DeleGate reference manual version 9.8

The Reference Manual of DeleGate version 9.8
Copyright (c) 1994-2000 Yutaka Sato <ysato AT etl.go.jp> <y DOT sato AT delegate.org>
Copyright (c) 1994-2000 Electrotechnical Laboratory (ETL), AIST, MITI
Copyright (c) 2001-2008 National Institute of Advanced Industrial Science and Technology (AIST)
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443

Permission to use this material for evaluation, copy this material for your own use, and distribute the copies via publicly accessible on-line media, without fee, is hereby granted provided that the above copyright notice and this permission notice appear in all copies. AIST makes no representations about the accuracy or suitability of this material for any purpose. it is provided "as is", without any express or implied warranties.

This document is written based on the latest version of DeleGate/9.X. Comments about this document are expected to be directed to mailto:feedback@delegate.org to be open and shared at http://www.delegate.org/feedback/. Watch DeleGate Home Page at http://www.delegate.org/ to see the latest status. Beginners are recommended to read a short tutorial at http://www.delegate.org/delegate/tutorial/ also. A collection of usage examples at http://www.delegate.org/delegate/HowToDG.html might be helpful to see what you can do with DeleGate.

[skeleton] [frame] ... these links are active only when accessed via origin HTTP-DeleGate

CFI CU-SeeMe DGAuth DNS FTP Gopher HostList HTTP ICP IMAP LDAP NNTP PAM POP ProtoList SMTP SockMux Socks SSI.shtml SSL TCPrelay Telnet UDPrelay Whois X

INDEX

NAME
SYNOPSIS
DESCRIPTION
OPTIONS ( -P -Q -f -r -v -d -D -F name=value )
Terminology
Parameters General SERVER ADMIN OWNER CRON INETD HOSTLIST CLUSTER CMAP DYLIB LDPATH LIBPATH DATAPATH DGCONF DGPATH DGOPTS DGSIGN SOCKOPT PORT Routing FORWARD ROUTE MASTER MASTERP PROXY SOCKS SOCKSTAP SSLTUNNEL VSAP CONNECT SRCIF TUNNEL RPORT Access control PERMIT REJECT REMITTABLE REACHABLE RELIABLE RELAY AUTH AUTHORIZER MYAUTH RIDENT Resource usage restriction MAXIMA TIMEOUT DELAY Cache control CACHE EXPIRE CACHEFILE ICP Mount MOUNT MountOptions URICONV BASEURL DELEGATE Data conversion CHARCODE CHARMAP HTMLCONV MIMECONV Filter control FCL FTOCL FFROMCL FSV FTOSV FFROMSV FMD FTOMD FFROMMD XCOM XFIL Local file usage CHROOT DGROOT SHARE UMASK LOGDIR LOGFILE PROTOLOG COUNTER Aging Host name resolution HOSTS RESOLV RES_CONF RES_NS RES_AF RES_RR RES_VRFY RES_WAIT RES_DEBUG Protocol specific HTTPCONF FILETYPE CGIENV ICPCONF FTPCONF NNTPCONF SMTPCONF SMTPGATE DNSCONF
ProtoList
HostList
Parameter Substitution
CFI and CFI Script
Proxying by URL Redirection
Protocol Specific Issue and Examples TCPrelay UDPrelay SockMux Socks DGAuth PAM HTTP SSI.shtml ICP FTP Telnet POP IMAP SMTP NNTP LDAP Whois X Gopher SSL DNS CU-SeeMe
Reserved Names
AF_LOCAL Sockets
Customization
Platform Specific Issue ( Unix MS-Windows OS/2 )
Defense Against Attackers
Gentle Restart
Functions
FILES
SEE ALSO
AUTHOR
FEEDBACK
DISTRIBUTION

--------- --------- --------- --------- --------- --------- --------- ---------
DELEGATED(8)                MAINTENANCE COMMANDS                   DELEGATED(8)

NAME

delegated - DeleGate server SYNOPSIS

[name=value]*

DESCRIPTION

DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including

DeleGate works as an application level proxy which interprets relayed protocol (control sequence and data structure) between a client and a server; various value added services are realized for recognized protocol. Also DeleGate works as a circuit level proxy which literally conveys transmission between a client and a server of arbitrary protocols on TCP or UDP.

DeleGate can be used to enforce access control restricting remittable protocols, reachable servers, and acceptable clients. DeleGate forces delay for penalty on repetition of forbidden access, or make defense shutting down service and sending automatic reports to administrator on suspicion of attack. A basic logging on circuit level common to arbitrary protocol and protocol dependent logging in some common formats are supported for some protocols.

DeleGate can act as a kind of application level router, controlling direct or indirect routes toward a destination server by selecting upstream proxy or Socks server. One of exploitable routes toward a server will be selected or tried in order depending on application protocol, destination host and source client.

As an application level proxy, DeleGate interpretively relays various application protocols, providing various value added services including caching or conversion for relayed data, of which structure depends on each application protocol. Based on interpretation of application protocols, DeleGate can be used as a protocol gateway which translates between client-side protocol and server-side protocol.

As a circuit level proxy, a DeleGate server literally conveys transmission bound to a specified server of a specified application protocol on TCP or UDP, or toward arbitrary servers based on Socks protocol.

As an application level proxy, DeleGate provides virtual view for resources in other servers, by aliasing, merging, and hiding real names (like URL which identifies a resource or a service) in real servers. It is like a generalized mechanism of NFS file mount, but unlikely it is realized by rewriting content of data. In other words, this is a mapping (rewriting) of virtual names in client to/from real names in server, where names are embedded in a protocol dependent data structure on request/response messages between a client and a server. With this function named mounting, for example, a resource http://hostiN/ is shown to client as if it is http://hostx/iN/. MOUNT can be used to customize built-in icons and messages of DeleGate too.

Communication between client and DeleGate or between DeleGate and server can be filtered or translated by user defined filter programs attached to DeleGate using a simple scheme named CFI (Common Filter Interface). Existing filter programs, from standard input to standard output, can be used as a CFI program without modification. Besides filtering by external programs, some of frequently used filtering operations are built-in to DeleGate, including HTTP header removal and generation.

All of local files of DeleGate, including log files and cache files, are placed under an individual root directory (DGROOT) as private files belong to the owner of the DeleGate by default. But to share them among different users, the path name, owner, and access permission of each file can be customized. Also log file name can be parameterized with date value for aging, and cache file name can be parameterized with hash value to distribute cache disks.

Although DeleGate can be controlled by a lot of options, only -Pport option and SERVER=protocol parameter are mandatory to operate in most case. The -P option specifies on which port DeleGate receives requests from clients. SERVER parameter specifies in which protocol DeleGate communicates with clients, and optionally to which destination server it will relay the communication.

Options can be loaded from local or remote resources with "+=URL" notation, typically from a local file like "+=/path/of/parameters" (see Parameter Substitution) (see DGCONF also)

   -P option  --  entrance port(s) to the DeleGate
              ==  -Pport[,port]*
        port  ==  [host:]portNum[/udp][/admin][/protocolName]
     portNum  ==  number[-number]

entrance port

host

portNum

port

port

host

An entrance port is made as a TCP port by default except UDP based application protocol (dns, icp, cuseeme, udprelay) is specified in SERVER=protocol parameter. And regardless of the protocol specified in SERVER, it can be made as a UDP port with postfix "/udp" like -Pport/udp.

If "/protocolName" is specified, as "-P21/ftp,80/http,1080/socks" for example, the DeleGate will act in the specified application protocol on the specified port, rather than in the default protocol specified in the SERVER parameter.

This option MUST be specified except in following cases. It is ignored when the DeleGate is invoked from inetd(8), or in most case of -Ffunction option, or when running as a tunnel server with SERVER="tunnel1".

   -Q option* --  entrance port to the DeleGate
              ==  -Qport

-Q option can be used to specify multiple entrance ports separately in multiple options. For example, a set of of options "-Q21 -Q80 -Q1080" is equivalent to a single option "-P21,80,1080".

   -f option  --  foreground execution
              ==  -f[v]

If specified, DeleGate runs in foreground keeping connected with current control tty so that it can be killed with SIGINT from the tty, and staying at (without changing

   -r option  --  restart

If specified, currently running DeleGate on the same entrance port if exist is finalized before starting this DeleGate. It has the same effect as doing

   -v option  --  logging level control
              ==  -v[vdtsau]

If specified, DeleGate will run in foreground like -f and log will be put on the control tty, not to

emergency shutout

   -d option  --  debugging of sub components
              ==  -d[hst]

-dh enables detailed logging of

   -D option  --  disabling sub components
              ==  -D[t]

-Dt disables the usage of thread (for SSL and gzip) to force using process.

