ss5.conf man page on DragonFly


ss5.conf(5)							   ss5.conf(5)

NAME
       ss5.conf - Configuration file for the ss5 daemon

SYNOPSIS
       The    ss5   daemon   usually   reads   the   configuration   file   in
       /etc/ss5/ss5.conf.

DESCRIPTION
       The ss5 daemon reads the configuration file when	 it  starts  and  each
       time it receives an HUP signal.

       The configuration file contains six sections:

	    - variables and flags
	    - authentication
	    - authorization
	    - bandwidth
	    - proxy
	    - balancing
	    - dumping
	    - miscellaneous

       In  each	 section, the ss5 daemon sequentially reads each line until it
       encounters a matching line for that section. The order of sections  and
       the  order  of  lines  within  a	 section  are crucial to achieving the
       desired result. Every entry in a line must match.

VARIABLE AND FLAGS ENTRIES
       Variables and flags in the configuration file control  the  amount  and
       types  of logging and information messages. The configuration file syn‐
       tax for initializing variables is:

	    set variable value

       set	      Identifies entries that  initialize  ss5	variables  for
		      internal use.

       Refer  to  the  ss5(1) VARIABLES section for complete details about ss5
       variables and values.

AUTHENTICATION ENTRIES
       Authentication entries identify the types  of  authentication  the  ss5
       daemon can use. Authentication lines use the syntax:

	    auth source-host source-port auth-methods

       auth	      Identifies the entry as an authentication entry

       source-host    Could be host address or network address

       source-port    Must be a valid port or range

       auth-methods   Could be u (Basic authentication), n (Fake
                      authentication), s (SUPA authentication), k (GSS
                      Kerberos) or - (No authentication). With the n flag,
                      ss5 requests authentication but doesn't check the
                      password. Use fake authentication for logging or
                      profiling purposes. For SUPA, see the ss5_supa man
                      page.

       An external authentication program can be used, with the syntax:

	    external_auth_program program name

       external_auth_program
                      Forces ss5 to use an external authentication program
                      instead of reading the password file. The
                      authentication program returns OK on success or ERR
                      if an error occurred.

       program name   Must be the full path name of the	 program  to  use  for
		      user authentication.

       The ss5 daemon authenticates clients that originate on source-port at
       source-host using auth-methods. It can use a password file or an
       external program to validate requests.

       Radius authentication can be used by setting the SS5_RADIUS_AUTH option
       and configuring the following attributes:

       radius_ip      radius server address

       radius_bck_ip  radius server secondary address

       radius_auth_port
                      radius authentication service port

       radius_acct_port
                      radius authorization service port

       radius_secret  radius client/server secret password

AUTHORIZATION ENTRIES
       The access control section determines when the server permits or denies
       a request to establish a connection. The ss5 daemon denies a request if
       an  access  control  line does not match the request, even after it has
       authenticated the host.

       There is one type of line, the permit line, with this syntax:

	    permit/deny method src-host	 src-port  dest-host  dest-port	 fixup
	    group bandwidth expdate

       method	      could  be - (authentication or not), k (GSS Kerberos), s
		      (SUPA) or u (BASIC authentication required)

       src-host	      could be host address or network address

       src-port	      Must be a valid port or range

       dest-host      Could be host address, network address or host name

       dest-port      Must be a valid port or range

       fixup	      Could be http, ssl,  smtp,  pop3,	 imap,	icache	 or  -
		      (None)

       group	      Could  be	 filename in the /etc/ss5 directory containing
		      usernames, a DN into a directory server or - (None). Not
		      available for UDP requests.

       bandwidth      Could  be	 a  valid  bandwidth range (from 256 bytes per
		      second to 2147483647) or - (None).

       expdate        Could be a valid expiration date in the format
                      DD-MM-YYYY

       The entire line matches only when all the entries match.
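
       The following audit script is an added example, not part of the
       original man page or of the ss5 project. It checks auth and
       permit/deny lines against the syntax documented above, flags the n
       and - methods, and flags auth lines that an earlier, broader line
       shadows under first-match evaluation. Assumptions: '#' starts a
       comment, '-' as source-port means any port, and all function names
       are hypothetical.

```python
import ipaddress

# Constructed sample (not from the man page). '#' comments and '-' as "any port"
# are assumptions about the file format; addresses are documentation ranges.
SAMPLE_CONF = """\
auth 192.0.2.0/24 - n
auth 0.0.0.0/0 - -
auth 198.51.100.0/24 - u
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
permit u 198.51.100.0/24 - 0.0.0.0/0 - - - -
"""
WEAK_AUTH = {"n": "fake authentication, password never checked", "-": "no authentication"}
PERMIT_FIELDS = 9  # method src-host src-port dest-host dest-port fixup group bandwidth expdate

def _net(field):
    """Parse a host or network address; None if the field is not an IP/CIDR."""
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        return None

def _shadowed_by(net, port, earlier):
    """Line number of an earlier auth line that already matches this source."""
    for no, e_net, e_port in earlier:
        if (net is not None and e_net is not None and net.version == e_net.version
                and net.subnet_of(e_net) and e_port in ("-", port)):
            return no
    return None

def audit(conf_text):
    """Return (line_number, message) findings for auth/permit/deny lines."""
    findings, earlier = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "auth" and len(f) == 4:
            if f[3] in WEAK_AUTH:
                findings.append((no, f"auth-methods '{f[3]}': {WEAK_AUTH[f[3]]}"))
            hit = _shadowed_by(_net(f[1]), f[2], earlier)
            if hit:  # first matching line wins, so this one is never consulted
                findings.append((no, f"shadowed by auth line {hit}"))
            earlier.append((no, _net(f[1]), f[2]))
        elif f[0] == "auth":
            findings.append((no, "auth needs source-host source-port auth-methods"))
        elif f[0] in ("permit", "deny") and len(f) != 1 + PERMIT_FIELDS:
            findings.append((no, f"{f[0]} has {len(f) - 1} fields, expected {PERMIT_FIELDS}"))
        elif f[0] == "permit" and f[1] == "-":
            findings.append((no, f"permit from {f[2]} requires no authentication"))
    return findings
```

       Calling audit(SAMPLE_CONF) returns one finding per sample line; a file
       that uses only u, s or k and has no shadowed lines returns an empty
       list.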

BANDWIDTH ENTRIES
       Bandwidth entries define per-user limits on the number of connections
       and on bandwidth. Bandwidth lines use the syntax:

	    bandwidth group maxcons bandwidth session timeout

       bandwidth      Limit bandwidth and number of connections per user

       group          Could be a filename in the /etc/ss5 directory
                      containing one or more usernames. NB: if you modify a
                      group file you must reload the ss5 configuration.

       maxcons        Could be the maximum number of connections permitted
                      per user. Valid range is 0 (no limit) to 65000.

       bandwidth      Could  be	 a  valid  bandwidth range (from 256 bytes per
		      second to 2147483647) or - (None) per user.

       session timeout
		      Could be a valid timeout in  seconds  or	-  (None)  per
		      user.

PROXY ENTRIES
       Proxy  entries  describe	 the  addresses clients can only reach through
       other SOCKS servers. With noproxy, ss5 makes direct connection.

	    proxy/noproxy dest-host dest-port proxy-host proxy-port ver

       dest-host      Could be host address or network address

       dest-port      Must be a valid port or range

       proxy-host     Must be host address

       proxy-port     Must be a valid port

       ver            Must be 4 or 5. SS5 will use SOCKS version 4 or 5
                      toward the upstream server.

BALANCING ENTRIES
       Define an association between vid and real servers to balance:

	    virtual vid real

       vid            Defines the virtual identification; it must be equal
                      for the real servers that belong to the same virtual
                      identification

       real	      must be a valid internet address

DUMP ENTRIES
       Dump entries describe the addresses and ports for which traffic is
       dumped into a file.

	    dump dest-host dest-port dump-dir dump-mode

       dest-host      Could be host address or network address

       dest-port      Must be a valid port or range

       dump-dir       Could be 's' or 'd'. If =s, dest-host is evaluated as
                      source host; if =d, dest-host is evaluated as
                      destination.

       dump-mode      r=rx  (traffic received from client), t=tx (traffic sent
		      from client) and b=rx+tx (both directions)

MISCELLANEOUS ENTRIES
       The profiling section determines when the server has to use an ldap
       query or a mysql query to perform user profiling, instead of looking
       into the group file.

       There are five types of line for directory configuration:

       ldap_profile_ip
		      must be directory internet address

       ldap_profile_port
		      must be directory port

       ldap_profile_base
		      must be a valid "base" as starting point for the	search
		      into  directory.	ss5 uses ou='group'+base where 'group'
		      is set in permit line in the ss5.conf file.

       ldap_profile_filter
		      must be a valid "filter attribute" for ldap  query,  for
		      example "uid"

       ldap_profile_attribute
		      must  be a valid "attribute" for ldap query. SS5 uses it
		      with filter for search operation	where  SS5_LDAP_FILTER
		      option is specified.

       ldap_profile_dn
		      must  be	a valid "distinguished name" to bind to direc‐
		      tory

       ldap_profile_pass
		      must be a valid "password" for simple authentication

       ldap_netbios_domain
                      must be a valid netbios domain name. If the
                      SS5_NETBIOS_DOMAIN option is set, ss5 maps the netbios
                      domain of the user in the authentication request to
                      its configured directory server. Otherwise no match is
                      done and directories are contacted in order of
                      configuration

       There are four types of line for mysql configuration:

       mysql_profile_ip
		      must be mysql server internet address

       mysql_profile_db
		      must be mysql database

       mysql_profile_user
                      must be the username to access mysql

       mysql_profile_pass
                      must be the password to access mysql

       mysql_profile_sqlstring
		      must be the sql base string for query.  DEFAULT  'SELECT
		      uname FROM grp WHERE gname like'

EXAMPLES

	    auth 111.111.111.0/24 - u
	    permit - - 111.111.111.0/22 - - - -

       Basic  authenticated  users  from the class C network 111.111.111.0 can
       use the server.

	    proxy - - 172.16.0.1 1081 -
	    permit - - www.mydomain.com - - http -

       All socks requests go through 172.16.0.1 port 1081. Only requests with
       destination www.mydomain.com and protocol http are permitted.

SEE ALSO
       ss5(1),	ss5.conf(5),  ss5.pam(5), ss5.passwd(5), ss5.ha(5), ss5srv(1),
       ss5_supa(5), ss5_gssapi(5)

AUTHORS
	  Matteo Ricchetti

       Send comments to matteo.ricchetti@libero.it

				  20 Jan 2009			   ss5.conf(5)