Common Notation

# delegated ...

implies invoking DeleGate by super-user to use a privileged port number

% delegated ...

implies invoking DeleGate by non super-user

firewall% delegated ...

implies running DeleGate on a host belongs to your site and reachable to/from internet

internal% delegated ...

implies running DeleGate on a internal host in your site which is isolated from internet

external% ...

implies doing something on a host external to your site

DeleGate with a SERVER=tcprelay parameter relays communication between a client and a server on a single TCP connection without interpreting what is transmitted on it. Thus an arbitrary application protocol on TCP, even if it is not in supported protocol list of DeleGate, can be relayed by SERVER=tcprelay. But value added services, including caching, mounting and logging, are not available in this case. Connecting to arbitrary destination servers depending on a request from a client is not possible. Application protocols which dynamically create other connections besides the main connection, like FTP, are not relayable. Application protocols which exchange some kind of name depends on an origin server on the protocol, like a full URL in HTTP, are not relayable too.

Example: two proxies on TCP with similar function

# delegated -P25 SERVER=smtp://mailserver
# delegated -P25 SERVER=tcprelay://mailserver:25

DeleGate with a SERVER=udprelay parameter relays communication between a server and clients on UDP without interpreting what is transmitted on it. It has similar merits/demerits to tcprelay for TCP. Also application protocols on which routing information are exchanged, like CU-SeeMe, are not relayable with udprelay.

Example: two proxies on UDP with similar function

# delegated -P53 SERVER=dns://nameserver
# delegated -P53 SERVER=udprelay://nameserver:53

Example: a gateway between UDP and TCP

// UDP clients and a TCP server
# delegated -P53 SERVER=udprelay://nameserver:53 CONNECT=tcp
// TCP clients and a UDP server
# delegated -P53/tcp SERVER=udprelay://nameserver:53


A pair of gateways like above can be used to convey UDP packets over TCP connections, but such relaying (tunneling) is realized more efficiently using SockMux with a single TCP connection.

"DGAuth" server by DeleGate provides Digest Authentication functionality remotely, over an experimental "DGAuth" protocol.

Example: DGAuth-DeleGate server and its client

hostS% delegated SERVER=dgauth -P8787
hostC% delegated SERVER=http -P8080 AUTHORIZER=-dgauth//hostS..8787

Example: DGAuth-DeleGate server and its client on the same host

hostX% delegated SERVER=dgauth
hostX% delegated SERVER=http -P8080 AUTHORIZER=-dgauth

A DGAuth server receives a set of components to be used to calculate digest for each application protocol, then return the digest, as follows.

Request:
  HTTP user nonce realm method uri
  APOP user nonce [realm] (not used currently)

Response:
  200 digest
  501 syntax error
  502 unknown user

PAM server

PAM server by DeleGate provides PAM (Pluggable Authentication Modules) functionality remotely, over an experimental protocol compatible with HTTP (PAM/HTTP).

Example: PAM-DeleGate server and its client

hostX% delegated -P8686 SERVER=httpam
hostY% delegated -P8023 SERVER=telnet AUTHORIZER=-pam//hostX/passwd

Example: PAM-DeleGate server and its client communicating over SSL

delegated hostX% -P8686 SERVER=httpam FCL=sslway
delegated hostY% -P8023 SERVER=telnet AUTHORIZER=-pam//hostX/passwd CMAP=sslway:FSV:pam

Note that most of PAM authentications need to be executed under the privilege of superuser on Unix (with OWNER="root" option). But you can avoid running your PAM-DeleGate server with superuser privilege by installing external program "dgpam" under DGROOT/subin/.

The default port number of the experimental PAM/HTTP server is 8686. Other ports can be specified as AUTHRIZER=-pam//host..port, for example as AUTHORIZER="-pam//hostX..8765/passwd".

PAM/HTTP protocol uses the format of HTTP compatible request/response messages as follows.

Request:
  GET /-/pam/service/auth HTTP/1.0
  Authorization: Basic BASE64of(User:Pass)

Response (one of followings):
  HTTP/1.0 200 OK, authorized
  HTTP/1.0 401 Not authorized
  HTTP/1.0 403 Forbidden to use the PAM server

The base of request URL "/-/pam/" can be replaced with an arbitrary path with PAMCONF="baseurl:/basePath/". The whole request URL can be replaced by PAMCONF="url:/path". The content of response message is not cared in the current specification but it could convey some authentication related data or capability information in future.

Following the format, you can easily develop your own PAM server, instead of PAM-DeleGate, using your own HTTP server with CGI or so.

"FTPxHTTP" is a HTTP server which can be used for tunneling the FTP protocol over HTTP by a (connectionless) sequence of usual HTTP requests (not by CONNECT but by GET and POST). It can be relayed by another HTTP proxy for forwarding, filtering or so.

Example:

hostX% delegated -P8021 SERVER=ftp MOUNT="/* ftpxhttp://hostY:8080/*"
hostY% delegated -P8080 SERVER=ftpxhttp MOUNT="/* ftp://hostZ/*"
client --FTP-- ftp://hostX:8021 --HTTP-- http://hostY:8080 --FTP-- ftp://hostZ

The yysh server provides remote login and remote command execution based on the YYSH and YYMUX protocol.

Example:

hostX% delegated -P6023 SERVER=yysh
hostY% delegated -Fyysh hostX:6023

YYMUX server

Example:
hostX% delegated -P6010 SERVER=yymux
hostY% delegated -P8080 SERVER=http YYMUX=hostX:6010

SOCKMUX parameter*  ==  SOCKMUX=host:port:option[,option]*
            option  ==  acc | con | ssl
                    --  default: none
                    --  status: tentative

If specified together with SOCKS, PROXY, MASTER (to chain two DeleGate), then the communication between DeleGate is multiplexed on a single persistent connection using SockMux. This is useful to reduce the delay to establish many connections repeatedly between DeleGate which are running distant from each other with long RTT.

host:port specifies the port toward which a SockMux persistent connection is established. The connection is established from the DeleGate with "con" option to the DeleGate with "acc" option.

Options:

acc -- accept a SockMux connection at "host:port".
con -- connect a SockMux connection to "host:port".
ssl -- use SSL instead of the "Credhy" encryption.

