
Post-install configuration

Once you install the base system, three configuration files are created in the folder /etc/traffpro:
  1. traffpro.cfg
  2. traffpro_rule.cfg
  3. addr_port_forward.cfg
The first thing you need to configure is /etc/traffpro/traffpro.cfg, the main configuration file. You need to edit it if you chose during the install process to configure your system later, or if you decide to make changes after installing TraffPro.
We describe how to use these files one by one.

1. traffpro.cfg

Example of the traffpro.cfg file /etc/traffpro/traffpro.cfg:

# Define which mode to run in. Two values true or false.
# true - runs in daemon mode
# false - runs in console mode (debug mode)
daemon=true
# Database address
# Can have values like (localhost, 127.0.0.1, 10.10.0.1)
# If traffpro is used as a central server with sub-servers, a value other than localhost is used:
# on the sub-servers the address is the central server's IP.
db_url=localhost
# Port for connecting to MySQL.
# The port value must be specified if you changed the port in the configuration file
# /etc/my.cnf
# Default value is 3306
db_port=3306
# MySQL database user name under whose rights the system connects and runs.
# The default is root with a blank password.
# For more information please visit http://en.traffpro.ru
db_usr=root
# User password to access the MySQL database.
db_passwd=
# Name of the database the system connects to
# In older versions the name was office; in the new version it is traffpro.
db_name=traffpro
# Waiting time before sending data to the database (in seconds)
# The lower the value, the faster information is sent, and the faster the database grows
time_out=720
# Affects authorization time; the recommended value is 10.
# The higher the value, the less often the daemon checks the database for changes.
time_in=10

# Enable/Disable MAC address control for users. Can be true/false
# Recommended value - true
control_eth_addr=true
# Gateway number (used when traffic is distributed to more than one gateway to
# sub-servers. If you have only one gateway, default is set to 0)
net_number=0
# Enable detailed port logging (if it is set to false, logging will continue but
# individual ports will not be logged. Only a summary over all ports will be
# logged)
ports_detail=true
# Enable firewall for the server and billing system.
# If you enable this setting, add the server using the web admin panel.
# WEB-Admin -> System -> Servers - Add Server.
# When adding indicate the external IP facing the internet.
ss_enabled=true
# The external interface
# Can be found using ifconfig -a
eth_out=eth3
# Detailed reports of users' URL surfing.
# Possible values are true / false.
# As of version 1.2-XX and above, squid is no longer needed for logging surfing histories
# Now, if true, the daemon itself keeps a record of visits to resources.
# When set to false, Squid can be used with Traffpro for the histories, but
# surfing visits will then be accounted via the ports going through the proxy server.
url_detail=true
# Note that the daemon adjusts the buffer automatically, but we do not suggest you adjust the
# size of packets to more than 200, because a buffer size of 12 megabytes and larger
# slows the daemon down under force majeure and does not speed up the packet queue
ip_queue_maxlen=2048000
# If stated then NAT will be used, if left blank then MASQUERADE is used.

out_ip=192.168.1.200

# Removed from version 1.3.8
# Enable the monitor. If set to true, the two parameters below it must not be left out.
monitor_on=true
# Address the monitor listens on (default 127.0.0.1)
listen_addr=192.168.1.200
# Port the monitor listens on (default 9999)
listen_port=9999
# Removed from version 1.3.3-9X; a new script, /etc/init.d/tp-scheduler, has been made in its place
# true = loads the timer, false = does not load the timer
# Executes SQL queries or sh scripts. The requests are taken from the admin area.

timer=false

# Path where traffpro should install to
to_install_dir=/opt/traffpro
# Allow traffpro to use SQUID for logging user surfing histories. If set to true, the proxy server should be
# removed from the autostart scripts; it will then be started by traffpro.
# To work properly you need to add the following data in the squid.conf configuration file
#squid_connect=true
# This option specifies the location of the file which will be
# used to transfer files to the MySQL database.
# Then change the owner of the file (chown squid.squid access.log)
#squid_log_file=/var/log/squid/access.log
# This option is for use with the parameter url_detail = true.
# With it, ports 80, 443 and any other ports you wish to account for are accounted through the proxy server.
# Other ports will be reported by Traffpro. Needed for admins who use proxy servers
# not only for web traffic, but also for database records.
#from version 1.3.4-36
url_port_squid=80,443
# Blocks sites. Using this parameter,
# you do not need to block resources using
# services like squid, squidGuard, iptables.
url_block=true

# This parameter is responsible for accounting icmp requests and other requests
# that are neither udp nor tcp, i.e. without this parameter, the system
# activity monitor will not be displayed. If set to true the parameter is active, false if off.
# Displays on the monitor the status of packets that do not belong to TCP and UDP
not_udptcp_control=true
# Maximum number of connection requests during time_in from the client
antiflood=500
# Disable reverse domain name lookup so that url surfing histories can be captured.
not_resolv_dn=true
# Allows daemon to route data, and raise the NAT using values from the database.
#Data is input through the web-admin panel.
nat_data_in_db=true
# Shows how much traffic and load is being taken up by a gateway.
log_route=true
# For the PPPD plugin – informs the plug-in that if the file is not found in the traffpro database, it should
# also check the secret files if the value is set to true, i.e. the files where the logins and passwords are stored.
secret_files=false
# Aggregate clients' url-surfing resources. Value is set to true by default.
# To disable set to false
url_agregate=false
# From Version 1.3.4-06
# Turn on or off port surfing reports. If enabled, the reports
# will be processed and recorded, if false then there are records on ports. This will reduce database load,
# because fewer records will be written to it.
url_no_port=false
# Shaper type. If set to true – all clients are queued in one line.
# False – each client has his own queue (default)
shaper_type_linear=false
# Default = 0.
# Possible values from 0 to 3.
# For dual core processors, set value to 1.
# For quad core processors, set value to 2 or 3.
shaper_thread_count=1
#algo = 1 -MULTIPATH: ROUND ROBIN ALGORITHM (IP_ROUTE_MULTIPATH_RR)
#Multipath routes are chosen according to Round Robin
#algo = 2 -MULTIPATH: INTERFACE ROUND ROBIN ALGORITHM (IP_ROUTE_MULTIPATH_DRR)
#Connections are distributed in a round robin fashion over the
#available interfaces. This policy makes sense if the connections
#should be primarily distributed on interfaces and not on routes.
#algo = 3 -MULTIPATH: RANDOM ALGORITHM (IP_ROUTE_MULTIPATH_RANDOM)
#Multipath routes are chosen in a random fashion. Actually,
#there is no weight for a route. The advantage of this policy
#is that it is implemented stateless and therefore introduces only
#a very small delay.
#algo = 4 -MULTIPATH: WEIGHTED RANDOM ALGORITHM (IP_ROUTE_MULTIPATH_WRANDOM)
#Multipath routes are chosen in a weighted random fashion.
#The per route weights are the weights visible via ip route 2. As the
#corresponding state management introduces some overhead routing delay
#is increased.
algo=2
# From version 1.3.4-42
# True – set by default
# False - disable
# Determines the mode of load balancing:
# True - balancing by packets
# False – balancing by sessions

equalize_channel=false
# enable_netflow_type (set further below): turns traffic accounting by the daemon together with your router (Cisco) on / off.
# Possible values are on, off, comb.
# on (accounting only by netflow), off (off),
# comb (accounting by the Linux kernel methods and by netflow simultaneously)
# From version 1.3.7-34
# Parameter redirect_server_auth_on redirects users to a page/captive portal
# that describes why the internet is not working. If the parameter
# is not present in the configuration file, it will not be active.
# True - default
# False - disable
# Note ss_enabled must be set to true for this function to work. See forum for more info
redirect_server_auth_on=on
# This option specifies where to redirect users to, e.g. the LAN NIC. For this option to work normally
# you need to configure a virtual host in the apache settings, or in another www server
ip_to_redirect_auth = "192.168.1.200"
# The port that you specified for the virtual host in the apache config file.
# Page to redirect unauthorised users to
port_to_redirect_auth=81
# The port that you specified for the virtual host in the apache config file.
# Page to redirect users to when they access blocked/blacklisted pages
port_to_redirect_access_denied=82
# The port that you specified for the virtual host in the apache config file.
# Page to redirect users to when the money in their account has run out.
port_to_redirect_no_money=83

enable_netflow_type=on
# Netflow configuration. Designed to collect information on the IP traffic within the network.
# Address on which tapped packets are sent using netflow to the cisco from your server
netflow_addr=192.168.0.237
# Port on which to listen to netflow packets flowing from your server
netflow_port=8818
# From version 1.4.2 a parameter was introduced to control the shaper's idle time. It was
# introduced because a fixed value led to increased packet delay
# under high load, while lowering that fixed value led
# to high load on the processor.
# Takes an integer value from 10 to 2000. While the shaper is working, this value, after
# some calculations, pauses the shaper to wait for the next packets, so that the
# processors are not loaded by empty passes over the queues of pending packets. The
# pause time equals shaper_time_out - (number of packets processed during the
# previous pass over the queue); accordingly, the higher the load, the shorter the
# wait before the next pass over the queues of pending packets.
shaper_time_out=200
# To control the number of shaper threads the parameter shaper_thread_count was introduced,
# which can take values from 0 to 3, corresponding to a thread count from 1
# to 4. The parameters shaper_thread_count and control_thread_count work independently of each other.
shaper_thread_count=3
# To control the number of threads capturing from the kernel the parameter control_thread_count was introduced,
# which can take values from 0 to 3, corresponding to a thread count from 1 to 4
control_thread_count=3
# A text parameter in which all internal subnets must be listed, for example:
# "192.168.0.0/24 192.168.1.0/24". If you are joining offices together, be sure to specify the ppp subnets.
local_networks="192.168.1.0/24"
# If the traffpro system was stopped incorrectly, for example because of a server power
# failure or an incorrect reboot of the server, then at the next start of
# traffpro the database is checked for correctness, and if
# crashed tables are found an attempt is made to repair them with the command mysqlcheck --auto-repair
# traffpro. From version 1.4.2-xx
database_crash_control=false

 

 

Example 1: The simplest example of a configuration file traffpro.cfg

This is a real example. It is used if you have a server with TraffPro connecting to a modem or other router.

to_install_dir=/opt/traffpro
daemon=true
db_url=localhost
db_port=3306
db_usr=root
db_password=
db_name=traffpro
time_in=10
time_out=360
control_eth_addr=true
net_number=0
ports_detail=false
ss_enabled=false
eth_out=eth0
out_ip=192.168.1.1
ip_queue_maxlen=2048000

Example 2: Here we use a modified configuration with more functions

This allows the admin to:
1. Block URL addresses.
2. Aggregate URL surfing reports.
3. Account for visits both by the billing system itself and by recording visits that pass through the proxy server. Visits going through the proxy server are recorded by name, and the billing system itself records them by IP address.
4. Flush data to the database every 360 seconds.
5. Enable protection of the server, and with it traffic accounting for the server.
6. Specify a separate log file to which the proxy writes its log.
7. Enable option algo = 2, where the algorithm selects the route on a round robin basis.

to_install_dir=/opt/traffpro
daemon=true
db_url=localhost
db_port=3306
db_usr=root
db_password=
db_name=traffpro
time_in=10
time_out=360
control_eth_addr=true
net_number=0
ports_detail=true
ss_enabled=true
eth_out=eth0
url_block=true
url_detail=true
out_ip=71.190.11.200
monitor_on=true
listen_addr=127.0.0.1
listen_port=9999
ip_queue_maxlen=2048000
squid_connect=true
squid_log_file=/var/log/squid/traffpro.log
url_port_squid=80
timer=false
antiflood=500
not_udptcp_control=true
not_resolv_dn=true
nat_data_in_db=true
log_route=true
shaper_type_linear=false
url_agregate=true
url_no_port=false
algo=2
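
Both example files above connect to MySQL as root with an empty password, and the reference file binds the monitor to a LAN address. The following sketch is an added example, not part of TraffPro: it audits a traffpro.cfg for those settings, and its function names, finding texts and the "last occurrence wins" handling of repeated keys are assumptions.

```python
import ipaddress

# Constructed sample in the page's key=value style; values echo its examples.
SAMPLE_CFG = """\
db_url=localhost
db_usr=root
db_password=
control_eth_addr=true
ss_enabled=false
monitor_on=true
listen_addr = "192.168.1.200"
shaper_thread_count=1
shaper_thread_count=3
"""

def parse_cfg(text):
    """Return (settings, duplicate_keys); comments and lines without '=' are skipped."""
    settings, dupes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            dupes.append(key)
        settings[key] = value.strip('"')  # assumption: the last occurrence wins
    return settings, dupes

def audit(text):
    """Return findings for settings whose meaning the page documents."""
    cfg, dupes = parse_cfg(text)
    findings = [f"duplicate key: {key}" for key in dupes]
    # The page spells the key db_passwd in the reference file, db_password in the examples.
    password = cfg.get("db_passwd", cfg.get("db_password", ""))
    if cfg.get("db_usr") == "root":
        findings.append("db_usr is root: use a dedicated MySQL account")
    if not password:
        findings.append("database password is empty")
    if cfg.get("control_eth_addr") == "false":
        findings.append("control_eth_addr is false (page recommends true)")
    if cfg.get("ss_enabled") == "false":
        findings.append("ss_enabled is false: server firewall is off")
    if cfg.get("monitor_on") == "true":
        addr = cfg.get("listen_addr", "127.0.0.1")  # default per the page
        if not ipaddress.ip_address(addr).is_loopback:
            findings.append(f"monitor listens on non-loopback address {addr}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CFG)))
```
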

2. traffpro_rule.cfg

The second configuration file is /etc/traffpro/traffpro_rule.cfg.
This configuration file is used to add your own iptables rules.

Simple example:
For example, putting these lines into your traffpro_rule.cfg file will enable
SSH access to your server (better to do it before you enable the service, or else
you can get locked out of your SSH session):
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 22 -j ACCEPT

3. addr_port_forward.cfg
The third config file is /etc/traffpro/addr_port_forward.cfg (it can be absent, in which case you can just create it).
It is the configuration file for port forwarding from external networks to your internal one. WARNING! This file should NOT contain empty lines! Every line must contain:
IP_SRC PORT_DEST IP_DEST:PORT_DEST
IP_SRC - source IP address (for all - 0.0.0.0);
PORT_DEST - destination port on the remote external server interface to connect to;
IP_DEST - destination IP address of the target computer in the local net;
PORT_DEST - destination port of the target computer in the local net.
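
Because an empty or malformed line is not allowed in this file, it is worth checking before the service is restarted. The following validator is an added example, not part of TraffPro: it checks the line layout described above, reports forwards open to any source (0.0.0.0) and checks that IP_DEST lies inside the subnets given in local_networks. The function names, messages and sample lines are assumptions.

```python
import ipaddress

# Constructed sample lines in the page's "IP_SRC PORT_DEST IP_DEST:PORT_DEST" layout.
SAMPLE = (
    "0.0.0.0 8080 192.168.1.10:80\n"
    "203.0.113.7 2222 192.168.1.20:22\n"
    "\n"
    "198.51.100.4 70000 10.9.9.9:25\n"
)

def port_or_none(text):
    """Return the port as int, or None if it is not a number in 1..65535."""
    return int(text) if text.isdecimal() and 1 <= int(text) <= 65535 else None

def check_forwards(text, local_networks="192.168.1.0/24"):
    """Return (line_number, message) findings for an addr_port_forward.cfg body."""
    nets = [ipaddress.ip_network(n) for n in local_networks.split()]
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            findings.append((no, "empty line (the file must not contain any)"))
            continue
        fields = line.split()
        if len(fields) != 3 or ":" not in fields[2]:
            findings.append((no, "expected IP_SRC PORT_DEST IP_DEST:PORT_DEST"))
            continue
        dest_ip, _, dest_port = fields[2].rpartition(":")
        try:
            src = ipaddress.IPv4Address(fields[0])
            dst = ipaddress.IPv4Address(dest_ip)
        except ipaddress.AddressValueError:
            findings.append((no, "invalid IPv4 address"))
            continue
        if port_or_none(fields[1]) is None or port_or_none(dest_port) is None:
            findings.append((no, "port outside 1-65535"))
        if src == ipaddress.IPv4Address("0.0.0.0"):
            findings.append((no, f"open to any source: {fields[2]}"))
        if not any(dst in net for net in nets):
            findings.append((no, f"{dst} is not in local_networks"))
    return findings

if __name__ == "__main__":
    for number, message in check_forwards(SAMPLE):
        print(f"line {number}: {message}")
```
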

