Examples

SS5 has many features, so the following examples are useful when configuring the socks server:

Example 1

Enable authentication via PAM for all IP addresses, and allow only users in the directory group CN=LOGON,CN=Users,DC=it to reach the 172.30/16 network over SSH.

Also enable the authentication cache, with the expiry set to 600 seconds.

set SS5_PAM_AUTH
set SS5_AUTHCACHEAGE 600

ldap_profile_ip x.y.w.z
ldap_profile_port 389
ldap_profile_base DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=user1,CN=Users,DC=it
ldap_profile_pass xxxxxx

auth 0.0.0.0/0 - u

permit u 0.0.0.0/0 - 172.30.0.0/16 22 - CN=LOGON,CN=Users,DC=it -

Example 2

Bind ss5 to a privileged port (below 1024):

ss5 -u root -b 0.0.0.0:1020

Example 3

The following configuration gives ss5 these features:

  1. PAM authentication using pam_winbind.so
  2. Multi-domain directory authorization (Active Directory)
  3. Authentication cache enabled
  4. Authorization cache enabled
  5. Netbios domain support
  6. Upstream proxying through another socks server
  7. Traffic dump to file

auth 0.0.0.0/0 - u

# Enable PAM authentication
set SS5_PAM_AUTH

# Set session timeout
set SS5_STIMEOUT 3600

# Enable Cache for authentication for 600 seconds
# set SS5_AUTHCACHEAGE 600

# Enable Cache for authorization for 600 seconds
# set SS5_AUTHOCACHEAGE 600

# Enable directory authorization with filter mode
set SS5_LDAP_FILTER

# Enable netbios domain mapping with directory
# (socks username in the form: domainA\user1)
set SS5_NETBIOS_DOMAIN

# Dump traffic data to file for connections through an Oracle db server
dump 182.10.10.20/32 1521 1

# Upstream proxy for 162.10.10.0 network
proxy 162.10.10.0/24 - 10.10.10.20 1080 -

# Permit http access to users who belong to the WEB group in Active Directory
#Auth SHost SPort DHost DPort Fixup Group Band
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainA,DC=DomainA,DC=it -
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=subDomainB,DC=DomainB,DC=it -

# Netbios domain (in case of MSdomainA\userA)
ldap_profile_ip 162.10.20.1
ldap_profile_port 389
ldap_profile_base DC=subDomainA,DC=DomainA,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainA,DC=DomainA,DC=it
ldap_profile_pass password
ldap_netbios_domain MSDomainA

# Netbios domain (in case of MSdomainB\userB)
ldap_profile_ip 162.10.30.1
ldap_profile_port 389
ldap_profile_base DC=subDomainB,DC=DomainB,DC=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=userReader,cn=Users,DC=subDomainB,DC=DomainB,DC=it
ldap_profile_pass password
ldap_netbios_domain MSdomainB

Example 4

The following configuration gives ss5 these features:

  1. GSS authentication and message integrity check
  2. Directory authorization against Active Directory using the Kerberos principal name
  3. Bandwidth profiling

auth 0.0.0.0/0 - k

# Enable verbose log
set SS5_VERBOSE

# Enable debug log
set SS5_DEBUG

# Enable directory authorization with filter mode
set SS5_LDAP_FILTER

# Set Principal Kerberos service name
set SS5_GSS_PRINC host@gssdomain.it

# Permit all traffic to users authenticated via Kerberos-GSS who belong to the group "Administrators" stored in Active Directory
permit k 162.10.10.0/24 - 182.10.10.0/24 - - cn=Administrators,cn=Builtin,dc=gssdomain,dc=it - -

# Limit to two the number of concurrent connections a user belonging to the Kerberos GSSDOMAIN can establish
bandwidth GSSDOMAIN-GRP 2 -

# Kerberos domain (in case of userA@GSSDOMAIN.IT)
ldap_profile_ip 162.10.20.1
ldap_profile_port 389
ldap_profile_base cn=Users,dc=gssdomain,dc=it
ldap_profile_filter cn
ldap_profile_attribute MemberOf
ldap_profile_dn CN=Administrator,cn=Users,dc=gssdomain,dc=it
ldap_profile_pass password
ldap_netbios_domain GSSDOMAIN.IT

Example 5

Authentication via RADIUS with MySQL profiling

set SS5_VERBOSE
set SS5_CONSOLE
set SS5_DEBUG
set SS5_SRV

set SS5_RADIUS_AUTH

radius_ip 127.0.0.1
radius_auth_port 1812
radius_acct_port 1813
radius_secret radiuspwd

# DEFAULT "SELECT uname FROM grp WHERE gname like"
mysql_profile_ip 127.0.0.1
mysql_profile_db radius
mysql_profile_user root
mysql_profile_pass password
mysql_profile_sqlstring SELECT username FROM radusergroup WHERE groupname like

auth 0.0.0.0/0 - u

permit u 192.168.1.99/32 - 0.0.0.0/0 - - grp1 - -

Example 6

Reach the 192.168.20.0 network using the alias IP 172.30.20.1 as the source IP.

The ss5.ha file contains:

route 192.168.20.0/24 172.30.20.1 - d

Example 7

To start multiple instances, create a separate startup script as follows:

  • First instance with default options:

    /usr/sbin/ss5 -t -u root

  • Second instance with custom options:

    export SS5_SOCKS_PORT=1081
    export SS5_CONFIG_FILE=/tmp/ss5.conf
    export SS5_PASSWORD_FILE=/tmp/ss5.passwd
    export SS5_LOG_FILE=/tmp/ss5.log
    export SS5_PROFILE_PATH=/tmp

Start the second instance:

#/usr/sbin/ss5 -t -u root
#
[INFO] found environment SS5_PROFILE_PATH: /tmp
[INFO] found environment SS5_LOG_FILE: /tmp/ss5.log
[INFO] found environment SS5_SOCKS_PORT: 1081
[INFO] found environment SS5_CONFIG_FILE: /tmp/ss5.conf
[INFO] found environment SS5_PASSWORD_FILE: /tmp/ss5.passwd

Example 8

To set up different upstream proxy configurations, see the following.

Version 5 with authentication

  • upstream ss5.conf

auth 0.0.0.0/0 - u
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

  • downstream ss5.conf

proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 0.0.0.0/0 - u
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 5 without authentication

  • upstream ss5.conf
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
  • downstream ss5.conf
proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 5 to 4

  • upstream ss5.conf
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
  • downstream ss5.conf
proxy 0.0.0.0/0 - 192.168.1.101 1081 4
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 5 to 4 with downstream authentication

  • upstream ss5.conf
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
  • downstream ss5.conf
proxy 0.0.0.0/0 - 192.168.1.101 1081 4
auth 0.0.0.0/0 - u
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -

Version 4

  • upstream ss5.conf
auth 0.0.0.0/0 - -
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
  • downstream ss5.conf
proxy 0.0.0.0/0 - 192.168.1.101 1081 -
auth 0.0.0.0/0 - u
permit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -
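Across the examples above, access is decided by the auth lines (which authentication method a source network must use) and the permit lines with the columns Auth SHost SPort DHost DPort Fixup Group Band, where "-" is a wildcard. The following Python is an added example, not code from the ss5 project: it parses those two line types from a constructed ss5.conf, answers whether a given request would match a permit rule, and flags rules of the shape used by the unauthenticated upstream in Example 8, which amount to an open proxy if the listener is reachable from anywhere but the downstream. It assumes ss5 evaluates permit rules top-down with the first match winning, and it ignores the SPort, Fixup and Band columns.

```python
import ipaddress

# Constructed sample in the style of Examples 3 and 5 (not a real deployment).
SAMPLE_CONF = """\
auth 0.0.0.0/0 - u
#Auth SHost SPort DHost DPort Fixup Group Band
permit u 0.0.0.0/0 - 182.10.0.0/16 80 - CN=WEB,CN=Users,DC=it -
permit u 192.168.1.99/32 - 0.0.0.0/0 - - grp1 - -
"""
# The unauthenticated upstream from Example 8: acceptable only when the listener
# can be reached solely from the downstream proxy.
OPEN_UPSTREAM_CONF = "auth 0.0.0.0/0 - -\npermit - 0.0.0.0/0 - 0.0.0.0/0 - - - - -\n"

PERMIT_FIELDS = ("auth", "shost", "sport", "dhost", "dport", "fixup", "group", "band")

def parse_conf(text):
    """Collect auth and permit rules; '-' is a wildcard in every field."""
    auth, permit = [], []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok and tok[0] == "auth" and len(tok) >= 4:
            auth.append({"shost": tok[1], "sport": tok[2], "method": tok[3]})
        elif tok and tok[0] == "permit" and len(tok) >= 9:
            # Some permit lines on the page carry a ninth value; only the eight
            # documented columns are kept here.
            permit.append(dict(zip(PERMIT_FIELDS, tok[1:9])))
    return auth, permit

def _net_match(cidr, ip):
    return cidr == "-" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def first_matching_permit(permit, method, src, dst, dport, groups=()):
    """Index of the first permit rule matching the request, or None.
    Assumption: ss5 walks permit rules top-down and the first match wins."""
    for i, r in enumerate(permit):
        if (r["auth"] in ("-", method) and _net_match(r["shost"], src)
                and _net_match(r["dhost"], dst) and r["dport"] in ("-", str(dport))
                and (r["group"] == "-" or r["group"] in groups)):
            return i
    return None

def unauthenticated_any_dest(auth, permit):
    """Indexes of permit rules that need no credentials and allow every destination
    and port: an open proxy unless something else limits who reaches the listener."""
    no_auth = any(a["method"] == "-" for a in auth)
    return [i for i, r in enumerate(permit)
            if no_auth and r["auth"] == "-"
            and r["dhost"] in ("-", "0.0.0.0/0") and r["dport"] == "-"]
```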

Reference

http://ss5.sourceforge.net/examples.htm

Copyright © 温玉 2021. File revised: 2022-09-09 09:28:27