Example: SOCKS proxies chained over SockMux

hostA% delegated SOCKMUX=hostA:8000:acc SERVER=socks -P2080
hostB% delegated SOCKMUX=hostA:8000:con SERVER=socks -P1080 SOCKS=hostA:8000


Example: SOCKS proxies chained over SockMux connected from the server side

hostA% delegated SOCKMUX=hostB:8000:con SERVER=socks -P2080
hostB% delegated SOCKMUX=hostB:8000:acc SERVER=socks -P1080 SOCKS=hostA:8000


Example: HTTP proxies chained over SockMux

hostA% delegated SOCKMUX=hostA:8000:acc SERVER=http -P9080
hostB% delegated SOCKMUX=hostA:8000:con SERVER=http -P8080 PROXY=hostA:8000


Example: HTTP via SOCKS proxy chained over SockMux

hostA% delegated SOCKMUX=hostA:8000:acc SERVER=socks -P2080
hostB% delegated SOCKMUX=hostA:8000:con SERVER=http -P8080 SOCKS=hostA:8000

SOXCONF parameter*  ==  SOXCONF=confSpec[,confSpec]*
                    --  default: none

crypt:no

disable the encryption of SockMux packets.

packsize:SIZE [16k]

specify the size of a SockMux packet, 128 in minimum and 16k at the maximum.

SockMux is an experimental protocol designed for inter-DeleGate communication. It is a simple protocol for "port forwarding" to accept, relay and destroy connections, multiplexed over a single persistent connection. A pair of SockMux-DeleGate establish and retain a connection between them, then forward port from local to remote each other over the connection.

The persistent connection is established with "-Phost:port" parameter at receptor side, and "SERVER=sockmux://host:port" at connector side. The port to accept outgoing connections to be forwarded to remote is specified with PORT="listOfPorts parameter. The server to be connected for incoming connections from remote is specified with a postfix string ",-in" like SERVER="telnet://host:23,-in".

An incoming connection can be processed with DeleGate as a proxy of the specified protocol. If only protocol name is specified like SERVER="telnet,-in", or if "-in" is postfixed like "-in(option list)", then a DeleGate is invoked to process the connection. The option list is passed to the invoked DeleGate as the list of command line options. For example, SERVER="telnet://host,-in(+=config.cnf)" will invoke a DeleGate with command line options like ``delegated SERVER=telnet://host +=config.cnf''.

Example: bi-directional SockMux-DeleGate

hostX% delegated SERVER=sockmux -PhostX:9000 PORT=9023 SERVER="telnet://hostX,-in"
hostY% delegated SERVER=sockmux://hostX:9000 PORT=9023 SERVER="telnet://hostY,-in"
// a pair of SockMux-DeleGate is connected at the port "hostX:9000", then
// the port "hostX:9023" is forwarded to "telnet://hostY"
// the port "hostY:9023" is forwarded to "telnet://hostX"


Example: uni-directional SockMux-DeleGate

hostX% delegated SERVER=sockmux -PhostX:9000 SERVER="telnet://hostX,-in"
hostY% delegated SERVER=sockmux://hostX:9000 PORT=hostY:9023
// hostY:9023 is forwarded to "telnet://hostX".

Example: uni-directional to proxy-Telent-DeleGate

hostX% delegated SERVER=sockmux -PhostX:9000 PORT=hostX:9023
hostY% delegated SERVER=sockmux://hostX:9000 SERVER="telnet,-in"
// hostX:9023 is forwarded to a Telnet proxy on hostY.

When SockMux is used just to relay data between sockets, without interpreting the application protocol relayed over SockMux, such relaying can be represented with simpler expression using DEST parameter instead of SERVER as follows:

DEST=host:port[:srcHostList] for SERVER=tcprelay://host:port,-in[:-:srcHostList]
DEST=host:port/udp[:srcHostList] for SERVER=udprelay://host:port,-in[:-:srcHostList]

Example: tcprelay over SockMux

hostX% delegated SERVER=sockmux://hostY:9000 PORT=hostX:111
hostY% delegated SERVER=sockmux -PhostY:9000 DEST=hostT:111
// hostX:111/tcp is forwarded to the server at hostT:111/tcp via hostY.

Example: relaying UDP over SockMux/TCP

hostX% delegated SERVER=sockmux://hostY:9000 PORT=hostX:53/udp
hostY% delegated SERVER=sockmux -PhostY:9000 DEST=hostU:53/udp
// hostX:53/udp is forwarded to the server at hostU:53/udp via hostY.

Another way to establish a persistent connection between two SockMux-DeleGate is using a FIFO device like named pipe. It is specified like SERVER=sockmux:commtype@fifoName where commtype is one of "commin", "commout", and "comm", which represents uni-directional input, uni-directional output and bi-directional input/output respectively.

Example: use fifo device on a host

% mkfifo /tmp/com0
% mkfifo /tmp/com1
serv1) SERVER=sockmux:commin@/tmp/com0 SERVER=sockmux:commout@/tmp/com1 ...
serv2) SERVER=sockmux:commin@/tmp/com1 SERVER=sockmux:commout@/tmp/com0 ...


Example: use communication port between two hosts (not tested yet)

host1) SERVER=sockmux:comm@com1 ...
host2) SERVER=sockmux:comm@com2 ...


The persistent connection can be established by a given external program invoked by DeleGate. The process of the program is passed a socket to/from DeleGate at file descriptor number 0 and 1;

Example: establish connection by external command

% SERVER="sockmux:proc@connectCommand" ...


The destination SERVER for an incoming connection from remote can be selected depending on which port it was accepted. A SERVER parameter postfixed with ":-:-Pxxxx" will be applied only to connections which is accepted on remote host with PORT=xxxx.

Example: forwarding multiple port

hostX% ... PORT=8023,8080
hostY% ... SERVER=telnet,-in:-:-P8023 SERVER=http,-in:-:-P8080
// hostX:8023 is forwarded to Telnet-proxy on hostY
// hostX:8080 is forwarded to HTTP-proxy on hostY


NOTE: forwarding FTP data connection is not supported (yet).

