Name

http-proxy.cfg — format of http-proxy program configuration file

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the http-proxy.cfg configuration file.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, names must be used.

The following enumerations are used in http-proxy.cfg configuration directives:

enabling (see common(5))

yes-no (see common(5))

language (see common(5))

nls (see common(5))

direction (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

obligation (see common(5))

range-op (see common(5))

inline-file-format (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

week-day (see time(5))

month (see time(5))

lock-type (see ipc(5))

radius-attr (see radius(5))

ldap-tls-reqcert-mode (see ldap(5))

ldap-search-scope (see ldap(5))

ldap-group-match (see ldap(5))

auth-method (see auth(5))

oob-authentication-method (see auth(5))

bandwidth-mode (see pf-queue(5))

pf-sc-setting (see pf-queue(5))

antivirus-protocol (see antivirus(5))

virus-status (see antivirus(5))

database-source (see antivirus(5))

source-address-mode (see source-address(5))

accept-deny (see mod-html-filter(5))

transparency (see acl(5))

user-auth-spec (see acl(5))

doctype-ident-method (see acl(5))

header-op (see acl(5))

lagg-protocol (see interface(5))

listen-on-sock (see listen-on(5))

log-in-vain-proto (see sysctl(5))

blackhole-proto (see sysctl(5))

proc-priority (see application(5))

ssl-ver (see ssl(5))

extension-op (see ssl(5))

veri-fail-action (see ssl(5))

auth-cert-type (see ssl(5))

distrusted-cert-type (see ssl(5))

data-match-action (see mod-match(5))

clear-web-db-category (see clear-web-db(5))

clear-web-db-match-mode (see clear-web-db(5))

replace-authorization-mode (see http-proxy(5))

proxy-via (see http-proxy(5))

http-protocol (see http-proxy(5))

http-scheme (see http-proxy(5))

cookie-table-clean (see http-proxy(5))

accept-gzip (see http-proxy(5))

content-gzip (see http-proxy(5))

http-redirect (see http-proxy(5))

kerberos-user-match (see http-proxy(5))

ldap-select (see http-proxy(5))

auth-headers (see http-proxy(5))

sni-result (see http-proxy(5))

ITEMS AND SECTIONS

Program http-proxy recognizes the following items and sections:


  admin ... ;
* antivirus name { ... }
* aproxy name { ... }
  clear-web-db { ... }
* data-match name { ... }
* fake-cert name { ... }
* html-filter name { ... }
* interface name { ... }
* kerberos-auth name { ... }
* ldap-client-auth name { ... }
* ntlm-auth name { ... }
* oob-auth name { ... }
* pf-queue name { ... }
* radius-client name { ... }
* resolver name { ... }
* shared-dir name { ... }
* shared-file name { ... }
* ssl-params name { ... }
  sysctl { ... }
  use-resolver ... ;
* web-filter name { ... }
* http-proxy name { ... }
  ipv6-mode ... ;

Description:

admin system [contact];

Firewall administrator and contact e-mail addresses.

system (type: str)

The technical administrator(s) of the system; an address or set of comma-separated addresses of the persons responsible for system maintenance.

contact (type: str, optional, default: <NULL>)

The policy administrator; the address of the person responsible for system configuration. If not defined, the technical administrator address is used instead.

Constraints:

Administrator contact addresses must comply with the RFC e-mail address format.

antivirus name {


  connection ... ;
  sock-opt { ... }
  timeout ... ;
  comm-dir ... ;
  altq ... ;
  max-checked-size ... ;
  icap-pass-200-with-pure-body ... ;
  persistent-stream ... ;
  clamav-agent { ... }
}

The antivirus section is derived from the antivirus section prototype. For a detailed description, see antivirus(5).

aproxy name {


  auth ... ;
  insecure-cookies ... ;
  oob-auth ... ;
  cookie-name ... ;
  logout ... ;
  timeout-idle ... ;
  timeout-unauth ... ;
  bufsz ... ;
}

The aproxy section is derived from the aproxy section prototype. For a detailed description, see http-proxy(5).

clear-web-db {


  internal-servers ... ;
  db ... ;
  lock ... ;
  local-db { ... }
}

The clear-web-db section is derived from the clear-web-db section prototype. For a detailed description, see clear-web-db(5).

data-match name {


  max-size ... ;
  init-match ... ;
  max-match ... ;
  step-size ... ;
  step-match ... ;
* test ... ;
}

The data-match section is derived from the data-match section prototype. For a detailed description, see mod-match(5).

fake-cert name {


  key ... ;
  auth-ca ... ;
  fail-ca ... ;
* extension ... ;
  purge ... ;
}

The fake-cert section is derived from the fake-cert section prototype. For a detailed description, see ssl(5).

html-filter name {


* script-tag-language ... ;
  replace-head-script-tags ... ;
  replace-body-script-tags ... ;
* style-tag-type ... ;
  replace-style-tags ... ;
* iframe-tag-src ... ;
  replace-iframe-tags ... ;
* intrinsic-language ... ;
* intrinsic-hack ... ;
  replace-intrinsic ... ;
* macro-language ... ;
* macro-hack ... ;
  replace-macros ... ;
* uri ... ;
  replace-uri ... ;
* embed-tag-type ... ;
* embed-src-hack ... ;
* embed-plugin-hack ... ;
  replace-head-embed-tags ... ;
  replace-body-embed-tags ... ;
* applet ... ;
  replace-applets ... ;
* object ... ;
* object-classid-hack ... ;
* object-data-hack ... ;
  replace-head-object-tags ... ;
  replace-body-object-tags ... ;
* param-tags ... ;
  replace-param ... ;
  script-end-hack ... ;
}

