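# Example ziproxy.conf

############################
# daemon mode-only options #
############################

## Port to listen for proxy connections
## default: 8080
# Port = 8080

## Local address to listen for proxy connections
## If you have more than one network interface,
## it's useful for restricting to which interface you want to bind to.
## By default Ziproxy binds to all interfaces.
# Address = "127.0.0.1"

## Accepts connections only from that address.
## WARNING: Remember to restrict the access to Ziproxy
## if your machine is directly connected to the Internet.
## With Address and OnlyFrom both left commented out, the listener is on
## all interfaces and this option applies no source-address restriction,
## so restrict access here (or with a host firewall) before exposing the port.
# OnlyFrom = "127.0.0.1"

## Inactivity timeout before closing the daemon (0 = no timeout)
## default: 0 (no timeout)
# NetdTimeout = 0

## This will append bzipped logging output to LogFile.
## LogPipe only works in daemon mode! LogPipe is not compatible with xinetd.
# LogPipe ={"bzip2", "-9cq", "-"}

###################
# general options #
###################

## Debugging log.
## Unless you really want that data, better leaving this disabled as
## it generates lots of data for each HTTP request.
##
## Disabled by default.
##
## Specifying as the following will append logging output to file named DDD-YYYY.log
## You may use an ordinary filename instead.
# LogFile = "%j-%Y.log"

## File to be used as access log.
## If undefined, there will be no access logging at all.
## Log format:
##   TIME (unix time as seconds.msecs), PROCESS_TIME (ms), ADDRESS (daemon mode only),
##   FLAGS, ORIGINAL_SIZE, SIZE_AFTER_(RE)COMPRESSION, METHOD, URL.
## where flags may be:
##   P (a request as proxy),
##   T (a request as transparent proxy),
##   S (CONNECT method, usually HTTPS data),
##   Z (transfer timed out - see ZiproxyTimeout),
##   B (interrupted transfer - either by user or by remote http host),
##   W (content type was supposed to load into memory, but it had no content-size
##      and, in the end, it was bigger than MaxSize. so it was streamed instead).
## The log stores the requested URL (and, in daemon mode, the client address),
## which may include sensitive query data; limit who can read this file.
# AccessLogFileName = "/var/log/ziproxy/access.log"

## By default Ziproxy reports the real incoming (from remote HTTP server) data size when
## writing access logs.
## So if it was gzipped by the HTTP server itself, the incoming data will be (naturally) smaller.
## When the client does not support gzipped data, and the data came originally compressed,
## the access log will show a data size increase (because it had to be decompressed
## by Ziproxy, due to client limitations).
## This is misleading in certain log analysis since, if the client accessed the server
## directly instead, the amount of data transferred into this client would be the same anyway
## -- there's no loss from the client's point-of-view.
## To avoid such distortion in statistics, you may want to log - instead of the real incoming size -
## the size which would be transferred had the client connected directly to the server.
## Only applicable when 'AccessLogFileName' is enabled.
## Disabled by default (reports the real incoming size).
# AccessLogUserPOV = false

## HTTP auth file
## Should contain user:pass pairs, lines no longer than 128 chars
## Password is unencrypted, so keep this file readable only by the
## account Ziproxy runs as.
# PasswdFile="/usr/local/ziproxy/ziproxy.passwd"

## Forward everything to another proxy server.
## Modifications/compression is still applied.
# NextProxy="host.name"
# NextPort=8080

## Use these DNS name servers to resolve hostnames
## instead of the ones configured in /etc/resolv.conf
# Nameservers = { "1.2.3.4", "11.22.33.44" }

## Bind outgoing connections (to remote HTTP server) to the following (local) IPs
## It applies to the _outgoing_ connections, it has _no_ relation to the listener socket.
## When 2 or more IPs are specified, Ziproxy will rotate to each of those at each
## outgoing connection. All IPs have the same priority.
## You may use this option for either of the following reasons:
## 1. - To use only a specific IP when connecting to remote HTTP servers.
## 2. - Use 2 or more IPs for load balancing (a rather primitive one, since it's
##      connection-based and does not take into account the bytes transferred).
## 3. - You have a huge intranet and certain sites (google.com, for example)
##      are blocking your requests because there are so many coming from the same IP.
##      So you may use 2 or more IPs here and make it appear that your requests
##      come from several different machines.
## This option does _not_ spoof packets, it merely uses the host's local IPs.
## Note: While in (x)inetd mode, output may be bound only to one IP.
## Disabled by default (binds to the default IP, the OS decides which one).
# BindOutgoing = { "234.22.33.44", "4.3.2.1", "44.200.34.11" }

## Allow processing of requests as transparent proxy
## (will still accept normal proxy requests)
## In order to use Ziproxy as transparent proxy it's also needed
## to reroute the connections from x.x.x.x:80 to ziproxy.host:PROXY_PORT
## Disabled by default.
# TransparentProxy = false

## Whether to process normal proxy requests or not
## Only makes sense when TransparentProxy is enabled.
## If transparent proxy is enabled, it's usually a good idea to disable
## conventional proxying since, depending on the layout of your network,
## it can be abused by ill-meant users to circumvent restrictions
## presented by another proxy placed between Ziproxy and the users.
## Enabled by default.
# ConventionalProxy = true

## Whether to allow the CONNECT method.
## This method is used by HTTPS, but may be used for other
## types of service (like instant messaging) which allow tunneling through http proxy.
## If you plan on serving only HTTP requests (no HTTPS nor anything else)
## you may want to disable this, in order to prevent potential
## abuse of the service.
## Enabled by default, so a proxy that is meant to be HTTP-only has to
## set this to false explicitly.
# AllowMethodCONNECT = true

## Whether to override the Accept-Encoding more to Ziproxy's liking.
## If disabled, Ziproxy will just forward Accept-Encoding received from the client
## (thus the data may or not come gzipped, depending on what the HTTP client says).
##
## Currently, this option is used to always advertise Gzip capability to
## the remote HTTP server.
## Enabling this does not necessarily mean that the data will come compressed
## from the server. This option just advertises the capability at Ziproxy's side,
## the remote server must support that capability as well.
##
## This has _no_ relation to the Gzip support between Ziproxy and the client, thus
## you may leave this enabled even if you have clients that do not support Gzip.
## Ziproxy will compress/decompress the data according to the client.
##
## Enabled by default.
# OverrideAcceptEncoding = true

## Enable/disable the internal gzip decompression by Ziproxy.
## This decompression is needed when the remote server sends data already gzipped,
## but further processing is desired (like HTMLopt, PreemptDNS etc).
## Disabling this will save some processing load, and reduce some latency since
## Ziproxy will directly stream that data to the client.
## - But processing features (htmlopt, preemptdns...) WILL NOT work with such data.
##
## Attention:
## If you disable this, but configure Ziproxy to advertise as a gzip-supporting
## client to the remote server: While using a non-gzip-supporting client, the client
## may receive gzip-encoded data and it won't know how to deal with that
## (== it will receive useless garbage).
##
## Enabled by default.
# DecompressIncomingGzipData = true

## Replaces the User-Agent data sent by the client with a custom string,
## OR defines User-Agent with that string if that entry was not defined.
## If disabled, Ziproxy will just forward the User-Agent sent by the client.
## Normally you will want to leave this option DISABLED (commented).
##
## It's useful if you, for some reason, want to identify all the clients as
## some specific browser/version/OS.
## Certain websites may appear broken if the client uses a different browser than
## the one specified here.
## Certain webservers may break completely when an unrecognized User-Agent is provided
## (for example: www.rzeczpospolita.pl).
##
## Undefined by default (leave User-Agent as defined by the client).
# RedefineUserAgent = "Mozilla/5.0 (compatible; UltraBrowser/8.1; CP/M; console40x24; z80)"

## When Ziproxy receives Gzip data it will try to decompress in order to do
## further processing (HTMLopt, PreemptDNS etc).
## This makes Ziproxy vulnerable to 'gzip-bombs' (eg. like 10 GB of zeroes, compressed)
## which could be used to slow down or even crash the server.
## In order to avoid/minimise such problems, you can limit the max
## decompression proportion, related to the original file.
## If a Gzipped file exceeds that proportion while decompressing, its
## decompression is aborted.
## The user will receive an error page instead or (if already transferring)
## transfer will simply be aborted.
##
## You may disable this feature defining its value to '0'; doing so removes
## the gzip-bomb protection described above.
## default: 2000 (that's 2000% == 20 times the compressed size)
# MaxUncompressedGzipRatio = 2000

## When limiting decompression rate with MaxUncompressedGzipRatio
## _and_ gunzipping while streaming it's not possible to know the
## file size until the transfer is finished. So Ziproxy verifies this while
## decompressing.
## The problem by doing this is the possible false positives:
## certain files compress a lot at their beginning, but then not-so
## shortly after.
## In order to prevent/minimize such problems, we define the minimum
## output (the decompressed data) generated before starting to
## check the decompression rate.
## If defined as '0', it will check the rate immediately.
## A too large value will increase the rate-limit precision, at the cost of less
## protection.
## Streams with output less than this value won't have decompression
## rate checking at all.
## This feature is only active if MaxUncompressedGzipRatio is defined.
## This does not affect data wholly loaded to memory (for further processing).
## default: 250000 (bytes)
# MinUncompressedGzipStreamEval = 250000

## If specified, ziproxy will send and check Via: header
## with given string as host identification.
## It is sometimes useful to avoid request loops. Default: not specified
# ViaServer = "something"

## If processing of request exceeds specified time in seconds,
## or connection is idle beyond that time (stalled) it will abort.
## This avoids processes staying forever (or for a very long time)
## in case of a stalled connection or software bug.
## This will NOT necessarily abort the streaming of very big files,
## it will ONLY if the connection stalls or there's a software bug.
## If "0", no timeout.
## Default: 90 (seconds)
# ZiproxyTimeout = 90

## Max file size to try to (re)compress, in bytes;
## If "0", means that this limitation won't apply.
## This regards to the file size as received from the remote HTTP server
## (which may arrive gzipped or not -- it doesn't matter).
## If a file is bigger than this limit, Ziproxy will simply stream it unmodified,
## unless the user also requested gzip compression (see below).
## Attention: If setting a very big size, the request answer latency will
## increase since Ziproxy needs to fetch the whole file before
## attempting to (re)compress it.
## A too low value will prevent data bigger than that from being processed
## (jpg/png/gif recompression, htmlopt, preemptdns..).
## Note that if:
## - Only gzipping is to be applied *OR*
## - Gzipping and other is to be applied, but data is > MaxSize
## Gzip compression (and only that) will be applied while streaming.
## Default: 1048576 (bytes)
## (default used to be "0" in ziproxy 2.3.0 and earlier)
# MaxSize = 1048576

## Min text file for streaming while modifying suffixes.
## NOTE: This used to affect gzip compression (ziproxy 2.3.0 and earlier)
## it is not the case anymore, gzipping is always streamed.
## Files smaller than this will be completely processed before being
## streamed, being temporarily stored in /tmp (or equivalent) dir.
## For performance reasons, streaming while processing is better
## (no disk overhead and lower latency),
## but such files won't have the compressed filesize reported in logs
## (will show '-1' as compressed size).
## Default: 20000 bytes
# MinTextStream = 20000

## NOTE(review): UseContentLength is set here but not described in this file;
## confirm its meaning against the documentation of your Ziproxy version.
UseContentLength = false

## Whether to try to compress text/html/alikes with gzip.
## This option concerns traffic between Ziproxy and the client only.
## This optimization is not limited by MaxSize.
## (it used to be like that up to ziproxy 2.3.0)
## default: true
# Gzip = true

## Substrings for gzippable data types under application/.
## Matches with leading "x-" too.
Compressible = {
	"shockwave", "msword", "msexcel", "mspowerpoint", "rtf", "postscript",
	"java", "javascript", "staroffice", "vnd.", "futuresplash",
	"asp", "class", "font", "truetype-font", "php", "cgi", "executable",
	"shellscript", "perl", "python", "awk", "dvi", "css",
	"xhtml+xml", "rss+xml", "xml", "pdf", "tar"
}

## Whether to try to compress the following formats (true) or not (false)
## default: true
# ProcessJPG = true
# ProcessPNG = true
# ProcessGIF = true

## Whether to try to optimize HTML, CSS and Javascript, thus reducing their size
## ProcessHTML: text/html
## ProcessCSS:  text/css
## ProcessJS:   application/[x-]javascript
## Although such data may be Gzipped too, optimizing prior to Gzipping normally
## reduces the data size even further.
## The final size depends much on how unoptimal is the coding of such data;
## some sites already present HTML pre-optimized so, in such cases, there won't
## be much gain.
## Note: Due to the higher complexity of such optimization, there's some risk of a page
## being corrupted.
## ****** THESE OPTIONS ARE EXPERIMENTAL ******
##
# ProcessHTML = false
# ProcessCSS = false
# ProcessJS = false

## Options for fine-tuning text/html optimization.
## Only used when ProcessHTML=true
## Certain optimizations may be disabled as quick 'fix' when a text data
## gets corrupted after being optimized.
## Note: CSS and JS switches apply _only_ to such data when embedded into HTML data,
## for JS, CSS-only data, see ProcessJS and ProcessCSS options.
##
# ProcessHTML_CSS = true
# ProcessHTML_JS = true
# ProcessHTML_tags = true
# ProcessHTML_text = true
# ProcessHTML_PRE = true
# ProcessHTML_NoComments = true
# ProcessHTML_TEXTAREA = true

## If enabled, will try to convert PNG/GIF files to JPEG
## and will de-animate GIF files as well.
## This option enables further compression at the cost of
## change of appearance of those files.
##
## If false, does not process transparent/animated GIFs
## Disabled by default.
# AllowLookChange = true

## Preemptive Name Resolution
## If enabled, tries to resolve hostnames present in the processed HTML files
## for speeding up things (no delay for name resolution).
## One extra process + (max)PreemptNameResMax threads will run for each HTML request.
## PreemptNameResMax is the max hostnames it will try to resolve per HTML file.
## PreemptNameResBC "bogus check", ignore names whose domains are not .nnnn, .nnn or .nn
##
## WARNING: This option makes sense _only_ if you have a caching DNS or
## a name cache of some sort (like: PDNSD).
## == THIS OPTION WILL INCREASE BY MANY TIMES THE REQUESTS TO THE DNS ==
##
# PreemptNameRes = false
# PreemptNameResMax = 50
# PreemptNameResBC = true

## Image quality for JPG compression.
## Takes four values; this file does not say what each one applies to.
ImageQuality = {20,15,15,15}

## Image quality for JP2 compression.
JP2Rate={0,0.1,0.04,0.03}

## WARNING: Suffixes modification code is currently buggy,
## better leaving it disabled for now.
ModifySuffixes = false

## Workaround for MSIE's pseudo-feature "Show friendly HTTP error messages."
## If User-Agent=MSIE, don't change/compress the body of error messages in any way.
## If compressed it could go down below to 256 or 512 bytes and be replaced with
## a local error message instead.
## In certain cases the body has crucial data, like HTML redirection or so, and
## that would be broken if a "friendly error" replaces it.
##
## If you are sure there are no users using MSIE's with "friendly error messages"
## enabled, or you don't support/have users with such configuration, you may
## disable this and have error data compressed for MSIE users.
## This workaround does not affect other clients at all, and error messages
## will be sent compressed if the client supports it.
##
## Enabled by default.
# WA_MSIE_FriendlyErrMsgs = true

## Custom HTTP Error Messages
## Define here the full path to the HTML file which should be
## sent, instead of the internal default page.
## Note: The internal defaults give more precise error messages.
##
## 400 - Bad request (malformed URL, or unknown URL type)
# CustomError400="/var/ziproxy/error/400.html"
## 404 - Unknown host (Ziproxy will not issue 'page not found' errors itself)
# CustomError404="/var/ziproxy/error/404.html"
## 408 - Request timed out
# CustomError408="/var/ziproxy/error/408.html"
## 500 - Internal error (or empty response from server)
# CustomError500="/var/ziproxy/error/500.html"
## 503 - Connection refused (or service unavailable)
# CustomError503="/var/ziproxy/error/503.html"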