���� ������!
���� �� ������� ��� ���� ����� ��� ���������, ��
������� � ��� ��� ���. FreeBSD 4.2, oops 1.5.6,
BerkeleyDB 2.2.7, 1Gb RAM.
��� �������� ����� 10req/s oops ������ � ������,
� ����� ������� �� signal 11. ���� �� � �������, ���
��� ����������� � ��� ������� oops �� ��� root.
������������� ��� ������ polygraph.
���������� ��� �����: ���� ���������, ���� ����
shell �� ���� ������. ����� ���-�� ������� ������
���������� threads � fbsd.
P.S. � �� �������� Solaris, �� ��� ������������� i2o
��� �������� �� ��������. (��� ������ ��������� ��� ���� ��
������, ��� ��� ����������� ��������� ������ ��� ������ �
���� �� ���� :( )
oops.cfg:
##
# nameservers. Use your own, not our.
##
nameserver a1.b1.c1.d1
nameserver a2.b2.c2.d2
##
# Ports and address to use for HTTP and ICP
##
#bind ip_addr|hostname
http_port 3128
icp_port 3130
##
## Change euid to that user
##
## WARNING: if you use 'userid, then you 'reconfigure will not be able to
## open new sockets on reserved (< 1024) ports and will not be able
## to return to original userid.
##
userid oops
##
## Change root directory. If don't know exactly what are you doing -
## leave commented.
#chroot ???