The html-filter section is derived from the html-filter section prototype. For a detailed description, see mod-html-filter(5).

interface name {


  dev ... ;
  ipv4 ... ;
  ipv6 ... ;
  mac ... ;
  aggregate ... ;
  pike ... ;
  vlan ... ;
  tunnel ... ;
  dhcp-client ... ;
  ipv6-rtadv { ... }
* alias name { ... }
* tag ... ;
}

The interface section is derived from the interface section prototype. For a detailed description, see interface(5).

kerberos-auth name {


  domain ... ;
  user-match ... ;
  kinit ... ;
  keytab ... ;
  proxy-host ... ;
* ad-controller ... ;
  ldap ... ;
  timeout-idle ... ;
  timeout-unauth ... ;
  lock ... ;
  lock-ldap ... ;
  one-per-session ... ;
}

The kerberos-auth section is derived from the kerberos-auth section prototype. For a detailed description, see http-proxy(5).

ldap-client-auth name {


  server ... ;
  ssl { ... }
  bindinfo ... ;
  kerberos ... ;
  users ... ;
  groups ... ;
  active-directory ... ;
}

The ldap-client-auth section is derived from the ldap-client-auth section prototype. For a detailed description, see ldap(5).

ntlm-auth name {


  domain ... ;
  workgroup ... ;
* ad-controller ... ;
  interfaces { ... }
  ldap ... ;
  timeout ... ;
  timeout-idle ... ;
  timeout-unauth ... ;
}

The ntlm-auth section is derived from the ntlm-auth section prototype. For a detailed description, see http-proxy(5).

oob-auth name {


  method ... ;
  max-sessions ... ;
  max-user ... ;
  max-groups ... ;
  truncate-groups ... ;
  file ... ;
  lock ... ;
}

The oob-auth section is derived from the oob-auth section prototype. For a detailed description, see auth(5).

pf-queue name {


  parent ... ;
  bandwidth ... ;
  priority ... ;
  qlimit ... ;
  cbq { ... }
  priq { ... }
  hfsc { ... }
}

The pf-queue section is derived from the pf-queue section prototype. For a detailed description, see pf-queue(5).

radius-client name {


  nas ... ;
  groups ... ;
* server ... ;
}

The radius-client section is derived from the radius-client section prototype. For a detailed description, see radius(5).

resolver name {


* server ... ;
  search ... ;
  preference ... ;
  edns ... ;
  conf-timeout ... ;
  initial-timeout ... ;
  final-timeout ... ;
  conn-timeout ... ;
  disable-deresolution ... ;
}

The resolver section is derived from the resolver section prototype. For a detailed description, see resolver(5).

shared-dir name {


  path ... ;
}

The shared-dir section is derived from the shared-dir section prototype. For a detailed description, see common(5).

shared-file name {


  path ... ;
  format ... ;
}

The shared-file section is derived from the shared-file section prototype. For a detailed description, see common(5).

ssl-params name {


  versions ... ;
  ciphers ... ;
  tcp-eof ... ;
  id ... ;
* auth-cert ... ;
  distrusted-certs ... ;
  dont-check-crl ... ;
* crl ... ;
  verify-peer ... ;
  cache-timeout ... ;
  use-ticket ... ;
  enable-renegotiation ... ;
  fake-cert ... ;
  prefer_server_ciphers ... ;
  enable-ecdh ... ;
}

The ssl-params section is derived from the ssl-params section prototype. For a detailed description, see ssl(5).

sysctl {


* variable ... ;
  portrange-default ... ;
  portrange-high ... ;
  portrange-low ... ;
  portrange-reserved ... ;
  somaxconn ... ;
  log-in-vain ... ;
  blackhole ... ;
}

The sysctl section is derived from the sysctl section prototype. For a detailed description, see sysctl(5).

use-resolver name;

Resolver Section Specification.

This item defines the name of the global (system) resolver section used in a particular configuration environment. Namely, it is applicable within the SYSTEM section and within any section derived from the PROXY prototype. The former usage defines system-wide values, the latter values valid for a particular proxy.

name (type: name of resolver, see resolver(5))

web-filter name {


  connection ... ;
  fail-ok ... ;
  sock-opt { ... }
}

The web-filter section is derived from the web-filter section prototype. For a detailed description, see http-proxy(5).

http-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  source-address ... ;
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  document-root ... ;
  hdr-line-len ... ;
  blacklist-db ... ;
  connect-data-mime-db ... ;
  ftp-proxy ... ;
  max-aproxy-sessions ... ;
  max-bypass-sessions ... ;
  oob-auth-srv ... ;
  ssl-session-cache { ... }
  aproxy-lock ... ;
  cookie-table { ... }
  extended-status ... ;
* session-acl name { ... }
* request-acl name { ... }
* doc-acl name { ... }
}

The http-proxy section is derived from the http-proxy section prototype. For a detailed description, see http-proxy(5).

ipv6-mode [status];

Enabling/Disabling IPv6 Mode.

status (type: enabling, optional, default: enable)

SEE ALSO

configuration(7), http-proxy(8), acl(5), antivirus(5), application(5), auth(5), clear-web-db(5), common(5), http-proxy(5), interface(5), ipc(5), ldap(5), listen-on(5), log(5), mod-html-filter(5), mod-match(5), pf-queue(5), radius(5), resolver(5), source-address(5), ssl(5), sysctl(5), time(5), host-matching(7)