HTMUX parameter     ==  HTMUX=sv[:[hostList][:portList]]
                     |  HTMUX=cl:host:port
                     |  HTMUX=px:host:port
                    --  restriction: requires CAPSKEY
                    --  default: none

HTMUX is used to accept requests at a port which is not directly accessible from a DeleGate to serve the requests. Typically it is a port on a remote host. HTTP DeleGate acts as a HTMUX server when given HTMUX=sv parameter. A DeleGate for any application protocol can act as a HTMUX client specifying its HTMUX server with HTMUX=cl:host:port parameter. A HTMUX server accepts TCP connections at a port (specified by a HTMUX client) on the host and relays the connections to HTMUX clients.

Not only incoming connections but also outgoing connections from a HTMUX client is established via the HTMUX server by default. This might not necessary for a DeleGate that relays incoming request to internal server. In such case, use the CONNECT parameter to specify such connections to be established directory, as CONNECT="direct:*:192.168.1.*" for example.

Example:

hostX% delegated -P192.168.1.1:9876 HTMUX=sv SERVER=http
hostI% delegated -Pxx.xx.xx.xx:8080 HTMUX=cl:192.168.1.1:9876 SERVER=http
hostJ% delegated -Pxx.xx.xx.xx:8021 HTMUX=cl:192.168.1.1:9876 SERVER=ftp


This example implies that hostX is a multi-homed host with a private addresses 192.168.1.1 and a global address xx.xx.xx.xx. The DeleGate on hostX acts as a HTMUX server. HTTP DeleGate on hostI and FTP DeleGate on hostJ act as HTMUX client which remotely accepts requests (arrived at xx.xx.xx.xx) via the HTMUX server on HostX.

A pair of HTMUX server and client uses a single persistent connection to relay multiple parallel connections on it multiplexing them by the SockMux protocol.
This feature must not be exploited maliciously, for example to invite incoming connections violating a restriction on a firewall. Therefore you need to install CAPSKEY to enable this feature. Other usages of HTMUX being disabled by default are non-direct connection between client and server (connection via NAT or proxy), too large clock skew between client and server (300 seconds by default), or inserting SSL encryption between client and server.

There are two ways to enable non-direct connection for HTMUX. One way is to install a CAPSKEY to enable indirect HTMUX connection. Another way is inserting a HTMUX proxy as the following example.

Example: cascading HTMUX with a HTMUX proxy

hostX% delegated -PhostX:9876 HTMUX=sv SERVER=http
hostI% delegated -PhostI:6789 HTMUX=px:hostX:9876 SERVER=http
hostJ% delegated -PhostX:8080 HTMUX=cl:hostI:6789 SERVER=http


The persistent connection between HTMUX client and server is capable to convey connections bi-directionally, thus can be used to make a pair of proxies over it. Each proxy accepts requests at the local port and forwards them to the remote peer as the following example.

Example: using HTMUX to make symmetric proxies (the simplest generic configuration)

hostX% delegated -P9876 HTMUX=sv SERVER=http
hostY% delegated -P8080 HTMUX=cl:hostX:9876 SERVER=http

In this example, -P8080 is equivalent to a wild-card address expression "-P*:8080" to accept from the port number 8080 on any network interfaces on the host. Therefore requests to the port 8080 on any interface on hostX is forwarded to the servers via the DeleGate on hostY as a HTMUX client (and a HTTP proxy). Symmetrically, requests to the port 8080 on any interface on hostY is forwarded to the servers via the DeleGate on hostX as a HTTP proxy (and a HTMUX server at hostX:9876).
(Again, note that this feature is disabled by default and needs CAPSKEY to enable it)

The port to be used on the server side and on the client side can be specified separately with the "/local" and "/remote" modifiers for -P or -Q option. "/local" marks a port to be used on the local host (on a HTMUX client), and "/remote" marks the port to be used on the remote host (on a HTMUX server). The specification "-P8080" in the above example is equivalent to "-P*:8080/remote,*:8080/local".

Example: using HTMUX bi-directionally

hostX% delegated -PhostX:9876 HTMUX=sv SERVER=http
hostI% delegated -Plocalhost:8081 HTMUX=cl:hostX:9876 SERVER=http
hostJ% delegated -P8082/remote,8083/local HTMUX=cl:hostX:9876 SERVER=http

In this example, between hostX and hostI, requests to localhost:8081 on each host are forwarded to the peer (equivalent to "-Plocalhost:8081/remote,localhost:8081/local") Between hostX and hostJ, hostX:8082 and hostJ:8083 are forwarded to the peer (equivalent to "-PhostX:8082/remote,hostJ:8083/local")

Example: using HTMUX only for outbound requests

hostX% delegated -PhostX:9876 HTMUX=sv SERVER=http
hostI% delegated -Plocalhost:8084/local HTMUX=cl:hostX:9876 SERVER=http

This is an example to use HTMUX only for outbound requests. It works even without the HTMUX parameter, but with HTMUX, a single persistent connection is used between the server and client. This usage of HTMUX is enabled by default when DeleGate is executed in foreground (with -fv option, running not as a service or a daemon), without restrictions described as above, and don't require CAPSKEY.

CAPSKEY parameter*  ==  CAPSKEY=opaque
                    --  default: none

Some functionalities of DeleGate are disabled by default and need CAPSKEY to be enabled. You can get automatically issued CAPSKEY for evaluation use via mail. Run DeleGate as "delegated -Fcapsreq ADMIN=Email-address" and follow the instruction shown in the output.

Socks-DeleGate with SERVER=socks accepts both SocksV4 and SocksV5, whereas SERVER=socks4 and SERVER=socks5 accepts only SocksV4 and SocksV5 respectively. Currently, only USER/PASS authentication scheme of SocksV5 is supported.

Example: Socks-DeleGate

# delegated -P1080 SERVER=socks
Example: forwarding to an upstream Socks server
# delegated -P1080 SERVER=socks SOCKS=sockhost

To accept an incoming TCP connection via a SOCKS-DeleGate server, the network interface to be used for it is selected automatically by DeleGate (based on the DST.ADDR or DSTIP which is sent from a SOCKS client as the parameter of the BIND command). With the SRCIF parameter, you can select a network interface (and port number) manually, with the pseudo protocol name "tcpbind". The complete syntax of the parameter is SRCIF= "[host]:[port]:tcpbind[:dstHostList[:srcHostList]]". Typically, only the host filed is specified to select a network interface, like SRCIF="150.29.202.120::tcpbind" for example.

