#
# SECTION       <VARIABLES AND FLAGS>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
#  TAG: set
#
#       set option name:
#
#       SS5_DNSORDER    		->   order dns answer
#       SS5_VERBOSE       		->   enable verbose output to be written into logfile
#       SS5_DEBUG         		->   enable debug output to be written into logfile
#       SS5_CONSOLE        		->   enable web console
#       SS5_ATIMEOUT       		->   for future uses
#       SS5_STIMEOUT       		->   set session idle timeout (default 1800 seconds,
#                                                         0 for infinite)
#       SS5_LDAP_TIMEOUT   		->   set ldap query timeout
#       SS5_LDAP_BASE      		->   set BASE method for profiling (see PROFILING section)
#                                    	     It is default option!
#       SS5_LDAP_FILTER   		->   set FILTER method for profiling (see PROFILING
#                                            section)
#       SS5_SRV   	    		->   enable ss5srv admin tool
#       SS5_PAM_AUTH       		->   set PAM authentication
#       SS5_RADIUS_AUTH    		->   set RADIUS authentication
#       SS5_RADIUS_INTERIM_INT       	->   set interval beetwen interim update packet
#       SS5_RADIUS_INTERIM_TIMEOUT   	->   set interim response timeout 
#       SS5_AUTHCACHEAGE   		->   set age in seconds for authentication cache
#       SS5_AUTHOCACHEAGE  		->   set age in seconds for authorization cache
#       SS5_STICKYAGE      		->   set age for affinity
#       SS5_STICKYSESSION  		->   enable affinity session
#       SS5_SUPAKEY        		->   set SUPA secret key (default SS5_SERVER_S_KEY)
#       SS5_ICACHESERVER   		->   set internet address of ICP server
#       SS5_GSS_PRINC      		->   set GSS service principal
#       SS5_PROCESSLIFE    		->   set number of requests process must servs before 
#                                    	     closing
#       SS5_NETBIOS_DOMAIN 		->   enable netbios domain mapping with directory store, 
#                                    	     during autorization process
#       SS5_SYSLOG_FACILITY		->   set syslog facility
#       SS5_SYSLOG_LEVEL		->   set syslog level
#
# ///////////////////////////////////////////////////////////////////////////////////

#
# SECTION 	<AUTHENTICATION>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
#  TAG: auth
#
# 	auth source host, source port, authentication type
#
# 	Some examples:
#
# 	Authentication from 10.253.8.0 network
#   		auth 10.253.8.0/22 - u
#
# 	Fake authentication from 10.253.0.0 network. In this case, ss5 request 
#	authentication but doesn't check for password. Use fake authentication 
#	for logging or profiling purpose.
#   		auth 10.253.0.0/16 - n
#
# 	Fake authentication: ss5 doesn't check for correct password but fetchs 
#	username for profiling.
#   		auth 0.0.0.0/0 - n
#
#  TAG: external_auth_program
#
# 	external_auth_program program name and path 
#
# 	Some examples:
#
# 	Use shell file to autheticate user via ldap query
#   		external_auth_program /usr/local/bin/ldap.sh
#
#  TAG: RADIUS authentication could be used setting SS5_RADIUS_AUTH option and 
#       configuring the following attributes:
#
#       radius_ip               (radius address)
#       radius_bck_ip           (radius secondary address)
#       radius_auth_port        (radius authentication port, DFAULT = 1812)
#       radius_acct_port        (radius authorization  port, DFAULT = 1813)
#       radius_secret           (secret password betw
#
#
#
# ///////////////////////////////////////////////////////////////////////////////////
#       SHost           SPort           Authentication
#
#auth    0.0.0.0/0               -               -


#
# SECTION 	<BANDWIDTH>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
#  TAG: bandwidth
#
# 	bandwidth group, max number of connections, bandwidth, session timeout 
#
# 	Some examples:
#
# 	Limit connections to 2 for group Admin
#   		bandwidth Admin 2 - -
#
# 	Limit bandwidth to 100k for group Users
#   		bandwidth Users - 102400 -
#
#       note: if you enable bandwith profiling per user, SS5 use this value instead of
#             value specified into permit directive.
#
# ///////////////////////////////////////////////////////////////////////////////////
#                   Group          MaxCons     Bandwidth   Session timeout
#       bandwidth   grp1           5           -           -

