Это не документация, это туториал!
А я, в отличие от, читаю и документацию в том числе.
Боевой конфиг, есличо.
А я, в отличие от, читаю и документацию в том числе.
#!/opt/3proxy/bin/3proxy
# Yes, 3proxy.cfg can be executable, in this case you should place
# something like
# monitor "/usr/sbin/3proxy/cfg/3proxy.sh"
# config "/usr/sbin/3proxy/cfg/3proxy.sh"
# to show which configuration 3proxy should re-read on reload.
#system "echo Hello world!"
# you may use system to execute some external command if proxy starts
# We can configure nservers to avoid unsafe gethostbyname() usage
# Only the local resolver is configured; the second nserver stays commented
# out, so presumably there is no fallback if 127.0.0.1:53 stops answering —
# verify on the host.
nserver 127.0.0.1
#nserver 192.168.1.2
# nscache is good to save speed, traffic and bandwidth
nscache 65536
#nsrecord porno.security.nnov.ru 0.0.0.0
# nobody will be able to access porno.security.nnov.ru by the name.
#nsrecord wpad.security.nnov.ru www.security.nnov.ru
# wpad.security.nnov.ru will resolve to www.security.nnov.ru for
# clients
# timeouts <BYTE_SHORT> <BYTE_LONG> <STRING_SHORT> <STRING_LONG> <CONNECTION_SHORT> <CONNECTION_LONG> <DNS> <CHAIN>
# Sets timeout values
#
# BYTE_SHORT (1) - short timeout for single byte, is usually used for receiving
# single byte from stream.
# BYTE_LONG (5) - long timeout for single byte, is usually used for receiving
# first byte in frame (for example first byte in socks request).
# STRING_SHORT (30) - short timeout, for character string within stream (for
# example to wait between 2 HTTP headers)
# STRING_LONG (60) - long timeout, for first string in stream (for example to
# wait for HTTP request).
# CONNECTION_SHORT (180) - inactivity timeout for short connections (HTTP, POP3,
# etc).
# CONNECTION_LONG (1800) - inactivity timeout for long connection (SOCKS,
# portmappers, etc).
# DNS (15) - timeout for DNS request before requesting next server
# CHAIN (60) - timeout for reading data from chained connection
# The timeouts line below is commented out, so the bracketed defaults above
# are presumably what this instance runs with.
#timeouts 30 60 30 120 180 1800 5 60
#users 3APA3A:CL:3apa3a "test:CR:$1$qwer$CHFTUFGqkjue9HyhcMHEe1"
