Home

Forum

License

FAQ

Donation

Small HTTP server

(Description for Windows version)

What's this?
License.
Capabilities
How to...?
Directories and files names
Options and command line parameters
Allowed and denied IP ranges.
Limits.
Running scripts
Server Side Includes (SSI)
Regular expressions
Countries features
Internet Server Applications (ISAPI)
Proxy server
DNS server
SMTP server
POP3 server & proxy
FTP server & proxy
TLS/SSL server
HTTP TLS VPN server and client
Conclusion.

If server works it's available:

Setting / Current state
Users & Virtual Hosts
Current statistics
Online: What's new?
(Last version, Forum, etc.)
Download Web Mail
An external script gives Web intrface for working with mail
Download Sendmail emulator

Donation

Contacts:

What's this?

This very small utility turns your computer into a fully functional Web-server, Mail server, DNS server, FTP server, DHCP server and HTTPS VPN server. The program itself requires a minimal set of system resources, so the server's functioning doesn't influence your computer's performance. This server can function under a LAN networking or even under a Dial-Up networking. Webmasters can run this utility on their local computers and debug their CGI-scripts without going on-line.

This is probably the smallest HTTP server, but you shouldn't underestimate its capabilities.

Capabilities.

GET,POST,HEAD methods support (HTTP/1.0 - 1.1)
Multitasking. -- simultaneous data transfer and requests reception from several remote users with a delay depending on the channel's quality.
High performance. The server transfers data without any delay.
CGI-scripts and FastCGI available:
- PE *.exe Windows format.
- MZ *.exe DOS format.
- *.com DOS format.
- perl-scripts (with an external perl-interpreter).
- phtml-pages (with an external PHP-interpreter).
- applets of Windows associated file types.
Server Side Includes (SSI).
Internet Server Applications ISAPI).
Dynamical output of information about requests. The 16 Kb cache is provided for the log. After its overflow earlier data are replaced by newer ones. The "save" option writes every 4 Kb of the protocol on your hard disk.
Requests control protects your information.

Also:
Mail
- POP3 server.
- SMTP server.
- Anti-spam filters. Good, bad, and gray lists common and personal for each user.
- Forwarding and possibilities to execute scripts for income messages.
- Execute external anti-virus
FTP server
- Virtual directories for FTP
- FTP proxy.
HTTP proxy server
- HTTP, FTP, HTTPS request supported
- Store lot of traffic, fast access.
- Internal continues downloading when connection broken.
- Server can request compressed and unpack reply on fly (with an external Zlib library)
DNS server
- Option for dinamicaly check a serverice on remote host and if the service down, change one IP address to other.
- Reqursion from root DNS or from DNS of provider. Caching.
- Option for autoreply to request to resolve IPv6 name. (for networks that don't use Internet through IPv6).
- DNSBL server (work with SMTP)
- DNS over HTTP(S) aka DoH (RFC8484)
DHCP server
Full detail statistics. Include statiscs by countries!
Web and local administration
IPv6 support
SSL/TLS support with an external library.
GZip compression support with an external Zlib library.
HTTP TLS VPN server and client.

Compactness is one of the greatest features of this product. Its functioning doesn't obstruct your work. This server uses a minimal set of system resources necessary for a quick data transfer.

Contents

How to...?

Well, it is fairly easy - setup it by running shttp3.exe. Select target folder, check "Update entry in main menu", enter user name and password for administration. Press "Install." After installation, run "Small HTTP server", double click on the window, then, in Setttings, you may enable Web administration and then go to Setting / Current state to option your server.
You can go to your web server from local PC use http://127.0.0.1/. If you don't have DNS name, that's not a big problem. Any user can go to your web site by entering your IP address. You can also add your site to search engines applying the IP address as the URL.

Directories and files names.

