-
Notifications
You must be signed in to change notification settings - Fork 64
2. Proxies
Georgii Gennadev edited this page Feb 13, 2024
·
5 revisions
The proxies section describes the basic proxy settings, the filtering action, and the filter pipeline used to filter traffic from unwanted visitors using rules. The number of proxies you can create is only limited by your operating system. An example proxy configuration is shown below:
proxies:
- name: example http proxy
type: http
listen: 0.0.0.0:80
target: http://127.0.0.1:5002
timeout: 10s
# tls:
# - cert: test/testdata/tls/cert_bounceback_test.pem
# key: test/testdata/tls/key_bounceback_test.pem
# - cert: test/testdata/tls/cert_example_com.pem
# key: test/testdata/tls/key_example_com.pem
# - cert: test/testdata/tls/cert_example_com.pem
# key: test/testdata/tls/key_example_com.pem
# domain: "*.example.org"
filter_settings:
reject_action: redirect
reject_url: https://www.youtube.com/watch?v=dQw4w9WgXcQ
reject_threshold: 5
noreject_threshold: 5
filters:
- rule: default_ip_acceptlist
action: accept
- rule: default_ip_banlist
action: reject
# - rule: default_ip_allowlist
# action: reject
- rule: default_geo_rule
action: reject
- rule: default_lookup_rule
action: reject
# - rule: example_not_time_rule
# action: reject
- rule: default_regexp_rule
action: reject
# - rule: example_malleable_rule
# action: reject
- *another proxy config*-
name- unique name of proxy that will be used in logs to identify proxy. -
type- type of proxy. Description of proxy types may be found here. -
listen- address the proxy will bind to in formatip:port. -
target- address where traffic will be proxyfied to. Some proxy types may require protocol scheme (e.ghttporhttps), info for each type may be found here. Just remember that tls traffic may be proxyfied to non-tls service. -
timeout- timeout of response for both sides: original and proxyfied request. -
tls- array of TLS configurations. If not empty,httpbecomeshttps,tcpbecomestls. Each configuration element has next parameters:-
cert- path to TLS certificate in PEM format. -
key- path to TLS key in PEM format. -
domain- (optional) if set, the certificate will match that domain except as specified in the certificate. Can be a wildcard (e.g.*.example.com).
-
-
filter_settings- section of filter settings, contains the following options:-
reject_action- action that will be performed on filtered packet. May be:-
proxy- the stealthiest option, filtered packet will be proxyfied to another (url) address. -
redirect- filtered packet will be redirected to another (url) address. -
drop- connection with client will be closed after reading full request. -
noneor unknown - packet will be delivered to the original (target) destination without any actions. May be used for debug purposes.
-
-
reject_url- action URL that will be used ifproxyorredirectwas triggered. -
reject_threshold- number of filtered packets, after which all packets from thatipwill be filtered. Set 0 to disable. -
noreject_threshold- number of non-filtered packets, after which all packets from thatipwon't be banned. Set 0 to disable.
-
-
filters- array of rule names and actions that creates pipeline for that proxy. All rules will be executed one by one and perform action if matched. Each filter has next parameters:-
rule- rule name, that will be executed. -
action- action that will be performed, if rule fires, may be:-
accept- accept request ignoring all filters below. -
reject- reject request ignoring all filters below.
-
-
TLS support? - yes: HTTPS.
Target needs protocol scheme? - yes: http or https.
Actions supported:
proxyredirectdropnone
TLS support? - yes: DNS over TLS.
Target needs protocol scheme? - no.
When TLS is disabled, listens both TCP and UDP port, otherwise only TCP.
Actions supported:
proxydropnone
TLS support? - yes: common TLS socket.
Target needs protocol scheme? - yes: tcp or tls.
Actions supported:
dropnone
TLS support? - no.
Target needs protocol scheme? - no.
Actions supported:
dropnone