tproxy(8)		    System Manager's Manual		     tproxy(8)

       tproxy - transparently re-direct HTTP requests to an HTTP cache.

       tproxy [ -t | -p ] [ -f forced-url ] [ -s bind-port [ -d ] [ -b bind-address ]
       [ -r runas-uid ] [ -a access-ip-address ] ] [ -l log-file ] proxyhost proxyport

       tproxy accepts HTTP requests and	forwards them to a cache host. If  the
       HTTP  request has been transparently re-directed, the URL is re-written
       so that the cache host knows what web  server  to  fetch	 the  document
       from. Tcp_wrappers is used to provide host access control.

       The  proxy-cache	 host's	 address  and  port are	given by proxyhost and

       -t     Operate in a fully transparent mode. Instead of connecting to a
              proxy and sending a re-written URL, connect only to the intended
              destination and send the real URL. This option can be used to
              allow tproxy to operate as an HTTP gateway (or proxy) on a fire-

       -p     Operate in proxy only mode. Normally, if the connection to the
              proxy fails, tproxy will try to connect transparently to the
              intended destination. However, for some sites this will never
              work and it is better to simply fail the connection.

       -f url Force all accesses to be sent to the specified URL. tproxy
              checks for accesses that are referred by this forced URL and
              allows them to pass. This allows images on the forced URL to work.

       -s port
              Run as a server and bind to the specified port. Alternatively,
              tproxy may be run from either inetd or a program such as
              tcpserver. In these cases this option is not given.

       -d     When running as a server, do not background the daemon. Useful
              when tproxy is started from inetd or from the supplied
              tproxywatch program.

       -b ipaddr
	      Bind  to	the  specified IP address. When	run as a server	tproxy
	      will not accept requests sent to any other address when the host
	      has multiple addresses.

       -r user
	      Run   as	the  specified	user.  The  user  must	exist  in  the
	      /etc/passwd database so that its uid and gid can be obtained.

       -a access-ipaddr
              Provide an IP address, network, sub-net, or super-net to allow
              access. May be specified more than once. If the host portion of
              the address is non-zero then the address refers to a host;
              otherwise it is assumed to refer to a network. The number of bits
              may be given in CIDR notation to specify a sub-net or super-net.

       -l log-file
              Log all accesses to the specified file. The log file will
              indicate whether the request was done transparently, was done
              without DNS activity, or required DNS activity.
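
       The -a matching rule described above, written out as an added example
       (not tproxy's own code). It assumes that "host portion" means the bits
       outside the address's classful (class A/B/C) mask when no CIDR length
       is given; struct acl, natural_mask, acl_parse and acl_allows are
       hypothetical names.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct acl { uint32_t addr, mask; };            /* host byte order */

/* Assumption: "host portion" = bits outside the classful (A/B/C) mask. */
static uint32_t natural_mask(uint32_t a)
{
    if ((a >> 31) == 0) return 0xff000000u;     /* class A: 0.x - 127.x */
    if ((a >> 30) == 2) return 0xffff0000u;     /* class B: 128.x - 191.x */
    return 0xffffff00u;                         /* class C and above */
}

/* Parse "a.b.c.d" or "a.b.c.d/bits". Returns 0 on success, -1 on bad input. */
int acl_parse(const char *spec, struct acl *out)
{
    char buf[32], *slash, *end;
    struct in_addr in;
    uint32_t a, nm;

    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &in) != 1) return -1;
    a = ntohl(in.s_addr);
    if (slash) {                                /* explicit sub-net or super-net */
        long bits = strtol(slash, &end, 10);
        if (end == slash || *end || bits < 0 || bits > 32) return -1;
        out->mask = bits ? 0xffffffffu << (32 - bits) : 0;
    } else {                                    /* host bits set => single host */
        nm = natural_mask(a);
        out->mask = (a & ~nm) ? 0xffffffffu : nm;
    }
    out->addr = a & out->mask;
    return 0;
}

/* 1 = client covered by the entry, 0 = not covered, -1 = unparsable input. */
int acl_allows(const char *spec, const char *client)
{
    struct acl e;
    struct in_addr in;

    if (acl_parse(spec, &e) != 0 || inet_pton(AF_INET, client, &in) != 1)
        return -1;
    return (ntohl(in.s_addr) & e.mask) == e.addr;
}
```

       Under that assumption, 10.1.0.0 given without a prefix length is a
       single host, so a /16 has to be written explicitly as 10.1.0.0/16.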

       tproxy is not an	all-in-one transparent	proxy  solution.  It  requires
       support	from  the  operating system, and configuration from the	system
       administrator, to transparently capture HTTP requests.

       tproxyrun provides an example script to add firewall commands and start
       tproxy running.	It currently supports FreeBSD-3.x and various versions
       of Linux. See the environment variable definitions at the  top  of  the

       tproxywatch provides a mechanism for ensuring that tproxy is re-started
       should it fail. Whenever tproxy exits, an email is sent to the root
       account and then tproxy is re-started.

       FreeBSD-3.x  provides  two  methods of transparently capturing packets.
       The first is ipfw(8) using the following	example	configuration.

       ipfw add	1000 allow tcp from	to any 80

       ipfw add	1001 fwd,8081 tcp from any to any 80

       The second is ipnat(1) using the	following example configuration.  Note
       that  a	rule is	required for every interface you wish to transparently
       re-direct for.

       rdr ppp0 port 80 -> port 8081

       Linux provides the same mechanism with either the ipchains(8)  command,
       kernels 2.1.x and up, using the following example configuration.

       ipchains	-A input -p tcp	-d 80	-j REDIRECT 8081

       Or  the	ipfwadm(8) command, kernels 2.0.x, using the following example

       ipfwadm -I -a accept -P tcp -D	80 -r 8081

       hosts_access(5),	  tcpserver(1),	  ipfw(8),    ipnat(1),	   ipfwadm(8),

       Written by John Saunders	<>

       Copyright  1998,	1999, 2000	NORTHLINK COMMUNICATIONS PTY LTD.  All
       rights reserved.


