Name
Options · Checking Options · Installation · Copyright · (FAQ)
Name
junkbuster - The Internet Junkbuster Proxy TM
Synopsis
junkbuster
configfile
(Version 2.0 onwards)
junkbstr.exe
configfile
(Windows)
junkbuster
[-a]
[-y]
[-s]
[-c]
[-v]
[-u user_agent]
[-r referer]
[-t from]
[-b blockfile]
[-j jarfile]
[-l logfile]
[-w NAME=VALUE]
[-x Header_text]
[-h [bind_host_address][:bind_port]]
[-f forward_host[:port]]
[-d N]
[-g gw_protocol[:[gw_host][:gw_port]]]
(Version 1.4 and earlier)
Description
junkbuster is an instrumentable proxy that filters the HTTP stream between web servers and browsers. Its main purpose is to enhance privacy.
Versions before 2.0 used command-line options; Versions from 2.0 onward use a configuration file. The following descriptions of the options first give the older command-line usage, then the new configfile line.
In Versions 2.0.1 upwards on Windows, a start-up message is printed and the configuration is read from the file junkbstr.ini if it exists and no argument was given.
All files except the configfile are checked for changes before each page is fetched, so they may edited without restarting the proxy.
To compare the domains, the pattern domain and the target domain specified in the URL are each broken into their components. (Components are separated by the . (period) character.) Next each of the target components is compared with the corresponding pattern component: last with last, next-to-last with next-to-last, and so on. (This is called right-anchored matching.) If all of the pattern components find their match in the target, then the domains are considered a match. Case is irrelevant when comparing domain components.
A successfully matching pattern can be an anchored substring of a target, but not vice versa. Thus if a pattern doesn't specify a domain, it matches all domains. Furthermore, when comparing two components, the components must either match in their entirety or up to a wildcard * (star character) in the pattern. The wildcard feature implements only a "prefix" match capability ("abc*" vs. "abcdefg"), not suffix matching ("*efg" vs. "abcdefg") or infix matching ("abc*efg" vs. "abcdefg"). The feature is restricted to the domain component; it is unrelated to the optional regular expression feature in the path (described below).
If a numeric port is specified in the pattern domain, then the target port must match as well. The default port in a target is port 80.
If the domain and port match, then the target URL path is checked for a match against the path in the pattern. Paths are compared with a simple case-sensitive left-anchored substring comparison. Once again, the pattern can be an anchored substring of the target, but not vice versa. A path of / (slash) would match all paths. Wildcards are not considered in path comparisons.
For example, the target
URL
the.yellow-brick-road.com/TinMan/has_no_brain
would be matched (and blocked) by the following patterns
yellow-brick-road.com
and
Yellow*.COM
and
/TinM
but not
follow.the.yellow-brick-road.com
or
/tinman
Comments in a blockfile start with a # (hash) character and end at a new line. Blank lines are also ignored.
Lines beginning with a ~ (tilde) character are taken to be exceptions: a URL blocked by previous patterns that matches the rest of the line is let through. (The last match wins.)
Patterns may contain POSIX regular expressions provided the junkbuster was compiled with this option (the default in Version 2.0 on). The idiom /*.*/ad can then be used to match any URL containing /ad (such as http://nomatterwhere.com/images/advert/g3487.gif for example). These expressions don't work in the domain part.
In version 1.3 and later the blockfile and cookiefile are checked for changes before each request.
In Version 1.2 and later this option must be followed by a filename containing instructions on which sites are allowed to receive and set cookies. By default cookies are dropped in both the browser's request and the server's response, unless the URL requested matches an entry in the cookiefile. The matching algorithm is the same as for the blockfile. A leading > character allows server-bound cookies only; a < allows only browser-bound cookies; a ~ character stops cookies in both directions. Thus a cookiefile containing a single line with the two characters >* will pass on all cookies to servers but not give any new ones to the browser.
Version 2.0 also accepts the spelling referrer, which most dictionaries consider correct.
* lpwa.com:8000 . .
Each line contains four fields:
target,
forward_to,
via_gateway_type
and
gateway.