##
# Logfile - just debug output
# When used in form 'filename [{N S}] [[un]buffered]'
# will be rotated automatically (up to N files up to S bytes in size)
##
#logfile /dev/tty
logfile /var/log/proxy/oops.log { 3 1m } unbuffered
##
# Accesslog - the same as for squid. Re rotating - see note for logfile
##
#accesslog /dev/tty
accesslog /var/log/proxy/access.log
##
# Pidfile. for kill -1 `cat oops.pid` and for locking.
##
pidfile /var/log/proxy/oops.pid
##
# Statistics file - once per minute flush some statistics to this file
##
statistics /var/log/proxy/oops_statfile
##
# icons - where to find link.gif, dir.gif, binary.gif and so on (for
# ftp lists). If omitted - name of running host will be used. But
# using explicit names is better way.
##
icons-host www.mydomain.ru
icons-port 80
icons-path icons
##
# When total object volume in memory grow over this (this mean
# that cachable data from network came faster then we can save on disk)
# drop objects (without attempt to save on disk).
##
mem_max 256m
##
# Hint, how much cached objects keep in memory.
# When total amount become larger then this limit - start
# swaping cachable objects to disk
##
lo_mark 128m
##
# start random early drop when number of clients reach some level.
# this can protect you against attacks and against situation when
# oops cant handle too much connections. By default - 0 (or no limits).
##
#start_red 0
##
# refuse any connection when number of already connected clients reach some
# level. By default - 0 (or no limits).
##
#refuse_at 0
##
# if document contain no Expires: then expire after (in days)
# ftp-expire-value - expire time for ftp (in days)
##
default-expire-value 7
ftp-expire-value 7
##
# Maximum expire time - doc will not keep in cache more then
# this number of days (except if defaiult-expire-value used for this documeny)
##
max-expire-value 30
##
# in which proportion time passed since last document modification
# will accounted in expire time. For example, if last-modified-factor=5
# and there was passed 10 days since document modification, then
expiration
# will be setted to 2 days in future (but no nore then max-expire-value)
##
last-modified-factor 5
##
# If you want not cache replies without Last-Modified:
# uncomment next line.
##
#dont_cache_without_last_modified
# run expire every ( in hours )
##
default-expire-interval 1
##
# icp_timeout - how long to wait icp reply from peer (in ms, e.g 1000 = 1sec)
##
icp_timeout 1000
##
# start disk cache cleanup when free space will be (in %%)
# As on the very large storages 1% is large space (1% from 9G is
# 90M), then on such storages you can set both disk-low-free and
# disk-ok-free to 0. Oops will start cleanup if it have less then 256
# free blocks(1M), and stop when it reach 512 bree blocks(2M).
##
disk-low-free 3
##
# stop disk cache cleanup when free space will be (in %%)
##
disk-ok-free 5
##
# Force_http11 - turn on http/1.1 for each request to document server
# This option required if module 'vary' used.
##
#force_http11
##
# Always check document freshness, even it is not stale or expired
# This force Oops behave like squid - first check cached doc, then send
##
#always_check_freshness
##
# If user-requestor aborted connection to proxy, but there was received
more
# then some percent ot the document - then continue.
# default value - 75%
##
force_completion 75
##
# maximum size of the object we will cache
##
maxresident 10m
insert_x_forwarded_for yes
insert_via yes
##
# If host have several interfaces or aliases, use exactly
# this name when connecting to server:
##
#connect-from proxy.paco.net
##
# ACLs - currently: urlregex, urlpath, usercharset
# port, dstdom, dstdom_regex, src_ip, time
# each acl can be loaded from file.
##
#acl CACHEABLECGI urlregex
http://www\.topping\.com\.ua/cgi-bin/pingstat\.cgi\?072199131826
#acl WWWPACO urlregex www\.paco\.net
#acl NO_RLH urlregex zipper
#acl REWRITEPORTS urlregex (www.job.ru|www.sale.ru)
#acl REWRITEHOSTS urlregex (www.asm.ru|zipper\.paco)
#acl WINUSER usercharset windows-1251
#acl DOSUSER usercharset ibm866
#acl UNIXUSER usercharset koi8-r
#acl RUS dstdom ru su
#acl UKR dstdom ua
#acl BADPORTS port [0:79],110,138,139,513,[6000:6010]
#acl BADDOMAIN dstdom baddomain1.com baddomain2.com
#acl BADDOMREGEX dstdom_regex baddomain\.((com)|(org))
#acl LOCAL_NETWORKS src_ip include:/usr/local/oops/acl_local_networks
#acl BADNETWORKS src_ip 192.168.10/24
#acl WORKTIME time Mon,Tue:Fri 0900:1800
#acl HTMLS content_type text/html
#acl USERS username joe
acl ADMINS src_ip 127.0.0.1
acl PURGE method PURGE
acl OURNETWORKS src_ip a1.b1.0/24
##
# acl_deny [!]ACL [!]ACL ...
# deny access for combined acl
##
acl_deny PURGE !ADMINS
##
# Never cache objects with URL, containing...
##
stop_cache ?
