#
# config file for twhttpd
# example for inbound (reverse) proxy
#
# Layout: global daemon settings first, then one server ( ... ) { ... }
# block whose body is a request-filtering policy evaluated per request.
# The policy is default-deny: a request only gets 200 if it is explicitly
# allowed below; everything else ends in 400/403/404.
#

# working dir, default current dir
##### you should change this to where you want #####
$work_dir = "/home/proxy";

# perform chroot after daemonized?
# NOTE(review): relative paths below ($cache_dir, $access_log) are resolved
# after the chroot, i.e. presumably under $work_dir - confirm with twhttpd docs.
$chroot = "enable";

# cache dir, relative to the chroot
# only effective if at least one server below has caching enabled
$cache_dir = ".cache" ;

# change uid and gid after start-up
##### you should change this to who you want #####
# NOTE(review): "nobody" is often shared by other services on the host;
# a dedicated unprivileged account limits what a compromised proxy can reach.
$uid = "nobody";
$gid = "nobody";

# protected inbound http service
server (
    ##### you should change below to this firewall's real IP, port 80 #####
    # 0.0.0.0 binds every interface on the box, not just the external one.
    $listen = 0.0.0.0:8080,
    ##### set this to your web server's private IP, port 80 #####
    # the backend the proxy forwards accepted requests to (plain HTTP)
    $forward = 127.0.0.1:80,
    # access log, relative to the chroot
    $access_log = "./access.log",
    # note error log still goes to syslog
    $cache = "enable",              # enable cache
    $safe_url = "enable",           # enable $safe_url checking
    $header_check = "request",      # enable header check on requests
    # For outbound proxy, you may want to enable this
    # $browser_version = "[Anonymized browser]",
    # I am using IIS, just try to fool the hacker
    # NOTE(review): a spoofed Server banner only misleads banner grabbers; it
    # is cosmetic and not a substitute for the path/extension rules below.
    $server_version = "Netscape-Enterprise/3.6 SP2"
) {
    # only accept the following HTTP "Host" header
    # this helps to block most cgi scanners and attack scripts that
    # connect by IP address instead of host name
    ##### you should change this to your host name and IP #####
    # As shipped, "*" matches anything, so this rejects only requests whose
    # Host (or User-Agent) is empty/NULL; it becomes useful once "*" is
    # replaced with the real host name. Either mismatch triggers the 400.
    # I DO NOT suggest browser discrimination - leave $user_agent at "*".
    if ( ($host != "*") || ($user_agent != "*") )
    { # Bad Request
        return 400;
    }

    if ( is_cgi() ) { # the request is a cgi request
        # block _DANGER_ cgi paths
        # NOTE(review): "*script*" matches any path containing that substring
        # (e.g. /scripts/ as well as anything else with "script" in it).
        # Whether these globs are applied case-insensitively and after URL
        # decoding is up to twhttpd (see $safe_url) - confirm before relying
        # on them against e.g. "SYSTEM32" or "%73ystem32".
        if ( $path == "*system32*" ||   # block system32 path
             $path == "*msadc*" ||      # MSADC attack
             $path == "*script*" ||     # default script dir
             $ext == "dll" ||           # I don't have any .dll cgi
             $ext == "exe" ||           # cmd.exe
             $ext == "com" ||           # command.com
             $ext == "bat" ||           # no bat scripts
             $ext == "ida" ||           # index server bug
             $ext == "idq" )            # index server bug
        { # Forbidden
            return 403;
        }

        # all cgi are .pl .asp .cgi .php and live under /cgi-bin/*
        ##### you can fine tune your own extensions here #####
        if ( $path == "/cgi-bin/*" && ($ext == "pl" || $ext == "asp" || $ext == "cgi" || $ext == "php") ) {
            # call CGI from local referer only
            # this may not be true for your script or site policy
            ##### you should change this to your host name and IP #####
            # As shipped, "http://*" accepts ANY http:// Referer, so it does
            # not yet restrict to local callers. Once narrowed, remember that
            # Referer is client-supplied (trivially forged) - treat this as a
            # nuisance filter, not an access control. Requests without a
            # Referer, or with an https:// one, fall into the 403 branch.
            if ( $referer == "http://*" ) { # OK
                return 200;
            } else { # Forbidden
                return 403;
            }
        } else { # File not Found
            return 404;
        }

        # you should not reach this
        # Internal Server Error
        return 500;
    } else { # not cgi
        # NOTE(review): $ext == "" also admits any extension-less path, and
        # "/" plus directory browsing exposes file names under the web root;
        # drop the $ext == "" line if directory listings are not needed.
        if ( $path == "/" ||            # note this is $path and no "*" in string
             $ext == "" ||              # this basically means allow directory browsing
             $ext == "html" ||
             $ext == "htm" ) { # OK
            return 200;
        } elsif ( $ext == "jpg" || $ext == "gif" || $ext == "css" || $ext == "txt" || $ext == "pdf" || $ext == "zip" || $ext == "doc" || $ext == "xls" || $ext == "ppt" ) {
            # well, this helps to stop external (hot) linking
            ##### you should change this to your host name and IP #####
            # Same caveats as the cgi Referer check above: "http://*" matches
            # every http:// Referer as shipped, the header is forgeable, and a
            # direct request with no Referer is refused with 403.
            if ( $referer == "http://*" ) { # OK
                return 200;
            } else { # Forbidden
                return 403;
            }
        } else { # File not Found
            # anything else (.bak, .inc, .old, .conf, ...) is never served
            return 404;
        }
    }

    # again, you should not reach this
    # Internal Server Error
    return 500;
}
# that's all