ss5.conf(5) File Formats Manual ss5.conf(5)

ss5.conf - Configuration file for the ss5 daemon

The ss5 daemon usually reads the configuration file in
/etc/ss5/ss5.conf.

The ss5 daemon reads the configuration file when it starts and each
time it receives an HUP signal.

The configuration file contains six sections:

- variables and flags
- authentication
- authorization
- proxy
- balancing
- dumping
- miscellaneous

In each section, the ss5 daemon sequentially reads each line until it
encounters a matching line for that section. The order of sections and
the order of lines within a section are crucial to achieving the
desired result. Every entry in a line must match.

Variables and flags in the configuration file control the amount and
types of logging and information messages. The configuration file
syntax for initializing variables is:

    set variable value

    set            Identifies entries that initialize ss5 variables for
                   internal use.

Refer to the ss5(1) VARIABLES section for complete details about ss5
variables and values.

Authentication entries identify the types of authentication the ss5
daemon can use. Authentication lines use the syntax:

    auth source-host source-port auth-methods

    auth           Identifies the entry as an authentication entry

    source-host    Could be host address or network address

    source-port    Must be a valid port or range

    auth-methods   Could be u (Basic authentication), n (Fake
                   authentication) or - (No authentication). With the n
                   flag, ss5 requests authentication but doesn't check
                   the password. Use fake authentication for logging or
                   profiling purposes.

An external authentication program can be used, with the syntax:

    external_auth_program program name

    external_auth_program
                   Forces ss5 to use an external authentication program
                   instead of reading the password file. The
                   authentication program returns OK on success or ERR
                   if an error occurred.

    program name   Must be the full path name of the program to use for
                   user authentication.

The ss5 daemon authenticates clients that originate on source-port at
source-host using auth-methods. It can use the password file or an
external program to validate requests.

The access control section determines when the server permits or denies
a request to establish a connection. The ss5 daemon denies a request if
an access control line does not match the request, even after it has
authenticated the host.

There is one type of line, the permit line, with this syntax:

    permit method src-host src-port dest-host dest-port fixup group
    bandwidth expdate

    method         Could be - (authentication or not) or u
                   (authentication required)

    src-host       Could be host address or network address

    src-port       Must be a valid port or range

    dest-host      Could be host address, network address or host name

    dest-port      Must be a valid port or range

    fixup          Could be http, ssl, smtp, pop3, imap or - (None)

    group          Could be a filename in the /etc/ss5 directory
                   containing usernames, a DN in a directory server or
                   - (None). Not available for UDP requests.

    bandwidth      Could be a valid bandwidth range (from 256 bytes per
                   second to 2147483647) or - (None)

    expdate        Could be a valid expiration date in the format
                   DD-MM-YYYY

The entire line matches only when all the entries match.

Proxy entries describe the addresses clients can only reach through
other SOCKS servers. With noproxy, ss5 makes a direct connection.

    proxy/noproxy dest-host dest-port proxy-host proxy-port ver

    dest-host      Could be host address or network address

    dest-port      Must be a valid port or range

    proxy-host     Must be host address

    proxy-port     Must be a valid port

    ver            Must be 4 or 5. ss5 uses this SOCKS version with the
                   upstream server.

Define an association between vid and real servers to balance:

    virtual vid real

    vid            Defines the virtual identification and must be equal
                   for the real servers that belong to the same virtual
                   identification

    real           Must be a valid internet address

Dump entries describe the addresses and ports for which traffic is
dumped into a file.

    dump dest-host dest-port dump-mode

    dest-host      Could be host address or network address

    dest-port      Must be a valid port or range

    dump-mode      0=rx (traffic received from client), 1=tx (traffic
                   sent from client) and 2=rx+tx (both directions)

The profiling section determines when the server has to use an LDAP
query to perform user profiling, instead of looking into the group file.

There are five types of lines for directory configuration:

    ldap_profile_ip
                   Must be the directory internet address

    ldap_profile_port
                   Must be the directory port

    ldap_profile_base
                   Must be a valid "base" as starting point for the
                   search in the directory. ss5 uses ou='group'+base
                   where 'group' is set in the permit line in the
                   ss5.conf file.

    ldap_profile_filter
                   Must be a valid "filter attribute" for the LDAP
                   query, for example "uid"

    ldap_profile_attribute
                   Must be a valid "attribute" for the LDAP query. ss5
                   uses it with the filter for the search operation
                   where the SS5_LDAP_FILTER option is specified.

    ldap_profile_dn
                   Must be a valid "distinguished name" to bind to the
                   directory

    ldap_profile_pass
                   Must be a valid "password" for simple authentication

    ldap_netbios_domain
                   Must be a valid netbios domain name. If the
                   SS5_NETBIOS_DOMAIN option is set, ss5 maps the
                   netbios domain of the user in the authentication
                   request to its configured directory server.
                   Otherwise no match is done and directories are
                   contacted in order of configuration.

    auth 111.111.111.0/24 - u
    permit - - 111.111.111.0/22 - - - -

Basic authenticated users from the class C network 111.111.111.0 can
use the server.

    proxy - - 172.16.0.1 1081 -
    permit - - www.mydomain.com - - http -

All socks requests go through 172.16.0.1 port 1081. Only requests with
destination www.mydomain.com, protocol http are permitted.

ss5(1), ss5.passwd(5), ss5.pam(5), ss5.ha(5)

Matteo Ricchetti

Send comments to matteo.ricchetti@libero.it

02 May 1997 ss5.conf(5)