Permission to use this material for evaluation, copy this material for your own use, and distribute the copies via publicly accessible on-line media, without fee, is hereby granted provided that the above copyright notice and this permission notice appear in all copies. AIST makes no representations about the accuracy or suitability of this material for any purpose. it is provided "as is", without any express or implied warranties.
PERMUTED INDEX
CFI
CU-SeeMe
DGAuth
DNS
FTP
Gopher
HostList
HTTP
ICP
IMAP
LDAP
NNTP
PAM
POP
ProtoList
SMTP
SockMux
Socks
SSI.shtml
SSL
TCPrelay
Telnet
UDPrelay
Whois
X
INDEX
-F
-P
-f
-r
-v
-d
-D
ADMIN
AF_LOCAL
Aging
AUTH
AUTHORIZER
BASEURL
CACHE
CACHEFILE
CERTDIR
CGIENV
CHARCODE
CHARMAP
CHROOT
CLUSTER
CMAP
CONNECT
COUNTER
CRON
DATAPATH
DELAY
DELEGATE
DGCONF
DGOPTS
DGPATH
DGROOT
DGSIGN
DNSCONF
DYLIB
EXPIRE
FCL
FFROMCL
FFROMMD
FFROMSV
FMD
FSV
FTOMD
FTOSV
FILETYPE
FORWARD
FTOCL
FTPCONF
HOSTLIST
HOSTS
HTMLCONV
HTTPCONF
ICP
ICPCONF
INETD
LDPATH
LIBPATH
LOGDIR
LOGFILE
MASTER
MASTERP
MAXIMA
MIMECONV
MOUNT
MountOptions
MYAUTH
NNTPCONF
OWNER
PERMIT
PORT
PROTOLOG
PROXY
REACHABLE
REJECT
RELAY
RELIABLE
REMITTABLE
RESOLV
RES_AF
RES_CONF
RES_DEBUG
RES_NS
RES_RR
RES_VRFY
RES_WAIT
RIDENT
ROUTE
RPORT
SERVER
SHARE
SMTPCONF
SMTPGATE
SockMux
SOCKOPT
SOCKS
SOCKSTAP
SOXCONF
SOCKMUX
SRCIF
SSLTUNNEL
STLS
SYSLOG
TIMEOUT
TLSCONF
TUNNEL
UMASK
URICONV
VSAP
XCOM
XFIL
TCPrelay
UDPrelay
SockMux
Socks
DGAuth
PAM
HTTP
SSI.shtml
ICP
FTP
Telnet
POP
IMAP
SMTP
NNTP
LDAP
Whois
X
Gopher
SSL
DNS
CU-SeeMe
--------- --------- --------- --------- --------- --------- --------- --------- DELEGATED(8) MAINTENANCE COMMANDS DELEGATED(8)
NAME
DeleGate works as an application level proxy which interprets relayed protocol (control sequence and data structure) between a client and a server; various value added services are realized for recognized protocol. Also DeleGate works as a circuit level proxy which literally conveys transmission between a client and a server of arbitrary protocols on TCP or UDP.
DeleGate can be used to enforce access control restricting remittable protocols, reachable servers, and acceptable clients. DeleGate forces delay for penalty on repetition of forbidden access, or make defense shutting down service and sending automatic reports to administrator on suspicion of attack. A basic logging on circuit level common to arbitrary protocol and protocol dependent logging in some common formats are supported for some protocols.
DeleGate can act as a kind of application level router, controlling direct or indirect routes toward a destination server by selecting upstream proxy or Socks server. One of exploitable routes toward a server will be selected or tried in order depending on application protocol, destination host and source client.
As an application level proxy, DeleGate interpretively relays various application protocols, providing various value added services including caching or conversion for relayed data, of which structure depends on each application protocol. Based on interpretation of application protocols, DeleGate can be used as a protocol gateway which translates between client-side protocol and server-side protocol.
As a circuit level proxy, a DeleGate server literally conveys transmission bound to a specified server of a specified application protocol on TCP or UDP, or toward arbitrary servers based on Socks protocol.
As an application level proxy, DeleGate provides virtual view for resources in other servers, by aliasing, merging, and hiding real names (like URL which identifies a resource or a service) in real servers. It is like a generalized mechanism of NFS file mount, but unlikely it is realized by rewriting content of data. In other words, this is a mapping (rewriting) of virtual names in client to/from real names in server, where names are embedded in a protocol dependent data structure on request/response messages between a client and a server. With this function named mounting, for example, a resource http://hostiN/ is shown to client as if it is http://hostx/iN/. MOUNT can be used to customize built-in icons and messages of DeleGate too.
Communication between client and DeleGate or between DeleGate and server can be filtered or translated by user defined filter programs attached to DeleGate using a simple scheme named CFI (Common Filter Interface). Existing filter programs, from standard input to standard output, can be used as a CFI program without modification. Besides filtering by external programs, some of frequently used filtering operations are built-in to DeleGate, including HTTP header removal and generation.
All of local files of DeleGate, including log files and cache files, are placed under an individual root directory (DGROOT) as private files belong to the owner of the DeleGate by default. But to share them among different users, the path name, owner, and access permission of each file can be customized. Also log file name can be parameterized with date value for aging, and cache file name can be parameterized with hash value to distribute cache disks.
Although DeleGate can be controlled by a lot of options, only -Pport option and SERVER=protocol parameter are mandatory to operate in most case. The -P option specifies on which port DeleGate receives requests from clients. SERVER parameter specifies in which protocol DeleGate communicates with clients, and optionally to which destination server it will relay the communication.
Options can be loaded from local or remote resources with "+=URL" notation, typically from a local file like "+=/path/of/parameters" (see Parameter Substitution) (see DGCONF also)
OPTIONS
An entrance port is made as a TCP port by default except UDP based
application protocol (dns, icp, cuseeme, udprelay) is specified in
SERVER=protocol parameter.
And regardless of the protocol specified in SERVER, it can be
made as a UDP port with postfix "/udp" like -Pport/udp.
This option MUST be specified except in following cases.
It is ignored when the DeleGate is invoked from inetd(8),
or in most case of -Ffunction option,
or when running as a tunnel server
with SERVER="tunnel1".
-P option -- entrance port(s) to the DeleGate
== -Pport[,port]*
port == [host:]portNum[/udp][/admin]
portNum == number[-number]
This option specifies on which entrance port DeleGate receives
requests from clients.
As a typical example, "-P8080" means it accepts request on TCP port
numbered 8080 on any network interface belong to the host machine.
When the host has multiple interfaces or multiple IP addresses
assigned to a single physical interface, you can select one of them
with the specification format -Phost:portNum, like
"-Plocalhost:8080" for example.
A DeleGate server can accept from multiple ports or (limited) multiple
network interfaces by -Pport,port,...
When no host is specified, only IPv4 addresses are accepted.
That is, -P8080 is the abbreviation of "-P0.0.0.0:8080".
To specify IPv6 address here, substitute each colon symbol in the
IPv6 address notation with an under score symbol. Fore example,
"-P__:8080" means accepting at port 8080 with the wild card address
of IPv6 "::". If necessary, a scope-ID can be specified with "%" symbol,
like "-Pfe80__12_34%en0:8080" for example.
Note: See SRCIF
as to selection of a source address of an outgoing connection.
-f option -- foreground execution
-r option -- restart
-v option -- logging level control
== -v[vdtsau]
-d option -- debugging of sub components
== -d[hst]
-D option -- disabling sub components
== -D[t]
-S option -- watch SIGCHLD signal
-T option -- trace system calls
== -T[xsdt]*
-F option -- extra function
== -Ffunction
-- option -- hiding command line arguments
parameter == name=value
conditional parameter == (condition)parameter
-e option == -ename=value
PARAMETERS
In the following list, parameters marked with "*" are repeatable like name=value1 name=value2 ... name=valueN. If the same parameter is defined both in environment and command line, the one in command line precedes to the one in environment. If other non-repeatable names are repeated, the lastly given value is taken.
Parameters marked with "+" can NOT be given in "+=parameters" scripts. Those parameters (including DGROOT, CHROOT, LDPATH, and DYLIB) need to be specified in command-line arguments or "implanted" into the executable file of DeleGate with the -Fimp option.
