13.4.2009
Ziproxy 2.7.0 released.
This version suffered a major cleanup and contains a number of bugfixes (incluing security ones) and extra features.
The changes are listed below (relative to 2.6.0 version).
New security fixes/features:
- Added provision for outgoing port restrictions.
New options: RestrictOutPortHTTP, RestrictOutPortCONNECT
This provision mitigates the transparent proxy vulnerability US-CERT VU#435052
- Added feature against "image bomb" DoS.
New option: MaxUncompressedImageRatio
Other features:
- Added support for custom 403 error pages.
- Added Lanczos component upsampler support to JP2k.
New option: JP2Upsampler
- Added provision for crash (signal) interception and logging (see new access log flags).
New option: InterceptCrashes
- Added support for content substitution by matching URL + content-type.
New options: URLReplaceDataCT, URLReplaceDataCTList
- Added support for URL blocking.
New option: URLDeny
- Added support for "ICY" SHOUTcast headers. Now icecasts from such servers are playable.
Bugfixes:
- Fixed a bug which caused crashes in certain, rare, specific situations while compressing to jp2k.
- Fixed bug in rgb2yuv converter. In certain cases jp2 pictures had some very wrong colors (like deep red turned into strong pink etc).
- Fixed the type/signedness mess with outgoing Port vars. Ports >= 32768 were not accessible.
Non-standard HTTP/HTTPS ports (non-80/443) were not accessible in big-endian architectures. -
- Changed JPG and JP2K default settings to (hopefully) better values.
- Bug which prevented recompression to jp2k when more aggressive parameters were set to color components, original image was forwarded instead. Fixed.
- Encoding/decoding jp2 images with alpha channel always fails. Fixed.
Other:
- Obsoleted ModifySuffixes. It was buggy and lost its usefulness a long ago.
The following config options are obsolete:
ModifySuffixes, MinTextStream
- Flex is no longer required for building Ziproxy.
- Test programs were obsolete and were removed (imgtest, modifytest, cfgtest) and no longer are a build option.
Ziproxy 2.7.0 is available at the files' section.
15.3.2009
Ziproxy 2.6.9_BETA2 released.
New features:
- Added provision for crash (signal) interception and logging (see new access log flags).
New option: InterceptCrashes
- Added feature against "image bomb" DoS.
New option: MaxUncompressedImageRatio
- Added support for content substitution by matching URL + content-type.
New options: URLReplaceDataCT, URLReplaceDataCTList
- Added support for URL blocking.
New option: URLDeny
- Added support for "ICY" SHOUTcast headers. Now icecasts from such servers are playable.
Bugfixes:
- Fixed a bug which caused crashes in certain, rare, specific situations while compressing to jp2k.
- Fixed bug in rgb2yuv converter. In certain cases jp2 pictures had some very wrong colors (like deep red turned into strong pink etc).
Other:
- Obsoleted ModifySuffixes. It was buggy and lost its usefulness a long ago.
The following config options are obsolete:
ModifySuffixes, MinTextStream
- Flex is no longer required for building Ziproxy.
- Test programs were obsolete and were removed (imgtest, modifytest, cfgtest) and no longer are a build option.
- Miscellaneous code cleanup.
Ziproxy 2.6.9_BETA2 is available at the files' section.
26.2.2009
Ziproxy 2.6.9_BETA released.
New features:
- Added provision for outgoing port restrictions.
New options: RestrictOutPortHTTP, RestrictOutPortCONNECT
This provision mitigates the transparent proxy vulnerability US-CERT VU#435052
- Added support for custom 403 error pages.
- Added Lanczos component upsampler support to JP2k.
New option: JP2Upsampler
Bugfixes/changes:
- Fixed the type/signedness mess with outgoing Port vars. Ports >= 32768 were not accessible.
Non-standard HTTP/HTTPS ports (non-80/443) were not accessible in big-endian architectures. -
- Changed JPG and JP2K default settings to (hopefully) better values.
- Bug which prevented recompression to jp2k when more aggressive parameters were set to color components, original image was forwarded instead. Fixed.
- Encoding/decoding jp2 images with alpha channel always fails. Fixed.
Ziproxy 2.6.9_BETA is available at the files' section.
23.2.2009
Security warning - US-CERT VU#435052
US-CERT published today the security warning VU#435052 about a vulnerability concerning transparent HTTP proxies.
The report is available at http://www.kb.cert.org/vuls/id/435052.
Ziproxy-specific information may be accessed from that same page or directly at http://www.kb.cert.org/vuls/id/MAPG-7N9GN8.
23.2.2009
Implementing a WAN accelerator with JPEG 2000 + Squid.
Instructions on how to implement a WAN accelerator using Ziproxy and Squid
are now available here.
This information is based on a production scenario and includes specificities
relevant to that case. It's just a suggestion on how to do it, and it is possible to adapt that to a more specific case.
27.11.2008
Ziproxy is > 6 years old.
or a tentative of birthday announcement
Ok, that's a strange birthday but all the previous ones (including the major 5yo one) were not announced.
So that's it: Ziproxy is over 6 years now. Unfortunately I cannot provide a precise date
of creation, so let's use the earliest known public release: the 1.1 version from 2002-09-24.
Ziproxy started as a simple, humble project. It was not meant be used by ISPs, nor to provide the features
it currently does.
When I took over the development back in 2005 (because it was the only free-open-source software which provided what I wanted) I was not expecting to do much more than a number of bugfixes and perhaps some optimizations -- perhaps to work on that during 6 months and just releasing one bugfix or another afterwards.