   -S option  --  watch SIGCHLD signal

If specified, zombie processes of DeleGate will be immediately swept by watching the SIGCHLD signal. This option might be the default in future releases.

   -T option  --  trace system calls
              ==  -T[xsdt]*

If specified, signals occurred in DeleGate processes will be watched by the parent DeleGate using "ptrace(2)" then recorded into TRACELOG. If -Tx is specified, DeleGate process which is going to execute "execve(2)" system call will be trapped and killed. This will be useful for security enhancement preventing any unexpected execve() which can be the method of intruders. This -T option automatically turn on -S option to immediately respond to events occurred in children, but you can turn off if by adding "s" flag like "-Ts". Adding "d" flag like "-Txd" will make logging detailed, while adding "t" flag like "-Txt" will make logging terse.

   -F option  --  extra function
              ==  -Ffunction

If specified, DeleGate will work as a program of specified function rather than a DeleGate server. For example, "delegated -Fkill -Pport" means to kill the DeleGate running on the port. "

available functions

   -- option  --  hiding command line arguments

If specified, command line arguments before "--" are left visible to ps(1) command (with pstat(2) system call) on most of Unix systems. Without this, any arguments are hidden by default.

   parameter  ==  name=value

   conditional parameter == (condition)parameter

Some parameters and -v option can be restricted to be applied conditionally, by prefixing "(condition)" to a parameter. Currently, condition is a list of client host which is described in

   -e option  ==  -ename=value

delegated: A server process of DeleGate and the standard file name of a DeleGate program; the trailing "d" implies "daemon" or server (by convention on Unix)
specialist: A DeleGate configured to talk a specified client-side protocol (with SERVER=proto)
generalist: Also called MASTER-DeleGate which can talk arbitrary client-side protocol which will be determined at run-time (with SERVER="delegate") where clients are DeleGate which use this DeleGate as an upstream proxy (pointing by a MASTER parameter).
bound DeleGate: DeleGate bound to a specified destination server (with SERVER=proto://host)
unbound DeleGate: DeleGate not bound to any destination server (without SERVER=proto://host)
P-DeleGate (ex. HTTP-DeleGate): DeleGate communicate with clients in protocol P
Q/P-DeleGate (ex. FTP/HTTP-DeleGate): DeleGate communicate with clients in protocol P and communicate with servers in protocol Q
P proxy (ex. HTTP proxy): A proxy server which communicates with clients in protocol P

PARAMETERS

In the following list, parameters marked with "*" are repeatable like name=value1 name=value2 ... name=valueN. If the same parameter is defined both in environment and command line, the one in command line precedes to the one in environment. If other non-repeatable names are repeated, the lastly given value is taken.

Parameters marked with "+" can NOT be given in "+=parameters" scripts. Those parameters (including DGROOT, CHROOT, LDPATH, and DYLIB) need to be specified in command-line arguments or "implanted" into the executable file of DeleGate with the -Fimp option.

Parameters in this category are used to control common attributes of DeleGate independently of the purpose of usage or target application protocol.

name value format functionality

-- ---------- ------------------ ----------------------------------

SERVER proto://host:port client-side protocol and default server

ADMIN user@host.domain E-mail addr. of the admin. of this DeleGate

+ OWNER user[/group] with who's access right this DeleGate runs

* CRON crontab-spec cron compatible scheduler of actions

* INETD inetd-conf inetd like server configuration notation

* HOSTLIST name:hostList define a named HostList

* CLUSTER protocol:hostList define a cluster of servers

* CMAP map-spec mapping table about the current connection

+ DYLIB patternList file-name patterns of dynamic libraries
+ LDPATH dir;dir;... search path for DYLIB
LIBPATH dir:dir:... search path for library files
DATAPATH dir:dir:... search path for data files
DGPATH dir:dir:... search path for SUBSTITUTION resources
DGCONF dir/file the file of configuration parameters
DGOPTS option;option;... list of command line options
PORT portList reserve entrance ports like -P option

Routing

These parameters control the indirect routing toward the target server exploiting upstream proxies or Socks servers on the way to servers. If any target hosts are directly reachable on IP level from your DeleGate's host, these parameters may not necessary. Besides these parameters,

-- ---------- ------------------ ----------------------------------
* FORWARD proxy-_-proto:dst:src forward to proxy when from src to dst in proto
* ROUTE proxy-_-dst:src forward to proxy when from src to dst
* MASTER host:port connect via the upstream DeleGate
MASTERP [host:port] invoke a MASTER private to this DeleGate
* PROXY host:port connect via the upstream proxy
* SOCKS host[:port] connect via the socks server
SSLTUNNEL host:port connect via the SSL tunnel for HTTPS
VSAP host:port accept/connect via a remote host
* CONNECT ca,ma,di,so,... the order of trials of connection types
* SRCIF host[:port] source address of connection to server
TUNNEL type:scriptPath connect via the tunnel on serial line
RPORT {tcp|udp}[:host] return port from the MASTER-DeleGate

Access control

These parameters control who (client) can access to what (server) and how (protocol). The basic policy of default access control is designed so that clients on networks local to the host of DeleGate are permitted to access to any server. Note that the default value of

host

port

You must most carefully configure these parameters so that this DeleGate does not introduce a security hole, especially when it is running on a host which is directly accessible to/from the internet.

-- ---------- ------------------ ----------------------------------
* PERMIT proto:dst:src protocols/servers/clients to be permitted
* REJECT proto:dst:src protocols/servers/clients to be rejected
REMITTABLE ProtoList protocols remittable to the server
* REACHABLE dstHostList only specified server hosts are reachable
* RELIABLE srcHostList accept only from the specified client hosts
* RELAY proxy|delegate|no restrict proxying modes
* AUTH what:aproto:users authorized users for remote administration
* AUTHORIZER serv:proto:dst:src authentication server
* MYAUTH user:pass:proto:dst:src authentication client
RIDENT client|server forward socket addr. to upstream DeleGate

Resource usage restriction

-- ---------- ------------------ ----------------------------------
* MAXIMA what:number maxima of parallel sessions and etc.
* TIMEOUT what:seconds timeout of connection and etc.
* DELAY what:seconds delay for penalty

Cache control

Enable or disable cache and specify validity of cached data. Usage of cache is controlled in context of routing by

-- ---------- ------------------ ----------------------------------
CACHE do|no|ro control to do cache or not
* EXPIRE days|hours|secs expiration of the cached data
CACHEFILE fileNameSpec in which file cache data are stored
* ICP icpClientConfig configuration as an ICP client

Mount

Provide virtual view for other server(s) by URL mapping, filtering and aliasing resource names, to merge multiple servers, to translate between different protocols, to export internal servers, and so on. Also MOUNT can be used to

-- ---------- ------------------ ----------------------------------
* MOUNT "vURL rURL opt" map virtual URL to/from real URL
* URICONV convList:attrList control URI rewriting with MOUNT
BASEURL URL the base of (virtual) URL of this server
DELEGATE host:port limited form of BASEURL

Data conversion

-- ---------- ------------------ ----------------------------------
* CHARCODE JIS|EUC|SJIS|UTF8 character conversion for Japanese text
* CHARMAP [jis|ucs]:a-z/A-Z map character to character in text data
HTMLCONV deent|enent|pre decode/encode between HTML & plain text
MIMECONV thru|charcode control MIME encoder/decoder

Filter control

-- ---------- ------------------ ----------------------------------
FCL filterCommand filter between client and DeleGate
FTOCL filterCommand filter from DeleGate to client
FFROMCL filterCommand filter from client to DeleGate
FSV filterCommand filter between server and DeleGate
FTOSV filterCommand filter from DeleGate to server
FFROMSV filterCommand filter from server to DeleGate
FMD filterCommand filter between MASTER and this DeleGate
FTOMD filterCommand filter from this DeleGate to MASTER
FFROMMD filterCommand filter from MASTER to this DeleGate
XCOM filterCommand execute a command as a server
XFIL filterCommand execute a filter as a server

Local file usage

All of local files are integrated under DGROOT by default. You should not change nor specify these parameters if not necessary.

