tproxy(8)

NAME
tproxy - transparently re-direct HTTP requests to an HTTP cache.

SYNOPSIS
tproxy [ -t | -p ] [ -f forced-url ] [ -s bind-port
[ -d ] [ -b bind-address ] [ -r runas-uid ] [ -a access-ip-address ] ]
[ -l log-file ] proxyhost proxyport
DESCRIPTION
tproxy accepts HTTP requests and forwards them to a cache host. If the
HTTP request has been transparently re-directed, the URL is re-written
so that the cache host knows which web server to fetch the document
from. tcp_wrappers is used to provide host access control.

The proxy-cache host's address and port are given by proxyhost and
proxyport.
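The re-write described above can be modelled in a few lines. The following is an added example, not tproxy's own code: it takes a captured request, works out the web server the client meant to reach, and either re-writes the request line into the absolute form a cache expects (the default) or leaves it untouched and returns the origin server as the destination (the -t mode described under OPTIONS). The cache address, the sample requests and the fallback to the redirected socket's original destination when the client sent no Host header are all assumptions of this example.

```python
"""Model of a transparent proxy's routing and request-line re-write.

Added example, not tproxy's own code. PROXY, the sample requests and the
orig_dst fallback are constructed assumptions for illustration.
"""

PROXY = ("192.168.1.1", 8080)   # constructed stand-in for proxyhost proxyport


def _split_request(raw: bytes):
    """Split a raw HTTP request into request-line parts, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines, method, target, version, headers, sep, body


def origin_server(headers, orig_dst):
    """Work out the web server the client intended to reach.

    Prefer the Host header; without one (HTTP/1.0 clients) fall back to the
    destination the redirected socket was captured for (assumption).
    """
    host = headers.get(b"host")
    if host is not None:
        name, _, port = host.partition(b":")
        return name.decode(), int(port) if port else 80
    return orig_dst


def route_request(raw: bytes, orig_dst, transparent: bool = False):
    """Return (destination, request_bytes) for one captured request.

    transparent=False models the default: send the cache an absolute URL.
    transparent=True models -t: connect to the intended server and send
    the real (unchanged) request.
    """
    lines, method, target, version, headers, sep, body = _split_request(raw)
    if target.startswith(b"http://"):
        # Browser is already configured for a proxy: nothing to re-write.
        return PROXY, raw
    if not target.startswith(b"/"):
        raise ValueError(f"unsupported request target {target!r}")
    host, port = origin_server(headers, orig_dst)
    if transparent:
        return (host, port), raw
    authority = host.encode() if port == 80 else f"{host}:{port}".encode()
    lines[0] = b" ".join([method, b"http://" + authority + target, version])
    return PROXY, b"\r\n".join(lines) + sep + body


if __name__ == "__main__":
    # Constructed sample request as a browser would send it after redirection.
    sample = (b"GET /index.html HTTP/1.0\r\n"
              b"Host: www.example.com\r\n"
              b"User-Agent: constructed\r\n\r\n")
    dest, req = route_request(sample, ("192.0.2.10", 80))
    print(dest, req.split(b"\r\n")[0])
    dest, req = route_request(sample, ("192.0.2.10", 80), transparent=True)
    print(dest, req.split(b"\r\n")[0])
```

A request that already carries an absolute URL is passed to the cache unchanged, because the client was configured for the proxy rather than redirected.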
OPTIONS
-t
Operate in a fully transparent mode. Instead of connecting to a
proxy and sending a re-written URL, connect only to the intended
destination and send the real URL. This option can be used to
allow tproxy to operate as an HTTP gateway (or proxy) on a
firewall.
-p
Operate in proxy-only mode. Normally, if the connection to the
proxy fails, tproxy will try to connect transparently to the
intended destination. However, for some sites this will never
work and it is better to simply fail the connection.
-f url
Force all accesses to be sent to the specified URL. tproxy
checks for accesses that are referred by this forced URL and
allows them to pass. This allows images on the forced URL to
work.
-s port
Run as a server and bind to the specified port. Alternatively
tproxy may be run from either inetd or a program such as
tcpserver. In these cases this option is not given.
-d
When running as a server, do not background the daemon. Useful
when tproxy is started from inetd or from the supplied
tproxywatch program.
-b ipaddr
Bind to the specified IP address. When run as a server tproxy
will not accept requests sent to any other address when the host
has multiple addresses.
-r user
Run as the specified user. The user must exist in the
/etc/passwd database so that its uid and gid can be obtained.
-a access-ipaddr
Provide an IP address, network, sub-net, or super-net to allow
access. May be specified more than once. If the host portion of
the address is non-zero then the address refers to a host,
otherwise it is assumed to refer to a network. The number of bits
may be given in CIDR notation to specify a sub-net or super-net.
-l log-file
Log all accesses to the specified file. The logfile will
indicate whether the request was done transparently, was done
without DNS activity, or required DNS activity.
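The -a and -f rules above are easy to get subtly wrong when re-implemented, so here is an added example (not tproxy's own code) that encodes them as described: a CIDR entry is taken literally, an entry with a non-zero host portion becomes a single host, and an entry with a zero host portion becomes a network; the -f check lets through only the forced URL itself and requests that carry it as their Referer. One assumption is made that the page does not state: when no bit count is given and the host portion is zero, the classful mask (A /8, B /16, C /24) is used to decide what "host portion" means.

```python
"""Model of the -a access list and the -f forced-url check.

Added example, not tproxy's own code. Assumption: an entry without
"/bits" whose host portion is zero is given its classful mask; the page
does not say how tproxy itself infers the mask.
"""
import ipaddress


def parse_access_entry(entry: str) -> ipaddress.IPv4Network:
    """Turn one -a argument into the network it grants access to."""
    if "/" in entry:
        # CIDR form covers sub-nets and super-nets alike. strict=True
        # rejects entries with host bits set rather than silently widening
        # the allow list.
        return ipaddress.IPv4Network(entry, strict=True)
    addr = ipaddress.IPv4Address(entry)
    first_octet = int(addr) >> 24
    # Classful mask used only to decide what the "host portion" is (assumption).
    classful = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    net = ipaddress.IPv4Network((int(addr), classful), strict=False)
    if net.network_address != addr:
        # Host portion non-zero: the entry names a single host.
        return ipaddress.IPv4Network((int(addr), 32))
    # Host portion zero: the entry names the whole network.
    return net


def client_allowed(client_ip: str, entries) -> bool:
    """True if the connecting client falls inside any -a entry."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_access_entry(e) for e in entries)


def forced_url_passes(request_url: str, referer, forced_url: str) -> bool:
    """-f: only the forced URL itself, or a request referred by it, passes.

    Anything else would be sent to the forced URL instead.
    """
    return request_url == forced_url or referer == forced_url


if __name__ == "__main__":
    # Constructed access list as it might be given with several -a options.
    acl = ["192.168.1.0", "10.1.2.3", "172.16.0.0/12"]
    for ip in ("192.168.1.77", "10.1.2.3", "10.1.2.4", "172.20.5.6"):
        print(ip, client_allowed(ip, acl))
    print(forced_url_passes("http://portal.example/logo.gif",
                            "http://portal.example/", "http://portal.example/"))
```

Rejecting CIDR entries with stray host bits is a deliberate choice here: an operator who types 192.168.1.0/16 almost certainly did not mean to admit the whole /16, and failing loudly at start-up is safer than widening the allow list.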
FINE POINTS
tproxy is not an all-in-one transparent proxy solution. It requires
support from the operating system, and configuration from the system
administrator, to transparently capture HTTP requests.
tproxyrun provides an example script to add firewall commands and start
tproxy running. It currently supports FreeBSD-3.x and various versions
of Linux. See the environment variable definitions at the top of the
file.
tproxywatch provides a mechanism for ensuring that tproxy is re-started
should it fail. Whenever tproxy exits, an email is sent to the root
account and then tproxy is re-started.
FreeBSD-3.x provides two methods of transparently capturing packets.
The first is ipfw(8) using the following example configuration.
ipfw add 1000 allow tcp from 192.168.1.1 to any 80
ipfw add 1001 fwd 192.168.1.1,8081 tcp from any to any 80
The second is ipnat(1) using the following example configuration. Note
that a rule is required for every interface you wish to transparently
re-direct for.
rdr ppp0 0.0.0.0/0 port 80 -> 192.168.1.1 port 8081
Linux provides the same mechanism with either the ipchains(8) command,
kernels 2.1.x and up, using the following example configuration.
ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8081
Or the ipfwadm(8) command, kernels 2.0.x, using the following example
configuration.
ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 8081
SEE ALSO
hosts_access(5), tcpserver(1), ipfw(8), ipnat(1), ipfwadm(8),
ipchains(8)

AUTHORS
Written by John Saunders <john@nlc.net.au>

Copyright 1998, 1999, 2000 NORTHLINK COMMUNICATIONS PTY LTD. All
rights reserved.