# Example ziproxy.conf

############################
# daemon mode-only options #
############################

## Port to listen for proxy connections
## default: 8080
Port = 8080

## Local address to listen for proxy connections
## If you have more than one network interface,
## it's useful for restricting to which interface you want to bind to.
## By default Ziproxy binds to all interfaces.
## NOTE(review): this example binds to loopback only. Widening Address or
## OnlyFrom exposes the proxy to other hosts, and AuthMode defaults to 0
## (no authentication), so pair any wider exposure with AuthMode and/or
## a firewall rule.
Address = "127.0.0.1"

## Accepts connections only from that address.
## WARNING: Remember to restrict the access to Ziproxy
## if your machine is directly connected to the Internet.
OnlyFrom = "127.0.0.1"

## Limits the number of simultaneous active user connections.
## This does not affect the connection queue (see: SOMAXCONN).
##
## This also (indirectly) limits the number of processes Ziproxy will run
## at once. Formula for the worst-case scenario:
## MaxZiproxyProcesses = 1 + MaxActiveUserConnections
## OR if PreemptNameRes is enabled (worst-case scenario):
## MaxZiproxyProcesses = 1 + MaxActiveUserConnections * (1 + PreemptNameResMax)
##
## Valid values: 0 (no limit), >0 (max active connections).
##
## NOTE(review): with the default of 0 the process count is bounded only by
## the OS. A finite value here caps how many processes a burst of client
## connections can create.
##
## default: 0 (no limit -- relies on OS limit instead)
# MaxActiveUserConnections = 20

## Defines the file where to dump the daemon PID number.
## If unspecified, will dump the PID to stdout (legacy behavior) and
## you will be unable to stop the daemon invoking 'ziproxy -k'.
## If you run two or more instances of Ziproxy simultaneously,
## you will need to set this to different names (for obvious reasons).
##
## default: unspecified (dumps PID to stdout)
# PIDFile = "/var/run/ziproxy.pid"

## Run daemon as `RunAsUser` user.
## Switch from current user (in this case, typically `root`)
## to a less privileged one, as a security measure.
##
## default: unspecified (does not change user)
# RunAsUser = "ziproxy"

## Run daemon as `RunAsGroup` group.
## Switch from current group (in this case, typically `root`)
## to a less privileged one, as a security measure.
##
## default: unspecified (does not change group)
# RunAsGroup = "ziproxy"

##################################
# TOS marking (daemon mode-only) #
##################################

## TOS marking
## Enable this if you want to specify the (IP-level) TOS of certain types
## of traffic from ziproxy -> user.
##
## This feature is useful if one wants to do application-level QoS.
## Setting TOS does not provide QoS alone. You must be either using
## a network with routers prioritizing traffic according to their TOS,
## or set your own QoS/traffic-shaper system and treat the packets
## with certain TOS accordingly.
##
## Ziproxy is RFC-agnostic regarding TOS bit meanings,
## though there may be limitations imposed by the host OS.
## See: RFC 791, RFC 1122, RFC 1349, RFC 2474 and RFC 3168.
##
## If disabled, all other TOS options won't have effect.
## Disabled by default.
# TOSMarking = false

## TOS to set by default
## This is a decimal value between 0-255.
##
## If unset, will use the OS default (which usually is 0).
## If you want to make sure it is set to 0, then set
## this option accordingly.
##
## Your OS may put restrictions on which bits you may set
## (so certain bits will remain unchanged regardless).
## Your OS may also restrict which bits and/or value ranges
## you may set if you're not running as root.
## Other (non-unixish) OSes may be unable to set TOS at all.
## NOTE(review): this interacts with RunAsUser/RunAsGroup. If the daemon
## drops privileges, verify that the chosen TOS value still takes effect
## rather than keeping the daemon running as root to obtain it.
##
## Default: unset.
# TOSFlagsDefault = 0

## TOS to set when the traffic is considered "differentiated",
## according to TOSMarkAsDiffURL, TOSMarkAsDiffCT or TOSMarkAsDiffSizeBT.
## This is a decimal value between 0-255.
##
## If unset, there will be no differentiated traffic at all.
##
## Your OS may put restrictions on which bits you may set
## (so certain bits will remain unchanged regardless).
## Your OS may also restrict which bits and/or value ranges
## you may set if you're not running as root.
## Other (non-unixish) OSes may be unable to set TOS at all.
##
## Default: unset.
# TOSFlagsDiff = 16

## This is the file containing a list of URLs which should
## have their traffic "differentiated"
## (that is, to have their TOS changed to TOSFlagsDiff).
##
## Inside the file, the URLs may also contain pattern-matching asterisks.
## Comments may be present if prefixed by '#' (shell-alike).
## In order to match a whole site: "http://www.examplehost.xyz/*"
##
## Default: none
# TOSMarkAsDiffURL = "/etc/ziproxy/change_tos.list"

## This is the content-type list of data that should
## have their traffic "differentiated"
## (that is, to have their TOS changed to TOSFlagsDiff).
## This is the content-type as received from the remote HTTP server,
## if it is changed by Ziproxy later, it will not be taken into account.
## NOTE(review): the content-type is supplied by the remote server, so this
## classification is under the remote server's control. Treat it as a
## traffic-shaping hint, not as an access control.
##
## "" (empty string) will match empty content-types AND data which have
## no content-type specified.
##
## If no subtype is specified, all subtypes will match:
## "aaaa" will match "aaaa", "aaaa/bbbb", "aaaa/cccc" etc
##
## See also: TOSMarkAsDiffCTAlsoXST
## Default: none
# TOSMarkAsDiffCT = {"video/flv", "video/x-msvideo", "audio/*",
#     "application/x-shockwave-flash", "application/x-rpm",
#     "application/x-msi", "application/x-tar"}