General
Routing
Access control
Resource usage restriction
Cache control
Mount
Data conversion
Filter control
Local file usage
Host name resolution
Example: a SERVER parameter for unbound Telnet-DeleGate
Parameters in this category are used to control common attributes
of DeleGate independently of the purpose of usage or
target application protocol.
name
value format
functionality
--
----------
------------------
----------------------------------
SERVER
proto://host:port
client-side protocol and default server
ADMIN
user@host.domain
E-mail addr. of the admin. of this DeleGate
+
OWNER
user[/group]
with who's access right this DeleGate runs
*
CRON
crontab-spec
cron compatible scheduler of actions
*
INETD
inetd-conf
inetd like server configuration notation
*
HOSTLIST
name:hostList
define a named HostList
*
CLUSTER
protocol:hostList
define a cluster of servers
*
CMAP
map-spec
mapping table about the current connection
+
DYLIB
patternList
file-name patterns of dynamic libraries
+
LDPATH
dir;dir;...
search path for DYLIB
LIBPATH
dir:dir:...
search path for library files
DATAPATH
dir:dir:...
search path for data files
DGPATH
dir:dir:...
search path for SUBSTITUTION resources
DGCONF
dir/file
the file of configuration parameters
DGOPTS
option;option;...
list of command line options
PORT
portList
reserve entrance ports like -P option
These parameters control the indirect routing toward the target server
exploiting upstream proxies or Socks servers on the way to servers.
If any target hosts are directly reachable on IP level from your
DeleGate's host,
these parameters may not necessary.
Besides these parameters,
ICP and MOUNT
have something to do with routing based on application protocols.
--
----------
------------------
----------------------------------
*
FORWARD
proxy-_-proto:dst:src
forward to proxy when from src to dst in proto
*
ROUTE
proxy-_-dst:src
forward to proxy when from src to dst
*
MASTER
host:port
connect via the upstream DeleGate
MASTERP
[host:port]
invoke a MASTER private to this DeleGate
*
PROXY
host:port
connect via the upstream proxy
*
SOCKS
host[:port]
connect via the socks server
SSLTUNNEL
host:port
connect via the SSL tunnel for HTTPS
VSAP
host:port
accept/connect via a remote host
*
CONNECT
ca,ma,di,so,...
the order of trials of connection types
*
SRCIF
host[:port]
source address of connection to server
TUNNEL
type:scriptPath
connect via the tunnel on serial line
RPORT
{tcp|udp}[:host]
return port from the MASTER-DeleGate
These parameters control who (client) can access to what (server)
and how (protocol).
The basic policy of default access control is designed so that
clients on networks local to the host of DeleGate are permitted
to access to any server.
Note that the default value of
REMITTABLE depends on
SERVER, and
IP-level reachability to DeleGate on a multi-homed host
may be restricted by -Phost:port option.
You must most carefully configure these parameters
so that this DeleGate does not introduce a security hole,
especially when it is running on a host
which is directly accessible to/from the internet.
--
----------
------------------
----------------------------------
*
PERMIT
proto:dst:src
protocols/servers/clients to be permitted
*
REJECT
proto:dst:src
protocols/servers/clients to be rejected
REMITTABLE
ProtoList
protocols remittable to the server
*
REACHABLE
dstHostList
only specified server hosts are reachable
*
RELIABLE
srcHostList
accept only from the specified client hosts
*
RELAY
proxy|delegate|no
restrict proxying modes
*
AUTH
what:aproto:users
authorized users for remote administration
*
AUTHORIZER
serv:proto:dst:src
authentication server
*
MYAUTH
user:pass:proto:dst:src
authentication client
RIDENT
client|server
forward socket addr. to upstream DeleGate
These parameters can be useful where available resources are
in severe condition; when the host of DeleGate is heavy loaded,
network bandwidth is narrow, or response from server can be slow.
--
----------
------------------
----------------------------------
*
MAXIMA
what:number
maxima of parallel sessions and etc.
*
TIMEOUT
what:seconds
timeout of connection and etc.
*
DELAY
what:seconds
delay for penalty
Enable or disable cache and specify validity of cached data.
Usage of cache is controlled in context of routing by
CONNECT too.
Removing stale cache file can be done periodically using
CRON.
--
----------
------------------
----------------------------------
CACHE
do|no|ro
control to do cache or not
*
EXPIRE
days|hours|secs
expiration of the cached data
CACHEFILE
fileNameSpec
in which file cache data are stored
*
ICP
icpClientConfig
configuration as an ICP client
Provide virtual view for other server(s) by URL mapping,
filtering and aliasing resource names,
to merge multiple servers,
to translate between different protocols,
to export internal servers,
and so on.
Also MOUNT can be used to customize
or replace built-in icons and messages.
--
----------
------------------
----------------------------------
*
MOUNT
"vURL rURL opt"
map virtual URL to/from real URL
*
URICONV
convList:attrList
control URI rewriting with MOUNT
BASEURL
URL
the base of (virtual) URL of this server
DELEGATE
host:port
limited form of BASEURL
Parameters to control built-in converter for text type data.
--
----------
------------------
----------------------------------
*
CHARCODE
JIS|EUC|SJIS|UTF8
character conversion for Japanese text
*
CHARMAP
[jis|ucs]:a-z/A-Z
map character to character in text data
HTMLCONV
deent|enent|pre
decode/encode between HTML & plain text
MIMECONV
thru|charcode
control MIME encoder/decoder
Insert a filter program on the way to/from client or server
to convert data transmitted between them.
--
----------
------------------
----------------------------------
FCL
filterCommand
filter between client and DeleGate
FTOCL
filterCommand
filter from DeleGate to client
FFROMCL
filterCommand
filter from client to DeleGate
FSV
filterCommand
filter between server and DeleGate
FTOSV
filterCommand
filter from DeleGate to server
FFROMSV
filterCommand
filter from server to DeleGate
FMD
filterCommand
filter between MASTER and this DeleGate
FTOMD
filterCommand
filter from this DeleGate to MASTER
FFROMMD
filterCommand
filter from MASTER to this DeleGate
XCOM
filterCommand
execute a command as a server
XFIL
filterCommand
execute a filter as a server
All of local files are integrated under DGROOT by default.
You should not change nor specify these parameters if not necessary.
--
----------
------------------
----------------------------------
+
CHROOT
dirPath
change the root of file system at start
+
DGROOT
dirPath
root directory of all of DeleGate files
*+
SHARE
dirPatternList
files to be shared among users
+
UMASK
mask
umask value in octal
VARDIR
dirPath
default base of log and cache
CACHEDIR
dirPath
where cache files are placed
ETCDIR
dirPath
where persistent management files are
LOGDIR
dirPath
where DeleGate logs are
LOGFILE
LogFilename
where DeleGate makes logging
PROTOLOG
LogFilename
httpd or wu-ftp compatible log file
ERRORLOG
LogFilename
where DeleGate make error logging
TRACELOG
LogFilename
where signal trace (by -T) is put
EXPIRELOG
LogFilename
file which records expire log
COUNTER
CounterOptions
access counters
WORKDIR
dirPath
where DeleGate should dump core (-_-;
ACTDIR
dirPath
where temporary files are placed
TMPDIR
dirPath
where invisible temporary files are placed
PIDFILE
fileName
where the DeleGate's PID is recorded
Resolve host name to/from IP address using DNS, NIS or local file.
Protocol specific
--
----------
------------------
----------------------------------
*
HOSTS
host/addr,...
private host/address mapping
RESOLV
file,nis,dns,sys
the order of resolvers to be used
RES_WAIT
sec:host
wait for resolver to be ready
RES_CONF
URL
where resolv.conf is
RES_NS
host[:port]
DNS server to be used
RES_AF
46 | 64 | 4 | 6
Address families (IPv4/v6) to be retrieved
RES_RR
HostList
enable Round Robin of IP-addresses
RES_VRFY
""
enable double check of reverse resolution
RES_DEBUG
number
debugging level of name resolution
--
----------
------------------
----------------------------------
*
HTTPCONF
what:conf
HTTP specific configuration
FILETYPE
suffix:fileType
mapping from filename to data type & etc.
