1# The desctiption of the structure and content of the config file 2 3## Empty lines, comments and commands 4 5The configuration file is processed line by line. Each line can be: 6 7* an empty line, i.e. does not contain anything but whitespace characters; 8* A comment. A comment is a line, where the first non-space character is a trellis `#`. 9* command. A string whose first nonwhite character is different from `#` character is considered a command. 10 11For example: 12``` 13# A comment with several empty lines below. 14 15 16 # This is also a comment. 17 # # # ##### And this is a comment too. 18 19# The next line is a command. 20log_level debug 21 22# Yet more commands below. 23bandlim.in 500kib 24bandlim.out 500kib 25acl.max.conn 1000 26``` 27 28**Note.**The comment must occupy the entire line. You cannot put comments on the same line as the command. For example, here is a valid comment: 29``` 30# No limits. 31bandlim.in 0 32``` 33But this is wrong: 34``` 35bandlim.in 0 # No limits. 36``` 37because in that case `# No limits` will be treated as a part of `bandlim.in` commands, and will cause a parsing error. 38 39## Repeated commands 40 41If a command is specified several times then each subsequent occurrence of the command replaces the value given by the previous occurrence. For example: 42 43``` 44bandlim.in 100 45 46bandlim.out 256kib 47 48bandlim.in 100kib 49 50bandlim.in 5mib 51``` 52 53In that case the the result value for `bandlim.in` will be 5MiB, all the previous values will be ignored. 54 55The exceptions are `acl` and `nserver` commands. 56 57## An example of config file 58 59``` 60# Set the log level. 61log_level trace 62 63# Set default bandwidth limits. 64# Those values will be used if a user has no personal limits. 65bandlim.in 700kib 66bandlim.out 700kib 67 68# IPs of name servers to use. 69nserver 8.8.8.8, 8.8.4.4, 1.1.1.1 70 71# Max number of parallel active connections to a single ACL. 72acl.max.conn 150 73 74# Size of I/O buffer for data transfer. 75acl.io.chunk_size 4kib 76 77# A list of denied ports. Users can't connect to those ports on target hosts. 78denied_ports 25, 83, 100-110, 465, 587 79 80# List of ACL. 81acl socks, port=3010, in_ip=127.0.0.1, out_ip=192.168.100.1 82acl socks, port=3011, in_ip=127.0.0.1, out_ip=192.168.100.1 83``` 84 85## Config file commands 86 87### acl 88 89Defines a single ACL. Every occurrence of ACL command defines a new ACL. 90 91Format: 92``` 93acl <TYPE>, <PARAMETERS> 94``` 95Where TYPE can have one of the following values: 96 97* `auto`. The type of the protocol will be detected automatically; 98* `socks`. ACL will serve only SOCKS5 protocol; 99* `http`. ACL will serve only HTTP/1.1 protocol. 100 101Parameters: 102 103* `port`. TCP-port for accepting incoming connections from users; 104* `in_ip`. IPv4 address for accepting incoming connections from users; 105* `out_ip`. IP address to be used as the source for outgoing connections. It can be either an IPv4 or IPv6 address. 106 107Parameters are specified in the format `name=value` and are separated by commas. 108 109The order of parameters after TYPE isn't significant. 110 111**Attention.** Every `acl` command should have an unique pair `in_ip` and `port`. 112 113Example: 114 115``` 116acl socks, port=8000, in_ip=127.0.0.1, out_ip=192.168.100.1 117acl auto, in_ip=192.168.100.1, port=3000, out_ip=192.168.100.1 118``` 119 120### acl.io.chunk_count 121 122Specifies a number of I/O buffers to be used for data transfer between a user and the target host. 123 124Format: 125``` 126acl.io.chunk_count UINT 127``` 128 129The value can be zero. 130 131Note that this number of buffers is created for each connection. That is, `chunk_count` of buffers will be created to serve the connection between the client and arataga. And the same number will be created to serve the connection between arataga and the target node. In fact, during normal operation, after all connections have been established and after data transfer has started, `chunk_count*2` of I/O buffers will be used. 132 133The default value is 4. 134 135This command is available since version 0.2.0. 136 137### acl.io.chunk_size 138 139Specifies the size in bytes for I/O buffers used for data transfer between a user and the target host. 140 141Format: 142``` 143acl.io.chunk_size UINT[suffix] 144``` 145 146where *suffix* is an optional suffix that denotes the units of measure: 147 148* if there is no suffix then the value is specified in bytes. For example: `acl.io.chunk_size 1024000`; 149* `b`, the value is specified in bytes. It means that `acl.io.chunk_sise 20000` is the same as `acl.io.chunk_size 20000b`; 150* `kib`, the value is specified in kibibytes (KiB, 1024 bytes in a kibibyte). For example, `acl.io.chunk_size 100kib` is the same as `acl.io.chunk_size 102400b`; 151* `mib`, the value is specified in mebibytes (MiB, 1048576 bytes in a mebibyte, or 1024 kibibytes). For example, `acl.io.chunk_size 5MiB` is the same as `acl.io.chunk_size 5242880b`, or `acl.io.chunk_size 5120kib`; 152* `gib`, the value is specified in gibitypes (GiB, 1073741824 bytes in a gibibyte, or 1024 mebibytes). 