-- ---------- ------------------ ----------------------------------
+ CHROOT dirPath change the root of file system at start
+ DGROOT dirPath root directory of all of DeleGate files
*+ SHARE dirPatternList files to be shared among users
+ UMASK mask umask value in octal
VARDIR dirPath default base of log and cache
CACHEDIR dirPath where cache files are placed
ETCDIR dirPath where persistent management files are
LOGDIR dirPath where DeleGate logs are
LOGFILE LogFilename where DeleGate makes logging
PROTOLOG LogFilename httpd or wu-ftp compatible log file
ERRORLOG LogFilename where DeleGate make error logging
TRACELOG LogFilename where signal trace (by -T) is put
EXPIRELOG LogFilename file which records expire log
COUNTER CounterOptions access counters
WORKDIR dirPath where DeleGate should dump core (-_-;
ACTDIR dirPath where temporary files are placed
TMPDIR dirPath where invisible temporary files are placed
PIDFILE fileName where the DeleGate's PID is recorded

Host name resolution

-- ---------- ------------------ ----------------------------------
* HOSTS host/addr,... private host/address mapping
RESOLV file,nis,dns,sys the order of resolvers to be used
RES_WAIT sec:host wait for resolver to be ready
RES_CONF URL where resolv.conf is
RES_NS host[:port] DNS server to be used
RES_AF 46 | 64 | 4 | 6 Address families (IPv4/v6) to be retrieved
RES_RR HostList enable Round Robin of IP-addresses
RES_VRFY "" enable double check of reverse resolution
RES_DEBUG number debugging level of name resolution

Protocol specific

--	----------	------------------	----------------------------------
*	`HTTPCONF`	what:conf	HTTP specific configuration
	`FILETYPE`	suffix:fileType	mapping from filename to data type & etc.
	`CGIENV`	name,name,...	environment variables to be passed to CGI
*	`ICPCONF`	icpServerConfig	configuration as an ICP server
*	`FTPCONF`	what[:conf]	FTP specific configuration
*	`NNTPCONF`	what:conf	NNTP specific configuration
*	`SMTPCONF`	what:conf	SMTP specific configuration
	`SMTPGATE`	dirPath	SMTP to SMTP/NNTP g.w. configuration
*	`DNSCONF`	what:conf	configuration as a DNS server
*	`SOCKSTAP`	proto[:[dst][:src]]	interpret the protocol over SOCKS

SERVER parameter*   ==  SERVER=protocol[://host[:portNum]][:-:MountOptions]
           portNum  ==  [+|-]number
                    --  default: SERVER=delegate

SERVER=protocol specifies the protocol to be used for communication with clients, which will be the default protocol with servers.

Example: a SERVER parameter for unbound Telnet-DeleGate

SERVER=telnet

If SERVER="delegate" is given, the DeleGate will become a generalist (or MASTER-DeleGate), which acts as an upstream DeleGate of other DeleGates. Note that a generalist can remit arbitrary protocols by default, so that it can be dangerous without enough consideration on access control (see

If no destination server (host) is specified, it is to be be given by client somehow at run-time, on application level in protocol dependent way.

login

user

host

user name

The protocol with server is implicitly expected to be the same with the protocol with the client. Some protocols like HTTP have their inherent way to specify the protocol with the destination server. Otherwise it must be explicitly given with MOUNT parameter, like MOUNT="/news/* nntp://server/*" for example.

SERVER=protocol://host:portNum specifies the URL of destination server. The ":portNum" part is omittable as usual in URL if the number is that of standard port number of the protocol. A list of protocols and standard port numbers recognized by the DeleGate is available at: "http://delegate/-/builtin/mssgs/config.dhtml".

Port mapping: If a portNum is prefixed with "-" or "+", it means mapping the port number of the entrance port adding the specified offset, or using the port number as is by "-" with empty portNum.

Example: forwarding multiple ports to an another host

-P21,23,25,80 SERVER=tcprelay://host:-/

A special hostname "odst.-" can be used to refer the original destination host when the incoming data is forwarded by NAT.

Example: forwarding NAT to the original destination via a SOCKS proxy

-P9999 SERVER=tcprelay://odst.-:- SOCKS=sockshost

Note that a DeleGate bound to a specific server is not disabled to work as a proxy for arbitrary servers. Proxying ability must be restricted if necessary, using PERMIT, REACHABLE and RELAY parameters.

If a SERVER parameter is with ":-:MountOptions", the SERVER parameter will be dynamically selected if the condition specified in the MountOptions is evaluated to be true. As a special case, ":-:via=HostList" can be abbreviated as ":-:HostList".

Example: selecting an appropriate NNTP server for a client

SERVER="nntp://newsserver1:-:from={*.dom1}" SERVER="nntp://newsserver2:-:from={*.dom2}"

Example: {NNTP,SMTP,POP}-DeleGate as a single server

-P119,110,25 SERVER="nntp://nntpserver:-:{*:119}" SERVER="smtp://smtpserver:-:{*:25}" SERVER="pop://popserver:-:{*:110}"

ADMIN parameter     ==  ADMIN=user@host.domain
                    --  default: built in at compile time

- Shown in (error) messages to clients, as the name of the administrator of this DeleGate (HTTP, etc.).

- Shown in opening messages or in a help message to clients, as the name of the administrator (FTP, NNTP, Telnet).

- Sent as a default user name (in PASS command) on anonymous access to FTP servers.

- Sent as sender name (in FROM command) in access to remote SMTP server on verification by AUTH=anonftp:smtp-vrfy.

- Report messages are sent to the address on occurrence of fatal signals

OWNER parameter*    ==  OWNER=user[/group][:srcHostList]
                    --  default: OWNER="nobody/nogroup"
                    --  restriction: super-user only on most of Unix
                    --  restriction: setting the user of a service on Windows

This parameter is effective only when the invoker is a super-user. If specified, the DeleGate will run with the right of specified user, calling setuid(2) and setgid(2) system calls. User and group can be specified either in symbolic name or in id-number prefixed with "#" like "#1234".
If srcHostList is specified, owner of this DeleGate will be set to the user when the client host is included in the list. The user name "*" will be substituted by the user name of the client when it can be got from an

Example: run with the user ID corresponding to the user name of the client

OWNER="*:*@*".

On Windows, OWNER=user may be specified when it is invoked as a service, to set the user of the DeleGate service to be created. With empty user name as OWNER="", the user name is got from the USERNAME environment variable. The password can be specified with a PASS=pass parameter or an environment variable, or it will be asked on the console.

CRON parameter*     ==  CRON="crontab-spec"
       crontab-spec ==  minute hour day month dayOfWeek action
                    --  default: none

Cause an action at a time specified in the format of crontab-spec which is compatible with that of standard crontab(5) of cron(8) servers in Unix systems. If the action is prefixed with "/" then it is an external action which will be executed by the system(3) function. If the action is prefixed with "-" then it is a built-in internal action of DeleGate.

-suspend N -- suspend for N seconds
-restart -- restart the DeleGate
-exit -- finish the DeleGate
-expire N -- execute expiration for $CACHEDIR by "-atime +Nd"
-system command -- execute command as a shell command
/dir/command args -- equiv. to "-system /dir/command args"
- args -- equiv. to "/dir/delegated args"
-Ffunc args -- equiv. to "/dir/delegated -Ffunc args"

CRON="0 0 * * * -restart"
CRON="0 3 * * * -expire 3" (this is equivalent to followings)
CRON="0 3 * * * -Fexpire /path/of/cache -rm -atime +3 -sum"
CRON="0 3 * * * /path/of/delegated -Fexpire /path/of/cache -rm -atime +3 -sum"

INETD parameter*    ==  INETD="inetd-conf"
        inetd-conf  ==  port sockType proto waitStat uid execPath argList
              port  ==  [host:]portNum
          sockType  ==  stream | dgram
             proto  ==  tcp | udp
          waitStat  ==  nowait ("wait" is not yet supported)
                    --  default: none

Invoke a new DeleGate process with the specified configuration when a request is arrived at the specified port. The format of the inetd-conf specification is like that of standard inetd.conf(5) in Unix systems.
A default value of each field can be represented by "-". Default values of sockType, proto and waitStat are "stream", "tcp" and "nowait" respectively. The uid field will be used as

uid

execPath

argList.

delegated ADMIN=foo EXPIRE=1 INETD=conf1 INETD=conf2

conf1

conf2

Example:

HOSTLIST parameter* ==  HOSTLIST=listName:HostList

listName

listName

HostList

listName

newHostList

newHostList

Predefined named HostList:

HOSTLIST=.localnet:localhost,./.,-/.,.o/."
HOSTLIST=.socksdst:!.localnet

Example:

CLUSTER parameter*  ==  CLUSTER=[protoList]:ServerList
        ServerList  ==  [/R,]Server[,ServerList]
            Server  ==  Host[..Port]

If a list is prefixed with "/R", the servers in the list are tried in random order (the first server to be tried is selected randomly and other servers are tried in the round-robin order). It could be useful for load balancing among equivalent (proxy) servers.

