . Then, if successfully # authenticated, the user is checked against this user list to see if # he/she is properly authorized. If a member name in this list starts # with '@', it is treated as a group name and "grpdb.txt" file is # consulted for member information. # # The default is to allow any user who is successfully authenticated by # . # # # All the requests matching will be required to send # a form-based auth ticket to be validated by Orenosp. If the request doesn't # present a valid ticket, Orenosp will redirect the client to URL # "/_formauth/login.html". # If multiple proxy_authck_assign rules are present, matching is tried in # reverse order of appearing in config file and only the first rule matched # is enforced. 
# # example #proxy_authck_enable = 1 #proxy_authck_define = fmauth1 -u="user1:passwd1,user2:passwd2" \ # -rlm="Restricted Area" #proxy_authck_assign = *://vhost1.dyndns.org/* fmauth1 #proxy_authck_assign = *://vhost1.dyndns.org/admin* fmauth1 -allow="@admin" #proxy_authck_assign = *://vhost1.dyndns.org/public* _skipthis_ # # --- support for authentication services --- # If password is empty in user-password-list, the proxy will # call a backend authentication service to authenticate the user. # An empty password can be specifed as "username:" (you have to put ':'). # # HTTP/HTTPS basic auth server # proxy_authck_authsrv_url = # # File based authentication (proxy_auth_authsrv_file) # proxy_authck_authsrv_file = # # PAM authentication (Linux/Mac OS X only) # proxy_authck_authsrv_pam = svcname=orenosp # # LDAP authentication (Active Directory is assumed) # proxy_authck_authsrv_ldap = ldap_server= \ # upn_domain= # # RADIUS authentication # proxy_authck_authsrv_radius = conf= \ # auth={pap|chap} # # You can use a special username "_valid_" to allow any user who is # successfully authenticated by the backend server. e.g., -u="_valid_:" # # See "support for authentication services" in Simple Basic Authentication # and/or Users Guide for details. # # # example #proxy_authck_enable = 1 #proxy_authck_define = fmauth1 -u="user1:,user2:" -rlm="Restricted Area" #proxy_authck_assign = *://vhost1.dyndns.org/* fmauth1 #proxy_authck_authsrv_url = https://authserver1/ # or #proxy_authck_authsrv_file = passwd.txt # # # --- Passing form-based auth user credential to backend servers as --- # --- HTTP basic auth info --- # proxy_authck_pass_to_backend = 1 # =========================== # Simple Basic Authentication # =========================== # This functionality is intended for simple HTTP devices that don't # have basic authentication (username and password). # # All the requests matching will be required to send # basic authentication info to be validated by Orenosp. 
If multiple rules # are present, matching is tried in reverse order of appearing in config # file and only the first rule matched is enforced. # # --- NOTE --- # If the backend server for this request also requires Basic authentication, # users will never be able to authenticate themselves due to authentication # headers conflict. In other words, double authentications by Orenosp and # backend server is not possible, by default. # # Possible work arounds: # - new in 0.7.2 : have Orenosp to pass username/password to the backend # server requirng HTTP basic auth. The realm names of Orenosp and backend # server can be different. Set the following parameter: # # proxy_auth_pass_to_backend = 1 # # - specify fixed Basic authentication info in proxy_pass_by parameter. # # proxy_pass_by = lis lis-ssl http://username:password@hostname:port-number # # - have orenosp to use other auth methods (form-based, etc) # - have the backend server to use other auth methods # # ------------ # # # --- type 1 --- #proxy_auth_path = [options] # # is prefix-match pattern. (not wildcard-match) # # options include: # -u=":,:,..." # list of username and passwords # -rlm= : specify realm name # -skipthis=1 : do not enforce auth on this # # examples #proxy_auth_path = / -u="user1:pass1,user2:pass2" #proxy_auth_path = /admin/ -u="admin:apass" -rlm="Admin Only" #proxy_auth_path = /pub/ -skipthis=1 # # # --- type 2 --- #proxy_auth_url = [options] # # example #proxy_auth_url = lis-ssl://*/admin/* \ # -u="admin:apass" -rlm="Admin Only" #proxy_auth_url = lis-ssl://*/pub/* -skipthis=1 # # # --- support for authentication services --- # If password is empty in user-password-list, the proxy will # call an backend authentication service to authenticate the user. # An empty password can be specifed as "username:" (you have to put ':'). # # HTTP/HTTPS basic auth server (proxy_auth_authsrv_url) # send HEAD request along with username and password to . # if it returns status 200, the user is authenticated. 