CGIENV
name,name,...
environment variables to be passed to CGI
*
ICPCONF
icpServerConfig
configuration as an ICP server
*
FTPCONF
what[:conf]
FTP specific configuration
*
NNTPCONF
what:conf
NNTP specific configuration
*
SMTPCONF
what:conf
SMTP specific configuration
SMTPGATE
dirPath
SMTP to SMTP/NNTP g.w. configuration
*
DNSCONF
what:conf
configuration as a DNS server
*
SOCKSTAP
proto[:[dst][:src]]
interpret the protocol over SOCKS
SERVER parameter* == SERVER=protocol[://host[:portNum]][:-:MountOptions]
portNum == [+|-]number
-- default: SERVER=delegate
SERVER=protocol
specifies the protocol to be used for communication with clients,
which will be the default protocol with servers.
SERVER=telnet
If no destination server (host) is specified, it is to be be given by client somehow at run-time, on application level in protocol dependent way.
The protocol with server is implicitly expected to be the same with the protocol with the client. Some protocols like HTTP have their inherent way to specify the protocol with the destination server. Otherwise it must be explicitly given with MOUNT parameter, like MOUNT="/news/* nntp://server/*" for example.
SERVER=protocol://host:portNum specifies the URL of destination server. The ":portNum" part is omittable as usual in URL if the number is that of standard port number of the protocol. A list of protocols and standard port numbers recognized by the DeleGate is available at: "http://delegate/-/builtin/mssgs/config.dhtml". If a portNum is prefixed with "-" or "+", it means mapping the port number of the entrance port adding the specified offset, or using the port number as is by "-" with empty portNum.
Example: forwarding multiple ports to an another host
Note that a DeleGate bound to a specific server is not disabled to
work as a proxy for arbitrary servers.
Proxying ability must be restricted if necessary, using
PERMIT, REACHABLE and RELAY parameters.
If a SERVER parameter is with ":-:MountOptions",
the SERVER parameter will be dynamically selected if the condition
specified in the MountOptions
is evaluated to be true.
As a special case, ":-:via=HostList" can be abbreviated
as ":-:HostList".
Example: selecting an appropriate NNTP server for a client
Example: {NNTP,SMTP,POP}-DeleGate as a single server
Example:
run with the user ID corresponding to the user name of the client
On Windows, OWNER=user may be specified when it is
invoked as a service, to set the user of the DeleGate service to be created.
With empty user name as OWNER="", the user name is got from
the USERNAME environment variable. The password can be specified
with a PASS=pass parameter or an environment variable, or
it will be asked on the console.
Example:
Example:
Example:
If a list is prefixed with "/R", the servers in the list are tried
in random order (the first server to be tried is selected randomly and
other servers are tried in the round-robin order).
It could be useful for load balancing among equivalent (proxy) servers.
The retrial by this parameter is commonly applied to servers of any protocols
in the phase of establishment of a TCP connection to a server.
The retrial covers the authentication phase for several protocols.
In HTTP origin/gateway servers, the retrial may be caused depending on
the response from the server, including the response code 503
(Service Unavailable) and 404 (Not Found) for example.
Example:
If "fcl" is specified, a client may start SSL without STARTTLS negotiation.
Such implicit SSL negotiation from the client-side is detected by peeping
a SSL hand-shake packet on the connection from the client-side at the
beginning of a session for a certain period specified with imimSec.
The default value is "im0.25" (250m seconds).
"-im" disables this implicit SSL negotiation.
If a stlsSpec is followed with "/im" as STLS="fsv/im" for example,
SSL with the peer (with the server in this case) is applied without
the STARTTLS negotiation.
If non default SSLway command path or options are necessary to be used,
the SSLway command can be specified after stlsSpecs as
STLS="fcl,sslway -Vrfy -cert mycert.pem" for example.
Example:
Example:
For special gwproto, FORWARD works as a generalized notation of
MASTER, PROXY, SOCKS and SSLTUNNEL as follows.
If multiple FORWARD parameters are specified, they are tried in the order
of the definition.
If multiple routes to the destination server are available,
specified with a mixture of FORWARD and other parameters
(MASTER, PROXY, SOCKS or SSLTUNNEL),
the route defined by FORWARD is tried in precedence defined by "proxy" or
"master" in CONNECT.
Example: a gateway for HTTP clients to a HTTPS server reachable via SSLtunnel with authentication
A host specification in the dstHostList may be
prefixed with "proto://"
to restrict the protocol to be forwarded. For example,
ROUTE="http://host:port/-_-{ftp://*}:*"
means that only access to FTP servers are forwarded
to the HTTP-proxy at "http://host:port/".
A host specification in the dstHostList can be restricted further
with port number.
For example, ROUTE="http://host:port/-_-{*:21}:*" means that
only accesses to the port number 21 (FTP service) is forwarded to the
proxy.
Optional "/masterControl" can be:
Example:
Example:
Example:
connType:
Each connection type can be abbreviated by the first character as
{c,i,m,d,v,s,u} respectively.
Note:
In current implementation, "cache" will be tried first anyway if it is
included in the connSeq.
This parameter specifies the source address (of a network interface) of each
connection to a server.
This can be useful when the host of DeleGate has multiple network interfaces.
Also it can be used to specify the port to be used for accepting
a client connection by a SOCKS-DeleGate or a FTP-DeleGate.
In most cases, a special pattern "*" as host or port specifies
the wild-card IP address or port number.
In some cases, the special pattern "*" is used for the desired address and number
which is specified by a protocol,
like a port for FTP data connection (by PORT or PASV)
or a port for SOCKS (BIND and UDP-ASSOCIATE).
To explicitly specify the wild-card as an IP address and port number,
use "0.0.0.0" as host and "0" as port respectively.
Example:
The port for "ftp-data" connection which is assigned on demand and notified
to the peer,
that is from client to server by PORT or from server to client by PASV,
can be controlled separately by "ftp-data-port" or "ftp-data-pasv" respectively.
The source port for data connection, which is established from server to
client for PORT or from client to server for PASV,
can be controlled by "ftp-data-src".
Currently, the tunnelType must be "tty7" which means
transmission between DeleGates is done in 7bits stream.
When the type is "tty7", how the TUNNEL is established is described
in the specified SHIO-script file.
See "src/sample.shio" in the distribution package.
The name of a script file must be specified either in absolute path,
or in relative file name which will be retrieved in
LIBPATH.
The upstream DeleGate for TUNNEL must be invoked with
SERVER="tunnel1".
Example: make a tunnel without login dialogue
If multiple PERMIT parameters are given,
an access will be permitted if at least one of
those PERMITs indicates permission.
If no PERMIT parameter is given, access permission is controlled
by REMITTABLE, REACHABLE and RELIABLE parameters which can be
defined explicitly or implicitly depending on SERVER parameter.
Example:
unlimited permission to hosts on local net while only http://www to others
The special pattern "*" in ProtoList (dstHostList) means
all of permitted protocols (servers), which may be explicitly
defined with REMITTABLE (REACHABLE) parameters. These parameters
limits the widest possible permission. A protocol (server) is not permitted
if it is not permitted in REMITTABLE (REACHABLE) parameters defined
implicitly or explicitly.
Similarly, if more than one RELIABLE parameters are given explicitly,
they limit the widest acceptable clients in srcHostList of PERMIT.
The host specifications in the dstHostList can be further restricted
with port number like "host:portNumList".
For example, PERMIT="telnet:{*:23}:*" means permitting
telnet to any host but only on the standard port number (23).
A protocol name in the ProtoList can be modified with port number
and method like "protocolName/portNumList/methodList"
to restrict accessible ports and methods in the protocol.
For example, a series of PERMIT parameters,
PERMIT="ftp//readonly:Servers:Clients"
PERMIT="ftp:*:*"
means inhibiting uploading to Servers from Clients
while allowing uploading among other combinations of servers and clients.
When multiple DeleGate servers are chained using MASTER or PROXY
parameter, the original client identification information got at
the first DeleGate server (at the entrance of the chain) can be
forwarded to the upstream DeleGate server using RIDENT
parameter and will be examined using PERMIT parameter.