The retrial by this parameter is commonly applied to servers of any protocols in the phase of establishment of a TCP connection to a server. The retrial covers the authentication phase for several protocols. In HTTP origin/gateway servers, the retrial may be caused depending on the response from the server, including the response code 503 (Service Unavailable) and 404 (Not Found) for example.

Example:

CMAP parameter*     ==  CMAP=resultStr:mapName:connMap
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none

A generic parameter to make some parameters be conditional on the current connection. When the protocol, the destination and the source of the current connection match the connMap, this map is enabled providing resultStr string to be used for mapName.
Not only host name/address but also port number of destination servers can be used for matching in

TLSCONF parameter*  ==  TLSCONF=tlsConf[,tlsConf]*
           tlsConf  ==  what:value
                    --  default: TLSCONF=scache:do,xcache:do

-v[d|s]: specify the detailness of logging of TLS setup and relay. "-vd" make logging detailed whereas "-vs" suppresses any logging.
scache[:[do]|no|acc|con]: enable or disable the session caches. By default, both session caches for accept and connect are enabled. "no" disables both of these caches. "acc" enables only the cache for clients. "con" enables only the cache for servers.
xcache[:[do]|no|acc|con]: enable or disable the context cache for certificates of this DeleGate.
libs:libname[+libname]: specify the dynamic libraries for SSL in the order to be loaded instead of the default ones, as TLSCONF="libs:crypto+ssl" for example. A libname can be with a version number like "libssl.so.0.9.8" or in a full-path name like "/usr/local/lib/libcrypto.0.9.8.dylib".

STLS parameter*     ==  STLS=stlsSpecs[,sslwayCom][:connMap]
         stlsSpecs  ==  [-]stlsSpec[/im][/ssl][,stlsSpecs]
          stlsSpec  ==  fsv | fcl | mitm | imimSec
         sslwayCom  ==  {sslway [-Vrfy] [-CApath dir] ...}
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
                    --  restriction: applicable to HTTP, FTP, SMTP, POP, IMAP, SOCKS
                    --  required: SSLway

If "fcl" is specified, a client may start SSL without STARTTLS negotiation. Such implicit SSL negotiation from the client-side is detected by peeping a SSL hand-shake packet on the connection from the client-side at the beginning of a session for a certain period specified with imimSec. The default value is "im0.25" (250m seconds). "-im" disables this implicit SSL negotiation. If a stlsSpec is followed with "/im" as STLS="fsv/im" for example, SSL with the peer (with the server in this case) is applied without the STARTTLS negotiation.

If "mitm" is specified, it behaves like "-fcl,-fsv" that is if SSL is enabled in the client side then SSL on the server side is enabled. It can be used with a HTTP proxy DeleGate as a "secure proxy" or "SSL-tunnel" to peep the bidirectional communication in CONNECT method, relaying it as a usual HTTP applying filters and cache. ("mitm" means "Man-In-The-Middle" mode) If it is set optional as "STLS=-mitm" then the MITM mode is activated only when the client specified the server name prefixing with "-mitm." as "https://-mitm.host.domain/" for "https://host.domain/".

If non default SSLway command path or options are necessary to be used, the SSLway command can be specified after stlsSpecs as STLS="fcl,sslway -Vrfy -cert mycert.pem" for example.

Example:

STLS="fcl"

STLS="-fcl"

STLS="fsv,-fcl"

STLS="fsv/ssl" SERVER="ftp"

CERTDIR parameter   ==  CERTDIR=dir
                    --  default: ${ETCDIR}/certs
                    --  version: DeleGate/9.8.0 + OpenSSL0.9.8g or laters

CERTDIR specifies the directory as the repository of certificates to be used by

me.pem -- my certificate: The certificate of this DeleGate to be sent to clients (and to servers if requested). It may contain the private-key too. It can be a chained certificate followed with the certificates of intermediate CAs.
me-key.pem -- my private-key: This file is necessary if the private-key for me.pem is not contained in itself.
me-key.pas -- the pass-phrase for my private-key: This file is necessary if the private-key in me-key.pem is encrypted.
common.pas -- the pass-phrase common to private-keys: This file can be used as the default pass-phrase common to all encrypted private-keys.
sn.domain.pem -- the certificate for SNI: The certificate for the domain indicated by SNI (Server Name Indication). Like me.pem, it may be in the combination of sn.domain-key.pem and sn.domain-key.pas (or common.pas).
to-sv.pem -- my certificate to servers: The certificate like me.pem which is sent to servers only.
to-cl.pem -- my certificate to clients: The certificate like me.pem which is sent to clients only.
ca-sv.pem -- servers' CAs' certificates: The certificates of CAs to be used to verify acceptable certificates shown by servers. It may contain CRL too.
ca-cl.pem -- clients' CAs' certificates: The certificates of CAs to be used to verify acceptable certificates shown by clients. It may contain CRL too.

DGCONF parameter    ==  DGCONF=dir/file
                    --  default: DGCONF='${EXECDIR}/${EXECNAME}.conf'

DGCONF specifies the file of configuration parameters to be loaded, if exists, on the invocation. The default value is relative to the name of the executable file of DeleGate. For example, if the path of the executable is "X:/path/of/dg9_4_1.exe" then DGCONF="X:/path/of/dg9_4_1.conf".

DYLIB parameter     ==  DYLIB=libfilePattern[,libfilePattern]*
                    --  default: DYLIB='dglib*.so,lib*.so,dglib*.dylib,lib*.dylib'

Example:

DYLIB="" ... disable dynamic linking DYLIB="lib*.so,lib*.so.1" DYLIB="libz.so,libssl.so" DYLIB="+,lib*.so.0.9.7" DYLIB="/usr/lib/libz.so.1,/lib/libssl.so"

LDPATH parameter    ==  LDPATH=dirPath[;dirPath]*
                    --  default: LDPATH='${LIBDIR};${EXECDIR};${HOME}/lib;/usr/lib;/lib'

Specify where dynamic libraries (

LIBPATH parameter   ==  LIBPATH=dirPath[:dirPath]*
                    --  default: LIBPATH='.:${STARTDIR}:${LIBDIR}:${EXECDIR}:${ETCDIR}'

WORKDIR (.) -- the working directory STARTDIR -- the directory where the DeleGate is invoked LIBDIR -- ${DGROOT}/lib by default EXECDIR -- the directory where the executable file of DeleGate is placed ETCDIR -- ${DGROOT}/etc by default

DATAPATH parameter  ==  DATAPATH=dirPath[:dirPath]*
                    --  default: DATAPATH='.:${DGROOT}:${STARTDIR}

DGPATH parameter    ==  DGPATH=dirPath[:dirPath]*
                    --  default: DGPATH='+:.:${HOME}/delegate:${ETCDIR}'

The search path of parameter files. A special directory name "+" stands for the place where the "caller" resource (a parameter file referring the parameter file) is.

DGSIGN parameter    ==  DGSIGN=signatureSpec
                    --  default: DGSIGN="V.R.P/Y.M.D"

Specify the signature of the DeleGate to be shown to client or server. The full form signature "Version.Revision.Patch (Month Day, Year)" is represented as "V.R.P/Y.M.D". To hide the a specific part, replace the corresponding character with "x". For example, DGSIGN="V.x.x/Y.x.x" will make signature like "DeleGate/9.x.x (x x, 2005)".

DGOPTS parameter    ==  DGOPTS=opt[,opt]*
                    --  default: none

SOCKOPT parameter   ==  SOCKOPT=[no]name[:value]
                    --  default: reuse

[reuse] | noreuse: enables instant reuse of a port number. (SO_REUSEADDR)
share | [noshare]: enables simultaneous use of a port. (SO_REUSEPORT)
[shut] | noshut: do shutdown(socket,SD_SEND) before closing a socket

PORT parameter      ==  PORT=port[,port]*
              port  ==  [host:]portNum[/udp]
           portNum  ==  number[-number]
                    --  default: none

Make entrance ports as -P option does.

