|set variable value|
|set||Identifies entries that initialize ss5 variables for internal use.|
Authentication entries identify the types of authentication the ss5 daemon can use. Authentication lines use the syntax:
auth source-host source-port auth-methods
External authentication program could be used, using the syntax:
auth Identifies the entry as an authentication entry source-host Could be host address or network address source-port Must be a valid port or range auth-methods Could be u (Basic autentication), n (Fake authentication), s (SUPA authentication), k (GSS Kerberos) or - (No authentication). With n flag, ss5 requests authentication but doesnt check for password. Use fake authentication for logging or profiling purpose. About SUPA see ss5_supa man page.
external_auth_program program name
external_auth_program Force ss5 to use external authetication program instead of reading password file. Authentication program return OK on success or ERR if an error occurred. program name Must be the full path name of the program to use for user authentication. The ss5 daemon authenticates clients that originate on source-port at source-host using auth-methods. It can use password file or external program to validate requests.
Radius authentication could be used, setting SS5_RADIUS_AUTH option and configuring the following attributes:
radius_auth_port radius authentication service port
radius_ip radius server address radius_bck_ip radius server secondary address
radius_acct_port radius authorization service port
radius_secret radius client/server secret password
The access control section determines when the server permits or denies a request to establish a connection. The ss5 daemon denies a request if an access control line does not match the request, even after it has authenticated the host.
There are one type of line, permit line, with this syntax:
permit/deny method src-host src-port dest-host dest-port fixup group bandwidth expdate
method could be - (authentication or not), k (GSS Kerberos), s (SUPA) or u (BASIC authentication required) src-host could be host address or network address src-port Must be a valid port or range dest-host Could be host address, network address or host name dest-port Must be a valid port or range fixup Could be http, ssl, smtp, pop3, imap, icache or - (None) group Could be filename in the /etc/ss5 directory containing usernames, a DN into a directory server or - (None). Not available for UDP requests. bandwidth Could be a valid bandwidth range (from 256 bytes per second to 2147483647) or - (None). expdate Could be a valid expiration date in the format DD-MM-YYYY The entire line matches only when all the entries match.
Bandwidth entries define limits per user about number of connections and bandwidth value. Authentication lines use the syntax:
bandwidth group maxcons bandwidth session timeout
bandwidth Limit bandwidth and number of connections per user group Could be filename in the /etc/ss5 directory containing one or more usernames. Nb: if you modify a groupfile you must reload ss5 configuration. maxcons Could be the number of max connections permitted to user. Valid range is 0 (no limit) to 65000. bandwidth Could be a valid bandwidth range (from 256 bytes per second to 2147483647) or - (None) per user. session timeout Could be a valid timeout in seconds or - (None) per user.
Proxy entries describe the addresses clients can only reach through other SOCKS servers. With noproxy, ss5 makes direct connection.
proxy/noproxy dest-host dest-port proxy-host proxy-port ver
dest-host Could be host address or network address dest-port Must be a valid port or range proxy-host Must be host address proxy-port Must be a valid port
ver Must be 4 or 5. SS5 will use 4 or 5 socks ver using upstream.
Define an association between vid and real servers to balance:
virtual vid real
vid define virtual identification and must be equal for the real ones that belongs to the same virtual identification real must be a valid internet address
Dump entries describe the addresses and ports for which dumping traffic into a file.
dump dest-host dest-port dump-dir dump-mode
dest-host Could be host address or network address dest-port Must be a valid port or range dump-dir Could be s or d. If =s, dest-host is evaluated as source host; if =d, dest-hoet is evaluated as destination. dump-mode r=rx (traffic received from client), t=tx (traffic sent from client) and b=rx+tx (both directions)
The profiling section determines when the server have to use ldap query or mysql query to perform user profiling, instead of looking into group file.
There are five type of line for directory configuration:
There are four type of line for mysql configuration:
ldap_profile_ip must be directory internet address ldap_profile_port must be directory port ldap_profile_base must be a valid "base" as starting point for the search into directory. ss5 uses ou=group+base where group is set in permit line in the ss5.conf file. ldap_profile_filter must be a valid "filter attribute" for ldap query, for example "uid" ldap_profile_attribute must be a valid "attribute" for ldap query. SS5 uses it with filter for search operation where SS5_LDAP_FILTER option is specified. ldap_profile_dn must be a valid "distinguished name" to bind to directory ldap_profile_pass must be a valid "password" for simple authentication ldap_netbios_domain must be a valid netbios domain name. If SS5_NETBIOS_DOMAIN option is set, ss5 map netbios domain user in authentication request with his configured directory sever. Otherwise no match is done and directory are contacted in order of configuration
mysql_profile_ip must be mysql server internet address mysql_profile_db must be mysql database mysql_profile_user must be mysql the username to access to mysql mysql_profile_pass must be the password to access to mysql mysql_profile_sqlstring must be the sql base string for query. DEFAULT SELECT uname FROM grp WHERE gname like
auth 220.127.116.11/24 - u
permit - - 18.104.22.168/22 - - - -
Basic authenticated users from the class C network 22.214.171.124 can use the server.
proxy - - 172.16.0.1 1081 -
permit - - www.mydomain.com - - http -
All socks requests through 172.16.0.1 port 1081. Only requests with destination www.mydomain.com, protocol http are pertmitted.
Send comments to firstname.lastname@example.org
|-->||SS5.CONF (5)||20 Jan 2009|