ijbman.html

一个不错的服务代理器

<p><dt><i><a name="o_f">-f forward_host[:port]</a></i><br><a name="forwardfile"><tt>forwardfile</tt>&#160;&#160;<i>forwardfile</i></a><dd>
Version 1.X required all
<small>HTTP</small>
requests from the client to be forwarded to the same destination.
Version 2.0 takes its routing specification from a
<i>forwardfile</i>,
allowing selection of the proxy (a.k.a. forwarding host) and gateway
according to the
<small>URL</small>.
Here is a typical line.
<br>
<pre>
*         lpwa.com:8000      .      .
</pre>
<p>
<a name="lines">Each line contains four fields:</a>
<big><kbd>target</kbd></big>,
<big><kbd>forward_to</kbd></big>,
<big><kbd>via_gateway_type</kbd></big>
and
<big><kbd>gateway</kbd></big>.
As usual, the
<a href="ijbman.html#compare">last</a>
<big><kbd>target</kbd></big>
domain that matches the requested
<small>URL</small>
wins,
and the
<big><kbd>*</kbd></big>
character alone matches any domain.
The target domain need not be a fully qualified
hostname; it can be a general domain such as
<big><kbd>com</kbd></big>
or
<big><kbd>co.uk</kbd></big>
or even just a port number.
<a name="nose">For example, because</a>
<a href="http://lpwa.com">LPWA</a>
does not handle
<a href="ijbfaq.html#encrypt">SSL</a>,
the line above will typically be followed by a line such as
<br>
<pre>
:443	.      .      .
</pre>
to allow SSL transactions to proceed directly.
The cautious would also
add an entry in their blockfile to stop transactions
to port 443 for all but specified trusted sites.
<p>
<a name="forward">If the winning</a>
<big><kbd>forward_to</kbd></big>
field is
<big><kbd>.</kbd></big>
(the dot character) the proxy connects 
directly to the server given in the
<small>URL</small>,
otherwise it forwards to the host and port number specified.
The default port is 8000.
The
<big><kbd>via_gateway_type</kbd></big>
and
<big><kbd>gateway</kbd></big>
fields also use a dot to indicate no gateway protocol.
The gateway protocols are explained
<a href="ijbman.html#o_g">below</a>.
<p>
<a name="old">The example line above in a forwardfile alone</a>
would send everything through port 8000 at
<big><kbd>lpwa.com</kbd></big>
with no gateway protocol,
and is equivalent to the old
<big><kbd>-f lpwa.com:8000</kbd></big>
with no
<big><kbd>-g</kbd></big>
option.
For more information see the example file provided with the distribution.
<p>
<a name="loop">Configure with care: no loop detection is performed.</a>
When setting up chains of proxies that might loop back, try adding
<a href="ijbman.html#squid">Squid.</a>
<p><dt><i><a name="o_g">-g gw_protocol[:[gw_host][:gw_port]]</a></i><dd>
Use
<i>gw_protocol</i>
as the gateway protocol.
This option was introduced in Version 1.4,
but was folded into the
<a href="ijbman.html#forwardfile">forwardfile</a>
option in Version 2.0.
The default is to use no gateway protocol;
this may be explicitly specified as
<big><kbd>direct</kbd></big>
on the command line
or the dot character in the forwardfile.
The
<big><kbd>SOCKS4</kbd></big>
protocol may be specified as
<big><kbd>socks</kbd></big>
or
<big><kbd>socks4</kbd></big>.
The
<big><kbd>SOCKS4A</kbd></big>
protocol is specified as
<big><kbd>socks4a</kbd></big>.
The
<big><kbd>SOCKS5</kbd></big>
protocol is not currently supported.
The default
<small>SOCKS</small>
<i>gw_port</i>
is 1080.
<p>
<a name="configure">The user's browser should</a>
<em>not</em>
be
<a href="ijbfaq.html#socks">configured</a>
to use
<big><kbd>SOCKS</kbd></big>;
the proxy conducts the negotiations, not the browser.
<p>
<a name="identify">The user identification capabilities of</a>