# note that "" required, otherwise $... is treated as include file name.
# $1$qwer$CHFTUFGqkjue9HyhcMHEe1 is 'test' in MD5 crypt format.
# (Both users lines are the stock 3proxy examples and are disabled; no user
# list is active anywhere in this file, which is consistent with every active
# auth line being "none" or "iponly" — no password is ever checked.)
#users $/usr/local/etc/3proxy/passwd
# this example shows you how to include passwd file. For included files
# <CR> and <LF> are treated as field separators.
daemon
# now we will not depend on any console (daemonize). daemon must be given
# before any significant command on *nix.
pidfile /var/run/3proxy.pid
# pidfile lets init scripts find and signal the daemon. Note that the
# chroot/setgid/setuid lines further down in this file are commented out, so
# the process keeps whatever rights it was started with.
#service
# service is required under NT if you want 3proxy to start as service
# deprecated since 0.6-dev
#log /usr/local/etc/3proxy/logs/3proxy.log D
log "/var/log/3proxy/%Y-%m-%d-main.log" D
# log allows to specify log file location and rotation, D means logfile
# is created daily
#logformat "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
#logformat "Linsert into log (l_date, l_user, l_service, l_in, l_out, l_descr) values ('%d-%m-%Y %H:%M:%S', '%U', '%N', %I, %O, '%T')"
#Compatible with Squid access.log:
#
#"- +_G%t.%. %D %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"
#or, more compatible format without %D
#"- +_G%t.%. 1 %C TCP_MISS/200 %I %1-1T %2-2T %U DIRECT/%R application/unknown"
#
#Compatible with ISA 2000 proxy WEBEXTD.LOG (fields are TAB-delimited):
#
#"- + L%C %U Unknown Y %Y-%m-%d %H:%M:%S w3proxy 3PROXY - %n %R %r %D %O %I http TCP %1-1T %2-2T - - %E - - -"
#
#Compatible with ISA 2004 proxy WEB.w3c
#
#"- + L%C %U Unknown %Y-%m-%d %H:%M:%S 3PROXY - %n %R %r %D %O %I http %1-1T %2-2T - %E - - Internal External 0x0 Allowed"
#
#Compatible with ISA 2000/2004 firewall FWSEXTD.log (fields are TAB-delimited):
#
#"- + L%C %U unnknown:0:0.0 N %Y-%m-%d %H:%M:%S fwsrv 3PROXY - %n %R %r %D %O %I %r TCP Connect - - - %E - - - - -"
#
#Compatible with HTTPD standard log (Apache and others)
#
#"-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" %E %I"
#or more compatible without error code
#"-""+_L%C - %U [%d/%o/%Y:%H:%M:%S %z] ""%T"" 200 %I"
# in log file we want to have underscores instead of spaces
# Active format: local time (L prefix), service:port, the user name wrapped in
# literal quotes (the doubled "" is the quote escape, as in the Apache samples
# above), client address:port, (hostname)target:port/error code, bytes out,
# bytes in, and the request text %T. Client IP, target and request are all
# logged, so these files hold browsing history and should be readable by the
# daemon only.
logformat "L%Y.%m.%d %H:%M:%S.%. %N:%p ""%U"" %C:%c (%h)%R:%r/%E %O %I %T"
#archiver gz /bin/gzip %F
#archiver zip zip -m -qq %A %F
#archiver zip pkzipc -add -silent -move %A %F
# rar is invoked with -df (delete files after archiving) and -inul (no
# messages), so it is the archiver, not 3proxy, that removes the closed log —
# exactly what the note below asks for.
archiver rar rar a -df -inul %A %F
# if archiver specified log file will be compressed after closing.
# you should specify extension, path to archiver and command line, %A will be
# substituted with archive file name, %F - with original file name.
# Original file will not be removed, so archiver should care about it.
rotate 30
# We will keep last 30 log files
#auth iponly
#auth nbname
#auth strong
# auth specifies type of user authentication. If you specify none proxy
# will not do anything to check name of the user. If you specify
# nbname proxy will send NetBIOS name request packet to UDP/137 of
# client and parse request for NetBIOS name of messenger service.
# Strong means that proxy will check password. For strong authentication
# unknown user will not be allowed to use proxy regardless of ACL.
# If you do not want username to be checked but wanna ACL to work you should
# specify auth iponly.
# In other words: with "auth none" the allow/deny lists are not consulted at
# all; "auth iponly" is the minimum needed for the ACLs in this file to have
# any effect.
auth none
#allow <userlist> <sourcelist> <targetlist> <targetportlist> <operationlist> <weekdayslist> <timeperiodslist>