FORWARD parameter*  ==  FORWARD=gatewayURL[-_-connMap]
        gatewayURL  ==  gwproto://[user:pass@]gwhost[:gwport]
           connMap  ==  protoList:dstHostList:srcHostList
                    --  default: none

gatewayURL

connMap

protoList

dstHostList

srcHostList

connMap

gatewayURL

user

pass

gwhost

gwhost

gwproto

gwhost

gwport

dstHostList

srcHostList

gwproto

gwhost

gwport

dstHostList

srcProtoList

For special gwproto, FORWARD works as a generalized notation of MASTER, PROXY, SOCKS and SSLTUNNEL as follows.

delegate -- forward to a DeleGate: MASTER=gwhost:gwport:dstHostList
FORWARD=delegate://gwhost:gwport/-_-*:dstHostList:*
http, ftp, telnet -- forward to an application level proxy (HTTP, FTP, or Telnet): PROXY=gwhost:gwport:dstHostList
FORWARD=gwproto://gwhost:gwport/-_-*:dstHostList:*
socks -- forward to a SOCKS server: SOCKS=gwhost:gwport[/socksOpt]:dstHostList:srcHostList
FORWARD=socks://gwhost:gwport[/socksOpt]-_-*:dstHostList:srcHostList
ssltunnel -- forward to a SSL-tunnel (HTTP proxy with the CONNECT method): SSLTUNNEL=gwhost:gwport
FORWARD="ssltunnel://gwhost:gwport/-_-*:*:*"
direct -- directly connect to the server: CONNECT="direct:protoList:dstHostList:srcHostList"
FORWARD="direct-_-protoList:dstHostList:srcHostList"
noroute -- don't try connection to the server: CONNECT="cache:protoList:dstHostList:srcHostList"
FORWARD="noroute-_-protoList:dstHostList:srcHostList"

If multiple FORWARD parameters are specified, they are tried in the order of the definition. If multiple routes to the destination server are available, specified with a mixture of FORWARD and other parameters (MASTER, PROXY, SOCKS or SSLTUNNEL), the route defined by FORWARD is tried in precedence defined by "proxy" or "master" in CONNECT.

Example: a gateway for HTTP clients to a HTTPS server reachable via SSLtunnel with authentication

MOUNT="/* https://sslhost/*" STLS=fsv:https:sslhost FORWARD=ssltunnel://user:pass@proxyhost:8080-_-https:sslhost

ROUTE parameter*    ==  ROUTE=proto://host:port/-_-dstHostList:srcHostList
                    --  default: none

A host specification in the dstHostList may be prefixed with "proto://" to restrict the protocol to be forwarded. For example, ROUTE="http://host:port/-_-{ftp://*}:*" means that only access to FTP servers are forwarded to the HTTP-proxy at "http://host:port/".

A host specification in the dstHostList can be restricted further with port number. For example, ROUTE="http://host:port/-_-{*:21}:*" means that only accesses to the port number 21 (FTP service) is forwarded to the proxy.

MASTER parameter*   ==  MASTER=host:port[/masterControl][:dstHostList]
                    --  default: none

This parameter specifies an upstream generalist DeleGate (MASTER-DeleGate) to which this DeleGate will forward requests. Forwarding to a MASTER-DeleGate can be filtered by postfixing ":dstHostList"; only request toward destination servers listed in dstHostList are forwarded to the MASTER-DeleGate. When multiple MASTERs are given, they are tried in order until connection to a MASTER succeed.

Optional "/masterControl" can be:

cache -- use the MASTER only if cache hits in the MASTER
teleport -- make a persistent

MASTERP parameter   ==  MASTERP=[host:port]
                    --  default: none

connection cache

RPORT parameter     ==  RPORT={tcp|udp}[:host]
                    --  default: none

This parameter should be used together with MASTER parameter. If specified, a connection (for response data transfer) from the MASTER-DeleGate to this DeleGate is established separately from the connection (for request data transfer) from the DeleGate to its MASTER-DeleGate. A specified type of response connection will be made from the MASTER toward the delegate at the specified host.

PROXY parameter*    ==  PROXY=host:port[:dstHostList]
                    --  default: none
                    --  restriction: applicable to HTTP, FTP, Telnet

Example:

SERVER=http PROXY=proxyhost:8080:!*.localdomain SERVER=ftp PROXY=proxyhost:proxyport

SOCKS parameter*    ==  SOCKS=host[:[port][/socksOpt][:dstHostList[:srcHostList]]]
          socksOpt  ==  [ -4 | -r ]*
                    --  default: none

Specify to use Socks server on host. The server is expected to recognize Socks version 5 protocol. If the server supports only version 4, specify "-4" option like "SOCKS=host:port/-4".
The "-r" option controls which of DeleGate or Socks server does the name resolution (from the host name of a target host to its IP address). With a SocksV4 server, name resolution is done by DeleGate by default. "-r" option make the resolution be delegated to the server (This is applicable if the server supports extended Socks4A protocol). With a SocksV5 server, name resolution is delegated to the server by default, and "-r" option make the resolution be done locally by DeleGate.
By default, the connection establishment via Socks will be tried after all of other trials failed, but you can control the order by the

dstHostList

HOSTLIST=".socksdst:!.localnet"

Example:

CONNECT=s,d SOCKS="sockshost:1080:!.localnet,!*.my.domain"

SSLTUNNEL parameter ==  SSLTUNNEL=host:port
                    --  default: none

SSL tunneling

VSAP parameter      ==  VSAP=host:port
                    --  default: none

Example:

firewall% delegated -P8000 SERVER=vsap PORT=8080-8090

internal% delegated -P8080@firewall:8000 ...

internal% delegated -P8080 CONNECT="{vsap/firewall:8000}" ...

internal% delegated -P8080 VSAP=firewall:8000 ...

CONNECT parameter*  ==  CONNECT=connSeq[:connMap]
           connSeq  ==  connType[,connType]*
          connType  ==  cache|icp|proxy|master|https|vsap|direct|socks|udp
           connMap  ==  ProtoList[:dstHostList[:srcHostList]]
                    --  default: CONNECT="c,i,m,h,v,s,d:*:*:*"

connType:

cache	-- CACHE search (without connection)
icp	-- via a PROXY hinted by ICP server
proxy	-- via a PROXY server
master	-- via a PROXY or a MASTER-DeleGate server
https	-- via a SSLTUNNEL (SSL tunnel on HTTP)
vsap	-- via a VSAP server
direct	-- direct connection to the target server
socks	-- via SOCKS servers
udp	-- by UDP
None	-- don't connect

Each connection type can be abbreviated by the first character as {c,i,m,d,v,s,u} respectively.
If ProtoList and dstHostList are given, this control is applied only to the protocols and hosts included in the lists. For example, to use cached data in a host which is not connected to external networks, specify as CONNECT="cache:*:!./@".

Note: In current implementation, "cache" will be tried first anyway if it is included in the connSeq.

SRCIF parameter*    ==  SRCIF=host[:[port][:connMap]]
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: SRCIF="*:*:*:*:*"

This parameter is useful for DeleGate running on a multi-homed host or on a host behind a firewall with packet filtering.

This parameter specifies the source address (of a network interface) of each connection to a server. This can be useful when the host of DeleGate has multiple network interfaces. Also it can be used to specify the port to be used for accepting a client connection by a SOCKS-DeleGate or a FTP-DeleGate.

In most cases, a special pattern "*" as host or port specifies the wild-card IP address or port number. In some cases, the special pattern "*" is used for the desired address and number which is specified by a protocol, like a port for FTP data connection (by PORT or PASV) or a port for SOCKS (BIND and UDP-ASSOCIATE). To explicitly specify the wild-card as an IP address and port number, use "0.0.0.0" as host and "0" as port respectively.

Example:

SRCIF="*:0:ftp-data"

SRCIF="*:8020-8120:ftp-data"

SRCIF="150.29.202.120:*:tcpbind"

SRCIF="150.29.202.120:*:udpbind"

The port for "ftp-data" connection which is assigned on demand and notified to the peer, that is from client to server by PORT or from server to client by PASV, can be controlled separately by "ftp-data-port" or "ftp-data-pasv" respectively. The source port for data connection, which is established from server to client for PORT or from client to server for PASV, can be controlled by "ftp-data-src".

TUNNEL parameter    ==  TUNNEL=tunnelType:script
        tunnelType  ==  tty7
                    --  default: none

If specified, communication with an upstream DeleGate will be tunneled via the standard input/output of the command. The tunnel can be made of any kind of channel, a raw serial line for example, as long as it provides bi-directional transmission on it. Possibly it may be the channel to the DeleGate which will be invoked from inetd at remote host.

Currently, the tunnelType must be "tty7" which means transmission between DeleGates is done in 7bits stream. When the type is "tty7", how the TUNNEL is established is described in the specified SHIO-script file. See "src/sample.shio" in the distribution package. The name of a script file must be specified either in absolute path, or in relative file name which will be retrieved in LIBPATH. The upstream DeleGate for TUNNEL must be invoked with SERVER="tunnel1".