## When using TOSMarkAsDiffCT, this defines whether to also automatically add
## content-type entries with the 'x-' prefix added to subtypes
## (aaaa/bbbb also adding aaaa/x-bbbb).
## Usually it's convenient to do it this way, as it avoids worrying about
## having to create duplicated entries, or about which variant is valid.
##
## You may want to disable this if you wish to have precise control
## over which content-types are included.
##
## See also: TOSMarkAsDiffCT
## Default: true
# TOSMarkAsDiffCTAlsoXST = true

## This is the stream size threshold (in bytes) which, if reached,
## will make such traffic "differentiated"
## (that is, to have their TOS changed to TOSFlagsDiff).
## The stream size is the ziproxy -> user one (which may be
## bigger or smaller than the original one, sent by the HTTP server).
##
## There are two possible behaviors with this parameter:
## - The total stream size is known beforehand, so the data
##   will be marked as differentiated from the beginning.
## - The total stream size is unknown, so the data will
##   be marked as differentiated once it reaches that
##   size.
##
## Current limitations (this may change in the future):
## - The maximum value to be specified here is signed int
##   usually 32bit -> (2^31 - 1).
## - HTTP range requests are not taken into account so, if their effective
##   streams do not reach this threshold, such data will not be
##   marked as "differentiated", even if the HTTP range goes beyond that.
## - Usually the HTTP headers will not be taken into account (only the body
##   size itself), except in cases such as CONNECT method
##   and URLNoProcessing (cases when the data from server is treated like
##   a "black box").
##
## Default: none
# TOSMarkAsDiffSizeBT = 4000000

###################
# general options #
###################

## Debugging log.
## Dumps detailed processing information for each request.
## Since concurrent HTTP requests are asynchronous, the lines end up mixed
## in this log. Use the PID number to differentiate a request from another.
## Unless you really want this data, it's better leaving this disabled as
## it generates lots of data for each HTTP request.
## NOTE(review): per-request detail presumably includes what users
## requested; if enabled, restrict read access to the log file and
## disable it again once debugging is finished.
##
## Disabled by default.
# DebugLog = "/var/log/ziproxy/debug.log"

## Error-like messages logging.
## This relates to error messages, warnings and such messages, including
## configuration errors and other.
## If undefined, defaults to stderr. In this case the (normally rare) errors
## occurring after the program successfully started will not be displayed,
## this is to avoid the possibility of flooding the screen with error messages.
## If defined, all error-like messages will be dumped into the specified
## file. The exception are the errors occurring at the very early stages
## of Ziproxy initialization.
## WARNING: If you define an error log file and ziproxy initialization fails,
## ziproxy will fail and no error will be displayed on the console.
##
## Default: undefined (dumps to stderr).
# ErrorLog = "/var/log/ziproxy/error.log"

## File to be used as access log.
## If undefined, there will be no access logging at all.
## Log format:
##   TIME (unix time as seconds.msecs)
##   PROCESS_TIME (ms)
##   [USER@]ADDRESS (address with daemon mode only)
##   FLAGS
##   ORIGINAL_SIZE
##   SIZE_AFTER_(RE)COMPRESSION
##   METHOD
##   URL
## where FLAGS may be:
##   P (a request as proxy)
##   T (a request as transparent proxy)
##   S (CONNECT method, usually HTTPS data)
##   Z (transfer timed out - see ConnTimeout)
##   B (interrupted transfer - either by user or by remote http host)
##   W (content type was supposed to load into memory, but it had no content-size and, in the end, it was bigger than MaxSize. so it was streamed instead)
##   N (URL not processed. See: URLNoProcessing config option)
##   R (data was replaced. See: URLReplaceData config option)
##   Q (TOS was changed)
##   K (image too expansive. See: MaxUncompressedImageRatio config option)
##   G (stream gunzip too expansive. See: MinUncompressedGzipStreamEval, MaxUncompressedGzipRatio)
##   1 (SIGSEGV received)
##   2 (SIGFPE received)
##   3 (SIGILL received)
##   4 (SIGBUS received)
##   5 (SIGSYS received)
##   X (SIGTERM received - also happens when interrupting the daemon while transferring)
## NOTE(review): each entry records the client address, the optional user
## name and the full URL. Restrict read access to the log directory and
## apply rotation/retention that matches your privacy requirements.
## The K and G flags mark requests stopped by the decompression limits and
## are worth monitoring.
## Disabled by default.
AccessLog = "/var/log/ziproxy/access.log"

## When enabled, Ziproxy will intercept signals indicative of
## software crash, flag the offending request in access log
## accordingly, then stop the offending process.
## This is useful for debugging purposes and it's not recommended
## to leave it enabled in normal use due to the risk of garbage
## being written to access log (due to a more severe crash).
## Once enabled, the intercepted signals are:
##   SIGSEGV (segmentation fault)
##   SIGFPE (FPU exception)
##   SIGILL (illegal instruction)
##   SIGBUS (bus error, alignment issues)
##   SIGSYS (bad system call)
## Disabled by default (those signals not intercepted by Ziproxy)
# InterceptCrashes = false

