Репозитории ALT
| 5.1: | 3.6.4-alt2.rel3.2 |
| 4.1: | 3.6.4-alt2.rel3 |
| 4.0: | 3.6.1-alt1 |
| 3.0: | |
| +backports: | 3.0-alt0.M30.4 |
Группа :: Система/Серверы
Пакет: ss5
навигация по пакетам
Главная Изменения Спек Патчи Исходники Загрузить Gear Bugs and FR Repocop
#
# SECTION <VARIABLES AND FLAGS>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# TAG: set
#
# set option name:
# SS5_DNSORDER -> order dns answer
# SS5_VERBOSE -> enable verbose output to be written into logfile
# SS5_STIMEOUT -> set session idle timeout (default 1800 seconds)
# SS5_LDAP_TIMEOUT -> set ldap query timeout
# SS5_LDAP_BASE -> set BASE method for profiling (see PROFILING section)
# Is default option!
# SS5_LDAP_FILTER -> set FILTER method for profiling (see PROFILING
# section)
# SS5_PAM_AUTH -> set PAM authentication
# SS5_AUTHCACHEAGE -> set age in seconds for authentication cache
# SS5_AUTHOCACHEAGE -> set age in seconds for authorization cache
# SS5_STICKYAGE -> enable affinity session
# SS5_STICKYSESSION -> set age for affinity
# SS5_PROCESSLIFE -> set number of requests process must servs before
# closing
# SS5_NETBIOS_DOMAIN -> enable netbios domain mapping with directory store,
# during autorization process
#
# ///////////////////////////////////////////////////////////////////////////////////
#
# SECTION <AUTHENTICATION>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# TAG: auth
#
# auth source host, source port, authentication type
#
# Some examples:
#
# Authentication from 10.253.8.0 network
# auth 10.253.8.0/22 - u
#
# Fake authentication from 10.253.0.0 network. In this case, ss5 request
# authentication but doesn't check for password. Use fake authentication
# for logging or profiling purpose.
# auth 10.253.0.0/16 - n
#
# Fake authentication: ss5 doesn't check for correct password but fetchs
# username for profiling.
# auth 0.0.0.0/0 - n
#
# TAG: external_auth_program
#
# external_auth_program program name and path
#
# Some examples:
#
# Use shell file to autheticate user via ldap query
# external_auth_program /usr/local/bin/ldap.sh
#
# ///////////////////////////////////////////////////////////////////////////////////
# SHost SPort Authentication
#
auth 0.0.0.0/0 - u
#
# SECTION <PROXIES>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# TAG: proxy/noproxy
#
# proxy/noproxy dst host/network, dst port, socks proxy address, port address
#
# Some examples:
#
# Proxy request for 172.0.0.0 network to socks server 10.253.9.240 on port 1081:
#
# if authentication is request, downstream socks server have to check it;
# if resolution is request, downstream socks server does it before proxying
# the request toward the upstream socks server.
# proxy 172.0.0.0/16 - 10.253.9.240 1081
#
# SS5 makes direct connection to 10.253.0.0 network (in this case, port value is not
# verified) without using upstream proxy server
# noproxy 0.0.0.0/0 - 10.253.0.0/16 1080
#
# ///////////////////////////////////////////////////////////////////////////////////
# DHost/Net DPort DProxyip DProxyPort
#
# proxy 0.0.0.0/0 - 1.1.1.1 -
#
# SECTION <DUMP>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# TAG: dump
#
# dump dst host/network, dst port, dump mode (0=rx, 1=tx, 2=rx+tx)
#
# Some examples:
#
# Dump traffic for 172.30.1.0 network on port 1521:
#
# if authentication is request, downstream socks server have to check it;
# if resolution is request, downstream socks server does it before proxying
# the request toward the upstream socks server.
# dump 172.30.1.0/24 1521 2
#
# ///////////////////////////////////////////////////////////////////////////////////
# DHost/Net DPort Dump mode (0=rx,1=tx,2=rx+tx)
#
# dump 0.0.0.0/0 - 1
#
# SECTION <ACCESS CONTROL>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# TAG: permit/deny
# permit/deny src auth flag, host/network, src port, dst host/network, dst port,
# fixup, group, bandwidth (from 256 bytes per second to 2147483647)
#
# Some examples:
#
# FTP Control + Passive Mode
# permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - -
#
# FTP DATA Active Mode
# permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - -
# permit - 172.0.0.0/8 - 0.0.0.0/0 - - - -
#
# Query DNS
# permit - 0.0.0.0/0 - 172.30.0.1/32 53 - - -
#
# Http + fixup
# permit - 0.0.0.0/0 - www.example.com 80 http - -
#
# Http + fixup + profile + bandwidth (bytes x second)
# permit - 0.0.0.0/0 - www.example.com 80 http admin 10240
#
# Sftp + profile + bandwidth (bytes x second)
# permit - 0.0.0.0/0 - sftp.example.com 22 - developer 102400
#
# Http + fixup
# permit - 0.0.0.0/0 - web.example.com 80 - - -
#
# Http + fixup + user autentication required
# permit u 0.0.0.0/0 - web.example.com 80 - - -
#
# Deny all connection to web.example.com
# deny - 0.0.0.0/0 - web.example.com - - - -
#
#
# ///////////////////////////////////////////////////////////////////////////////////
# Auth SHost SPort DHost DPort Fixup Group Band
#
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - -
#
# SECTION <PROFILING>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# 1) File profiling:
#
# ss5 look for a file name specified in permit line in the /etc/ss5 directory.
# This file must contain user members. File profiling is the default option.
#
# 2) Ldap profiling:
#
# ldap_profile_ip (directory internet address)
# ldap_profile_port (directory port)
# ldap_profile_base (ss5 replaces % with "group specified in permit line"
# if SS5LDAP_BASE if specified, otherwise if
# SS5LDAP_FILTER is specified, it uses base and search
# for group as attribute in user entry; see examples)
# ldap_profile_filter (ss5 uses filter for search operation)
# ldap_profile_dn (directory manager or another user authorized to
# query the directory)
# ldap_profile_pass ("dn" password)
# ldap_netbios_domain (If SS5_NETBIOS_DOMAIN option is set, ss5 map netbios
# domain user in authentication request with his configured
# directory sever. Otherwise no match is done and
# directory are contacted in order of configuration)
#
# Some examples:
#
# Directory configuration for ldap profiling with SS5LDAP_BASE option:
# in this case, ss5 look for attribute uid="username" with base ou="group",
# dc=example,dc=com where group is specified in permit line as
# "permit - - - - - group - -
#
# Note: in this case, attribute value is not userd
#
# ldap_profile_ip 10.10.10.1
# ldap_profile_port 389
# ldap_profile_base ou=%,dc=example,dc=com
# ldap_profile_filter uid
# ldap_profile_attribute gid
# ldap_profile_dn cn=root,dc=example,dc=com
# ldap_profile_pass secret
# ldap_netbios_domain dir
#
# Directory configuration for ldap profiling with SS5LDAP_FILTER option:
# in this case, ss5 look for attributes uid="username" & "gid=group" with
# base dc=example,dc=com where group is specified in permit line as
# "permit - - - - - group - -
#
# Note: you can also use a base like "ou=%,dc=example,dc=com", where %
# will be replace with "group".
#
# ldap_profile_ip 10.10.10.1
# ldap_profile_port 389
# ldap_profile_base ou=Users,dc=example,dc=com
# ldap_profile_filter uid
# ldap_profile_attribute gecos
# ldap_profile_dn cn=root,dc=example,dc=com
# ldap_profile_pass secret
# ldap_domain_domain dir
#
# Sample OpenLdap log:
# conn=304 op=0 BIND dn="cn=root,dc=example,dc=com" mech=simple ssf=0
# conn=304 op=0 RESULT tag=97 err=0 text=
# conn=304 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=1 filter="(&(uid=usr1)(gecos=Users))"
# conn=304 op=1 SRCH attr=gecos
#
# where ldap entry is:
# dn: uid=usr1,ou=Users,dc=example,dc=com
# uid: usr1
# cn: usr1
# objectClass: account
# objectClass: posixAccount
# objectClass: top
# userPassword:: dXNyMQ==
# loginShell: /bin/bash
# homeDirectory: /home/usr1
# uidNumber: 1
# gidNumber: 1
# gecos: Users
#
# SECTION <SERVER BALANCE>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
# TAG: virtual
#
# virtual virtual identification (vid), real ip server
#
# Some examples:
#
# Two vip balancing on three real server each one
# virtual 1 172.30.1.1
# virtual 1 172.30.1.2
# virtual 1 172.30.1.3
#
# virtual 2 172.30.1.6
# virtual 2 172.30.1.7
# virtual 2 172.30.1.8
#
# Note: Server balancing only works with -t option, (threaded mode) and ONLY
# with "connect" operation.
#
# ///////////////////////////////////////////////////////////////////////////////////
# Vid Real ip
#
#vitual - -