The SOCKS5 daemon normally reads its configuration from /etc/socks5.conf. The location can be changed when SOCKS5 is built by passing --with-srvconffile=filename to configure. On FreeBSD the default is /usr/local/etc/socks5.conf.
DESCRIPTION
The daemon reads this file when it starts and whenever it receives a SIGHUP. The file specifies:
- which interface a connection is accepted on or sent from
- when the server connects to an address directly
- when the server goes through another proxy server
- what authentication a connection must present
The file is divided into six sections:
- ban host
- authentication
- interfaces
- variables and flags
- proxies
- access control
Within each section the daemon reads the lines in order until it finds one that matches; the order of the sections, and of the lines within each section, is therefore significant. Every field of a line must match for that line to apply.
BAN HOST ENTRIES
Ban host entries name hosts that are not allowed to connect to the SOCKS5 daemon at all. The syntax is:
ban source-host source-port
ban marks the line as a ban entry.
source-host must be a valid hostpattern.
source-port must be a valid portpattern.
The daemon refuses any connection that originates from source-host source-port.
AUTHENTICATION ENTRIES
Authentication entries determine how the daemon authenticates clients. The syntax is:
auth source-host source-port auth-methods
auth marks the line as an authentication entry.
source-host must be a valid hostpattern.
source-port must be a valid portpattern.
auth-methods must be a valid authpattern.
The daemon uses auth-methods to authenticate connection requests arriving from source-host source-port.
If the file contains no auth entry, any authentication method is accepted; omitting auth entries is equivalent to specifying auth - - - (any method). Once the file contains auth entries, a client that matches none of them is rejected.
When the daemon does not require authentication it receives no user information, unless it has been configured to demand an ident response; set the SOCKS5_DEMAND_IDENT environment variable to require one. See socks5(1) for the complete list of SOCKS5 environment variables.
If the daemon should use username/password authentication but must also serve SOCKS4 clients, specify the auth-methods as n,u: SOCKS5 clients are then asked for username/password first, while SOCKS4 clients, which cannot authenticate, are admitted without authentication.
The daemon checks the auth-methods list in reverse order, starting with the last method listed.
INTERFACE ENTRIES
On a machine with several interfaces, and therefore several IP addresses, the administrator usually wants the daemon to use a specific interface and address: internal hosts are served on the inward-facing interface and external hosts on the outward-facing one, so that an external host cannot pass itself off as an internal one. The daemon also needs to know which interface to bind when it accepts a bind request or issues a sendto. When no interface entry matches, the daemon binds to INADDR_ANY, which means connections are accepted on every interface. Single-homed hosts need no interface entries; they are only needed on multi-homed hosts. The syntax is:
interface hostpattern portpattern interface-address
interface marks the line as an interface entry.
hostpattern specifies the source or destination host the entry applies to.
portpattern specifies the source or destination port the entry applies to.
interface-address is an IP address or an interface name, for example eth0.
Interface entries replace the route entries of earlier versions. In the current version the two are equivalent; future versions will not support route entries.
VARIABLE ENTRIES
Variable and flag entries control how much the daemon logs and what it logs. The syntax is:
set variable value
set gives an initial value to one of the variables the daemon uses internally. See the ENVIRONMENT section of socks5(1).
PROXY ENTRIES
Proxy entries tell the daemon to reach a particular host through another SOCKS server. Without a matching entry the daemon connects to the host directly. The syntax is:
proxy-type dest-host dest-port proxy-list
proxy-type specifies the kind of proxy server; valid values are:
socks5 a SOCKS version 5 server
socks4 a SOCKS version 4 server
noproxy a direct connection
dest-host must be a valid hostpattern.
dest-port must be a valid portpattern.
proxy-list must be a valid proxypattern.
The daemon uses the servers in proxy-list to connect to dest-port on dest-host; every server in proxy-list must speak the protocol given by proxy-type.
ACCESS CONTROL ENTRIES
The access control section decides whether the daemon permits or denies a connection request. A request that matches no access control entry is refused, even when it comes from an authenticated host. The syntax is:
permit auth cmd src-host dest-host src-port dest-port [user-list]
deny auth cmd src-host dest-host src-port dest-port [user-list]
auth must be a valid authpattern and lists the authentication methods the entry applies to.
cmd must be a valid commandpattern and lists the commands a client on src-host may issue against dest-host.
src-host and dest-host must be valid hostpatterns.
src-port must be a valid portpattern.
dest-port must be a valid portpattern.
user-list must be a valid userpattern.
PATTERNS
hostpattern
A host is given as an IP address and mask, or as a name, in one of these forms:
hostip/mask standard address and mask
- matches every host
n1. equivalent to n1.0.0.0/255.0.0.0
n1.n2. equivalent to n1.n2.0.0/255.255.0.0
n1.n2.n3. equivalent to n1.n2.n3.0/255.255.255.0
.domain.name the host name must end with .domain.name
a.host.name the host name must be exactly a.host.name
The name forms require SOCKS5_REVERSEMAP to be set, because they depend on a reverse DNS lookup of the peer's address. The address/mask forms are recommended: reverse lookups fail in many situations, and whoever controls the reverse zone for an address chooses what name it maps to, so a name-based rule trusts DNS data that the peer may be able to influence.
socks5.conf also accepts the old hostpattern syntax, but the new syntax is more readable and is recommended.
portpattern
A port is given as a service name, a number, or a range. In a range the two ends are numbers or service names separated by a comma with no spaces; a square bracket includes the boundary and a parenthesis excludes it:
tftp the tftp service port, normally 69
80 port 80
- every port
[100,1000] ports 100 to 1000
(100,1000) ports 101 to 999
(100,1000] ports 101 to 1000
authpattern
Lists authentication methods; the daemon checks them in reverse order. The methods are:
n no authentication
u username/password
k Kerberos 5 (GSS-API)
- any method
Methods later in the list take priority over earlier ones. With
n,u,k
the server first asks for Kerberos; if the client was not built with Kerberos, the server falls back to username/password. A SOCKS4 client can use neither Kerberos nor username/password, so the server requires no authentication from it.
With
n,k,u
the server asks for username/password first.
commandpattern
A comma-separated list of commands with no spaces. socks5.conf recognises:
c connect
b bind
u udp
p ping
t traceroute
- all commands
userpattern
A comma-separated list of user names. The kind of user must match the authentication method: with username/password authentication the daemon treats the name as a SOCKS5 user, with Kerberos authentication as a Kerberos user. A dash, -, matches every user.
proxypattern
A comma-separated list of servers, in order. Each server is tried only when the ones before it are unavailable.
EXAMPLES
More examples can be found in the examples directory of the distribution.
auth - - k
permit k - 111.111.111. - - -
Only Kerberos-authenticated users on the class C network 111.111.111.0 may use this server.
socks5 - - s5srv1,s5srv2
permit - - .mydomain.com - - -
All SOCKS5 connection requests go through s5srv1; if s5srv1 is unavailable they go through s5srv2. Only clients in .mydomain.com may use this server.
auth otherserver - k
noproxy .internal.net.com -
socks5 - - otherserver
permit - - .internal.net.com - - -
permit k - otherserver - - -
Clients in .internal.net.com may use this server without Kerberos authentication. The server connects directly to hosts in .internal.net.com and reaches every other host through the proxy otherserver. otherserver is itself a SOCKS5 server; connections arriving from it must authenticate with Kerberos before they are permitted.
POOR CONFIGURATIONS
As with any other software, correct configuration is essential for security. An entry such as
permit - - - - - -
must never be used. With it the daemon is an open relay: a malicious user can use the server as a springboard to attack other systems, and those attacks appear to come from the server.
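The following Python model is an added example, not code from the NEC SOCKS5 distribution. It implements the matching rules from PATTERNS, the reverse-order choice of auth-methods from AUTHENTICATION ENTRIES, and first-match evaluation of permit/deny lines as described under ACCESS CONTROL ENTRIES, then runs the first ruleset from EXAMPLES and the open-relay line above against two constructed requests. The service table, host names, addresses and requests are made up for the example, and the reverse lookup that SOCKS5_REVERSEMAP enables is modelled by the caller supplying the resolved name.

```python
"""Added example, not part of the NEC SOCKS5 distribution: an offline model of how
socks5.conf patterns and permit/deny lines are evaluated, so a ruleset can be
checked before the daemon loads it.  Service table, names, addresses and requests
are all constructed for the example."""
import ipaddress

SERVICES = {"tftp": 69, "http": 80, "telnet": 23}   # constructed subset of /etc/services

def resolve_port(token):
    """A port token is a number or a service name."""
    return int(token) if token.isdigit() else SERVICES[token.lower()]

def port_matches(pattern, port):
    """portpattern: '-', a single port, or a range where '[' / ']' include the
    boundary and '(' / ')' exclude it, so (100,1000] means 101..1000."""
    if pattern == "-":
        return True
    if pattern[0] in "[(" and pattern[-1] in "])":
        lo, hi = (resolve_port(p) for p in pattern[1:-1].split(","))
        above_lo = port >= lo if pattern[0] == "[" else port > lo
        below_hi = port <= hi if pattern[-1] == "]" else port < hi
        return above_lo and below_hi
    return port == resolve_port(pattern)

def host_matches(pattern, name, ip):
    """hostpattern: '-', ip/mask, the n1. / n1.n2. / n1.n2.n3. prefixes, a
    .domain.name suffix, or an exact host name.  `name` is the reverse-lookup
    result (None when unknown), so a name rule never matches an unresolved peer."""
    if pattern == "-":
        return True
    if pattern.startswith("."):
        return name is not None and name.lower().endswith(pattern.lower())
    if "/" in pattern:
        addr, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((addr, mask), strict=False)
        return ip is not None and ipaddress.IPv4Address(ip) in network
    if pattern.endswith(".") and pattern[:-1].replace(".", "").isdigit():
        octets = pattern[:-1].split(".")
        return ip is not None and ip.split(".")[:len(octets)] == octets
    return name is not None and name.lower() == pattern.lower()

def list_matches(pattern, value):
    """authpattern, commandpattern and userpattern: '-' or a comma list, no spaces."""
    return pattern == "-" or value in pattern.split(",")

def negotiate_auth(auth_methods, client_offers):
    """The daemon walks auth-methods from the LAST entry to the first and takes the
    first one the client also supports; '-' accepts whatever the client offers.
    Returns the chosen method letter, or None when nothing fits (client rejected)."""
    if auth_methods == "-":
        return client_offers[0] if client_offers else None
    for method in reversed(auth_methods.split(",")):
        if method in client_offers:
            return method
    return None

def parse_rules(text):
    """Collect the permit/deny lines in file order; order decides which one wins."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0].lower() in ("permit", "deny"):
            rules.append([fields[0].lower()] + fields[1:])
    return rules

def evaluate(rules, req):
    """The first permit/deny line whose seven (or eight) fields all match decides.
    No match means the request is refused, even for an authenticated host."""
    for rule in rules:
        action, auth, cmd, src_host, dst_host, src_port, dst_port = rule[:7]
        users = rule[7] if len(rule) > 7 else "-"
        if (list_matches(auth, req["auth"]) and list_matches(cmd, req["cmd"])
                and host_matches(src_host, req["src_name"], req["src_ip"])
                and host_matches(dst_host, req["dst_name"], req["dst_ip"])
                and port_matches(src_port, req["src_port"])
                and port_matches(dst_port, req["dst_port"])
                and list_matches(users, req["user"])):
            return action, rule
    return "deny", None

# Constructed requests: a Kerberos user on the 111.111.111.0 network, and an
# outside client that offers no authentication and has no reverse name.
INTERNAL = dict(auth="k", cmd="c", src_name="pc1.mydomain.com", src_ip="111.111.111.5",
                dst_name="www.example.net", dst_ip="203.0.113.7",
                src_port=40001, dst_port=80, user="alice")
OUTSIDER = dict(INTERNAL, auth="n", src_name=None, src_ip="198.51.100.9", user="")

RESTRICTED = "auth - - k\npermit k - 111.111.111. - - -\n"   # first EXAMPLES ruleset
OPEN_RELAY = "permit - - - - - -\n"                         # the POOR CONFIGURATIONS line

if __name__ == "__main__":
    for label, cfg in (("restricted", RESTRICTED), ("open relay", OPEN_RELAY)):
        rules = parse_rules(cfg)
        print("%-10s internal: %-6s outsider: %s" % (
            label, evaluate(rules, INTERNAL)[0], evaluate(rules, OUTSIDER)[0]))
```

Run stand-alone, it shows the restricted ruleset admitting only the Kerberos-authenticated 111.111.111.x client, while permit - - - - - - admits the unauthenticated outsider to any destination, which is the open relay the text warns about. Two details of the model deserve attention when auditing a real file: a request that matches no line is denied, as the ACCESS CONTROL section specifies, and a name-based hostpattern can only match when a reverse name is available, so it silently excludes peers without reverse DNS rather than admitting them.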
SEE ALSO
socks5(1), libsocks5.conf(5), sockd4_to_5.pl(1)
AUTHORS
NWSL SOCKS5 Development Team
Send comments to socks5-comments@socks.nec.com