## Authentication mode to be used for proxy access:
## 0: none (no authentication required)
## 1: plain text file
## 2: SASL (auxprop, see /etc/ziproxy/sasl/ziproxy.conf)
##
## Notes:
## a) SASL support is optional (enabled during compilation time).
## b) SASL authentication does not require external SASL daemon
##    configuration/invocation, just Ziproxy's SASL configuration.
##
## NOTE(review): with the default of 0, access control rests entirely on
## Address/OnlyFrom and on any external firewall. Enable authentication
## before allowing connections from anything other than trusted hosts.
##
## Default: 0 (no authentication required)
## See also: AuthPasswdFile, AuthSASLConfPath
# AuthMode = 0

## Plain text file containing authentication data.
## Should contain user:pass pairs, lines no longer than 128 chars.
## Password is unencrypted.
## Used only when AuthMode=1
##
## NOTE(review): because the passwords are stored in clear text, make this
## file readable only by the account Ziproxy runs as (see RunAsUser) and
## do not reuse these passwords for other services.
##
## Default: (undefined)
## See also: AuthMode
# AuthPasswdFile = "/etc/ziproxy/http.passwd"

## Path to Ziproxy's SASL configuration file, where
## a file named "ziproxy.conf" (not related to this one)
## must be present and properly configured.
## Used only when AuthMode=2
##
## Default: (default SASL setting, OS-dependent, may be /etc/sasl2/)
## See also: AuthMode
# AuthSASLConfPath = "/etc/ziproxy/sasl/"

## Forward everything to another proxy server.
## Modifications/compression is still applied.
## Default: none (disabled)
# NextProxy="host.name"

## TCP port to be used by NextProxy.
## Default: 8080
# NextPort=8080

## Use these DNS name servers to resolve hostnames
## instead of the ones configured in /etc/resolv.conf
# Nameservers = { "1.2.3.4", "11.22.33.44" }

## Bind outgoing connections (to remote HTTP server) to the following (local) IPs
## It applies to the _outgoing_ connections, it has _no_ relation to the listener socket.
## When 2 or more IPs are specified, Ziproxy will rotate to each of those at each
## outgoing connection. All IPs have the same priority.
## You may use this option for any of the following reasons:
## 1. - To use only a specific IP when connecting to remote HTTP servers.
## 2. - Use 2 or more IPs for load balancing (a rather primitive one, since it's
##      connection-based and does not take into account the bytes transferred).
## 3. - You have a huge intranet and certain sites (google.com, for example)
##      are blocking your requests because there are so many coming from the same IP.
##      So you may use 2 or more IPs here and make it appear that your requests
##      come from several different machines.
## This option does _not_ spoof packets, it merely uses the host's local IPs.
## Note: While in (x)inetd mode, output may be bound only to one IP.
## NOTE(review): the access log format described in this file has no field
## for the outgoing source IP, so with rotation enabled a report about one
## of these IPs cannot be matched to a request by IP alone; correlate on
## time and URL instead.
## Disabled by default (binds to the default IP, the OS decides which one).
## See also: BindOutgoingExList
# BindOutgoing = { "234.22.33.44", "4.3.2.1", "44.200.34.11" }

## Specifies a file containing a list of hosts which should not suffer
## IP rotation as specified by the option "BindOutgoing".
## The reason for this option is that certain services do not like
## the client IP changing in the same session.
## Certain webmail services fail or return authentication failure in this case.
## Example: www.bol.com.br
## This option has no effect if BindOutgoing is not used.
## Default: empty, no hosts are exempted.
## See also: BindOutgoingExAddr
# BindOutgoingExList="/etc/ziproxy/bo_exception.list"

## Defines a specific IP to be bound to for hosts specified in BindOutgoingExList.
## As with BindOutgoing, this IP must be a local IP from the server running Ziproxy.
## This IP may be one of those specified in BindOutgoing, but that's _not_
## a requirement and may be a different IP.
## This option has no effect if BindOutgoingExList is not being used.
## Default: empty, uses the first IP specified in BindOutgoing.
# BindOutgoingExAddr="98.7.65.43"

## Allow processing of requests as transparent proxy
## (will still accept normal proxy requests)
## In order to use Ziproxy as transparent proxy it's also needed
## to reroute the connections from x.x.x.x:80 to ziproxy.host:PROXY_PORT
## Disabled by default.
## See also: RestrictOutPortHTTP
# TransparentProxy = false

## Whether to process normal proxy requests or not
## Only makes sense when TransparentProxy is enabled.
## If transparent proxy is enabled, it's usually a good idea to disable
## conventional proxying since, depending on the layout of your network,
## it can be abused by ill-meant users to circumvent restrictions
## presented by another proxy placed between Ziproxy and the users.
## Enabled by default.
# ConventionalProxy = true

## Whether to allow the CONNECT method.
## This method is used by HTTPS, but may be used for other
## types of service (like instant messaging) which allow tunneling through http proxy.
## If you plan on serving only HTTP requests (no HTTPS nor anything else)
## you may want to disable this, in order to prevent potential
## abuse of the service.
## NOTE(review): with the defaults (CONNECT enabled, all destination ports
## allowed) the proxy will open a tunnel to any TCP port a client asks for.
## If CONNECT must stay enabled, limit RestrictOutPortCONNECT to the ports
## actually needed.
## Enabled by default.
## See also: RestrictOutPortCONNECT
# AllowMethodCONNECT = true

## If defined, restricts the outgoing connections (except CONNECT methods - used by HTTPS)
## to the listed destination ports.
## If TransparentProxy is used, for security reasons it's recommended to restrict
## to the ports (typically port 80) which are being intercepted.
## NOTE(review): with the default, clients can have the proxy connect to any
## port on any host the proxy machine can reach, which may include services
## meant to be internal-only. Set an explicit list.
## Default: all ports are allowed.
## See also: RestrictOutPortCONNECT
# RestrictOutPortHTTP = {80, 8080}

