ss5 mysql radius_ss5.conf

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: set

#

# set option name:

#

# SS5_DNSORDER -> order dns answer

# SS5_VERBOSE -> enable verbose output to be written into logfile

# SS5_DEBUG -> enable debug output to be written into logfile

# SS5_CONSOLE -> enable web console

# SS5_ATIMEOUT -> for future uses

# SS5_STIMEOUT -> set session idle timeout (default 1800 seconds,

# 0 for infinite)

# SS5_LDAP_TIMEOUT -> set ldap query timeout

# SS5_LDAP_BASE -> set BASE method for profiling (see PROFILING section)

# It is default option!

# SS5_LDAP_FILTER -> set FILTER method for profiling (see PROFILING

# section)

# SS5_SRV -> enable ss5srv admin tool

# SS5_PAM_AUTH -> set PAM authentication

# SS5_RADIUS_AUTH -> set RADIUS authentication

# SS5_RADIUS_INTERIM_INT -> set interval between interim update packets

# SS5_RADIUS_INTERIM_TIMEOUT -> set interim response timeout

# SS5_AUTHCACHEAGE -> set age in seconds for authentication cache

# SS5_AUTHOCACHEAGE -> set age in seconds for authorization cache

# SS5_STICKYAGE -> set age for affinity

# SS5_STICKYSESSION -> enable affinity session

# SS5_SUPAKEY -> set SUPA secret key (default SS5_SERVER_S_KEY)

# SS5_ICACHESERVER -> set internet address of ICP server

# SS5_GSS_PRINC -> set GSS service principal

# SS5_PROCESSLIFE -> set number of requests a process must serve before

# closing

# SS5_NETBIOS_DOMAIN -> enable netbios domain mapping with directory store,

# during authorization process

# SS5_SYSLOG_FACILITY-> set syslog facility

# SS5_SYSLOG_LEVEL-> set syslog level

#

# ///

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: auth

#

# auth source host, source port, authentication type

#

# Some examples:

#

# Authentication from 10.253.8.0 network

# auth 10.253.8.0/22 - u

#

# Fake authentication from 10.253.0.0 network. In this case, ss5 requests

# authentication but doesn't check the password. Use fake authentication

# for logging or profiling purposes; the username is not verified.

# auth 10.253.0.0/16 - n

#

# Fake authentication: ss5 doesn't check for correct password but fetches

#username for profiling.

# auth 0.0.0.0/0 - n

#

# TAG: external_auth_program

#

# external_auth_program program name and path

#

# Some examples:

#

# Use shell file to authenticate user via ldap query

# external_auth_program /usr/local/bin/ldap.sh

#

# TAG: RADIUS authentication can be used by setting the SS5_RADIUS_AUTH option and

# configuring the following attributes:

#

# radius_ip (radius address)

# radius_bck_ip (radius secondary address)

# radius_auth_port (radius authentication port, DEFAULT = 1812)

# radius_acct_port (radius accounting port, DEFAULT = 1813)

# radius_secret (secret password between ss5 and the radius server)

#

#

#

# ///

# SHost SPort Authentication

#

# Clients from every source address and port must authenticate with type "u".
# Unlike the fake "n" type described above, which does not check the password,
# "u" is presumably real username/password authentication -- confirm against
# the ss5 documentation.
auth 0.0.0.0/0 - u

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: bandwidth

#

# bandwidth group, max number of connections, bandwidth, session timeout

#

# Some examples:

#

# Limit connections to 2 for group Admin

# bandwidth Admin 2 - -

#

# Limit bandwidth to 100k for group Users

# bandwidth Users - 102400 -

#

# note: if you enable bandwidth profiling per user, SS5 uses this value instead of the

# value specified in the permit directive.

#

# ///

# Group MaxCons Bandwidth Session timeout

# bandwidth grp1 5 - -

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: proxy/noproxy

#

#proxy/noproxy dst host/network, dst port, socks proxy address, port address, ver

#

#Some examples:

#

#Proxy request for 172.0.0.0 network to socks server 10.253.9.240 on port 1081:

#

# if authentication is requested, the downstream socks server has to check it;

# if resolution is requested, the downstream socks server does it before proxying

# the request toward the upstream socks server.

# proxy 172.0.0.0/16 - 10.253.9.240 1081

#

# SS5 makes direct connection to 10.253.0.0 network (in this case, port value is not

# verified) without using upstream proxy server

# noproxy 0.0.0.0/0 - 10.253.0.0/16 1080 -

#

# ///

# DHost/Net DPort DProxyip DProxyPort SocksVer

#

#proxy 0.0.0.0/0 - 1.1.1.1 - -

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: dump

#

# dump host/network, port, s/d (s=source d=destination), dump mode (r=rx, t=tx, b=rx+tx)

#

# Some examples:

#

# Dump traffic for 172.30.1.0 network on port 1521:

#

# if authentication is requested, the downstream socks server has to check it;

# if resolution is requested, the downstream socks server does it before proxying

# the request toward the upstream socks server.

# dump 172.30.1.0/24 1521 d b

#

# ///

# DHost/Net DPort Dir Dump mode (r=rx,t=tx,b=rx+tx)

#

# dump 0.0.0.0/0 - d t

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: permit/deny

#permit/deny src auth flag, host/network, src port, dst host/network, dst port,

#fixup, group, bandwidth (from 256 bytes per second to 2147483647), expdate

#

#Some examples:

#

# FTP Control + Passive Mode

#permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - -

#

#FTP DATA Active Mode

#permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - -

#permit - 172.0.0.0/8 - 0.0.0.0/0 - - - - -

#

#Query DNS

#permit - 0.0.0.0/0 - 172.30.0.1/32 53 - - - -

#

#Http + fixup

#permit - 0.0.0.0/0 - www.example.com 80 http - - -

#

#Http + fixup + profile + bandwidth (bytes x second)

#permit - 0.0.0.0/0 - www.example.com 80 http admin 10240 -

#

#Sftp + profile + bandwidth (bytes x second)

#permit - 0.0.0.0/0 - sftp.example.com 22 - developer 102400 -

#

#Http + fixup

#permit - 0.0.0.0/0 - web.example.com 80 - - - -

#

#Http + fixup + user authentication required with expiration date to 31/12/2006

#permit u 0.0.0.0/0 - web.example.com 80 - - - 31-12-2006

#

#Deny all connection to web.example.com

#deny - 0.0.0.0/0 - web.example.com - - - - -

#

#

# /

# Auth SHost SPort DHost DPort Fixup Group Band ExpDate

#

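# Authenticated users ("u") from any source host and port may connect to any
# destination host and port; no fixup, group, bandwidth limit or expiration
# date is applied. Narrow the destination host/port or set a group here to
# restrict what authenticated users can reach through the proxy.
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -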

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

#1) File profiling:

#

#ss5 looks for the file name specified in the permit line in the /etc/ss5 directory.

#This file must contain user members. File profiling is the default option.

#

#2) Ldap profiling:

#

#ldap_profile_ip (directory internet address)

#ldap_profile_port (directory port)

#ldap_profile_base (ss5 replaces % with "group specified in permit line"

#if SS5_LDAP_BASE is specified, otherwise if

#SS5_LDAP_FILTER is specified, it uses base and searches

#for group as attribute in user entry; see examples)

#ldap_profile_filter (ss5 uses filter for search operation)

#ldap_profile_dn (directory manager or another user authorized to

#query the directory)

#ldap_profile_pass ("dn" password)

#ldap_netbios_domain(If SS5_NETBIOS_DOMAIN option is set, ss5 maps the netbios

# domain of the user in the authentication request to its configured

# directory server. Otherwise no match is done and

# directories are contacted in order of configuration)

#

#3) Mysql profiling:

#

#mysql_profile_ip (mysql server internet address)

#mysql_profile_db (mysql db )

#mysql_profile_user (mysql username )

#mysql_profile_pass (mysql password )

#mysql_profile_sqlstring(sql base string for query. DEFAULT 'SELECT uname FROM grp WHERE gname like' )

#

#Some examples:

#

#Directory configuration for ldap profiling with SS5_LDAP_BASE option:

#in this case, ss5 looks for attribute uid="username" with base ou="group",

#dc=example,dc=com where group is specified in permit line as

#"permit - - - - - group - -

#

#Note: in this case, attribute value is not used

#

#ldap_profile_ip 10.10.10.1

#ldap_profile_port 389

#ldap_profile_base ou=%,dc=example,dc=com

#ldap_profile_filter uid

#ldap_profile_attribute gid

#ldap_profile_dn cn=root,dc=example,dc=com

#ldap_profile_pass secret

#ldap_netbios_domain dir

#

#Directory configuration for ldap profiling with SS5_LDAP_FILTER option:

#in this case, ss5 looks for attributes uid="username" & "gid=group" with

#base dc=example,dc=com where group is specified in permit line as

#"permit - - - - - group - -

#

#Note: you can also use a base like "ou=%,dc=example,dc=com", where %

#will be replaced with "group".

#

#ldap_profile_ip 10.10.10.1

#ldap_profile_port 389

#ldap_profile_base ou=Users,dc=example,dc=com

#ldap_profile_filter uid

#ldap_profile_attribute gecos

#ldap_profile_dn cn=root,dc=example,dc=com

#ldap_profile_pass secret

#ldap_domain_domain dir

#

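#Sample OpenLdap log (mech=simple ssf=0: a simple bind with no TLS or SASL
#security layer, so the bind password crosses the network in clear text):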

#conn=304 op=0 BIND dn="cn=root,dc=example,dc=com" mech=simple ssf=0

#conn=304 op=0 RESULT tag=97 err=0 text=

#conn=304 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=1 filter="(&(uid=usr1)(gecos=Users))"

#conn=304 op=1 SRCH attr=gecos

#

# where ldap entry is:

#dn: uid=usr1,ou=Users,dc=example,dc=com

#uid: usr1

#cn: usr1

#objectClass: account

#objectClass: posixAccount

#objectClass: top

#userPassword:: dXNyMQ==

#loginShell: /bin/bash

#homeDirectory: /home/usr1

#uidNumber: 1

#gidNumber: 1

#gecos: Users

#

# SECTION

# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

#

# TAG: virtual

#

#virtual virtual identification (vid), real ip server

#

#Some examples:

#

#Two vips, each balancing on three real servers

#virtual 1 172.30.1.1

#virtual 1 172.30.1.2

#virtual 1 172.30.1.3

#

#virtual 2 172.30.1.6

#virtual 2 172.30.1.7

#virtual 2 172.30.1.8

#

# Note: Server balancing only works with -t option, (threaded mode) and ONLY

#with "connect" operation.

#

# ///

# Vid Real ip

#

#virtual - -
