
FreeBSD Manual Pages

ss5.conf(5)		      File Formats Manual		   ss5.conf(5)

NAME
       ss5.conf	- Configuration	file for the ss5 daemon

SYNOPSIS
       The    ss5   daemon   usually   reads   the   configuration   file   in
       /etc/ss5/ss5.conf.

DESCRIPTION
       The ss5 daemon reads the configuration file when it starts and each
       time it receives a HUP signal.

       The configuration file contains eight sections:

	    - variables	and flags
	    - authentication
	    - authorization
	    - bandwidth
	    - proxy
	    - balancing
	    - dumping
	    - miscellaneous

       In  each	 section, the ss5 daemon sequentially reads each line until it
       encounters a matching line for that section. The	order of sections  and
       the  order  of  lines within a section are crucial to achieving the de-
       sired result. Every entry in a line must	match.

VARIABLE AND FLAGS ENTRIES
       Variables and flags in the configuration	file control  the  amount  and
       types  of logging and information messages. The configuration file syn-
       tax for initializing variables is:

	    set	variable value

       set	      Identifies entries that initialize ss5 variables for in-
		      ternal use.

       Refer  to  the  ss5(1) VARIABLES	section	for complete details about ss5
       variables and values.

AUTHENTICATION ENTRIES
       Authentication entries identify the types  of  authentication  the  ss5
       daemon can use. Authentication lines use	the syntax:

	    auth source-host source-port auth-methods

       auth	      Identifies the entry as an authentication	entry

       source-host    Could be host address or network address

       source-port    Must be a	valid port or range

       auth-methods   Could be u (Basic authentication), n (Fake authentica-
                      tion), s (SUPA authentication), k (GSS Kerberos) or -
                      (No authentication). With the n flag, ss5 requests au-
                      thentication but does not check the password; use fake
                      authentication for logging or profiling purposes only.
                      About SUPA see the ss5_supa man page.

       An external authentication program can be used with the syntax:

            external_auth_program program name

       external_auth_program
                      Forces ss5 to use an external authentication program
                      instead of reading the password file. The program re-
                      turns OK on success or ERR if an error occurred.

       program name   Must be the full path name of the	 program  to  use  for
		      user authentication.

       The ss5 daemon authenticates clients that originate on source-port at
       source-host using auth-methods. It can use the password file or the
       external program to validate requests.

       Radius authentication can be used by setting the SS5_RADIUS_AUTH op-
       tion and configuring the following attributes:

       radius_ip      radius server address

       radius_bck_ip  radius server secondary address

       radius_auth_port
                      radius authentication service port

       radius_acct_port
                      radius accounting service port

       radius_secret  radius client/server shared secret

AUTHORIZATION ENTRIES
       The access control section determines when the server permits or	denies
       a request to establish a	connection. The	ss5 daemon denies a request if
       an  access  control  line does not match	the request, even after	it has
       authenticated the host.

       There is one type of line, the permit/deny line, with this syntax:

	    permit/deny	method src-host	 src-port  dest-host  dest-port	 fixup
	    group bandwidth expdate

       method	      could  be	- (authentication or not), k (GSS Kerberos), s
		      (SUPA) or	u (BASIC authentication	required)

       src-host	      could be host address or network address

       src-port	      Must be a	valid port or range

       dest-host      Could be host address, network address or	host name

       dest-port      Must be a	valid port or range

       fixup	      Could be http, ssl,  smtp,  pop3,	 imap,	icache	 or  -
		      (None)

       group	      Could  be	 filename in the /etc/ss5 directory containing
		      usernames, a DN into a directory server or - (None). Not
		      available	for UDP	requests.

       bandwidth      Could  be	 a  valid  bandwidth range (from 256 bytes per
		      second to	2147483647) or - (None).

       expdate	      Could be a valid expiration date in  the	format	DD-MM-
		      YYYY

       The entire line matches only when all the entries match.
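       Because the daemon takes the first matching line in each section and
       denies any request that no permit line matches, line order decides
       what gets through. The following is an added example, not code from
       the ss5 project: it parses auth and permit/deny lines in the syntax
       documented above and evaluates requests against them with those
       first-match semantics, using a constructed sample configuration. The
       'lo-hi' port-range syntax, case-insensitive hostname matching and the
       sample addresses are assumptions; the group, bandwidth and expdate
       fields are parsed but not enforced.

```python
"""First-match evaluation of ss5.conf auth and permit/deny lines.

Added example, not code from the ss5 project. Semantics follow the
ss5.conf(5) text: '-' is a wildcard, hosts are an address or a CIDR
network, the first matching line in a section wins, and a request that
matches no permit/deny line is denied. Assumptions: port ranges are
written 'lo-hi', hostnames match by case-insensitive comparison, and the
group/bandwidth/expdate fields are parsed but not enforced.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration (assumption, not a real deployment).
# The deny line sits before the port-80 permit, so internal hosts are
# never reachable on port 80 even though the last line would allow it.
SAMPLE_CONF = """
# auth source-host source-port auth-methods
auth 10.0.0.0/8 - u
auth - - -

# permit/deny method src-host src-port dest-host dest-port fixup group bandwidth expdate
permit u 10.0.0.0/8 - - 443 ssl - - -
deny   - - - 10.0.0.0/8 - - - - -
permit u 10.0.0.0/8 - - 80 http - - -
"""

# Same lines with the deny moved last: now internal port 80 is permitted.
REORDERED_CONF = """
auth 10.0.0.0/8 - u
auth - - -
permit u 10.0.0.0/8 - - 443 ssl - - -
permit u 10.0.0.0/8 - - 80 http - - -
deny   - - - 10.0.0.0/8 - - - - -
"""


@dataclass(frozen=True)
class Request:
    src: str        # client address
    src_port: int
    dst: str        # requested destination (address or hostname)
    dst_port: int
    auth_used: str  # method the client negotiated: 'u', 'n', 's', 'k' or '-'


def host_matches(pattern: str, host: str) -> bool:
    """'-' matches anything; an address or CIDR pattern is matched numerically."""
    if pattern == "-":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Request carries a hostname: plain string comparison (assumption).
        return pattern.lower() == host.lower()
    try:
        return addr in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostname pattern never matches a bare address here


def port_matches(pattern: str, port: int) -> bool:
    """'-' matches any port; 'lo-hi' is a range (assumed syntax); else exact."""
    if pattern == "-":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return int(pattern) == port


def parse_conf(text: str):
    """Return (auth_lines, acl_lines); lines with missing entries are rejected."""
    auth_lines, acl_lines = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "auth" and len(fields) == 4:
            auth_lines.append(fields[1:])
        elif fields[0] in ("permit", "deny") and len(fields) == 10:
            acl_lines.append(fields)
        else:
            raise ValueError(f"line {lineno}: unrecognised or incomplete entry")
    return auth_lines, acl_lines


def auth_method_for(auth_lines, req: Request) -> str:
    """First auth line matching the client's source decides the methods."""
    for src_host, src_port, methods in auth_lines:
        if host_matches(src_host, req.src) and port_matches(src_port, req.src_port):
            return methods
    return "-"  # no auth line matched: treated as no authentication (assumption)


def acl_decision(acl_lines, req: Request) -> str:
    """First permit/deny line whose every entry matches wins; otherwise deny."""
    for kw, method, sh, sp, dh, dp, _fixup, _group, _bw, _exp in acl_lines:
        if method != "-" and method != req.auth_used:
            continue
        if not (host_matches(sh, req.src) and port_matches(sp, req.src_port)):
            continue
        if not (host_matches(dh, req.dst) and port_matches(dp, req.dst_port)):
            continue
        return kw
    return "deny"


def evaluate(conf_text: str, req: Request) -> tuple:
    """Return (required_auth_methods, decision) for one request."""
    auth_lines, acl_lines = parse_conf(conf_text)
    required = auth_method_for(auth_lines, req)
    if req.auth_used not in required:
        return required, "auth-rejected"  # client used a method not listed
    return required, acl_decision(acl_lines, req)


if __name__ == "__main__":
    internal_web = Request("10.1.2.3", 40000, "10.9.9.9", 80, "u")
    for name, conf in (("as written", SAMPLE_CONF), ("deny moved last", REORDERED_CONF)):
        print(name, evaluate(conf, internal_web))
```

       Running the block shows the same request for 10.9.9.9:80 denied under
       SAMPLE_CONF and permitted under REORDERED_CONF; the only difference
       is the position of the deny line, which is the point the page makes
       about line order.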

BANDWIDTH ENTRIES
       Bandwidth entries define per-user limits on the number of connections
       and the bandwidth value. Bandwidth lines use the syntax:

	    bandwidth group maxcons bandwidth session timeout

       bandwidth      Limit bandwidth and number of connections	per user

       group	      Could be filename	in the /etc/ss5	 directory  containing
                      one or more usernames. Note: if you modify a group file
                      you must reload the ss5 configuration.

       maxcons	      Could be the number  of  max  connections	 permitted  to
		      user. Valid range	is 0 (no limit)	to 65000.

       bandwidth      Could  be	 a  valid  bandwidth range (from 256 bytes per
		      second to	2147483647) or - (None)	per user.

       session timeout
		      Could be a valid timeout in  seconds  or	-  (None)  per
		      user.

PROXY ENTRIES
       Proxy entries describe the addresses clients can reach only through
       other SOCKS servers. With noproxy, ss5 makes a direct connection.

	    proxy/noproxy dest-host dest-port proxy-host proxy-port ver

       dest-host      Could be host address or network address

       dest-port      Must be a	valid port or range

       proxy-host     Must be host address

       proxy-port     Must be a	valid port

       ver            Must be 4 or 5: the SOCKS protocol version ss5 uses to-
                      wards the upstream proxy.

BALANCING ENTRIES
       Define an association between a vid and the real servers to balance
       across:

            virtual vid real

       vid            Defines the virtual identification; it must be the same
                      on every real line that belongs to the same virtual
                      identification.

       real           Must be a valid internet address.

DUMP ENTRIES
       Dump entries describe the addresses and ports for which traffic is
       dumped to a file.

	    dump dest-host dest-port dump-dir dump-mode

       dest-host      Could be host address or network address

       dest-port      Must be a	valid port or range

       dump-dir       Could be 's' or 'd'. If =s, dest-host is evaluated as
                      the source host; if =d, dest-host is evaluated as the
                      destination.

       dump-mode      r=rx (traffic received from the client), t=tx (traffic
                      sent to the client) and b=rx+tx (both directions).

MISCELLANEOUS ENTRIES
       The profiling section determines when the server has to use an LDAP
       query or a MySQL query to perform user profiling instead of looking
       into the group file.

       There are eight types of line for directory configuration:

       ldap_profile_ip
		      must be directory	internet address

       ldap_profile_port
		      must be directory	port

       ldap_profile_base
		      must be a	valid "base" as	starting point for the	search
		      into  directory.	ss5 uses ou='group'+base where 'group'
		      is set in	permit line in the ss5.conf file.

       ldap_profile_filter
		      must be a	valid "filter attribute" for ldap  query,  for
		      example "uid"

       ldap_profile_attribute
		      must  be a valid "attribute" for ldap query. SS5 uses it
		      with filter for search operation	where  SS5_LDAP_FILTER
		      option is	specified.

       ldap_profile_dn
		      must  be	a valid	"distinguished name" to	bind to	direc-
		      tory

       ldap_profile_pass
		      must be a	valid "password" for simple authentication

       ldap_netbios_domain
                      must be a valid netbios domain name. If the
                      SS5_NETBIOS_DOMAIN option is set, ss5 maps the netbios
                      domain of the user in the authentication request to the
                      directory server configured for it. Otherwise no match
                      is done and the directories are contacted in order of
                      configuration.

       There are five types of line for mysql configuration:

       mysql_profile_ip
		      must be mysql server internet address

       mysql_profile_db
		      must be mysql database

       mysql_profile_user
                      must be the username used to access mysql

       mysql_profile_pass
		      must be the password to access to	mysql

       mysql_profile_sqlstring
                      must be the SQL base string for the query. Default:
                      'SELECT uname FROM grp WHERE gname like'

EXAMPLES

            auth 111.111.111.0/24 - u
            permit u 111.111.111.0/24 - - - - - - -

       Basic authenticated users from the class C network 111.111.111.0 can
       use the server.

            proxy - - 172.16.0.1 1081 5
            permit - - - www.mydomain.com - http - - -

       All SOCKS requests go through 172.16.0.1 port 1081 (SOCKS version 5
       upstream). Only requests with destination www.mydomain.com, protocol
       http, are permitted.

SEE ALSO
       ss5(1),	ss5.conf(5),  ss5.pam(5), ss5.passwd(5), ss5.ha(5), ss5srv(1),
       ss5_supa(5), ss5_gssapi(5)

AUTHORS
	  Matteo Ricchetti

       Send comments to	matteo.ricchetti@libero.it

				  20 Jan 2009			   ss5.conf(5)

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ss5.conf&sektion=5&manpath=FreeBSD+12.2-RELEASE+and+Ports>