#allow ADMINISTRATOR,root
#allow * 127.0.0.1,192.168.1.1 * *
#redirect 192.168.1.2 80 * * * 80
# redirect to_host to_port from_user from_address to_host to_port
#allow * 192.168.1.0/24 * 25,53,110,20-21,1024-65535
# we will allow everything if username matches ADMINISTRATOR or root or
# client ip is 127.0.0.1 or 192.168.1.1. Otherwise we will redirect any request
# to port 80 to our Web-server 192.168.1.2 (the address in the redirect
# example above).
# We will allow any outgoing connections from network 192.168.1.0/24 to
# SMTP, POP3, FTP, DNS and unprivileged ports.
# Note, that redirect may also be used with proxy or portmapper. It will
# allow you to redirect requests to different ports or different server
# for different clients.
# sharing access to internet
#external 0.0.0.0
# external is address 3proxy uses for outgoing connections. 0.0.0.0 means any
# interface. Using 0.0.0.0 is not good because it allows to connect to 127.0.0.1
# (no external line is active in this file, so the default applies — confirm
# what the installed version uses as its default.)
#internal 192.168.10.1
# internal is address of interface proxy will listen for incoming requests
# 127.0.0.1 means only localhost will be able to use this proxy. This is
# address you should specify for clients as proxy IP.
# You MAY use 0.0.0.0 but you shouldn't, because it's a chance for you to
# have open proxy in your network in this case.
# (This file does bind one section to 0.0.0.0 further down; see the note
# there about why it relies on the allow line's source list.)
# Repeats the "auth none" already given above; it has no additional effect.
auth none
# no authentication is required for next lines
#dnspr
# dnsproxy listens on UDP/53 to answer client's DNS requests. It requires
# nserver/nscache configuration.
# === Section 1: LAN-facing services on 192.168.1.12 ===
internal 192.168.1.12
#external $./external.ip
#internal $./internal.ip
# this is just an alternative form for giving external and internal address
# allows you to read these addresses from files
#counter "/usr/sbin/3proxy/cfg/counters" D "/usr/sbin/3proxy/cfg/main.cnt"
#countin "1/kanareika" M 7168 * 10.192.85.41
# kanareika.int.nln.ru
# iponly: the client IP is the only thing checked, and it is the switch that
# makes the allow/deny lines below take effect at all.
auth iponly
# ACL for every service declared in this section. 3proxy walks the list in
# order and the first matching rule decides (verify against the docs for the
# installed version):
#   1. any client, any target, but only the well-known ports listed here;
#   2. every other privileged port, plus 3080, is refused;
#   3. the catch-all "allow *" admits anything else (all unprivileged ports).
# There is no source restriction in any rule, so every host that can reach
# 192.168.1.12 is trusted equally by this section.
allow * * * 20,21,22,23,25,80-88,110,443
# We want to protect internal interface
# 3080 is the admin interface configured further down; it trusts 127.0.0.1,
# so denying it here is presumably what stops a client from reaching it by
# looping through this proxy to 127.0.0.1:3080.
deny * * * 0-1023,3080
# and allow HTTP and HTTPS traffic.
# (The two allow lines below, now commented out, were the stricter
# HTTP/HTTPS-only variant; with them disabled the catch-all "allow *"
# applies instead.)
#allow * * * 80-88,8000-8088 HTTP
#allow * * * * HTTPS
allow *
# HTTP proxy on TCP/3128. -a and -n are the anonymous-proxy / NTLM-off
# switches in 3proxy's documentation — confirm for the installed build.
proxy -a -n -p3128
#-l"/var/log/3proxy/%Y-%m-%d-PROXY.log"
# FTP proxy on TCP/3021, same ACL as above.
ftppr -p3021
#-l"/var/log/3proxy/%Y-%m-%d-FTPPR.log"
# SOCKS on TCP/1080; the ACL above means a SOCKS client may CONNECT to any
# unprivileged port on any host.
socks -p1080
#socks -p3090
#-l"/var/log/3proxy/%Y-%m-%d-SOCKS.log"