NOTE: When you chain DeleGate with another SOCKS server, it may cause problems in UDP relaying due to the private and tentative extensions to the SOCKS protocol by DeleGate. The following SRCIF parameters can be useful to escape such problems.

• SRCIF="host:port:socks-udp-tosv" -- network interface to servers
  SRCIF="0.0.0.0:0:socks-udp-tosv" makes DeleGate as a SOCKS client behave compliantly to the SOCKSv5 specification on UDP ASSOCIATE.
  
• SRCIF="host:port:socks-udp-tocl" -- network interface to clients
  SRCIF="0.0.0.0:0:socks-udp-tocl" suppresses the failure in DeleGate as a SOCKS server trying to bind a UDP socket to a specific port number.

SOCKSTAP parameter*  ==  SOCKSTAP=ProtoList[:[dstHostList][:[srcHostList][:params]]]
                     --  default: none

If specified with a SOCKS server, the data stream relayed over the SOCKS is interpreted in each application protocol. For example, with SOCKSTAP=http, the delegated act as a server of SERVER=http when the relayed protocol is detected to be the HTTP protocol.

Example: Socks-DeleGate which do caching for HTTP and FTP

% delegated -P1080 SERVER=socks CACHE=do SOCKSTAP=http,ftp

Example: Socks-DeleGate which do caching for HTTP with an upstream proxy

% delegated -P1080 SERVER=socks SOCKSTAP="http:::CACHE=do PROXY=pxserv:8080"

See http://www.delegate.org/delegate/sockstap/> for more details.

HTTP proxy/server

Example: DeleGate as an HTTP proxy
firewall% delegated -P8080 SERVER=http

Then use this DeleGate from your client on the internal host, specifying "firewall:8080" as the proxy for HTTP, HTTPS (Security), FTP, Gopher, Wais, and so on.

Example: cascaded DeleGate as an HTTP proxy

firewall% delegated -P8888 SERVER=delegate RELIABLE=internal
internal% delegated -P8080 SERVER=http MASTER=firewall:8888


Run a generalist DeleGate on the firewall which only accepts request from internal host, then run a specialist on internal which use the generalist on firewall host. A generalist can be shared as an upstream DeleGate from multiple DeleGates of arbitrary protocol.

Example: DeleGate as an origin HTTP server

host# delegated -P80 SERVER=http \

MOUNT="/* /path/of/www/*" RELAY=no RELIABLE="*"

A file with a name with ".cgi" extension is treated as a CGI script. Also you can use arbitrary name of CGI scripts under a specified directory with a MOUNT like:
MOUNT="/xxx/* cgi:/path/of/cgi-bin/*"

Example: DeleGate as a CGI program

You can use DeleGate as a CGI program from a HTTP server. For example, specify in the "httpd.conf" file of your HTTP server(A) as follows.
Exec /other/* /path/of/cgi-delegate
Then write the content of the file /path/of/cgi-delegate as follows:
#!/bin/sh


delegated -Fcgi

MOUNT="/-* =" \
MOUNT="/www2/* http://wwwserv2/*" \
MOUNT="/news/* nntp://newsserv/*"


This will add a pseudo sub tree "/other/" onto server(A) including /other/www2/ which is a content of a HTTP server "wwwserv2", and /other/news/ which is a content of a NNTP server "newsserv".

HTTP Transfer Log Format

The format of PROTOLOG for HTTP protocol can be modified with a optional format specification postfixed after the LogFilename as PROTOLOG="LogFilename:format". In this case, default file name can be omitted. For example, PROTOLOG=":%X" specifies making a NCSA like extended common logfile format. The default format is PROTOLOG=":%C %D".

%C	-- common logfile format of CERN-HTTPD
%c	-- same as %C except the date is recorded in millisecond precision
%D	-- extension by DeleGate (connTime+relayTime:status)
%X	== '%C "%r" "%u"' common logfile format with Referer and User-Agent
%r	-- Referer field in the request message
%u	-- User-Agent field in the request message
%S	-- status of CONNECTion to the server (c,m,p,d,s,v)
%s	-- session Id by HTTPCONF=session
%As	-- session Id in Digest Authorization
%{field}	-- arbitrary field in the request message

The client information part in %C, which records hostname, Ident, and username by default, can be modified by AUTH="log:" parameter.

The session identifier put by "%s" is generated by specifying HTTPCONF=session:cookie option while "%As" is generated by AUTHORIZER=-dgauth option. The format of session identifier is as this:

time.pid.proc#+conn#[+req#].reqnum

For example, "031114-173045.1234.5+6+7.9" means that it is the 9th request from the client in the session started at 17:30:45 on November 14 by the process of PID=1234. The start of the session is recorded in LOGFILE as this:

11/14 17:30:45 [1234] 5+6/7: NewSession 031114-173045.1234.5+6+7.0

Note that the reqnum part may not be unique because of parallel or pipelined requests generated by a client as the owner of the session. Note that the reqnum part for "%As" may not be incremented on each request because the container of session identifier, the opaque" parameter in Digest Authentication in this case, may not be updated on each request.

HTTPCONF parameter  ==  HTTPCONF=what:conf

welcome:listOfWelcomeFiles

-- default: welcome.{dgp,shtml,html,cgi},index.{dgp,shtml,html,cgi},-dir.html
A list of index files or CGI scripts which should be used for URLs of directories ending with "/" like "/path/". This is a list of candidate file names. The list may be ended with "-dir.html" which means a built-in index generator. If the list is empty, empty data is substituted for index data.

search:pathOfSearchScript

-- default: none
The path of a CGI script to be applied for URLs with search part like "/path?search". This is a global specification applied for all URLs. Also you can specify a local search script for each MOUNT point like

MOUNT="/path2/* /root/of/path2/* search:script2".

