1. ##
2. ## tinyproxy.conf -- tinyproxy daemon configuration file
3. ##
4. ## This example tinyproxy.conf file contains example settings
5. ## with explanations in comments. For decriptions of all
6. ## parameters, see the tinproxy.conf(5) manual page.
7. ##
8.  
9. #
10. # User/Group: This allows you to set the user and group that will be
11. # used for tinyproxy after the initial binding to the port has been done
12. # as the root user. Either the user or group name or the UID or GID
13. # number may be used.
14. #
15. User nobody
16. Group nogroup
17.  
18. #
19. # Port: Specify the port which tinyproxy will listen on.  Please note
20. # that should you choose to run on a port lower than 1024 you will need
21. # to start tinyproxy using root.
22. #
23. Port 3128
24.  
25. #
26. # Listen: If you have multiple interfaces this allows you to bind to
27. # only one. If this is commented out, tinyproxy will bind to all
28. # interfaces present.
29. #
30. Listen 127.0.0.1
31.  
32. #
33. # Bind: This allows you to specify which interface will be used for
34. # outgoing connections.  This is useful for multi-home'd machines where
35. # you want all traffic to appear outgoing from one particular interface.
36. #
37. #Bind 192.168.0.1
38.  
39. #
40. # BindSame: If enabled, tinyproxy will bind the outgoing connection to the
41. # ip address of the incoming connection.
42. #
43. #BindSame yes
44.  
45. #
46. # Timeout: The maximum number of seconds of inactivity a connection is
47. # allowed to have before it is closed by tinyproxy.
48. #
49. Timeout 600
50.  
51. #
52. # ErrorFile: Defines the HTML file to send when a given HTTP error
53. # occurs.  You will probably need to customize the location to your
54. # particular install.  The usual locations to check are:
55. #   /usr/local/share/tinyproxy
56. #   /usr/share/tinyproxy
57. #   /etc/tinyproxy
58. #
59. #ErrorFile 404 "/usr/share/tinyproxy/404.html"
60. #ErrorFile 400 "/usr/share/tinyproxy/400.html"
61. #ErrorFile 503 "/usr/share/tinyproxy/503.html"
62. #ErrorFile 403 "/usr/share/tinyproxy/403.html"
63. #ErrorFile 408 "/usr/share/tinyproxy/408.html"
64.  
65. #
66. # DefaultErrorFile: The HTML file that gets sent if there is no
67. # HTML file defined with an ErrorFile keyword for the HTTP error
68. # that has occured.
69. #
70. DefaultErrorFile "/dev/null"
71. #DefaultErrorFile "/etc/null.html"
72.  
73. #
74. # StatHost: This configures the host name or IP address that is treated
75. # as the stat host: Whenever a request for this host is received,
76. # Tinyproxy will return an internal statistics page instead of
77. # forwarding the request to that host.  The default value of StatHost is
78. # tinyproxy.stats.
79. #
80. #StatHost "tinyproxy.stats"
81. #
82.  
83. #
84. # StatFile: The HTML file that gets sent when a request is made
85. # for the stathost.  If this file doesn't exist a basic page is
86. # hardcoded in tinyproxy.
87. #
88. StatFile "/usr/share/tinyproxy/stats.html"
89.  
90. #
91. # LogFile: Allows you to specify the location where information should
92. # be logged to.  If you would prefer to log to syslog, then disable this
93. # and enable the Syslog directive.  These directives are mutually
94. # exclusive.
95. #
96. LogFile "/var/log/tinyproxy/tinyproxy.log"
97.  
98. #
99. # Syslog: Tell tinyproxy to use syslog instead of a logfile.  This
100. # option must not be enabled if the Logfile directive is being used.
101. # These two directives are mutually exclusive.
102. #
103. #Syslog On
104.  
105. #
106. # LogLevel:
107. #
108. # Set the logging level. Allowed settings are:
109. #       Critical        (least verbose)
110. #       Error
111. #       Warning
112. #       Notice
113. #       Connect         (to log connections without Info's noise)
114. #       Info            (most verbose)
115. #
116. # The LogLevel logs from the set level and above. For example, if the
117. # LogLevel was set to Warning, then all log messages from Warning to
118. # Critical would be output, but Notice and below would be suppressed.
