initial commit

g3proxy/doc/configuration/servers/dummy_close.rst

@@ -0,0 +1,8 @@
+.. _configuration_server_dummy_close:
+
+dummy_close
+===========
+
+This is the dummy server designed to close all connections.
+
+There are no extra config keys for this kind of server.

g3proxy/doc/configuration/servers/http_proxy.rst

@@ -0,0 +1,250 @@
+.. _configuration_server_http_proxy:
+
+http_proxy
+==========
+
+This server provides http proxy, including http forward and http connect.
+
+The following common keys are supported:
+
+* :ref:`escaper <conf_server_common_escaper>`
+* :ref:`auditor <conf_server_common_auditor>`
+* :ref:`user_group <conf_server_common_user_group>`
+* :ref:`shared_logger <conf_server_common_shared_logger>`
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`tls_server <conf_server_common_tls_server>`
+* :ref:`tcp_sock_speed_limit <conf_server_common_tcp_sock_speed_limit>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`dst_host_filter_set <conf_server_common_dst_host_filter_set>`
+* :ref:`dst_port_filter <conf_server_common_dst_port_filter>`
+* :ref:`tcp_copy_buffer_size <conf_server_common_tcp_copy_buffer_size>`
+* :ref:`tcp_copy_yield_size <conf_server_common_tcp_copy_yield_size>`
+* :ref:`tcp_misc_opts <conf_server_common_tcp_misc_opts>`
+* :ref:`task_idle_check_duration <conf_server_common_task_idle_check_duration>`
+* :ref:`task_idle_max_count <conf_server_common_task_idle_max_count>`
+* :ref:`extra_metrics_tags <conf_server_common_extra_metrics_tags>`
+
+The auth scheme supported by the server is determined by the type of the specified user group.
+
++-------------+---------------------------+-------------------+
+|auth scheme  |user group type            |is supported       |
++=============+===========================+===================+
+|Basic        |hashed_user                |yes                |
++-------------+---------------------------+-------------------+
+|Negotiate    |gss_api                    |not yet            |
++-------------+---------------------------+-------------------+
+
+.. _config_server_http_proxy_server_id:
+
+server_id
+---------
+
+**optional**, **type**: :ref:`http server id <conf_value_http_server_id>`
+
+Set the server id. If set, the header *X-BD-Remote-Connection-Info* will be added to response.
+
+**default**: not set
+
+auth_realm
+----------
+
+**optional**, **type**: :ref:`ascii str <conf_value_ascii_str>`
+
+Set the auth realm.
+
+**default**: proxy
+
+tls_client
+----------
+
+**optional**, **type**: :ref:`openssl tls client config <conf_value_openssl_tls_client_config>`
+
+Set TLS client parameters for https forward requests.
+
+**default**: set with default value
+
+ftp_client
+----------
+
+**optional**, **type**: :ref:`ftp client config <conf_value_ftp_client_config>`
+
+Set the ftp client config for FTP over Http requests.
+
+**default**: set with default value
+
+req_header_recv_timeout
+-----------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the max time to wait a full request header after the client connection become readable.
+
+**default**: 30s
+
+rsp_header_recv_timeout
+-----------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the max time duration after the full request sent and before receive of the whole response header.
+
+**default**: 60s
+
+req_header_max_size
+-------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the max request header size.
+
+**default**: 64KiB
+
+rsp_header_max_size
+-------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the max response header size.
+
+**default**: 64KiB
+
+.. _config_server_http_proxy_log_uri_max_chars:
+
+log_uri_max_chars
+-----------------
+
+**optional**, **type**: usize
+
+Set the max number of characters of uri should be logged in logs.
+
+The user level config value will take effect if set, see this :ref:`user config option <config_user_log_uri_max_chars>`.
+
+**default**: 1024
+
+pipeline_size
+-------------
+
+**optional**, **type**: int
+
+Set the pipeline size for HTTP 1.0/1.1.
+
+**default**: 10
+
+.. note::
+
+  We only pipeline requests with no body.
+
+pipeline_read_idle_timeout
+--------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the idle timeout of the client side IDLE http connections.
+
+**default**: 5min
+
+no_early_error_reply
+--------------------
+
+**optional**, **type**: bool
+
+Set to true if no error reply should be sent out before user auth succeeded, the connection will be just closed
+in such case.
+
+**default**: false
+
+allow_custom_host
+-----------------
+
+**optional**, **type**: bool
+
+Set if custom *Host* header is allowed. If set to false, the *Host* header in http headers should have the same domain
+or ip address with the one in the request method line.
+
+**default**: true
+
+.. note:: we don't require the *Host* header to be present in http headers no matter what have been set for this
+
+body_line_max_length
+--------------------
+
+**optional**, **type**: int
+
+Set the max line length for lines (trailer and chunk size) in http body.
+
+**default**: 8192
+
+http_forward_upstream_keepalive
+-------------------------------
+
+**optional**, **type**: :ref:`http keepalive <conf_value_http_keepalive>`
+
+Set http keepalive config at server level.
+
+**default**: set with default value
+
+.. _config_server_http_proxy_http_forward_mark_upstream:
+
+http_forward_mark_upstream
+--------------------------
+
+**optional**, **type**: bool
+
+If set, the header *X-BD-Upstream-Id* header will be added to the response from upstream, with the value to be
+:ref:`server_id <config_server_http_proxy_server_id>`.
+Local generated response will not contains this header.
+
+**default**: false
+
+.. _config_server_http_proxy_echo_chained_info:
+
+echo_chained_info
+-----------------
+
+**optional**, **type**: bool
+
+Set whether to add custom header in response that provides chained information
+about the direct connection to upstream.
+
+The custom headers are:
+
+- X-BD-Upstream-Addr
+- X-BD-Outgoing-IP
+
+**default**: false
+
+untrusted_read_speed_limit
+--------------------------
+
+**optional**, **type**: :ref:`tcp socket speed limit <conf_value_tcp_sock_speed_limit>`
+
+Enable untrusted read of the body of requests with no auth info, and set the read rate limit.
+
+Set this if you need to be compatible with buggy java http clients which won't handle the 407 error response in time.
+
+**default**: not set, which means untrusted read is disabled, **alias**: untrusted_read_limit
+
+.. versionchanged:: 1.4.0 changed name to untrusted_read_speed_limit
+
+.. _config_server_http_proxy_egress_path_selection_header:
+
+egress_path_selection_header
+----------------------------
+
+**optional**, **type**: str, **alias**: path_selection_header
+
+Set the http custom header name to be used for path selection.
+
+**default**: not set
+
+.. _config_server_http_proxy_steal_forwarded_for:
+
+steal_forwarded_for
+-------------------
+
+**optional**, **type**: bool
+
+Set if we should delete the *Forwarded* and *X-Forwarded-For* headers from the client's request.
+
+**default**: false