153 154The value can't be zero. 155 156**Note:** During the process of connecting a client to an ACL, there may be several exchanges between the client and the ACL as long as the client is authenticated. During these exchanges, intermediate I/O buffers are used, the size of which is determined based on the client protocol. After the client is successfully authenticated and a connection to the remote host is established, the ACL begins to use the I/O buffers for the main data exchange. And just the size of these buffers is set by the `acl.io.chunk_size` parameter. 157 158The larger the value of `acl.io.chunk_size`, the more efficiently large amounts of data will be transferred. But the more memory the ACL will consume as the number of simultaneous connections increases. 159 160The default value is 8kib. 161 162### acl.max.conn 163 164Specifies the max number of active parallel connections for one ACL. 165 166Format: 167``` 168acl.max.conn UINT 169``` 170 171When the number of simultaneously accepted connections reaches the value set in `acl.max.conn`, accepting new connections to this ACL is paused until the number of connections drops below the threshold set in `acl.max.conn`. 172 173The value can't be zero. 174 175The default value is 100. 176 177### bandlim.in 178 179Specifies the bandwidth limit for data from the target host to a user (incoming data for the user). That limit is used if a user hasn't the personal limit for incoming data. 180 181Format: 182``` 183bandlim.in UINT[suffix] 184``` 185 186where *suffix* is an optional suffix that denoted the units of measure: 187 188* `b` for bytes per second. Thus, value `bandlim.in 300000b` means the limit 300000 bytes per second; 189* `kib` for kibibytes per second. Value `bandlim.in 30kib` means the limit 30kib or 30720 bytes per second; 190* `mib` for mebibytes per second. Value `bandlim.in 2mib` means the limit 2mib (or 2040kib or 2088960 bytes) per second; 191* `gib` for gibibytes per second. Value `bandlim.in 1gib` means the limit 1gib (or 1024mib, or 1048576kib, or 1073741824 bytes) per second; 192* `kibps` for kibibits per second. Thus, value `bandlim.in 300kibps` means 307200 bits/sec or 38400 bytes/sec; 193* `mibps` for mebibits per second. Thus, value `bandlim.in 5mibps` means 5242880 bits/sec or 655360 bytes/sec; 194* `gibps` for gibibits per second. Thus, value `bandlim.in 1gibps` means 1073741824 bits/sec or 134217728 bytes/sec (131072 kibibytes/sec or 128 mebibytes/sec); 195* `kbps` for kilobits per second. Value `bandlim.in 300kpbs` means 300000 bits/sec or 37500 bytes/sec (~37 kibibytes/sec); 196* `mpbs` for megabits per second. Value `bandlim.in 5mpbs` means 5000000 bits/sec or 625000 bytes/sec (~610 kibibytes/sec); 197* `gpbs` for gigabits per second. Value `bandlim.in 1gbps` means 1000000000 bits/sec or 125000000 bytes/sec (~122070 kibibytes/sec or ~119 mebibytes/sec). 198 199Value 0 means that there is no bandwidth limit for incoming data for a user. 200 201Default value 0. It means that if `bandlim.in` isn't specified then there is no bandwidth limit for incoming data for a user. 202 203### bandlim.out 204 205Specifies the bandwidth limit for data from a user to the target host (outgoing data from the user). That limit is used if a user hasn't the personal limit for outgoing data. 206 207Format: 208``` 209bandlim.out UINT[suffix] 210``` 211 212where *suffix* is an optional suffix that denotes units of measure (see the description of `bandlim.in` command for more details). 213 214Value 0 means that there is no bandwidth limit for outgoing data from a user. 215 216Default value 0. It means that if `bandlim.in` isn't specified then there is no bandwidth limit for outgoing data from a user. 217 218### denied_ports 219 220Specifies a list of denied ports. Users can't connect to those ports on remote hosts. 221 222The list can contain separate port numbers and ranges. All values must be separated by commas. 223 224For example: 225``` 226denied_ports 25, 83, 100-110, 465, 587 227``` 228 229This list is empty by default. 230 231### dns_cache_cleanup_period 232 233Specifies the period of cleaning the cache with DNS lookup results. 234 235Format: 236``` 237dns_cache_cleanup_period UINT[suffix] 238``` 239 240where *suffix* is an optional suffix that denotes units of measure: `ms`, `s` or `min`. If *suffix* isn't present then the value is treated as being specified in seconds. 241 242Default value: 30s. 243 244### http.limits.field_name 245 246Specifies the max allowed length of HTTP header field name. 247 248If arataga detects a HTTP header field that name is longer than the value of `http.limits.field_name` then the processing of such HTTP request/response will be cancelled. 