## If defined, restricts the outgoing connections using the CONNECT method (used by HTTPS)
## to the listed destination ports.
## If AllowMethodCONNECT=false, then no ports are allowed at all regardless of this list.
## Default: all ports are allowed.
## See also: AllowMethodCONNECT, RestrictOutPortHTTP
# RestrictOutPortCONNECT = {443}

## Whether to override the Accept-Encoding more to Ziproxy's liking.
## If disabled, Ziproxy will just forward Accept-Encoding received from the client
## (thus the data may or may not come gzipped, depending on what the HTTP client says).
##
## Currently, this option is used to always advertise Gzip capability to
## the remote HTTP server.
## Enabling this does not necessarily mean that the data will come compressed
## from the server. This option just advertises the capability at Ziproxy's side,
## the remote server must support that capability as well.
##
## This has _no_ relation to the Gzip support between Ziproxy and the client, thus
## you may leave this enabled even if you have clients that do not support Gzip.
## Ziproxy will compress/decompress the data according to the client.
##
## Enabled by default.
# OverrideAcceptEncoding = true

## Enable/disable the internal gzip decompression by Ziproxy.
## This decompression is needed when the remote server sends data already gzipped,
## but further processing is desired (like HTMLopt, PreemptDNS etc).
## Disabling this will save some processing load, and reduce some latency since
## Ziproxy will directly stream that data to the client.
## - But processing features (htmlopt, preemptdns...) WILL NOT work with such data.
##
## Attention:
## If you disable this, but configure Ziproxy to advertise as a gzip-supporting
## client to the remote server: While using a non-gzip-supporting client, the client
## may receive gzip-encoded data and it won't know how to deal with that
## (== it will receive useless garbage).
##
## Enabled by default.
## See also: MaxUncompressedGzipRatio (limits how far this decompression
## may expand data received from a remote server)
# DecompressIncomingGzipData = true

## Replaces the User-Agent data sent by the client with a custom string,
## OR defines User-Agent with that string if that entry was not defined.
## If disabled, Ziproxy will just forward the User-Agent sent by the client.
## Normally you will want to leave this option DISABLED (commented).
##
## It's useful if you, for some reason, want to identify all the clients as
## some specific browser/version/OS.
## Certain websites may appear broken if the client uses a different browser than
## the one specified here.
## Certain webservers may break completely when an unrecognized User-Agent is provided
## (for example: www.rzeczpospolita.pl).
##
## Undefined by default (leave User-Agent as defined by the client).
# RedefineUserAgent = "Mozilla/5.0 (compatible; UltraBrowser/8.1; CP/M; console40x24; z80)"

## When Ziproxy receives Gzip data it will try to decompress in order to do
## further processing (HTMLopt, PreemptDNS etc).
## This makes Ziproxy vulnerable to 'gzip-bombs' (eg. like 10 GB of zeroes, compressed)
## which could be used to slow down or even crash the server.
## In order to avoid/minimise such problems, you can limit the max
## decompression proportion, related to the original file.
## If a Gzipped file exceeds that proportion while decompressing, its
## decompression is aborted.
## The user will receive an error page instead or (if already transferring)
## transfer will simply be aborted.
##
## You may disable this feature by setting its value to '0'.
## NOTE(review): setting 0 removes the gzip-bomb protection described above;
## keep a finite value on any instance that fetches content from servers
## you do not control.
## default: 2000 (that's 2000% == 20 times the compressed size)
# MaxUncompressedGzipRatio = 2000

## When limiting decompression rate with MaxUncompressedGzipRatio
## _and_ gunzipping while streaming it's not possible to know the
## file size until the transfer is finished. So Ziproxy verifies this while
## decompressing.
## The problem by doing this is the possible false positives:
## certain files compress a lot at their beginning, but then not-so
## shortly after.
## In order to prevent/minimize such problems, we define the minimum
## output (the decompressed data) generated before starting to
## check the decompression rate.
## If defined as '0', it will check the rate immediately.
## A too large value will increase the rate-limit precision, at the cost of less
## protection.
## Streams with output less than this value won't have decompression
## rate checking at all.
## This feature is only active if MaxUncompressedGzipRatio is defined.
## This does not affect data wholly loaded to memory (for further processing).
## default: 10000000 (bytes)
## Note: The previous default (until version 2.7.9_BETA) was 250000
## See also: MaxUncompressedGzipRatio
# MinUncompressedGzipStreamEval = 10000000

## This is the maximum compression rate allowable for an incoming
## (before recompression) image file.
## If an image has a higher compression rate than this, it will not
## be unpacked and it will be forwarded to the client as is.
## This feature protects against (or mitigates) the problem with
## "image bombs" (gif bombs, etc) done with huge bitmaps with the same
## pixel color (thus very small once compressed).
## Since Ziproxy may try to recompress the image, if several of this
## kind are requested, the server may run out of memory, so this
## may be used as a DoS attack against Ziproxy.
## This feature will not protect the client, since it will receive
## the unmodified picture.
## There are rare legitimate cases matching such high compression rate,
## including poor website design. But in such cases it is not really worth
## recompressing anyway (the processing costs are not worth the savings).
## Usually "image bomb" pictures have a >1000:1 compression ratio.
## Setting this to less than 100 risks not processing legitimate pictures.
## Setting 0 disables this feature.
## Default: 500 (500:1 ratio)
# MaxUncompressedImageRatio = 500