g3proxy/doc/configuration/servers/http_rproxy.rst

@@ -0,0 +1,302 @@
+.. _configuration_server_http_rproxy:
+
+http_rproxy
+===========
+
+This server provides http reverse proxy.
+
+The following common keys are supported:
+
+* :ref:`escaper <conf_server_common_escaper>`
+* :ref:`auditor <conf_server_common_auditor>`
+* :ref:`user_group <conf_server_common_user_group>`
+* :ref:`shared_logger <conf_server_common_shared_logger>`
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`tcp_sock_speed_limit <conf_server_common_tcp_sock_speed_limit>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`tcp_copy_buffer_size <conf_server_common_tcp_copy_buffer_size>`
+* :ref:`tcp_copy_yield_size <conf_server_common_tcp_copy_yield_size>`
+* :ref:`tcp_misc_opts <conf_server_common_tcp_misc_opts>`
+* :ref:`task_idle_check_duration <conf_server_common_task_idle_check_duration>`
+* :ref:`task_idle_max_count <conf_server_common_task_idle_max_count>`
+* :ref:`extra_metrics_tags <conf_server_common_extra_metrics_tags>`
+
+The auth scheme supported by the server is determined by the type of the specified user group.
+
++-------------+---------------------------+-------------------+
+|auth scheme  |user group type            |is supported       |
++=============+===========================+===================+
+|Basic        |hashed_user                |yes                |
++-------------+---------------------------+-------------------+
+|Negotiate    |gss_api                    |not yet            |
++-------------+---------------------------+-------------------+
+
+.. _config_server_http_rproxy_server_id:
+
+server_id
+---------
+
+**optional**, **type**: :ref:`http server id <conf_value_http_server_id>`
+
+Set the server id. If set, the header *X-BD-Remote-Connection-Info* will be added to response.
+
+**default**: not set
+
+auth_realm
+----------
+
+**optional**, **type**: :ref:`ascii str <conf_value_ascii_str>`
+
+Set the auth realm.
+
+**default**: proxy
+
+req_header_recv_timeout
+-----------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the max time to wait a full request header after the client connection become readable.
+
+**default**: 30s
+
+rsp_header_recv_timeout
+-----------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the max time duration after the full request sent and before receive of the whole response header.
+
+**default**: 60s
+
+req_header_max_size
+-------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the max request header size.
+
+**default**: 64KiB
+
+rsp_header_max_size
+-------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the max response header size.
+
+**default**: 64KiB
+
+.. _config_server_http_rproxy_log_uri_max_chars:
+
+log_uri_max_chars
+-----------------
+
+**optional**, **type**: usize
+
+Set the max number of characters of uri should be logged in logs.
+
+The user level config value will take effect if set, see this :ref:`user config option <config_user_log_uri_max_chars>`.
+
+**default**: 1024
+
+pipeline_size
+-------------
+
+**optional**, **type**: int
+
+Set the pipeline size for HTTP 1.0/1.1.
+
+**default**: 10
+
+.. note::
+
+  We only pipeline requests with no body.
+
+pipeline_read_idle_timeout
+--------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the idle timeout of the client side IDLE http connections.
+
+**default**: 5min
+
+no_early_error_reply
+--------------------
+
+**optional**, **type**: bool
+
+Set to true if no error reply should be sent out before user auth succeeded, the connection will be just closed
+in such case.
+
+**default**: false
+
+body_line_max_length
+--------------------
+
+**optional**, **type**: int
+
+Set the max line length for lines (trailer and chunk size) in http body.
+
+**default**: 8192
+
+http_forward_upstream_keepalive
+-------------------------------
+
+**optional**, **type**: :ref:`http keepalive <conf_value_http_keepalive>`
+
+Set http keepalive config at server level.
+
