test

Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference

socks5.conf

The proxy uses the <install-root>/<instance-directory>/config/socks5.conf file to control access to the SOCKS proxy server SOCKD and its services. Each line defines the behavior of the proxy when it gets a request that matches the line.

When SOCKD receives a request, it checks the request against the instructions in <install-root>/<instance-directory>/config/socks5.conf. When it finds an instruction that matches the request, the request is permitted or denied based on the first word in the instruction (permit or deny). Once it finds a matching instruction, the daemon ignores the remaining lines in the file. If no matching instructions are found, the request is denied. You can also specify actions to take if the client’s identd or user ID is incorrect by using #NO_IDENTD: or #BAD_ID as the first word of the instruction. Each line can be up to 1023 characters long.

The sections in the socks5.conf file do not have to appear in the following order. However, because the daemon uses only the first line that matches a request, the order of the lines within each section is extremely important. The five sections of the socks5.conf file are:

When the SOCKS daemon receives a request, it sequentially reads the lines in each of these five sections to check for a match to the request. When it finds a line that matches the request, it reads the line to determine whether to permit or deny the request. If there are no matching lines, the request is denied.

Authentication/Ban Host Entries

There are two lines in authentication/ban host entries. The first line is the authentication line. The second line is the ban host line.

Syntax 

auth source-hostmask source-portrange auth-methods

Parameters

source-hostmask identifies which hosts the SOCKS server will authenticate.

source-portrange identifies which ports the SOCKS server will authenticate.

auth-methods are the methods to be used for authentication. You can list multiple authentication methods in order of your preference. In other words, if the client does not support the first authentication method listed, the second method will be used instead. If the client does not support any of the authentication methods listed, the SOCKS server will disconnect without accepting a request. Separate multiple authentication methods by commas with no spaces in between. Possible authentication methods are:

The second line in the authentication/ban host entry is the ban host line.

Syntax 

ban source-hostmask source-portrange

Parameters

source-hostmask identifies which hosts are banned from the SOCKS server.

source-portrange identifies the ports from which the SOCKS server will not accept requests.

Example 

auth 127.27.27.127 1024 u,-ban 127.27.27.127 1024

Routing Entries

Syntax 

route dest-hostmask dest-portrange interface/address

Parameters

dest-hostmask indicates the hosts for which incoming and outgoing connections must go through the specified interface.

dest-portrange indicates the ports for which incoming and outgoing connections must go through the specified interface.

interface/address indicates the IP address or name of the interface through which incoming and outgoing connections must pass. IP addresses are preferred.

Example

route 127.27.27.127 1024 le0

Variables and Flags

Syntax 

set variable value

Parameters

variable indicates the name of the variable to be initialized.

value is the value to set the variable to.

Example 

set SOCKS5_BINDPORT 1080

Available Settings

The following settings are those that can be inserted into the variables and flags section of the socks5.conf file. These settings will be taken from the administration forms, but they can be added, changed, or removed manually as well.

SOCKS5_BINDPORT

The SOCKS5_BINDPORT setting sets the port at which the SOCKS server will listen. This setting cannot be changed during rehash.

Syntax 

set SOCKS5_BINDPORT port-number

Parameters

port-number is the port at which the SOCKS server will listen.

Example 

set SOCKS5_BINDPORT 1080

SOCKS5_PWDFILE

The SOCKS5_PWDFILE setting is used to look up user name/password pairs for user name/password authentication.

Syntax 

set SOCKS5_PWDFILE full-pathname

Parameters

full-pathname is the location and name of the user name/password file.

Example 

set SOCKS5_PWDFILE /etc/socks5.passwd

SOCKS5_LOGFILE

The SOCKS5_LOGFILE setting is used to determine where to write log entries.

Syntax 

set SOCKS5_LOGFILE full-pathname

Parameters

full-pathname is the location and name of the SOCKS logfile.

Example 

set SOCKS-5_LOGFILE /var/log/socks5.log

SOCKS5_NOIDENT

THe SOCKS5_NOIDENT setting disables Ident so that SOCKS does not try to determine the user name of clients. Most servers should use this setting unless they will be acting mostly as a SOCKS4 server. SOCKS4 uses ident as authentication.

Syntax 

set SOCKS5_NOIDENT

Parameters

None.

SOCKS5_DEMAND_IDENT

The SOCKS5_DEMAND_IDENT setting sets the Ident level to “require an ident response for every request.” Using Ident in this way dramatically affects the performance of your SOCKS server. If neither SOCKS5_NOIDENT or SOCKS5_DEMAND_IDENT is set, then the SOCKS server will make an Ident check for each request. The server will fulfill requests regardless of whether an Ident response is received.

Syntax 

set SOCSK5_DEMAND_IDENT

Parameters

None.

SOCKS5_DEBUG

The SOCKS5_DEBUG setting causes the SOCKS server to log debug messages. You can specify the type of logging your SOCKS server will use.

If it’s not a debug build of the SOCKS server, only the value 1 is valid.

Syntax 

set SOCSK5_DEBUG number

Parameters

number determines the number of the type of logging your server will use. Possible values are:

Example 

set SOCKS5_DEBUG 2

SOCKS5_USER

The SOCKS5_USER setting specifies the user name to use when authenticating to another SOCKS server. This is used when the SOCKS server is routed through another downstream SOCKS server which requires authentication.

Syntax 

set SOCKS5_USER user-name

Parameters

user-name is the user name the SOCKS server will use when authenticating to another SOCKS server.