Example:
forbid mail-clients to remove message on mail-servers
If a protocol name is followed by "/portNumList",
only ports listed in
the PortList is permitted.
A PortList can be followed by "/methodList" which restricts
available methods in the protocol.
A pseudo method "readonly" is used to prohibit methods for modification.
For example, REMITTABLE="ftp//readonly" make a FTP-DeleGate be
"read only" which inhibits uploading to FTP servers.
Protocol Specific Default:
Exception:
If the first member of a list is "+", it means the default list of
permitted protocols. For example, REMITTABLE="+,-https/80,-wais,file"
with SERVER=http means REMITTABLE="http,https/443,gopher,ftp,file".
Note that multiple RELIABLE parameters like
RELIABLE=Hosts1 RELIABLE=Hosts2 will be interpreted
being simply concatenated into a single RELIABLE="Hosts1,Hosts2",
which will NOT mean "Hosts1 or Hosts2"
if Hosts1 or Hosts2 includes some
negation or
composite operators.
You are recommended to use multiple PERMIT parameters instead
if you are not sure what does these mean.
RELAY="no" means working as an origin HTTP server without relaying
(Origin HTTP server is a usual server which accepts requests in usual
format, not in format for proxies, that is URL in request is neither
in full format nor in "/-_-" format, but in absolute format).
So called "transparent-proxy" ability is enabled by "RELAY=vhost".
RELAY="vhost" can be used for origin HTTP server with relaying to arbitrary
virtual hosts. This option enables a HTTP request to be forwarded to
arbitrary destination server, indicated in "Host:" field in request header,
without explicit MOUNT. This automatic relaying is done only when the
request URL is not MOUNTed, thus is not so likely because most DeleGate
working as origin server have MOUNT parameter for the root URL ("/*").
Example:
Default:
In HTTP-DeleGate, user declares "who am i" giving an
Authorization header (in request message), which consists of
Username:Password,
where Username can be in a form of User@Host.
Currently following categories of authentication/authorization
are supported:
-- in any protocol DeleGate --
-- in FTP server and FTP/HTTP gateway --
-- in proxy and origin HTTP server --
In the case where the FTP-server based authentication is used,
a recommended user name of the authorization information is
e-mail address like "user@host.domain"
so that it can be commonly used for both AUTH="anonftp" and AUTH="proxy".
Note that even a client authorized by an auth-server is not permitted
if the client's host does not pass other access controls
(RELIABLE and PERMIT).
To permit any authorized client regardless of its host, specify as
RELIABLE="-a/*". Also RELIABLE="*" works for this purpose
but is not safe on modifications of configuration and DeleGate.
Adding connMap, an auth-server can be selected conditionally on
a combination of destination protocol, server host and client host.
The authServList is a host name of authentication server, or a
list of host names of authentication servers.
If authServList is followed with "@realmValue", the value is
used to define the realm of protection space in HTTP-DeleGate.
It can be overridden by MountOption "realm=realmValue" for each MOUNT point.
Currently, the default protocol of remote authentication/authorization server
is that of FTP protocol with USER and PASS commands. Thus any real FTP
server can be used as an authentication/authorization server of DeleGate.
Another way of maintaining DeleGate's own lists for
authentication/authorization is using
-Fauth function.
There are built-in auth-servers to be used as authServ as follows:
Example:
Example:
The result of the authentication by the command is shown in its output string
or by its exit code.
The command may puts a string to its standard output to show the result
in the form of a status response of the FTP protocol, that is,
"230" for success and "530" for failure.
Otherwise the exit code of the process is used, the value zero for success
and non-zero values for failure.
Example: passing username in argument while password in environment variable
[the content of the myauth command]
If only authentication of user is necessary without authorization,
the following special name will be useful as a authServList.
Example:
The pair of username+password which is sent from a client can be forwarded
to the server by MYAUTH="%U:%P"
(supported in HTTP and FTP only).
NOTE:
For authentication with proxies, it is strongly recommended to use
FORWARD with a gateway-URL including
authentication information instead of MYAUTH.
For example,
SOCKS=host:port with MYAUTH=user:pass
can be represented as
FORWARD=socks://user:pass@host:port.
Example:
Example:
Each value specifies the maximum delay time and delay time increases
according as the error count increases.
If a vURL is terminated with "*"
then partially matched path is also rewritten.
If a rURL is terminated with "*" then remaining part
in the partially matched path will be copied after the rURL.
Example: a MOUNT for HTTP-DeleGate
If "=" is specified as vURL or rURL,
it means mount as is without
rewriting for the vURL in a request,
or rewriting for rURL in a response.
The port number of the destination server (in rURL)
can be prefixed with "-" or "+"
to be determined dynamically
by offsetting from the port number of the entransport,
as in SERVER parameter.
If the rURL is of "file:path" and the path is
a relative one, then the data file is searched under the
DGROOT directory or directories listed in
DATAPATH.
If a rURL is prefixed as "vurl:rURL", the rewritten
URL (in a request message) from vURL to rURL will be
rewritten by another MOUNT again.
This recursive MOUNT is not applied to the rewriting a URL in response data
from rURL to vURL,
therefore it does not work as expected in HTTP where such reverse rewriting
of URL in response is expected too.
Example: recursive MOUNT
Abbreviations
To make configurations be simple and reusable, special abbreviated
formats of URL can be used in MOUNT parameter.
If "=" is specified as protocol-name, host-name
or port-number in rURL which consists of
protocol-name://host-name:port-number/url-path,
then it represents that of the DeleGate itself (i.e. that of vURL).
URLs beginning with "//" represents further abbreviations,
"///path" for "=://=:=/path" (in the same protocol,host and port)
and
"//serv..." for "=://serv..." (in the same protocol).
Abbreviated host-name and port-number is substituted by
that of the virtual host (given in HTTP Host: field) if exists,
or by that of the real interface with the client.
To explicitly specify the real interface, use "-P" for
"host-name:port-number part like "http://-P/path".
Example: abbreviation in rURL of MOUNT parameter
Complex Matching and Rewriting
A pattern following "*%" in vURL and rURL represents
a pattern for complex matching specified in the format like that of scanf(3).
Each format specification consists of a specification following "%",
like "%c", "%[a-z]" and so on.
The extended format "%S" has variable meanings determined by its
adjacent character, i.e. "%Sx" means "%[^x]x":
ex. "%S." for "%[^.]." and "%S/" for "%[^/]/".
"%(N)" in rURL means copying Nth element in
vURL.
If a vURL pattern ends with "$" character, then complete
matching to the end of URL string is required.
Example: complex matching and rewriting
CONDITIONS:
The first group of options are to make MOUNT be conditional
depending on source and destination (client and server).
When a MOUNT parameter have a MountOption
including one or more conditions,
the MOUNT will be ignored without all of conditions are true.
SERVER="nntp://newsserver1:-:from={*.dom1}"
SERVER="nntp://newsserver2:-:from={*.dom2}"
-P119,110,25
SERVER="nntp://nntpserver:-:{*:119}"
SERVER="smtp://smtpserver:-:{*:25}"
SERVER="pop://popserver:-:{*:110}"
ADMIN parameter == ADMIN=user@host.domain
-- default: built in at compile time
This parameter must be correctly given especially when the DeleGate runs on
a host directly reachable to/from internet.
This E-mail address will be used as follows:
- Shown in (error) messages to clients, as the name of
the administrator of this DeleGate
(HTTP, etc.).
- Shown in opening messages or in a help message to clients,
as the name of the administrator (FTP, NNTP, Telnet).
- Sent as a default user name (in PASS command)
on anonymous access to FTP servers.
- Sent as sender name (in FROM command)
in access to remote SMTP server on verification
by AUTH=anonftp:smtp-vrfy.
- Report messages are sent to the address
on occurrence of fatal signals
OWNER parameter* == OWNER=user[/group][:srcHostList]
-- default: OWNER="nobody/nogroup"
-- restriction: super-user only on most of Unix
-- restriction: setting the user of a service on Windows
This parameter is effective only when the invoker is a super-user.
If specified, the DeleGate will run with the right of specified
user, calling setuid(2) and setgid(2) system calls. User and group
can be specified either in symbolic name or in id-number prefixed
with "#" like "#1234".