## If specified, ziproxy will send and check Via: header
## with given string as host identification.
## It is sometimes useful to avoid request loops.
## Default: not specified
# ViaServer = "something"

## If processing of request exceeds specified time in seconds,
## or connection is idle beyond that time (stalled) it will abort.
## This avoids processes staying forever (or for a very long time)
## in case of a stalled connection or software bug.
## This will NOT necessarily abort the streaming of very big files,
## it will ONLY if the connection stalls or there's a software bug.
## If "0", no timeout.
## Default: 90 (seconds)
# ConnTimeout = 90

## Max file size to try to (re)compress, in bytes;
## If "0", means that this limitation won't apply.
## This refers to the file size as received from the remote HTTP server
## (which may arrive gzipped or not -- it doesn't matter).
## If a file is bigger than this limit, Ziproxy will simply stream it unmodified,
## unless the user also requested gzip compression (see below).
## Attention: If setting a very big size, the request answer latency will
##   increase since Ziproxy needs to fetch the whole file before
##   attempting to (re)compress it.
## A too low value will prevent data bigger than that from being processed
## (jpg/png/gif recompression, htmlopt, preemptdns..).
## Note that if:
## - Only gzipping is to be applied *OR*
## - Gzipping and other is to be applied, but data is > MaxSize
## Gzip compression (and only that) will be applied while streaming.
## NOTE(review): with "0" the size of a response fetched in full for
## processing is not bounded by this option; prefer a finite value.
## Default: 1048576 (bytes)
## (default used to be "0" in ziproxy 2.3.0 and earlier)
# MaxSize = 1048576

## NOTE(review): UseContentLength is set here without any description in
## this file; confirm its meaning against the documentation of the
## installed Ziproxy version before changing it.
UseContentLength = false

## Whether to try to apply lossless compression with gzip.
## This option concerns traffic between Ziproxy and the client only.
## This optimization is not limited by MaxSize.
##
## Gzip compression applies only to content-types specified with
## the parameter LosslessCompressCT.
##
## See also: LosslessCompressCT
## Default: true
# Gzip = true

## This parameter specifies what kind of content-type is to be
## considered lossless compressible (that is, data worth applying gzip).
##
## Images, movies etc, normally are NOT compressible this way and those
## content-types should not be added (such data would turn slightly bigger
## and CPU would be wasted).
##
## See also: LosslessCompressCTAlsoXST, Gzip
## Default: an internal list of the most common compressible content-types.
# LosslessCompressCT = {
#     "text/*",
#     "application/asp",
#     "application/awk",
#     "application/cgi",
#     "application/class",
#     "application/css",
#     "application/dvi",
#     "application/executable",
#     "application/font",
#     "application/futuresplash",
#     "application/iso9660-image",
#     "application/java",
#     "application/javascript",
#     "application/json",
#     "application/msexcel",
#     "application/mspowerpoint",
#     "application/msword",
#     "application/pdf",
#     "application/perl",
#     "application/php",
#     "application/postscript",
#     "application/python",
#     "application/rtf",
#     "application/shellscript",
#     "application/shockwave",
#     "application/staroffice",
#     "application/tar",
#     "application/truetype-font",
#     "application/vnd.*",
#     "application/*+xml",
#     "application/xml",
#     "application/xml-dtd",
#     "image/svg+xml"
# }

## When using LosslessCompressCT, this defines whether to also automatically add
## content-type entries with the 'x-' prefix added to subtypes
## (aaaa/bbbb also adding aaaa/x-bbbb).
## Usually it's convenient to do it this way, as it avoids worrying about
## having to create duplicated entries, or about which variant is valid.
##
## Note: If LosslessCompressCT is undefined (thus the internal defaults
## are being used) this option has no effect.
##
## You may want to disable this if you wish to have precise control
## over which content-types are included.
##
## See also: LosslessCompressCT
## Default: true
# LosslessCompressCTAlsoXST = true

## Whether to try to (re)compress incoming data originally in
## the following formats (true) or not (false)
## default: true
# ProcessJPG = true
# ProcessPNG = true
# ProcessGIF = true

## Whether to try to optimize HTML, CSS and Javascript, thus reducing their size
## ProcessHTML: text/html
## ProcessCSS:  text/css
## ProcessJS:   application/[x-]javascript
## Although such data may be Gzipped too, optimizing prior to Gzipping normally
## reduces the data size even further.
## The final size depends much on how unoptimal is the coding of such data;
## some sites already present HTML pre-optimized so, in such cases, there won't
## be much gain.
## Note: Due to the higher complexity of such optimization, there's some risk of a page
##       being corrupted.
## ****** THESE OPTIONS ARE EXPERIMENTAL ******
##
# ProcessHTML = false
# ProcessCSS = false
# ProcessJS = false

## Options for fine-tuning text/html optimization.
## Only used when ProcessHTML=true
## Certain optimizations may be disabled as a quick 'fix' when text data
## gets corrupted after being optimized.
## Note: CSS and JS switches apply _only_ to such data when embedded into HTML data,
##       for JS, CSS-only data, see ProcessJS and ProcessCSS options.
##
# ProcessHTML_CSS = true
# ProcessHTML_JS = true
# ProcessHTML_tags = true
# ProcessHTML_text = true
# ProcessHTML_PRE = true
# ProcessHTML_NoComments = true
# ProcessHTML_TEXTAREA = true