+**default**: set with default value
+
+untrusted_read_speed_limit
+--------------------------
+
+**optional**, **type**: :ref:`tcp socket speed limit <conf_value_tcp_sock_speed_limit>`
+
+Enable untrusted read of the body of requests with no auth info, and set the read rate limit.
+
+Set this if you need to be compatible with buggy java http clients which won't handle the 407 error response in time.
+
+**default**: not set, which means untrusted read is disabled, **alias**: untrusted_read_limit
+
+.. versionchanged:: 1.4.0 changed name to untrusted_read_speed_limit
+
+append_forwarded_for
+--------------------
+
+**optional**, **type**: :ref:`http forwarded header type <conf_value_http_forwarded_header_type>`
+
+Set if we should append a corresponding forwarded header to the request send out to the next proxy.
+
+See :ref:`steal_forwarded_for <config_server_http_proxy_steal_forwarded_for>` config option in http_proxy for more info
+if you want to delete existing forwarded headers.
+
+See the doc of supported escapers for detailed protocol info.
+
+**default**: classic, which means *X-Forwarded-\** headers will be appended
+
+hosts
+-----
+
+**required**, **type**: :ref:`host matched object <conf_value_host_matched_object>` <:ref:`host <configuration_server_http_rproxy_host>`>
+
+Set the hosts we should handle based on host match rules.
+
+Example 1:
+
+.. code-block:: yaml
+
+  hosts:
+    services:
+      upstream: www.example.net
+
+Example 2:
+
+.. code-block:: yaml
+
+  hosts:
+    - exact_match:
+        - www.example.net
+        - example.net
+      services:
+        upstream: www.example.net
+    - child_match: example.org
+      set_default: true
+      services:
+        upstream: www.example.org
+
+**default**: not set
+
+.. _configuration_server_http_rproxy_host:
+
+Host
+^^^^
+
+This is the config for each local host on this server.
+
+services
+""""""""
+
+**required**, **type**: :ref:`uri path matched object <conf_value_uri_path_matched_object>` <:ref:`service <configuration_server_http_rproxy_service>`>
+
+Set the sites we should handle based on url path match rules.
+
+tls_server
+""""""""""
+
+**optional**, **type**: :ref:`rustls server config <conf_value_rustls_server_config>`
+
+Set TLS server config for this local site.
+
+If not set, the :ref:`global tls server <configuration_server_http_rproxy_global_tls_server>` config will be used.
+
+**default**: not set
+
+.. _configuration_server_http_rproxy_service:
+
+Service
+^^^^^^^
+
+This set the config for a upstream http service.
+
+upstream
+""""""""
+
+**required**, **type**: :ref:`upstream str <conf_value_upstream_str>`
+
+Set the target upstream address. The default port is 80 which can be omitted.
+
+tls_client
+""""""""""
+
+**optional**, **type**: :ref:`openssl tls client config <conf_value_openssl_tls_client_config>`
+
+Set TLS parameters for this local TLS client if https is needed.
+If set to empty map, a default config is used.
+
+**default**: not set
+
+tls_name
+""""""""
+
+**optional**, **type**: :ref:`tls name <conf_value_tls_name>`
+
+Set the tls server name to verify tls certificate of the upstream site.
+
+If not set, the host part of the upstream address will be used.
+
+**default**: not set
+
+enable_tls_server
+-----------------
+
+**optional**, **type**: bool
+
+Set whether tls is enabled for all local sites.
+
+Requests to local sites without valid tls server config will be dropped.
+
+**default**: false
+
+.. _configuration_server_http_rproxy_global_tls_server:
+
+global_tls_server
+-----------------
+
+**optional**, **type**: :ref:`rustls server config <conf_value_rustls_server_config>`
+
+Set global TLS server config on the server. This will be used if no tls server config set on the matched local site.
+
+**default**: not set
+
+client_hello_recv_timeout
+-------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the timeout value for the receive of the complete TLS ClientHello message.
+
+**default**: 1s

