Configuration

The SS5 daemon reads its configuration file from /etc/opt/ss5.conf by default.

The configuration file is divided into the following sections:
- variables and flags
- authentication
- authorization
- bandwidth
- proxy
- dump
- routing
- balancing
- miscellaneous

Within each section, the SS5 daemon reads the lines sequentially and stops at the first line that matches. The order of the sections, and of the lines within a section, therefore determines the result. A line applies only if every one of its fields matches.
SECTION <VARIABLES AND FLAGS>

| Option name | Description |
|---|---|
| SS5_DNSORDER | enable ordering of multiple DNS answers |
| SS5_CONSOLE | (threaded mode only) enable the web console feature |
| SS5_SRV | enable the server manager command-line tool |
| SS5_SYSLOG_FACILITY | set the syslog facility |
| SS5_SYSLOG_LEVEL | set the syslog level |
| SS5_LDAP_BASE | set the base method for authorization (see the Authorization section) |
| SS5_LDAP_FILTER | set the filter method for authorization (see the Authorization section) |
| SS5_LDAP_TIMEOUT | set the timeout after which an LDAP query expires |
| SS5_ICACHESERVER | configure the HTTP cache proxy server IP address for the icache fixup |
| SS5_GSS_PRINC | set the GSS service principal |
| SS5_PAM_AUTH | enable PAM for authentication |
| SS5_AUTHCACHEAGE | (threaded mode only) enable the authentication cache and set the age after which its entries expire |
| SS5_AUTHOCACHEAGE | (threaded mode only) enable the authorization cache and set the age after which its entries expire |
| SS5_STICKYAGE | (threaded mode only) set the sticky age after which session affinity expires |
| SS5_STICKY_SESSION | (threaded mode only) enable session affinity |
| SS5_STIMEOUT | set the session idle timeout (default 1800 seconds) |
| SS5_VERBOSE | enable verbose output |
| SS5_DEBUG | enable debug output |
| SS5_NETBIOS_DOMAIN | enable NetBIOS domain mapping with the directory store during the authorization process |
| SS5_PROCESSLIFE | set the number of requests an ss5 process can serve before closing |
| SS5_RADIUS_AUTH | enable RADIUS authentication |
| SS5_RADIUS_INTERIM_INT | set the interval between interim update packets |
| SS5_RADIUS_INTERIM_TIMEOUT | set the interim response timeout |

| Environment name | Description |
|---|---|
| SS5_SOCKS_USER | sets the effective user ID of the ss5 process |
| SS5_SOCKS_PORT | sets the listen port |
| SS5_SOCKS_ADDR | sets the listen address |
| SS5_CONFIG_FILE | sets the absolute pathname of the ss5 config file |
| SS5_PASSWORD_FILE | sets the absolute pathname of the ss5 password file |
| SS5_PROPAGATE_KEY | sets the key value for configuration replication |
| SS5_ROLE_SLAVE | sets the role to slave to accept replicas from the master (default value is ALONE) |
| SS5_LOG_FILE | sets the absolute pathname of the ss5 log file |
| SS5_PEERS_FILE | sets the absolute path of the ss5 HA file |
| SS5_LIB_PATH | sets the absolute path of the ss5 modules |
SECTION <AUTHENTICATION>

auth <source host> <source port> <method>

| Parameter | Description |
|---|---|
| <source host> | define source host or network and netmask, ie: |
| <source port> | define source port or a range of ports, ie: |
| <method> | supported methods are: |

external_auth_program <program name>

| Parameter | Description |
|---|---|
| <program name> | define path and program name, ie: /usr/local/bin/auth.sh |
SECTION <AUTHORIZATION>

permit/deny <method> <source host> <source port> <destination host> <destination port> <fixup> <group> <bandwidth> <expdate>

| Parameter | Description |
|---|---|
| <method> | supported methods are: |
| <source host> | define source host or network and netmask, ie: |
| <source port> | define source port or a range of ports, ie: |
| <destination host> | define destination host or network and netmask, ie: |
| <destination port> | define destination port or a range of ports, ie: |
| <fixup> | supported fixups are: |
| <group> | define a file name in the /etc/ss5 directory containing usernames |
| <bandwidth> | define a value in bytes per second |
| <expdate> | define an expiration date in the format DD-MM-YYYY |

note: deny works the opposite way to permit
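As an added example (not code from the SS5 project), a small Python checker that applies the first-match rule from the introduction to the authorization section above: it parses permit/deny lines, decides a request the way a sequential read of the section would, honours <expdate>, and flags lines that an earlier catch-all line makes unreachable. It assumes that "-" means any host or port, that the method field is compared exactly, that an unmatched request is refused, and that the method values in the constructed sample are merely illustrative; the fixup, group and bandwidth fields are parsed but not evaluated.

```python
import ipaddress
from collections import namedtuple
from datetime import date, datetime

Rule = namedtuple("Rule", "action method src sport dst dport expdate")  # fixup/group/bandwidth dropped

def parse_rules(conf: str) -> list:
    """Collect permit/deny lines in file order; comments and other sections are skipped."""
    rules = []
    for line in conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) == 10 and f[0] in ("permit", "deny"):
            rules.append(Rule(f[0], f[1], f[2], f[3], f[4], f[5], f[9]))
    return rules

def net(field: str):  # "-" is treated as any host (assumption); a bare IP becomes a /32
    return ipaddress.ip_network("0.0.0.0/0" if field == "-" else field, strict=False)
def ports(field: str):  # "-" -> (0, 65535); "80" -> (80, 80); "80-443" -> (80, 443)
    lo, _, hi = ("0", "-", "65535") if field == "-" else field.partition("-")
    return int(lo), int(hi or lo)
def expired(r: Rule, today: date) -> bool:  # expdate uses the page's DD-MM-YYYY format
    return r.expdate != "-" and datetime.strptime(r.expdate, "%d-%m-%Y").date() < today

def decide(rules, method, sip, sport, dip, dport, today=None) -> str:
    """Walk the section top-down; the first line whose every field matches decides."""
    today = datetime.strptime(today, "%d-%m-%Y").date() if today else date.today()
    for r in rules:
        if (r.method == method and not expired(r, today)  # method compared exactly (assumption)
                and ipaddress.ip_address(sip) in net(r.src) and ports(r.sport)[0] <= sport <= ports(r.sport)[1]
                and ipaddress.ip_address(dip) in net(r.dst) and ports(r.dport)[0] <= dport <= ports(r.dport)[1]):
            return r.action
    return "deny"  # assumption: a request that matches no line is refused

def shadowed(rules) -> list:
    """Indices of lines that can never fire because an earlier, non-expiring line covers them."""
    def covers(a: Rule, b: Rule) -> bool:
        return (a.method == b.method and a.expdate == "-"
                and net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))
                and ports(a.sport)[0] <= ports(b.sport)[0] <= ports(b.sport)[1] <= ports(a.sport)[1]
                and ports(a.dport)[0] <= ports(b.dport)[0] <= ports(b.dport)[1] <= ports(a.dport)[1])
    return [j for j, b in enumerate(rules) if any(covers(a, b) for a in rules[:j])]

# Constructed sample, not a shipped ss5.conf: the catch-all permit makes the later deny dead.
SAMPLE_CONF = """\
permit u  192.168.1.0/24  -  0.0.0.0/0  80-443  -  -  -  -
permit u  192.168.1.0/24  -  0.0.0.0/0  -       -  -  -  31-12-2019
permit -  0.0.0.0/0       -  0.0.0.0/0  -       -  -  -  -
deny   -  10.0.0.0/8      -  0.0.0.0/0  -       -  -  -  -
"""
```

Moving the deny line above the catch-all permit makes `shadowed()` return an empty list and the same 10.0.0.0/8 request is refused.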
SECTION <BANDWIDTH>

bandwidth <group file> <maxcons> <bandwidth> (threaded mode only)

| Parameter | Description |
|---|---|
| <group> | define a filename in the configuration directory containing one or more usernames whose bandwidth or number of connections is to be limited. note: if you add or remove a user from the group file, ss5 requires a reload. |
| <maxcons> | define the maximum number of connections permitted to the user. |
| <bandwidth> | define a valid bandwidth (from 256 bytes per second to 2147483647) or - (none) per user. |
| <session timeout> | a valid timeout in seconds or - (none) per user. |
SECTION <PROXY>

proxy/noproxy <destination host> <destination port> <socks address> <socks port> <socks ver>

| Parameter | Description |
|---|---|
| <destination host> | define destination host or network and netmask, ie: |
| <destination port> | define destination port or a range of ports, ie: |
| <socks address> | define socks host, ie: |
| <socks port> | define socks port, ie: |
| <socks ver> | define socks version, ie: |

note: noproxy causes ss5 to make a direct connection
SECTION <DUMP>

dump <destination host> <destination port> <mode>

| Parameter | Description |
|---|---|
| <destination host> | define destination host or network and netmask, ie: |
| <destination port> | define destination port or a range of ports, ie: |
| <mode> | define traffic direction, ie: |
SECTION <ROUTING>

route <source or destination host> <bind address> <group> <src/dst>

| Parameter | Description |
|---|---|
| <source or destination host/network> | define source or destination host or network and netmask, ie: |
| <bind address> | define socks host, ie: |
| <group> | define a file name in the configuration directory containing usernames. |
| <src/dst> | define whether the host/network is the source or the destination. |
SECTION <BALANCING>

virtual <vid> <host> (threaded mode only)

| Parameter | Description |
|---|---|
| <vid> | virtual group identifier |
| <host> | destination host |
SECTION <MISCELLANEOUS>

LDAP profiling with SS5_LDAP_BASE set

| Option name | Description |
|---|---|
| ldap_profile_ip | define the directory address |
| ldap_profile_port | define the directory port |
| ldap_profile_base | base for the LDAP query. SS5 uses the base and searches for the group as an attribute of the user entry |
| ldap_profile_filter | define the filter for the LDAP query |
| ldap_profile_dn | define a directory manager or another user authorized to query the directory |
| ldap_profile_pass | password of the user DN |
| ldap_netbios_domain | NetBIOS domain name for directory mapping (see the SS5_NETBIOS_DOMAIN option) |

LDAP profiling with SS5_LDAP_FILTER set

| Option name | Description |
|---|---|
| ldap_profile_ip | define the directory address |
| ldap_profile_port | define the directory port |
| ldap_profile_base | base for the LDAP query. SS5 replaces % with the group name specified in the permit line |
| ldap_profile_filter | define the filter for the LDAP query |
| ldap_profile_dn | define a directory manager or another user authorized to query the directory |
| ldap_profile_pass | password of the user DN |
| ldap_netbios_domain | NetBIOS domain name for directory mapping (see the SS5_NETBIOS_DOMAIN option) |

note: up to 20 directories are configurable; if the SS5_NETBIOS_DOMAIN option is not set, ss5 connects to the directories in configuration order

RADIUS authentication with SS5_RADIUS_AUTH set

| Option name | Description |
|---|---|
| radius_ip | set the RADIUS server address |
| radius_bck_ip | RADIUS server secondary address |
| radius_auth_port | RADIUS authentication service port |
| radius_acct_port | RADIUS accounting service port |
| radius_secret | RADIUS client/server shared secret |

MySQL profiling

| Option name | Description |
|---|---|
| mysql_profile_ip | set the MySQL server address |
| mysql_profile_db | set the MySQL database name |
| mysql_profile_user | set the MySQL username used to connect to the database |
| mysql_profile_password | set the MySQL password used to connect to the database |
| mysql_profile_sqlstring | set the base SQL string for query profiling (default: 'SELECT uname FROM grp WHERE gname like') |