ss5.conf(5)                   File Formats Manual                  ss5.conf(5)

NAME

       ss5.conf - Configuration file for the ss5 daemon

SYNOPSIS

       The ss5 daemon usually reads the configuration file /etc/ss5/ss5.conf.

DESCRIPTION

       The ss5 daemon reads the configuration file when it starts and each
       time it receives a HUP signal.

       The configuration file contains seven sections:

            - variables and flags
            - authentication
            - authorization
            - proxy
            - balancing
            - dumping
            - miscellaneous

       Within each section the ss5 daemon reads the lines sequentially and
       stops at the first line that matches the request; later lines in that
       section are not consulted. The order of the sections and the order of
       the lines within a section therefore decide the result. A line matches
       only when every entry in it matches.


VARIABLE AND FLAGS ENTRIES

       Variables and flags in the configuration file control the amount and
       kind of logging and informational messages. The syntax for setting a
       variable is:

            set variable value

       set            Identifies entries that initialize ss5 variables for
                      internal use.

       Refer to the VARIABLES section of ss5(1) for complete details about ss5
       variables and values.


AUTHENTICATION ENTRIES

       Authentication entries identify the types of authentication the ss5
       daemon can use. Authentication lines use the syntax:

            auth source-host source-port auth-methods

       auth           Identifies the entry as an authentication entry

       source-host    Can be a host address or a network address

       source-port    Must be a valid port or port range

       auth-methods   Can be u (basic username/password authentication), n
                      (fake authentication) or - (no authentication). With
                      the n flag ss5 requests authentication but does not
                      check the password, so it gives no assurance of the
                      client's identity; use fake authentication only for
                      logging or profiling purposes.

       An external authentication program can be used instead, with the
       syntax:

            external_auth_program program-name

       external_auth_program
                      Forces ss5 to use an external authentication program
                      instead of reading the password file. The program must
                      return OK on success or ERR if an error occurred.

       program-name   Must be the full path name of the program to use for
                      user authentication.

       The ss5 daemon authenticates clients that originate on source-port at
       source-host using auth-methods. It can use the password file or the
       external program to validate requests.


AUTHORIZATION ENTRIES

       The access control section determines when the server permits or
       denies a request to establish a connection. The ss5 daemon denies any
       request that no access control line matches, even when the client has
       already authenticated: the default is deny.

       There is one type of line, the permit line, with this syntax:

            permit method src-host src-port dest-host dest-port fixup group
            bandwidth expdate

       method         Can be - (matches whether or not the client
                      authenticated) or u (authentication required)

       src-host       Can be a host address or a network address

       src-port       Must be a valid port or port range

       dest-host      Can be a host address, a network address or a host name

       dest-port      Must be a valid port or port range

       fixup          Can be http, ssl, smtp, pop3, imap or - (none)

       group          Can be the name of a file in the /etc/ss5 directory
                      containing usernames, a DN in a directory server or -
                      (none). Not available for UDP requests.

       bandwidth      Can be a valid bandwidth limit (from 256 bytes per
                      second to 2147483647) or - (none)

       expdate        Can be a valid expiration date in the format DD-MM-YYYY
                      or - (none)

       The entire line matches only when all the entries match.


PROXY ENTRIES

       Proxy entries describe the addresses clients can reach only through
       other SOCKS servers. With noproxy, ss5 makes a direct connection.

            proxy/noproxy dest-host dest-port proxy-host proxy-port ver

       dest-host      Can be a host address or a network address

       dest-port      Must be a valid port or port range

       proxy-host     Must be a host address

       proxy-port     Must be a valid port

       ver            Must be 4 or 5: the SOCKS protocol version ss5 uses
                      when talking to the upstream server.


BALANCING ENTRIES

       Balancing entries define an association between a virtual identifier
       (vid) and the real servers to balance over:

            virtual vid real

       vid            Defines the virtual identification; it must be the same
                      on every real server that belongs to the same virtual
                      identification

       real           Must be a valid internet address


DUMP ENTRIES

       Dump entries describe the addresses and ports for which traffic is
       dumped into a file.

            dump dest-host dest-port dump-mode

       dest-host      Can be a host address or a network address

       dest-port      Must be a valid port or port range

       dump-mode      0=rx (traffic received from the client), 1=tx (traffic
                      sent to the client) and 2=rx+tx (both directions)


MISCELLANEOUS ENTRIES

       The profiling section determines when the server has to use an LDAP
       query to perform user profiling instead of looking into a group file.

       The following lines configure the directory:

       ldap_profile_ip
                      Must be the internet address of the directory server

       ldap_profile_port
                      Must be the directory server port

       ldap_profile_base
                      Must be a valid base DN used as the starting point for
                      the search in the directory. ss5 searches under
                      ou=group,base where group is the group named in the
                      matching permit line of ss5.conf.

       ldap_profile_filter
                      Must be a valid filter attribute for the LDAP query,
                      for example uid

       ldap_profile_attribute
                      Must be a valid attribute for the LDAP query. ss5 uses
                      it together with the filter for the search operation
                      when the SS5_LDAP_FILTER option is specified.

       ldap_profile_dn
                      Must be a valid distinguished name to bind to the
                      directory

       ldap_profile_pass
                      Must be the password for simple bind authentication.
                      It is stored in clear text, so restrict read access to
                      ss5.conf.

       ldap_netbios_domain
                      Must be a valid NetBIOS domain name. If the
                      SS5_NETBIOS_DOMAIN option is set, ss5 maps the NetBIOS
                      domain of the user in the authentication request to the
                      directory server configured for it. Otherwise no
                      matching is done and the directories are contacted in
                      the order of configuration.


EXAMPLES

            auth 111.111.111.0/24 - u
            permit - - 111.111.111.0/22 - - - -

       Basic authenticated users from the class C network 111.111.111.0 can
       use the server.

            proxy - - 172.16.0.1 1081 -
            permit - - www.mydomain.com - - http -

       All SOCKS requests go through 172.16.0.1 port 1081. Only requests with
       destination www.mydomain.com and fixup http are permitted.

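       The sections above describe the evaluation order only in prose: the
       first matching auth line sets the method, the first permit line whose
       every field matches grants access (no match means deny), and the first
       proxy/noproxy line picks the upstream. The following Python model of
       that evaluation is an added example, not code from ss5 or its author.
       The configuration and the group membership inside it are constructed
       for illustration, and three points the manual leaves open are modelled
       as labelled assumptions: comment lines starting with #, a client that
       no auth line covers being refused, and an expired permit line no longer
       matching. Missing trailing permit fields are padded with -, so short
       permit lines like the ones in the examples above also parse.

```python
"""Model of the first-match evaluation ss5.conf(5) describes for the auth,
permit and proxy/noproxy sections.  Added example, not ss5's own code."""
import ipaddress
from datetime import date

# Constructed sample ss5.conf (not from the manual page).  Each section is read
# top to bottom and the first line whose every field matches wins; '#' comment
# lines are an assumption of this model.
SAMPLE_CONF = """
# auth: LAN clients must present a password, the monitor box gets fake auth
auth 10.1.0.0/16 - u
auth 10.9.9.9 - n
# permit: web ports and 172.16/12 for authenticated LAN users, ssh only for
# members of 'admins' until end of 2030, one port on one host for the monitor
permit u 10.1.0.0/16 - 192.168.5.0/24 80-443 http - - -
permit u 10.1.0.0/16 - 192.168.5.0/24 22 - admins - 31-12-2030
permit u 10.1.0.0/16 - 172.16.0.0/12 - - - - -
permit - 10.9.9.9 - 192.168.5.10 80 - - - -
# proxy: 172.16/12 is reachable only through an upstream SOCKS5 server
proxy 172.16.0.0/12 - 172.16.0.1 1081 5
noproxy - - - - -
"""
# Stand-in for the group files in /etc/ss5 (one username per line there).
GROUPS = {"admins": {"alice"}}

def parse_conf(text):
    """Collect the auth, permit and proxy/noproxy lines, keeping their order."""
    conf = {"auth": [], "permit": [], "proxy": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        key, rest = fields[0], fields[1:]
        if key == "auth":
            conf["auth"].append(rest)
        elif key == "permit":
            conf["permit"].append(rest + ["-"] * (9 - len(rest)))  # pad short lines with '-'
        elif key in ("proxy", "noproxy"):
            conf["proxy"].append([key] + rest)
    return conf

def host_match(pattern, host):
    """'-' matches anything; an address or CIDR matches by network; else compare as a name."""
    if pattern == "-":
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return pattern.lower() == host.lower()

def port_match(pattern, port):
    """'-' matches any port, 'N' a single port, 'A-B' an inclusive range."""
    if pattern == "-":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)

def parse_date(text):
    """Dates in the file are written DD-MM-YYYY."""
    d, m, y = (int(x) for x in text.split("-"))
    return date(y, m, d)

def auth_method(conf, src, src_port):
    """Method from the first matching auth line ('u', 'n' or '-'); None if none matches."""
    for host, port, method in conf["auth"]:
        if host_match(host, src) and port_match(port, src_port):
            return method
    return None

def authorize(conf, req, today):
    """True when some permit line matches every field of the request, else False (deny)."""
    for method, sh, sp, dh, dp, _fixup, group, _bw, expdate in conf["permit"]:
        if method == "u" and not req["authenticated"]:
            continue
        if not (host_match(sh, req["src"]) and port_match(sp, req["src_port"])
                and host_match(dh, req["dst"]) and port_match(dp, req["dst_port"])):
            continue
        if group != "-" and req.get("user") not in GROUPS.get(group, set()):
            continue
        if expdate != "-" and today > parse_date(expdate):  # assumption: expired lines stop matching
            continue
        return True
    return False

def upstream(conf, dst, dst_port):
    """(host, port, version) from the first matching proxy line; None means connect directly."""
    for kind, dh, dp, ph, pp, ver in conf["proxy"]:
        if host_match(dh, dst) and port_match(dp, dst_port):
            return None if kind == "noproxy" else (ph, int(pp), int(ver))
    return None

def decide(conf, req, today="01-01-2025"):
    """Evaluate one request in the order the manual gives the sections: auth, permit, proxy."""
    method = auth_method(conf, req["src"], req["src_port"])
    if method is None:
        return "deny: no auth line matches"  # assumption: a client no auth line covers is refused
    if method == "u" and not req.get("password_ok"):
        return "deny: password required"
    # Only a checked password counts as authentication; fake auth ('n') just records the name.
    req = dict(req, authenticated=(method == "u"))
    if not authorize(conf, req, parse_date(today)):
        return "deny: no permit line matches"
    up = upstream(conf, req["dst"], req["dst_port"])
    return "permit via %s:%d (socks%d)" % up if up else "permit direct"
```

       Call decide(parse_conf(SAMPLE_CONF), request) with a dict carrying src,
       src_port, dst, dst_port and, for password users, user and password_ok.
       Swapping the noproxy line above the proxy line sends the 172.16/12
       traffic direct, and moving the 10.9.9.9 permit line does nothing for
       LAN users because its src-host field never matches them; walking a
       planned change through a model like this is the check worth doing
       before editing /etc/ss5/ss5.conf on a running server.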

SEE ALSO

       ss5(1), ss5.passwd(5), ss5.pam(5), ss5.ha(5)


AUTHORS

          Matteo Ricchetti

       Send comments to matteo.ricchetti@libero.it

                                  02 May 1997                      ss5.conf(5)