<big><kbd>SOCKS4</kbd></big>
are deliberately not used;
the user is always identified to the
<big><kbd>SOCKS</kbd></big>
server as
<big><kbd>userid=anonymous</kbd></big>.
If the server's policy is to reject requests from
<big><kbd>anonymous</kbd></big>,
the proxy will not work.
Use a
<a href="ijbman.html#o_d">debug</a>
value of 3
to see the status returned by the server.
<p><dt><i><a name="o_d">-d N</a></i><br><a name="debug"><tt>debug</tt>&#160;&#160;<i>N</i></a><dd>
Set debug mode.
The most common value is 1,
to
<a href="ijbfaq.html#pinpoint">pinpoint</a>
offensive
<small>URL</small>s,
so they can be added to the blockfile.
The value of
<b>N</b>
is a bitwise
logical-<small>OR</small>
of the following values:
<br>
1 =  URLs (show each URL requested by the browser);<br>
2 =  Connections (show each connection to or from the proxy);<br>
4 =  I/O (log I/O errors);<br>
8 =  Headers (as each header is scanned, show the header and what is done to it);<br>
16 =  Log everything (including debugging traces and the contents of the pages).<br>
<a name="or">Multiple</a>
<big><kbd>debug</kbd></big>
lines are permitted; they are logical OR-ed together.
<p>
<a name="single">Because most browsers send several requests in parallel</a>
the debugging output may appear intermingled, so the
<a href="ijbman.html#single-threaded">single-threaded</a>
option is recommended when using
<a href="ijbman.html#debug">debug</a>
with
<b>N</b>
greater than 1.
<!-- Aside: Yes, it's clumsy, but it's easy to parse. -->
<p><dt><i><a name="o_y">-y</a></i><br><a name="add-forwarded-header"><tt>add-forwarded-header</tt></a><dd>
Add 
<big><kbd>X-Forwarded-For</kbd></big>
headers to the server-bound 
<small>HTTP</small>
stream
indicating the client 
<small>IP</small>
address
<a href="ijbfaq.html#detect">to the server,</a>
in the new style of
<a href="ijbman.html#squid">Squid 1.1.4.</a>
If you want the traditional
<big><kbd>HTTP_FORWARDED</kbd></big>
response header, add it manually with the
<a href="ijbman.html#o_x">-x</a>
option.
<!-- Aside: Not a default, since the end-client usually doesn't wish to be identified, but may be helpful in debugging chains. -->
<p><dt><i><a name="o_x">-x HeaderText</a></i><br><a name="add-header"><tt>add-header</tt>&#160;&#160;<i>HeaderText</i></a><dd>
Add the
<i>HeaderText</i>
verbatim to requests to the server.
Typical uses include
adding old-style forwarding notices such as
<big><kbd>Forwarded: by http://pro-privacy-isp.net</kbd></big>
and reinstating the
<big><kbd>Proxy-Connection: Keep-Alive</kbd></big>
header
(which the
<b><kbd>junkbuster</kbd></b>
deletes so as
<a href="ijbfaq.html#detect">not</a>
to reveal its existence).
No checking is done for correctness or plausibility,
so it can be used to throw any old trash into the server-bound 
<small>HTTP</small>
stream.
Please don't litter.
<!-- Aside: this represents "more than enough rope" -->
<p><dt><i><a name="o_s">-s</a></i><br><a name="single-threaded"><tt>single-threaded</tt></a><dd>
Doesn't
<big><kbd>fork()</kbd></big>
a separate process
(or create a separate thread)
to handle each connection.
Useful when debugging to keep the process single threaded.
<p><dt><i><a name="o_l">-l logfile</a></i><br><a name="logfile"><tt>logfile</tt>&#160;&#160;<i>logfile</i></a><dd>
Write all debugging data into
<i>logfile.</i>
The default
<i>logfile</i>
is the standard output.
<p><dt><br><a name="aclfile"><tt>aclfile</tt>&#160;&#160;<i>aclfile</i></a><dd>
Unless this option is used, the proxy talks to anyone who can connect to it,
and everyone who can has equal permissions on where they can go.
