##----------------------------------------------------------------------------- ## fli4l __FLI4LVER__ - configuration for package "proxy" ## ## P L E A S E R E A D T H E D O C U M E N T A T I O N ! ## ## B I T T E U N B E D I N G T D I E D O K U M E N T A T I O N L E S E N ! ## ##----------------------------------------------------------------------------- ## Creation: 26.06.2001 fm ## Last Update: $Id$ ## ## Copyright (c) 2001-2016 - Frank Meyer, fli4l-Team ## ## This program is free software; you can redistribute it and/or modify ## it under the terms of the GNU General Public License as published by ## the Free Software Foundation; either version 2 of the License, or ## (at your option) any later version. ##----------------------------------------------------------------------------- #------------------------------------------------------------------------------ # Optional package: PRIVOXY (Privacy Enhancing Proxy) #------------------------------------------------------------------------------ #OPT_PRIVOXY='no' # privoxy: yes or no PRIVOXY_MENU='yes' # show Privoxy in httpd menu? PRIVOXY_N='1' # number of instances PRIVOXY_1_LISTEN='IP_NET_1_IPADDR:8118' # ip and port to listen on PRIVOXY_1_ALLOW_N='1' # open firewall for hosts and networks PRIVOXY_1_ALLOW_1='IP_NET_1' PRIVOXY_1_HTTP_PROXY='' # optional http forward (host:port) PRIVOXY_1_SOCKS_PROXY='' # optional socks4a forward (host:port) # e.g. 127.0.0.1:9050 to use TOR # remember making TOR listen this port PRIVOXY_1_TOGGLE='yes' # may users switch privoxy on/off? PRIVOXY_1_CONFIG='yes' # may users edit the config online? PRIVOXY_1_LOGDIR='/var/log/privoxy' # folder for log files PRIVOXY_1_LOGLEVEL='1 4096 8192' # what to log? (see manual) # the following is a sample for a privoxy sending its traffic to tor PRIVOXY_2_LISTEN='IP_NET_1_IPADDR:8090' PRIVOXY_2_ALLOW_N='1' PRIVOXY_2_ALLOW_1='IP_NET_1' PRIVOXY_2_HTTP_PROXY='' PRIVOXY_2_SOCKS_PROXY='127.0.0.1:9050' PRIVOXY_2_TOGGLE='yes' PRIVOXY_2_CONFIG='yes' PRIVOXY_2_LOGDIR='/var/log/privoxy-tor' PRIVOXY_2_LOGLEVEL='1 4096 8192' #------------------------------------------------------------------------------ # Optional package: TOR (The Onion Router) #------------------------------------------------------------------------------ #OPT_TOR='no' # install tor sock4a anon proxy TOR_LISTEN_N='1' # number of interfaces to listen on TOR_LISTEN_1='IP_NET_1_IPADDR:9050' TOR_LISTEN_2='127.0.0.1:9050' # activate this to listen for local privoxy TOR_ALLOW_N='1' # open firewall for hosts and networks TOR_ALLOW_1='IP_NET_1' TOR_CONTROL_PORT='' # control using Tor Control Protocol # leave empty to disable control TOR_CONTROL_PASSWORD='' # password to gain control over TOR TOR_DATA_DIR='' # data folder (/etc/tor, if left empty) TOR_HTTP_PROXY='' # forward directory request to proxy TOR_HTTP_PROXY_AUTH='' # username:password for http proxy TOR_HTTPS_PROXY='' # forward SSL traffic to proxy TOR_HTTPS_PROXY_AUTH='' # username:password for http proxy TOR_LOGLEVEL='notice' # debug, info, notice, warn or err # logging is disabled if left empty. # WARNING: do NOT use levels below # 'notice' for security reasons! TOR_LOGFILE='' # log to file instead of syslog #------------------------------------------------------------------------------ # Optional package: SS5 (Generic Socks proxy) #------------------------------------------------------------------------------ #OPT_SS5='no' # install ss5 socks4/5 proxy SS5_LISTEN_N='1' # number of interfaces to listen on