This local specification is prior to the global one. A special local specification "search:-" can be used just to ignore the global specification for the MOUNT point.

nvserv:noauto | auto | alias | gen | none

-- default: HTTPCONF=nvserv:noauto
Automatically detects virtual servers in MOUNT parameters and notate each of them as a MOUNT rule to be applied only to a virtual server. It can be done manually by specifying "nvserv" MountOption for each MOUNT parameter. "nvserv:alias" means detecting target servers of host names with common IP-addresses and notate them as virtual servers. "nvserv:gen" means notating MOUNT parameters with "genvhost" MountOption as virtual servers. "nvserv:auto" is equivalent to "nvserv:alias,gen". The guessing can be overridden by explicitly specifying the avserv MountOption for each MOUNT parameter. "nvserv:none" disables any treatment of virtual servers which are detected automatically or specified explicitly by the "nvserv" MountOption.

methods:listOfAcceptableMethods

-- default: methods:OPTIONS,GET,HEAD,POST,PUT,...
-- See the output to LOGFILE with HTTPCONF=methods:"+"
Limit or add HTTP methods to be accepted.


Example:

HTTPCONF=methods:GET,HEAD -- accept only GET and HEAD
HTTPCONF=methods:-POST,-PUT -- don't accept POST and PUT
HTTPCONF=methods:+,NEWMETHOD1 -- add NEWMETHOD1 to be accepted
HTTPCONF=methods:* -- accept any methods


rvers:listOfAcceptableResponseVersions

-- default: rvers:HTTP
Add versions in response message from HTTP servers.

Example:

HTTPCONF=rvers:+,ICY
HTTPCONF=rvers:* -- accept any response version

post-ccx-type:listOfTypes

-- default: post-ccx-type:x-www-form-urlencoded
Specify the list of names of Content-Type of request message to which conversion by CHARCODE is applied.

Example:

HTTPCONF=post-ccx-type:+,multipart/form-data

cryptCookie:listOfCookies:cryptKey


listOfCookies == attributes[@domains]
attributes == attribute | {attribute,attribute,...}
domains == domain | {domain,domain,...}
domain == [.]domainName
cryptKey == string | %a | %P

encrypt specified attributes in a Set-Cookie response to be stored in a client, then decrypt and forward the Cookie request only to the originator of the Cookie. An attribute in a Cookie is specified as "attribute@host" or "attribute@.domain". In the former case, a cookie generated by a host is encrypted and echoed to host only. In the latter case, a cookie generated by hosts in the domain can be echoed to hosts in the domain. The special string "%a" in cryptKey is substituted by the IP-address of the client. This makes the crypted Cookie be usable only by clients on the host of the IP-address.

Example:

HTTPCONF="cryptCookie:SessionID@host1.dom1,UserID@.dom2:nanjamonja"
HTTPCONF="cryptCookie:UserID@.dom:nanjamonja"
HTTPCONF="cryptCookie:UserID@{host1.dom,host2.dom}:nanjamonja"


kill-[i][qr]head: listOfHeaders

erase header fields listed in listOfHeaders before forwarding a request/response message to server/client. "kill-qhead" is applied only to request message to server and "kill-rhead" is applied only to response message to client. If "i" is prefixed as "kill-iqhead:Pragma,Cache-Control", the specified fields are erased before DeleGate interpret it as the HTTP headers.

Example:

HTTPCONF=kill-qhead:Referer
HTTPCONF=kill-qhead:If-*,Accept-*
HTTPCONF=kill-rhead:Set-Cookie


add-[i][qr]head:name:body

add a header name:body to forwarded request/response message. Client's identity information can be inserted into body string with "%format" notation. If "i" is prefixed as "add-ihead:Pragma:no-cache", then the specified field with the body is added to the input to be interpreted by DeleGate as a HTTP header from the client or the server.

Example:

HTTPCONF="add-qhead:X-Forward-For:%a"


replace-[i][qr]head:name:body

replace headers of "name:" with "name:body" in forwarded request/response message. This is equivalent to the combination of kill-head and add-head.

Example:

HTTPCONF=replace-qhead:Referer:http://x.y.z
HTTPCONF=kill-qhead:Referer HTTPCONF=add-qhead:Referer:http://x.y.z

kill-tag: listOfTags

disable a tag listed in listOfTags when it it used in a text/html response from a server.

Example:

HTTPCONF=kill-tag:SCRIPT,APPLET


ver:1.0

act as a HTTP/1.0 client/server

svver:1.0

act as a HTTP/1.0 client against servers (send request in HTTP/1.0)

clver:1.0

act as a HTTP/1.0 server against clients (do not use chunked encoding in response)

acc-encoding:encoding [-thrugzip]

Accept-Encoding header to be sent to server. This is applied to DeleGate which does some interpretation of content with MOUNT, CHARCODE, CACHE, etc. To do such interpretation, the content (response body) is not to be encoded in a format unknown to DeleGate. "identity" specifies disabling any encoding of content in the server. "-thrugzip" specifies forwarding Accept-Encoding:gzip from client to server. If the program "gzip" is not available on the host of DeleGate (i.e. not found in LIBPATH), "identity" is sent regardlessly.

gen-encoding:encoding [gzip]

The encoding applied to the content sent from DeleGate to client. Only "gzip" is available in the current implementations. "identity" and others disable any encoding.

tout-wait-reqbody:period [30]

max. period to wait the first data in request body.

tout-in-reqbody:period [15]

max. period to wait next data in request body. (adjustable for a slow filter program at the client side)

tout-buff-reqbody:period [5]

max. period to do buffering request message to server

tout-buff-resbody:period [8]

max. period to do buffering response message to client

tout-cka:period [5]

max. period to keep a connection with the client alive. (the timeout is ten times longer for the first connection from each client host)

max-cka:number [20]

max. number of requests to be relayed on a single connection in keep-alive. (ten times larger value is given to the first connection from each client host)
This is applied to the communication over a connection of SSLtunnel by the CONNECT method too. A pair of upstream and downstream data is regarded as a pair of request and response on HTTP, then the maximum number of such pairs is restricted.

max-ckapch:number [8]

max. number of connections in keep-alive at a time for each client host.

max-reqline:length [8k]

max. length of request line to be accepted.

max-reqhead:length [12k]

max. length of request header to be accepted.

max-gw-reqline:length [512]

max. length of request line to be forwarded to another server in another protocol.

max-hops:number [20]

max. number of hops in the chain of HTTP proxies.

tout-resp:period [TIMEOUT=io]

max. period to wait response from server.

tout-pack-intvl

[0.25]

max. interval between packets relayed on SSLtunnel by the CONNECT method.

halfdup

Forbid full-duplex usage of SSLtunnel by the CONNECT method.

urlesc[:escChars] [empty]

the set of characters in request URL to be escaped by "%XX" notation before any processing. As a special case, HTTPCONF="urlesc" means HTTPCONF="urlesc:<>".

proxycontrol[:{on|off}]

consume substring following "?_?" in request URL as control information for the DeleGate; when DeleGate get request URL?_?proxycontrol, only URL part is forwarded to the server and proxycontrol part is (possibly) used by DeleGate.

cka-cfi

make connection with the client keep-alive even with external filter (FCL, FTOCL).

nolog:listOfCodeType[:connMap]

listOfCodeType == [ respCode / ][ Type [ / subType ] ]
specify response code or Content-Type of response message not to be logged in access log (PROTOLOG).