Example: make a tunnel without login dialogue

TUNNEL=tty7:tunnel.shio

o rsh host delegated SERVER=tunnel1\n i READY\r\n =

TUNNEL=tty7:tunnel.shio

o telnet hostname\n i login: o username\n i Password: o password\n i % o delegated SERVER=tunnel1 \n i READY\r i \n =

SHIO-script

command

host

port

PERMIT parameter*   ==  PERMIT=connMap
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none

srcHostList

dstHostList

ProtoList

If multiple PERMIT parameters are given, an access will be permitted if at least one of those PERMITs indicates permission. If no PERMIT parameter is given, access permission is controlled by REMITTABLE, REACHABLE and RELIABLE parameters which can be defined explicitly or implicitly depending on SERVER parameter.

Example: unlimited permission to hosts on local net while only http://www to others

PERMIT="*:*:.localnet" PERMIT="http:www:*"

The special pattern "*" in ProtoList (dstHostList) means all of permitted protocols (servers), which may be explicitly defined with REMITTABLE (REACHABLE) parameters. These parameters limits the widest possible permission. A protocol (server) is not permitted if it is not permitted in REMITTABLE (REACHABLE) parameters defined implicitly or explicitly. Similarly, if more than one RELIABLE parameters are given explicitly, they limit the widest acceptable clients in srcHostList of PERMIT.

The host specifications in the dstHostList can be further restricted with port number like "host:portNumList". For example, PERMIT="telnet:{*:23}:*" means permitting telnet to any host but only on the standard port number (23).

A protocol name in the ProtoList can be modified with port number and method like "protocolName/portNumList/methodList" to restrict accessible ports and methods in the protocol. For example, a series of PERMIT parameters, PERMIT="ftp//readonly:Servers:Clients" PERMIT="ftp:*:*" means inhibiting uploading to Servers from Clients while allowing uploading among other combinations of servers and clients.

When multiple DeleGate servers are chained using MASTER or PROXY parameter, the original client identification information got at the first DeleGate server (at the entrance of the chain) can be forwarded to the upstream DeleGate server using RIDENT parameter and will be examined using PERMIT parameter.

REJECT parameter*   ==  REJECT=connMap
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none

Example: forbid mail-clients to remove message on mail-servers

REJECT="pop//DELE:mail-server:mail-client" REJECT="imap//EXPUNGE:mail-server:mail-client"

REMITTABLE parameter == REMITTABLE=ProtoList
                    --  default: REMITTABLE="*" for generalist
                    --  default: REMITTABLE="." for specialist

ProtoList

If a protocol name is followed by "/portNumList", only ports listed in the PortList is permitted. A PortList can be followed by "/methodList" which restricts available methods in the protocol. A pseudo method "readonly" is used to prohibit methods for modification. For example, REMITTABLE="ftp//readonly" make a FTP-DeleGate be "read only" which inhibits uploading to FTP servers.

Protocol Specific Default:

generalist-DeleGate: REMITTABLE="*" -- any protocol is remittable
HTTP-DeleGate: REMITTABLE="http,https/{80,443},gopher,ftp,wais" -- usual protocols expected to be relayed by HTTP-proxies
Telnet-DeleGate: REMITTABLE="telnet/23" -- restricted to be accessible only toward standard Telnet port (23). This restriction can be disarmed by specifying like REMITTABLE="telnet".

Exception:

Path1

Proto

Server

Path2

Proto

Server

If the first member of a list is "+", it means the default list of permitted protocols. For example, REMITTABLE="+,-https/80,-wais,file" with SERVER=http means REMITTABLE="http,https/443,gopher,ftp,file".
Note that "https" implies that non-HTTPS protocol on the SSLtunnel may be detected and rejected. If arbitrary protocol is to be relayed on the SSLtunnel, specify "ssltunnel" instead of "https" like REMITTABLE="+,ssltunnel".

REACHABLE parameter* ==  REACHABLE=dstHostList
                    --  default: REACHABLE="*" (any host is reachable)

Only requests directed to the servers on the hosts (or networks) listed in dstHostList will be accepted by the DeleGate. When you use

RELIABLE parameter* ==  RELIABLE=srcHostList
                    --  default: RELIABLE=".localnet"

srcHostList

Note that multiple RELIABLE parameters like RELIABLE=Hosts1 RELIABLE=Hosts2 will be interpreted being simply concatenated into a single RELIABLE="Hosts1,Hosts2", which will NOT mean "Hosts1 or Hosts2" if Hosts1 or Hosts2 includes some negation or composite operators. You are recommended to use multiple PERMIT parameters instead if you are not sure what does these mean.

RELAY parameter*    ==  RELAY=relayTypeList[:connMap]
     relayTypeList  ==  relayType[,relayType]*
         relayType  ==  proxy | delegate | vhost | no | nojava | noapplet
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: RELAY="delegate,vhost,nojava:*:*:.localnet"
                                 RELAY="proxy:*:*:*"

This parameter controls in which way the DeleGate works as a HTTP server. DeleGate as a HTTP proxy server works in two ways (proxying modes): as a standard (CERN compatible) HTTP proxy which accepts full URL in a request ("proxy" relayType), and as a DeleGate original proxy which accepts

relayType

connMap

RELAY="no" means working as an origin HTTP server without relaying (Origin HTTP server is a usual server which accepts requests in usual format, not in format for proxies, that is URL in request is neither in full format nor in "/-_-" format, but in absolute format).

So called "transparent-proxy" ability is enabled by "RELAY=vhost". RELAY="vhost" can be used for origin HTTP server with relaying to arbitrary virtual hosts. This option enables a HTTP request to be forwarded to arbitrary destination server, indicated in "Host:" field in request header, without explicit MOUNT. This automatic relaying is done only when the request URL is not MOUNTed, thus is not so likely because most DeleGate working as origin server have MOUNT parameter for the root URL ("/*").

With "nojava" combined with other relayType, <APPLET>, <EMBED> and <OBJECT> tags relayed in the relayType will be disabled (being replaced with <killed-TagName>). With "noapplet", only <APPLET> tags are disabled. When the relayType "delegate" is enabled by a RELAY parameter, using "nojava" like the default shown above is strongly recommended.

Example:

Default:

Both "proxy" and "delegate" modes are allowed to users on ".localnet", while only "proxy" mode is allowed to other users.

AUTH parameter*     ==  AUTH=what:authProto:who
                    --  default: none

Authorize who to do what. Authentication of user will be done using protocol specified in authProto. Identification about "who the client's user is" is done based on Identification protocol to the client host if it supports the protocol. Otherwise FTP-server may be used as an authentication server.

In HTTP-DeleGate, user declares "who am i" giving an Authorization header (in request message), which consists of Username:Password, where Username can be in a form of User@Host.
Given a set of User, Host and Password, DeleGate tries to login to the (FTP) server on Host with User and Password. If succeed, then the client is authenticated to be User@Host.

Currently following categories of authentication/authorization are supported:

-- in any protocol DeleGate --

AUTH="admin[:authServ[:[listOfUsers][:listOfHosts]]]"

Enables the remote configuration and administration of DeleGate via HTTP (or HTTPS) at "http://delegateHost:Port/-/admin/". It allows a user to do remote administration if the user is authenticated with authServ, and if the user is in listOfUsers. For example, AUTH=admin:-pam:user authorizes the user if authenticated with PAM. AUTH=admin is the abbreviation of AUTH="admin:-pam:%O" where "%O" represents the owner of this DeleGate process. Empty authServ as AUTH=admin::user:pass means authorizing the username user with password pass. If ":listOfHosts" is specified, users to be authorized must access from a client hosts in the list.
A DeleGate of arbitrary protocol (regardless of SERVER=protocol) can have a port for remote administration by specifying a port devoted to administration with "/admin" modifier like "-PuserPort,adminPort/admin" option.
Example:

SERVER=pop -P110,9110/admin AUTH=admin::admin:password

delegateHost

-- in FTP server and FTP/HTTP gateway --

AUTH="anonftp:*:passWord": If specified, A DeleGate forwards E-mail address of a client's user (which is declared by the user) to the target FTP server as an anonymous password. Without this AUTH, HTTP-DeleGate will send ADMIN's E-mail address by default.
The E-mail address must be in the form of user@host, otherwise (if the host part is not given) the FTP login is rejected by DeleGate.
HTTP-DeleGate asks anonymous users to declare his/her E-mail address as Username part in Authorization. If passWord field is specified as "*" (i.e. AUTH="anonftp:*:*"), then any Password in the Authorization will be acceptable.
In FTP-DeleGate, the E-mail address must be given as a password (in PASS command) for the anonymous user, and the password is used for matching with passWord too.
The second field must be "*" in current implementation.
AUTH="anonftp:smtp-vrfy:*": If specified, DeleGate verifies (using the SMTP protocol) the validity of E-mail address given by anonymous users. In HTTP-DeleGate, the E-mail address must be given as Username part in Authorization. In FTP-Delegate, it must be given as a password for the anonymous user. With this AUTH, invalid E-mail addresses can be rejected. When the address is valid but is in a format like "user@host", it will be expanded automatically to a FQDN format like "user@host.domain".
If the third field is "-" (i.e. AUTH="anonftp:smtp-vrfy:-@*") only the connectivity to mail server at "host.domain" is checked.