g3proxy/doc/configuration/servers/index.rst

@@ -0,0 +1,281 @@
+.. _configuration_server:
+
+******
+Server
+******
+
+The type for each server config is *map*, with two always required keys:
+
+* *name*, which specify the name of the escaper.
+* *type*, which specify the real type of the escaper, decides how to parse other keys.
+
+There are many types of server, each with a section below.
+
+Servers
+=======
+
+.. toctree::
+   :maxdepth: 2
+
+   dummy_close
+   tcp_stream
+   tls_stream
+   http_proxy
+   socks_proxy
+   http_rproxy
+   sni_proxy
+   plain_tcp_port
+   plain_tls_port
+   intelli_proxy
+
+Common Keys
+===========
+
+This section describes the common keys, they may be used by many escapers.
+
+.. _conf_server_common_escaper:
+
+escaper
+-------
+
+**required**, **type**: str
+
+Set the escaper to use with this server.
+
+If the specified escaper doesn't exist in configure, a default DummyDeny escaper will be used.
+
+.. _conf_server_common_auditor:
+
+auditor
+-------
+
+**optional**, **type**: str
+
+Set the auditor to use with this server.
+
+If the specified auditor doesn't exist in configure, a default auditor will be used.
+
+.. versionadded:: 1.7.0
+
+.. _conf_server_common_user_group:
+
+user_group
+----------
+
+**optional**, **type**: str
+
+Set the user group for auth.
+
+If the specified user group doesn't exist in configure, a default user group with no users will be used.
+
+**default**: no auth enabled
+
+.. _conf_server_common_shared_logger:
+
+shared_logger
+-------------
+
+**optional**, **type**: ascii
+
+Set the server to use a logger running on a shared thread.
+
+**default**: not set
+
+.. _conf_server_common_listen:
+
+listen
+------
+
+**required**, **type**: :ref:`tcp listen <conf_value_tcp_listen>`
+
+Set the listen config for this server.
+
+The instance count setting will be ignored if *listen_in_worker* is correctly enabled.
+
+.. _conf_server_common_listen_in_worker:
+
+listen_in_worker
+----------------
+
+**optional**, **type**: bool
+
+Set if we should listen in each worker runtime if you have worker enabled.
+
+The listen instance count will be the same with the worker number count.
+
+**default**: false
+
+.. versionadded:: 1.7.8
+
+.. _conf_server_common_tls_server:
+
+tls_server
+----------
+
+**optional**, **type**: :ref:`rustls server config <conf_value_rustls_server_config>`
+
+Enable TLS on the listening socket and set TLS parameters.
+
+**default**: disabled
+
+.. _conf_server_common_ingress_network_filter:
+
+ingress_network_filter
+----------------------
+
+**optional**, **type**: :ref:`ingress network acl rule <conf_value_ingress_network_acl_rule>`
+
+Set the network filter for clients.
+
+**default**: not set
+
+.. _conf_server_common_dst_host_filter_set:
+
+dst_host_filter_set
+-------------------
+
+**optional**, **type**: :ref:`dst host acl rule set <conf_value_dst_host_acl_rule_set>`
+
+Set the filter for dst host of each request.
+
+.. note:: This won't limit the Host header in http protocol.
+
+**default**: not set
+
+.. _conf_server_common_dst_port_filter:
+
+dst_port_filter
+---------------
+
+**optional**, **type**: :ref:`exact port acl rule <conf_value_exact_port_acl_rule>`
+
+Set the filter for dst port of each request.
+
+**default**: not set
+
+.. _conf_server_common_tcp_sock_speed_limit:
+
+tcp_sock_speed_limit
+--------------------
+
+**optional**, **type**: :ref:`tcp socket speed limit <conf_value_tcp_sock_speed_limit>`
+
+Set speed limit for each tcp socket.
+
+**default**: no limit, **alias**: tcp_conn_speed_limit | tcp_conn_limit
+
+.. versionchanged:: 1.4.0 changed name to tcp_sock_speed_limit
+
+.. _conf_server_common_udp_sock_speed_limit:
+
+udp_sock_speed_limit
+--------------------
+
+**optional**, **type**: :ref:`udp socket speed limit <conf_value_udp_sock_speed_limit>`
+
+Set speed limit for each udp socket.
+
+**default**: no limit, **alias**: udp_relay_speed_limit | udp_relay_limit
+
+.. versionchanged:: 1.4.0 changed name to udp_sock_speed_limit
+
+.. _conf_server_common_tcp_copy_buffer_size:
+
+tcp_copy_buffer_size
+--------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the buffer size for internal tcp copy.
+
+**default**: 16K, **minimal**: 4K
+
+.. _conf_server_common_tcp_copy_yield_size:
+
+tcp_copy_yield_size
+-------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the yield out size for the internal copy task.
+
+**default**: 1M, **minimal**: 256K
+
+.. _conf_server_common_udp_relay_packet_size:
+
+udp_relay_packet_size
+---------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the udp packet size for udp relay.
+
+**default**: 4K, **maximum**: 16K
+
+.. _conf_server_common_udp_relay_yield_size:
+
+udp_relay_yield_size
+--------------------
+
+**optional**, **type**: :ref:`humanize usize <conf_value_humanize_usize>`
+
+Set the yield out size for the internal relay task.
+
+**default**: 1M, **maximum**: 256K
+
+.. _conf_server_common_tcp_misc_opts:
+
+tcp_misc_opts
+-------------
+
+**optional**, **type**: :ref:`tcp misc sock opts <conf_value_tcp_misc_sock_opts>`
+
+Set misc tcp socket options on accepted tcp sockets.
+
+**default**: not set, nodelay is default enabled
+
+.. _conf_server_common_udp_misc_opts:
+
+udp_misc_opts
+-------------
+
+**optional**, **type**: :ref:`udp misc sock opts <conf_value_udp_misc_sock_opts>`
+
+Set misc udp socket options on created udp sockets.
+
+**default**: not set
+
+.. _conf_server_common_task_idle_check_duration:
+
+task_idle_check_duration
+------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the idle check duration for task.
+
+**default**: 5min, **max**: 30min
+
+.. _conf_server_common_task_idle_max_count:
+
+task_idle_max_count
+-------------------
+
+**optional**, **type**: i32
+
+The task will be closed if the idle check return IDLE the times as this value.
+
+.. note:: The value set at user side will overwrite this.
+
+**default**: 1
+
+.. _conf_server_common_extra_metrics_tags:
+
+extra_metrics_tags
+------------------
+
+**optional**, **type**: :ref:`static metrics tags <conf_value_static_metrics_tags>`
+
+Set extra metrics tags that should be added to server stats and user stats already with server tags added.
+
+**default**: not set

