tproxy(8)

NAME

tproxy - transparently re-direct HTTP requests to a HTTP
cache.

SYNOPSIS

tproxy [ -t | -p ] [ -f forced-url ] [ -s bind-port
[  -d  ]  [  -b  bind-address  ]  [  -r  runas-uid  ] [ -a
access-ip-address ] ] [ -l log-file ] proxyhost proxyport

DESCRIPTION

tproxy accepts HTTP requests and forwards them to a cache
host. If the HTTP request has been transparently re-directed, the
URL is re-written so that the cache host knows what web server to
fetch the document from. Tcp_wrappers is used to provide host ac
cess control.
The proxy-cache host's address and port are given by
proxyhost and proxyport.

OPTIONS

-t Operate in a fully transparent mode. Instead of
connecting to a proxy and sending a re-written URL, connect only
the intended destination and send the real URL. This option can
be used to allow tproxy to operate as a HTTP gateway (or proxy)
on a firewall.
-p Operate in proxy only mode. Normally if the connec
tion to the proxy fails, tproxy will try and connect transparent
ly to the intended destination. However for some sites this will
never work and it is better to simply fail the connection.
-f url Force all accesses to be sent to the specified URL.
tproxy checks for accesses that are referred by this forced URL
and allows then to pass. This allows images on the forced URL to
work.
-s port: Run as a server and bind to the specified port. Al; ternatively tproxy may be run from either inetd or a program such; a tcpserver. In these cases this options is not given.
-d When running as a server, do not background the
daemon. Usefull when tproxy is started from inetd or from the
supplied tproxywatch program.
-b ipaddr: Bind to the specified IP address. When run as a; server tproxy will not accept requests sent to any other address; when the host has multiple addresses.
-r user: Run as the specified user. The user must exist in; the /etc/passwd database so that its uid and gid can be obtained.
-a access-ipaddr: Provide an IP address, network, sub-net, or super; net to allow access. May be specified more than once. If the host; portion of the address in non-zero then the address refers to a; host, otherwise it is assumed to refer to a network. The number; of bits may be given in CIDR notation to specify a sub-net or su; per-net.
-l log-file: Log all accesses to the specified file. The logfile; will indicate if the request was done transparently, it was done; without DNS activity, or it required DNS activity.

FINE POINTS

tproxy is not an all-in-one transparent proxy solution. It
requires support from the operating system, and configuration
from the system administrator, to transparently capture HTTP re
quests.
tproxyrun provides an example script to add firewall com
mands and start tproxy running. It currently supports FreeB
SD-3.x and various versions of Linux. See the environment vari
able definitions at the top of the file.
tproxywatch provides a mechanism of ensuring that tproxy
is re-started should it fail. Whenever tproxy exits an email is
sent to the root account and then tproxy is re-started.
FreeBSD-3.x provides two methods of transparently captur
ing packets. The first is ipfw(8) using the following example
configuration.
ipfw add 1000 allow tcp from 192.168.1.1 to any 80
ipfw add 1001 fwd 192.168.1.1,8081 tcp from any to any 80
The second is ipnat(1) using the following example config
uration. Note that a rule is required for every interface you
wish to transparently re-direct for.
rdr ppp0 0.0.0.0/0 port 80 -> 192.168.1.1 port 8081
Linux provides the same mechanism with either the
ipchains(8) command, kernels 2.1.x and up, using the following
example configuration.
ipchains -A input -p tcp -d 0.0.0.0/0 80 -j REDIRECT 8081
Or the ipfwadm(8) command, kernels 2.0.x, using the fol
lowing example configuration.
ipfwadm -I -a accept -P tcp -D 0.0.0.0/0 80 -r 8081

AUTHORS

Written by John Saunders <john@nlc.net.au>

docs.sk

comprehensive documentation repository

See also

tproxy(8)

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

FINE POINTS

SEE ALSO

AUTHORS