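#
# config file for twhttpd
#
# Layout: a few global settings, then one  server ( options ) { rules }
# block per listener.  The rule body evaluates to an HTTP status for the
# request: 200 means "this access-control config allows the request"
# (the upstream server still decides the real response); other codes are
# presumably answered by twhttpd itself -- confirm against the twhttpd docs.
#

# perform chroot after daemonizing?
$chroot = "enable";

# cache dir, relative to the chroot
# only effective if at least one server below enables caching
$cache_dir = ".cache";

# drop privileges to this uid and gid
$uid = "nobody";
$gid = "nobody";

# protected inbound http service
# each server must have $listen and $forward defined
# note that some options have a default value
server (
    $listen         = 202.1.2.3:80,       # public IP the proxy listens on
    $forward        = 192.168.1.1:80,     # private IP of the internal web server
    $access_log     = "./inbound.log",    # error log still goes to syslog
    $cache          = "disable",          # never cache inbound content
    $safe_url       = "enable",           # URL sanity check (this is the default)
    $header_check   = "request",          # check request headers (this is the default)
    # Advertised Server header.  The real backend is IIS; this only masks
    # the banner -- behavioural fingerprinting still works, so treat it as
    # cosmetic, not as a control.
    $server_version = "Netscape-Enterprise/3.6 SP2"
) {
    # accept only requests whose HTTP "Host" header names this site
    if ( $host != "192.168.1.1" && $host != "www.mysite.com" ) {
        # BAD REQUEST
        return 400;
    }
    if ( $port != 80 ) {
        # INTERNAL SERVER ERROR -- only here to show how a status is returned
        return 500;
    }
    # is_cgi() is false when the method is not POST and the query string is empty
    if ( !is_cgi() ) {
        # static content: whitelist of allowed extensions
        if ( $path == "/" || $ext == "html" || $ext == "htm" || $ext == "jpg" ) {
            # 200 here does not mean the final result will be 200;
            # it only means this access-control config allows the access.
            # The destination server may still return 404 if the file is missing.
            return 200;
        } else {
            return 404;
        }
    } else {
        # CGI requests from the internal network are allowed.
        # NOTE(review): this range runs from 192.168.2.1 to 192.168.1.254, i.e.
        # its start is above its end.  The outbound block below treats
        # 192.168.2.0/24 as the internal network, so 192.168.2.1-192.168.2.254
        # may have been intended -- confirm how twhttpd evaluates a reversed
        # range before relying on this rule.
        if ( $client_ip == 192.168.2.1-192.168.1.254 ) {
            return 200;
        # NOTE(review): external clients are still allowed CGI requests under
        # /cgi-bin/; only CGI requests outside that prefix are denied.  If the
        # intent is really "internal only", this branch is wider than intended.
        } elsif ( $path == /cgi-bin/* ) {
            return 200;
        } else {
            return 404;
        }
    }
}

# outbound (forward) proxy for the internal network
# security is not the main concern here, access control is
# cache enabled; response headers are checked, request URLs are not
# https is enabled, but note https is only enabled for port 443
server (
    $listen          = 192.168.2.254:8001,
    $forward         = "auto",
    $access_log      = "./outbound.log",
    $cache           = "enable",
    $safe_url        = "disable",
    $header_check    = "response",
    $https           = "enable",            # comma after this option was missing in the original
    $browser_version = "[Anonymized browser]"
) {
    # clients on the internal network may use the proxy without credentials
    if ( $client_ip == 192.168.2.0/24 ) {
        # you could also check $host against a blocklist here before returning 200
        return 200;
    # Everyone else is checked against the htpasswd file.
    # Return 401 (not_authorized) if you check $auth,
    # 407 (proxy_not_authorized) if you check $proxy_auth.
    # NOTE(review): as written a truthy htpasswd() result yields 407 and a
    # falsy one 404.  If htpasswd() returns true on *successful* verification
    # this is inverted (valid credentials should pass with 200, missing or bad
    # ones be challenged with 407) -- confirm the helper's return convention.
    } elsif ( htpasswd($proxy_auth, "./htpasswd") ) {
        return 407;
    } else {
        return 404;
    }
}

# that's all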