g3proxy/doc/configuration/servers/intelli_proxy.rst

@@ -0,0 +1,59 @@
+.. _configuration_server_intelli_proxy:
+
+intelli_proxy
+=============
+
+Intelligent Proxy port, it will do protocol detection and then send to other servers if detected.
+
+The following common keys are supported:
+
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+
+http_server
+-----------
+
+**required**, **type**: str
+
+Set name of the next http_proxy server to send the accepted connections to.
+
+socks_server
+------------
+
+**required**, **type**: str
+
+Set name of the next socks_proxy server to send the accepted connections to.
+
+protocol_detection_channel_size
+-------------------------------
+
+**optional**, **type**: usize
+
+The connection will be send to a task channel after it's protocol is detected. This config option set the channel size.
+
+If the channel is full, the connection will be closed silently.
+
+**default**: 4096
+
+protocol_detection_timeout
+--------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the timeout duration that we wait to check the protocol of each connection.
+
+If timeout, the connection will be closed silently.
+
+**default**: 4s
+
+protocol_detection_max_jobs
+---------------------------
+
+**optional**, **type**: usize
+
+Set the limit of protocol detection jobs.
+
+If the limit is reached, the connection will be closed silently.
+
+**default**: 4096

g3proxy/doc/configuration/servers/plain_tcp_port.rst

@@ -0,0 +1,21 @@
+.. _configuration_server_plain_tcp_port:
+
+plain_tcp_port
+==============
+
+This server provides plain tcp port, which can be placed in front of other servers.
+
+The following common keys are supported:
+
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+
+server
+------
+
+**required**, **type**: str
+
+Set name of the next server to send the accepted connections to.
+
+The next server should be able to accept tcp connections.

