
Main Configuration File

The main configuration file defines general parameters. By default it is foxy.cfg, located in the same directory as the Foxy executable (on Windows platforms). The file's name and location may be changed with the -c command line option.

Each line of the main configuration file defines one parameter and has the form name = value. The parameters are described below.

Server Parameters

Access Control Parameters

Files and Directories

HTTP Parameters

Logging Parameters


Server Parameters

bind_to

Defines IP address and port number on which Foxy will listen for client requests.

Format:

bind_to = address:port
where

The default value is *:8080.

pseudo_domain

Foxy interprets this name as its own name, without trying to DNS-resolve it. The Foxy web interface may be accessed by this name. Alternatively, the IP address and port number Foxy listens on may be used. If the pseudo-domain is used to access Foxy, the port number does not matter.

The default value is foxy. In this case the Foxy web interface will be available at http://foxy/.

Note: This is not a real domain name. If there is a real domain in your network with the same name, it will not be accessible through Foxy.

Note: Many browsers (e.g. IE) have a setting like "Bypass proxy for local addresses". This option must be disabled for the pseudo-domain feature to work properly. If it is enabled, the browser will have to DNS-resolve domain names first in order to determine whether they are local or not. This will cause either a domain resolution error or send you to something like http://www.foxy.com/ (a completely unrelated website) when you type foxy in your browser's address bar.

Note: If a pseudo-domain name is defined and authentication is required, access Foxy only by this pseudo-domain name; otherwise it may confuse your browser and you may see the authentication dialog too often.

Access Control Parameters

client_ip_allow, client_ip_deny

These two parameters specify from which IP addresses clients can access Foxy. There may be several lines with client_ip_allow/client_ip_deny parameters in the configuration file. The order is important. If there are no client_ip_allow/client_ip_deny parameters in the configuration file, access to the proxy will be granted to everyone.

Each of the two parameter values contains a comma-delimited list of IP addresses and/or IP address ranges.
An IP address range may have one of these formats (examples):

A special value, “*” or “all” (without the quotes), means any address.

When a client connects to the server, the client's IP address is checked against the specified client_ip_allow and client_ip_deny elements in the order they appear in the configuration file.

Here are the rules:

Example:

Let's assume that we have a 192.168.96.0/255.255.255.0 network. We want to allow access to the proxy from all hosts on our network, but deny access to outsiders. This configuration will do the trick:

client_ip_allow = 192.168.96.0-192.168.96.255
client_ip_deny = *

Example 2:

The same as above, but now we want to deny access to local IP addresses 192.168.96.13 and 192.168.96.66 as well:

client_ip_deny = 192.168.96.13, 192.168.96.66 
client_ip_allow = 192.168.96.0-192.168.96.255
client_ip_deny = *

Example 3 (incorrect):

Notice that, according to the rules above, if we swap the first two lines of the previous example, it will not work as expected:

client_ip_allow = 192.168.96.0-192.168.96.255
client_ip_deny = 192.168.96.13, 192.168.96.66 
client_ip_deny = *

Let's say the client's address is 192.168.96.13 (one of the two banned local addresses). It matches the first client_ip_allow element, so access is allowed, and no further checks are performed.
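The first-match evaluation that the three examples above illustrate, as an added Python example (not Foxy's own code). The two config fragments are constructed copies of Example 2 and Example 3; the behaviour when rules exist but none of them matches is an assumption, since the page's own rule list is not reproduced here.

```python
import ipaddress
from typing import List, Tuple

# Constructed foxy.cfg fragments reproducing Example 2 and Example 3 above.
CONFIG_EXAMPLE2 = """\
bind_to = *:8080
client_ip_deny = 192.168.96.13, 192.168.96.66
client_ip_allow = 192.168.96.0-192.168.96.255
client_ip_deny = *
"""
CONFIG_EXAMPLE3 = """\
client_ip_allow = 192.168.96.0-192.168.96.255
client_ip_deny = 192.168.96.13, 192.168.96.66
client_ip_deny = *
"""

def parse_rules(config_text: str) -> List[Tuple[str, List[str]]]:
    """Collect client_ip_allow/client_ip_deny lines, keeping file order."""
    rules = []
    for line in config_text.splitlines():
        name, sep, value = line.partition("=")
        name = name.strip()
        if sep and name in ("client_ip_allow", "client_ip_deny"):
            items = [v.strip() for v in value.split(",") if v.strip()]
            rules.append(("allow" if name.endswith("allow") else "deny", items))
    return rules

def matches(item: str, ip: ipaddress.IPv4Address) -> bool:
    """One list element: '*' / 'all', a single IPv4 address, or a low-high range."""
    if item in ("*", "all"):
        return True
    if "-" in item:
        low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
        return low <= ip <= high
    return ip == ipaddress.ip_address(item)

def client_allowed(rules: List[Tuple[str, List[str]]], client_ip: str) -> bool:
    """Walk the rules in file order; the first element that matches decides.
    No rules at all means everyone is allowed (as the page states). When rules
    exist but none match, this example denies: an assumption, not a page rule."""
    ip = ipaddress.ip_address(client_ip)
    for action, items in rules:
        if any(matches(item, ip) for item in items):
            return action == "allow"
    return not rules
```

Running Example 3 through client_allowed shows the problem described above: 192.168.96.13 hits the allow range first and is let in.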

admin_ip_allow, admin_ip_deny

These two parameters specify which clients can access online administrative functions (configuration, reports, etc.). If none of these parameters is specified, access is allowed from any IP address.

The format and rules are similar to those of the client_ip_allow and client_ip_deny parameters.

user

The user configuration elements define which users can access Foxy, in addition to (or instead of) source IP address checking.

The benefits:

Format:

user = name:password:flags:ip
where
  name      User name. This name will appear in traffic reports.
  password  User password. May be empty.
  flags     Flags. Only one flag is defined presently: “a”, which means that this user is an administrator and can access administrative web pages (configuration, reports). Flag letters are case-insensitive.
  ip        The user's IP address. Optional. If an IP address is specified, all requests coming from that IP will be automatically resolved to the specified user name without explicit authentication. There may be more than one user element with the same user name but different IP addresses, but any given IP address must appear in a single user element.

Rules for regular proxy access:

Rules for administrative access:

Example:

user = john:adminpassword:a
user = marie

login_cache_timeout

Format:

login_cache_timeout = seconds

This parameter matters only if your configuration requires users to enter their name and password to use Foxy.

Normally, after a user logs in to a proxy server, the browser remembers the login information for the current window only and resends it with every request. If the user opens a new window, he/she will have to re-enter their credentials.

Foxy caches every user's name by the IP address from which that user last used the server. The login_cache_timeout parameter specifies how long Foxy will store this information. When a cache entry expires, the user will have to log in again when he/she opens a new browser window.

The default value is 3600 (one hour).

Note: This will not work if your users are coming from behind NAT or another proxy (so several users may share the same IP address). If this is the case, set login_cache_timeout to 0. A user will then have to log in from every browser window he/she opens.

tunnel_ports

Specifies a comma-delimited list of ports allowed for TCP tunneling.

Format:

tunnel_ports = port_list

An empty list disables tunneling (recommended). The special “*” value (without quotes) enables all ports.

Tunneling allows the proxy server to act as a transparent middleman for TCP connections.

If you want Foxy to tunnel secure connections (https:// URLs), include port 443 in the list. You must set up your browser accordingly (to forward HTTPS traffic to the same host and port as regular HTTP traffic).

Foxy does not understand SSL, so it will not filter your secure streams, but it will reflect the tunneled traffic in the traffic reports.

Tunneling requests are subject to the usual access control rules (see client_ip_allow, client_ip_deny, user).

Please note that tunneling may present a security threat: it allows clients to use tunnels on the allowed ports for anything at all (not necessarily web browsing).

The default configuration enables tunneling for port 443 (SSL). However, this will not work for HTTPS URLs with explicit port numbers, e.g. https://someserver:1234/path. For this to work, you will have to add port 1234 to the list:

tunnel_ports = 443,1234

Alternatively you can allow tunneling for all ports:

tunnel_ports = *
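How a tunnel_ports value maps onto the port a browser asks the proxy to tunnel to, as an added Python example (not Foxy's own code). It covers the three cases described above: an empty list (tunneling disabled), an explicit port list, and “*”; the URL handling assumes the browser derives the tunnel port from the https:// URL, 443 unless the URL carries an explicit port.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

def parse_tunnel_ports(value: str) -> Optional[Set[int]]:
    """Parse a tunnel_ports value.
    '' (empty) disables tunneling, '*' allows every port, otherwise the value is
    a comma-delimited list of port numbers. None stands for 'all ports'."""
    value = value.strip()
    if value == "*":
        return None
    return {int(p) for p in value.split(",") if p.strip()}

def tunnel_allowed(ports: Optional[Set[int]], target_port: int) -> bool:
    """An empty set allows nothing (the recommended setting); None allows any port."""
    return ports is None or target_port in ports

def https_target_port(url: str) -> int:
    """Port the browser would ask the proxy to tunnel to for an https:// URL
    (assumed: 443 unless the URL carries an explicit port)."""
    port = urlsplit(url).port
    return 443 if port is None else port
```

With the default list of 443 alone, https://someserver:1234/path is refused; adding 1234 (or using “*”) lets it through.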

tunnel_timeout

Timeout for tunneled connections, in seconds. If neither the browser nor the server sends anything within the specified time interval, the connection is closed.

Format:

tunnel_timeout = seconds

Files and Directories

filter_file

The name of the filter configuration file. By default filters.cfg. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is located. See Filters for more details.

category_file

The name of the categorizer configuration file. By default categories.cfg. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is located. See Content Categories for more details.

proxy_file

The name of the proxy mapping file. By default proxies.cfg. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is located. See Forwarding for more details.

whitelist_file

The name of the whitelist configuration file. By default whitelist.cfg. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is located. See Whitelist for more details.

data_dir

Data directory name. The default value is data. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is located. See also Data Files.

log_dir

Logging directory name. All log files will be created in this directory. The default value is logs. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is.

max_log_size

Maximum log file size in bytes; 1048576 by default.

http_root_dir

HTTP root directory. The default value is httproot. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is. See also Foxy as HTTP Server.

report_dir

Report templates directory. The default value is templates. May be relative to the current directory. On Windows platforms the current directory is the directory where the executable file is.

HTTP Parameters

anonymize

If set to false (the default), Foxy will add X-Forwarded-For request headers (as Squid and Apache do).
If set to true, X-Forwarded-For request headers (if any) will be deleted.

Note: The anonymize parameter is ignored if X-Forwarded-For is deleted/modified by a Request Header Filter.

client_timeout

How long to keep an idle persistent connection on the client side, in seconds. Recommended value: 10 to 40.

server_timeout

How long to keep an idle persistent connection on the server side, in seconds. Recommended value: 30 to 60.

max_threads

Specifies how many threads (client connections) are allowed. The recommended value is 20 to 70, depending on how many users may access the proxy at the same time.

accept_compressed

Accept gzip/deflate transfer encoding. The default value is true. If set to false, Foxy will force web servers to send uncompressed content. This is useful mostly for debugging (sniffing). On the client side the transfer is always unencoded.

Logging Parameters

log

Enables general application logging. Log file name is foxy.log in the directory specified by the log_dir parameter.

http_log

Enables HTTP logging. Log file name is http.log in the directory specified by the log_dir parameter. Both original and filtered request and reply headers are logged.

crunch_log

Enables the crunch log (messages written by filters when they actually modify something). Log file name is crunch.log in the directory specified by the log_dir parameter.