stop_cache cgi-bin
##
# stop_cache_acl [!]ACL [!]ACL ...
# Stop cache using ACL
##
#stop_cache_acl WWWPACO
##
# refresh_pattern ACLNAME min percent max
# 'min' and 'max' are limits between Expite time will be assigned
# Iff document have no expire: header and have Last-Modified: header
# we will use 'percent' to estimate how far in the future document will
# be expired.
##
#refresh_pattern CACHEABLECGI 20 50% 200
#refresh_pattern WWWPACO 0 0% 0
##
# bind_acl {hostname|ip} [!]ACL [!]ACL ...
# bind to given address when connecting to server
# if request match ACLNAME
##
#bind_acl outname1 RUS
#bind_acl outname2 UKR
##
# Always check document freshness, but now on acl basis.
# You can have several such lines.
## This example will force to check freshness only for html documents.
#always_check_freshness_acl HTMLS
##
# line 'parent ....' will force all connections (except to destinations
# in local-domain or local-networks) go through parent host
##
#parent proxy.paco.net 3128
##
# parent_auth login:password
# if your parent require login/password from your proxy
##
#parent_auth login:password
# ICP peer's
#peer proxy.paco.net 3128 3130 {
## ^^^ peer name ^http port ^icp port
## icp port can be 0, in which case we assume this is non-icp
## proxy. We assume that non-icp peer act like parent which
## answer MISS all th etime. If this peer refused connection
## then it goes down for 60 seconds - it doesn't take part in
## any peer-related decisions.
# sibling ;
## if this peer require login/password from your proxy
# my_auth my_login:my_password;
## we will send requests for these domains
# allow dstdomain * ;
## we will NOT send requests for these domains
# deny dstdomain * ;
## we will send only requests matched to this acl
# peer_access [!]ACL1 [!]ACL2
## if (and only if) peer is not icp-capable, then , in case of fail we
## leave failed peer alone for the down_timeout interval (in seconds).
## Then we will try again
# down_timeout 60 ;
#}
#peer proxy.gu.net 80 3130 {
# parent ;
# allow dstdomain * ;
# deny dstdomain paco.net odessa.ua ;
#}
##
# Never use "parent" when connecting to server in these domains
##
#local-domain odessa.ua od.ua
#local-domain odessa.net paco.net netsy.net netsy.com te.net.ua
local-networks 194.226.0.0/20
#
# Groups
#
group mynet {
networks_acl OURNETWORKS ;
badports [0:79],110,138,139,513,[6000:6010] ;
miss allow;
icp {
allow dstdomain * ;
}
http {
allow dstdomain * ;
}
}
group world {
networks 0/0;
badports [0:79],110,138,139,513,[6000:6010];
http {
deny dstdomain * ;
}
icp {
deny dstdomain * ;
}
}
##
# Storage section
# Change this for your own situation. Oops can work without
# storages (using only in-memory cache).
##
##
# Storage description (can be several)
# path - filename of storage. can be raw device (be carefull!)
# size - size (of storage file). Can be smthng like 100k or 200m or 4g
# Size used only durig format process (oops -z).
##
storage {
path /var/proxy/c1/storage1 ;
# Size of the storage. Can be in bytes or 'auto'. Auto is
# usefull for pre-created storages or disk slices.
# NOTE: 'size auto' won't work for Linux on disk slices.
# To use large ( > 2G ) files run configure with --enable-large-files
size 2G ;
# You have to use 'offset' in the case your raw device (or slice)
# require that. For example if you use entire disk as storage
# under AIX and Soalris/Sparc - you have to skip first block
# which contain disk label (that is storage will start from
# next 512 sector.
# offset 512;
}
storage {
path /var/proxy/c1/storage2 ;
size 2G ;
}
storage {
path /var/proxy/c1/storage3 ;
size 2G ;
}
storage {
path /var/proxy/c1/storage4 ;
size 2G ;
}
storage {
path /var/proxy/c1/storage5;
size 2G ;
}
storage {
path /var/proxy/c1/storage6;
size 2G ;
}
storage {
path /var/proxy/c1/storage7;
size 2G ;
}
module lang {
default_charset koi8-r
# Recode tables and other charset stuff
CharsetRecodeTable windows-1251 /usr/local/oops/tables/koi-win.tab
CharsetRecodeTable ISO-8859-5 /usr/local/oops/tables/koi-iso.tab
CharsetRecodeTable ibm866 /usr/local/oops/tables/koi-alt.tab
CharsetAgent windows-1251 AIR_Mosaic IWENG/1 MSIE WinMosaic
(Windows (Wi
nNT;
CharsetAgent windows-1251 (Win16; (Win95; (Win98; (16-bit)