# # proxy_auth_authsrv_url = # # File based authentication (proxy_auth_authsrv_file) # Authenticates username and password against "passwd.txt" file which # usually resides in . # Also, when using this method, you can authenticate users against # the OS's native authentication mechanism (os_acl option). See Users Guide # for details. # # proxy_auth_authsrv_file = # # PAM authentication (Linux only) # Delegates username/password verification to a PAM service named "orenosp". # # proxy_auth_authsrv_pam = svcname=orenosp # # LDAP authentication (Active Directory is assumed) # proxy_auth_authsrv_ldap = ldap_server= \ # upn_domain= # # RADIUS authentication # proxy_auth_authsrv_radius = conf= \ # auth={pap|chap} # # # # You can use a special username "_valid_" to allow any user who is # successfully authenticated by the backend server, i.e., every account # the backend accepts, not only those listed. e.g., -u="_valid_:" # # # example #proxy_auth_path = / -u="user1:,user2:" #proxy_auth_authsrv_url = https://authserver1/ # #proxy_auth_path = / -u="os_user1:,os_user2:" #proxy_auth_authsrv_file = passwd.txt # # # --- Passing basic auth user credential to backend servers --- # proxy_auth_pass_to_backend = 1 # ============================================ # Client Certificate Mapping and Authorization # ============================================ # # #proxy_authcert_define = -u="..." # # -u="..." : user-list # user-list is # ",,..." # # -cmap= # specifies a certificate mapping file. default filename is "certmap.txt" # # -set_username={0|1} # specifies whether the mapped username will be required by subsequent # auth mechanisms (like form-based auth). The default is "0" (no). # # #proxy_authcert_assign = # # where # : extended-url-pattern with wildcard matching path # # : name of auth type defined in proxy_authcert_define, or # special name "_skipthis_" # # If multiple proxy_authcert_assign rules are present, matching is tried in # reverse order of appearing in config file and only the first rule matched # is enforced. 
# # example # ============== # Output Filters (for HTTP compression / Content Rewrite) # ============== # Output filter modules are common between Orenosp and Orenosv, except that # parameter names are different. Orenosp's versions start with "proxy_" # whereas Orenosv's versions start with "http_". # # For all the explanation and options, see Orenosv's users guide and # "http_dflt.txt". # http://hp.vector.co.jp/authors/VA027031/orenosv/http_dflt.txt # # For usage of rewrite filter sub-modules see Orenosp's Users Guide # (section Simple Content Rewrite) # # Note: when using rewrite filters, you almost always want to set # (so that the backend returns uncompressed content the filter can rewrite): # proxy_origin_gzip_disable = 1 # mod_filt_rwt # rewrite filter - offers optimized rewrite filtering # # mod_filt_rwt rwtype={simple|regex} -- # # # mtype=",,..." # Input mime types (content types). If input mtype does not match # any of these, content will not be passed to the submodule. # It uses prefix match, so "text/" matches with any mtype that # begins with "text/". # If this option is not specified, content of any mtype will be passed to # the submodule (i.e., will be subjected to the content rewrite). # outmtype= # output mtype (content type). if not specified, the input mtype is used # as the output mtype. # headers=",,..." # apply filter to response headers also. # it uses exact matches, with the special value "*" meaning any header. # if not specified, no header is subject to filter processing. # flags= # 0001 : process response body # 0002 : process response headers # 0004 : process response headers regardless of mtypes # default is 0003 (0001|0002). # debug={1|0} # if greater than zero, turns on debugging. # # submodule-options # these are for specifying submodule-specific options # # submodules for mod_filt_rwt # # rwtype=simple : simple search & replace filter # no regex, no wildcard. does case-insensitive search. # rewriting rules are specified in dedicated config file (rewrite_simple.conf). 