As usual, the
last
target
domain that matches the requested
URL
wins,
and the
*
character alone matches any domain.
The target domain need not be a fully qualified
hostname; it can be a general domain such as
com
or
co.uk
or even just a port number.
For example, because
LPWA
does not handle
SSL,
the line above will typically be followed by a line such as
:443 . . .to allow SSL transactions to proceed directly. The cautious would also add an entry in their blockfile to stop transactions to port 443 for all but specified trusted sites.
If the winning forward_to field is . (the dot character) the proxy connects directly to the server given in the URL, otherwise it forwards to the host and port number specified. The default port is 8000. The via_gateway_type and gateway fields also use a dot to indicate no gateway protocol. The gateway protocols are explained below.
The example line above in a forwardfile alone would send everything through port 8000 at lpwa.com with no gateway protocol, and is equivalent to the old -f lpwa.com:8000 with no -g option. For more information see the example file provided with the distribution.
Configure with care: no loop detection is performed. When setting up chains of proxies that might loop back, try adding Squid.
The user's browser should not be configured to use SOCKS; the proxy conducts the negotiations, not the browser.
The user identification capabilities of SOCKS4 are deliberately not used; the user is always identified to the SOCKS server as userid=anonymous. If the server's policy is to reject requests from anonymous, the proxy will not work. Use a debug value of 3 to see the status returned by the server.
Because most browsers send several requests in parallel the debugging output may appear intermingled, so the single-threaded option is recommended when using debug with N greater than 1.
Each line of the access file begins with either the word permit or deny followed by source and (optionally) destination addresses to be matched against those of the HTTP request. The last matching line specifies the result: if it was a deny line or if no line matched, the request will be refused.
A source or destination can be specified as a single numeric IP address, or with a hostname, provided that the host's name can be resolved to a numeric address: this cannot be used to block all .mil domains for example, because there is no single address associated with that domain name. Either form may be followed by a slash and an integer N, specifying a subnet mask of N bits. For example, permit 207.153.200.72/24 matches the entire Class-C subnet from 207.153.200.0 through 207.153.200.255. (A netmask of 255.255.255.0 corresponds to 24 bits of ones in the netmask, as with *_MASKLEN=24.) A value of 16 would be used for a Class-B subnet. A value of zero for N in the subnet mask length will cause any address to match; this can be used to express a default rule. For more information see the example file provided with the distribution.
If you like these access controls you should probably have firewall; they are not intended to replace one.
Installation and Use
Browsers must be told where to find the junkbuster (e.g. localhost port 8000). To set the HTTP proxy in Netscape 3.0, go through: Options; Network Preferences; Proxies; Manual Proxy Configuration; View. See the FAQ for other browsers. The Security Proxy should also be set to the same values, otherwise shttp: URLs won't work.
Note the limitations explained in the FAQ.
Checking Options
To allow users to check that a junkbuster is running and how it is configured, it intercepts requests for any URL ending in /show-proxy-args and blocks it, returning instead returns information on its version number and current configuration including the contents of its blockfile. To get an explicit warning that no junkbuster intervened if the proxy was not configured, it's best to point it to a URL that does this, such as http://internet.junkbuster.com/cgi-bin/show-proxy-args on Junkbusters's website.
See Also
http://www.junkbusters.com/ht/en/ijbfaq.html
http://www.junkbusters.com/ht/en/cookies.html
http://internet.junkbuster.com/cgi-bin/show-proxy-args
http://www.cis.ohio-state.edu/htbin/rfc/rfc2109.html
http://squid.nlanr.net/Squid/
http://www-math.uni-paderborn.de/~axel/
Copyright and GPL
Written and copyright by the Anonymous Coders and Junkbusters Corporation and made available under the GNU General Public License (GPL). This software comes with NO WARRANTY. Internet Junkbuster Proxy is a trademark of Junkbusters Corporation.
Copyright © 1996-8 Junkbusters ® Corporation. Copying and distribution permitted under the GNU General Public License. 1998/10/31 http://www.junkbusters.com/ht/en/ijbman.html
webmaster@junkbusters.com