#
# SECTION	<PROXIES>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
#  TAG: proxy/noproxy
#
#	proxy/noproxy dst host/network, dst port, socks proxy address, port address, ver
#
#	Some examples:
#
#	Proxy request for 172.0.0.0 network to socks server 10.253.9.240 on port 1081: 
#
#   	if authentication is request, downstream socks server have to  check it; 
#   	if resolution is request, downstream socks server does it before proxying 
#	the request toward the upstream socks server.
#   		proxy 172.0.0.0/16 - 10.253.9.240 1081
#
#       SS5 makes direct connection to 10.253.0.0 network (in this case, port value is not 
#       verified) without using upstream proxy server
#   		noproxy 0.0.0.0/0 - 10.253.0.0/16 1080 -
#
# ///////////////////////////////////////////////////////////////////////////////////
#       	DHost/Net		DPort	DProxyip	DProxyPort SocksVer
#
#	proxy	0.0.0.0/0		-	1.1.1.1		-	   -

#
# SECTION       <DUMP>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
#  TAG: dump
#
#       dump host/network, port, s/d (s=source d=destination), dump mode (r=rx, t=tx, b=rx+tx)
#
#       Some examples:
#
#       Dump traffic for 172.30.1.0 network on port 1521:
#
#       if authentication is request, downstream socks server have to  check it;
#       if resolution is request, downstream socks server does it before proxying
#       the request toward the upstream socks server.
#               dump 172.30.1.0/24 1521 d b
#
# ///////////////////////////////////////////////////////////////////////////////////
#              DHost/Net               DPort   Dir 	Dump mode (r=rx,t=tx,b=rx+tx)
#
#       dump   0.0.0.0/0               -       d	t

#
# SECTION	<ACCESS CONTROL>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
#
#  TAG: permit/deny
#	permit/deny src auth flag, host/network, src port, dst host/network, dst port, 
#	fixup, group, bandwidth (from 256 bytes per second to 2147483647), expdate
#
#	Some examples:
#
# 	FTP Control + Passive Mode
#		permit - 0.0.0.0/0 - 172.0.0.0/8 21 - - - -
#
#	FTP DATA Active Mode
#		permit - 0.0.0.0/0 	- 172.0.0.0/8 	21 	- - - -
#		permit - 172.0.0.0/8 	- 0.0.0.0/0 	- 	- - - -
#
#	Query DNS
#		permit - 0.0.0.0/0 - 172.30.0.1/32 53 - - - -
#
#	Http + fixup
#		permit - 0.0.0.0/0 - www.example.com 80 http - - -
#
#	Http + fixup + profile + bandwidth (bytes x second)
#		permit - 0.0.0.0/0 - www.example.com 80 http admin 10240 -
#
#	Sftp + profile + bandwidth (bytes x second)
#		permit - 0.0.0.0/0 - sftp.example.com 22 - developer 102400 -
#
#	Http + fixup 
#		permit - 0.0.0.0/0 - web.example.com 80 - - - -
#
#	Http + fixup + user autentication required with expiration date to 31/12/2006
#		permit u 0.0.0.0/0 - web.example.com 80 - - - 31-12-2006
#
#	Deny all connection to web.example.com
#		deny - 0.0.0.0/0 - web.example.com - - - - -
#
#
# /////////////////////////////////////////////////////////////////////////////////////////////////
#      Auth	SHost		SPort	DHost		DPort	Fixup	Group	Band	ExpDate
#
#permit -	0.0.0.0/0	-	0.0.0.0/0	-	-	-	-	-	



