# # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: set # # set option name: # SS5_DNSORDER -> order dns answer # SS5_VERBOSE -> enable verbose output to be written into logfile # SS5_STIMEOUT -> set session idle timeout (default 1800 seconds) # SS5_LDAP_TIMEOUT -> set ldap query timeout # SS5_LDAP_BASE -> set BASE method for profiling (see PROFILING section) # This is the default option! # SS5_LDAP_FILTER -> set FILTER method for profiling (see PROFILING # section) # SS5_PAM_AUTH -> set PAM authentication # SS5_AUTHCACHEAGE -> set age in seconds for authentication cache # SS5_AUTHOCACHEAGE -> set age in seconds for authorization cache # SS5_STICKYAGE -> enable affinity session # SS5_STICKYSESSION -> set age for affinity # SS5_PROCESSLIFE -> set number of requests a process must serve before # closing # SS5_NETBIOS_DOMAIN -> enable netbios domain mapping with directory store # during the authorization process # # /////////////////////////////////////////////////////////////////////////////////// # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: auth # # auth source host, source port, authentication type # # Some examples: # # Authentication from 10.253.8.0 network # auth 10.253.8.0/22 - u # # Fake authentication from 10.253.0.0 network. In this case, ss5 requests # authentication but doesn't check the password, so the client's identity is # not verified. Use fake authentication for logging or profiling purposes only. # auth 10.253.0.0/16 - n # # Fake authentication: ss5 doesn't check for a correct password but fetches # the username for profiling. 
# auth 0.0.0.0/0 - n # # TAG: external_auth_program # # external_auth_program program name and path # # Some examples: # # Use a shell script to authenticate the user via an ldap query # external_auth_program /usr/local/bin/ldap.sh # # /////////////////////////////////////////////////////////////////////////////////// # SHost SPort Authentication # auth 0.0.0.0/0 - u # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: proxy/noproxy # # proxy/noproxy dst host/network, dst port, socks proxy address, port address # # Some examples: # # Proxy requests for the 172.0.0.0 network to socks server 10.253.9.240 on port 1081: # # if authentication is requested, the downstream socks server has to check it; # if resolution is requested, the downstream socks server does it before proxying # the request toward the upstream socks server. # proxy 172.0.0.0/16 - 10.253.9.240 1081 # # SS5 makes a direct connection to the 10.253.0.0 network (in this case, the port value is not # verified) without using an upstream proxy server # noproxy 0.0.0.0/0 - 10.253.0.0/16 1080 # # /////////////////////////////////////////////////////////////////////////////////// # DHost/Net DPort DProxyip DProxyPort # # proxy 0.0.0.0/0 - 1.1.1.1 - # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: dump # # dump dst host/network, dst port, dump mode (0=rx, 1=tx, 2=rx+tx) # # Some examples: # # Dump traffic for the 172.30.1.0 network on port 1521: # # if authentication is requested, the downstream socks server has to check it; # if resolution is requested, the downstream socks server does it before proxying # the request toward the upstream socks server. 
# dump 172.30.1.0/24 1521 2 # # /////////////////////////////////////////////////////////////////////////////////// # DHost/Net DPort Dump mode (0=rx,1=tx,2=rx+tx) # # dump 0.0.0.0/0 - 1 # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: permit/deny # permit/deny src auth flag, src host/network, src port, dst host/network, dst port, # fixup, group, bandwidth (from 256 bytes per second to 2147483647) # # Some examples: # # FTP Control + Passive Mode # permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - # # FTP DATA Active Mode # permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - # permit - 172.0.0.0/8 - 0.0.0.0/0 - - - - # # Query DNS # permit - 0.0.0.0/0 - 172.30.0.1/32 53 - - - # # Http + fixup # permit - 0.0.0.0/0 - www.example.com 80 http - - # # Http + fixup + profile + bandwidth (bytes per second) # permit - 0.0.0.0/0 - www.example.com 80 http admin 10240 # # Sftp + profile + bandwidth (bytes per second) # permit - 0.0.0.0/0 - sftp.example.com 22 - developer 102400 # # Http + fixup # permit - 0.0.0.0/0 - web.example.com 80 - - - # # Http + fixup + user authentication required # permit u 0.0.0.0/0 - web.example.com 80 - - - # # Deny all connections to web.example.com # deny - 0.0.0.0/0 - web.example.com - - - - # # # /////////////////////////////////////////////////////////////////////////////////// # Auth SHost SPort DHost DPort Fixup Group Band # permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # 1) File profiling: # # ss5 looks for a file with the name specified in the permit line in the /etc/ss5 directory. # This file must contain the user members. File profiling is the default option. 