# options: # -cf= : alternate name for config file # -hname_match={1|0} : assume all rewrite targets are HTTP hostnames # and do a special trick. # # rwtype=regex : regular-expression based matching & replace filter # rewriting rules are specified in dedicated config file (rewrite_regex.conf). # # options: # -cf= : alternate name for config file # # --------------- # define filters # --------------- # proxy_filter_define = comp-txtonly mod_filt_zlib mtype="text/" z_cmplvl=1 proxy_filter_define = ext-rewrite mod_filt_ext int=rewrite_simple mtype="text/html" # --------------- # assign filters # --------------- # proxy_filter_assign = * comp-txtonly proxy_filter_assign = * ext-rewrite # ============== # HTTP redirects # ============== # # proxy_redirect_by = url [-s] # # : an to specify URLs to # redirect. # for extended-url-pattern-wc syntax, see form-based authentication. # # : the URL to which the request will be redirected. # Without -s option: path part in is ignored and path in # original request will be used. See examples below. # With -s option: (redirect to a single URL) client is redirected to # the exact location. # Example-1: Any http request arriving at lis-http will be redirected to # https://host.com/ (keeping the path of the original request) #proxy_redirect_by = url lis-http://*/* https://host.com/ # Example-2: All requests to top page (/) will be redirected to # https://host.com/_intmenu/menu.html. #proxy_redirect_by = url *://host.com/ https://host.com/_intmenu/menu.html -s # ================== # Local File Serving # ================== # # enable local file serving under "/_intmenu/" vpath. # The filesystem path for it is /_intmenu/. # #proxy_lfile_enable = 1 # ================= # Self Health Check # ================= # Health check # NOTE: not available on Linux/Mac OS X yet # These parameters are tentative and should be reviewed on each upgrade. 
# URL to health-check # if not specified, health check is disabled #proxy_hcheck_url = https://localhost/ # check interval in seconds - default is 300 secs (5 mins) proxy_hcheck_interval = 300 # retry count before self-destruct - default is 3 proxy_hcheck_retry = 3 # check level # status : OK only if status is normal (200) # conn : OK if connected and got some kind of reply from server # regardless of status returned # usually use "conn" if proxy, use "status" if web server # default is conn proxy_hcheck_chklevel = conn # trace level proxy_hcheck_tracelvl = 0 # ================= # bandwidth control # ================= # # --- define bandwidth groups --- # # #proxy_bw_define = send-pub 6K #proxy_bw_define = recv-pub 20K #proxy_bw_define = send-priv 6K #proxy_bw_define = recv-priv 80K # --- mapping requests to bandwidth groups --- # URL of a request will be matched against in the reverse order of appearing. # A request matches a proxy_bw_assign rule if # request path matches (using extended-url-pattern-with-wildcard-match), AND # request direction (send or recv) matches # # #proxy_bw_assign = *://*/* send-priv -dir=send #proxy_bw_assign = *://*/* recv-priv -dir=recv #proxy_bw_assign = /pub/* send-pub -dir=send #proxy_bw_assign = /pub/incoming/* recv-pub -dir=recv # # # -dir={send|recv|both} : specifies which direction of data this bandwidth # control is enforced to. # send(or up): server to client # recv(or down): client to server # both : both directions # Default is both. # IMPORTANT : current limitations # - Only the SEND direction (reverse proxy sending out contents) is currently # supported. # - BW control works over data that have not been processed by output filters. # This means that the amount of data that's subjected to the bandwidth # control will differ from the actual amount of data that goes over the # wire. 
For example, if the HTTP compression filter reduces a 1MB content # by 90%, the bandwidth control will see it as 1MB of data even though # only the 100KB of data is actually sent over the wire. # ================ # Resource control # ================ # --- init/max numbers of worker threads --- # # of worker threads is effectively the degree of concurrent executions. # # Orenosp uses resident worker threads to process # client requests. When orenosp starts, it will create N worker threads # where N is specified by proxy_worker_threads. When it finds that all # N worker threads are busy processing client requests, it will add an # additional worker thread to the thread pool. It will do so until the # number of worker threads reaches M, which is specified by # proxy_worker_max_threads. # # The defaults are init=16 and max=128 and should be reasonable for most # environments. # You can also set proxy_worker_threads == proxy_worker_max_threads, in which # case the memory footprint of the proxy will be almost stable. # number of initial worker threads # default is 16 #proxy_worker_threads = 8 # number of maximum worker threads # The proxy will add an additional worker thread when it finds all workers are # busy. 