The server works with certain directories and files names. Your site is supposed to be in the directory specified during settings (WWW by default). The files that contents CGI identefer in pathname are files to run. By default CGI identefer is \cgi-bin\, when server receives a request for file in CGI-BIN directory, it tries to execute it. If the requested file ends in .pl, the PERL interpreter is called. If the requested file ends in .phtml, .pht, .php, the PHP interpreter runs this file. For example, if you installed the server in c:\http, then files in c:\http\www can be accessed, i.e. a user types http://Your_IP_address_here/test.html, he or she will see c:\http\www\test.html file. CGI scripts are in c:\http\www\CGI-BIN. If you create IMAGES sub-folder in WWW folder and put bgr.gif there, it can be accessed by http://Your_IP_address/IMAGES/bgr.gif. Anyway, if the file name is not specified, i.e. the request ends in '/', the server will show the default file which name was specified either during setting. For instance, http://127.0.0.1/My/ is equal to http://127.0.0.1/My/index.htm. Server can support many virtual hosts. Each virtual host has its own root directory, and also can include virtual directories common for all.

ASIS files also support. Those files content HTTP header in the beginning. Such files are being used for redirect inbound request to other site. This file must begins with keyword "Status: " after this returning code and your header is going. After header one line is empty, and data. Extension must be .asi or .asis

Contents

Options and command line parameters.

You can option server via dialog box "Settings..", via Web interface if remote administration is enabled, or you can manual edit http.cfg or just add parameters to command line. In many case you don't need to change settings manually but if you really want to, you can do with next keys.