119. #
120. #LogLevel Info
121. LogLevel Critical
122.  
123. #
124. # PidFile: Write the PID of the main tinyproxy thread to this file so it
125. # can be used for signalling purposes.
126. #
127. PidFile "/var/run/tinyproxy/tinyproxy.pid"
128.  
129. #
130. # XTinyproxy: Tell Tinyproxy to include the X-Tinyproxy header, which
131. # contains the client's IP address.
132. #
133. #XTinyproxy Yes
134.  
135. #
136. # Upstream:
137. #
138. # Turns on upstream proxy support.
139. #
140. # The upstream rules allow you to selectively route upstream connections
141. # based on the host/domain of the site being accessed.
142. #
143. # For example:
144. #  # connection to test domain goes through testproxy
145. #  upstream testproxy:8008 ".test.domain.invalid"
146. #  upstream testproxy:8008 ".our_testbed.example.com"
147. #  upstream testproxy:8008 "192.168.128.0/255.255.254.0"
148. #
149. #  # no upstream proxy for internal websites and unqualified hosts
150. #  no upstream ".internal.example.com"
151. #  no upstream "www.example.com"
152. #  no upstream "10.0.0.0/8"
153. #  no upstream "192.168.0.0/255.255.254.0"
154. #  no upstream "."
155. #
156. #  # connection to these boxes go through their DMZ firewalls
157. #  upstream cust1_firewall:8008 "testbed_for_cust1"
158. #  upstream cust2_firewall:8008 "testbed_for_cust2"
159. #
160. #  # default upstream is internet firewall
161. #  upstream firewall.internal.example.com:80
162. #
163. # The LAST matching rule wins the route decision.  As you can see, you
164. # can use a host, or a domain:
165. #  name     matches host exactly
166. #  .name    matches any host in domain "name"
167. #  .        matches any host with no domain (in 'empty' domain)
168. #  IP/bits  matches network/mask
169. #  IP/mask  matches network/mask
170. #
171. #Upstream some.remote.proxy:port
172.  
173. #
174. # MaxClients: This is the absolute highest number of threads which will
175. # be created. In other words, only MaxClients number of clients can be
176. # connected at the same time.
177. #
178. MaxClients 100
179.  
180. #
181. # MinSpareServers/MaxSpareServers: These settings set the upper and
182. # lower limit for the number of spare servers which should be available.
183. #
184. # If the number of spare servers falls below MinSpareServers then new
185. # server processes will be spawned.  If the number of servers exceeds
186. # MaxSpareServers then the extras will be killed off.
187. #
188. MinSpareServers 5
189. MaxSpareServers 10
190.  
191. #
192. # StartServers: The number of servers to start initially.
193. #
194. StartServers 2
195.  
196. #
197. # MaxRequestsPerChild: The number of connections a thread will handle
198. # before it is killed. In practise this should be set to 0, which
199. # disables thread reaping. If you do notice problems with memory
200. # leakage, then set this to something like 10000.
201. #
202. MaxRequestsPerChild 1000
203.  
204. #
205. # Allow: Customization of authorization controls. If there are any
206. # access control keywords then the default action is to DENY. Otherwise,
207. # the default action is ALLOW.
208. #
209. # The order of the controls are important. All incoming connections are
210. # tested against the controls based on order.
211. #
212. Allow 127.0.0.1
213.  
214. #
215. # AddHeader: Adds the specified headers to outgoing HTTP requests that
216. # Tinyproxy makes. Note that this option will not work for HTTPS
217. # traffic, as Tinyproxy has no control over what headers are exchanged.
218. #
219. #AddHeader "X-My-Header" "Powered by Tinyproxy"
220.  
221. #
222. # ViaProxyName: The "Via" header is required by the HTTP RFC, but using
223. # the real host name is a security concern.  If the following directive
224. # is enabled, the string supplied will be used as the host name in the
225. # Via header; otherwise, the server's host name will be used.
226. #
227. ViaProxyName "tinyproxy"
228.  