## If enabled, will discard PNG/GIF/JP2K transparency and de-animate
## GIF images if necessary for recompression, at the cost of some image
## distortion.
## Note: Images with useless transparency/alpha data (all pixels
##       being opaque) do not require this option. In such cases Ziproxy
##       will detect that and remove the useless data automatically.
## Disabled by default.
# AllowLookChange = true

## If enabled, convert images to grayscale before recompressing.
## This provides extra compression, at the cost of losing color data.
## Note: Not all images sent will be in grayscale, only the ones
##       considered worth recompression that way.
## Disabled by default.
# ConvertToGrayscale = false

## Preemptive Name Resolution
## If enabled, tries to resolve hostnames present in the processed HTML files
## for speeding up things (no delay for name resolution).
## One extra process + (max)PreemptNameResMax threads will run for each HTML request.
## PreemptNameResMax is the max hostnames it will try to resolve per HTML file.
## PreemptNameResBC "bogus check", ignore names whose domains are not .nnnn, .nnn or .nn
##
## WARNING: This option makes sense _only_ if you have a caching DNS or
## a name cache of some sort (like: PDNSD).
## == THIS OPTION WILL INCREASE BY MANY TIMES THE REQUESTS TO THE DNS ==
##
## NOTE(review): the hostnames come from the content of fetched pages, so a
## single page can cause up to PreemptNameResMax lookups from this host.
## If enabled, keep PreemptNameResMax modest and leave PreemptNameResBC on.
##
# PreemptNameRes = false
# PreemptNameResMax = 50
# PreemptNameResBC = true

## Image quality for JPG (JPEG) compression.
## Image quality is specified in integers between 100 (best) and 0 (worst).
## NOTE(review): what each of the four values applies to is not described
## in this file; confirm against the Ziproxy documentation.
ImageQuality = {30,25,25,20}

## Alpha channel (image transparency data) removal threshold
## Removes alpha channel from images with a minimum opacity
## of AlphaRemovalMinAvgOpacity
## (1000000: completely opaque, 0: completely transparent).
##
## This reduces data by removing unnecessary alpha channel from
## fully-opaque images; and from (subjectively) not-so-relevant transparency
## information.
## This also allows recompression to JPEG for PNG/JP2k images originally
## with alpha channel (which is not supported by JPEG image format).
## Note: Debug log reports the average alpha opacity for each
##       image with alpha channel.
## Default: 1000000 (remove alpha only from fully-opaque images)
##
# AlphaRemovalMinAvgOpacity = 1000000

## Workaround for MSIE's pseudo-feature "Show friendly HTTP error messages."
## If User-Agent=MSIE, don't change/compress the body of error messages in any way.
## If compressed it could go down below 256 or 512 bytes and be replaced with
## a local error message instead.
## In certain cases the body has crucial data, like HTML redirection or so, and
## that would be broken if a "friendly error" replaces it.
##
## If you are sure there are no users using MSIE's with "friendly error messages"
## enabled, or you don't support/have users with such configuration, you may
## disable this and have error data compressed for MSIE users.
## This workaround does not affect other clients at all, and error messages
## will be sent compressed if the client supports it.
##
## Enabled by default.
# WA_MSIE_FriendlyErrMsgs = true

## This option specifies a file containing a list of URLs that should be tunneled
## by Ziproxy with no kind of processing whatsoever.
## The list contains fully-formatted URLs (http://xxx/xxx), one URL per line.
## The URLs may also contain pattern-matching asterisks.
## Comments may be present if prefixed by '#' (shell-alike).
## In order to exempt a whole site from processing: "http://www.exemptedhost.xyz/*"
##
## This option exists for when a page is known to stop working under Ziproxy processing
## and there's no specific workaround/bugfix available yet.
## Thus, this is a temporary solution when you depend on the page to work in a
## production environment.
##
## ****** REMEMBER TO REPORT BUGS/INCOMPATIBILITIES SO THEY MAY BE FIXED *******
## *** THIS IS NOT SUPPOSED TO BE A DEFINITIVE SOLUTION TO INCOMPATIBILITIES ***
##
## Default: empty (no file specified, inactive)
# URLNoProcessing = "/etc/ziproxy/noprocess.list"

## This option specifies a file containing a list of URLs whose
## data should be intercepted and replaced by another.
## Header data such as cookies is maintained.
## Currently the only replacing data available is an empty image
## (1x1 transparent pixel GIF).
##
## The list contains fully-formatted URLs (http://xxx/xxx), one URL per line.
## The URLs may also contain pattern-matching asterisks.
## Comments may be present if prefixed by '#' (shell-alike).
## In order to exempt a whole site from processing: "http://ad.somehost.xyz/*"
##
## The way it is, this option may be used as an AD-BLOCKER which is
## transparent to the remote host (data is downloaded from the remote server
## and cookies are transported) -- a stealthy ad-blocker, if you like.
##
## NOTE(review): because the request is still sent and cookies still travel,
## this hides the content from the user but does not stop the remote host
## from seeing the request. Where the request itself should be refused,
## see URLDeny.
##
## Default: empty (no file specified, inactive)
## See also: URLReplaceDataCT
# URLReplaceData = "/etc/ziproxy/replace.list"

## Same as URLReplaceData, except it will only replace the data
## from matching URLs if the content-type matches
## the list in URLReplaceDataCTList (mandatory parameter) as well.
##
## URLReplaceDataCT may be useful as a more compatible AD-BLOCKER
## if only visual files are replaced. Certain websites rely on
## external javascript from advertisement hosts and break when
## that data is missing, this is a way to block advertisements
## in such cases.
##
## Default: empty (no file specified, inactive)
## See also: URLReplaceDataCTList, URLReplaceData
# URLReplaceDataCT = "/etc/ziproxy/replace_ct.list"