249 250Format: 251``` 252http.limits.field_name UINT[suffix] 253``` 254 255where optional *suffix* denotes units of measure: `b`, `kib`, `mib` or `gib`. If *suffix* isn't present then the value is treated as being specified in bytes. 256 257Default value: 2KiB. 258 259### http.limits.field_value 260 261Specifies the max allowed length of HTTP header field value. 262 263If arataga detects a HTTP header field that value is longer than the value of `http.limits.field_value` then the processing of such HTTP request/response will be cancelled. 264 265Format: 266``` 267http.limits.field_value UINT[suffix] 268``` 269 270where optional *suffix* denotes units of measure: `b`, `kib`, `mib` or `gib`. If *suffix* isn't present then the value is treated as being specified in bytes. 271 272Default value: 10KiB. 273 274### http.limits.request_target 275 276Specifies the max allowed length of request-target in the start line of an incoming HTTP request. 277 278If arataga detects a request-target that value is longer than the value of `http.limits.request_target` then the processing of such HTTP request will be cancelled. 279 280Format: 281``` 282http.limits.request_target UINT[suffix] 283``` 284 285where optional *suffix* denotes units of measure: `b`, `kib`, `mib` or `gib`. If *suffix* isn't present then the value is treated as being specified in bytes. 286 287Default value: 8KiB. 288 289### http.limits.status_line 290 291Specifies the max allowed length of status-line in an incoming HTTP response. 292 293If arataga detects a status-line that value is longer than the value of `http.limits.status_line` then the processing of such HTTP response will be cancelled. 294 295Format: 296``` 297http.limits.status_line UINT[suffix] 298``` 299 300where optional *suffix* denotes units of measure: `b`, `kib`, `mib` or `gib`. If *suffix* isn't present then the value is treated as being specified in bytes. 301 302Default value: 1KiB. 303 304### http.limits.total_headers_size 305 306Specifies the max allowed total size of all HTTP header fields. 307 308If arataga detects that the total size of all HTTP header fields is greater than the value of `http.limits.total_headers_size` then the processing of such HTTP request/response will be cancelled. 309 310Format: 311``` 312http.limits.total_headers_size UINT[suffix] 313``` 314 315where optional *suffix* denotes units of measure: `b`, `kib`, `mib` or `gib`. If *suffix* isn't present then the value is treated as being specified in bytes. 316 317Default value: 80KiB. 318 319### log_level 320 321Specifies the minimal severity level for messages to be stored in log. 322 323Log messages with that level or a more highest level will be stored in log, 324 all other messages will be ignored. 325 326Format: 327``` 328log_level <LEVEL> 329``` 330 331where LEVEL can be `trace`, `debug`, `info`, `warn`, `error`, `crit`. 332 333Special value `off` turns the logging off. 334 335By default the value for arataga's command line is used. 336 337If `log_level` is set in the config then its value overrides the value from the command line. 338 339### nserver 340 341Enumerates IPv4 addresses of name servers to use. 342 343**Mandatory command.** At least one `nserver` command must be specified in the config file. 344 345Format: 346``` 347nserver <IPv4>[, <IPv4>[, <IPv4> [...]]] 348``` 349 350There could be several `nserver` commands in the config file. Values from all of them are grouped into one list. For example: 351 352``` 353nserver 8.8.8.8, 8.8.4.4 354nserver 9.9.9.9 355nserver 1.1.1.1, 1.0.0.1 356``` 357 358In that case arataga will use list of 5 IP-addresses: 8.8.8.8, 8.8.4.4, 9.9.9.9, 1.1.1.1, 1.0.0.1. 359 360*Note.* Since v.0.4. 361 362### timeout.authentification 363 364Specifies the maximum time to wait for an authentication result. 365 366If no response is received to the time specified in `timeout.authentification`, the client is considered unauthenticated and will be disconnected. 367 368Format: 369``` 370timeout.authentification UINT[suffix] 371``` 372 373where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 374 375If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 376 377The default is 1500ms. 378 379### timeout.connect_target 380 381Specifies the maximum time to wait for the result of connection to the target host. 382 383If the `timeout.connect_target` timeout fails to connect to the target host, a negative result is sent to the client. 384 385Format: 386``` 387timeout.connect_target UINT[suffix] 388``` 389 390where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 391 392If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 393 394The default is 5s. 395 396### timeout.dns_resolving 397 398Sets the maximum time to wait for the result of a DNS lookup for the target host. 399 400If during `timeout.dns_resolving` the IP address could not be found by the domain name, a negative result is sent to the user. 401 402Format: 403``` 404timeout.dns_resolving UINT[suffix] 405``` 406 407where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 408 409If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 410 411The default is 4s. 412 413### timeout.failed_auth_reply 414 415Specifies the delay time before sending a negative authentication result. 