# default is 128 #proxy_worker_max_threads = 32 # --- all threads --- # max number of all threads in the process # default is 512, max is 2048 #proxy_max_threads = 1500 # --- front connections --- # max number of front (client) connections # default: 1024 (Windows), 900 (linux) # hard limit : 99999 (Windows),1000 (linux) #proxy_front_max_conns = 1024 # number of seconds to keep idle front connections alive # default is 300 #proxy_front_keepalive_timeout = 60 # network(i.e., receive) timeout in seconds for front connections # default is 0 (no timeout); a finite value keeps slow or stalled clients # from holding front connections indefinitely #proxy_front_timeout_recv = 180 # --- back connections --- # size of backend connection cache # default is 32, max is 1024 #proxy_origin_conn_cachesize = 256 # backend connection network(i.e., receive) timeout in seconds # default is 0 (no timeout) #proxy_origin_timeout_recv = 120 # backend connection enable TCP keepalive (in seconds) # This option enables per-connection TCP keepalive on backend connections. # This comes in handy when a backend server or a network device in between # goes down without resetting the TCP connection. # default is 0 (don't use TCP keepalive) # proxy_origin_tcp_keepalive = 15 # backend connection - # of retries when connect() to a backend server # fails with ECONNREFUSED. Basically this is to work around the restriction # of limited listen backlog when running a backend web server on non-Server # versions of Windows OSes. # The proxy sleeps for 50msec before retrying. # # default is 1. you can set it to 0. #proxy_origin_connrefused_retry = 2 # --- SSL session cache (memory) --- # see proxy_ssl_scache_size or proxy_sslprof_XXX_scache_size. # setting it to a value near proxy_front_max_conns is reasonable. # setting it to -1 disables the session cache. # ============= # Miscellaneous # ============= # # server name - set DNS name of this proxy # this param is needed when translating some field values if client is # not sending Host: field. Default is whatever gethostname() returns. 
# #proxy_server_name = myname.no-ip.com # use HTTP/1.1 for connections to backend servers # this is effectively to tell the backend(origin) server that we can accept # chunked encoding. # default is 1 (true), i.e., use HTTP/1.1 #proxy_origin_http11 = 1 # disable HTTP compression on backend servers. This is achieved by # dropping client-supplied "Accept-Encoding" request header. #proxy_origin_gzip_disable = 1 # to clients, return http/1.0. # default is 0 (false) #proxy_force_http10 = 1 # to clients, do not return error messages that are discernible as Orenosp. # default is 0 (false) #proxy_hide_proxy_msg = 1 # instruct the proxy to send absolute URLs in redirect responses # Applicable only to proxy-generated redirect responses. # default is 0 (return relative URLs in Location headers) #proxy_redir_absurl = 1 # to clients: # if a client sends an HTTP/1.1 request without Connection: header on SSL, # do not assume a persistent connection. Note that this violates # the HTTP/1.1 spec. # This option is to work around the https problem in Irvine downloader. #proxy_client_irvine_wa = 1 # extra headers #proxy_enable_ext_headers = 1 # ======================= # Windows Only Parameters # ======================= # UPnP-enabled Router Support # # upnp_auto = { on | off } # ==================== # Unix Only Parameters # ==================== # # If you want to run orenosp as a different user, you must start orenosp # as root; it will change to the specified user after doing the necessary # privileged setup (such as binding to ports under 1024). # Note: you must make the ORENOSP_HOME directory owned by the specified user. # Also you must pre-create "event.log" and/or "logs/event.log" as that user. 
# # proxy_unix_user_group = user[:group] # # ======== # tracing # ======== # # HTTP trace between client and proxy (written to htrace.log) #proxy_hctrace_level = 0 # # HTTP trace between proxy and backend (written to htrace.log) #proxy_hbtrace_level = 0 # # Outputs from these params go to "htrace.log", by default. # If you want to change the destination of htrace.log, set one of: # #proxy_htrace_logio = single g:/trace/proxy_trc.log #proxy_htrace_logio = remote host1:13000 raw /host1/htrace -u=logadmin:passwd #proxy_htrace_logio = pipe rotatelogs.exe "htrace-%Y%m%d-%H%M%S.log" 1M # # # debug trace - for Orenosp-internal workings (written to event.log) # with level 3 or higher, orenosp also dumps request body (if it's text); # such bodies can contain submitted credentials, so raise the level only # while troubleshooting #proxy_trace_level = 0 # # DAV trace - WebDAV trace including body # proxy_davtrace_level = 0 # # # diagnostic dump facility # If enabled, accessing url "/_dump?" invokes diag dumps. # If proxy_dump_passwd is not set, the dump routine performs no authorization. # In such a case, protect "_dump" with proxy_auth_path or proxy_authck_path. #proxy_dump_enable = 0 #proxy_dump_passwd = #EOF