An access file allows restrictions to be placed on these two policies,
by distinguishing some
<i><dfn>source</dfn></i>
<small>IP</small>
addresses and/or
some
<i><dfn>destination</dfn></i>
addresses.
(If a
<a href="ijbman.html#forwardfile">forwarder or a gateway</a>
is being used, its address is considered the destination address,
not the ultimate
<small>IP</small>
address of the
<small>URL</small>
requested.)
<p>
<a name="permit">Each line of the access file begins with</a>
either the word
<big><kbd>permit</kbd></big>
or
<big><kbd>deny</kbd></big>
followed by source and (optionally) destination addresses 
to be matched against those of the
<small>HTTP</small>
request.
The last matching line specifies the result: if it was a
<big><kbd>deny</kbd></big>
line or if no line matched,
the request will be refused.
<p>
<a name="various">A source or destination</a>
can be specified as a single numeric
<small>IP</small>
address,
or with a hostname, provided that the host's name
can be resolved to a numeric address: this cannot be used to block all
<big><kbd>.mil </kbd></big>
domains for example,
because there is no single address associated with that domain name.
Either form may be followed by a slash and an integer
<big><kbd>N</kbd></big>,
specifying a subnet mask of
<big><kbd>N</kbd></big>
bits.
For example,
<big><kbd>permit 207.153.200.72/24</kbd></big>
matches the entire Class-C subnet from
207.153.200.0
through 207.153.200.255.
(A netmask of 255.255.255.0 corresponds to 24 bits of
ones in the netmask, as with
<big><kbd>*_MASKLEN=24</kbd></big>.)
A value of 16 would be used for a Class-B subnet.
A value of zero for
<big><kbd>N</kbd></big>
in the subnet mask length will cause any address to match;
this can be used to express a default rule.
For more information see the example file provided with the distribution.
<p>
<a name="false">If you like these access controls</a>
you should probably have
<a href="ijbfaq.html#firewall">firewall</a>;
they are not intended to replace one.
<p><dt><br><a name="trustfile"><tt>trustfile</tt>&#160;&#160;<i>trustfile</i></a><dd>
This feature is experimental, has not been fully documented and is
very subject to change.
The goal is for parents to be able to choose a page or site whose
links they regard suitable for their
<a href="ijbfaq.html#children">young children</a>
and for the proxy to allow access only to sites mentioned there.
To do this the proxy examines the
<a href="ijbman.html#o_r">referer</a>
variable on each page request to check they resulted from
a click on the ``trusted referer'' site: if so the referred site
is added to a list of trusted sites, so that the child can
then move around that site.
There are several uncertainties in this scheme that experience may be
able to iron out; check back in the months ahead.
<p><dt><br><a name="trust_info_url"><tt>trust_info_url</tt>&#160;&#160;<i>trust_info_url</i></a><dd>
When access is denied due to lack of a trusted referer, this
<small>URL</small>
is displayed with a message pointing the user to it for further information.
<p><dt><br><a name="hide-console"><tt>hide-console</tt></a><dd>
In the Windows version only, instructs the program
to disconnect from and hide the command console after starting.
<p><dt><i><a name="o_a">-a</a></i><dd>
(Obsolete) Accept the server's
<big><kbd>Set-cookie</kbd></big>
headers, passing them through to the browser.
<a name="obsolete">This option was removed in Version 1.2</a>
and replaced by an improvement to the
<a href="ijbman.html#o_c">-c</a>
option.
</dl>
</p>