Example:

HTTPCONF="nolog:302,304,image"


xferlog:ftp

record FTP/HTTP transactions in xferlog format too.

bugs:listOfBugs

listOfBugs is a list of features to be disabled to bypass possible bugs as follows:

no-gzip ... disable Content-Encoding:gzip

no-keepalive ... disable Connection:Keep-Alive

no-keepaliveproxy ... disable Connection:Keep-Alive with client side proxy

no-chunked ... disable Transfer-Encoding:chunked

no-flush-chunk ... disable flushing response after each chunk

kill-contleng ... erase original Content-Length in chunked encoding

add-contleng ... add or update Content-Length even in chunked encoding

do-authconv ... enable Authentication conversion from client's Basic to server's Digest

bugs:thru-304

disable the conversion from "304 Not Modified" to "200 Ok" in the message as the response to a conditional request with the "If-Modified-Since" header. DeleGate with external filters tries to return a HTTP response messages with a body (with the code "200 Ok") when it is filtered (and possibly rewritten) by the filters even if the body should be returned as empty (304 Not Modified) based on the modification date (Last-Modified) of the target data. This is necessary to return data rewritten dynamically by filters, but it disables the merit by the conditional request and the "304" response. "thru-304" turns the above conversion off and let DeleGate pass through "If-Modified-Since" request from clients and the "Last-Modified" and "304 Not Modified" response from servers.

svauth:no-basic

Stop forwarding Basic Authorization (which contains cleartext password) from client to server. If the server supports Digest authentication, then the DeleGate do it by proxy of the client.

svauth:less-basic

Postpone forwarding Basic Authorization from client to server until the server requires the Basic Authentication.

session:cookie

Enable session management based on Cookie. The session identifier is passed to CFI/CGI programs in environment variable "X_COOKIE_SESSION", and can be logged into PROTOLOG.

Example:

HTTPCONF=session PROTOLOG=":%s %X"

Example:

HTTPCONF=search:/path/of/searchScript
MOUNT="/bin/* cgi:/path/of/cgi-bin/* search:-"
MOUNT="/* file:/path/of/data/*"

FILETYPE parameter  ==  FILETYPE=suffix:gopherType:altText:iconName:contentType
                    --  default: FILETYPE=".txt:0:TXT:text:text/plain"
                                 FILETYPE=...

Define file name to content-type mapping.

gopherType:

0 - text, 1 - directory, 4 - BinHex, 6 - uuencode, 9 - binary, g - gif, I - image, ...

altText:

alternative text which should be displayed for the icon image in text only displays (embedded into IMG tag in HTML text like <IMG ALT="altText" ... >)

iconName:

one of binary, binhex, compressed, directory, document, ftp, gzip, image, index, index2, movie, sound, tar, telnet, text, unknown, uu (see http://delegate/-/builtin/icons/)

contentType:

text/plain, image/gif, ... (see RFC2045)

Example:

FILETYPE=".txt:0:TXT:text:text/plain"
FILETYPE=".gif:g:GIF:image:image/gif"

CGIENV parameter    ==  CGIENV=name[,name]*
                    --  default: CGIENV="*"

A list of environment variables to be passed to CGI program.

MountOptions for HTTP-DeleGate

CONDITIONS:

vhost={HostList} -- virtual host matching and rewriting.

true if the value of the "Host:" field in the request message is included in the HostList for request rewriting, and true unconditionally for response rewriting. It supports virtual hosting by a special rewriting for response, that is, any full-URL of a real host in a response message will be rewritten to that of a virtual host.

avhost={HostList} -- address based virtual hosting

equivalent to the "vhost" option.

nvhost={HostList} -- name based virtual hosting

similarly to "vhost" option, "nvhost" is used to configure virtual hosting except that this option is restricted to create name based virtual hosts which are distinguished each other only by their host names. Each virtual host is identified textually by its name (thus no "-" prefix for each host is necessary to force textual-only matching which is necessary with the "vhost" option). For example, the following two MOUNT parameters are equivalent to each other.
 MOUNT="/* http://server/* vhost=-www.domain"
 MOUNT="/* http://server/* nvhost=www.domain"
A special option "nvhost=-thru" can be used to ease forwarding a virtual domain name indicated by a client to a server. The option means matching with virtual domain name to be sent to the target server. By default, the domain name can be specified explicitly with the nvserv or the target server name in the rURL of this MOUNT rule by default. For example, the following three MOUNT parameters are equivalent mutually.
 MOUNT="/* http://domain/* nvhost=-thru,rserv=server"
 MOUNT="/* http://server/* nvhost=-thru,nvserv=domain"
 MOUNT="/* http://server/* nvhost=domain,nvserv=-thru"


qmatch=pattern -- pattern matching in the request header

true if the pattern matches with string in the request header. (ex. qmatch=*User-Agent:*compatible;%20MS*)

dstproto={ProtoList} -- to the server of specified protocol

true if the protocol of the destination server is in the ProtoList.

method={methodList} -- request method

true if the access method of the current request is included in the methodList.

asproxy

true if the DeleGate is called as a proxy server that is the requested URL is in full URL format.