-- in proxy and origin HTTP server --

AUTH=proxy:{ident|auth|pauth}

Specify identification/authorization protocols for the DeleGate as a HTTP proxy server. This parameter is checked only when access control for user is specified in PERMIT or RELIABLE.

ident	-- Identification protocol [default]
pauth	-- Use Proxy-Authorization field "user@host:password"
auth	-- Use Authorization field "user@host:password"

Example:

AUTH=proxy:auth PERMIT="*:*:{*,!?}@*"

Note:

When the client does not support Proxy-Authentication, you are obliged to use "proxy:auth" for Authentication. In such case, note that the client cannot access resources which requires Authentication.

In the case where the FTP-server based authentication is used, a recommended user name of the authorization information is e-mail address like "user@host.domain" so that it can be commonly used for both AUTH="anonftp" and AUTH="proxy".

AUTHORIZER parameter* ==  AUTHORIZER=authServList[@realmValue][:connMap]
       authServList  ==  authServ[,authServ]* | & | *
           authServ  ==  authHost[/portNum][(reprUser)]
           authHost  ==  hostName | hostAddr
         realmValue  ==  word | {words separated with space}
            connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
                    --  restriction: applicable to Telnet, FTP, NNTP, SMTP, IMAP, Socks, SockMux, and HTTP

Specify the server for authentication and authorization ("auth-server"). If specified, an access by a client is not permitted without authenticated successfully by the auth-server, sending an appropriate pair of user-name and pass-word over the application protocol. Two special authServ "-none" and "-never" are exceptions to make authentication unnecessary. If authServ is followed by "(reprUser)", the users successfully authenticated in the authServ are represented by reprUser as a representative user.

Note that even a client authorized by an auth-server is not permitted if the client's host does not pass other access controls (RELIABLE and PERMIT). To permit any authorized client regardless of its host, specify as RELIABLE="-a/*". Also RELIABLE="*" works for this purpose but is not safe on modifications of configuration and DeleGate.

Adding connMap, an auth-server can be selected conditionally on a combination of destination protocol, server host and client host. The authServList is a host name of authentication server, or a list of host names of authentication servers. If authServList is followed with "@realmValue", the value is used to define the realm of protection space in HTTP-DeleGate. It can be overridden by MountOption "realm=realmValue" for each MOUNT point.

Currently, the default protocol of remote authentication/authorization server is that of FTP protocol with USER and PASS commands. Thus any real FTP server can be used as an authentication/authorization server of DeleGate. Another way of maintaining DeleGate's own lists for authentication/authorization is using -Fauth function.

There are built-in auth-servers to be used as authServ as follows:

-none -- allow without caring if authentication is given or not
-never -- disallow without careing if authentication is given or not
-any -- any combination of username + password is acceptable
-anonftp -- username is "ftp" or "anonymous" and password includes "@"
-dgauth[.realm] -- password is sent safely as a digest (HTTP and APOP)
-pam/service -- username + password is checked by PAM
-list{user:pass,...} -- the pair of username and password is in the list
-fail.badpass -- disallow if the username exists but password is wrong
-fail.nopass -- disallow if password is not given or empty
-cmd{cmd arg ...}{ENV=val ...} -- external command for authentication
-ntht -- NTLM over HTTP (Win32 only)
-login -- logon to the local host (Win32 only)
-man -- manual authentication on demand

DGAuth: -dgauth[.realm][{user:pass,...}]

Authentication scheme based on digested password, specific to each application protocol, is enabled with "AUTHORIZER=-dgauth". This kind of authentication scheme, at least APOP proxy or HTTP Digest/Basic gateway does, requires the original cleartext of password. A simple way to do so is giving directly a list of pairs of username and password as -dgauth{user1:pass1,user2:pass2,...}. Another way is storing passwords by DeleGate with "-Fauth -a username:password -dgauth". Since passwords for -dgauth is stored in encrypted form, a keyword is required for the encryption. Specify the keyword as CRYPT=pass:keyword or answer it interactively afterwards. Otherwise, DGAuth can be delegated to a remote DGAuth server. DGAuth generates a session identifier which is retained identically during the session started by an authentication, then passed to CFI/CGI programs in environment variable "X_DIGEST_SESSION" and can be logged into PROTOLOG.

Example:

SERVER=http AUTHORIZER=-dgauth

SERVER=pop MOUNT="* pop://server/*" AUTHORIZER=-dgauth

PAM: -pam[/service]

On platforms where PAM (Pluggable Authentication Modules) is available, it can be used for authentication with the syntax AUTHORIZER="-pam/service", for example as AUTHORIZER="-pam/passwd", AUTHORIZER="-pam/ftp" and so on.
Note that most of PAM authentications need to be executed under the privilege of superuser on Unix (with OWNER="root" option). But you can avoid running your DeleGate with superuser privilege by installing external program "dgpam" under DGROOT/subin/. Also PAM authentication can be delegated to a remote PAM server.

LIST: -list{user[:pass],...}

An element of the list can be user only without ":pass" which means matching user name only and don't care the password. In the "-list{user:pass,...}", substitution by "[date+format]" can be used in user and pass. For example, AUTHORIZER="-list{guest:[date+%y%m]}" means accepting usrename "guest" with password "0405" in May 2004.

Example:

AUTHORIZER="-list{u1:p1,u2:p2}(local),-pam,-none(anonymous)"

CMD: -cmd{cmd arg ...}[{ENV=val ...}[{input-pattern}]]

Do the authentication with an external command cmd. Values to be used the authentication to be passed to the command is specified with the format as "%format" like %U for username and %P for password. A parameter can be passed in command-line argument, in environment variable or in the standard input of the command. If the environment and input-pattern is omitted as AUTHORIZER="-cmd{cmd}, the pair of user name and password is passed by default as if implicitly specified as AUTHORIZER="-cmd{cmd}{DG_USER=%U DG_PASS=%P}{USER %U\nPASS %P\n}".

The result of the authentication by the command is shown in its output string or by its exit code. The command may puts a string to its standard output to show the result in the form of a status response of the FTP protocol, that is, "230" for success and "530" for failure. Otherwise the exit code of the process is used, the value zero for success and non-zero values for failure.

Example: passing username in argument while password in environment variable

AUTHORIZER="-cmd{myauth %U}{MYPASS=%P}"

[the content of the myauth command]
#!/bin/sh if [ "$1" = "user1" -a "$MYPASS" = "pass1" ]; then echo "230 SUCCESS" else echo "530 FAILURE" fi

If only authentication of user is necessary without authorization, the following special name will be useful as a authServList.

authHost

user

authHost

Example:

SERVER=telnet AUTHORIZER="&:::!*.local.domain"

SERVER=telnet AUTHORIZER="localhost" RELIABLE="*"

SERVER=socks AUTHORIZER=-socks.users

MYAUTH parameter*   ==  MYAUTH=username:password[:connMap]
                    --  default: none
                    --  restriction: applicable to Socks, VSAP, SMTP, and HTTP

Specify authorization information to be sent to an upstream server/proxy. Special characters in username or password must be escaped with "%XX" where XX is hexadecimal representation of a character code (see ascii(7)). Special characters to be escaped are: TAB ("%09"), SPACE ("%20"), '"' ("%22"), '%' ("%25"), ':' ("%3A"), '{' ("%7B"), and '}' ("%7D").

The pair of username+password which is sent from a client can be forwarded to the server by MYAUTH="%U:%P" (supported in HTTP and FTP only).

NOTE: For authentication with proxies, it is strongly recommended to use FORWARD with a gateway-URL including authentication information instead of MYAUTH. For example, SOCKS=host:port with MYAUTH=user:pass can be represented as FORWARD=socks://user:pass@host:port.

