Article delegate-en/3456 of [1-5169] on the server localhost:119
[Reference:<_A3455@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Is there any way to control&limit user's Session&Connections when use delegate as socks 5 proxy?
07 Aug 2006 02:01:25 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A3455@delegate-en.ML_> on 08/07/06(08:01:32)
I wrote:
 |In message <_A3454@delegate-en.ML_> on 08/07/06(05:31:41)
 |you liword <ppygqbdyi-4z7ofth2ab5r.ml@ml.delegate.org> wrote:
 | |Is there any way to control&limit user's Session&Connections when use
 | |delegate as socks 5 proxy? For example limit userA can create only 1
 | |session to connect net at a time.
 |
 |There is no SOCKS specific control but a generic parameter to limit
 |the max. number of connections from a host at a time as this:
 |
 |  MAXIMA=conpch:1
 |
 |This limitation can be applied only to specified hosts as this:
 |
 |  (hostA)MAXIMA=conpch:1
 |
 |<URL:http://www.delegate.org/delegate/Manual.htm?MAXIMA>
 |<URL:http://www.delegate.org/delegate/Manual.htm?opt_cond>
 |
 |There is no way to limit resource usage based on the authenticated
 |users of SOCKS (yet).

Limiting resource usage per user is a feature in the TODO list of DeleGate
to be supported from the beginning.  Now I feel it might be time, so I
tried to implement it (it will be released in 9.2.4-pre13 soon).
The modification is the enclosed patch, and it can be used as follows:

  AUTHORIZER="-list{userA:passA,userB:passB}"
  (userA@*)MAXIMA=conpch:1

With these parameters, DeleGate requires clients to do password-based
authentication (which should be either "userA" with the password "passA"
or "userB" with the password "passB" in this case).
If the client is authenticated as "userB", then the connections from the
client-host are limited to 1 at a time.

<URL:http://www.delegate.org/delegate/Manual.htm?AUTHORIZER>

Problems:
Since this is just a generic mechanism independent of an application protocol,
it just results in "authentication failure" on exceeded resource usage.
For SOCKS5, it should return success in the authentication phase and return
an error for a command request.
Also "MAXIMA=conpch" (max. connections per client-host at a time) is not
appropriate for a limitation per "user", who can access via multiple
client-hosts at a time.  A new limitation like "max. sessions per user"
should be introduced.

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


diff -c ../arc/delegate9.2.4-pre12/src/access.c ./src/access.c
*** ../arc/delegate9.2.4-pre12/src/access.c	Tue Jul 25 08:00:30 2006
--- ./src/access.c	Mon Aug  7 10:11:39 2006
***************
*** 1510,1516 ****
--- 1510,1534 ----
  	return 0;
  }
  
+ void scan_condargs(Connection *Conn);
+ int doAuthX(Connection *Conn,AuthInfo *ident);
+ extern int MAXCONN_PCH;
  int doAuth(Connection *Conn,AuthInfo *ident)
+ {	int stat;
+ 
+ 	stat = doAuthX(Conn,ident);
+ 	if( 0 <= stat ){
+ 		scan_condargs(Conn);
+ 		if( 0 < MAXCONN_PCH && MAXCONN_PCH < Conn->cl_count ){
+ 			sv1log("Too many connections(%d < %d)[%s][%s]\n",
+ 				MAXCONN_PCH,Conn->cl_count,ident->i_user,
+ 				Client_Host);
+ 			return -1;
+ 		}
+ 	}
+ 	return stat;
+ }
+ int doAuthX(Connection *Conn,AuthInfo *ident)
  {	int rcode;
  	CStr(authserv,MaxHostNameLen);
  	CStr(userpass,256);
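Review bot: the `return -1;` in the new doAuth wrapper reports the connection limit to every caller as an authentication failure, which the covering message itself identifies as the wrong outcome for SOCKS5; consider a distinct negative return value (hypothetical, e.g. -2) so the protocol handler can accept the credentials and then reject the command request. The limit is also checked against Conn->cl_count, a per-client-host counter, so a user connecting from two hosts is not bounded by `(userA@*)MAXIMA=conpch:1`; the message acknowledges this, so the log line should at least make the scope obvious, e.g. "Too many connections per host". On the positive side, the sv1log call records both ident->i_user and Client_Host, which is what an operator needs to correlate limit hits with a user, so keep that. Finally, the new prototypes and `extern int MAXCONN_PCH;` are placed immediately above doAuth; they belong in a header so that a later signature change is caught at compile time.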
diff -c ../arc/delegate9.2.4-pre12/src/env.c ./src/env.c
*** ../arc/delegate9.2.4-pre12/src/env.c	Fri Jul 21 01:31:34 2006
--- ./src/env.c	Mon Aug  7 10:32:51 2006
***************
*** 803,810 ****
--- 803,820 ----
  		Cp = &condArg[cai];
  		arg = Cp->ca_arg;
  		if( Cp->ca_src )
+ 		{
+ 		/*
  		if( !matchPath1(Cp->ca_src,"-",Client_Host,Client_Port) )
+ 		*/
+ 			const char *us;
+ 			if( ClientAuth.i_user )
+ 				us = ClientAuth.i_user;
+ 			else	us = "-";
+ 			if( !matchPath1(Cp->ca_src,us,Client_Host,Client_Port) )
  			continue;
+ 			mdebug("{m} [%d]MATCH [%s]%s\n",cai,us,arg);
+ 		}
  
  		if( strneq(arg,"+=",2) ){
  			evalarg_func = scan1;
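Review bot: the old `matchPath1(Cp->ca_src,"-",...)` call is left in place inside a `/* */` comment rather than deleted, and the `continue;` keeps its previous indentation under the new braces, so the control flow of the block is hard to read; remove the commented call and re-indent `continue;` to sit under the new `if`. The fallback `us = "-"` when ClientAuth.i_user is NULL is correct in that a `(userA@*)` condition cannot match an unauthenticated client, but it depends on scan_condargs being re-run after authentication (which the access.c hunk does); a one-line comment above `const char *us;` stating that ordering requirement would prevent a future caller from evaluating the conditions too early. The added mdebug line writes the user name and the matched argument to the debug log; that is useful for verifying which conditional parameter applied to a session, but it should stay at debug level only, as this hunk does.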