If srcHostList is specified, owner of this DeleGate will be set to
the user when the client host is included in the list. The user
name "*" will be substituted by the user name of the client when
it can be got from an
Identification server on the client host.
OWNER="*:*@*".
CRON parameter* == CRON="crontab-spec"
crontab-spec == minute hour day month dayOfWeek action
-- default: none
Cause an action at a time specified in the format of crontab-spec
which is compatible with that of standard crontab(5) of cron(8)
servers in Unix systems.
If the action is prefixed with "/" then it is an external action
which will be executed by the system(3) function. If the action is
prefixed with "-" then it is a built-in internal action of DeleGate.
-suspend N -- suspend for N seconds
-restart -- restart the DeleGate
-exit -- finish the DeleGate
-expire N -- execute expiration for $CACHEDIR
by "-atime +Nd"
-system command
-- execute command as a shell command
/dir/command args
-- equiv. to "-system /dir/command args"
- args
-- equiv. to "/dir/delegated args"
-Ffunc args
-- equiv. to "/dir/delegated -Ffunc args"
CRON="0 0 * * * -restart"
CRON="0 3 * * * -expire 3" (this is equivalent to followings)
CRON="0 3 * * * -Fexpire /path/of/cache -rm -atime +3 -sum"
CRON="0 3 * * * /path/of/delegated -Fexpire /path/of/cache -rm -atime +3 -sum"
INETD parameter* == INETD="inetd-conf"
inetd-conf == port sockType proto waitStat uid execPath argList
port == [host:]portNum
sockType == stream | dgram
proto == tcp | udp
waitStat == nowait ("wait" is not yet supported)
-- default: none
Invoke a new DeleGate process with the specified configuration when
a request is arrived at the specified port. The format of the
inetd-conf specification is like that of standard inetd.conf(5)
in Unix systems.
A default value of each field can be represented by "-".
Default values of sockType, proto and waitStat
are "stream", "tcp" and "nowait" respectively.
The uid field will be used as
OWNER parameter in the invoked process.
Specifying "-" as uid value means
invoking DeleGate without OWNER parameter.
If execPath is "-",
it means to start child DeleGate process with the given argList.
The configuration of the parent DeleGate process is inherited to
child DeleGates. For example, when a parent DeleGate is invoked
like:
delegated ADMIN=foo EXPIRE=1 INETD=conf1 INETD=conf2
these ADMIN and EXPIRE parameters are inherited to DeleGates
described in conf1 and conf2.
INETD="8080 stream tcp nowait nobody - SERVER=http"
INETD="8080 - - - nobody - SERVER=http" (equivalent to the above)
INETD="8119 - - - - - SERVER=nntp://nntpserver/"
INETD="8888 - - - - /bin/date date" (equivalent to the following)
INETD="8888 - - - - - SERVER=exec XCOM="/bin/date date"'
INETD="8888 dgram udp - - /bin/date date"
INETD="localhost:8888 - - - - - /bin/sh sh"
INETD=+=/path/of/inetd.conf (load configuration from a file)
HOSTLIST parameter* == HOSTLIST=listName:HostList
Define a named HostList with the name listName.
A named HostList can be referred in other HostLists.
If multiple HOSTLIST parameters with the same listName are defined,
the lastly defined one is referred.
If a HostList is prefixed with "+,"
like HOSTLIST="listName:+,newHostList"
then the newHostList is appended to the current definition of the list.
// redefine .localnet
HOSTLIST=".localnet:localhost,./32,192.168.*"
// exclude localhost form the predefined .localnet
HOSTLIST=".localnet:+,!localhost"
CLUSTER parameter* == CLUSTER=[protoList]:ServerList
ServerList == [/R,]Server[,ServerList]
Server == Host[..Port]
The CLUSTER parameter defines an ordered set of alternative or
complemental servers (origin or proxy).
It is referred when DeleGate failed to connect or authenticate with
an upstream proxy server or an origin server.
It is applied to proxy server specified in
MASTER, PROXY, SSLTUNNEL, SOCKS,
or an origin server specified in SERVER or
in the right-hand of MOUNT.
CLUSTER=http:www1,www2,www3..8080 MOUNT="/* http://www1/*"
CLUSTER=ftp:ftp1,ftp2,ftp3 MOUNT="/* ftp://ftp1/*"
CLUSTER=http-proxy:/R,px1..8080,px2..9090,px3..8080 PROXY=px1:8080
CLUSTER=socks:/R,sock1,sock2,sock3 SOCKS=socks1
CMAP parameter* == CMAP=resultStr:mapName:connMap
connMap == ProtoList:dstHostList:srcHostList
-- default: none
A generic parameter to make some parameters be conditional on the current connection.
When the protocol, the destination and the source
of the current connection match the connMap,
this map is enabled providing resultStr string
to be used for mapName.
Not only host name/address but also port number of destination servers
can be used for matching in dstHostList.
A typical usage of this parameter is for applying
filter conditionally.
TLSCONF parameter* == TLSCONF=tlsConf[,tlsConf]*
tlsConf == what:value
-- default: TLSCONF=scache:do,xcache:do
STLS parameter* == STLS=stlsSpecs[,sslwayCom][:connMap]
stlsSpecs == [-]stlsSpec[/im][/ssl][,stlsSpecs]
stlsSpec == fsv | fcl | mitm | imimSec
sslwayCom == {sslway [-Vrfy] [-CApath dir] ...}
connMap == ProtoList:dstHostList:srcHostList
-- default: none
-- restriction: applicable to HTTP, FTP, SMTP, POP, IMAP, SOCKS
-- required: SSLway
This parameter controls the initiation of SSL (TLS) based on a negotiation
between client and server in each application protocol.
The common scheme of the negotiation is known as "STARTTLS".
"fsv" specifies using SSL with server and "fcl" specifies using SSL with client.
When SSL is not supported on a connection, the STARTTLS negotiation will fail
and the connection will be closed by default.
To continue a session even when SSL is not available,
prefix "-" to "fsv" or "fcl".
STLS="fcl" -- use SSL with client (exit the session if not available)
STLS="-fcl" -- use SSL with client if available
STLS="fsv,-fcl" -- use SSL with server, and with client if available
STLS="fsv/ssl" SERVER="ftp" -- use AUTH SSL instead of AUTH TLS
CERTDIR parameter == CERTDIR=dir
-- default: ${ETCDIR}/certs
-- version: DeleGate/9.8.0 + OpenSSL0.9.8g or laters
CERTDIR specifies the directory as the repository of certificates to be used
by SSLway.
Certificate files in the directory are named as follows.
All of these files are optional.
DGCONF parameter == DGCONF=dir/file
-- default: DGCONF='${EXECDIR}/${EXECNAME}.conf'
DGCONF specifies the file of configuration parameters to be loaded,
if exists, on the invocation.
The default value is relative to the name of the executable file of
DeleGate. For example, if the path of the executable is
"X:/path/of/dg9_4_1.exe" then DGCONF="X:/path/of/dg9_4_1.conf".
DYLIB parameter == DYLIB=libfilePattern[,libfilePattern]*
-- default: DYLIB='dglib*.so,lib*.so,dglib*.dylib,lib*.dylib'
DYLIB specifies a list of file name patterns for dynamic linking
library files to be retrieved. The character "*" in each pattern is
replaced with the library name to be retrieved, for example with
a pattern "lib*.so", "libssl.so" is retrieved for "ssl".
A special pattern "+" means to include the default list.
If a pattern is not in full-path format, the library file will be
retrieved in some directories which depends on the system configuration
or an environment variable like LD_LIBRARY_PATH or so.
A pattern can be in full-path like "/usr/local/ssl/lib/lib*.so", or
without "*" character like "/usr/local/ssl/lib/libssl.so".
DYLIB="" ... disable dynamic linking
DYLIB="lib*.so,lib*.so.1"
DYLIB="libz.so,libssl.so"
DYLIB="+,lib*.so.0.9.7"
DYLIB="/usr/lib/libz.so.1,/lib/libssl.so"
LDPATH parameter == LDPATH=dirPath[;dirPath]*
-- default: LDPATH='${LIBDIR};${EXECDIR};${HOME}/lib;/usr/lib;/lib'
Specify where dynamic libraries (DYLIB) are searched.