Example:

MYAUTH=userS:passS:socks MYAUTH=userV:passV:vsap MYAUTH=userM:passM:smtp:smtpserverM MYAUTH=userH:passH:http:httpserverH MYAUTH=userP:passP:http-proxy:httpproxyP

RIDENT parameter    ==  RIDENT=ridentType[,ridentType]*
       ridentType   ==  client | server
                    --  default: none

Example:

host1# delegated -P8080 RIDENT=server MASTER=host2:8080 host2# delegated -P8080 RIDENT=client

MAXIMA parameter*   ==  MAXIMA=what:number,...
                    --  default: MAXIMA=listen:20,ftpcc:2,...

randstack	--	randomization range of stack base for security [32]
randenv	--	randomization range of environment variables base [1024]
randfd	--	randomization range of client socket file-descriptor [32]
listen	--	max. size of the queue for entrance port [20]
delegated	--	max. number of DeleGate processes runnable at a time [64]
service	--	max. number of services per delegated process [unlimited]
standby	--	max. number of standby process [32]
conpch	--	max. number of connections at a time per client host [unlimited]
ftpcc	--	max. number of FTP connection cache servers to a host [16]
nntpcc	--	max. number of NNTP connection cache processes to a host[16]
http-cka	--	(replaced by HTTPCONF=max-cka)
http-ckapch	--	(replaced by HTTPCONF=max-ckapch)
udprelay	--	max. number of parallel UDPrelay client [256]
winmtu	--	max. unit of send() on Win32 [1024]

TIMEOUT parameter*  ==  TIMEOUT=what:seconds,...
                    --  default: TIMEOUT=dns:10,acc:10,con:10,lin:30,...

Specify timeout period (in seconds by default) of what.

The timeout value "0" means "never timeout" (unlimited). The unit of period is second by default, but can be changed like 1d(day), 1h(hour), 1m(minute).

shutout	--	disarming emergent shutout set on fatal error [1800]
dns	--	for DNS lookup [10]
dnsinv	--	for DNS inverse lookup [6]
acc	--	for accept from client (include FTP data connection) [10]
con	--	for connection to the server [10]
lin	--	LINGER for output [30]
authorizer	--	expiration of authorization by AUTHORIZER [unlimited]
dgnonce	--	for AUTHORIZER=-dgauth (lifetime of "nonce") [60]
ident	--	for connection to Ident server [1]
rident	--	for receiving RIDENT=client info. [1.0]
io	--	general I/O (no data transmission) [600]
silence	--	no data transmission either from client or server [0] (applicable only to tcprelay)
hello	--	for HELLO negotiation with the MASTER [30]
login	--	for login to proxy (Telnet,FTP,SOCKS) [60]
daemon	--	delegated [unlimited]
restart	--	cause restart at every specified period [unlimited]
standby	--	keep the delegated alive on standby for next client [30]
takeover	--	taking over a downloading to cache after client's disconnection [5] (after the disconnection of the client which initiated the downloading)
ftpcc	--	for keeping alive FTP Connection Cache [120]
nntpcc	--	for keeping alive NNTP Connection Cache [300]
http-cka	--	(replaced by HTTPCONF=tout-cka)
cfistat	--	for status information from -s,filter [1.0]

DELAY parameter*    ==  DELAY=what:seconds
                    --  default: DELAY=reject:60,unknown:60,...

reject	--	continuous Reject resp. from self or MOUNTed servers [60]
unknown	--	continuous Unknown resp. from self or MOUNTed servers [60]
reject_p	--	continuous Reject resp. from origin server [0]
unknown_p	--	continuous Unknown resp. from origin server [0]

Each value specifies the maximum delay time and delay time increases according as the error count increases.

MOUNT parameter*    ==  MOUNT="vURL rURL [MountOptions]"
                    --  default: MOUNT="/* SERVER_URL*"

vURL

rURL

vURL

rURL

rURL

vURL

HTTP -- URL or part of it appeared in header or HTML body (tags)
FTP -- file name in command and status response
NNTP -- newsgroup name in command, status response, and user data (header)
POP -- user and host name in USER,PASS,APOP command
IMAP -- user and host name in LOGIN command
SMTP -- mail address in the RCPT command
Telnet -- hostname and port number of destination server
LDAP -- base object name in requests/responses

If a vURL is terminated with "*" then partially matched path is also rewritten. If a rURL is terminated with "*" then remaining part in the partially matched path will be copied after the rURL.

Example: a MOUNT for HTTP-DeleGate

MOUNT="/abc/* http://host/*"

host

If "=" is specified as vURL or rURL, it means mount as is without rewriting for the vURL in a request, or rewriting for rURL in a response.

The port number of the destination server (in rURL) can be prefixed with "-" or "+" to be determined dynamically by offsetting from the port number of the entransport, as in SERVER parameter.

A special host name "odst.-" in rURL (or in the SERVER parameter) represents the original destination host of the TCP connection from the client via NAT (provided by iptables on Linux). It can be used to configure a transparent proxy (or gateway) for arbitrary protocols. The original destination port number can be referred with "-" as "odst.-:-". The number can be mapped with an offset value as "-8000" or "+8000" for example. The name "odst.-" can be used in the "rserv" MountOption too.

If the rURL is of "file:path" and the path is a relative one, then the data file is searched under the DGROOT directory or directories listed in DATAPATH.

If a rURL is prefixed as "vurl:rURL", the rewritten URL (in a request message) from vURL to rURL will be rewritten by another MOUNT again. This recursive MOUNT is not applied to the rewriting a URL in response data from rURL to vURL, therefore it does not work as expected in HTTP where such reverse rewriting of URL in response is expected too.

Example: recursive MOUNT

MOUNT="/x/* vurl:/f/x/*" MOUNT="/y/* vurl:/f/y/*" MOUNT="/f/* ftp://server/*"

/x/path

ftp://server/x/path

ftp://server/x/path

/f/x/path

Abbreviations

To make configurations be simple and reusable, special abbreviated formats of URL can be used in MOUNT parameter. If "=" is specified as protocol-name, host-name or port-number in rURL which consists of protocol-name://host-name:port-number/url-path, then it represents that of the DeleGate itself (i.e. that of vURL). URLs beginning with "//" represents further abbreviations, "///path" for "=://=:=/path" (in the same protocol,host and port) and "//serv..." for "=://serv..." (in the same protocol).

Abbreviated host-name and port-number is substituted by that of the virtual host (given in HTTP Host: field) if exists, or by that of the real interface with the client. To explicitly specify the real interface, use "-P" for "host-name:port-number part like "http://-P/path".

Example: abbreviation in rURL of MOUNT parameter

MOUNT="/x/* =://=:=/y/*" -> http://vhost:9080/y/ MOUNT="/x/* ///y/*" -> (the abbreviation of the above) MOUNT="/x/* //-P/y/*" -> http://dhost:9080/y/ MOUNT="/x/* =://serv/y/*" -> http://serv:80/y/ MOUNT="/x/* //serv/y/*" -> (the abbreviation of the above) MOUNT="/x/* //serv:=/y/*" -> http://serv:9080/y/ MOUNT="/x/* //=:9088/y/*" -> http://vhost:9088/y/ MOUNT="/x/* https://=/y/*" -> https://vhost:443/y/

Complex Matching and Rewriting

A pattern following "*%" in vURL and rURL represents a pattern for complex matching specified in the format like that of scanf(3). Each format specification consists of a specification following "%", like "%c", "%[a-z]" and so on. The extended format "%S" has variable meanings determined by its adjacent character, i.e. "%Sx" means "%[^x]x": ex. "%S." for "%[^.]." and "%S/" for "%[^/]/". "%(N)" in rURL means copying Nth element in vURL. If a vURL pattern ends with "$" character, then complete matching to the end of URL string is required.

Example: complex matching and rewriting

// Requested URL: http://dhost/x/abc/def MOUNT="/x/*%S/%S ///y/*%S.%S" -> http://dhost/y/abc.def MOUNT="/x/*%S/%S ///y/*%(1)/%(0)" -> http://dhost/y/def/abc MOUNT="/x/*%1[a-z]%S http://w/*%S/%S" -> http://w/a/bc/def

MountOptions == option[,option]*

MountOptions is a list of options, to make MOUNT be conditional, or to apply some functions only to MOUNTed URLs. Some of them are common to any protocol and others are specific to a protocol (

CONDITIONS: The first group of options are to make MOUNT be conditional depending on source and destination (client and server). When a MOUNT parameter have a MountOption including one or more conditions, the MOUNT will be ignored witho