
Small HTTP server

(Description for Linux version)

What's this?

This very small utility turns your computer into a fully functional Web server, mail server, DNS server, FTP server, DHCP server and HTTPS VPN server. The program itself requires a minimal set of system resources, so running the server does not affect your computer's performance. The server works on a LAN or even over a dial-up connection. Webmasters can run it on their local machines and debug their CGI scripts without going online.

This is probably the smallest HTTP server, but you shouldn't underestimate its capabilities.

Capabilities.

Compactness is one of the greatest features of this product. Its functioning doesn't obstruct your work. This server uses a minimal set of system resources necessary for a quick data transfer.




How to...?

Well, it is fairly easy: unpack the archive into a directory. The executable files are httpd.exe, httpd.exopenssl and httpd.exgnutls. With httpd.exe you select the security library in the configuration; in httpd.exopenssl and httpd.exgnutls the code of the selected library is embedded in the executable file.
If you are building the program from source, you can simply run:
./configure
make
make install
In this case the program is installed under /usr/local/...: binaries and libraries go to /usr/local/lib/smallsrv, language files to /usr/local/share/smallsrv, symlinks to the executables to /usr/local/bin, etc. You can change this with the options of the ./configure command. Run ./configure --help to view them, and see README.md for build details.
Configuration files (httpd.cfg and others) can be in /etc/smallsrv/ or in the same directory as httpd.exe. This file may contain unencrypted passwords, so it is highly recommended to disable reading it for group and others:
chmod 0600 httpd.cfg
Now you may run httpd.exe. To run it as a daemon, type httpd.exe hide, or add the hide keyword to httpd.cfg. After unpacking, remote administration is disabled in httpd.cfg, but httpd.cfg contains an administrator account used to view statistics. The name is "admin" and the password is "none". The first time, you must manually edit httpd.cfg and, in the line "user=admin;none;/var/shttps;A", change "none" to your password. To enable Web administration, uncomment the "radmin" keyword. After that you may use Setting / Current state to configure the server.


Directories, files and scripts.

The server works with certain directory and file names. Your site is expected to be in the directory specified in the settings. Files with the "executable for others" mode bit are run as scripts. If the server has the right to change the current user, scripts run under the user id of the file's owner. Files with the "readable for others" mode bit are returned as they are. If no file name is specified in the request, i.e. the request ends in '/', the server returns the default file whose name was specified in the settings. The server can support many virtual hosts. Each virtual host has its own root directory and can also include virtual directories common to all hosts.

ASIS files are also supported. These files contain an HTTP header at the beginning and are used, for example, to redirect an inbound request to another site. The file must begin with the keyword "Status: " followed by the return code, then your header lines. After the header comes one empty line, then the data. The extension must be .asi or .asis.




Options and command line parameters.

You can configure the server via the Web interface if remote administration is enabled, edit httpd.cfg manually, or just add parameters to the command line. In many cases you don't need to change settings manually, but if you really want to, you can do so with the following keys.
Key -- Parameter and comment

General Setting
noicon -- Don't output the log to the terminal.
hide -- Start as a daemon.
detail -- Detailed log for POP/SMTP/FTP. Otherwise only basic events are added to the log.
nolog -- Disable saving the log.
log=name.log -- Log filename.
logday -- Create a daily log (a new log is created each day). The server renames the old log file every day (adding the date to the name). This is necessary to get statistics for a day.
seplog -- Separate log for each server.
noerrout -- Don't output the error stream (STDERR) of CGI scripts to remote users.
dupstderr -- Duplicate CGI stderr to the http.err log.
dbgle -- Add debug info from the logical expressions in SSI and Antivirus/Forward files to the log.
radmin -- Enable remote administration. Otherwise, only statistics will be available to administrators.
from_same_host=## -- Number of simultaneous requests from each host. You can restrict the number of simultaneous requests from the same host. Usually one browser creates four simultaneous connections; some browsers try to create many more. This restriction covers all TCP connections (HTTP, FTP, POP, SMTP, Proxy).
nofrom_same_host -- Don't restrict the number of simultaneous connections from each host.
dos_protect_speed=value -- Minimum connection speed (KBytes/minute) used to detect a DoS attack made of a large number of slow connections. Zero disables the check.
nolimitlog -- Don't trim log lines.
limitlog=value -- Limit the length of log lines. The length of each line should not exceed this value.
ip_range={#.#.#.#[-#.#.#.#],} -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens.
ip_deny={#.#.#.#[-#.#.#.#],} -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
ip6_range=value -- IPv6 addresses that can access this server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
ip6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
cryptpwd -- Don't save unencrypted passwords in the config file.
delpwd -- Remove passwords from the log.
md5pwd -- Save passwords as MD5 Digest (RFC2069/RFC2617).
md5realm=path -- Realm string for MD5 Digest (RFC2069/RFC2617).
md5digest -- Use MD5 Digest for authorization if possible (RFC2069/RFC2617).
md5paranoidal -- Use the paranoid variant of MD5 Digest for authorization if possible (RFC2617 qop=auth).
sysuser -- Use the system user/password databases. Warning: Digest and APOP authorization methods will not work for system users.
grp_pop=value -- The name of the system group whose members are allowed to connect to the POP3 server (if the system user/password databases are used).
grp_smtp=value -- The name of the system group whose members are allowed to send mail via the SMTP server (if the system user/password databases are used).
grp_ftpr=value -- The name of the system group whose members are allowed to receive files via FTP (if the system user/password databases are used).
grp_ftpw=value -- The name of the system group whose members are allowed to upload files via FTP (if the system user/password databases are used).
grp_ftpe=value -- The name of the system group whose members are allowed to set the executable file mode via FTP (if the system user/password databases are used).
grp_proxy=value -- The name of the system group whose members are allowed to use the Proxy and VPN (if the system user/password databases are used).
grp_admin=value -- The name of the system group whose members are allowed to administer the server (if the system user/password databases are used).
adm_range=value -- IPs from which this server can be administered. Separate single IPs by commas and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1
adm_deny=value -- Denied IPs from which this server can't be administered. Separate single IPs by commas and IP ranges with hyphens.
adm6_range=value -- IPv6 addresses from which this server can be administered. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
adm6_deny=value -- Denied IPv6 addresses from which this server can't be administered. Separate single addresses by commas and ranges with hyphens.
twopoint -- Enable two dots in filenames (may be dangerous).

HTTP server
nomax -- Disable the HTTP server.
http_range=value -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1
http_deny=value -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
http6_range=value -- IPv6 addresses that can access this server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
http6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
nohttp_bind -- Bind to all adapters.
http_bind=value -- IPv4 and IPv6 addresses to bind, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
httpipv6 -- Also work through IPv6.
nohttp_speed -- Don't restrict the speed of outgoing transfers.
http_speed=value -- Limit for the total speed of outgoing transfers for all connections from the same IP (KBytes/minute).
http_spdusr=value -- How many other connections must be active before the speed limitation is checked.
php=path -- PHP. Specify the location of "php-cgi".
fcgi_php -- Run PHP as FastCGI.
fcgi_ident=value -- FastCGI ident. The part of a URL that indicates a FastCGI script. Default is ".fcgi".
fcgi_gid=value -- Use this group id to detect FastCGI. Specify 0 to disable using the group id.
fcgi_unix -- Use a UNIX socket for FastCGI. Otherwise a localhost TCP socket is used.
fcgi_upath=path -- Directory in which to create FastCGI UNIX sockets. May be /tmp, /var/tmp, /dev/shm, ...
noshare -- Disable the share dir.
nooutdir -- Do not show directory listings.
nbrkcgi -- Don't break CGI when the connection is closed.
header=value -- Advanced code for the control header.
ssi_chunk -- Use 'chunked' transfer for SSI.
nomsd -- Disable multi-stream download of one file.
http_gzip -- Use gzip packing, if possible.
gz_lib=path -- DLL library ZLib.
gz_low=value -- Pack if the file size is greater than this value.
nogz_ext=value -- Don't pack files with the following suffixes.
ip_base=path -- IP database file for the country features.
ip_cntr -- Add the REMOTE_COUNTRY variable to the CGI/SSI environment.
ip2cntr_srv -- Enable returning country info for '/$_ip2country_$?ip=x.x.x.x' requests.
ip2cntr_aut -- $_ip2country_$ service for authorized users only.
http_doh -- Enable DNS over HTTP(S).
nohttp_ltime -- No limitation for HTTP.
http_ltime=value -- Time period over which limits are calculated (in seconds).
http_ip_limit=value -- Limit per IP (Kb).
http_net_limit=value -- Limit per network (Kb).
http_limit=value -- Total limit for the server (Kb).
dnstimeout=value -- Timeout before a request is resent. In milliseconds.
port=## -- TCP/IP port for the HTTP server. Usually it's 80.
max=## -- Number of HTTP requests handled simultaneously. Approximately 20Kb of memory is reserved for each thread. Usually 12 connections are enough for 3-8 visitors per minute.
def=name.ext -- Default file name. Used when the requested URL ends with "/". (Wildcards are accepted, such as index.* to allow any index file in the folder)
error=path\name.ext -- Error file. Full path to the file or script that will be returned if the requested file is not found. For CGI or SSI the PATH_INFO variable will contain the name of the requested file.
dir=root_dir_name -- Default web folder.
share=path -- Share dir. If you want this dir to always be the CGI current dir, specify it here. Otherwise the CGI current dir will be the CGI script's dir.
ssihtm -- Enable Server Side Includes (SSI) checking in HTML files. By default SSI checking is done in .sht*, .sml*, .asp* files only. Warning: SSI processing uses more memory and creates a small delay.
nossihtm -- Check SSI in .sht*, .sml*, .asp* files only.
post_limit=## -- The limit on data received by the POST method, in bytes. Don't specify a large value, because it may overload your PC and network.
cgi_timeout=## -- Time limit for CGI execution. In seconds.

Mime types
mime=".ext1;mime-type1;.ext2;mime-type2;...;.extN;mime-typeN" -- Define an extended mime type for an extension. E.g. for .bmp the mime type may be image/bitmap.

Virtual hosts and virtual directories
hostpath="hostname;path" -- Web root dir for a specific hostname. You may add many hosts, each with its own folder. You may also add many virtual /directory/ entries common to all hosts. The name of a virtual directory must be between two forward slashes (/). The key may be repeated more than once.

Proxy server
noproxy -- Disable the HTTP proxy.
proxy=#port -- TCP/IP port for the proxy server.
proxy_max=#max -- How many proxy requests will be handled at the same time.
cache=proxy_cach_size -- Cache size (Kb). This is the memory cache size.
proxy_range={#.#.#.#[-#.#.#.#],} -- IP ranges for which this server is available. IP addresses separated by commas; a range is written low-high. E.g. 192.168.0.1-192.168.0.16,127.0.0.1
proxy_deny=value -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
noproxy_dir -- Disable saving the cache to hard disk.
proxy_dir=path -- Proxy cache directory.
proxy_time=#days -- For how many days files will be kept. The proxy can delete downloaded files from the cache directory several days after the last download. In any case, if the user presses "Reload", the files are downloaded again.
ignocache -- Ignore NO-CACHE in the control headers of pages. The HTTP protocol allows caching to be disabled for a page; site owners often use this to count visitors. In any case, if the user presses "Reload", the files are downloaded again.
proxyusers -- Proxy for authorized users only. The proxy will be available only to defined users with the proxy access flag.
noproxy_max -- Disable the Proxy server.
noproxy_bind -- Bind to all adapters.
proxy_bind=value -- IPv4 and IPv6 addresses to bind, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
proxyipv6 -- Also work through IPv6.
proxy_fsize=value -- Don't save big files. Limit (bytes).
proxy_laccess -- Count days from the last access. (Otherwise from the day of download)
proxy_hrd -- Don't cache a page if the request contains cookies.
proxy6_range=value -- IPv6 addresses that can access this server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
proxy6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
noproxy_speed -- Don't restrict the speed of outgoing transfers.
proxy_speed=value -- Limit for the total speed of outgoing transfers for all connections from the same IP (KBytes/minute).
proxy_spdusr=value -- How many other connections must be active before the speed limitation is checked.
proxy_big -- Large mode. Useful for holding a lot of data traffic.
proxy_sbig -- Super large mode. New mode that minimizes search time when too many files are stored.
proxy_tryes=value -- Number of tries to resume a file download after an error.
proxy_same=value -- Limit for simultaneous requests from the same host to the same URL. Zero for unlimited.
noupproxy -- Do not use a higher-level proxy server.
upproxy=value -- Higher-level proxy server.
upproxy_port=value -- TCP/IP port on the higher-level proxy server.
noup_user -- The higher-level proxy server does not require authorization.
up_user=value -- Higher-level proxy user:password.
ever_upproxy -- For POP3/SMTP/FTP, proxy connections through the HTTPS higher-level proxy.
nouphosts=value -- Don't use the higher-level proxy for the following hosts.
bad_hosts=value -- Disabled hosts.
proxy_timeout=value -- Proxy session timeout (in seconds).
proxy_gzip -- Request gzipped content and unpack it if the browser doesn't support it. (Specify where Zlib is in the HTTP part of the options)
noproxy_antivirus -- Don't use an antivirus.
proxy_antivirus=path -- Antivirus host (127.0.0.1 for local).
proxy_avport=value -- Antivirus port.
proxy_avhtml -- Check HTML files. (Otherwise the proxy will check applications only)
proxy_avall -- Check all files. (Otherwise the proxy will check applications only)
noproxy_ltime -- No limitation for the proxy.
proxy_ltime=value -- Time period over which limits are calculated (in seconds).
proxy_ip_limit=value -- Limit per IP (Kb).
proxy_net_limit=value -- Limit per network (Kb).
proxy_limit=value -- Total limit for the server (Kb).

DNS server
hosts=hosts_file -- Hosts file. See also the format of this file.
nohosts -- Disable the DNS server.
nodns_bind -- Bind to all adapters for DNS.
dns_bind=value -- IPv4 and IPv6 addresses to bind for DNS, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
dnsipv6 -- Also work through IPv6 for DNS.
dnstcp -- Enable DNS over TCP.
dns6_range=value -- IPv6 addresses that can access this DNS server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
dns6_deny=value -- Denied IPv6 addresses that can't access this DNS server. Separate single addresses by commas and ranges with hyphens.
nodnscachefile -- Don't save the DNS cache on exit.
dnscachefile=path -- DNS cache file name.
dnsno6 -- Don't try to recursively find AAAA records. (For networks that don't use the Internet through IPv6)
nodns_bld -- Disable the built-in DNSBL server.
dns_bld=value -- Host name of the built-in DNSBL server.
dns_detect_dos=value -- Detect DoS requests. Number of DoS-like requests before an IP is blocked.
dns_dos_hosts=value -- A space-separated list of bad hostnames (DoS detection names).
noreqursion -- Disable recursion.
dnscache -- Size of the cache for names, in bytes.
dnsupl -- Recursive calls to upper-level servers only.
dnsmx -- Return the mailhost as the host name if no MX record is found.
dns_range={#.#.#.#[-#.#.#.#],} -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens.
dns_deny={#.#.#.#[-#.#.#.#],} -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.

Remote redirect server (current IP notification)
ddns=url -- URL on the redirect server. Full URL used to update your IP address on the dynamic DNS server. Use "$IP_ADDRESS" to insert your real IP address into the URL.
ddns_time=#N -- Time between re-confirmations of your IP on the redirect server.
noddns -- Disable dynamic DNS.

FTP server
noftp_max -- Disable the FTP server.
noftp_bind -- Bind to all adapters for FTP.
ftp_bind=value -- IPv4 and IPv6 addresses to bind for FTP, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
ftpipv6 -- Also work through IPv6.
ftp_range=value -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1
ftp_deny=value -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
ftp6_range=value -- IPv6 addresses that can access this server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
ftp6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
noftp_speed -- Don't restrict the speed of outgoing transfers.
ftp_speed=value -- Limit for the total speed of outgoing transfers for all connections from the same IP (KBytes/minute).
ftp_spdusr=value -- How many other connections must be active before the speed limitation is checked.
noftp_pasvp -- Use any free system-provided port for passive data connections.
ftp_pasvp=value -- First FTP port for passive data connections. (The range of ports used starts from and includes this port; its size depends on the number of simultaneous FTP connections)
ftp_oone -- Disable multiple streams for one IP.
ftp_wospace -- Convert names with spaces.
noftp_upload -- Don't use an upload directory.
ftp_same -- Allow the FTP PORT command to the client's host only. FTP-to-FTP mode may not work.
ftp_proxy -- Enable the FTP proxy.
noftpi_ltime -- No limitation for FTP in.
ftpi_ltime=value -- Time period over which limits are calculated (in seconds).
ftpi_ip_limit=value -- Limit per IP (Kb).
ftpi_net_limit=value -- Limit per network (Kb).
ftpi_limit=value -- Total limit for the server (Kb).
noftpo_ltime -- No limitation for FTP out.
ftpo_ltime=value -- Time period over which limits are calculated (in seconds).
ftpo_ip_limit=value -- Limit per IP (Kb).
ftpo_net_limit=value -- Limit per network (Kb).
ftpo_limit=value -- Total limit for the server (Kb).
ftp_always_pass -- Always ask for a password, even for users without a password.
ftp_max=max -- Number of simultaneous requests.
ftp_port=port -- TCP/IP port for the FTP server. Usually it is 21.
ftp_timeout=#N -- User session timeout (in seconds). The connection will be closed if the user is idle for this time.
ftp_upload="/dir/" -- Name of the upload subdirectory. If the FTP directory contains this subdirectory, users with "read only" access can still upload files there. E.g. /pub/
ftp_vdirs -- Enable virtual directories for FTP.

POP3 server setting
nopop3_max -- Disable the POP3 server.
pop_timeout=value -- POP3/SMTP session timeout (in seconds). The connection will be closed if the user is idle for this time.
pop_range=value -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1
pop_deny=value -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
pop6_range=value -- IPv6 addresses that can access this server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
pop6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
nopop_bind -- Bind to all adapters.
pop_bind=value -- IPv4 and IPv6 addresses to bind, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
popipv6 -- Also work through IPv6.
nopop_speed -- Don't restrict the speed of outgoing transfers.
pop_speed=value -- Limit for the total speed of outgoing transfers for all connections from the same IP (KBytes/minute).
pop_spdusr=value -- How many other connections must be active before the speed limitation is checked.
pop3_proxy -- Enable the POP3 proxy.
wmail -- Enable Web mail.
nowmailsent -- Don't save messages sent through Web mail in the user's folder.
wmailsent=value -- Subfolder in which to save sent messages.
nowmailtrash -- Delete messages deleted through Web mail immediately.
wmailtrash=value -- Trash folder to which deleted messages are moved.
wmail_utf -- Convert pages to UTF-8.
pop3_max=max -- Number of simultaneous requests.
pop_port=port -- TCP/IP port for the POP3 server. Usually it is 110.

SMTP server setting
nosmtp_max -- Disable the SMTP server.
nosmtp_bind -- Bind to all adapters.
smtp_bind=value -- IPv4 and IPv6 addresses to bind, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
smtpipv6 -- Also work through IPv6.
smtp_nomx -- If the recipient's mailhost is absent, try the host itself.
nosmtpproxy -- Act as a normal SMTP relay. (Otherwise it is only an SMTP proxy)
smtpproxy=value -- Higher-level SMTP server. (SMTP proxy mode)
nosmtp_sent -- Do not save sent messages.
sent_time=value -- For how many days sent messages will be kept. (Zero to keep them forever)
smtp6_range=value -- Our IPv6 ranges (allowed list). E.g. ::1,FE80::-FEFF::
smtp6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
smtp_pop_ip -- Temporarily add an IP to the allowed list after POP3 authorization.
smtp_msg_limit=value -- Limit on message size (in bytes).
smtp_nobreak -- Don't break the connection when the size limit is exceeded.
smtp_conform -- Enable Generate-Delivery-Report.
goodlist=path -- Goodlist. Common file with allowed source e-mails, IPs and host patterns.
badlist=path -- Badlist. Common file with bad source e-mails, IPs and host patterns.
graylist=path -- Graylist. Common file with source e-mails, IPs and host patterns that require advanced checking.
chklists -- Check the "goodlist", "badlist" and "graylist" files in the user's home directory before receiving a message.
msgspam=value -- Text returned when a message is declined. There you may also specify the URL of a Web form for sending a message directly.
noantivirus -- Do not use a script for incoming/outgoing mail.
antivirus=path -- Antivirus script.
run_timeout=value -- Time limit for script execution (in seconds).
antispam=value -- Break filter (expression). The variables $msg, $sender, $hello and $control may be checked to stop receiving a large message.
spamfltr=value -- Spam filter (expression). The variables $msg, $sender, $hello and $control may be checked to add the IP to the spammers' list.
nocheckback -- Accept messages with a wrong return path.
fake=value -- Fake e-mail addresses, separated by commas. If somebody tries to send a message to these addresses, the sender is added to the spammers' list.
dnsbl=value -- DNSBL servers. Ask these external spammer lists about the remote IP before receiving mail. (More than one server may be given, separated by spaces)
checkmx -- Check the sender's mailhost (DNS MX record) before receiving mail.
mxignbl -- Ignore the graylist if the message comes from the source mailhost (DNS MX).
spam_time=value -- How long spammers' IPs stay active in the spammers' list (in seconds).
nosmtp_ltime -- No limitation for SMTP.
smtp_ltime=value -- Time period over which limits are calculated (in seconds).
smtp_ip_limit=value -- Limit per IP (Kb).
smtp_net_limit=value -- Limit per network (Kb).
smtp_limit=value -- Total limit for the server (Kb).
nolimitus -- No limitation for allowed IPs.
uncheckip -- Accept messages from our domain coming from foreign IPs.
time_btw=value -- Minimal timeout between sending messages.
smtp_max=max -- Number of simultaneous requests.
smtp_name=your.domain.name -- SMTP server name (domain name).
vhalias -- Use all virtual hosts as alias domain names.
smtp_port=port -- TCP/IP port for the SMTP server. Usually it's 25.
smtp_out=path -- Output path. Directory in which messages are stored before sending.
smtp_sent=path -- Sent path. Directory in which messages are stored after sending.
smtp_err=path -- Error path. Directory in which messages that can't be sent are stored.
smtp_dns=#.#.#.# -- DNS server used to get mail routing info. (May be your default DNS server)
smtp_any -- Allow any "From" field. Otherwise the server will send messages from user_name@your.domain.name only.
smtp_range={#.#.#.#[-#.#.#.#],} -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens.
smtp_deny={#.#.#.#[-#.#.#.#],} -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
blacklist="u@adr1 *@adr2 ..." -- Blacklist of spammers' e-mail addresses. Separate addresses by spaces. Use *@host to block receiving from any address of that host.
forward -- Use the instructions from the "forward" file in a user's directory.
fwdrun -- Allow execution of applications from a user's "forward" file.
smtptls -- Use TLS when sending outgoing messages if possible.
smtponlytls -- Always use TLS when sending outgoing messages; if not possible, don't send.
smtpchktls -- Verify the remote certificate signature. (The verification methods are the same as specified in the VPN client settings)

DHCP server setting
nodhcp_max -- Disable DHCP.
dhcp_max=value -- Total number of IPs available to allocate.
dhcp_ip=value -- IP address of the DHCP server.
dhcp_bcast=value -- LAN broadcast address for DHCP replies.
dhcp_first=value -- First IP to allocate.
dhcp_mask=value -- Netmask.
dhcp_gate=value -- Gateway.
dhcp_dns=value -- DNS servers.
dhcp_name=value -- Domain name.
dhcp_file=path -- File in which to save state.
dhcp_rdns -- DNS should resolve hostnames for the IPs that were allocated.
dhcp_lo -- Listen only, to store info from other servers for DNS. (Never respond)

TLS/SSL server setting
notls_max -- Disable the TLS/SSL server.
tls_max=value -- Number of simultaneous requests.
tls_port=value -- TCP/IP port for the TLS/SSL server. Usually it's 443.
keep_alive_max=value -- Limit on the number of idle keep-alive connections waiting.
keep_alive_timeout=value -- Timeout in seconds for idle keep-alive connections.
keep_alive_idle=value -- Keep-alive probe interval in seconds for idle keep-alive connections. 0 - use the system default. (Supported from Linux 2.4, from Windows 10 v1709)
ssl_range=value -- IPs that can access this server. Separate single IPs by commas and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1
ssl_deny=value -- Denied IPs that can't access this server. Separate single IPs by commas and IP ranges with hyphens.
ssl6_range=value -- IPv6 addresses that can access this server. Separate single addresses by commas and ranges with hyphens. E.g. ::1,FE80::-FEFF::
ssl6_deny=value -- Denied IPv6 addresses that can't access this server. Separate single addresses by commas and ranges with hyphens.
notls_bind -- Bind to all adapters.
tls_bind=value -- IPv4 and IPv6 addresses to bind, separated by commas. (0.0.0.0 - bind to all IPv4 addresses; ::0 - bind to all IPv6 addresses)
tlsipv6 -- Also work through IPv6.
notls_speed -- Don't restrict the speed of outgoing transfers.
tls_speed=value -- Limit for the total speed of outgoing transfers for all connections from the same IP (KBytes/minute).
tls_spdusr=value -- How many other connections must be active before the speed limitation is checked.
smtp_tls -- Enable TLS for POP3/SMTP.
ftp_tls -- Enable TLS for FTP.
tls_lib=path -- DLL library with TLS/SSL. E.g. seclib.dll
tls_cert_file=path -- Certificate file.
tls_key_file=path -- Key file.
tls_capath=path -- CA path.
tls_cafile=path -- CA file.
tls_priority=value -- Sets the priorities for ciphers, key exchange methods and MACs. The string format differs between GnuTLS and OpenSSL. For OpenSSL, see the CIPHER LIST FORMAT section of the OpenSSL ciphers documentation; for GnuTLS, see the GnuTLS priority strings documentation. The default is the following line:
"TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_AES_256_GCM_SHA384:
 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:
 ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:ALL:!DES:!3DES:!RC2"
admtls -- Remote administration through secure HTTPS only.
tls_wmail -- Web mail through secure HTTPS only.

HTTP TLS VPN server setting
notlsvpn -- Disable the TLS VPN.
tlsvpn_max=value -- Maximum number of TLS VPN connections working simultaneously.
vpn_url=value -- TLS VPN URL name (specify only the local part of the URL, e.g. "/$_vpn_$"). HTTPS requests to this URL will be redirected to the VPN.
vpntun -- Enable the TLS VPN on a Tun device.
vpntap -- Enable the TLS VPN on a Tap device.
vpn_tun_number=value -- Tun device number.
vpn_tap_number=value -- Tap device number.
vpn_tun_mtu=value -- TLS VPN MTU for tun.
vpn_tap_mtu=value -- TLS VPN MTU for tap.
tundev=value -- Tun device pathname.
vpnpub -- Public access without a password. (Otherwise only users with Proxy access can use this service)
tun_ip=value -- Set the Tun interface IP address.
tun_nmask=value -- Set the Tun interface netmask.
tap_ip=value -- Set the Tap interface IP address.
tap_nmask=value -- Set the Tap interface netmask.
tun_script_up=path -- Run an init script for the Tun device.
tap_script_up=path -- Run an init script for the Tap device.
tun_remote_ip=value -- First IP address to allocate to remote clients connected to Tun. (Optional)
tun_remote_max=value -- Total number of IP addresses to allocate to remote clients connected to Tun. (Optional. Set to 0 to use an external DHCP server or another method)
tun_remote_dns=value -- DNS servers that will be offered to the TUN client.
tap_remote_ip=value -- First IP address to allocate to remote clients connected to Tap. (Optional)
tap_remote_max=value -- Total number of IP addresses to allocate to remote clients connected to Tap. (Optional. Set to 0 to use an external DHCP server or another method)
tap_remote_dns=value -- DNS servers that will be offered to the TAP client. (Optional)

HTTP TLS VPN client setting
vpnclient -- Enable connecting to a remote TLS VPN host.
vpn_remote_host=value -- Host of the remote TLS VPN server to connect to.
vpn_client_port=value -- TLS VPN remote port. (Usually 443)
vpn_client_url=value -- TLS VPN URL name (specify only the local part of the URL, e.g. "/$_vpn_$"). Must be the same as specified on the remote server.
vpn_remote_user=value -- TLS VPN user name.
vpn_remote_passw=value -- TLS VPN password.
vpncln_tap -- VPN client on Tap. (Otherwise Tun)
vpn_tuntap_number=value -- TLS VPN client Tun/Tap device number.
vpn_client_mtu=value -- TLS VPN MTU for the client.
tuntap_ip=value -- Set the client VPN interface IP address.
tuntap_nmask=value -- Set the client VPN interface netmask.
vpncln_script_up=path -- Run an init script when the VPN connection is established.
vpncln_script_down=path -- Run a deinit script when the VPN connection is closed.
vpncln_chktls -- Validate the remote TLS certificate and check the host name.
vpncln_tlsigntime -- Don't check the remote certificate's validity period. Ignore expired certificates. (GnuTLS only)
vpncln_tlsssign -- Accept self-signed certificates. (GnuTLS only)
vpncln_tlssshstyle -- SSH-style certificate validation. (GnuTLS only. Public keys of new, untrusted remotes will be stored in ~/.gnutls/known_hosts)
Users
To give FTP, mail or administration access you must add users:
user="name;password;home_dir;type_of_access_flags"
The key may be repeated more than once.
type_of_access_flags is a sequence of the following symbols:
  • F -- FTP access: the user can read files from his home directory and any subdirectory via FTP.
  • W -- FTP write access: the user can upload files to his home directory via FTP.
  • N -- don't add the executable mode attribute to files (uploaded via FTP). Give N to every user that has W unless that user really needs to upload executables.
  • S -- SMTP: the user can send messages via SMTP from user_name@your.domain.name.
  • P -- POP3: the user has a mailbox. All messages to user_name@your.domain.name are stored in the home/mbox directory and are available via POP3.
  • A -- administrator: full access to the administration pages; can add users, change access rights etc.
  • H -- proxy access.
If the user name is known to the system (present in /etc/passwd and /etc/shadow), the server tries to switch to that system user when the user logs on to FTP; otherwise it tries to switch to the system user named "ftp". Make sure that account exists and owns nothing beyond the FTP directories, since every FTP session for a name unknown to the system runs with its privileges. For anonymous FTP access you can add a user without a password: just leave the password field empty. E.g.:
user=anonymous;;/usr/pub;FWN
user=ftp;;/var/readonly;F
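As an added example (this is not code from Small HTTP server), the following Python script parses user= lines in the format above and audits them for the risks just described: privileged flags behind an empty password, W without N, and a configuration file readable by group or others (the HEAD of this page recommends restricting it). The sample lines are a constructed copy of the examples above plus one regular user; audit_config_file assumes you pass it the path of your own httpd.cfg.

```python
"""Parse and audit user= lines from httpd.cfg (added example, not part of Small HTTP server)."""
import os
import stat

ACCESS_FLAGS = {
    "F": "FTP read", "W": "FTP write", "N": "no exec bit on uploads",
    "S": "SMTP send", "P": "POP3 mailbox", "A": "administrator", "H": "proxy",
}
PRIVILEGED = {"A", "W", "S", "H"}   # flags that should never sit behind an empty password


def parse_user_line(line):
    """Turn 'user="name;password;home_dir;flags"' (quotes optional) into a dict."""
    key, sep, value = line.strip().partition("=")
    if key.strip() != "user" or not sep:
        raise ValueError("not a user= line: " + line)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    fields = value.split(";")
    if len(fields) != 4:
        raise ValueError("expected name;password;home_dir;flags: " + line)
    name, password, home, flags = fields
    unknown = set(flags) - set(ACCESS_FLAGS)
    if unknown:
        raise ValueError("unknown access flag(s) %s in: %s" % ("".join(sorted(unknown)), line))
    return {"name": name, "password": password, "home": home, "flags": set(flags)}


def audit_users(users):
    """Return human-readable findings for risky user definitions."""
    findings = []
    for u in users:
        flags = u["flags"]
        risky = flags & PRIVILEGED
        if not u["password"] and risky:
            findings.append("%s: empty password but privileged flags %s"
                            % (u["name"], "".join(sorted(risky))))
        if "W" in flags and "N" not in flags:
            findings.append("%s: FTP write without N, uploads may receive the executable bit"
                            % u["name"])
    return findings


def config_mode_is_private(mode):
    """True when a permission mode grants nothing to group or others (e.g. 0o600)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def audit_config_file(path):
    """Audit an httpd.cfg on disk: permission bits plus every user= line in it."""
    findings = []
    st = os.stat(path)
    if not config_mode_is_private(st.st_mode):
        findings.append("%s: mode %o is readable by group/others but holds cleartext passwords"
                        % (path, stat.S_IMODE(st.st_mode)))
    users = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith("user="):
                users.append(parse_user_line(line))
    return findings + audit_users(users)


# Constructed sample: the two anonymous examples from the text plus one regular user.
SAMPLE_CONFIG_LINES = [
    'user="anonymous;;/usr/pub;FWN"',
    "user=ftp;;/var/readonly;F",
    'user="max;s3cret;/home/max;FWSPA"',
]

if __name__ == "__main__":
    for finding in audit_users([parse_user_line(l) for l in SAMPLE_CONFIG_LINES]):
        print(finding)
```

Run against the sample, the audit reports the anonymous user (write access without any password) and the user "max" (W without N); the read-only "ftp" user passes. Point audit_config_file at your real httpd.cfg to get the same report plus the permission check.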

Please note that there must be no spaces before or after "=". If a parameter value contains spaces, enclose it in quotes. Here is an example of a correct command line:
httpd.exe port=1080 def=index.html nolog
Here is an example of configuration file:
log=/var/log/http.log
max=12 def=index.stm
@www.cfg # include other configuration file
hostpath=www.name.www;/var/www1
hostpath=max.name.www;/var/WWW2
# End of file





Allowed and denied IP ranges.

For each service you may specify allowed and denied IP addresses. There are also common allowed and denied ranges that block or enable access to all TCP services, and ranges that define the IPs from which Web administration is available. Addresses are separated by commas; each item is a single address or a range. Example: 127.0.0.1,192.168.0.1-192.168.0.255

HTTP, FTP, POP3 and the proxy accept requests from IPs that are in the allowed list and not in the denied list.

SMTP accepts messages for its own domain (incoming mail for local users) from any address except the denied ones; messages to be sent outside (relaying) are accepted from allowed IPs only. If you don't want to receive anything from some IP, just add it to the denied list. Keep the SMTP allowed list limited to your own networks, otherwise the server relays mail for anyone in it.

The DNS server also returns local records to anybody, but performs recursive lookups only for IPs from the allowed list.
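The following Python functions model the three rules above (added example, not the server's own code): the range syntax, the "allowed and not denied" rule for the TCP services, the SMTP rule that separates inbound mail from relaying, and the DNS recursion rule. The sample policy is constructed.

```python
"""Allowed/denied range evaluation as described above (added example, not the server's code)."""
import ipaddress


def parse_ranges(spec):
    """Parse '127.0.0.1,192.168.0.1-192.168.0.255' into (version, first, last) triples."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        first = ipaddress.ip_address(lo.strip())
        last = ipaddress.ip_address(hi.strip()) if hi else first
        if last.version != first.version or int(last) < int(first):
            raise ValueError("bad range: " + item)
        ranges.append((first.version, int(first), int(last)))
    return ranges


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    n = int(addr)
    # Compare within one address family only: ::1 and 0.0.0.1 are both "1" as integers.
    return any(v == addr.version and first <= n <= last for v, first, last in ranges)


def tcp_service_allows(ip, allowed, denied):
    """HTTP, FTP, POP3 and proxy: the client must be in allowed and not in denied."""
    return in_ranges(ip, allowed) and not in_ranges(ip, denied)


def smtp_accepts(ip, recipient_is_local, allowed, denied):
    """SMTP: mail for local users from anywhere except denied; relaying only from allowed."""
    if in_ranges(ip, denied):
        return False
    return recipient_is_local or in_ranges(ip, allowed)


def dns_recursion_allowed(ip, allowed):
    """DNS: local records for everybody, recursive lookups for allowed IPs only."""
    return in_ranges(ip, allowed)


# Constructed sample policy: loopback plus the LAN, with one LAN host denied.
ALLOWED = parse_ranges("127.0.0.1,192.168.0.1-192.168.0.255")
DENIED = parse_ranges("192.168.0.13")
```

The SMTP rule is the one worth testing before going live: an outside address must be able to deliver mail to a local user but must not be able to relay through the server.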




Limits.

You may set traffic limits for HTTP, proxy, SMTP and FTP. In the settings, specify the time window over which a limit applies and the limit values per IP, per network of that IP, and in total for the service. Note that when a limit is exceeded, an ongoing transfer is not interrupted until the whole file has been transferred. Once the limit is exceeded, further requests are refused for a period calculated from the amount by which it was exceeded.




Running scripts.

Requested files whose pathname contains the CGI identifier are executed. If the option "Run 'system' files" is selected, files with the 'system' attribute are executed too. The CGI/1.1 standard is supported; for reference consult http://Web.Golux.Com/coar/cgi/. When a script is run, the request parameters are passed both on the command line and in the QUERY_STRING environment variable; treat both copies as untrusted input and never hand the command-line copy to a shell. The script sends its output directly to the client that requested it. A script must output Content-Type: type\r\n or Location: url\r\n. It may add auxiliary header lines such as Content-Length: xx\r\n or Date:. The headers end with \r\n\r\n. If you use C or Perl, note that on Windows the output functions in text mode automatically transform \n into \r\n (on Linux no translation takes place, so write the \r\n explicitly); the Pascal writeln function also terminates its output with these symbols. (\r = [CR] = 0x0D; \n = [LF] = 0x0A)
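A minimal CGI script that follows these header rules, written in Python as an added example (it is not code from the project). It reads the parameters from QUERY_STRING, writes explicit CRLF separators through the binary stdout stream so no newline translation can interfere, HTML-escapes the echoed parameter, and refuses CR/LF in a redirect target. The "name" parameter is an assumed example parameter.

```python
#!/usr/bin/env python3
"""Minimal CGI script following the header rules above (added example, not code from the
project). It builds the reply as bytes so the CRLF separators are written exactly as required."""
import html
import os
import sys
from urllib.parse import parse_qs

CRLF = "\r\n"


def has_header_injection(value):
    """True if a value destined for a header line contains CR or LF."""
    return "\r" in value or "\n" in value


def build_response(query_string, content_type="text/html; charset=utf-8"):
    """Complete CGI reply: header lines, an empty line, then an HTML-escaped body."""
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("name", ["world"])[0]
    body = ("<p>Hello, %s!</p>\n" % html.escape(name)).encode("utf-8")
    headers = ["Content-Type: " + content_type, "Content-Length: %d" % len(body)]
    return (CRLF.join(headers) + CRLF + CRLF).encode("ascii") + body


def build_redirect(url):
    """The alternative reply form: a Location header and nothing else."""
    if has_header_injection(url):
        raise ValueError("CR/LF in redirect target")   # would let a client smuggle headers
    return ("Location: " + url + CRLF + CRLF).encode("ascii")


if __name__ == "__main__":
    # Read the parameters from QUERY_STRING rather than sys.argv: the server passes the same
    # data on the command line, but argv must never reach a shell. Writing to the binary
    # stream avoids any text-mode newline translation.
    sys.stdout.buffer.write(build_response(os.environ.get("QUERY_STRING", "")))
    sys.stdout.buffer.flush()
```

Place the file under the CGI directory, make it executable, and request it with ?name=... to see the escaped output.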



Server Side Includes (SSI)

  • SSI can greatly increase your capabilities by allowing you to dynamically insert the results of CGI scripts at any place in a document shown to the user.
  • When a remote client requests a *.sht, *.shtm or *.shtml file, the server returns it after evaluating the SSI tags it contains.
  • SSI tags have the following format:
    <!--#tag_name {variable="value" } -->
  • HTTP or request form variables can be put into the "value" field. A variable name starts with $ and can be enclosed in braces {} if you wish to concatenate the variable value with the following text (except spaces). For instance, $USER_AGENT contains the browser type, and if you want to concatenate it with "_12345", use "${USER_AGENT}_12345". Escape the symbols $, \ and " with a backslash: $ as \$, \ as \\, " as \" etc. If a variable can't be evaluated, it is replaced with the value "undefined". Request variables are controlled by the client, so be careful when using them in include or exec paths.

    Current server version supports the following tags:

    include
    <!--#include virtual="path/file_name" -->
    <!--#include file="full_path/file_name" -->
    Both variants include the content of file_name in the document. In the first case the file is looked up relative to the web root directory; in the second case you can give a full path. If the system determines that the requested document is in the CGI-BIN directory, it treats it as a CGI script and runs the file. If file_name contains the "?" symbol, the string after it is passed as the request parameters to be processed by your script.

    exec
    <!--#exec cgi="file_name" -->
    <!--#exec cmd="full_path/file_name" -->
    Runs the script, as with the "include" tag.

    fsize & lastmod
    <!--#fsize virtual="path/file_name" -->
    <!--#fsize file="full_path/file_name" -->
    <!--#fsize Kb virtual="path/file_name" -->
    <!--#fsize Mb file="full_path/file_name" -->
    <!--#lastmod virtual="path/file_name" -->
    <!--#lastmod file="full_path/file_name" -->
    <!--#lastmod format="d.m.Y H:i:s" virtual="path/file_name" -->
    <!--#lastmod format="d-m-y h:i:sA" file="full_path/file_name" -->
    Show the file size and the last modification date. The size can be rounded up to kilobytes or megabytes.
    The date can be formatted as you like. The following format keys are defined:

    Key -- Description -- Range
    d -- Day of the month, 2 digits with leading zeros -- 01 to 31
    j -- Day of the month without leading zeros -- 1 to 31
    m -- Numeric representation of a month, with leading zeros -- 01 through 12
    n -- Numeric representation of a month, without leading zeros -- 1 through 12
    Y -- A full numeric representation of a year, 4 digits -- 1970 through 9999
    y -- A two digit representation of a year -- 00 through 99
    a -- Lowercase Ante meridiem and Post meridiem -- am or pm
    A -- Uppercase Ante meridiem and Post meridiem -- AM or PM
    g -- 12-hour format of an hour without leading zeros -- 0 through 12
    G -- 24-hour format of an hour without leading zeros -- 0 through 23
    h -- 12-hour format of an hour with leading zeros -- 01 through 12
    H -- 24-hour format of an hour with leading zeros -- 00 through 23
    i -- Minutes with leading zeros -- 00 to 59
    s -- Seconds with leading zeros -- 00 through 59

    echo
    <!--#echo var="var" -->
    Prints variable value.

    printenv
    <!--#printenv -->
    Outputs the values of all variables.

    break
    <!--#break -->
    Stops processing of the document at this point.

    if -- elif -- else -- endif
    <!--#if expr="expression" -->
    text
    <!--#elif expr="expression" -->
    text
    <!--#elif expr="expression" -->
    text
    ...
    <!--#else -->
    text
    <!--#endif -->

    The text will be either shown or not depending on the outcomes of specified conditions. The conditions can consist of variables and values as well as different logical operators between them:

    ! -- "Not"
    = or == -- "Equal to"
    != -- "Not equal to"
    <,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to".
    ~ -- "Part of..." str1 ~ str2 -- the result is true if the string str2 is a part of the string str1
    str1 =~ /pattern/ig -- the pattern is a Unix-style regular expression. The result is true if a substring matching the pattern has been found in str1.
    && --"AND"
    || --"OR"

    The elif and else operators can be omitted, and elif can be repeated as many times as you need. The endif tag must close the statement.

    set
    <!--#set var="variable" value="value" -->
    Sets or changes the value of the variable. Try not to use this feature too often, because the number of variables and the memory allocated for them are somewhat restricted.




    Regular Expressions

    Incoming variables can be checked by pattern matching. A pattern is a regular expression with the syntax accepted on Unix. A regular expression is a substring to search for; it may contain metacharacters, quantifiers and variables. The following metacharacters are understood:
  • ^ -- beginning of line.
  • . -- any char except new line.
  • \ -- if the next character is a metacharacter, it is taken literally. E.g. "\." is just a dot. The following sequences are also known:
    • \n -- new line
    • \r -- carriage return
    • \t -- tab
    • \\ -- \ (backslash)
    • \x## -- hex code of a char.
    • \o### or \0### -- octal code of a char.
    • \### -- decimal code of a char.
  • [] -- square brackets list the allowed or forbidden values for the next char: if the first char in the brackets is '^', the char may be anything except the other chars listed; otherwise the char must be one of the chars listed. '-' inside the brackets means all chars from the one before '-' to the one after it. '\' inside the brackets also changes the interpretation of the next char. Examples:
    • [0-9] -- any digit.
    • [a-zA-Z] -- any letter.
    • [^@$\-\n\o008\x01] -- any char except @, $, -, new line, and the chars with codes 8 and 1.
  • () -- saves the substring matched by the pattern inside the brackets for later use. The matched substrings are available as the variables $1 to $9. The last match is also available as $+, the string before the last match as $` and the string after the last match as $'.
  • | -- or. As in Unix regular expressions it has the lowest precedence, so group the alternatives with () when they form only part of a longer pattern.
    A metacharacter may be followed by a quantifier:
  • * -- repeat 0 or more times.
  • + -- repeat 1 or more times.
  • ? -- may be absent.
  • {n} -- repeat exactly n times.
  • {n,} -- repeat n or more times.
  • {n,m} -- repeat at least n but not more than m times. Any quantifier may be followed by the modifier '?' to make it lazy, i.e. to match the shortest possible substring. For example, when searching the string '123abcdefff567':
    • with pattern /([a-z]*)/ $1 will be "abcdefff"
    • with pattern /([a-z]*)f/ $1 will be "abcdeff"
    • with pattern /([a-z]*?)f/ $1 will be "abcde"

    At the end of a pattern, after the last slash, various modifiers may follow. The program currently understands the following modifiers:
  • i -- case-insensitive pattern.
  • v -- don't clear the list of variables ($1 - $9). Without this modifier the program clears the list at the start of a new logical expression, when the first regular expression in that expression begins matching.
  • c -- clear the list of variables ($1 - $9) before matching. One logical expression may contain more than one regular expression. By default all of them use the same list of variables, so if e.g. the first expression filled $1 and $2, the second can fill only from $3 on. With this modifier the expression fills variables beginning from $1, regardless of the result of the previous part of the logical expression.

    The following functions are also available:
  • exist(filename) - returns 1 if the file exists, otherwise 0.
  • fsize(filename) - returns the size of the file.
  • ftime(filename) - returns the time of last modification of the file in seconds since the Unix epoch (1 January 1970).
  • fmode(filename) - returns the access mode of the file.




    Countries features

    The program can show statistics by country, and the server may add a REMOTE_COUNTRY variable with the country name to the SSI/CGI environment. An IP-to-country database is needed for these features. Download and unzip it, then specify its location in the server's options. The fast lookup does not delay SSI and CGI execution. The program does not guarantee correct country detection every time, but in many cases it will be correct. For IP addresses absent from the database the server shows "unknown" instead of a country name.
    Also, if enabled in the settings, the HTTP queries /$_ip2country_$ and /$_ip2country_$?l=h return the user's country.
    This request accepts an 'l=' variable, which may be 'h' for an HTML reply, 'j' for a JavaScript reply, and any other value for a plain text reply.
    You can include the JavaScript variant as <script src=/$_ip2country_$?l=j > in your web pages to use the country name in your scripts. The answer has the following format:
    var county_code="CC",country="Country name",country_ip="127.0.0.1";
    




    Internet Server Applications (ISAPI)

    This is an alternative to CGI executables. The server identifies a file with a .DLL extension as a script to execute. For every client request the HttpExtensionProc entry point is called. My implementation of this interface has the following features:
  • If HttpExtensionProc returns 4 (HSE_STATUS_ERROR) or greater, the DLL is unloaded.
  • When the script calls WriteClient, dwHttpStatusCode must contain a valid value, or the data must begin with HTTP/ and contain a full HTTP reply.
  • The absence of GetExtensionVersion is not an error.




    Proxy

    If the hard disk cache is enabled, the server stores all incoming files except authorized pages. The server can delete downloaded files from the proxy cache directory several days after the last download. See also command line keys descriptions




    DNS server

    This version contains a DNS server. To run it you must specify a hosts file. The file format is on the one hand compatible with the system hosts file and on the other hand may resemble the master file format recommended by RFC 1035. For compatibility with the system hosts file, each line may contain an IP address and the name of a host. Comments begin with the symbol '#'. A domain name in this file may begin with '*.' to describe all subdomains. Example:

    # Here is an example of hosts file for local network.
    
    194.45.68.21 www.max.local
    194.45.68.21 max.local
    194.45.68.20 *.max.local
    194.45.68.22 www.boss.local
    194.45.68.23 serg.local
    194.45.68.26 www.serg.local
    194.45.68.24 *.andy.local
    194.45.68.25 *.mary.local
    # etc ...
    
    # To create your own dialup network add last record:
    194.45.68.20 * # -- Redirect all unknown incoming request to 194.45.68.20
    
    # end of hosts file
    
    Each line may also contain a domain name and an RR description; in that case a comment may begin with ';'. The following lines are supported:
    $ORIGIN <domain-name>
    $TTL <validate-time> -- a 32 bit unsigned integer that specifies the time interval (in seconds) for which the resource record may be cached before it should be discarded.
    $SLAVE <domain-name> <ip-address-of-master> [<filename>] -- act as slave DNS server for this domain: the full zone is downloaded from the master.
    $IF_DOWN <host:port> <interval> Old.IP=New.IP -- with this option the server tries to connect to host:port with the given time interval (in seconds), and if the connection fails, Old.IP is replaced with New.IP in each record.
    [<domain-name>] <blank> [<TTL>] IN <type> <RDATA>
    Unlike the RFC recommendation, a domain must be described with its full <domain-name> ('@' is not interpreted; a trailing dot may be present or omitted, it makes no difference). You may omit <domain-name>, in which case the previous name is used. Also unlike the RFC recommendation, the class "IN" must be given on each line in RR format. <type> may be:
  • A <IP-address> - a host IPv4 address
  • AAAA <IPv6-address> - a host IPv6 address
  • NS <full-name> - an authoritative name server
  • CNAME <full-name> - the canonical name for an alias. The 'A' record for the original name MUST be present in this file.
  • SOA <full-name> <e-mail of owner> (<SERIAL>,<REFRESH>,<RETRY>,<EXPIRE>,<MINIMUM>) - marks the start of a zone of authority
  • MX <preference> <full-name> - mail exchange. <preference> is a number from 1 to 255; lower values are preferred.
  • PTR <full-name> - a name. The host on the left side must be #.#.#.#.in-addr.arpa
  • TXT text
  • SPF text
  • CAA 0 [issue|issuewild] server
  • TLSA usage selector matching_type data - see the TLS/SSL section for details.
  • TYPEnumber \\# length hex hex hex... - for new, unknown types.
    Other types are ignored.
    The server also answers PTR requests; the RDATA for the reply is taken from the first 'A' record with that IP, or from lines compatible with the system hosts file. For each record type the domain name may begin with the wildcard '*.' to describe all subdomains. The server supports the '*' request type, which returns everything about a domain. For a domain with a wildcard the reply will also contain the wildcard; for other request types the reply is without the wildcard.

    The server may support recursive queries. To enable resolving of any domain you MUST specify NS records for the root servers. If you check "Recursion call to up level servers only", specify your provider's DNS servers instead of the root servers; the program will then query only those servers. Otherwise the server queries the servers of the different zones itself. Note that the root server addresses in the example below are old; take the current ones from the IANA root hints file (https://www.internic.net/domain/named.root) before using it. Example:

    # Here is an example of hosts file for export domain to Internet,
    # and resolve other names.
    
    ; First, lines holds the information on root name servers needed to
    ; initialize cache of Internet domain name servers
    
    .                  IN  NS a.root-servers.net
    a.root-servers.net IN  A  198.41.0.4
    .                  IN  NS b.root-servers.net
    b.root-servers.net IN  A  128.9.0.107
    .                  IN  NS c.root-servers.net
    c.root-servers.net IN  A  192.33.4.12
    .                  IN  NS d.root-servers.net
    d.root-servers.net IN  A  128.8.10.90
    .                  IN  NS e.root-servers.net
    e.root-servers.net IN  A  192.203.230.10
    .                  IN  NS f.root-servers.net
    f.root-servers.net IN  A  192.5.5.241
    .                  IN  NS g.root-servers.net
    g.root-servers.net IN  A  192.112.36.4
    .                  IN  NS h.root-servers.net
    h.root-servers.net IN  A  128.63.2.53
    
    ; Now declare our domain
    
    $TTL 86400  ;TTL - 24 hours
    
    somedomain.net IN SOA  somedomain.net [email protected] (
     2002120602 ; Serial
     36000      ; Refresh
     3000       ; Retry
     36000000   ; Expire
     36000      ; Minimum
     )
      IN NS   ns.somedomain.net
      IN NS   ns2.somedomain.net
      IN MX 1 relay1.somedomain.net
      IN MX 2 relay2.somedomain.net
      IN A 192.168.12.1
    
    ns.somedomain.net     IN A 192.168.12.1
    ns2.somedomain.net    IN A 192.168.12.2
    relay1.somedomain.net IN A 192.168.12.1
    relay2.somedomain.net IN A 192.168.12.2
    
    pc2.somedomain.net    IN A 192.168.12.2
      IN NS   ns2.somedomain.net
      IN MX 1 relay1.somedomain.net
    
    *.somedomain.net      IN A 192.168.12.1
      IN NS   ns.somedomain.net
      IN NS   ns2.somedomain.net
      IN MX 1 relay1.somedomain.net
      IN MX 2 relay2.somedomain.net
    
    
    ; also this file may contents lines in next format:
    192.168.12.1 www.max.local
    192.168.12.2 max.local
    192.168.12.1 *.max.local
    
    $SLAVE domain2.name 192.168.12.8 domain2.name.txt
    $IF_DOWN 192.168.12.2:80 300 192.168.12.2=192.168.12.1
    
    
    # end of hosts file
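To make the file format above concrete, here is a small Python reader for it, written as an added example (it is not the server's own parser and does not claim to reproduce every detail of it). It handles hosts-style "IP name" lines, the "*." wildcard and the "*" catch-all, $TTL, and RR lines with an optional owner, optional TTL, the mandatory IN class and multi-line "( ... )" RDATA; $ORIGIN, $SLAVE and $IF_DOWN are recognised but skipped. Lookup follows the rule described above: exact owner first, then the nearest wildcard, then the catch-all. The sample zone is a constructed, reduced copy of the examples.

```python
"""Reader for the DNS hosts/zone file format described above (added example; this is not the
server's own parser). Handles hosts-style 'IP name' lines, '*.' wildcards, the '*' catch-all,
$TTL, and '[name] [ttl] IN type rdata' lines with multi-line '( ... )' RDATA.
$ORIGIN, $SLAVE and $IF_DOWN are recognised but skipped."""
import re


class HostsZone:
    IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

    def __init__(self):
        self.records = {}       # owner name -> list of (type, ttl, rdata)
        self.catch_all = None   # IP from a '<ip> *' line: answer for any unknown name
        self.ttl = 3600         # default TTL until a $TTL line changes it

    @staticmethod
    def _logical_lines(text):
        """Strip '#' and ';' comments and join '( ... )' continuation lines into one."""
        pending = None
        for raw in text.splitlines():
            line = re.split(r"[#;]", raw, maxsplit=1)[0].rstrip()
            if pending is not None:
                pending += " " + line.strip()
                if ")" in line:
                    yield pending
                    pending = None
            elif line.strip():
                if "(" in line and ")" not in line:
                    pending = line
                else:
                    yield line
        if pending is not None:
            raise ValueError("unterminated '(' in zone file")

    @staticmethod
    def _norm(name):
        name = name.lower().rstrip(".")
        return name or "."

    def _add(self, name, rtype, ttl, rdata):
        self.records.setdefault(name, []).append((rtype, ttl, rdata))

    def load(self, text):
        last_name = None
        for line in self._logical_lines(text):
            parts = line.split()
            head = parts[0]
            if head.startswith("$"):
                if head == "$TTL":
                    self.ttl = int(parts[1])
                continue                                     # $ORIGIN/$SLAVE/$IF_DOWN skipped
            if self.IPV4.match(head) or ":" in head:        # hosts-style line
                if len(parts) < 2:
                    raise ValueError("hosts line without a name: " + line)
                name = self._norm(parts[1])
                if name == "*":
                    self.catch_all = head
                else:
                    self._add(name, "AAAA" if ":" in head else "A", self.ttl, head)
                continue
            if line[0].isspace():                            # blank owner: previous name
                if last_name is None:
                    raise ValueError("record without an owner name: " + line)
                name = last_name
            else:
                name = self._norm(head)
                parts = parts[1:]
            ttl = self.ttl
            if parts and parts[0].isdigit():
                ttl = int(parts.pop(0))
            if len(parts) < 3 or parts[0].upper() != "IN":
                raise ValueError("expected '[ttl] IN type rdata': " + line)
            self._add(name, parts[1].upper(), ttl, " ".join(parts[2:]))
            last_name = name

    def lookup(self, qname, qtype):
        """Exact owner first, then the nearest '*.' wildcard, then the '*' catch-all."""
        qname, qtype = self._norm(qname), qtype.upper()
        labels = qname.split(".")
        candidates = [qname] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        for cand in candidates:
            hits = [rd for rt, _, rd in self.records.get(cand, []) if qtype in (rt, "*")]
            if hits:
                return hits
        if qtype in ("A", "*") and self.catch_all:
            return [self.catch_all]
        return []


# Constructed sample in the file format shown above (a reduced copy of the examples).
SAMPLE_ZONE = """\
# hosts-style lines
194.45.68.21 www.max.local
194.45.68.20 *.max.local   # every other *.max.local name

$TTL 86400  ;TTL - 24 hours
somedomain.net IN SOA ns.somedomain.net hostmaster.somedomain.net (
 2002120602 ; Serial
 36000      ; Refresh
 3000 36000000 36000 )
  IN NS   ns.somedomain.net
  IN MX 1 relay1.somedomain.net
  IN A 192.168.12.1
ns.somedomain.net     IN A 192.168.12.1
relay1.somedomain.net IN A 192.168.12.1
*.somedomain.net      IN A 192.168.12.1
  IN MX 1 relay1.somedomain.net
"""
```

Loading your own hosts file through this reader before starting the server is a cheap way to catch a missing IN class, a record without an owner, or an unclosed parenthesis in an SOA.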
    


    See also command line keys descriptions

    SMTP server

    The SMTP server can:

  • Receive messages for defined users. The target address must be user_name@your.domain.name. These messages are stored in the user's home/mbox directory and are available via POP3.
  • Receive messages from defined users for anybody. The source address must be user_name@your.domain.name. You can enable receiving messages from anybody to anyone, and you can restrict the remote IP range for which this type of message is enabled (leaving it unrestricted turns the server into an open relay). To get mail routing info, the SMTP server asks the DNS server; you must specify the DNS IP in the options.
  • You may add spammers' addresses to a blacklist; messages from these addresses will never be received. The server also supports common and personal badlist and goodlist files. The names of the common lists can be specified in the options; there you may also enable checking of personal files named "badlist" and "goodlist" in the users' home directories. Each line of these files may be:
    • An e-mail address or any part of an address.
    • An IP address or the leading part of an IP address.
    • ? A logical expression using the $sender, $hello and $control variables:
      • $sender -- return address
      • $hello -- self identification (HELO/EHLO name) of the remote server.
      • $control -- full identification line in the following format:
        "From sender (remote_hello [IP]) date and time For receptors\r\n"
    • ?? A list of DNSBL servers
    Example:
    # Begin of file
    @yahoo
    4.79.181.
    67.28.113.
    [email protected]
    lotto
    ? $sender == spamer@address
    ? ! $hello =~ /.+\.[a-z]{2,4}/
    ? $control =~ /\[64.156.215.*\]/
    # End of file
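The following Python code evaluates badlist entries of the kinds listed above against one incoming connection, as an added example (it is not the server's matcher). It supports address parts (matched as a case-insensitive substring of $sender, an assumption of this example), IP prefixes, and "?" rules of the form "[!] $var (==|!=|=~) value" over $sender, $hello and $control; "??" DNSBL lines are skipped because they need the network. The badlist is a constructed copy of the example above, and control_line builds the $control string in the quoted format.

```python
"""Evaluation of badlist/goodlist entries as described above (added example, not the server's
own matcher). Supported: address parts (case-insensitive substring of $sender), IP prefixes,
and '?' rules of the form '[!] $var (==|!=|=~) value' with $sender, $hello and $control.
'??' DNSBL lines are skipped because they need network access."""
import re

_RULE = re.compile(r"^\?\s*(!?)\s*\$(sender|hello|control)\s*(==|!=|=~)\s*(.+?)\s*$")
_REGEX_LITERAL = re.compile(r"^/(.*)/([a-z]*)$", re.S)


def rule_matches(rule, env):
    """Evaluate one '? ...' line against env = {'sender':..., 'hello':..., 'control':...}."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError("unsupported '?' rule: " + rule)
    negate, var, op, rhs = m.groups()
    value = env[var]
    if op == "=~":
        lit = _REGEX_LITERAL.match(rhs)
        if not lit:
            raise ValueError("expected /pattern/flags after =~: " + rule)
        flags = re.I if "i" in lit.group(2) else 0
        result = re.search(lit.group(1), value, flags) is not None
    else:
        result = (value == rhs) if op == "==" else (value != rhs)
    return not result if negate else result


def first_badlist_hit(entries, sender, hello, ip, control):
    """Return the first entry that matches the connection, or None."""
    env = {"sender": sender, "hello": hello, "control": control}
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#") or entry.startswith("??"):
            continue
        if entry.startswith("?"):
            hit = rule_matches(entry, env)
        elif re.fullmatch(r"[0-9.]+", entry):
            hit = ip.startswith(entry)          # IP address or its leading part
        else:
            hit = entry.lower() in sender.lower()   # address or any part of it
        if hit:
            return entry
    return None


def control_line(sender, hello, ip, receptors, when="Mon, 1 Jan 2024 12:00:00"):
    """Build the $control line in the format quoted above."""
    return "From %s (%s [%s]) %s For %s\r\n" % (sender, hello, ip, when, receptors)


# Constructed copy of the badlist example above.
SAMPLE_BADLIST = r"""
# Begin of file
@yahoo
4.79.181.
67.28.113.
lotto
? $sender == spamer@address
? ! $hello =~ /.+\.[a-z]{2,4}/
? $control =~ /\[64.156.215.*\]/
# End of file
""".splitlines()
```

Note how the negated $hello rule works: any remote server whose HELO name has no dot-separated top-level label (for example a bare "localhost") is rejected, so test your own legitimate senders against the list before enabling it.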
    

  • You may enable the server to check users' "forward" files, to redirect or filter messages.
    A file named "forward" can be placed in the user's home directory. When the option is enabled, the server parses each line of this file and understands the following instructions:
  • #if expression -- the following lines are processed if the expression is true
  • #elif expression -- if the previous condition is false, the following lines are processed if the expression is true
  • #else -- the following lines are processed if the previous condition is false
  • #endif -- end of the conditional block
  • #mv where -- move the message
  • #cp where -- copy the message
  • #rm -- remove the message
  • # anything -- comment
  • !/usr/bin/path/application {params} -- execute "/usr/bin/path/application {params} users_home/mbox/name.msg". Only if executing is enabled in the options. Enable this only for users you trust: the command runs with the privileges of the server process, and anyone who can write to the home directory (e.g. via FTP with the W flag) can change the forward file.
  • to1@host1 {toN@hostN} -- redirect the message to these addresses.
    The conditions can consist of variables ($size_kb -- size of the message in KB; $in_text(text to find) -- true if the text was found in the message) and values as well as the logical operators between them:
    ! -- "Not"
    = or == -- "Equal to"
    != -- "Not equal to"
    <,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to".
    ~ -- "Part of..." str1 ~ str2 -- the result is true if the string str2 is a part of the string str1
    && --"AND"
    || --"OR"

    str1 =~ /pattern/ig -- the pattern is a Unix-style regular expression. The result is true if a substring matching the pattern has been found in str1.
    A space and a backslash (' \') at the end of a line mean that the current command continues on the next line.
    Example:
    # Here is the example of forward file.
    
    #if  $in_text(boss@address)
    !/usr/bin/perl/bin/perl.exe autoreply.pl
    #endif
    
    #if $in_text(100% FREE)
    !deltree /Y
    #elif $size_kb<=20 && ! ( $in_text(boss@address) || $in_text(@private.address) || $in_text(do not redirect) )
    my_home@address [email protected]
    #else
    !/usr/bin/perl/bin/perl.exe check.pl
    #endif
    
    # End of forward file
    
  • The antivirus script has the same format as the forward file, but unlike the forward file it is checked before each message is sent. Example:
    # Here is the example of antivirus file.
    
    #if  $text =~ /Content-Transfer-Encoding: ["`]?base64[\001-\xFF]*?\n\r?\nTVqQAAMA/
    
    #if  $text =~ /name=.*\.pif/
    #mv c:\probably\virus
    #else
    !c:\DrWeb\drwebcl.exe /GO /TM- /WA- /TB- /ML
    #endif
    
    #elif $body =~ /<script language=/ && $body =~ /<!DOCTYPE HTML/
    #mv c:\probably\spam
    #endif
    
    # End of file
    

    The break filter is meant to cut off the reception of long spam messages.
    The break filter is a logical expression that is evaluated after the server has received the first 8 KB of the message. If the result of this expression is true, the rest of the message is not received, "[SPAM]" is added to the "Subject" header field, the combination of "sender + IP address + server's hello + recipients" is placed in a temporary bad list, and further attempts to send the same message are stopped before the data transfer begins.
    Inside the expression the following variables may be used:
  • $msg -- first 8 KB of the message
  • $sender -- return address
  • $hello -- self identification of the remote server.
  • $control -- full identification line in the following format:
    "From sender (remote_hello [IP]) date and time For receptors\r\n"
    You may use the same operators as in the '#if' operator: ||,&&,<,>,>=,<=,==,!=,=~
    Example:
     (! ( $msg =~ /^From:[^\n\r]*<([^>\n\r]+)>/i ||
          $msg =~ /^From:[ \t]*([^\n\r]+)/          )
     )
     || $1 != $sender
     || $msg =~ /^Subject:[^\n\r]*New site|You are win/i
     || $msg =~ /to|for[ \r\n\t]+unsubscribe[ \r\n\t]+[ \r\n\t]+press|go|open|reply|do not/i
    
    In this example the first four lines check whether a 'From' field is present in the message and extract the address from it; this address must be the same as the sender address (return path). The next line searches the Subject field for "New site" or "You are win", and the last line tries to detect strings like "To unsubscribe do something...". Note that '|' has the lowest precedence, so as written the last two patterns also match a bare "You are win" anywhere in the message and a bare "to", "go" or "open"; group the alternatives in parentheses, e.g. /^Subject:[^\n\r]*(New site|You are win)/i, when they are meant to share a prefix.
    If any of these conditions is true, the message is detected as spam. See also command line keys descriptions
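A Python port of the break-filter example above, as an added example (it is not the server's expression evaluator). The alternations are grouped in parentheses so that '|' applies to the alternatives only, the whitespace between "unsubscribe" and the verb is a single run, and the From: address is compared with the return path case-insensitively; those three choices are assumptions of this port. The sample messages are constructed.

```python
"""Python port of the break-filter example above (added example, not the server's own evaluator).
The alternations are grouped with parentheses so that '|' applies only to the alternatives,
and the From: address is compared with the return path case-insensitively."""
import re

HEAD_LIMIT = 8 * 1024   # the server evaluates the filter on the first 8 KB of the message

FROM_ANGLE = re.compile(r"^From:[^\n\r]*<([^>\n\r]+)>", re.I | re.M)
FROM_BARE = re.compile(r"^From:[ \t]*([^\n\r]+)", re.I | re.M)
SUBJECT_BAIT = re.compile(r"^Subject:[^\n\r]*(New site|You are win)", re.I | re.M)
UNSUBSCRIBE = re.compile(
    r"\b(to|for)[ \r\n\t]+unsubscribe[ \r\n\t]+(press|go|open|reply|do not)\b", re.I)


def from_address(msg):
    """Address from the From: header: the part in <...> if present, else the whole value."""
    m = FROM_ANGLE.search(msg) or FROM_BARE.search(msg)
    return m.group(1).strip() if m else None


def break_filter(msg, sender):
    """True when reception should be cut off and the message tagged [SPAM]."""
    msg = msg[:HEAD_LIMIT]
    addr = from_address(msg)
    if addr is None:
        return True                                   # no From: header at all
    if addr.lower() != sender.lower():
        return True                                   # From: disagrees with the return path
    if SUBJECT_BAIT.search(msg):
        return True
    return UNSUBSCRIBE.search(msg) is not None


# Constructed sample messages (headers only, CRLF line endings as on the wire).
LEGIT_MSG = ("From: Alice <alice@example.org>\r\nTo: bob@our.domain\r\n"
             "Subject: Lunch?\r\n\r\nSee you at noon.\r\n")
BAIT_MSG = ("From: promo@shop.example\r\nTo: bob@our.domain\r\n"
            "Subject: You are winner!\r\n\r\nClick here.\r\n")
```

Running your own mail through break_filter before enabling the expression on the server shows which legitimate senders it would cut off; mailing lists whose envelope sender differs from the From: header are the usual casualties of the return-path check.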

    POP3 server & proxy

    The POP3 server provides access to incoming mail. If the POP3 proxy is enabled, users may configure their e-mail client to fetch mail from another remote POP3 server through this one. For this, the user name in the client program must be: local_user@remote_user@remote_host
    The password must be: local_password@remote_password
    Alternatively the @remote_password part may be appended to the user name. '#' may be used anywhere instead of '@'. Note that both passwords travel in the clear unless the client connects over TLS.

    If Web Mail is enabled, users that have POP3 access may use it at the URL http://host.name/$_wmail_$ . Web mail is available only from IP addresses in the POP3 range.



    FTP server & proxy

    The FTP server provides access to the users' home directories and, if the option "Enable virtual directories for FTP" is selected, to private virtual directories. Public virtual directories are not available through FTP.
    If the FTP proxy is enabled, users may configure their FTP client to work with a remote FTP server through this one. For this, the user name in the client program must be: local_user@remote_user@remote_host
    The password must be: local_password@remote_password
    Alternatively the @remote_password part may be appended to the user name. '#' may be used anywhere instead of '@'.
    Some FTP clients (e.g. the FTP plugin for Far manager) support a similar type of FTP proxy. In these clients you may set the firewall setting to your_host:FTP_port and use an FTP URL like this: ftp://local_user#remote_user:local_password#remote_password@ftp_host/



    TLS/SSL server

    The server doesn't contain built-in TLS/SSL cryptographic functions, but includes an interface for connecting an external TLS/SSL library. You may connect OpenSSL or GnuTLS to the server; the libsec111.so and libsecgnutls.so libraries, based on OpenSSL and GnuTLS, are included in the Linux package. These functions require a certificate.
    An easy and free way to get one is to generate a self-signed certificate, e.g. with the help of OpenSSL:

    
    openssl genrsa 2048 > ks.key
    openssl req -x509 -new -key ks.key -days 3650 > ks.pem
    
    
    ks.pem -- is the resulting file that may be used as "Certificate file"
    ks.key -- is the resulting file that may be used as "Key file". Keep it readable by the server's user only (chmod 600 ks.key): anyone who obtains it can impersonate your server.
    A self-signed certificate does not provide the usual security guarantees: an attacker on an intermediate router can insert a bidirectional proxy into your connection and present his own certificate in place of yours, and the browser will not be able to recognize that it is not your certificate.
    Some browsers or TLS clients may support the DANE (RFC 6698) method of certificate validation. For this method you need to add specific DNS records for your domain. The format of such a record is:
    _port._base_protocol.host.name IN TLSA usage selector matching_type data

    For a self-signed certificate of this domain, usage must be 3 (DANE-EE). Note that DANE only helps clients that validate TLSA records, and only if the zone is signed with DNSSEC; an unsigned TLSA record can be spoofed just like the connection itself.

    selector may be:
  • 0 -- Full certificate: the Certificate binary structure as defined in RFC5280
  • 1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined in RFC5280

    matching_type may be:
  • 0 -- Exact match on selected content
  • 1 -- SHA-256 hash of selected content RFC6234
  • 2 -- SHA-512 hash of selected content RFC6234

    data can be generated with the help of openssl and sha256sum (take only the hex digest and drop the trailing " -" that sha256sum prints):
    Selector=0 (full certificate)
    openssl x509 -in ks.pem -outform der | sha256sum
    
    Selector=1 (subject public key)
    openssl x509 -in ks.pem -pubkey -noout | openssl rsa -pubin -outform der | sha256sum
    (for a non-RSA key use "openssl pkey -pubin -outform der" in place of "openssl rsa -pubin -outform der")
    

    Examples of TLSA DNS records:
    _443._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
    _443._tcp.www.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
    _25._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
    _110._tcp.smallsrv.com. IN TLSA ( 3 1 1 5bdd89111e62a72c946d47a91e7a17aec3102d41a2523e04b510a83cebffdf1a )
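The same TLSA data can be produced offline in Python, as an added example that is not part of the server: pem_to_der reads a ks.pem, spki_der pulls the SubjectPublicKeyInfo out of the certificate with a minimal DER walker (selector 1), and tlsa_rdata/tlsa_record produce the "usage selector matching_type data" text in the form used in the records above. Because the example must run without openssl, it builds a constructed stand-in certificate with the real X.509 DER layout but dummy contents; replace SAMPLE_CERT_PEM with the contents of your own ks.pem.

```python
"""Generate TLSA rdata from a certificate in Python (added example; it replaces the openssl and
sha256sum pipeline above with an offline computation, it is not part of the server). Only a
minimal DER walker is needed to pull the SubjectPublicKeyInfo out of a certificate."""
import base64
import hashlib
import re


def pem_to_der(pem_text):
    """Decode the first PEM block, e.g. the ks.pem written by 'openssl req -x509'."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf, off):
    """(tag, content_start, content_end) of the DER element at buf[off]; single-byte tags."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + length


def _children(buf, start, end):
    """List of (tag, element_start, element_end) for the elements in buf[start:end]."""
    out = []
    while start < end:
        tag, _, elem_end = _tlv(buf, start)
        out.append((tag, start, elem_end))
        start = elem_end
    return out


def spki_der(cert_der):
    """Extract the SubjectPublicKeyInfo element (TLSA selector 1) from a DER certificate."""
    tag, cs, ce = _tlv(cert_der, 0)                     # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_start, _ = _children(cert_der, cs, ce)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    _, tcs, tce = _tlv(cert_der, tbs_start)
    fields = _children(cert_der, tcs, tce)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, end = fields[5]
    return cert_der[start:end]


def tlsa_rdata(cert_der, usage=3, selector=1, matching_type=1):
    """'usage selector matching_type data' as in the RFC 6698 presentation format."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if matching_type == 0:
        digest = data.hex()
    elif matching_type == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif matching_type == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("matching_type must be 0, 1 or 2")
    return "%d %d %d %s" % (usage, selector, matching_type, digest)


def tlsa_record(host, port, cert_der, proto="tcp", **kw):
    """Full zone line for the server's hosts file, e.g. _443._tcp.host. IN TLSA ..."""
    return "_%d._%s.%s. IN TLSA %s" % (port, proto, host.rstrip("."), tlsa_rdata(cert_der, **kw))


def _der(tag, content):
    """Encode one DER element (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed stand-in for a certificate: the X.509 DER layout with dummy contents, so the
# example runs without openssl. Replace it with pem_to_der(open("ks.pem").read()) in practice.
_RSA_ALG = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + bytes(range(256))))
_TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01") + _RSA_ALG
            + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _RSA_ALG + _der(0x03, b"\x00" + bytes(64)))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode("ascii")
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(tlsa_record("smallsrv.com", 443, pem_to_der(SAMPLE_CERT_PEM)))
```

Selector 1 with matching type 1 (SPKI, SHA-256) is the usual choice for a self-signed server: the record stays valid when you reissue the certificate with the same key, while a selector 0 record must be republished for every new certificate.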
    



    HTTP TLS VPN server and client

    The program can now create a VPN channel inside an HTTPS connection.

  • How does it work?
    On the host where the HTTP server is used, you can enable the VPN server in the settings. On other hosts you can install the program and enable the VPN client (only the VPN client is possible). Clients access the server using the HTTPS protocol, requesting a URL like https://hostname.etc/$_vpn_$/. You can choose any URL name by which the server will recognise a VPN request. When the HTTP server detects a VPN request, it passes the connection to the built-in VPN server.
  • TAP and TUN
    The server supports both VPN types, and both can run simultaneously, but each type must be on its own subnet. The client can choose only one type, TUN or TAP, and reports the required type to the server when connecting.
    What is the difference? On a TAP connection each packet also includes a 14-byte Ethernet header. This gives some advanced features: the TAP interface can be included in a bridge, and any type of packet can be broadcast through TAP. The TUN connection only supports IPv4 and IPv6 packets.
  • Link between clients
    In this version the server does not filter anything. Communication between clients will work; it can only be restricted by an external firewall, so treat every connected client as being on one shared network.
  • Link to Linux and Windows
    Linux and Windows VPN use the same protocols and can be connected to each other.
  • Tap driver for Windows.
    Windows does not have a built-in TUN/TAP driver, so an external driver is required. This program can work with the free and open source TAP-windows driver from the OpenVPN project. Available here. (Select Tap-Windows-9.24.7 for your system.) If you want to set up the server on a Windows PC and use both TUN and TAP adapters, add two adapters after installing the driver. If you are already using OpenVPN and would like to use this server as well, add new adapters for it. In the server settings you can specify the TAP adapter index, starting with zero, or the name of the network connection. A simple way to get the index is to leave the connection name empty; the server will fill it in itself. To access the driver, the server MUST be started with administrator rights the first time. Perhaps this is a feature of the Tap-windows adapter, or of my test environment, or I did not understand something. A good way to configure the IP address when using TUN mode is an external .bat script; the server can start it automatically. In this script you can also change routing and other network parameters, such as DNS servers.
  • Scripts.
    The VPN server and client run scripts in three cases:
    • When the server initializes the TUN/TAP adapter. The arguments are: Interface_name IP_address Subnet_mask Gateway (here the gateway is the same as the IP).
    • When the client connects to the server and the connection is established. The arguments are: Interface_name Interface_name IP_address Net_mask Gateway DNS_servers IP_address_of_remote_vpn_server
    • When the client connection is closed. The arguments are: Interface_name Interface_name IP_address Remote_disconnected_vpn_server_IP_address
  • Authorized access.
    You can select the option that makes the HTTP TLS VPN server publicly accessible to anyone who knows the URL. Otherwise the server requires HTTP-style authentication: in the server settings add a user with "Proxy" (H) access, and in the client settings specify this user name and password. Do not rely on the URL staying secret; require authentication.
  • Security library.
    The external libraries seclib111 and seclibgnutls have been updated. Older versions will not work with the VPN because they lack the necessary functions. If you were using an older version of the server and want to use the VPN, please update the library.
  • Verifying the server certificate.
    If you want to enable server certificate verification, specify the directory with trusted certificates in the TLS/SSL parameters. You can put your remote server's certificate or root certificates there. If you are using OpenSSL, you will need to create hash links for your certificates. Run:
    openssl rehash -compat -v path_to_this_directory
    
    If you are using GnuTLS there are a few additional options, e.g. you can disable certificate time checking and enable SSH-style verification. In that case the host's certificate is accepted as valid the first time and its public key is stored for the host; on later connections the public key is verified against the stored one. This protects later connections but not the first one, so verify the stored key out of band after the first connection.
  • MTU
    In the Linux version you can specify the MTU for each interface. In the Windows version the same can be done with the external tools for "Network connection". It is probably best to choose an MTU smaller than your real MTU (typically 1500) to leave room for the headers (a 14-byte Ethernet header for TAP, the TLS header, and the 2 bytes the server adds to each packet), so that the link runs faster. But I think the best way is to set a large MTU, for example 9000 or even 15000. In this case TLS receives large packets and encrypts them, and on transmission the underlying TCP layer divides them into segments according to your real Ethernet MTU. On the other hand, when several clients are connected, a large MTU may give priority to the transfer of large files, to the detriment of clients that do not transfer large files.




    Conclusion

    Finally I want to pay my deepest respect to the GNU C++ compiler programmers. It was that compiler that compiled this program. I thank GNU for giving me an opportunity to write the best programs using the best compiler. You can visit GNU resources:
  • GNU -- GNU itself.


    M. Feoktistov

