oracular (7) ffproxy.quick.7.gz

Provided by: ffproxy_1.6-12_amd64

NAME

     ffproxy.quick — filtering HTTP/HTTPS proxy server quick introduction

DESCRIPTION

     ffproxy is a filtering HTTP/HTTPS proxy server.  It is able to filter by host, URL, and
     header.  Custom header entries can be filtered and added.  It can even drop its privileges
     and optionally chroot(2) to some directory.  Logging to syslog(3) is supported, as is using
     another auxiliary proxy server.  An HTTP accelerator feature (acting as a front-end to an
     HTTP server) is included.  Contacting IPv6 servers as well as binding to IPv6 is supported
     and allows transparent IPv6 over IPv4 browsing (and vice versa).

     This manual describes how to set up a basic HTTP proxy installation.  It is assumed that you
     already have compiled the program or installed it via port or package.

COPYING FILES

     The program comes with default configuration files that contain both examples and suggested
     entries.  You can simply copy them to a directory of your choice.  This directory will
     become the program's working directory.

           mkdir /var/ffproxy
           tar cf - db/ html/ | ( cd /var/ffproxy ; tar xf - )
           cp sample.config /var/ffproxy/ffproxy.conf

     The above example installs all needed files under /var/ffproxy, which is ffproxy's default
     working directory.

SECURING

     The proxy now has its own working directory.  By default, ffproxy does not change UID/GID
     after start.  For security reasons we want to enable it.  You have two choices now: either
     use an existing UID/GID or add a custom UID/GID for ffproxy.  See adduser(8) or useradd(8),
     depending on your system, on how to create new IDs.

     Edit ffproxy.conf and change the lines containing uid and gid

           # change UID and GID
           #
           # to use, both uid and gid must be set
           # (disabled by default)
           #uid proxy
           #gid proxy
           uid _ffproxy
           gid _ffproxy

     In addition to changing UID and GID, ffproxy should be executed change-rooted to its working
     directory.  So we change chroot_dir and db_files_path in the configuration file

           # change root to (only in connection with uid and gid change)
           # (disabled by default)
           chroot_dir /var/ffproxy

           # path to db/ and html/ directories
           # (default: /var/ffproxy)
           db_files_path .

     db_files_path must be changed, too, since it is resolved relative to the new root.  Finally,
     we copy /etc/resolv.conf to ffproxy's home to enable DNS inside the chroot and chown
     /var/ffproxy so the proxy's master process can write its PID file

           mkdir /var/ffproxy/etc
           cp /etc/resolv.conf /var/ffproxy/etc/
           chmod 750 /var/ffproxy
           chown _ffproxy._ffproxy /var/ffproxy

ACCESS TO THE PROXY

     By default, nobody is allowed to connect to ffproxy.  Let's say we want to provide LAN
     users with a filtering proxy to shut down malicious content coming from the Internet.  So the
     proxy has to listen on the local network interface only.  We change bind_ipv4 and
     bind_ipv6 appropriately in ffproxy.conf

           bind_ipv4 martyr.burden.eu.org
           bind_ipv6 martyr.burden.eu.org

     Additionally, we have to edit db/access.ip.  By adding, for example,

           ^192\.168\.10\.

     we allow 192.168.10.0/24 to use our proxy.
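     The following is an added example and not part of the ffproxy distribution.  The page's
     entry shows that db/access.ip holds one pattern per line matched against the client's
     address; the example assumes those patterns are POSIX extended regular expressions (as
     grep -E uses; see ffproxy.conf(5)) and mirrors the match with grep, so an entry can be
     tested against sample addresses before the proxy is exposed to the LAN.  The constructed
     loose.ip file shows why the trailing backslash-dot in the page's pattern matters.

```sh
# Added example (not part of the ffproxy distribution).  db/access.ip holds
# one pattern per line; this page's example shows the entries are regular
# expressions matched against the client's address (assumed here to be POSIX
# extended syntax, as grep -E uses; see ffproxy.conf(5)).  The functions let a
# rule be tested against sample addresses before the proxy is exposed.

# 0 if any active (non-blank, non-comment) pattern in file $1 matches
# client address $2, 1 otherwise.
access_ip_allows() {
    addr=$2
    while IFS= read -r pat || [ -n "$pat" ]; do
        case $pat in ''|'#'*) continue ;; esac
        if printf '%s\n' "$addr" | grep -Eq -e "$pat"; then
            return 0
        fi
    done < "$1"
    return 1
}

# Print an allow/deny line for each address given after the pattern file.
access_ip_report() {
    file=$1; shift
    for a in "$@"; do
        if access_ip_allows "$file" "$a"; then echo "allow $a"; else echo "deny  $a"; fi
    done
}

# Demonstration with a constructed access.ip: the page's pattern admits only
# 192.168.10.0/24, whereas a pattern that stops before the third dot also
# admits 192.168.1.0/24, 192.168.11.0/24 through 192.168.19.0/24 and
# 192.168.100.0/24 onwards, the usual mistake with an unanchored prefix.
demo_dir=$(mktemp -d)
printf '# office LAN\n^192\\.168\\.10\\.\n' > "$demo_dir/access.ip"
printf '^192\\.168\\.1\n' > "$demo_dir/loose.ip"
printf '%s\n' '== access.ip: ^192\.168\.10\.'
access_ip_report "$demo_dir/access.ip" 192.168.10.42 192.168.100.42 10.192.168.10
printf '%s\n' '== loose.ip: ^192\.168\.1'
access_ip_report "$demo_dir/loose.ip" 192.168.10.42 192.168.100.42 192.168.20.42
rm -rf "$demo_dir"
```

     Run it with sh; the first report allows only 192.168.10.42, the second also allows
     192.168.100.42.  Point access_ip_report at the real db/access.ip and at the addresses
     of hosts that should and should not be admitted to confirm a rule before deploying it.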

STARTING THE PROXY

     The last step is starting ffproxy.  Keep in mind that we run the program change-rooted to
     /var/ffproxy, so file names are relative to the new root.

           cd /var/ffproxy ; /usr/local/bin/ffproxy -f ffproxy.conf

     starts ffproxy.  Now test if it works correctly.  If not, change ffproxy.conf and/or read
     ffproxy(8) and ffproxy.conf(5).

     ffproxy is not running as a daemon right now.  If everything seems to work, simply shut down
     the proxy by pressing CTRL-C, set `daemonize yes' in the configuration file and start
     ffproxy again.
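     The following is an added example, not part of ffproxy or its sample.config, that ties the
     COPYING FILES, SECURING and STARTING THE PROXY steps together: one function writes the
     hardened directives shown above into a config file, and a pre-flight function checks the
     config and the working directory before the proxy is started, so a forgotten uid/gid
     line, a db_files_path that is still absolute, or a missing etc/resolv.conf is caught before
     the first connection.  The paths, the _ffproxy account name and the bind address are
     assumptions; adjust them for your site.

```sh
# Added example (not part of ffproxy or its sample.config): write the
# hardened settings from the SECURING section into a config file and check
# a working directory before the proxy is started.  The paths, the
# _ffproxy account and the bind address are assumptions; adjust them.

# Write a minimal ffproxy.conf with the recommended security settings.
# $1 = config file to write, $2 = chroot/working directory,
# $3 = unprivileged user and group name, $4 = IPv4 address to listen on
ffproxy_write_conf() {
    cat > "$1" <<EOF
# generated by ffproxy_write_conf (example, not the shipped sample.config)
# drop privileges: both uid and gid must be set or the change is disabled
uid $3
gid $3
# change root to the working directory (only together with uid and gid)
chroot_dir $2
# db/ and html/ are looked up after chroot(2), so the path is relative
db_files_path .
# listen on the LAN address only, not on every interface
bind_ipv4 $4
EOF
}

# Print the value of directive $2 from config $1 (first active line wins;
# commented-out lines such as "#uid proxy" are ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Pre-flight check for the SECURING and COPYING FILES steps.
# $1 = config file, $2 = directory the proxy will chroot(2) into.
# Returns 0 when every check passes, 1 otherwise, one message per problem.
ffproxy_preflight() {
    conf=$1; root=$2; rc=0
    # without both uid and gid the proxy keeps the privileges it started with
    [ -n "$(conf_get "$conf" uid)" ] && [ -n "$(conf_get "$conf" gid)" ] \
        || { echo "uid/gid not set: privileges would not be dropped"; rc=1; }
    # chroot_dir must be the working directory prepared under COPYING FILES
    [ "$(conf_get "$conf" chroot_dir)" = "$root" ] \
        || { echo "chroot_dir is not $root"; rc=1; }
    # db_files_path is resolved inside the new root (default /var/ffproxy),
    # so "/var/ffproxy" would become /var/ffproxy/var/ffproxy after chroot
    dbp=$(conf_get "$conf" db_files_path)
    dbp=${dbp:-/var/ffproxy}
    [ -d "$root/$dbp/db" ] && [ -d "$root/$dbp/html" ] \
        || { echo "db/ and html/ not reachable via db_files_path '$dbp' inside $root"; rc=1; }
    # name resolution inside the chroot needs a copy of /etc/resolv.conf
    [ -f "$root/etc/resolv.conf" ] \
        || { echo "missing $root/etc/resolv.conf: no DNS inside the chroot"; rc=1; }
    return $rc
}
```

     After the files have been copied as described above, a call such as
     ffproxy_preflight /var/ffproxy/ffproxy.conf /var/ffproxy prints one line per problem and
     exits non-zero, which makes it suitable as a guard in the start script before ffproxy is
     invoked with -f.  The checks only inspect the configuration and directory layout; the user
     creation and chown steps still have to be done as root as shown in SECURING.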

TRANSPARENT OPERATION

     The proxy allows transparent operation, that is, HTTP traffic is redirected to the proxy,
     which simulates an HTTP server so that the users don't have to specify a proxy server.
     This also allows forcing the use of a proxy server.  To do that, you will have to configure
     your NAT accordingly.  On OpenBSD you'll want a line like

           rdr on rl0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

     in /etc/pf.conf.  See your NAT's documentation for details on how to do this.

VERSION

     This manual documents ffproxy 1.6 (2005-01-05).

SEE ALSO

     ffproxy(8), ffproxy.conf(5), pf.conf(5)

                                           Jan 5, 2005