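#
# config file for twhttpd
# example for inbound proxy
#
# Rules inside the server block are evaluated top to bottom; the first
# "return <status>" decides the response for the request. Match operators:
# "==" / "!=" compare against a glob pattern ("*" wildcards), "=~" is a
# regular-expression match.
#

# working dir, default current dir
$work_dir = "/home/proxy";

# perform chroot after daemonized??
$chroot = "enable";

# cache dir, after chroot
# only effective if any server below has caching enabled
$cache_dir = ".cache" ;

# change uid and gid
$uid = "nobody";
$gid = "nobody";

# protected inbound http service
server (
    $listen = 0.0.0.0:8080,          # real IP, port 80
    $forward = 192.168.2.254:81,     # private IP, port 80
    $access_log = "./access.log",    # note error log still goes to syslog
    $cache = "enable",               # enable cache
    $safe_url = "enable",            # enable $safe_url
    $header_check = "request",       # enable header check
    # I am using IIS, just try to fool the hacker
    $server_version = "Netscape-Enterprise/3.6 SP3"
)
{
    # the following check helps to block MOST cgi scanners and attack scripts:
    # scanners usually send no Host header (or a bare IP) and no User-Agent
    if ( ($host != "202.1.2.3" && $host != "www.mysite.com") ||
         ($user_agent != "*") )         # well, this match anything except NULL
    {
        # Bad Request
        return 400;
    }

    if ( is_cgi() )
    {
        # is cgi
        # block _DANGER_ cgi path
        if ( $path == "*system32*" ||    # block system32 path
             $path == "*msadc*" ||       # MSADC attack
             $path == "*script*" ||      # default script??
             $ext == "dll" ||            # I don't have any .dll cgi
             $ext == "exe" ||            # cmd.exe!!??
             $ext == "com" ||            # command.com!!??
             $ext == "bat" ||            # no bat script
             $ext == "ida" ||            # index server bug!?
             $ext == "idq" )             # index server bug!?
        {
            # Forbidden
            return 403;
        }

        # all cgi are .pl .asp .cgi .php and are under /cgi-bin/*
        # you can fine tune your own extensions
        # the regex is anchored so that $ext must BE one of these, not merely
        # contain one of them (an unanchored match accepts "xpl", "php5", ...)
        if ( $path == "/cgi-bin/*" &&
             ($ext =~ /^(pl|asp|cgi|php|php3|php4)$/ ) )
        {
            # call CGI from local referer only
            # this may not be true for your script or site policy
            # NOTE: Referer is sent by the client and is trivially omitted or
            # forged; this keeps casual cross-site calls out, it is not an
            # authorization control
            if ( $referer == "http://202.1.2.3/*" ||
                 $referer == "http://www.mysite.com/*" )
            {
                # restrict query data to search engine
                # (compare against $path, the script location; comparing
                # $host here never matches and the restriction is skipped)
                if ( $path == "/cgi-bin/search.pl" )
                {
                    # only accept alpha_numeric or "+" not longer than 32 char long
                    # the regex is anchored to the whole query string, otherwise
                    # "q=abc&anything=..." would pass because "q=abc" matches
                    # but noted, currently you CAN'T check for $post data
                    if ( $method == "GET" && $query =~ /^q=[0-9a-zA-Z\+]{1,32}$/ )
                    {
                        return 200;
                    }
                    else
                    {
                        # Forbidden: query does not fit the search engine's
                        # expected shape, so deny explicitly instead of falling
                        # through to the 500 below
                        return 403;
                    }
                }
                # not checking others
                else
                {
                    return 200;
                }
            }
            else
            {
                # Forbidden
                return 403;
            }
        }
        else
        {
            # File not Found
            return 404;
        }

        # you should not reach this
        # Internal Server Error
        return 500;
    }
    else
    {
        # not cgi
        if ( $path == "/" ||         # noted this is $path and no "*" in string
             $ext == "" ||           # this basically means allow directory browsing
             $ext == "html" ||
             $ext == "htm" )
        {
            # OK
            return 200;
        }
        # anchored: $ext must be exactly one of these extensions
        elsif ( $ext =~ /^(jpg|gif|css|txt|pdf|zip|doc|xls|ppt)$/ )
        {
            # well, this help to stop external linking
            # (Referer is client-supplied, so this is a hotlink deterrent only)
            if ( $referer == "http://202.1.2.3/*" ||
                 $referer == "http://www.mysite.com/*" )
            {
                # OK
                return 200;
            }
            else
            {
                # Forbidden
                return 403;
            }
        }
        else
        {
            # File not Found
            return 404;
        }
    }

    # again, you should not reach this
    # Internal Server Error
    return 500;
}

# that's all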