#tcppm 3091 daemon2.darkdragon 3091
#tcppm 3092 daemon2.darkdragon 3092
#tcppm 3093 daemon2.darkdragon 3093
#tcppm 3094 daemon2.darkdragon 3094
#tcppm 3095 daemon2.darkdragon 3095
#tcppm 3096 daemon2.darkdragon 3096
#tcppm 3097 daemon2.darkdragon 3097
#tcppm 3098 daemon2.darkdragon 3098
#tcppm 3099 daemon2.darkdragon 3099
# NNTP portmap
# Fixed-target port maps: the remote host and port are hard-wired, so the
# ACL's target fields do not matter here, only that the client matches a rule.
# Binding 119 (a privileged port) presumably needs the root rights the
# commented-out setuid lines further down would otherwise drop.
tcppm 119 news.mtu.ru 119
# EVE Tranquility server
tcppm 26000 87.237.38.200 26000
# Mail forward
# tcppm 3025 smtp.tochka.ru 25
# POP3 proxy on TCP/3110; -h presumably pins the upstream server to
# pop.mtu.ru (confirm against the 3proxy manual), which would avoid the
# "pop3p can reach any port" problem described in the next section.
pop3p -p3110 -hpop.mtu.ru
# flush clears the ACL built above so the next section starts from an empty
# list; it does not reset auth or internal, which are set again explicitly.
flush
# === Section 2: SMTP wrap, bound to ALL interfaces ===
# This is the only section not bound to a single address: 0.0.0.0 makes the
# port map below reachable on every interface, including the outside.
internal 0.0.0.0
auth iponly
# The source list on this allow line is the only access control on the SMTP
# port map. xx.xx.xx.36 appears to be a redacted public address. A client from
# any other address matches no rule and is refused (3proxy's behaviour for a
# non-empty ACL — verify for the installed version). Widening this to "*"
# would turn 3025 into an open relay to smtp.xx.ru.
allow * xx.xx.xx.36,192.168.1.10
#SMTP wrap
tcppm 3025 smtp.xx.ru 25
#auth none
# pop3p will be used without any authentication. It's bad choice
# because it's possible to use pop3p to access any port
#pop3p
#tcppm 25 mail.my.provider 25
#udppm -s 53 ns.my.provider 53
# we can portmap port TCP/25 to provider's SMTP server and UDP/53
# to provider's DNS.
# Now we can use our proxy as SMTP and DNS server.
# -s switch for UDP means "single packet" service - instead of setting
# association for period of time association will only be set for 1 packet.
# It's very useful for services like DNS but not for some massive services
# like multimedia streams or online games.
# (The "auth strong" SOCKS example below is disabled; the live SOCKS listener
# is the one in section 1 under auth iponly.)
#auth strong
#flush
#allow 3APA3A,test
#maxconn 20
#socks
# for socks we will use password authentication and different access control -
# we flush previously configured ACL list and create new one to allow users
# test and 3APA3A to connect from any location
#auth strong
# === Section 3: admin interface, localhost only ===
flush
auth iponly
internal 127.0.0.1
allow * 127.0.0.1
maxconn 3
admin -p3080
#-l"/var/log/3proxy/%Y-%m-%d-ADMIN.log"
# only allow access to admin interface from the 127.0.0.1 address
# via 127.0.0.1 address. Note the auth mode here is iponly, not strong, so
# there is no user check: the stock comment about "user 3APA3A" does not apply
# and anything running on this host can reach the admin page.
# maxconn 3 caps concurrent admin sessions.
# map external 80 and 443 ports to internal Web server
# examples below show how to use 3proxy to publish Web server in internal
# network to Internet. We must switch internal and external addresses and
# flush any ACLs
#auth none
#flush
#external $./internal.ip
#internal $./external.ip
#maxconn 300
#tcppm 80 websrv 80
#tcppm 443 websrv 443
#chroot /usr/local/jail
#setgid 65535
#setuid 65535
# now we needn't any root rights. We can chroot and setgid/setuid.
# (All three privilege-drop lines are commented out in this file, so the
# daemon keeps the rights it was started with for its whole lifetime.)
# === Section 4: fixed port map with no access control ===
flush
# auth none: per the explanation earlier in this file, the ACL is not consulted
# at all in this mode, so presumably every host that can reach
# 192.168.1.12:2106 is forwarded. The exposure is bounded by the hard-wired
# target below, but this is the only live listener in the file with no
# source check; "auth iponly" plus an allow line would close that gap.
auth none
internal 192.168.1.12
tcppm 2106 216.107.242.199 2106