LIBPATH parameter == LIBPATH=dirPath[:dirPath]*
-- default: LIBPATH='.:${STARTDIR}:${LIBDIR}:${EXECDIR}:${ETCDIR}'
Library files, including parameter files,
CFI scripts and filter programs,
are searched in multiple directories in order specified in LIBPATH
if it is specified as relative path.
By default, LIBPATH is a ordered list of the following directories:
WORKDIR (.) -- the working directory
STARTDIR -- the directory where the DeleGate is invoked
LIBDIR -- ${DGROOT}/lib by default
EXECDIR -- the directory where the executable file of DeleGate is placed
ETCDIR -- ${DGROOT}/etc by default
DATAPATH parameter == DATAPATH=dirPath[:dirPath]*
-- default: DATAPATH='.:${DGROOT}:${STARTDIR}
The list of directories each contains data files to be provided to
client. This parameter is used by a DeleGate which generates response
data from local file specified in relative path like
MOUNT="/path/* file:dir/*".
DGPATH parameter == DGPATH=dirPath[:dirPath]*
-- default: DGPATH='+:.:${HOME}/delegate:${ETCDIR}'
The search path of parameter files.
A special directory name "+" stands for the place
where the "caller" resource
(a parameter file referring the parameter file) is.
DGSIGN parameter == DGSIGN=signatureSpec
-- default: DGSIGN="V.R.P/Y.M.D"
Specify the signature of the DeleGate to be shown to client or server.
The full form signature "Version.Revision.Patch (Month Day, Year)" is
represented as "V.R.P/Y.M.D". To hide the a specific part, replace the
corresponding character with "x". For example, DGSIGN="V.x.x/Y.x.x"
will make signature like "DeleGate/9.x.x (x x, 2005)".
DGOPTS parameter == DGOPTS=opt[,opt]*
-- default: none
A list of command line options.
This may be useful when those options like -P or -v,
not in name=value format,
are to be given in an environment variable.
SOCKOPT parameter == SOCKOPT=[no]name[:value]
-- default: reuse
Set socket options.
PORT parameter == PORT=port[,port]*
port == [host:]portNum[/udp]
portNum == number[-number]
-- default: none
Make entrance ports as -P option does.
FORWARD parameter* == FORWARD=gatewayURL[-_-connMap]
gatewayURL == gwproto://[user:pass@]gwhost[:gwport]
connMap == protoList:dstHostList:srcHostList
-- default: none
Forwards a request
toward a proxy server specified in gatewayURL
if the request matches the condition specified in connMap,
that is, the request is in a protocol listed in protoList and
for servers listed in dstHostList and
from clients in srcHostList.
If connMap is omitted, any request are forwarded to the
gatewayURL unconditionally.
If an authentication information is given as "user:pass@"
prefixed to gwhost, it is used on the authentication phase
after the connection with the gwhost.
FORWARD is a generalized notation of ROUTE and
the following two notations are equivalent.
ROUTE=gwproto://gwhost:gwport/-_-dstHostList:srcHostList
FORWARD=gwproto://gwhost:gwport/-_-*:dstHostList:srcProtoList
FORWARD=delegate://gwhost:gwport/-_-*:dstHostList:*
FORWARD=gwproto://gwhost:gwport/-_-*:dstHostList:*
FORWARD=socks://gwhost:gwport[/socksOpt]-_-*:dstHostList:srcHostList
FORWARD="ssltunnel://gwhost:gwport/-_-*:*:*"
FORWARD="direct-_-protoList:dstHostList:srcHostList"
FORWARD="noroute-_-protoList:dstHostList:srcHostList"
MOUNT="/* https://sslhost/*"
STLS=fsv:https:sslhost
FORWARD=ssltunnel://user:pass@proxyhost:8080-_-https:sslhost
ROUTE parameter* == ROUTE=proto://host:port/-_-dstHostList:srcHostList
-- default: none
Forwards requests from hosts in srcHostList
to the resources listed in dstHostList
toward the server at host:port
in proto protocol.
ROUTE is a generalized notation for MASTER and PROXY.
MASTER="host:port:dstHostList" is the abbreviation of
ROUTE="delegate://host:port/-_-dstHostList:*".
PROXY="host:port:dstHostList"
with SERVER=proto is equals to
ROUTE="proto://host:port/-_-dstHostList:*".
MASTER parameter* == MASTER=host:port[/masterControl][:dstHostList]
-- default: none
This parameter specifies an upstream generalist DeleGate (MASTER-DeleGate)
to which this DeleGate will forward requests.
Forwarding to a MASTER-DeleGate can be filtered
by postfixing ":dstHostList";
only request toward destination servers listed in dstHostList are
forwarded to the MASTER-DeleGate.
When multiple MASTERs are given, they are tried in order until connection
to a MASTER succeed.
cache -- use the MASTER only if cache hits in the MASTER
teleport -- make a persistent Teleport connection to the MASTER
MASTERP parameter == MASTERP=[host:port]
-- default: none
Invoke a MASTER-DeleGate private to this DeleGate.
HTTP-DeleGate working as a gateway to another protocol needs
MASTER-DeleGate to do connection cache for FTP and NNTP.
MASTERP may be specified with MASTER to force data caching at
the local host when the MASTER is running at a remote host.
RPORT parameter == RPORT={tcp|udp}[:host]
-- default: none
This parameter should be used together with MASTER parameter.
If specified, a connection (for response data transfer) from the
MASTER-DeleGate to this DeleGate is established separately from the
connection (for request data transfer) from the DeleGate to its
MASTER-DeleGate. A specified type of response connection will be
made from the MASTER toward the delegate at the specified host.
PROXY parameter* == PROXY=host:port[:dstHostList]
-- default: none
-- restriction: applicable to HTTP, FTP, Telnet
Specify an upstream proxy (specialist DeleGate or standard proxies)
to which the DeleGate should forward requests.
If dstHostList is specified, forwarding to the upstream proxy
is done only when the destination host is in the list.
Only HTTP, FTP, and Telnet specialist DeleGate can specify this parameter.
SERVER=http PROXY=proxyhost:8080:!*.localdomain
SERVER=ftp PROXY=proxyhost:proxyport
SOCKS parameter* == SOCKS=host[:[port][/socksOpt][:dstHostList[:srcHostList]]]
socksOpt == [ -4 | -r ]*
-- default: none
Specify to use Socks server on host. The server is expected
to recognize Socks version 5 protocol. If the server supports only
version 4, specify "-4" option like "SOCKS=host:port/-4".
The "-r" option controls which of DeleGate or Socks server does the name
resolution (from the host name of a target host to its IP address).
With a SocksV4 server, name resolution is done by DeleGate by default.
"-r" option make the resolution be delegated to the server
(This is applicable if the server supports extended Socks4A protocol).
With a SocksV5 server, name resolution is delegated to the server
by default, and "-r" option make the resolution be done locally by DeleGate.
By default, the connection establishment via Socks will be tried
after all of other trials failed, but you can control the order by
the CONNECT parameter.
If the dstHostList part is omitted, the default value for it is
"!.localnet". This default value can be changed
by redefining the named HostList ".socksdst"
which is predefined as HOSTLIST=".socksdst:!.localnet"
CONNECT=s,d
SOCKS="sockshost:1080:!.localnet,!*.my.domain"
SSLTUNNEL parameter == SSLTUNNEL=host:port
-- default: none
Use a HTTP proxy with the standard SSL tunneling feature
(on HTTP with CONNECT method)
running at host:port as a circuit level proxy
for target servers of arbitrary protocols.
VSAP parameter == VSAP=host:port
-- default: none
Specify a VSAP server to be used for accepting from clients or for
connecting to clients. VSAP is a remote socket mapping server
which enables servers to accept a TCP connection via a remote host
as well as to connect via a remote host.
// VSAP server
firewall% delegated -P8000 SERVER=vsap PORT=8080-8090
// accept via VSAP
to provide internal servers for external clients
internal% delegated -P8080@firewall:8000 ...
// connect via VSAP,
working as a proxy server for internal clients
internal% delegated -P8080 CONNECT="{vsap/firewall:8000}" ...