Parametr and comment	Key
General Setting
Disable icon in notification area. Don't add icon into systrey (server's window always in back). In this case to get access to administration dialog box you must: To get server window you can press Ctrl-Alt-Del to open task manager, in task manager select HTTP, and try to kill it. Server will ask you "Do you want to close HTTP server?", -- If you reply "No" server show window. In server window's select system menu (Right button on title) and select advanced item "Server" Also if server is runed as NT service you may open server's window by Pause/Continue button in Service Control Manatger.	noicon
Minimize on startup.	hide
Create detailed log for POP/SMTP/FTP. (By default only basic events are added to the log).	detail
Disable saving log.	nolog
Log filename.	log=name.log
Create a daily log (new log created after each day).It's necessary to get statistics for a day. Server will every day rename old log file (add date to name). It's necessary to get statistics for a day.	logday
Separate log for each server	seplog
Don't out error stream (STDERR) from CGI scripts to remote users	noerrout
Dublicate CGI stderr to http.err log	dupstderr
Add to log debug info from logical expresion in SSI and Antivirus/Forward files	dbgle
Enable remote administration. Otherwise, only statistics will be available for administrators.	radmin
Number of simultaneous requests from each host. You can restrict number of simulate request from the same host. Usually one browser creates four simulate connections. Some browsers try to create much more simulate connections. This restriction includes all TCP connections (HTTP,FTP,POP,SMTP,Proxy)	from_same_host=##
No restrict the number of simultaneous connections from each host	nofrom_same_host
Minimum connection speed to detect a DoS attack over a large number of slow connections. (KBytes/minute). Zero to disable checking.	dos_protect_speed=value
Don't trim log lines	nolimitlog
Limit the length of the log lines The length of each line should not exceed this value	limitlog=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	ip_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ip_deny={#.#.#.#[-#.#.#.#],}
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	ip6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ip6_deny=value
Don't save uncrypted passwords in config file	cryptpwd
Remove passwords from the log	delpwd
Save passwords as MD5 Digest (RFC2069/RFC2617)	md5pwd
Realm - string for MD5 Digest (RFC2069/RFC2617)	md5realm=path
Using MD5 Digest for authorization if posible (RFC2069/RFC2617)	md5digest
Using paranoidal variant of MD5 Digest for authorization if posible (RFC2617 qop=auth)	md5paranoidal
IPs from that can administrate this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	adm_range=value
Deny IPs from that can't administrate this server. Separe single IP by comma and IP ranges with hyphens.	adm_deny=value
IPv6 IPs from that can administrate this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	adm6_range=value
IPv6 Deny IPs from that can't administrate this server. Separe single IP by comma and IP ranges with hyphens.	adm6_deny=value
Enable 2 point in filenames (may be dangerous)	twopoint
HTTP server
Disable HTTP server.	nomax
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	http_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	http_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	http6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	http6_deny=value
Bind to all addapters	nohttp_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	http_bind=value
Also work through IPv6	httpipv6
Don't restrict speed of outgoing transfer	nohttp_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	http_speed=value
How many another connections must have activity, to check on speed limitation	http_spdusr=value
PHP. Specify location of "php-cgi.exe" or "phpisapi.dll"	php=path
Run PHP as FastCGI.	fcgi_php
FastCGI ident. The part of a URL that indicates a FastCGI script. Default is ".fcgi"	fcgi_ident=value
Use this group id, to detect FastCGI. Direct 0 to disable using group id.	fcgi_gid=value
Use UNIX socket for FastCGI. Otherwise used localhost TCP socket	fcgi_unix
Directory to create FastCGI UNIX sockets. May be /tmp, /var/tmp, /dev/shm, ...	fcgi_upath=path
Disable share dir.	noshare
Do not show directory listing	nooutdir
Don't break CGI, when connection closed	nbrkcgi
Advanced code for control header.	header=value
Use 'chunked' transfer for SSI.	ssi_chunk
Disable multi stream download for one file.	nomsd
Use gzip packing, if posible.	http_gzip
DLL library ZLib.	gz_lib=path
Pack if size of file great then	gz_low=value
Don't pack files with next sufixes	nogz_ext=value
IP database file for countries features.	ip_base=path
Add REMOTE_COUNTRY variable to CGI/SSI enviroment.	ip_cntr
Enable return country info for '/$_ip2country_$?ip=x.x.x.x' request	ip2cntr_srv
$_ip2country_$ service for authorized users only	ip2cntr_aut
Enable DNS over HTTP(S).	http_doh
No limitation for HTTP	nohttp_ltime
Time per that will calculating limits (in seconds)	http_ltime=value
Limit per IP (Kb)	http_ip_limit=value
Limit per network (Kb)	http_net_limit=value
Total limit for server (Kb)	http_limit=value
Timeout, before resend request again. In milliseconds	dnstimeout=value
TCP/IP port for HTTP server. Usually it's 80	port=##
Number of HTTP requests working simultaneous. Approcsimately 20Kb of memory is reserved for each thread. Usually 12 connections are enought for 3-8 visitors per minute.	max=##
Limit on the number of idle keep-alive connections waiting	keep_alive_max=value
Timeout in seconds for idle keep-alive connection	keep_alive_timeout=value
Check live in seconds for idle keep-alive connection. 0 - use system default. (Supported from Linux 2.4, from Windows 10 v1709)	keep_alive_idle=value
Default file name. Name when requested URL finished by "/". (Wildcards are accepted, such as index.* to allow any index file in folder)	def=name.ext
Error file. Full path to file or script that will be returned if requested file is not found. For CGI or SSI PATH_INFO variable will contents the name of requested file.	error=path\name.ext