## List of content-types to use with the URLReplaceDataCT option.
## This option is required by URLReplaceDataCT.
## Default: empty (no content-type specified, inactive)
## See also: URLReplaceDataCTListAlsoXST, URLReplaceDataCT
# URLReplaceDataCTList = {"image/jpeg", "image/gif", "image/png", "application/x-shockwave-flash"}

## When using URLReplaceDataCTList, this defines whether to also automatically add
## content-type entries with the 'x-' prefix added to subtypes
## (aaaa/bbbb also adding aaaa/x-bbbb).
## Usually it's convenient to do it this way, as it avoids worrying about
## having to create duplicated entries, or about which variant is valid.
##
## You may want to disable this if you wish to have precise control
## over which content-types are included.
##
## See also: URLReplaceDataCTList
## Default: true
# URLReplaceDataCTListAlsoXST = true

## This option specifies a file containing a list of URLs which
## should be blocked.
## An "access denied" 403 error will be returned when trying to access
## one of those URLs.
## Note: entries are matched as URLs; if you rely on this list for policy,
## verify how it applies to CONNECT (HTTPS) requests, where a proxy sees
## only the host and port. It does not replace access restrictions such as OnlyFrom.
## Default: empty (no file specified, inactive)
# URLDeny = "/etc/ziproxy/deny.list"

## Custom HTTP Error Messages
## Define here the full path to the HTML file which should be
## sent, instead of the internal default page.
## Note: The internal defaults give more precise error messages.
## These files are sent to clients: keep them writable only by the
## administrator and readable by the user Ziproxy runs as (see RunAsUser).
##
## 400 - Bad request (malformed URL, or unknown URL type)
CustomError400="/var/ziproxy/error/400.html"
## 403 - Forbidden
CustomError403="/var/ziproxy/error/403.html"
## 404 - Unknown host (Ziproxy will not issue 'page not found' errors itself)
CustomError404="/var/ziproxy/error/404.html"
## 407 - Proxy Authentication Required
CustomError407="/var/ziproxy/error/407.html"
## 408 - Request timed out
CustomError408="/var/ziproxy/error/408.html"
## 409 - Conflict
CustomError409="/var/ziproxy/error/409.html"
## 500 - Internal error (or empty response from server)
CustomError500="/var/ziproxy/error/500.html"
## 503 - Connection refused (or service unavailable)
CustomError503="/var/ziproxy/error/503.html"

##############################################################################
# JPEG 2000-specific options (require Ziproxy to be compiled with libjasper) #
##############################################################################

## Whether to try to (re)compress incoming data originally in
## the JP2 format (true) or not (false)
## Note: This option is not required to be enabled in order to convert
## _to_ JP2 format.
## Note: when enabled, JP2 data received from remote servers is decoded by
## Ziproxy, so the JPEG 2000 library then parses untrusted input; keep that
## library up to date and leave this disabled if it is not needed.
## default: false
# ProcessJP2 = false

## Whether to try to compress an image to JP2K (JPEG 2000)
## Even when enabled, other formats may still be tried.
## Web browsers' support varies and an external plugin may be required
## in order to display JP2K pictures.
## If "ForceOutputNoJP2 = true", this option will be overridden
## and stay disabled.
## default: false
# ProcessToJP2 = false

## When enabled, this option forces the conversion of all incoming
## JP2K images to another format (usually JPEG).
## JP2K images with unsupported internal data will be forwarded unmodified.
## One may use this option to create "JP2K-compressed tunnels" between
## two Ziproxies with narrow bandwidth in between and serve clients
## which otherwise do not support JP2K while still taking advantage of that
## format. In such a scenario, if the clients and their Ziproxy share a LAN,
## for best image quality it is recommended to set a very low (highest quality)
## _local_ output compression.
## This option requires "ProcessJP2 = true" in order to work.
## default: false
# ForceOutputNoJP2 = false

## When enabled, every request made as a client will include an extra header "X-Ziproxy-Flags"
## announcing it as a Ziproxy with JP2 support enabled.
## This option makes sense when chaining to another Ziproxy.
## Note: when the request is intercepted by another Ziproxy,
## the extra header won't be sent further.
## If no other Ziproxy intercepts the request, the header presumably reaches
## the remote server and reveals that a Ziproxy is in use, so enable this
## only when actually chaining.
## See also: JP2OutRequiresExpCap
## default: false
# AnnounceJP2Capability = false

## "JP2 Output Requires Explicit Capability"
## When enabled (and when JP2 output is enabled) will only compress to JP2 for
## clients which explicitly announce support for that -- that means a Ziproxy with
## AnnounceJP2Capability = true.
## This option is useful when you want to compress to JP2 only for clients
## behind a local Ziproxy with ForceOutputNoJP2 = true, but at the same time
## you have clients connecting directly and those do not support JP2.
## default: false (does not make such discrimination for JP2 output)
# JP2OutRequiresExpCap = false

## Image quality for JP2 (JPEG 2000) compression.
## Image quality is specified in integers between 100 (best) and 0 (worst).
## This option is similar to "ImageQuality" except it applies to JP2K files, instead.
## JP2K, internally, works differently and has a "rate" setting instead of "quality".
## Within Ziproxy's context we want to use a fixed quality, not a fixed bitrate.
## Thus, prior to compression, the image is analysed in order to know which rate
## (loosely) reflects the quality had this picture been compressed using jpeg.
## This option obsoletes "JP2Rate".
# JP2ImageQuality = {20,15,15,15}