!asproxy

true if the DeleGate is not accessed as a proxy server in the request.

withquery

true if the requested URL has "?query" component

CONTROLS:

authorizer=authServList

the AUTHORIZER which is to be applied to this MOUNT point. If AUTHORIZER is specified in both MountOption and command line option, the one in MountOption is used.

moved[={300|301|302|303}]

don't relay to rURL but return response for redirection as "302 Moved" with "Location:rURL". Redirection within the same server can be eased using the abbreviation of host-name in the rURL like MOUNT="/path1 ///path2 moved".

referer

Apply the rewriting only to the Referer: field to be forwarded. This is an synonym of "where=ref".

useproxy[=proxyURI]

generate "305 Use Proxy" response message. If proxyURI is omitted or given as "direct", the response message is sent with Set-Proxy field as "Set-Proxy: DIRECT". Otherwise the URI is set in the field as "Set-Proxy: SET; proxyURI=proxyURI".

realm=realmString

specify the realm of authentication.

forbidden

reject the request as forbidden (synonym of "rcode=403")

unknown

reject the request as unknown (synonym of "rcode=404")

rcode={300|301|302|303|304|305|306|403|404}

return the response with the specified status code, which can be useful for customizing error messages.

onerror[=listOfCodes]

this MOUNT entry is used to substitute a response message when an error occurred. It is applied If the response status code for the request shows an error (4xx or 5xx), and the status code is in the listOfCodes if it is specified. For example with MOUNT="/path/* file:/tmp/autherr.cgi onerror={401,407}", the output from /tmp/autherr.cgi is sent when authentication error occurred in access to URLs under "/path/".

robots={no|ok}

allow or disallow retrievals from robots. The default value for NNTP and FTP is "no", while it is "ok" for other protocols.

nvserv | nvserv=host -- forwarding to a name based virtual server

specify MOUNTing the target server as a name based virtual hosting server. The virtual host name to be sent to the server can be specified as "nvserv=host" or it is the host name part in the rURL by default. With this option, the target server is MOUNTed only as a virtual server of the host name while other servers, of alias names of the host or IP-addresses of the host, are not MOUNTed. This means that the MOUNT rule will be applied for rewriting of URL in a HTTP response message only if the hostname of a URL matches textually with the virtual host name of the target server. The virtual hostname from the client can be passed through to the server with "nvserv=-thru".

avserv | avserv=host -- forwarding to an IP-address based virtual server

notate that the target server is not a name based virtual hosting server. With this option, all of servers of alias names or IP-addresses of the target server are MOUNTed by this MOUNT rule. It has been the default behavior of MOUNT but it can be changed with the option HTTPCONF="nvserv:auto" to automatically detect virtual servers in a set of MOUNT parameters. This "avserv" option could become necessary to notate a non-virtual server which is automatically guessed as a virtual server.

rserv=host[:port] -- real target server

specify the real host name or IP-address and port number of the target server toward which the HTTP connection is established. This option is used to do MOUNT a virtual hosting server of which virtual host name is specified in the rURL rather than in the "nvserv=host" option. For example, the following two MOUNT rules are equivalent to each other.
 MOUNT="/v/* http://www.domain/* rserv=192.168.1.123"
 MOUNT="/v/* http://192.168.1.123/* nvserv=www.domain"
Specifying the "rserv" option implies that the target server is a virtual server as if notated with the "nvserv" option.

genvhost=host (obsoleted by nvserv and rserv options)

Specify the hostname which will be received by the target server as its virtual hostname. It is set in the "Host: host" field in the request message to be forwarded to the server. When the request is to be forwarded via a HTTP proxy, it is set in the request URL as http://host/... The default Host field sent to the server is derived from the rURL part of the MOUNT parameter which specifies the target server. For example for MOUNT="/* http://hosti:8080/*", "Host: hosti:8080" will be forwarded to the server (which is running at the port hosti:8080). To through pass the Host field in the request from a client to the server, specify as "genvhost=-thru".

ftosv=-cc-charCode

convert charset in HTTP header forwarded to server into charCode (jis|sjis|euc|utf8)

pathext=string

when DeleGate as an origin HTTP server searches a file for requested URL, the path name extended with the specified string is retrieved first. For example with "pathext=-ja", "index-ja.html" is retrieved prior to "index.html". It can be useful in combination with other MOUNT conditions, like MOUNT="/* file:data/www/* vhost=www.delegate.jp,pathext=-ja"

Example: virtual hosting, acting as multiple HTTP servers

The target server or local directory is switched by with which name the DeleGate is referred (in the "Host:vhost" header field). In this example, requests for "http://dom1.com" and "http://dom2.org" are forwarded to each corresponding server, while requests for "http://dom3.net" or any other name are retrieved in each corresponding local directory.

MOUNT="/* http://wwwA/* vhost=-dom1.com"
MOUNT="/* http://wwwB/* vhost=-dom2.org"
MOUNT="/* file:data/wwwC/* vhost=-dom3.net"
MOUNT="/* file:data/www/*"


Example:

"useproxy", "method", "dst" and "withquery" options are introduced originally to refuse potentially troublesome accesses which may invoke CGI programs in target servers. For example, to refuse any request with POST method, or with URL including "?":

MOUNT="http:* = method=POST,asproxy,useproxy"
MOUNT="http:* = withquery,asproxy,useproxy"

AUTH parameters for HTTP-DeleGate

AUTH=origin:auth

-- default: AUTH=origin:ident
Like AUTH=proxy, specify using the value in "Authorization" field in the HTTP header to authenticate the user, except that accessibility to a DeleGate as a "HTTP origin server" is checked in this case.

Example:

AUTH=origin:auth RELIABLE="*@localhost"
Any user who can login to the localhost of this DeleGate, giving a correct pair of user name and password in Authorization, will be authorized to access.

AUTH=forward[:{by,for,ver,*}]

Put identification information of the source host in the Forwarded field in a HTTP request header like:

Forwarded: by Me (Version) for Client

Currently, if this is specified, it is regarded as AUTH="forward:*:" regardless of the second field. This is useful for a DeleGate on a firewall which relays internal HTTP servers toward outside .

AUTH=viagen[:hostIdentifier]

Specify the identifier of the host of this DeleGate, which is put into the Via field in forwarded HTTP message headers as follows:

Via: protocol-version hostIdentifier ( comment )


If no AUTH=viagen is specified, a default pseudonym is used for hostIdentifier. If empty hostIdentifier is specified, as AUTH="viagen", the hostname of this DeleGate is used. A special specification AUTH="viagen:-" disables the insertion of the Via field.
If '%' character is used in a hostIdentifier, it is interpreted as the format for authString below.