// accept and connect via VSAP server
internal% delegated -P8080 VSAP=firewall:8000 ...
CONNECT parameter* == CONNECT=connSeq[:connMap]
connSeq == connType[,connType]*
connType == cache|icp|proxy|master|https|vsap|direct|socks|udp
connMap == ProtoList[:dstHostList[:srcHostList]]
-- default: CONNECT="c,i,m,h,v,s,d:*:*:*"
This parameter controls the order of trials for connection to the
target server using several connection method as followings:
cache -- CACHE search (without connection)
icp -- via a PROXY hinted by ICP server
proxy -- via a PROXY server
master -- via a PROXY or a MASTER-DeleGate server
https -- via a SSLTUNNEL (SSL tunnel on HTTP)
vsap -- via a VSAP server
direct -- direct connection to the target server
socks -- via SOCKS servers
udp -- by UDP
None -- don't connect
If ProtoList and dstHostList are given, this control is applied only
to the protocols and hosts included in the lists. For example,
to use cached data in a host which is not connected to external networks,
specify as CONNECT="cache:*:!./@".
SRCIF parameter* == SRCIF=host[:[port][:connMap]]
connMap == ProtoList:dstHostList:srcHostList
-- default: SRCIF="*:*:*:*:*"
This parameter is useful for DeleGate running on a multi-homed host or
on a host behind a firewall with packet filtering.
SRCIF="*:0:ftp-data"
// use a random port number for FTP data connection
SRCIF="*:8020-8120:ftp-data"
// use a port number in the specified range
SRCIF="150.29.202.120:*:tcpbind"
// use the specified address to accept via SOCKS
SRCIF="150.29.202.120:*:udpbind"
// use the specified address to relay UDP on SOCKS
TUNNEL parameter == TUNNEL=tunnelType:script
tunnelType == tty7
-- default: none
If specified, communication with an upstream DeleGate will be tunneled
via the standard input/output of the command.
The tunnel can be made of any kind of channel,
a raw serial line for example,
as long as it provides bi-directional transmission on it.
Possibly it may be the channel to the DeleGate
which will be invoked from inetd at remote host.
TUNNEL=tty7:tunnel.shio
Example: make a tunnel with login dialogue
[content of tunnel.shio]
o rsh host delegated SERVER=tunnel1\n
i READY\r\n
=
TUNNEL=tty7:tunnel.shio
As shown in above examples, the first line in a SHIO-script file is
expected to be a shell command like "o command\n" to establish a
connection to a remote server.
Another way to establish a connection is putting "c host:port"
on the first line. No shell nor shell command is invoked in this case.
[content of tunnel.shio]
o telnet hostname\n
i login:
o username\n
i Password:
o password\n
i %
o delegated SERVER=tunnel1 \n
i READY\r
i \n
=
PERMIT parameter* == PERMIT=connMap
connMap == ProtoList:dstHostList:srcHostList
-- default: none
A PERMIT parameter specifies what kind of accesses should be
permitted by this DeleGate. An access will be permitted if the
access is from a client host included in srcHostList,
and to a server host included in dstHostList,
and with a protocol included in ProtoList.
PERMIT="*:*:.localnet"
PERMIT="http:www:*"
REJECT parameter* == REJECT=connMap
connMap == ProtoList:dstHostList:srcHostList
-- default: none
REJECT parameter specifies what kind of access is to be rejected
in the same syntax with PERMIT.
It can be more convenient than PERMIT
when cases to be rejected are exceptional and
are easier to describe than cases to be permitted.
REJECT="pop//DELE:mail-server:mail-client"
REJECT="imap//EXPUNGE:mail-server:mail-client"
REMITTABLE parameter == REMITTABLE=ProtoList
-- default: REMITTABLE="*" for generalist
-- default: REMITTABLE="." for specialist
Only protocols (to the server) listed in ProtoList will be permitted
by this DeleGate.
For generalist (a DeleGate with SERVER="delegate" parameter) any
protocols are permitted by default. For specialist, only the protocol
specified in the SERVER parameter (which can be represented by ".")
is permitted by default.
When the current destination server is determined by
a MOUNT parameter like
MOUNT="Path1 Proto://Server/Path2",
the protocol Proto is automatically allowed as a destination
protocol with Server, regardless of REMITTABLE restriction.
Note that "https" implies that non-HTTPS protocol on the SSLtunnel may
be detected and rejected.
If arbitrary protocol is to be relayed on the SSLtunnel,
specify "ssltunnel" instead of "https" like REMITTABLE="+,ssltunnel".
REACHABLE parameter* == REACHABLE=dstHostList
-- default: REACHABLE="*" (any host is reachable)
Only requests directed to the servers on the hosts (or networks)
listed in dstHostList will be accepted by the DeleGate.
When you use multiple REACHABLE parameters,
you must be certain of the meaning.
RELIABLE parameter* == RELIABLE=srcHostList
-- default: RELIABLE=".localnet"
Only requests sent from clients on hosts (or networks)
listed in srcHostList
will be accepted by the DeleGate.
By default, only accesses from client hosts on networks
local to the host of the DeleGate (.localnet)
are permitted.
RELAY parameter* == RELAY=relayTypeList[:connMap]
relayTypeList == relayType[,relayType]*
relayType == proxy | delegate | vhost | no | nojava | noapplet
connMap == ProtoList:dstHostList:srcHostList
-- default: RELAY="delegate,vhost,nojava:*:*:.localnet"
RELAY="proxy:*:*:*"
This parameter controls in which way the DeleGate works as a HTTP server.
DeleGate as a HTTP proxy server works in two ways (proxying modes):
as a standard (CERN compatible) HTTP proxy which accepts full URL
in a request ("proxy" relayType),
and as a DeleGate original proxy which accepts
/-_-URL in a request
and rewrites URLs in the response ("delegate" relayType).
In a full specification format with ":connMap",
available proxying modes
can be classified by combination of server protocol, server host and
client host.
RELAY=no ... do not work as a proxy (origin server only)
RELAY=proxy ... CERN compatible mode only
RELAY=delegate ... DeleGate mode only (/-_-URL)
RELAY=proxy,delegate ... both CERN and DeleGate mode
RELAY=proxy,noapplet ... inhibit <APPLET> tag to be relayed by proxy
Both "proxy" and "delegate" modes are allowed to users on ".localnet",
while only "proxy" mode is allowed to other users.
AUTH parameter* == AUTH=what:authProto:who
-- default: none
Authorize who to do what.
Authentication of user will be done using protocol specified in
authProto.
Identification about "who the client's user is"
is done based on Identification protocol to the client host
if it supports the protocol.
Otherwise FTP-server may be used as an authentication server.
Given a set of User, Host and Password,
DeleGate tries to login to the (FTP) server on Host
with User and Password.
If succeed, then the client is authenticated to be
User@Host.
A DeleGate of arbitrary protocol (regardless of SERVER=protocol)
can have a port for remote administration
by specifying a port devoted to administration with "/admin" modifier like
"-PuserPort,adminPort/admin" option.
Example:
SERVER=pop -P110,9110/admin AUTH=admin::admin:password
The URL for remote administration of this DeleGate (as a POP proxy) is
"https://delegateHost:9110/-/admin/"
The E-mail address must be in the form of user@host,
otherwise (if the host part is not given) the FTP login is
rejected by DeleGate.
HTTP-DeleGate asks anonymous users to declare his/her E-mail address
as Username part in Authorization.
If passWord field is specified as "*" (i.e. AUTH="anonftp:*:*"),
then any Password in the Authorization will be acceptable.
In FTP-DeleGate, the E-mail address must be given as a password (in PASS
command) for the anonymous user, and the password is used for matching
with passWord too.
The second field must be "*" in current implementation.
Example:
ident -- Identification protocol [default]
pauth -- Use Proxy-Authorization field "user@host:password"
auth -- Use Authorization field "user@host:password"
AUTH=proxy:auth PERMIT="*:*:{*,!?}@*"
Note:
// Any user at any host is allowed as long as he/she is identified.
When the client does not support Proxy-Authentication,
you are obliged to use "proxy:auth" for Authentication.
In such case, note that the client cannot access
resources which requires Authentication.
