twhttpd Documentation

Copyright 2002 by Sam Ng

Version 0.96


Part C: Specific Configuration

Part C.1 Specific Config Options

 

$listen and $forward Syntax: IP:port
Default: undefined

$listen specifies which IP address and port number this particular server config should be bound to. 0.0.0.0 means any IP address.

$forward specifies which IP address and port number the request should be passed to. For an inbound proxy, this should be the IP address of the internal web server. For an outbound proxy, you can forward to your ISP proxy cache by specifying an IP address, or specify 0.0.0.0 to have the program resolve the final destination IP address.

$forward_proxy Syntax: enable/disable
Default: disable

Usually, a browser would send this to a web server:

GET /this.html HTTP/1.0
HOST: www.host.com
..[some other headers]..

And it would send the following if it connects through a proxy server:

GET http://www.host.com/this.html HTTP/1.0
HOST: www.host.com
..[some other headers]..

Although most web/proxy servers support both formats, some do not.

Usually $forward_proxy is used in an outbound setup: if you would like to forward your requests to, say, your ISP proxy server, you should enable $forward_proxy. Most of the time, the default value works just fine.

$safe_url Syntax: enable/disable
Default: enable

$safe_url enables the URL request line parser, which ensures the URL is well formed and does not contain any malicious data. The following checks are performed if $safe_url is enabled:

  1. Path must consist of ASCII codes 32-127
  2. Path cannot contain a hidden path, i.e. "/."
  3. Path cannot contain "..."
  4. Extension may consist of plain alphanumeric characters only
  5. Path cannot contain any of the meta-characters "|&<>;%?+#"

NOTE: '#' marks the anchor part, but the anchor part is removed before any further processing.

Violation of the above rules will result in 400 BAD_REQUEST.
Please also note that the following decoding is performed before the above checks:

  1. hexdecode, %dd
  2. "../" decode
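
The order described above (remove the anchor, decode, then apply rules 1-5), as an added example that is not twhttpd's own code. The function names are hypothetical, and how "../" is decoded and what counts as the extension are assumptions marked in the comments.

```python
import re

META = set('|&<>;%?+#')   # rule 5 meta-characters, as listed above

def hexdecode(path):
    # One pass of %dd decoding. A '%' still present afterwards (double
    # encoding, malformed escape) is left for rule 5 to reject.
    return re.sub(r'%([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1), 16)), path)

def collapse_dotdot(path):
    # Assumed meaning of the '"../" decode' step: resolve parent-directory
    # segments. A ".." that would climb above the root is kept, so rule 2
    # ("/.") rejects it.
    out = []
    for seg in path.split('/'):
        if seg == '..' and len(out) > 1:
            out.pop()
        else:
            out.append(seg)
    return '/'.join(out)

def safe_url_violation(raw_path):
    """Return 0 if the path passes, else the number (1-5) of the first
    rule it violates; a non-zero result corresponds to a 400 response."""
    path = raw_path.split('#', 1)[0]           # anchor part removed first
    path = collapse_dotdot(hexdecode(path))    # decode before checking
    if any(not 32 <= ord(c) <= 127 for c in path):
        return 1
    if '/.' in path:
        return 2
    if '...' in path:
        return 3
    # Assumption: the extension is the text after the last '.' of the
    # final path segment.
    last = path.rsplit('/', 1)[-1]
    ext = last.rsplit('.', 1)[1] if '.' in last else None
    if ext is not None and not re.fullmatch(r'[A-Za-z0-9]+', ext):
        return 4
    if META & set(path):
        return 5
    return 0

if __name__ == '__main__':
    # Constructed sample paths, not taken from twhttpd or its documentation.
    for p in ['/this.html', '/docs/../this.html#top', '/a%252fb',
              '/a/%2e%2e/%2e%2e/etc/passwd', '/this.html%00', '/this.php%20']:
        print(p, '->', safe_url_violation(p))
```

Because only one decoding pass is made, a double-encoded path such as '/a%252fb' still contains '%' after decoding and fails rule 5.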

$header_check Syntax: request/response/both/disable
Default: request

$header_check performs more or less the same function as $safe_url, except that it is simpler: $safe_url checks only the URL line, while $header_check checks all header lines other than the URL line.

  • "request" means only check the HTTP request headers sent by the browser
  • "response" means only check the HTTP response headers sent by the web server
  • "both" means "request" and "response"
  • "disable" means do not check any header

The following checks are performed if $header_check is enabled:

  1. Headers must consist of ASCII codes 32-127
  2. String lengths are limited according to the header field; for example, the default cookie string limit is 4096 and the default host string limit is 64. These values can only be changed at compile time. For compatibility reasons, overlong strings in minor fields are simply ignored.

$server_version Syntax: Any String
Default: undefined

$server_version defines the string returned as the HTTP header field "Server". This is just a simple method to fool the hacker by sending the wrong "Server" header. For example, if you are using M$soft IIS server, you can set this string to return the "Server" header as something like "Netscape-Enterprise/3.6 SP2".

An empty string "" means the "Server" header should not be sent.

Undefined will result in returning the original "Server" header.

Common server version strings are listed as follows:

  • Apache/1.3.1 (Unix)
  • Apache/1.3.19 (Unix) (RedHat/Linux)
  • Netscape-Enterprise/3.6
  • Netscape-Enterprise/3.6 SP3
  • Netscape-Enterprise/4.1
  • Microsoft-IIS/4.0
  • Microsoft-IIS/5.0

$browser_version Syntax: Any String
Default: undefined

Complement of $server_version for the HTTP "User-Agent" header. It helps anonymize the client web browser version instead of the web server version.

An empty string "" means the "User-Agent" header should not be sent.

Undefined will result in returning the original "User-Agent" header.

Common browser version strings are listed as follows:

  • Mozilla/4.76 [en] (Win98; U)
  • Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

$cache Syntax: enable/disable
Default: enable

Enable/disable the caching feature for this particular server config. For more info about caching, see Cache Control Details.

$https Syntax: enable/disable
Default: disable

Enables proxying of HTTPS connections.

NOTE: THIS IS TYPICALLY FOR OUTBOUND PROXY ONLY. DO NOT ENABLE THIS FOR INBOUND PROXY. THIS IS NOT REQUIRED EVEN IF YOU WANT TO ENABLE INBOUND SSL TO YOUR INTERNAL WEB SERVER.

HTTPS will only be enabled for port 443 in any case.

$access_log Syntax: Any file path
Default: undefined (log to syslog)

The location of the access log for this particular server config. The file will be created if it does not exist.

 



Last Modified: 2002-02-12