FreeBSD Manual Pages

NAME
       ffproxy.quick -- filtering HTTP/HTTPS proxy server quick introduction

DESCRIPTION
       ffproxy is a filtering HTTP/HTTPS proxy server.  It is capable of
       filtering by host, URL, and header.  Custom header entries can be
       created for filtering.  It can also drop privileges and optionally
       chroot(8) to a chosen directory.  Logging to syslog(3) is supported, as
       is using another auxiliary proxy server.  An HTTP accelerator feature
       is also included.  Contacting IPv6 servers as well as binding to IPv6
       is supported, which allows transparent IPv6 over IPv4 browsing (and
       vice versa).

       This manual describes how to set up a basic HTTP proxy installation.
       It is assumed that you already have the program or have installed it
       via port or package.

COPYING FILES
       The program comes with default configuration files that contain both
       examples and suggested entries.  You can simply copy them to a
       directory of your choice.  This directory will become the program's
       working directory.

	     mkdir /var/ffproxy
	     tar cf - db/ html/ | ( cd /var/ffproxy ; tar xf - )
	     cp sample.config /var/ffproxy/ffproxy.conf

       The above example installs all needed files to /var/ffproxy, which is
       ffproxy's default working directory.

SECURING
       The proxy now has its own working directory.  By default, ffproxy does
       not change UID/GID after start.  For security reasons we want to
       enable this.  You now have two choices: either use an existing UID/GID
       or add a custom UID/GID for ffproxy.  See adduser(8) or useradd(8),
       depending on your system, on how to create new IDs.

       Edit ffproxy.conf and change the lines containing uid and gid:

	     # change UID and GID
	     #
	     # to use, both uid and gid must be set
	     # (disabled by default)
	     #uid proxy
	     #gid proxy
	     uid _ffproxy
	     gid _ffproxy

       In addition to changing UID and GID, ffproxy should be executed
       change-rooted to its working directory.  So we change chroot_dir and
       db_files_path in the configuration file:

	     # change root to (only in connection with uid and gid change)
	     # (disabled by default)
	     chroot_dir /var/ffproxy

	     # path to db/ and html/ directories
	     # (default: /var/ffproxy)
	     db_files_path .

       db_files_path must be changed, too, since it is relative to the new
       root.  Finally, we copy /etc/resolv.conf to ffproxy's home to enable
       DNS in the chroot, and chown /var/ffproxy so the proxy's master process
       can write its PID file:

	     mkdir /var/ffproxy/etc
	     cp /etc/resolv.conf /var/ffproxy/etc/
	     chmod 750 /var/ffproxy
	     chown _ffproxy:_ffproxy /var/ffproxy
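
       A way to check the result of the steps above before starting the
       proxy.  This is an added example, not part of ffproxy or its manual;
       the function names conf_value and check_ffproxy_conf are hypothetical,
       and it assumes the "key value" line syntax shown in the excerpts.

```sh
#!/bin/sh
# Added example: audit the settings from the SECURING section.
# conf_value FILE KEY: value of the last uncommented "KEY value" line.
conf_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# check_ffproxy_conf FILE: print one finding per line; return 1 if any.
check_ffproxy_conf() {
    conf=$1 rc=0
    uid=$(conf_value "$conf" uid)
    gid=$(conf_value "$conf" gid)
    root=$(conf_value "$conf" chroot_dir)
    dbp=$(conf_value "$conf" db_files_path)
    dbp=${dbp:-/var/ffproxy}          # default stated in the sample config

    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "uid and gid must both be set, or privileges are not dropped"; rc=1
    fi
    if [ -z "$root" ]; then
        echo "chroot_dir is not set"; rc=1
    else
        case $dbp in
            /*) echo "db_files_path $dbp is absolute; it is resolved inside the chroot"; rc=1 ;;
        esac
        if [ ! -f "$root/etc/resolv.conf" ]; then
            echo "$root/etc/resolv.conf is missing; DNS fails inside the chroot"; rc=1
        fi
    fi
    return "$rc"
}

# Constructed demo: chroot enabled, but uid/gid still commented out and
# db_files_path left at its default.
demo=$(mktemp -d)
printf '%s\n' '#uid proxy' '#gid proxy' "chroot_dir $demo" > "$demo/ffproxy.conf"
check_ffproxy_conf "$demo/ffproxy.conf" || true
rm -rf "$demo"
```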

ACCESS TO THE PROXY
       By default, nobody is allowed to connect to ffproxy.  Let's say we
       want to provide LAN users a filtering proxy to shut out malicious
       content coming from the Internet.  So the proxy has to be listening on
       the local network interface only.  We change bind_ipv4 and bind_ipv6
       appropriately in ffproxy.conf:

	     bind_ipv4 filter.cybersewage.org
	     bind_ipv6 filter6.cybersewage.org

       Additionally, we have to change db/access.ip.  With, for example,

	     ^192\.168\.10\.

       we allow 192.168.10.0/24 to use our proxy.
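
       The anchor and the escaped dots in that entry are what keep it to the
       /24.  The following added example (not from the ffproxy distribution)
       tests candidate entries against constructed client addresses; it
       assumes access.ip entries are POSIX extended regular expressions, and
       the helper names admitted and unintended are hypothetical.

```sh
#!/bin/sh
# Assumption: each db/access.ip line is a POSIX extended regular expression
# matched against the client's IP address in text form.

# admitted PATTERN ADDR...: print the addresses the pattern lets in.
admitted() {
    pat=$1; shift
    for addr in "$@"; do
        if printf '%s\n' "$addr" | grep -Eq -- "$pat"; then
            printf '%s\n' "$addr"
        fi
    done
}

# unintended PATTERN PREFIX ADDR...: admitted addresses outside PREFIX.
unintended() {
    pat=$1 prefix=$2; shift 2
    for addr in $(admitted "$pat" "$@"); do
        case $addr in
            "$prefix"*) ;;
            *) printf '%s\n' "$addr" ;;
        esac
    done
}

# Constructed client addresses: two inside 192.168.10.0/24, three outside.
CLIENTS="192.168.10.7 192.168.10.254 192.168.100.7 192.168.105.9 10.0.0.5"

echo "escaped and anchored:"; unintended '^192\.168\.10\.' 192.168.10. $CLIENTS
echo "unescaped dots:";       unintended '^192.168.10.'    192.168.10. $CLIENTS
echo "no trailing dot:";      unintended '^192\.168\.10'   192.168.10. $CLIENTS
```

       Only the first form prints nothing; the other two also admit
       192.168.100.7 and 192.168.105.9.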

STARTING THE PROXY
       The last step is starting ffproxy.  Keep in mind that we run the
       program change-rooted to /var/ffproxy, so files are relative to the
       new root.

	     cd /var/ffproxy ; /usr/local/bin/ffproxy -f ffproxy.conf

       starts ffproxy.  Now test if it works correctly.  If not, change
       ffproxy.conf and/or read ffproxy(8) and ffproxy.conf(5).

       ffproxy is not running as a daemon right now.  If everything seems to
       work, simply shut down the proxy by pressing CTRL-C, set `daemonize
       yes' in the configuration file and start ffproxy again.

TRANSPARENT OPERATION
       The proxy allows transparent operation, that is, HTTP traffic is
       redirected to the proxy, which simulates an HTTP server so that the
       users don't have to specify a proxy server.  Consider forced usage of
       a proxy server as well.  To do that, you will have to configure your
       NAT accordingly.  On OpenBSD you'll want a line like

	     rdr on rl0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080

       in /etc/pf.conf.  See your NAT's documentation for details on how to
       do this.

VERSION
       This manual documents ffproxy 1.8 (2024-03-10).

SEE ALSO
       ffproxy(8), ffproxy.conf(5), pf.conf(5)

				 Mar 10, 2024		      ffproxy.quick(7)