#
# SECTION	<PROFILING>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# 
#	1) File profiling:
#
#	ss5 look for a file name specified in permit line in the /etc/ss5 directory. 
#	This file must contain user members. File profiling is the default option.
#
#	2) Ldap profiling:
#
#	ldap_profile_ip     	(directory internet address) 
#	ldap_profile_port   	(directory port) 
#	ldap_profile_base   	(ss5 replaces % with "group specified in permit line"
#				if SS5LDAP_BASE if specified, otherwise if 
#				SS5LDAP_FILTER is specified,  it uses base and search
#				for group as attribute in user entry; see examples)
#	ldap_profile_filter 	(ss5 uses filter for search operation)
#	ldap_profile_dn     	(directory manager or another user authorized to 
#				query the directory)
#	ldap_profile_pass   	("dn" password)
#	ldap_netbios_domain	(If SS5_NETBIOS_DOMAIN option is set, ss5 map netbios 
#                                domain user in authentication request with his configured 
#                                directory sever. Otherwise no match is done and 
#                                directory are contacted in order of configuration)
#
#	3) Mysql profiling:
#
#	mysql_profile_ip     	(mysql server internet address) 
#	mysql_profile_db   	(mysql db )
#	mysql_profile_user 	(mysql username )
#	mysql_profile_pass 	(mysql password )
#	mysql_profile_sqlstring	(sql base string for query. DEFAULT 'SELECT uname FROM grp WHERE gname like' )
#
#	Some examples:
#
#	Directory configuration for ldap profiling with SS5_LDAP_BASE option:
#	in this case, ss5 look for attribute uid="username" with base ou="group",
#	dc=example,dc=com where group is specified in permit line as 
#	"permit - - - - - group - -
#
#	Note: in this case, attribute value is not userd
#
#		ldap_profile_ip        10.10.10.1
#		ldap_profile_port      389
#		ldap_profile_base      ou=%,dc=example,dc=com
#		ldap_profile_filter    uid
#		ldap_profile_attribute gid
#		ldap_profile_dn        cn=root,dc=example,dc=com
#		ldap_profile_pass      secret
#		ldap_netbios_domain    dir 
#
#	Directory configuration for ldap profiling with SS5_LDAP_FILTER option:
#	in this case, ss5 look for attributes uid="username" & "gid=group" with 
#	base dc=example,dc=com where group is specified in permit line as 
#	"permit - - - - - group - -
#
#	Note: you can also use a base like "ou=%,dc=example,dc=com", where % 
#	will be replace with "group".
#
#		ldap_profile_ip        10.10.10.1
#		ldap_profile_port      389
#		ldap_profile_base      ou=Users,dc=example,dc=com
#		ldap_profile_filter    uid
#		ldap_profile_attribute gecos
#		ldap_profile_dn        cn=root,dc=example,dc=com
#		ldap_profile_pass      secret
#		ldap_domain_domain     dir 
#
#	Sample OpenLdap log:
#	conn=304 op=0 BIND dn="cn=root,dc=example,dc=com" mech=simple ssf=0
#	conn=304 op=0 RESULT tag=97 err=0 text=
#	conn=304 op=1 SRCH base="ou=Users,dc=example,dc=com" scope=1 filter="(&(uid=usr1)(gecos=Users))"
#	conn=304 op=1 SRCH attr=gecos
#
# 	where ldap entry is:
#	dn: uid=usr1,ou=Users,dc=example,dc=com
#	uid: usr1
#	cn: usr1
#	objectClass: account
#	objectClass: posixAccount
#	objectClass: top
#	userPassword:: dXNyMQ==
#	loginShell: /bin/bash
#	homeDirectory: /home/usr1
#	uidNumber: 1
#	gidNumber: 1
#	gecos: Users

#
# SECTION	<SERVER BALANCE>
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# 
#  TAG: virtual
#
#	virtual virtual identification (vid), real ip server
#
#	Some examples:
#
#	Two vip balancing on three real server each one
#		virtual 1 172.30.1.1
#		virtual 1 172.30.1.2
#		virtual 1 172.30.1.3
#
#		virtual 2 172.30.1.6
#		virtual 2 172.30.1.7
#		virtual 2 172.30.1.8
#
# 	Note: Server balancing only works with -t option, (threaded mode) and ONLY 
#	with "connect" operation.
#
# ///////////////////////////////////////////////////////////////////////////////////
#      	Vid	Real ip
#
#vitual	-	-