SS5_LISTEN_1='IP_NET_1_IPADDR:8050' SS5_ALLOW_N='1' # open firewall for hosts and networks SS5_ALLOW_1='IP_NET_1' #------------------------------------------------------------------------------ # Optional package: Transproxy (transparently forward HTTP requests) #------------------------------------------------------------------------------ #OPT_TRANSPROXY='no' TRANSPROXY_LISTEN_N='1' # number of interfaces to listen on TRANSPROXY_LISTEN_1='any:8081' TRANSPROXY_TARGET_IP='127.0.0.1' # where to redirect requests TRANSPROXY_TARGET_PORT='8118' TRANSPROXY_ALLOW_N='1' TRANSPROXY_ALLOW_1='IP_NET_1' #------------------------------------------------------------------------------ # Optional package: Siproxd - a masquerading SIP Proxy Server #------------------------------------------------------------------------------ #OPT_SIPROXD='no' #SIPROXD_N='1' #SIPROXD_1_DEV_IN='IP_NET_1_DEV' # device facing internal network #SIPROXD_1_DEV_OUT='eth0.100' # device facing internet #SIPROXD_1_ALLOW_REG_N='2' #SIPROXD_1_ALLOW_REG_1='IP_NET_1' # which networks to allow access to SIP proxy #SIPROXD_1_ALLOW_REG_2='{Site2Site}' # which networks to allow access to SIP proxy #SIPROXD_1_SIP_PORT='5060' # listening port of siproxd #SIPROXD_1_RTP_PORT_MIN='7070' # lower UDP port for RTP - 2 ports per softphone #SIPROXD_1_RTP_PORT_MAX='7089' # upper UDP port for RTP - 2 ports per softphone #SIPROXD_1_USER_N='2' # define users that have access to SIP proxy #SIPROXD_1_USER_1_NAME='test' # username #SIPROXD_1_USER_1_PASS='testpw' # password #SIPROXD_1_USER_2_NAME='test2' #SIPROXD_1_USER_2_PASS='testpw2' #SIPROXD_1_TRANSPARENT='yes' # (optional) make this a transparent SIP proxy, i.e. a # firewall rule will be set up that autmoatically # redirects all traffic from networks configured # in ALLOW_REG - it can also be created manually # in base.txt # PF_PREROUTING[]='prot:udp IP_NET_1 @fritz.box:5060 REDIRECT:5060' SIPROXD[] { DEV_IN='IP_NET_1_DEV' # device facing internal network DEV_OUT='eth0.100' # device facing internet ALLOW_REG[]='IP_NET_1' # which networks to allow access to SIP proxy SIP_PORT='5060' # listening port of siproxd RTP_PORT_MIN='7070' # lower UDP port for RTP - 2 ports per softphone RTP_PORT_MAX='7089' # upper UDP port for RTP - 2 ports per softphone TRANSPARENT='yes' # (optional) make this a transparent SIP proxy, i.e. a # firewall rule will be set up that autmoatically # redirects all traffic from networks configured # in ALLOW_REG - it can also be created manually # in base.txt # PF_PREROUTING[]='prot:udp IP_NET_1 @fritz.box:5060 REDIRECT:5060' } SIPROXD[] { DEV_IN='IP_NET_2_DEV' DEV_OUT='eth0.100' TRANSPARENT='no' ALLOW_REG[]='IP_NET_2' ALLOW_REG[]='10.0.0.0/24' ALLOW_REG[]='{SomeNetPrefix.prefix}' SIP_PORT='5061' RTP_PORT_MIN='7090' RTP_PORT_MAX='7099' # define users that have access to SIP proxy USER[] { NAME='user1' # username PASS='pasword_user_1' # password } USER[] { NAME='user2' PASS='geheim' } } #------------------------------------------------------------------------------ # Optional package: kamailio- another routing/masquerading SIP Proxy Server #------------------------------------------------------------------------------ #OPT_KAMAILIO='no' #------------------------------------------------------------------------------ # Optional package: rtpproxy- RTP proxy #------------------------------------------------------------------------------ #OPT_RTPPROXY='no' #------------------------------------------------------------------------------ # Optional package: igmpproxy - IGMP