416 417If the client failed to authenticate, the negative result can be sent to the client not immediately, but after a specified time (to prevent, for example, simple password brute-forcing attempts). The size of this pause is set with the `timeout.failed_auth_reply` command. 418 419Format: 420``` 421timeout.dns_resolving UINT[suffix] 422``` 423 424where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 425 426If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 427 428The default is 750ms. 429 430### timeout.http.headers_complete 431 432Specifies the maximum time to wait for the client to finish reading all headers of an incoming HTTP request. 433 434If all headers were not read within the allotted time (for example, the client stopped sending data from its side or sends it at a very low speed), the client is sent a 408 Request Timeout response and the incoming connection is closed. 435 436Format: 437``` 438timeout.http.headers_complete UINT[suffix] 439``` 440 441where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 442 443If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 444 445The default is 5s. 446 447### timeout.http.negative_response 448 449Specifies the maximum time to send a negative response to a user. 450 451If a user sent a request that cannot be processed, a negative response is sent to the user. A limit is imposed on the sending time of this response. If the response was not sent within the allotted time (for example, the user stopped reading the data), the connection is forcibly closed. 452 453Format: 454``` 455timeout.http.negative_response UINT[suffix] 456``` 457 458where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 459 460If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 461 462The default is 2s. 463 464### timeout.idle_connection 465 466Specifies the maximum idle time for connections with no activity. 467 468If there is no incoming data from either side during the time specified in `timeout.idle_connection`, the connection is forcibly closed. 469 470Format: 471``` 472timeout.idle_connection UINT[suffix] 473``` 474 475where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 476 477If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 478 479The default is 5min. 480 481### timeout.protocol_detection 482 483Specifies the maximum time for the ACL to determine which protocol a user will use. 484 485If in the time specified in `timeout.protocol_detection` the client has not sent enough bytes to determine the communication protocol, the connection is forcibly closed. 486 487This value protects against situations where the client connects and does not send any data. Or it sends them at a very slow rate (e.g., 1 byte per minute). 488 489Format: 490``` 491timeout.protocol_detection UINT[suffix] 492``` 493 494where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 495 496If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 497 498The default is 3s. 499 500### timeout.socks.bind 501 502Sets the maximum time that a connection from both sides must be established when the SOCKS BIND command is executed. 503 504When the SOCKS BIND command is executed, a new server socket is opened on the ACL line and its address is returned to the client. A new connection must be made from the target node to this server socket. The SOCKS BIND command can then be considered executed and the client can exchange data with the remote host. 505 506If the time specified in `timeout.socks.bind ` has not made a new connection from the target node, the client is sent a negative result of the command SOCKS BIND. And the connection to the client is forcibly closed. 507 508Format: 509``` 510timeout.socks.bind UINT[suffix] 511``` 512 513where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 514 515If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 516 517The default is 20s. 518 519### timeout.socks.handshake 520 521Specifies the maximum time for the client to complete the SOCKS5 connection procedure. That is, the client must send the authentication method, then authenticate and send the CONNECT (or BIND) command. 522 523If in the time specified in `timeout.socks.handshake` the client has not sent enough bytes to establish a normal SOCKS connection, the connection is forcibly closed. 524 525This value protects against situations where the client connected sends data at a very slow rate (e.g., 1 byte per second). 526 527Format: 528``` 529timeout.socks.handshake UINT[suffix] 530``` 531 532where the optional *suffix* denotes the unit of measure in which the value is specified: `ms`, ``s` or `min`. If *suffix* is not specified, the unit is seconds. 533 534If the suffix is specified, it must be written in lowercase letters. For example: 1200ms, 15s, etc. 535 536The default is 5s. 537 538