# Core server settings.
# The "#...#" tokens in this file look like installer template placeholders,
# presumably substituted before httpd reads the file (TODO confirm). Left
# unsubstituted, httpd parses the next line as a plain comment.
#ServerRoot#
# Process pool sizing: keep at least 5 idle children, serve at most 20
# simultaneous clients.
MinSpareServers 5
MaxClients 20
# Accept request lines up to 32768 bytes.
# NOTE(review): presumably raised because proxied target URLs travel in the
# request line - confirm; a large limit also raises per-request memory use.
LimitRequestLine 32768
# HTTPS on port 443 is the only listener declared in this file.
Listen 443 https
# Shared libraries preloaded into the server process (XML/XSLT support,
# presumably for the transform and proxy-html/xml2enc modules loaded below).
LoadFile lib/libxml2.so
LoadFile lib/libxslt.so
LoadFile lib/libexslt.so
# Stock httpd modules.
# NOTE(review): the paths show an Apache 2.2 layout with a PHP 5 module; both
# upstream branches are end-of-life, so security fixes depend on whoever
# packages these binaries.
LoadModule log_config_module libexec/apache22/mod_log_config.so
LoadModule env_module libexec/apache22/mod_env.so
LoadModule setenvif_module libexec/apache22/mod_setenvif.so
LoadModule ssl_module libexec/apache22/mod_ssl.so
LoadModule mime_module libexec/apache22/mod_mime.so
LoadModule dir_module libexec/apache22/mod_dir.so
LoadModule php5_module libexec/apache22/libphp5.so
LoadModule dbd_module libexec/apache22/mod_dbd.so
LoadModule filter_module libexec/apache22/mod_filter.so
LoadModule deflate_module libexec/apache22/mod_deflate.so
LoadModule transform_module libexec/apache22/mod_transform.so
LoadModule headers_module libexec/apache22/mod_headers.so
LoadModule logio_module libexec/apache22/mod_logio.so
# proxy
# NOTE(review): ProxyRequests is not set anywhere in this file, so httpd's
# default (Off, no open forward proxy) applies unless another file changes it.
# Confirm whether mod_proxy_connect and mod_proxy_ftp are actually needed;
# unused proxy schemes are avoidable attack surface.
LoadModule proxy_module libexec/apache22/mod_proxy.so
LoadModule proxy_connect_module libexec/apache22/mod_proxy_connect.so
LoadModule proxy_ftp_module libexec/apache22/mod_proxy_ftp.so
LoadModule proxy_http_module libexec/apache22/mod_proxy_http.so
# psiphon modules
# Project-specific modules; their directives (Psiphon*, MapToProxy, Bluebar*,
# ProxyJS/ProxyCSS/ProxyFlash, ...) are used in the <Location> sections below.
LoadModule psiphon_headers_module libexec/apache22/mod_psiphon_headers.so
LoadModule psiphon3_module libexec/apache22/mod_psiphon3.so
LoadModule psiphon_auth_module libexec/apache22/mod_psiphon_auth.so
LoadModule map_to_proxy_module libexec/apache22/mod_map_to_proxy.so
LoadModule bluebar_module libexec/apache22/mod_bluebar.so
LoadModule xml2enc_module libexec/apache22/mod_xml2enc.so
LoadModule proxy_html_module libexec/apache22/mod_proxy_html.so
LoadModule proxy_css_module libexec/apache22/mod_proxy_css.so
LoadModule proxy_js_module libexec/apache22/mod_proxy_js.so
LoadModule proxy_flash_module libexec/apache22/mod_proxy_flash.so
LoadModule post2get_module libexec/apache22/mod_post2get.so
LoadModule psiphon_env_module libexec/apache22/mod_psiphon_env.so
# end of psiphon modules
# Worker processes run as the dedicated ppwww user and group.
User ppwww
Group ppwww
ServerName localhost
ServerAdmin webmaster
# Send only the product name in the Server header (no version or module list).
ServerTokens ProductOnly
# Recycle each child process after 50 requests.
MaxRequestsPerChild 50
DirectoryIndex index.php
ErrorLog /var/log/psiphon-httpd-error.log
# Only error-level and more severe messages reach the error log.
LogLevel error
# Access logging.
# None of the formats below records the client address (%h / %a); the file
# log's timestamp is truncated to the hour. Keep it that way if user privacy
# is a requirement of this deployment.
LogFormat "%{%Y-%m-%d:%H}t %{Host}i %{psiphon_proxy_domain}e %>s %b" combined
CustomLog /var/log/psiphon-httpd-access.log combined
# JSON event formats handed to an external logger command.
# NOTE(review): %{Host}i is client-controlled. httpd escapes quotes and
# non-printable bytes in logged headers, but the \xhh form it uses is not a
# valid JSON escape - confirm the consumer tolerates it rather than dropping
# or mis-parsing the event.
LogFormat "{\"timestamp\":\"%{%Y-%m-%dT%H:%M:%SZ}t\",\"event_name\":\"bytes\",\"domain\":\"%{psiphon_proxy_domain}e\",\"proxy\":\"%{Host}i\",\"status\":\"%>s\",\"in\":%I,\"out\":%O,\"provider\":\"%{psiphon_provider}e\",\"service\":\"%{psiphon_service}e\"}" bytes
LogFormat "{\"timestamp\":\"%{%Y-%m-%dT%H:%M:%SZ}t\",\"event_name\":\"pageview\",\"domain\":\"%{pageview-domain}e\",\"proxy\":\"%{Host}i\",\"region\":\"%{pageview-region}e\",\"provider\":\"%{psiphon_provider}e\",\"service\":\"%{psiphon_service}e\"}" pageview
LogFormat "{\"timestamp\":\"%{%Y-%m-%dT%H:%M:%SZ}t\",\"event_name\":\"newlogin\",\"usergrp\":\"%{newlogin-usergrp}e\",\"proxy\":\"%{Host}i\",\"region\":\"%{newlogin-region}e\",\"provider\":\"%{psiphon_provider}e\",\"service\":\"%{psiphon_service}e\"}" newlogin
# pageview/newlogin events are written only when the named environment
# variable is set for the request; bytes events are written for every request.
# "#logger_command#" is a template placeholder - presumably a piped-log
# command; verify it runs with no more privilege than it needs.
CustomLog "#logger_command#" pageview env=pageview-domain
CustomLog "#logger_command#" newlogin env=newlogin-usergrp
CustomLog "#logger_command#" bytes
# Local PHP pages rendered for httpd-generated errors.
ErrorDocument 403 /http-errors/403.php
ErrorDocument 404 /http-errors/404.php
ErrorDocument 500 /http-errors/500.php
ErrorDocument 502 /http-errors/502.php
ErrorDocument 503 /http-errors/503.php
ErrorDocument 504 /http-errors/504.php
# Error responses coming from proxied origins are passed through unchanged.
ProxyErrorOverride Off
DefaultType text/plain
PidFile /var/run/psiphon-httpd.pid
TypesConfig conf/mime.types
AddType application/x-httpd-php .php
# NOTE(review): .phps makes PHP print highlighted source. Make sure no .phps
# file (or symlink) exists under DocumentRoot on a production host, or drop
# this mapping.
AddType application/x-httpd-php-source .phps
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Global mod_ssl settings.
# "builtin" prompts on the terminal at startup if the private key is
# passphrase-protected.
SSLPassPhraseDialog builtin
# Shared-memory TLS session cache of 512000 bytes; sessions expire after 300 s.
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/ssl_mutex"
# NOTE(review): SSLOptions is given no arguments here - confirm this is
# intentional and accepted by the httpd version in use.
SSLOptions
# When httpd is started with -DNOHTTPACCEPT, turn off the OS-level accept
# filters for both protocols.
<IfDefine NOHTTPACCEPT>
AcceptFilter http none
AcceptFilter https none
</IfDefine>
DocumentRoot www
# Database connection used through mod_dbd.
# NOTE(review): once the installer substitutes #psiphon_mysql_password#, this
# file holds a cleartext credential - restrict its ownership and mode so that
# only the account that starts httpd can read it, and keep it out of backups
# and version control.
DBDParams "host=localhost,port=3306,user=psiphon,pass=#psiphon_mysql_password#,dbname=psiphon"
DBDPersist Off
DBDriver mysql
# Allow proxying to https:// origins.
# NOTE(review): no SSLProxyVerify / SSLProxyCACertificateFile is set in this
# file, so mod_ssl's default applies and origin certificates are not verified;
# an on-path party between this server and the origin would go undetected.
# Consider "SSLProxyVerify require" with a CA bundle, e.g.
# "SSLProxyCACertificateFile <PATH-TO-CA-BUNDLE>" (placeholder).
SSLProxyEngine on
KeepAlive On
php_flag magic_quotes_gpc Off
#don't announce mod_transform in server signature
TransformAnnounce off
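#Use this to block IPs, domains and hostnames
#Similar in use to NoProxy from mod_proxy
#See http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#noproxy
#
# This list is what keeps authenticated users from steering the proxy at the
# server itself or at internal hosts (SSRF), so it must cover the full
# private ranges:
#  - 172.16.0.0/12 is the RFC 1918 block; the earlier /14 covered only
#    172.16.x.x-172.19.x.x and left 172.20.0.0-172.31.255.255 reachable.
#  - 127.0.0.0/8 covers all of loopback, not just 127.0.0.1.
#  - 169.254.0.0/16 is link-local (also used by cloud metadata services).
# NOTE(review): confirm with the mod_map_to_proxy source whether entries are
# matched against the resolved address or only the literal host in the URL,
# and whether IPv6 literals are supported; if only the literal host is
# checked, enforce the same ranges with an egress firewall as well.
BlockMapToProxy 127.0.0.1 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 .example.com example.com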
#Setup common filters i.e. gzip and xml2enc
#xml2enc
# TO_UTF8 and UTF8_TO_ORIGINAL are both provided by the xml2enc filter and
# bracket the rewriting filters in the FilterChain lines further down. In the
# FilterProvider syntax used here, a leading "$" means "Content-Type contains
# this string".
FilterDeclare TO_UTF8
FilterProvider TO_UTF8 xml2enc resp=Content-Type $text/html
FilterProvider TO_UTF8 xml2enc resp=Content-Type $application/xhtml+xml
FilterProvider TO_UTF8 xml2enc resp=Content-Type $text/javascript
FilterProvider TO_UTF8 xml2enc resp=Content-Type $application/x-javascript
FilterProvider TO_UTF8 xml2enc resp=Content-Type $application/javascript
FilterDeclare UTF8_TO_ORIGINAL
FilterProvider UTF8_TO_ORIGINAL xml2enc resp=Content-Type $text/html
FilterProvider UTF8_TO_ORIGINAL xml2enc resp=Content-Type $application/xhtml+xml
FilterProvider UTF8_TO_ORIGINAL xml2enc resp=Content-Type $text/javascript
FilterProvider UTF8_TO_ORIGINAL xml2enc resp=Content-Type $application/x-javascript
FilterProvider UTF8_TO_ORIGINAL xml2enc resp=Content-Type $application/javascript
#xml2enc settings
# The original charset is carried in the psiphon_charset_original environment
# variable; presumably that is how the second pass restores it - TODO confirm
# against the module, these directives are not stock mod_xml2enc.
xml2encDefaultCharset UTF-8
xml2encEnvCharsetOriginal psiphon_charset_original
xml2encOriginalCharset ${psiphon_charset_original}
xml2encParsers HTML JS CSS
#gzip
# DECOMPRESS inflates compressed origin responses so the rewriting filters can
# read them; COMPRESS deflates the rewritten output for the client.
FilterDeclare DECOMPRESS
FilterProvider DECOMPRESS INFLATE resp=Content-Type $text/
FilterProvider DECOMPRESS INFLATE resp=Content-Type $application/xhtml+xml
FilterProvider DECOMPRESS INFLATE resp=Content-Type $application/x-javascript
FilterProvider DECOMPRESS INFLATE resp=Content-Type $application/javascript
FilterProvider DECOMPRESS INFLATE resp=Content-Type $application/rss+xml
FilterProvider DECOMPRESS INFLATE resp=Content-Type $application/atom+xml
FilterProvider DECOMPRESS INFLATE resp=Content-Type $application/xml
# NOTE(review): application/xml is inflated above but has no matching COMPRESS
# provider below, so such responses go to the client uncompressed - confirm
# this asymmetry is intended.
FilterDeclare COMPRESS
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-javascript
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml
#gzip settings
DeflateCompressionLevel 7
#Overlapping HTTP Range vulnerability mitigation
#http://mail-archives.apache.org/mod_mbox/httpd-announce/201108.mbox/%3C20110824161640.122D387DD@minotaur.apache.org%3E
#commented out, as applicable to versions prior to 2.2.20, "Range" needed for av.voanews.com
# NOTE(review): leaving this disabled is only safe if the deployed httpd is
# 2.2.20 or later - verify the installed version.
#RequestHeader unset Range
#remove "br" and "sdch" from Accept-Encoding to avoid err_content_decoding_failed in chrome
# The chain above can only inflate gzip/deflate, so encodings it cannot decode
# must not be offered to the origin. Each "edit" replaces the first match
# only, and the last two patterns are unanchored substrings.
RequestHeader edit Accept-Encoding ", br" ""
RequestHeader edit Accept-Encoding ", sdch" ""
RequestHeader edit Accept-Encoding "br" ""
RequestHeader edit Accept-Encoding "sdch" ""
# this header relates only to the client-server connection
# NOTE(review): these directives sit at server level, so they apply to every
# response, including the locally served pages. Removing the origin's
# Strict-Transport-Security and Content-Security-Policy drops protections the
# origin requested; the rewritten pages then depend on this proxy's own TLS
# setup and on the rewriting filters for containment.
Header unset Strict-Transport-Security
#to make twitter work
Header unset Content-Security-Policy
#to make facebook work, plus redirect all JS to mbasic.facebook.com, plus user-agent to ff-42.0
# NOTE(review): Origin is removed from every request sent upstream, so
# origins that rely on it for CORS or CSRF decisions no longer see it.
RequestHeader unset Origin
#get rid of the 'no file favicon.ico found' message in the error log
<Location /favicon.ico>
ErrorDocument 404 /http-errors/404.php
</Location>
# Authentication applies to the whole site. The Psiphon* directives come from
# the project's own modules, whose behaviour is not visible in this file.
<Location />
PsiphonAuthEnable On
# NOTE(review): presumably these paths are served without an authenticated
# session - treat each script as unauthenticated attack surface and review it
# accordingly (input validation, rate limiting on login/reset flows).
PsiphonNoAuth /a.php /e.php /w.php /chk.php /reset_password.php /logout.php /p.php
PsiphonAuthLoginPath /auth.php
Psiphon3Path /psiphon3/www/
PsiphonLoginURLCheck On
</Location>
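# /b: proxied pages and feeds. Responses are inflated, converted to UTF-8,
# rewritten (XSLT for feeds, proxy-html for markup), converted back to their
# original charset, decorated with the bluebar and re-compressed - see the
# FilterChain at the end of this section.
<Location /b>
PsiphonHeadersFixup On
MapToProxy On
# Feeds are transformed with a local stylesheet.
FilterDeclare FEED
FilterProvider FEED XSLT resp=Content-Type $application/rss+xml
FilterProvider FEED XSLT resp=Content-Type $application/atom+xml
FilterProvider FEED XSLT resp=Content-Type $application/xml
FilterProvider FEED XSLT resp=Content-Type $text/xml
TransformOptions +ApacheFS
TransformSet /xsl/feeds.xsl
# "*" matches unconditionally, so proxy-html is offered every response type
# under /b; presumably the module itself skips non-markup - TODO confirm.
FilterDeclare HTML
FilterProvider HTML proxy-html resp=Content-Type *
#proxy-html settings
ProxyHTML On
ProxyHTMLBluebarFrame /bluebar.frame.php?u=
ProxyHTMLBufSize 32768
# Element/attribute pairs whose URLs are rewritten to go back through the
# proxy. Anything not listed here is left pointing at the origin, which makes
# the browser contact that host directly.
ProxyHTMLLinks a href
ProxyHTMLLinks area href
ProxyHTMLLinks link href
ProxyHTMLLinks img src longdesc usemap
ProxyHTMLLinks image src longdesc usemap xlink:href
ProxyHTMLLinks object classid codebase data usemap
ProxyHTMLLinks q cite
ProxyHTMLLinks blockquote cite
ProxyHTMLLinks ins cite
ProxyHTMLLinks del cite
ProxyHTMLLinks form action
ProxyHTMLLinks input src usemap
ProxyHTMLLinks head profile
ProxyHTMLLinks base href
ProxyHTMLLinks script src for
ProxyHTMLLinks frame src longdesc
ProxyHTMLLinks iframe src longdesc
ProxyHTMLLinks table background
ProxyHTMLLinks td background
ProxyHTMLLinks tr background
ProxyHTMLLinks th background
#HTML5
ProxyHTMLLinks video src poster
ProxyHTMLLinks source src
ProxyHTMLLinks source srcset
ProxyHTMLLinks audio src
ProxyHTMLSkipElements applet
# Scripting event attributes whose contents are rewritten.
# httpd joins continued lines without inserting whitespace, so every
# continuation needs a space before the backslash. Without it (as on the
# "onbeforeunload" line previously) the last word fuses with the first word of
# the next line into one unknown event name, and neither onbeforeunload nor
# onunload handlers get rewritten.
ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
onmouseover onmousemove onmouseout onkeypress \
onkeydown onkeyup onfocus onblur onload onbeforeunload \
onunload onsubmit onreset onselect onchange onscroll
FilterDeclare BLUEBAR
FilterProvider BLUEBAR psiphon-bluebar resp=Content-Type $text/html
FilterProvider BLUEBAR psiphon-bluebar resp=Content-Type $application/xhtml+xml
BluebarURI "/bluebar.browser.php"
FilterChain DECOMPRESS TO_UTF8 FEED HTML UTF8_TO_ORIGINAL BLUEBAR COMPRESS
</Location>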
# /010: handled by mod_post2get (project module; behaviour not visible here).
# NOTE(review): if this turns POST bodies into GET query strings, as the name
# suggests, form data can end up in URLs and therefore in logs, Referer
# headers and browser history - confirm what it does with sensitive fields.
<Location /010>
PsiphonPost2Get On
</Location>
# /011: proxied JavaScript. Same inflate / UTF-8 / restore / deflate wrapper
# as /b, with the project's proxy-js filter doing the rewriting.
<Location /011>
PsiphonHeadersFixup On
MapToProxy On
# "*" matches unconditionally: every response under this prefix is handed to
# proxy-js regardless of its Content-Type.
FilterDeclare JS
FilterProvider JS proxy-js resp=Content-Type *
ProxyJSLineEnd ANY
ProxyJS On
FilterChain DECOMPRESS TO_UTF8 JS UTF8_TO_ORIGINAL COMPRESS
</Location>
# /100: proxied CSS. Same inflate / UTF-8 / restore / deflate wrapper as /b,
# with the project's proxy-css filter doing the rewriting.
<Location /100>
PsiphonHeadersFixup On
MapToProxy On
# "*" matches unconditionally: every response under this prefix is handed to
# proxy-css regardless of its Content-Type.
FilterDeclare CSS
FilterProvider CSS proxy-css resp=Content-Type *
ProxyCSSLineEnd custom ";"
ProxyCSS On
FilterChain DECOMPRESS TO_UTF8 CSS UTF8_TO_ORIGINAL COMPRESS
</Location>
# /101: proxied Flash content. No FilterChain is set here, so none of the
# rewriting filters declared in the other sections is applied by this block;
# what ProxyFlash and MapURLEncoded do is defined by the project modules.
<Location /101>
ProxyFlash On
PsiphonHeadersFixup On
MapToProxy On
MapURLEncoded On
</Location>
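# Server certificate and TLS policy for the 443 listener.
# NOTE(review): the private key must be readable only by the account that
# starts httpd.
SSLCertificateFile ssl/psiphon2.crt
SSLCertificateKeyFile ssl/psiphon2.key
SSLEngine on
# No SSLProtocol line was present, which left the obsolete SSLv3 protocol
# enabled by mod_ssl's default; disable SSLv2 and SSLv3 explicitly.
SSLProtocol all -SSLv2 -SSLv3
# Prefer the server's cipher order over the client's.
SSLHonorCipherOrder on
# The previous string started from ALL, explicitly added RC4 and MEDIUM, and
# excluded only ADH, which leaves other unauthenticated suites enabled.
# Restrict to HIGH and exclude anonymous (aNULL), null, export, low-strength,
# MD5 and RC4 suites.
# NOTE(review): very old clients that support only RC4 will no longer
# connect; check this against the client population before rollout.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
# Legacy workaround for Internet Explorer: no keep-alive, tolerate unclean TLS
# shutdown, and fall back to HTTP/1.0 semantics.
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0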