ss5.conf

Language: en

Version: 384706 (fedora - 01/12/10)

Section: 5 (File format)

NAME

ss5.conf - Configuration file for the ss5 daemon

SYNOPSIS

The ss5 daemon usually reads the configuration file in /etc/ss5/ss5.conf.

DESCRIPTION

The ss5 daemon reads the configuration file when it starts and each time it receives a HUP signal.

The configuration file contains six sections:

- variables and flags
- authentication
- authorization
- proxy
- balancing
- dumping
- miscellaneous

In each section, the ss5 daemon sequentially reads each line until it encounters a matching line for that section. The order of sections and the order of lines within a section are crucial to achieving the desired result. Every entry in a line must match.

VARIABLE AND FLAGS ENTRIES

Variables and flags in the configuration file control the amount and types of logging and information messages. The configuration file syntax for initializing variables is:
set variable value
set
Identifies entries that initialize ss5 variables for internal use. Refer to the ss5(1) VARIABLES section for complete details about ss5 variables and values.

AUTHENTICATION ENTRIES

Authentication entries identify the types of authentication the ss5 daemon can use. Authentication lines use the syntax:
auth source-host source-port auth-methods
auth
Identifies the entry as an authentication entry
source-host
Could be host address or network address
source-port
Must be a valid port or range
auth-methods
Could be u (Basic authentication), n (Fake authentication) or - (No authentication). With the n flag, ss5 requests authentication but does not check the password. Use fake authentication for logging or profiling purposes.

An external authentication program can be used with the syntax:

external_auth_program program name
external_auth_program
Forces ss5 to use an external authentication program instead of reading the password file. The authentication program returns OK on success or ERR if an error occurred.
program name
Must be the full path name of the program to use for user authentication.
The ss5 daemon authenticates clients that originate on source-port at source-host using auth-methods. It can use the password file or an external program to validate requests.

AUTHORIZATION ENTRIES

The access control section determines when the server permits or denies a request to establish a connection. The ss5 daemon denies a request if an access control line does not match the request, even after it has authenticated the host.

There is one type of line, the permit line, with this syntax:

permit method src-host src-port dest-host dest-port fixup group bandwidth expdate
method
Could be - (authentication or not) or u (authentication required)
src-host
could be host address or network address
src-port
Must be a valid port or range
dest-host
Could be host address, network address or host name
dest-port
Must be a valid port or range
fixup
Could be http, ssl, smtp, pop3, imap or - (None)
group
Could be filename in the /etc/ss5 directory containing usernames, a DN into a directory server or - (None). Not available for UDP requests.
bandwidth
Could be a valid bandwidth range (from 256 bytes per second to 2147483647) or - (None)
expdate
Could be a valid expiration date in the format DD-MM-YYYY
The entire line matches only when all the entries match.
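As an added illustration of the first-match rule and the default deny described above (example code, not part of ss5 or of this manual), the following Python evaluates a constructed authorization section against a request. The 'lo-hi' form for port ranges is an assumption, and the fixup, group, bandwidth and expdate fields are read but not evaluated here.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed authorization section (not one of the man page's own examples).
# Field order follows the documented permit syntax:
# permit method src-host src-port dest-host dest-port fixup group bandwidth expdate
CONF = """\
permit u 10.0.0.0/8   -  192.168.1.10  443  ssl  -  -  -
permit - 10.0.5.0/24  -  -             80   http -  -  -
"""

class Request(NamedTuple):
    src_host: str
    src_port: int
    dest_host: str
    dest_port: int
    authenticated: bool

def _host_matches(pattern: str, host: str) -> bool:
    """'-' matches anything; host/network addresses compare as networks; else exact name."""
    if pattern == "-":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == host.lower()

def _port_matches(pattern: str, port: int) -> bool:
    """'-' matches any port; 'lo-hi' is the assumed range form; a bare number is one port."""
    if pattern == "-":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)

def permitted(conf: str, req: Request) -> Optional[int]:
    """Return the 1-based index of the first permit line that matches, or None.

    None means deny: a request that matches no access control line is refused
    even if the client has already authenticated, so line order decides.
    """
    for n, line in enumerate(conf.splitlines(), 1):
        f = line.split()
        if len(f) != 10 or f[0] != "permit":
            continue
        method, shost, sport, dhost, dport = f[1:6]
        if method == "u" and not req.authenticated:
            continue  # line requires authentication; an unauthenticated request cannot match it
        if (_host_matches(shost, req.src_host) and _port_matches(sport, req.src_port)
                and _host_matches(dhost, req.dest_host) and _port_matches(dport, req.dest_port)):
            return n
    return None
```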

PROXY ENTRIES

Proxy entries describe the addresses clients can only reach through other SOCKS servers. With noproxy, ss5 makes a direct connection.

proxy/noproxy dest-host dest-port proxy-host proxy-port ver
dest-host
Could be host address or network address
dest-port
Must be a valid port or range
proxy-host
Must be host address
proxy-port
Must be a valid port
ver
Must be 4 or 5. SS5 uses SOCKS version 4 or 5 accordingly when talking to the upstream proxy.

BALANCING ENTRIES

Balancing entries define an association between a virtual identifier (vid) and the real servers to balance across:

virtual vid real
vid
Defines the virtual identifier; it must be the same for all real servers that belong to the same virtual identifier
real
Must be a valid internet address

DUMP ENTRIES

Dump entries describe the destination addresses and ports whose traffic is dumped into a file.

dump dest-host dest-port dump-mode
dest-host
Could be host address or network address
dest-port
Must be a valid port or range
dump-mode
0=rx (traffic received from client), 1=tx (traffic sent from client) and 2=rx+tx (both directions)

MISCELLANEOUS ENTRIES

The profiling section determines when the server has to use an LDAP query to perform user profiling, instead of looking into the group file.

There are five types of line for directory configuration:

ldap_profile_ip
must be the directory internet address
ldap_profile_port
must be the directory port
ldap_profile_base
must be a valid "base" as starting point for the search into directory. ss5 uses ou='group'+base where 'group' is set in permit line in the ss5.conf file.
ldap_profile_filter
must be a valid "filter attribute" for ldap query, for example "uid"
ldap_profile_attribute
must be a valid "attribute" for ldap query. SS5 uses it with filter for search operation where SS5_LDAP_FILTER option is specified.
ldap_profile_dn
must be a valid "distinguished name" to bind to directory
ldap_profile_pass
must be a valid "password" for simple authentication
ldap_netbios_domain
must be a valid NetBIOS domain name. If the SS5_NETBIOS_DOMAIN option is set, ss5 maps the NetBIOS domain user in the authentication request to its configured directory server. Otherwise no match is done and the directories are contacted in order of configuration.

EXAMPLES

auth 111.111.111.0/24 - u
permit - - 111.111.111.0/22 - - - -

Basic authenticated users from the class C network 111.111.111.0 can use the server.

proxy - - 172.16.0.1 1081 -
permit - - www.mydomain.com - - http -

All SOCKS requests go through 172.16.0.1 port 1081. Only requests with destination www.mydomain.com and protocol http are permitted.

SEE ALSO

ss5(1), ss5.passwd(5), ss5.pam(5), ss5.ha(5)

AUTHORS

Matteo Ricchetti

Send comments to matteo.ricchetti@libero.it