## Color model to be used while compressing images to JP2K.
## Accepted values:
## 0 - RGB
## 1 - YUV
## If different than RGB, it adds extra processing due to conversion.
## By itself it doesn't change the output data size much, and the
## conversion is not 100.0% lossless.
## If you plan on using JP2CSampling* or JP2BitRes* options, a non-RGB
## color model is highly preferable.
## Default: 0 (YUV)
## (NOTE: the line above contradicts the list of accepted values, where 0 is RGB
## and 1 is YUV; verify the actual default before relying on it.)
## Note: certain jp2-aware software does NOT support a color model
## other than RGB and will either fail or display a distorted image.
# JP2Colorspace = 1

## Upsampler to be used while resampling each component of a JP2K picture.
## This is used ONLY when decompressing JP2K pictures, it does not affect
## JP2K compression at all (that uses a downsampler, which is linear-only).
## Accepted values:
## 0 - Linear
## 1 - Lanczos (Lanczos3)
## For modest scaling such as 2:1, linear is usually better,
## resulting in an overall clear component.
## Lanczos may be interesting when scaling 4:1 or more, though
## it tends to sharpen the JP2K artifacts and add harmonic
## interference to the component.
## Default: 0 (Linear)
# JP2Upsampler = 0

## This applies to B&W pictures compressed to JP2K.
## Defines the channel resolution for each component:
## Y (luma) and A (alpha, if present)
## in number of bits (min: 1, max: 8)
## Defined for each file size (see JP2ImageQuality).
## The smallest image comes first in the array.
## Sequence is YAYAYAYA.
##
## Default: all to eight bits
#JP2BitResYA = {6,4,
#               7,5,
#               8,6,
#               8,6}

## This applies to color pictures compressed to JP2K
## using the RGB model (see JP2Colorspace).
## Defines the channel resolution for each component:
## R (red), G (green), B (blue) and A (alpha, if present)
## in number of bits (min: 1, max: 8)
## Defined for each file size (see JP2ImageQuality).
## The smallest image comes first in the array.
## Sequence is RGBARGBARGBARGBA.
##
## Default: all to eight bits
# JP2BitResRGBA = {6,5,5,4,
#                  7,6,6,5,
#                  6,7,7,6,
#                  8,8,8,6}

## This applies to color pictures compressed to JP2K
## using the YUV color model (see JP2Colorspace).
## Defines the channel resolution for each component:
## Y (luma), U (chroma, Cb), V (chroma, Cr), and A (alpha, if present)
## in number of bits (min: 1, max: 8)
## Defined for each file size (see JP2ImageQuality).
## The smallest image comes first in the array.
## Sequence is YUVAYUVAYUVAYUVA.
##
## Default: sensible values for best quality/compression
#JP2BitResYUVA = {6,5,5,4,
#                 7,6,6,5,
#                 8,7,7,6,
#                 8,8,8,6}

## This applies to B&W pictures compressed to JP2K.
## Here you may define the sampling rate for each component,
## for each picture size.
## The sequence is:
## Y_xpos, Y_ypos, Y_xstep, Y_ystep, A_xpos, A_ypos, A_xstep, A_ystep, (smallest picture)
## ... ... ... (medium-sized picture)
## etc.
## Default: all x/ypos=0 x/ystep=1 (no components suffer subsampling)
## Note: certain jp2-aware software does NOT support component subsampling and will fail.
#JP2CSamplingYA = {0,0,1,1, 0,0,1,1,
#                  0,0,1,1, 0,0,1,1,
#                  0,0,1,1, 0,0,2,2,
#                  0,0,1,1, 0,0,2,2}

## This applies to color pictures compressed to JP2K
## using the RGB model (see JP2Colorspace).
## Here you may define the sampling rate for each component,
## for each picture size.
## The sequence is:
## R_xpos, R_ypos, R_xstep, R_ystep, G_xpos, G_ypos, G_xstep, G_ystep, B... A... (smallest picture)
## ... ... ... (medium-sized picture)
## etc.
## Default: all x/ypos=0 x/ystep=1 (no components suffer subsampling)
## Note: certain jp2-aware software does NOT support component subsampling and will fail.
#JP2CSamplingRGBA = {0,0,1,1, 0,0,1,1, 0,0,1,1, 0,0,1,1,
#                    0,0,1,1, 0,0,1,1, 0,0,1,1, 0,0,1,1,
#                    0,0,1,1, 0,0,1,1, 0,0,1,1, 0,0,1,1,
#                    0,0,1,1, 0,0,1,1, 0,0,1,1, 0,0,1,1}

## This applies to color pictures compressed to JP2K
## using the YUV color model (see JP2Colorspace).
## Here you may define the sampling rate for each component,
## for each picture size.
## The sequence is:
## Y_xpos, Y_ypos, Y_xstep, Y_ystep, U_xpos, U_ypos, U_xstep, U_ystep, V... A... (smallest picture)
## ... ... ... (medium-sized picture)
## etc.
## Default: sensible values for a good image quality.
## Note: certain jp2-aware software does NOT support component subsampling and will fail.
#JP2CSamplingYUVA = {0,0,1,1, 0,0,1,1, 0,0,1,1, 0,0,1,1,
#                    0,0,1,1, 0,0,1,2, 0,0,2,1, 0,0,1,1,
#                    0,0,1,1, 0,0,2,2, 0,0,2,1, 0,0,2,2,
#                    0,0,1,1, 0,0,2,2, 0,0,2,2, 0,0,2,2}