Opera/3.0
CharsetAgent ibm866 DosLynx Lynx2/OS/2
}
module err {
# error reporting module
# template
template /usr/local/oops/err_template.html
# Language to use when generate Error messages
lang ru
}
module passwd_file {
# password proxy-authentication module
#
# default realm, scheme and passwd file
# the only thing you really want to change is 'file' and 'template'
# you don't have to reconfigure oops if you only
# change content passwd file or template: oops authomatically
# reload file
realm oops
scheme Basic
file /usr/local/oops/passwd
template /usr/local/oops/auth_template.html
}
module passwd_pgsql {
# proxy authentication using postgresql
# "Ivan B. Yelnikov" <[EMAIL PROTECTED]>
#
# host - host where database live,
# user,password - login and password for database access
# database - database name
# select - file with request body
# template - file with html doc which user will receive
# during authentication
scheme Basic
realm oops
host <host address/name>
user <database_user>
password <user_password>
database <database_name>
select /usr/local/oops/select.sql
template /usr/local/oops/auth_template.html
}
module passwd_mysql {
# proxy authentication usin mysql
# "Ivan B. Yelnikov" <[EMAIL PROTECTED]>
#
# look passwd_pgsql description
#
scheme Basic
realm oops
host <host address/name>
user <database_user>
password <user_password>
database <database_name>
select /usr/local/oops/select.sql
template /usr/local/oops/auth_template.html
}
module redir {
# file - regex rules.
# each line consist of one or two fields (separated with white space)
# 1. regular expression
# 2. redirect-location
# if requested (by client) url match regex then
# if we have redirect-url then we send '302 Moved Temporary' to
# redirect-location
# if we have no redirect-location (i.e. we have no 2-nd field)
# then we send template.html (%R will be substituted by rule)
# or some default message if we have no template.
# you don't have to reconfigure oops each time
# you edit rules or template, they will be reloaded authomatically
file /usr/local/oops/redir_rules
template /usr/local/oops/redir_template.html
## mode control will redir rewrite url or send Location: header
## with new location. Values are 'rewrite' or 'bounce'
# mode rewrite
# This module can process requests which come on http_port
# and/or on different port. For example, you wish oops
# bind on two ports - 3128 and 3129, and all requests which come on
# port 3129 must pass through filters, and requests which come on port
# 3128 (common http_port) - not. Then you have to uncomment next line
# myport 3129
# which means exactly: bind oops to additional port 3129 and process
# requests which come on this port.
# myport can be in the next form:
# myport [{hostname|ip_addr}:]port
}
module oopsctl {
# path to oopsctl unix socket
socket_path /var/log/proxy/oopsctl
# time to auto-refresh page (seconds)
html_refresh 300
}
##
## This module hadnle 'Vary' header - it was written to better support
## Russian Apache
##
module vary {
user-agent by_charset
accept-charset ignore
}
##
## WWW -accelerator. To use - add word accel to
## redir_mods line for
## the group 'world' description
## You will find more description of this module in supplied accel_maps
file
##
#module accel {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
# myport 80
##
# allow access to proxy through accel module.
# Deny will stop proxy through accel completely, regardless
# of any other access rules
##
# proxy_requests deny
#
##
# File with maps and other config directives
# Checked once per minute. No need to restart oops if maps changed
##
# file /usr/local/oops/accel_maps
#}
##
## Transparent proxy. To use - add word 'transparent' into
## redir_mods line for your group.
## in the your local (or any other) group description
##
#module transparent {
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
# myport 3128
#}
##
## %h - remote ip address
## %A - local ip address
## %d - ip address of source (peer or document server)
## %l - remote logname from identd (not suported now)
## %U - remote user (from 'Authorization' header)
## %u - remote user (from proxy-auth)
## %{format}t - time with optional {format} (for strftime)
## %t - time with standard format %d/%b/%Y:%T %Z
## %r - request line
## %s - status code
## %b - bytes received
## %{header}i - value of header in request
## %m - HIT/MISS
## %k - hierarchy (DIRECT/NONE/...)
##
## directive buffered can be followed by size of the buffer,
## like 'buffered 32000'
##
#module customlog {
# path /var/log/proxy/access_custom1
# format "%h %l %u %t \"%r\" %>s %b"
# squid httpd mode log emulation
# format "%h %u %l %t \"%r\" %s %b %m:%k"
# buffered
# path /var/log/proxy/access_custom2
# format "%h->%A %l %u [%t] \"%r\" %s %b \"%{User-Agent}i\""
#}
module berkeley_db {
##
# dbhome - directory where all DB indexes reside. Use full path
# this directory must exist.
# dbname - filename for index file. Use just filename (no full path)
##
dbhome /usr/local/oops/DB
dbname dburl
##
# This parameter specifies internal cache size of BerkeleyDB.
# Increase this parameter for best performance (if you have a lot of memory).
# For example: db_cache_mem 64m
# Default and minimum value: 4m
#
# This memory pool is not part of memory pool, specified by mem_max parameter.
# WARNING: the amount of RAM used by oops will be increased by the value of
# this parameter.
##
#db_cache_mem 4m
}
#module gigabase_db {
# This module enable GigaBASE as database engine.
# You can use berkeley_db or gigabase_db, not both.
# Also, important notice - indexes created with different modules
# are not compatible.
# ##
# # dbhome - directory where all DB indexes reside. Use full path
# # this directory must exist.
# # dbname - filename for index file. Use just filename (no full path)
# ##
#
# dbhome /usr/local/oops/DB
# dbname gdburl
#
# ##
# # This parameter specifies internal cache size of BerkeleyDB.
# # Increase this parameter for best performance (if you have a lot of memory).
# # For example: db_cache_mem 64m
# # Default and minimum value: 4m
# #
# # This memory pool is not part of memory pool, specified by mem_max parameter.
# # WARNING: the amount of RAM used by oops will be increased by the value of
# # this parameter.
# ##
# #db_cache_mem 4m
#
#}
__________________________________________
Sincerely Yours, mailto:[EMAIL PROTECTED]
Michael V. Smirnoff tel. +7-095-532-0581
CCNA-R/S,CCDA
MIEEnet Network Operations Center
=====================================================================
If you would like to unsubscribe from this list send message to
[EMAIL PROTECTED] with "unsubscribe oops" in message body.
Archive is accessible on http://www.paco.net/oops/