# # 2) Ldap profiling: # # ldap_profile_ip (directory internet address) # ldap_profile_port (directory port) # ldap_profile_base (ss5 replaces % with the "group specified in permit line" # if SS5LDAP_BASE is specified; otherwise, if # SS5LDAP_FILTER is specified, it uses base and searches # for group as an attribute in the user entry; see examples) # ldap_profile_filter (ss5 uses filter for the search operation) # ldap_profile_dn (directory manager or another user authorized to # query the directory) # ldap_profile_pass ("dn" password; note that it is stored in clear text # in this file) # ldap_netbios_domain (If the SS5_NETBIOS_DOMAIN option is set, ss5 maps the netbios # domain of the user in the authentication request to its configured # directory server. Otherwise no match is done and the # directories are contacted in order of configuration) # # Some examples: # # Directory configuration for ldap profiling with the SS5LDAP_BASE option: # in this case, ss5 looks for attribute uid="username" with base ou="group", # dc=example,dc=com where group is specified in the permit line as # "permit - - - - - group - - # # Note: in this case, the attribute value is not used # # ldap_profile_ip 10.10.10.1 # ldap_profile_port 389 # ldap_profile_base ou=%,dc=example,dc=com # ldap_profile_filter uid # ldap_profile_attribute gid # ldap_profile_dn cn=root,dc=example,dc=com # ldap_profile_pass secret # ldap_netbios_domain dir # # Directory configuration for ldap profiling with the SS5LDAP_FILTER option: # in this case, ss5 looks for attributes uid="username" & "gid=group" with # base dc=example,dc=com where group is specified in the permit line as # "permit - - - - - group - - # # Note: you can also use a base like "ou=%,dc=example,dc=com", where % # will be replaced with "group". 
# # ldap_profile_ip 10.10.10.1 # ldap_profile_port 389 # ldap_profile_base ou=Users,dc=example,dc=com # ldap_profile_filter uid # ldap_profile_attribute gecos # ldap_profile_dn cn=root,dc=example,dc=com # ldap_profile_pass secret # ldap_netbios_domain dir # # Sample OpenLdap log: # conn=304 op=0 BIND dn="cn=root,dc=example,dc=com" mech=simple ssf=0 # conn=304 op=0 RESULT tag=97 err=0 text= # conn=304 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=1 filter="(&(uid=usr1)(gecos=Users))" # conn=304 op=1 SRCH attr=gecos # # where the ldap entry is: # dn: uid=usr1,ou=Users,dc=example,dc=com # uid: usr1 # cn: usr1 # objectClass: account # objectClass: posixAccount # objectClass: top # userPassword:: dXNyMQ== # loginShell: /bin/bash # homeDirectory: /home/usr1 # uidNumber: 1 # gidNumber: 1 # gecos: Users # # SECTION # \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ # # TAG: virtual # # virtual virtual identification (vid), real server ip # # Some examples: # # Two vips, each balancing on three real servers # virtual 1 172.30.1.1 # virtual 1 172.30.1.2 # virtual 1 172.30.1.3 # # virtual 2 172.30.1.6 # virtual 2 172.30.1.7 # virtual 2 172.30.1.8 # # Note: Server balancing works only with the -t option (threaded mode) and ONLY # with the "connect" operation. # # /////////////////////////////////////////////////////////////////////////////////// # Vid Real ip # #virtual - -