Example 

set SOCKS5_USER mozilla

SOCKS5_PASSWD

The SOCKS5_PASSWD setting sets the password to use when authenticating to another SOCKS server. Sometimes a SOCKS server passes through another SOCKS server on its way to the Internet. If you define SOCKS5_USER, sockd will authenticate to other SOCKS servers with a user name and password.

Syntax 

set SOCKS5_PASSWD password

Parameters

password is the password the SOCKS server will use when authenticating to another SOCKS server.

Example 

set SOCKS5_PASSWD m!2@

SOCKS5_NOREVERSEMAP

The SOCKS5_NOREVERSEMAP setting instructs sockd not to use reverse DNS. Reverse DNS translates IP addresses into host names. Using this setting can increase the speed of the SOCKS server.

If you use domain masks in the configuration file, the SOCKS server will have to use reverse DNS, so this setting will have no effect.

Syntax 

set SOCKS5_NOREVERSEMAP

Parameters

None.

SOCKS5_HONORBINDPORT

The SOCKS5_HONORBINDPORT setting allows the client to specify the port in a BIND request. If this setting is not specified, the SOCKS server ignores the client’s requested port and assigns a random port.

Syntax 

set SOCKS5_HONORBINDPORT

Parameters

None.

SOCKS5_ALLOWBLANKETBIND

The SOCKS5_ALLOWBLANKETBIND setting allows the client to specify an IP address of all zeros (0.0.0.0) in a BIND request. If this setting is not specified, the client must specify the IP address that will be connecting to the bind port. An IP of all zeros is interpreted to mean that any IP address can connect.

Syntax 

set SOCKS5_ALLOWBLANKETBIND

Parameters

None.

SOCKS5_WORKERS

The SOCKS5_WORKERS setting tunes the performance of the SOCKS server by adjusting the number of worker threads. Worker threads perform authentication and access control for new SOCKS connections. If the SOCKS server is too slow, you should increase the number of worker threads. If the server is unstable, decrease the number of worker threads.

The default number of worker threads is 40. The typical number of worker threads falls between 10 and 150.

Syntax 

set SOCKS5_WORKERS number

Parameters

number is the number of worker threads the SOCKS server will use.

Example 

set SOCKS5_WORKERS 40

SOCKS5_ACCEPTS

The SOCKS5_ACCEPTS setting tunes the performance of the SOCKS server by adjusting the number of accept threads. Accept threads sit on the SOCKS port listening for new SOCKS requests. If the SOCKS server is dropping connections, increase the number of accept threads. If it is unstable, decrease the number of accept threads.

The default number of accept threads is 1. The typical number of accept threads falls between 1 and 10.

Example 

set SOCKS5_ACCEPTS number

Parameters

number is the number of accepts threads the SOCKS server will use.

Example 

set SOCKS5_ACCEPTS 1

LDAP_URL

The LDAP-URL setting sets the URL for the LDAP server.

Syntax 

set LDAP-URL URL

Parameters

URL is the URL for the LDAP server used by SOCKS.

Example 

set LDAP-URL ldap://name:8180/0=Netscape,c=US

LDAP_USER

The LDAP-USER setting sets the user name that the SOCKS server will use when accessing the LDAP server.

Syntax 

set LDAP-USER user-name

Parameters

user-name is the user name SOCKS will use when accessing the LDAP server.

Example 

set LDAP-USER uid=admin

LDAP_PASSWD

The LDAP-PASSWD setting sets the password that the SOCKS server will use when accessing the LDAP server.

Syntax 

set LDAP-PASSWD password

Parameters

password is the password SOCKS will use when accessing the LDAP server.

Example 

set LDAP-PASSWD T$09

SOCKS5_TIMEOUT

The SOCKS5-TIMEOUT setting specifies the idle period that the SOCKS server will keep a connection alive between a client and a remote server before dropping the connection.

Syntax 

set SOCKS5_TIMEOUT time

Parameters

time is the time, in minutes, that SOCKS will wait before timing out. The default value is 10. The value can range from 10 to 360, including both these values.

Example 

set SOCKS5_TIMEOUT 30

Proxy Entries

Syntax 

proxy-type dest-hostmask dest-portrange proxy-host proxy-port

Parameters

proxy-type indicates the type of proxy server. This value can be:

dest-hostmask indicates the hosts for which the proxy entry applies.

dest-portrange indicates the ports for which the proxy entry applies.

proxy-host indicates the names or IP of the proxy servers to use.

proxy-port indicates the ports of the proxy servers to use

Example 

socks5 127.27.27.127 1080 proxy1

Access Control Entries

Syntax 

permit|deny auth-type connection-type source-hostmask dest-hostmask source-portrange dest-portrange 
	[LDAP-group]

Parameters

auth-type indicates the authentication method for which this access control line applies.

connection-type indicates the type of command the line matches. Possible command types are:

source-hostmask indicates the hosts for which the access control entry applies.

dest-hostmask indicates the hosts for which the access control entry applies.

source-portrange indicates the ports for which the access control entry applies.

dest-portrange is the port number of the destination.

LDAP-group is the group to deny or permit access to. This value is optional. If no LDAP group is identified, the access control entry applies to everyone.

Example 

permit u c - - - [0-1023] group1

Specifying Ports

You will need to specify ports for many entries in your socks5.conf file. Ports can be identified by a name, number, or range. Ranges that are inclusive should be surrounded by square brackets ([ ]). Ranges that are not inclusive should be in parentheses.