g3proxy/doc/configuration/servers/plain_tls_port.rst

@@ -0,0 +1,24 @@
+.. _configuration_server_plain_tls_port:
+
+plain_tls_port
+==============
+
+This server provides plain tls port, which can be placed in front of other servers.
+
+The following common keys are supported:
+
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`tls_server <conf_server_common_tls_server>`
+
+  This is required for this server.
+
+server
+------
+
+**required**, **type**: str
+
+Set name of the next server to send the accepted connections to.
+
+The next server should be able to accept tls connections.

g3proxy/doc/configuration/servers/sni_proxy.rst

@@ -0,0 +1,125 @@
+.. _configuration_server_sni_proxy:
+
+sni_proxy
+=========
+
+A tcp forward proxy server based on TLS SNI / HTTP Host.
+
+The following common keys are supported:
+
+* :ref:`escaper <conf_server_common_escaper>`
+* :ref:`auditor <conf_server_common_auditor>`
+* :ref:`shared_logger <conf_server_common_shared_logger>`
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`tcp_sock_speed_limit <conf_server_common_tcp_sock_speed_limit>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`tcp_copy_buffer_size <conf_server_common_tcp_copy_buffer_size>`
+* :ref:`tcp_copy_yield_size <conf_server_common_tcp_copy_yield_size>`
+* :ref:`tcp_misc_opts <conf_server_common_tcp_misc_opts>`
+* :ref:`task_idle_check_duration <conf_server_common_task_idle_check_duration>`
+* :ref:`task_idle_max_count <conf_server_common_task_idle_max_count>`
+* :ref:`extra_metrics_tags <conf_server_common_extra_metrics_tags>`
+
+request_wait_timeout
+--------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the timeout value for the wait of initial client data.
+
+**default**: 60s
+
+request_recv_timeout
+--------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the timeout value for the receive of the complete initial request after the arriving of initial data,
+which may be a TLS ClientHello message or a HTTP Request.
+
+**default**: 4s
+
+protocol_inspection
+-------------------
+
+**optional**, **type**: :ref:`protocol inspection <conf_value_dpi_protocol_inspection>`
+
+Set basic config for protocol inspection.
+
+**default**: set with default value
+
+.. versionadded:: 1.7.0
+
+server_tcp_portmap
+------------------
+
+**optional**, **type**: :ref:`server tcp portmap <conf_value_dpi_server_tcp_portmap>`
+
+Set the portmap for protocol inspection based on server side tcp port.
+
+**default**: set with default value
+
+.. versionadded:: 1.7.0
+
+client_tcp_portmap
+------------------
+
+**optional**, **type**: :ref:`client tcp portmap <conf_value_dpi_client_tcp_portmap>`
+
+Set the portmap for protocol inspection based on client side tcp port.
+
+**default**: set with default value
+
+.. versionadded:: 1.7.0
+
+allowed_hosts
+-------------
+
+**optional**, **type**: :ref:`host matched object <conf_value_host_matched_object>` <:ref:`host <configuration_server_sni_proxy_host>`>
+
+Set the list of hosts we should handle based on host match rules.
+
+If not set, all requests will be handled.
+
+Example:
+
+.. code-block:: yaml
+
+  hosts:
+    - exact_match:
+        - www.example.net
+        - example.net
+      redirect_host: www.example.net:443 # all redirect to www.example.net:*
+    - child_match: example.org # pass all *.example.org:*
+
+**default**: not set
+
+.. versionadded:: 1.1.1
+
+.. _configuration_server_sni_proxy_host:
+
+Host
+^^^^
+
+.. versionadded:: 1.1.1
+
+This set the config for a SNI host.
+
+redirect_host
+"""""""""""""
+
+**optional**, **type**: :ref:`host <conf_value_host>`
+
+Change the host field of the upstream address.
+
+**default**: not set
+
+redirect_port
+"""""""""""""
+
+**optional**, **type**: u16
+
+Change the port field of the upstream address.
+
+**default**: not set