<h3><a name="install" href="/cgi-bin/gp?pg=ijbman&pr=install"><img border=0 width=14 height=14 src="/images/fb.gif" alt="&lt;Feedback&gt"></a>&#160;
Installation and Use
</h3>
<p>
Browsers must be told where to find the
<b><kbd>junkbuster</kbd></b>
(e.g.
<big><kbd>localhost</kbd></big>
port 8000).
To set the 
<small>HTTP</small>
proxy in Netscape 3.0,
go through:
<b><font face="arial, helvetica">
Options</font></b>;
<b><font face="arial, helvetica">
Network Preferences</font></b>;
<b><font face="arial, helvetica">
Proxies</font></b>;
<b><font face="arial, helvetica">
Manual Proxy Configuration</font></b>;
<b><font face="arial, helvetica">
View</font></b>.
See the
<a href="ijbfaq.html"><small>FAQ</small></a>
for other browsers.
The
<a href="ijbfaq.html#security">Security Proxy</a>
should also be set to the same values,
otherwise
<big><kbd>shttp:</kbd></big>
<small>URL</small>s
won't work.
<p>
<a name="limitations">Note the limitations</a>
explained in the
<a href="ijbfaq.html"><small>FAQ</small></a>.
</p>

<h3><a name="show" href="/cgi-bin/gp?pg=ijbman&pr=show"><img border=0 width=14 height=14 src="/images/fb.gif" alt="&lt;Feedback&gt"></a>&#160;
Checking Options
</h3>
<p>
To allow users to
<a href="ijbfaq.html#show">check</a>
that a
<b><kbd>junkbuster</kbd></b>
is running and how it is configured,
it intercepts requests for any
<small>URL</small>
ending in
<big><kbd>/show-proxy-args</kbd></big>
and blocks it,
returning instead returns information on its
version number and
current configuration
including the contents of its blockfile.
To get an explicit warning that no
<b><kbd>junkbuster</kbd></b>
intervened if the proxy was not configured,
it's best to point it to a
<small>URL</small>
that does this, such as
<a href="http://internet.junkbuster.com/cgi-bin/show-proxy-args">http://internet.junkbuster.com/cgi-bin/show-proxy-args</a>
on Junkbusters's website.
</p>

<h3><a name="also" href="/cgi-bin/gp?pg=ijbman&pr=also"><img border=0 width=14 height=14 src="/images/fb.gif" alt="&lt;Feedback&gt"></a>&#160;
See Also
</h3>
<p>
<a href="ijbfaq.html">http://www.junkbusters.com/ht/en/ijbfaq.html</a>
<br>
<a href="cookies.html">http://www.junkbusters.com/ht/en/cookies.html</a>
<br>
<a href="http://internet.junkbuster.com/cgi-bin/show-proxy-args">http://internet.junkbuster.com/cgi-bin/show-proxy-args</a>
<br>
<a name ="kristol" href="http://www.cis.ohio-state.edu/htbin/rfc/rfc2109.html">http://www.cis.ohio-state.edu/htbin/rfc/rfc2109.html</a>
<br>
<a name ="squid" href="http://squid.nlanr.net/Squid/">http://squid.nlanr.net/Squid/</a>
<br>
<a href="http://www-math.uni-paderborn.de/~axel/">http://www-math.uni-paderborn.de/~axel/</a>
</p>

<h3><a name="copyright" href="/cgi-bin/gp?pg=ijbman&pr=copyright"><img border=0 width=14 height=14 src="/images/fb.gif" alt="&lt;Feedback&gt"></a>&#160;
Copyright and GPL
</h3>
<p>
Written and copyright by the Anonymous Coders and Junkbusters Corporation
and made available under the
<a href="gpl.html">GNU General Public License (GPL).</a>
This software comes with
<a href="gpl.html#nowarr">NO WARRANTY.</a>
Internet Junkbuster
Proxy
is a
<a href="legal.html#marks">trademark</a>
of Junkbusters Corporation.
</p>
<p align="center"><a href="#top_of_page"><img border=0 width=250 height=15 src="/images/top.gif" alt="--- Back to Top of Page ---"></a></p>
<font face="arial, helvetica">
<a rel="begin" href="index.html">Home</a> <font color="#ff0000">
<b> &#183; </b></font>
<a rel="next" href="cookies.html">Next</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="lopt.html">Site Map</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="legal.html">Legal</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="junkdata.html">Privacy</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="cookies.html">Cookies</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="ijb.html">Banner Ads</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="telemarketing.html">Telemarketing</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="junkmail.html">Mail</a>
<font color="#ff0000">
<b> &#183; </b></font><a href="junkemail.html">Spam</a>

</font><form action="/cgi-bin/search" method="GET">
<input type="text" name="q" size=60 maxlength=120 value="">
<input type="submit" value="Search"></form>
<small>
<small>
<p>
<a href="legal.html#copy">Copyright</a> &#169; 1996-8 Junkbusters
<a href="legal.html#marks">&#174;</a> Corporation.
Copying and distribution permitted under
the <a href="gpl.html"><small>GNU</small></a>
General Public License.
</small>
<tt>
1998/10/31
http://www.junkbusters.com/ht/en/ijbman.html
</tt>
<address><kbd>webmaster&#64;junkbusters.com</kbd></address>
</small>
</body>
</html>