AUTHORIZER parameter* == AUTHORIZER=authServList[@realmValue][:connMap]
authServList == authServ[,authServ]* | & | *
authServ == authHost[/portNum][(reprUser)]
authHost == hostName | hostAddr
realmValue == word | {words separated with space}
connMap == ProtoList:dstHostList:srcHostList
-- default: none
-- restriction: applicable to Telnet, FTP, NNTP, SMTP, IMAP, Socks, SockMux, and HTTP
Specify the server for authentication and authorization ("auth-server").
If specified, an access by a client is not permitted without
authenticated successfully by the auth-server,
sending an appropriate pair of user-name and pass-word
over the application protocol.
Two special authServ "-none" and "-never" are exceptions
to make authentication unnecessary.
If authServ is followed by "(reprUser)", the users
successfully authenticated in the authServ are represented by
reprUser as a representative user.
// a HTTP proxy or server with the Digest authentication with clients.
SERVER=http AUTHORIZER=-dgauth
// a POP proxy which uses APOP authentication with clients.
SERVER=pop MOUNT="* pop://server/*" AUTHORIZER=-dgauth
Note that most of PAM authentications need to be executed under the
privilege of superuser on Unix (with OWNER="root" option).
But you can avoid running your DeleGate with superuser privilege by
installing external program "dgpam" under DGROOT/subin/.
Also PAM authentication can be delegated to a remote
PAM server.
AUTHORIZER="-list{u1:p1,u2:p2}(local),-pam,-none(anonymous)"
// a user may be authenticated as "local" or as some user name in PAM,
// or "anonymous" otherwise
AUTHORIZER="-cmd{myauth %U}{MYPASS=%P}"
#!/bin/sh
if [ "$1" = "user1" -a "$MYPASS" = "pass1" ]; then
echo "230 SUCCESS"
else
echo "530 FAILURE"
fi
"&" -- the client host (user name on the client host is required)
"*" -- any authHost specified by the client as "user@authHost"
// clients from outside of local.domain is required authentication
SERVER=telnet AUTHORIZER="&:::!*.local.domain"
// any clients is allowed if the user is authenticated with localhost
SERVER=telnet AUTHORIZER="localhost" RELIABLE="*"
// using DeleGate's own list of "-socksusers" maintained with
"-Fauth"
SERVER=socks AUTHORIZER=-socks.users
MYAUTH parameter* == MYAUTH=username:password[:connMap]
-- default: none
-- restriction: applicable to Socks, VSAP, SMTP, and HTTP
Specify authorization information to be sent to an upstream server/proxy.
Special characters in username or password must be escaped
with "%XX" where XX is hexadecimal representation of
a character code (see ascii(7)).
Special characters to be escaped are:
TAB ("%09"), SPACE ("%20"), '"' ("%22"), '%' ("%25"), ':' ("%3A"),
'{' ("%7B"), and '}' ("%7D").
MYAUTH=userS:passS:socks
MYAUTH=userV:passV:vsap
MYAUTH=userM:passM:smtp:smtpserverM
MYAUTH=userH:passH:http:httpserverH
MYAUTH=userP:passP:http-proxy:httpproxyP
RIDENT parameter == RIDENT=ridentType[,ridentType]*
ridentType == client | server
-- default: none
If RIDENT="server" is specified, identification information about the
client socket got by getsockname(2) and getpeername(2) will be
forwarded to the PROXY or MASTER-DeleGate which will receive the
information by RIDENT="client", and will use it for access control.
A DeleGate server with RIDENT="client" can accept both from DeleGate
with RIDENT="server" and other proxy servers with no RIDENT support.
An intermediate DeleGate in a chain of cascaded DeleGate servers
should be given RIDENT="client,server".
host1# delegated -P8080 RIDENT=server MASTER=host2:8080
host2# delegated -P8080 RIDENT=client
MAXIMA parameter* == MAXIMA=what:number,...
-- default: MAXIMA=listen:20,ftpcc:2,...
Specify the maximum number of resource usage, processes, connections, etc.
randstack -- randomization range of stack base for security [32]
randenv -- randomization range of environment variables base [1024]
randfd -- randomization range of client socket file-descriptor [32]
listen -- max. size of the queue for entrance port [20]
delegated -- max. number of DeleGate processes runnable at a time [64]
service -- max. number of services per delegated process [unlimited]
standby -- max. number of standby process [16]
conpch -- max. number of connections at a time per client host [unlimited]
ftpcc -- max. number of FTP connection cache servers to a host [16]
nntpcc -- max. number of NNTP connection cache processes to a host[16]
http-cka --
(replaced by HTTPCONF=max-cka)
http-ckapch --
(replaced by HTTPCONF=max-ckapch)
udprelay -- max. number of parallel UDPrelay client [256]
winmtu -- max. unit of send() on Win32 [1024]
TIMEOUT parameter* == TIMEOUT=what:seconds,...
-- default: TIMEOUT=dns:10,acc:10,con:10,lin:30,...
Specify timeout period (in seconds by default) of what.
The timeout value "0" means "never timeout" (unlimited).
The unit of period is second by default,
but can be changed like 1d(day), 1h(hour), 1m(minute).
DELAY parameter* == DELAY=what:seconds
-- default: DELAY=reject:60,unknown:60,...
Delay for specified seconds before doing what.
reject -- continuous Reject resp. from self or MOUNTed servers [60]
unknown -- continuous Unknown resp. from self or MOUNTed servers [60]
reject_p -- continuous Reject resp. from origin server [0]
unknown_p -- continuous Unknown resp. from origin server [0]
MOUNT parameter* == MOUNT="vURL rURL [MountOptions]"
-- default: MOUNT="/* SERVER_URL*"
Map vURL to/from the rURL.
URLs matches with vURL in a request message from a client
are rewritten to rURL and forwarded to a server, and
URLs matches with rURL in a response message from the server
is rewritten to vURL and forwarded to the client.
What is rewritten by MOUNT in each protocol is like follows:
MOUNT="/abc/* http://host/*"
// rewrites "/abc/def" to/from "http://host/def"
MOUNT="/x/* vurl:/f/x/*"
MOUNT="/y/* vurl:/f/y/*"
MOUNT="/f/* ftp://server/*"
// "/x/path" is rewritten to "ftp://server/x/path"
// "ftp://server/x/path" is rewritten to "/f/x/path"
// DeleGate's parameters: SERVER=http -Pdhost:9080 ...
// Requested URL: http://vhost:9080/x/
MOUNT="/x/* =://=:=/y/*" -> http://vhost:9080/y/
MOUNT="/x/* ///y/*" -> (the abbreviation of the above)
MOUNT="/x/* //-P/y/*" -> http://dhost:9080/y/
MOUNT="/x/* =://serv/y/*" -> http://serv:80/y/
MOUNT="/x/* //serv/y/*" -> (the abbreviation of the above)
MOUNT="/x/* //serv:=/y/*" -> http://serv:9080/y/
MOUNT="/x/* //=:9088/y/*" -> http://vhost:9088/y/
MOUNT="/x/* https://=/y/*" -> https://vhost:443/y/
// Requested URL: http://dhost/x/abc/def
MOUNT="/x/*%S/%S ///y/*%S.%S" -> http://dhost/y/abc.def
MOUNT="/x/*%S/%S ///y/*%(1)/%(0)" -> http://dhost/y/def/abc
MOUNT="/x/*%1[a-z]%S http://w/*%S/%S" -> http://w/a/bc/def
MountOptions == option[,option]*
MountOptions is a list of options, to make MOUNT be conditional,
or to apply some functions only to MOUNTed URLs.
Some of them are common to any protocol
and others are specific to a protocol (
HTTP,
NNTP
).
Note that this option is applicable to any client side protocol, that is,
not only HTTP-DeleGate but also DeleGate for FTP, POP, NNTP, etc. can
switch destination server based on the client side interface if
its has an IP address distinguishable from others.
When the DeleGate is acting as an origin HTTP server and a virtual
host name is shown in "Host: host" field in the request message,
the virtual name is examined prior to the real host name. If
multiple virtual names are bound to the same IP-address,
prefix "-" to the virtual hostname like "host=-hostname" to
distinguish among virtual names.