AUTH=authgen:basic:authString

Generate "Authorization: Basic authString" in a HTTP request header to be forwarded to a server, if it does not have an original Authorization field from a client. The authString should be "userName:passWord". The following special string stand for attributes of clients.

%u	-- user name got using Ident protocol
%h	-- host name of the client got from the socket
%i	-- host name of the network interface to the client
%I	-- like %i but use the value of "Host:" if given in HTTP
%a	-- host address of the client
%n	-- network address of the client
%H	-- hostname of the DeleGate
%M	-- the ADMIN of the DeleGate
%A	-- generated string by "CMAP=string:authgen:mapSpec"
%U	-- username part of client's [Proxy-]Authorization: username:password
%P	-- password part of client's [Proxy-]Authorization: username:password

Example:

When the firewall have two network interfaces and internal and external hosts access from different interface, then they can be distinguished by the name of interface.
AUTH="authgen:basic:%i:%h"
Otherwise, internal network should be explicitly defined using CMAP as follows.
AUTH="authgen:basic:%A"
CMAP="{internal:passWord}:authgen:*:*:{InternalNetList}"
CMAP="{external:passWord}:authgen:*:*:*"


A generated password is formatted as "passWord/%i" and a DeleGate rejects incoming requests with an Authorization field of such pattern. Thus forged password cannot pass the DeleGate on the host "%i".

AUTH=pauthgen:basic:authString

Generate "Proxy-Authorization: Basic authString" like AUTH=authgen.
Note: obsoleted by MYAUTH="user:pass:http-proxy".

Example:

Consume Proxy-Authorization in a request message from a client then forward it to an upstream proxy as is (by authString == %U:%P)
AUTH=proxy:pauth AUTH="pauthgen:basic:%U:%P" PROXY=...

AUTH=fromgen:fromString

If specified, "From: fromString" will be put in the HTTP request if the original header does not have an original From field. If fromString is omitted, the default value is "%u@%h".

AUTH=log:remoteHost:identUser:authUser

Specify contents of the client information part in common logfile format of HTTP servers. The default value is AUTH="log:%h:%u:%U".

%F	-- E-mail address in From field
%L	-- local part of From: local@domain field
%D	-- domain part of From: local@domain field
%U	-- username part of Authorization: username:password
%P	-- password part of Authorization: username:password
%Q	-- "for clientFQDN" part of Forwarded: field

Example:

To record information about an original client in an internal DeleGate which is forwarded from a firewall DeleGate, generate From field at the firewall DeleGate and record it at the internal DeleGate.

firewall% delegated AUTH="fromgen:%u@%h" ...
internal% delegated AUTH="log:%D/%h:%L/%u:%U" ...

To make configuration of DeleGate be flexible, allowing it not only to the administrator of the DeleGate but also to the users (providers of WWW resources on an origin HTTP-DeleGate), DeleGate supports reading user defined configuration parameters at each request processing time. Such parameters should be given in a files with file name extension ".dgp", in the format of "+=parameters" file, on MOUNTed local file systems. It works like -Fcgi but more efficiently without creating a new process.

Example: MOUNTing news serverN at http://delegate/news/servN/

(1) by a parameter at the start-up time
MOUNT="/news/servN/* nntp://nntpserverN/*"

(2) by a CGI-DeleGate
MOUNT="/news/* cgi:/dirPath/*"

[the contents of file:/dirPath/servN/welcome.cgi]
delegated -Fcgi MOUNT="/* nntp://nntpserverN/*"

(3) by a ".dgp" file
MOUNT="/news/* file:/dirPath/*"

[the contents of file:/dirPath/servN/welcome.dgp]
MOUNT="/* nntp://nntpserverN/*"

(This mechanism should be applied to other protocols like FTP...)

Server Side Include in SHTML files

On an origin HTTP-DeleGate, a local file with suffix ".shtml" is regarded, like a file with ".html", as a HTML file except that it includes special tags for Server Side Include (SSI) and META which are to be interpreted and substituted by the HTTP-DeleGate before it is sent to a client.

SSI tags

<!--#echo var="varName" -->

will be substituted with the value specified by varName. varName can be arbitrary CGI compatible name like "REMOTE_HOST" or "HTTP_SERVER", as well as followings.

DATE_GMT -- current time in GMT

DATE_LOCAL -- current time local to the server host

LAST_MODIFIED -- the last modified time of the .shtml file

REFERER -- equiv. to HTTP_REFERER

DOCUMENT_NAME -- equiv. to SCRIPT_NAME

DOCUMENT_URI -- equiv. to REQUEST_URI

* -- all of variables as name=value pairs

<!--#include virtual="URL" -->

will be substituted with the data specified by "virtual" attribute. "virtual" can be full URL like "proto://server/upath" or partial URL like "/upath" which will be interpreted as http://delegate/upath. Relative URLs like "upath" without leading "/" are interpreted as relative to the base (current) shtml file.

<!--#fsize virtual="URL" -->

<!--#flastmod virtual="URL" -->

will be substituted with the size or the last modified time of the specified data respectively.

<!--#config timefmt=timeFormat -->

will specify the format of generated time string by "#echo","#flastmod" or so, in strftime(3) compatible format. (default: timefmt="%a, %d %b %Y %H:%M:%S %z")

META tags

<META HTTP-EQUIV=fieldName content="fieldBody">

will generate "fieldName: fieldBody" header in the HTTP response message. The following patterns in fileBody will be substituted as described above.

${varName} or <!--#echo var=varName -->

${flastmod:URL} or <!--#flastmod virtual=URL -->

${fsize:URL} or <!--#fsize virtual=URL -->

${include:URL} or <!--#include virtual=URL -->

Example:

<META HTTP-EQUIV=Status content="200 OK">

<META HTTP-EQUIV=Content-Type content="text/html">

<META HTTP-EQUIV=Pragma content="no-cache">

<META HTTP-EQUIV=Date content="${DATE_GMT}">

<META HTTP-EQUIV=Last-Modified content="${flastmod:URL}">