g3proxy/doc/configuration/servers/socks_proxy.rst

@@ -0,0 +1,120 @@
+.. _configuration_server_socks_proxy:
+
+socks_proxy
+===========
+
+This server provides socks proxy, which support tcp connect and udp associate.
+
+The following common keys are supported:
+
+* :ref:`escaper <conf_server_common_escaper>`
+* :ref:`auditor <conf_server_common_auditor>`
+* :ref:`user_group <conf_server_common_user_group>`
+* :ref:`shared_logger <conf_server_common_shared_logger>`
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`tcp_sock_speed_limit <conf_server_common_tcp_sock_speed_limit>`
+* :ref:`udp_sock_speed_limit <conf_server_common_udp_sock_speed_limit>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`dst_host_filter_set <conf_server_common_dst_host_filter_set>`
+* :ref:`dst_port_filter <conf_server_common_dst_port_filter>`
+* :ref:`tcp_copy_buffer_size <conf_server_common_tcp_copy_buffer_size>`
+* :ref:`tcp_copy_yield_size <conf_server_common_tcp_copy_yield_size>`
+* :ref:`udp_relay_packet_size <conf_server_common_udp_relay_packet_size>`
+* :ref:`udp_relay_yield_size <conf_server_common_udp_relay_yield_size>`
+* :ref:`tcp_misc_opts <conf_server_common_tcp_misc_opts>`
+* :ref:`udp_misc_opts <conf_server_common_udp_misc_opts>`
+* :ref:`task_idle_check_duration <conf_server_common_task_idle_check_duration>`
+* :ref:`task_idle_max_count <conf_server_common_task_idle_max_count>`
+* :ref:`extra_metrics_tags <conf_server_common_extra_metrics_tags>`
+
+The auth type supported by the server is determined by the type of the specified user group.
+
++-------------+---------------------------+-------------------+
+|auth scheme  |user group type            |is supported       |
++=============+===========================+===================+
+|user         |hashed_user                |yes                |
++-------------+---------------------------+-------------------+
+|gssapi       |gss_api                    |not yet            |
++-------------+---------------------------+-------------------+
+
+use_udp_associate
+-----------------
+
+**optional**, **type**: bool, **alias**: enable_udp_associate
+
+Set whether we should use udp associate instead of udp connect.
+
+**default**: false
+
+negotiation_timeout
+-------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the max time duration for negotiation, before we start to handle the real socks commands.
+
+**default**: 4s
+
+udp_client_initial_timeout
+--------------------------
+
+**optional**, **type**: :ref:`humanize duration <conf_value_humanize_duration>`
+
+Set the max time duration to wait before the first udp packet after we send back the udp port info.
+
+**default**: 30s
+
+udp_bind_ipv4
+-------------
+
+**optional**, **type**: :ref:`list <conf_value_list>` of :ref:`ipv4 addr str <conf_value_ipv4_addr_str>`
+
+Set the ipv4 addresses for udp associate local binding to socks client.
+If not set, the server ip for the tcp connection will be used when setup the udp listen socket.
+
+If set, the tcp connect can be in ipv6 address family.
+
+**default**: not set
+
+udp_bind_ipv6
+-------------
+
+**optional**, **type**: :ref:`list <conf_value_list>` of :ref:`ipv6 addr str <conf_value_ipv6_addr_str>`
+
+Set the ipv6 addresses for udp associate local binding to socks client.
+If not set, the server ip for the tcp connection will be used when setup the udp listen socket.
+
+If set, the tcp connect can be in ipv4 address family.
+
+**default**: not set
+
+udp_bind_port_range
+-------------------
+
+**optional**, **type**: :ref:`port range <conf_value_port_range>`
+
+Set the UDP port-range for udp associate local binding to socks client.
+If not set, the port will be selected by the OS.
+
+udp_socket_buffer
+-----------------
+
+**optional**, **type**: :ref:`socket buffer config <conf_value_socket_buffer_config>`
+
+Set the buffer config for the udp socket.
+
+.. note:: The buffer size of the socket at escaper side will also be set.
+
+**default**: not set
+
+auto_reply_local_ip_map
+-----------------------
+
+**optional**, **type**: map
+
+Set this if you want to reply another ip other then the real bind ip for the udp listen socket to the client.
+
+The key of the map should be the local ip, and the value should be the ip you want the client to use.
+
+**default**: not set