But Ziproxy grew up, much more than I've expected, for the benefit of everyone who use this software nowadays.
About the future... I don't know. Ziproxy never had a development plan and it seems to be fine without one.
I would like to thank everyone who directly or indirectly contributed to the project (see the "CREDITS" file in the sourcecode), specially Juraj for creating Ziproxy in the first place.
Enough sentimentalism. Let's go back to work.
yours,
the current Ziproxy maintainer, D.M.C.
27.11.2008
Ziproxy 2.6.0 released.
New features (compared to 2.5.2):
- Ad-blocker, by the means of content substitution. New option: URLReplaceData
- Now a authenticated connection also logs the username alongside its IP (username@X.X.X.X).
- Added support for host exception list when using the BindOutgoing option.
May solve problems with certain hosts which do not like IP rotation.
New options: BindOutgoingExList, BindOutgoingExAddr
- Added support for custom 407 and 409 error pages.
- Added Russian translation of manpages, README and other docs.
Bugfixes:
- Under random conditions or unrelated configuration changes the pictures were not recompressed. Fixed.
Ziproxy 2.6.0 is available at the files' section.
FOR OLDER NEWS CLICK HERE
|
|
Ziproxy is forwarding, non-caching, compressing HTTP proxy server.
Basically it squeezes images by converting them to lower quality JPEGs or JPEG 2000 and compresses (gzip) HTML and other text-like data.
It also provides other features such as: HTML/JS/CSS optimization, preemptive hostname resolution, transparent proxying and more.
Ziproxy is an option when dealing with low-bandwidth cases like:
- ISPs providing dialup services
- ISPs providing mobile internet services
- HTTP WAN optimization cases
- Low bandwidth (or saturated) point-to-point connections in general
Ziproxy may be called a "web accelerator", although it is not the best name, considering the number of snake oil products advertised as such.
Ziproxy operates in daemon mode. It also may be invoked by (x)inetd if desired (not recommended for performance reasons).
It is HTTP/1.1-aware and compatible with HTTPS.
Currently it is known to be usable under the following OSes: Linux (Red Hat, Conectiva, Debian), FreeBSD and Cygwin (there were reports on Mac OS X and Solaris compatibility aswell).
It ran successfully under the following architectures: x86, x86-64 and SPARC32.
And it was successfully compiled under GNU GCC and Intel's ICC.
Ziproxy is available as a free (FOSS) software under the GNU GPL (version 2 or higher) license.
example of web compression
original image
vs standard JPEG
vs JPEG 2000
using Ziproxy - typical setups
example of customized error
example of output by log tools
|
Ziproxy requires libraries which are pretty much standard nowadays, thus the chances are that your OS already offer them pre-packaged.
The latest Ziproxy version requires:
- libungif
- libpng
- libjpeg-6b
- zlib
- libjasper
(required if JPEG2000 support is to be enabled)
|
|
PERFORMANCE OPTIMIZATIONS
|
If you have a scenario with many concurrent users, consider the following options:
- Run Ziproxy with a machine with at least 1 MB of L2 CPU cache per core, 2 MB (or more) the better.
Many MHz won't save a CPU with 256kB L2 cache and performance will suffer, badly.
- Run Ziproxy in daemon mode.
Running under (x)inetd is (naturally) much slower and only viable for personal use.
- If you have considerable latency in your main (fast) data link to the Internet, you may want to disable HTMLopt and PreemptDNS so the HTML pages will be streamed directly to the user while being loaded by Ziproxy (Gzip may be applied during streams, no problem).
This way you will lower the latency experienced by the user since you cannot start loading the pictures in parallel before the HTML page arrives.
- If you have a lot of users sharing the same compressed data link, it might be a good idea to use a caching proxy at their side.
That's quite obvious, but worth remembering anyway.
- Seriously consider installing a good DNS caching system serving Ziproxy if it has a very high number of users.
Ziproxy does not have an internal DNS caching system, it tries to resolve the hostname of each request received.
|
Are you using xinetd with ziproxy? Then disable LogPipe option in ziproxy.conf. Or disable both LogPipe and
LogFile options to turn off the logging completely. Piping the logging output through
other program is supported only if you use netd. It's my mistake I kept these
options on in default ziproxy.conf, with too terse disclaimer.
To get IE accepting gzipped data, under Internet Options/Advanced tab check option
``Use HTTP/1.1 extensions when using proxy''.
Some transparent GIFs/PNGs are displayed with incorrect background. It's because
JPEG can't store transparency information, and background color information is
"out there" in HTML. With AllowLookChange option you can make ziproxy avoid these images.
For every HTTP request, new ziproxy process is started. In case of intensive parallel
downloading/mirroring (for example, with HTTrack or wwwoffle -fetch), number of
processes may reach maximal user processes limit set by administrator. To avoid
the problem, set subsequent limit for netd using limit(csh) or ulimit(bash) shell
command.
|
The standard way of asking questions, requesting features, reporting bugs or receiving announcements. is using one of our mailing lists:
- ziproxy-users: discussion
about ziproxy compilation and usage, usage questions, feature requests, bug reports
- ziproxy-announce: ziproxy announcements (read-only)
- ziproxy-devel: developers' discussion, submitting patches
If you encounter problem with this webpage (broken link, information missing here, errors etc), you may contact the maintainer directly.
|
Current Ziproxy maintainer (since v1.4.0):
Daniel Mealha Cabrita
For support on Ziproxy usage please use the ziproxy-users mailing list.
Ziproxy's original maintainer:
Juraj Variny
|
|