proxy #------------------------------------------------------------------------------ #OPT_IGMPPROXY='no' IGMPPROXY_DEBUG='no' # default: no; change to yes for verbose information IGMPPROXY_DEBUG2='no' # default: no; change to yes for debug information IGMPPROXY_QUICKLEAVE_ON='yes' # Enable Quickleave mode; sends Leave instantly; default: yes IGMPPROXY_UPLOAD_DEV='eth1.8' # upstream interface; default: ppp0; VLAN8 Interface for Entertain IPTV IGMPPROXY_DOWNLOAD_DEV='eth2' # interface to IPTV box IGMPPROXY_ALT_N='3' # number of IP addresses for multicast sources IGMPPROXY_ALT_1_NET='239.35.0.0/16' # IPTV streams IGMPPROXY_ALT_2_NET='217.0.119.0/24' # Required for T-Home IGMPPROXY_ALT_3_NET='193.158.34.0/23' # Required for T-Home IGMPPROXY_WLIST_N='1' # number of IP addresses for multicast sources IGMPPROXY_WLIST_1_NET='239.35.0.0/16' # IPTV streams #------------------------------------------------------------------------------ # Optional package: improxy - IGMPv3/MLD proxy #------------------------------------------------------------------------------ #OPT_IMPROXY='no' IMPROXY_ENABLE_MLD='yes' IMPROXY_ENABLE_IGMPV3='yes' IMPROXY_UPSTREAM_DEV='ppp1' IMPROXY_DOWNSTREAM_DEV='eth0.8' #------------------------------------------------------------------------------ # Optional package: stunnel - SSL/TLS tunnel #------------------------------------------------------------------------------ #OPT_STUNNEL='no' # enable SSL/TLS tunnelling: yes or no STUNNEL { DEBUG='no' # enable debug messages: yes or no or log level # between 0 and 7 # ------------------------------ first tunnel --------------------------------- # [] { # NAME='https' # name of first tunnel # CLIENT='no' # SSL/TLS server # ACCEPT='any:443' # address and port to listen to # ACCEPT_IPV6='no' # only listen to IPv4 connection requests (this # # obviously makes sense only for OPT_IPV6='yes' # # configurations) # CONNECT='127.0.0.1:80' # # where to delegate incoming connections to? # CERT_FILE='server.pem' # # our (server) certificate, always required for # # CLIENT='no' # CERT_CA_FILE='stunnel-ca.pem' # # certificate(s) to validate peer certificates # # against, see below # CERT_VERIFY='optional' # # How to validate peer certificate? Possible # # values are: # # none - no validation # # optional - validate against CA certificate # # if peer provides one # # onlyca - require peer certificate and # # validate it against CA cert. # # onlycert - require peer certificate and # # compare it to certificate in # # STUNNEL_x_CERT_CA_FILE # # both - require peer certificate; # # validate it against CA cert. and # # compare it to certificate in # # STUNNEL_x_CERT_CA_FILE (_both_ # # certificates, peer + CA, need # # to exist in that file!) # } # ------------------------------ second tunnel -------------------------------- # [] { # NAME='remote-imond' # name of second tunnel # CLIENT='yes' # SSL/TLS client # ACCEPT='any:50000' # address and port to listen to # ACCEPT_IPV4='no' # only listen to IPv6 connection requests (this # # obviously requires OPT_IPV6='yes') # CONNECT='@ibox:5000' # # where to delegate incoming connections to? # # (using '@ibox' needs the dns_dhcp package # # with OPT_HOSTS='yes' and HOST_x_NAME='ibox') # CERT_CA_FILE='ca+server.pem' # # contains CA certificate and desired server # # certificate, the latter needed for 'both' # # verify mode # CERT_FILE='client.pem' # # our (client) certificate and key, typically # # not necessary when using CLIENT='yes' # CERT_VERIFY='both' # see above # } }