229. #
230. # DisableViaHeader: When this is set to yes, Tinyproxy does NOT add
231. # the Via header to the requests. This virtually puts Tinyproxy into
232. # stealth mode. Note that RFC 2616 requires proxies to set the Via
233. # header, so by enabling this option, you break compliance.
234. # Don't disable the Via header unless you know what you are doing...
235. #
236. #DisableViaHeader Yes
237.  
238. #
239. # Filter: This allows you to specify the location of the filter file.
240. #
241. Filter "/etc/filter"
242.  
243. #
244. # FilterURLs: Filter based on URLs rather than domains.
245. #
246. FilterURLs On
247.  
248. #
249. # FilterExtended: Use POSIX Extended regular expressions rather than
250. # basic.
251. #
252. #FilterExtended On
253.  
254. #
255. # FilterCaseSensitive: Use case sensitive regular expressions.
256. #
257. FilterCaseSensitive Off
258.  
259. #
260. # FilterDefaultDeny: Change the default policy of the filtering system.
261. # If this directive is commented out, or is set to "No" then the default
262. # policy is to allow everything which is not specifically denied by the
263. # filter file.
264. #
265. # However, by setting this directive to "Yes" the default policy becomes
266. # to deny everything which is _not_ specifically allowed by the filter
267. # file.
268. #
269. FilterDefaultDeny No
270.  
271. #
272. # Anonymous: If an Anonymous keyword is present, then anonymous proxying
273. # is enabled.  The headers listed are allowed through, while all others
274. # are denied. If no Anonymous keyword is present, then all headers are
275. # allowed through.  You must include quotes around the headers.
276. #
277. # Most sites require cookies to be enabled for them to work correctly, so
278. # you will need to allow Cookies through if you access those sites.
279. #
280. Anonymous "Host"
281. Anonymous "Authorization"
282. Anonymous "Cookie"
283. Anonymous "Connection"
284. Anonymous "Accept"
285. Anonymous "Accept-Encoding"
286. Anonymous "Cache-Control"
287. Anonymous "If-Modified-Since"
288. Anonymous "If-None-Match"
289. Anonymous "User-Agent"
290. #AddHeader "User-Agent" "'; OR 1 = 1 --<script>alert(3);</script>"
291.  
292. #
293. # ConnectPort: This is a list of ports allowed by tinyproxy when the
294. # CONNECT method is used.  To disable the CONNECT method altogether, set
295. # the value to 0.  If no ConnectPort line is found, all ports are
296. # allowed (which is not very secure.)
297. #
298. # The following two ports are used by SSL.
299. #
300. ConnectPort 443
301. ConnectPort 563
302.  
303. #
304. # Configure one or more ReversePath directives to enable reverse proxy
305. # support. With reverse proxying it's possible to make a number of
306. # sites appear as if they were part of a single site.
307. #
308. # If you uncomment the following two directives and run tinyproxy
309. # on your own computer at port 8888, you can access Google using
310. # http://localhost:8888/google/ and Wired News using
311. # http://localhost:8888/wired/news/. Neither will actually work
312. # until you uncomment ReverseMagic as they use absolute linking.
313. #
314. #ReversePath "/google/" "http://www.google.com/"
315. #ReversePath "/wired/"  "http://www.wired.com/"
316.  
317. #
318. # When using tinyproxy as a reverse proxy, it is STRONGLY recommended
319. # that the normal proxy is turned off by uncommenting the next directive.
320. #
321. #ReverseOnly Yes
322.  
323. #
324. # Use a cookie to track reverse proxy mappings. If you need to reverse
325. # proxy sites which have absolute links you must uncomment this.
326. #
327. #ReverseMagic Yes
328.  
329. #
330. # The URL that's used to access this reverse proxy. The URL is used to
331. # rewrite HTTP redirects so that they won't escape the proxy. If you
332. # have a chain of reverse proxies, you'll need to put the outermost
333. # URL here (the address which the end user types into his/her browser).
334. #
335. # If not set then no rewriting occurs.
336. #
337. #ReverseBaseURL "http://localhost:8888/"
338.  
339.  
340.