g3proxy/doc/configuration/servers/tcp_stream.rst

@@ -0,0 +1,70 @@
+.. _configuration_server_tcp_stream:
+
+tcp_stream
+==========
+
+A simple tcp stream server. Map local tcp port to remote tcp port.
+
+The following common keys are supported:
+
+* :ref:`escaper <conf_server_common_escaper>`
+* :ref:`auditor <conf_server_common_auditor>`
+* :ref:`shared_logger <conf_server_common_shared_logger>`
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`tcp_sock_speed_limit <conf_server_common_tcp_sock_speed_limit>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`tcp_copy_buffer_size <conf_server_common_tcp_copy_buffer_size>`
+* :ref:`tcp_copy_yield_size <conf_server_common_tcp_copy_yield_size>`
+* :ref:`tcp_misc_opts <conf_server_common_tcp_misc_opts>`
+* :ref:`task_idle_check_duration <conf_server_common_task_idle_check_duration>`
+* :ref:`task_idle_max_count <conf_server_common_task_idle_max_count>`
+* :ref:`extra_metrics_tags <conf_server_common_extra_metrics_tags>`
+
+upstream
+--------
+
+**required**, **type**: :ref:`upstream str <conf_value_upstream_str>` | seq
+
+Set the remote address(es) and port. The *port* field is always required.
+
+For *seq* value, each of its element must be :ref:`weighted upstream addr <conf_value_weighted_upstream_addr>`.
+
+**alias**: proxy_pass
+
+.. versionchanged:: 1.5.3 Allow set multiple upstream addresses.
+
+upstream_pick_policy
+----------------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select upstream address.
+
+The key for rendezvous/jump hash is *<client-ip>*.
+
+**default**: random
+
+.. versionadded:: 1.5.3
+
+tls_client
+----------
+
+**optional**, **type**: bool | :ref:`openssl tls client config <conf_value_openssl_tls_client_config>`
+
+Set if we should do tls handshake with upstream.
+
+**default**: disabled
+
+upstream_tls_name
+-----------------
+
+**optional**, **type**: :ref:`tls name <conf_value_tls_name>`
+
+Set an explicit tls server name to do upstream tls certificate verification.
+
+If not set, the host of upstream address will be used.
+
+.. note:: IP address is not supported by now
+
+**default**: not set

g3proxy/doc/configuration/servers/tls_stream.rst

@@ -0,0 +1,74 @@
+.. _configuration_server_tls_stream:
+
+tls_stream
+==========
+
+A simple tls stream server. Add tls layer to remote tcp port.
+
+The following common keys are supported:
+
+* :ref:`escaper <conf_server_common_escaper>`
+* :ref:`auditor <conf_server_common_auditor>`
+* :ref:`shared_logger <conf_server_common_shared_logger>`
+* :ref:`listen <conf_server_common_listen>`
+* :ref:`listen_in_worker <conf_server_common_listen_in_worker>`
+* :ref:`tls_server <conf_server_common_tls_server>`
+
+  This is **required**.
+
+* :ref:`tcp_sock_speed_limit <conf_server_common_tcp_sock_speed_limit>`
+* :ref:`ingress_network_filter <conf_server_common_ingress_network_filter>`
+* :ref:`tcp_copy_buffer_size <conf_server_common_tcp_copy_buffer_size>`
+* :ref:`tcp_copy_yield_size <conf_server_common_tcp_copy_yield_size>`
+* :ref:`tcp_misc_opts <conf_server_common_tcp_misc_opts>`
+* :ref:`task_idle_check_duration <conf_server_common_task_idle_check_duration>`
+* :ref:`task_idle_max_count <conf_server_common_task_idle_max_count>`
+* :ref:`extra_metrics_tags <conf_server_common_extra_metrics_tags>`
+
+upstream
+--------
+
+**required**, **type**: :ref:`upstream str <conf_value_upstream_str>` | seq
+
+Set the remote address(es) and port. The *port* field is always required.
+
+For *seq* value, each of its element must be :ref:`weighted upstream addr <conf_value_weighted_upstream_addr>`.
+
+**alias**: proxy_pass
+
+.. versionchanged:: 1.5.3 Allow set multiple upstream addresses.
+
+upstream_pick_policy
+----------------------
+
+**optional**, **type**: :ref:`selective pick policy <conf_value_selective_pick_policy>`
+
+Set the policy to select upstream address.
+
+The key for rendezvous/jump hash is *<client-ip>*.
+
+**default**: random
+
+.. versionadded:: 1.5.3
+
+tls_client
+----------
+
+**optional**, **type**: bool | :ref:`openssl tls client config <conf_value_openssl_tls_client_config>`
+
+Set if we should do tls handshake with upstream.
+
+**default**: disabled
+
+upstream_tls_name
+-----------------
+
+**optional**, **type**: :ref:`tls name <conf_value_tls_name>`
+
+Set an explicit tls server name to do upstream tls certificate verification.
+
+If not set, the host of upstream address will be used.
+
+.. note:: IP address is not supported by now
+
+**default**: not set