Default web foulder.	dir=root_dir_name
CGI ident.The part of a URL that indicates a CGI script. Default is "\cgi-bin\", but you could use e.g. "\cgi-", "\local-bin\", ".cgi", etc.	cgi_ident="\cgi-bin\"
PERL interpreter. Interpreter for scripts with .pl extension	perl=path\name.exe
Share dir. If you want this dir to be CGI current dir always, direct it here. Otherwise CGI current dir will be CGI script dir.	share=path
*Enable Server Side Includes (SSI) checking in HTML files. By default SSI checking in .sht,.sml,.asp files only. Warning: SSI processing uses more memory, and and creates a small delay**	ssihtm
Key to check SSI in .sht,.sml,.asp* files only.	nossihtm
Limit bytes received by POST method to. Note: Large value may use excessive PC and network resources.	post_limit=##
Never execute .htm,.gif,.jpg files. Otherwise, server trays to run any file with CGI ident.	norunhtm
Limit CGI execution time. (in seconds)	cgi_timeout=##
CGI interpreters Application or DLL which runs when specific CGI-file is requested. E.g. for .sh -- d:\gnu\bin\bash.exe, for .cgi -- d:\perl\perlis.dll. *ext=".ext;application;.ext;application;..."*
Mime types Define extended mime type for extension. E.g. for .bmp mime type may be image/bitmap *mime=".ext1;mime-type1;.ext2;mime-type2;...;.extN;mime-typeN"*
Virtual hosts and virtual directory Web root dir for specific hostname. You may add many hosts with its own folder. You may add many virtual /directory/ common for all hosts. " The name of virtual directory is to be between two forward-slash (/). *hostpath="hostname;path"* Key may be repeated more then once.
Proxy server
Disable HTTP proxy.	noproxy
TCP/IP port for proxy server.	proxy=#port
Number of proxy requests working simultaneous.	proxy_max=#max
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	proxy_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	proxy_deny={#.#.#.#[-#.#.#.#],}
Do not save proxy cache to hard disk.	noproxy_dir
Proxy cache directory.	proxy_dir=path
For how many days files will be saved. Proxy can delete downloaded files from cache proxy directory after several days of last download. In any case, if user press "Reload" button files download again.	proxy_time=#days
Ignore NO-CACHE in control headers of the pages. HTTP protocol has an opportunity to disable caching for page. Often site holders use this option to calculate the number of vistors. In any case, if user press "Reload" button files download again.	ignocache
Proxy for avtorized users only. Proxy will be available for defined users with proxy access flag only	proxyusers
Disable Proxy server.	noproxy_max
Bind to all addapters	noproxy_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	proxy_bind=value
Also work through IPv6	proxyipv6
Don't save big files. Limit (bytes)	proxy_fsize=value
Calculate days from last access. (Otherwise from the day of download)	proxy_laccess
Don't cache page if request content cookies.	proxy_hrd
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	proxy6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	proxy6_deny=value
Don't restrict speed of outgoing transfer	noproxy_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	proxy_speed=value
How many another connections must have activity, to check on speed limitation	proxy_spdusr=value
Large mode. Useful to hold a lot of data traffic.	proxy_big
Super large mode. New mode to minimize time for search when to many files stored.	proxy_sbig
Number of tries to resume download file after error	proxy_tryes=value
Limit for simultaneous requests from the same host to the same URL. Zero for unlimited.	proxy_same=value
Do not use higher level proxy server.	noupproxy
Higher level proxy server.	upproxy=value
TCP/IP port on up level proxy server.	upproxy_port=value
Higher level proxy server does not require authorization.	noup_user
Higher level proxy user:pasword	up_user=value
For POP3/SMTP/FTP proxy connect through HTTPS higher level proxy.	ever_upproxy
No use higher level proxy for next hosts.	nouphosts=value
Disabled hosts	bad_hosts=value
Proxy session timeout (in second).	proxy_timeout=value
Request gziped, and self unpack if browser don't support it. (Direct where is Zlib in HTTP part of options)	proxy_gzip
Don't use antivirus	noproxy_antivirus
Antivirus host (127.0.0.1 for local)	proxy_antivirus=path
Antivirus port	proxy_avport=value
Check HTML files. (Otherwise proxy will check application only)	proxy_avhtml
Check all files. (Otherwise proxy will check application only)	proxy_avall
No limitation for proxy	noproxy_ltime
Time per that will calculating limits (in seconds)	proxy_ltime=value
Limit per IP (Kb)	proxy_ip_limit=value
Limit per network (Kb)	proxy_net_limit=value
Total limit for server (Kb)	proxy_limit=value
DNS server
Hosts file. See also format of this file	hosts=hosts_file
Disable DNS server.	nohosts
Bind to all addapters for DNS	nodns_bind
IPs and IPv6 to bind for DNS, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	dns_bind=value
Also work through IPv6 for DNS	dnsipv6
Enable DNS over TCP.	dnstcp
IPv6 IPs that can access this DNS server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	dns6_range=value
IPv6 Deny IPs that can't access this DNS server. Separe single IP by comma and IP ranges with hyphens.	dns6_deny=value
Don't save DNS cache on exit.	nodnscachefile
DNS cache file name.	dnscachefile=path
Don't try to recursive find AAAA records. (for networks that don't use Internet through IPv6)	dnsno6
Disable build in DNSBL server	nodns_bld
Host name of build in DNSBL server	dns_bld=value
Detect DoS request. Number of DoS-like requests to block IP	dns_detect_dos=value
A space-separated list of bad hostnames. DoS detection names	dns_dos_hosts=value
Disable recursion.	noreqursion
Recursion call to higher level servers only.	dnsupl
Return mailhost as host name, if MX record is not found.	dnsmx
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	dns_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	dns_deny={#.#.#.#[-#.#.#.#],}
FTP server
Disable FTP server.	noftp_max
Bind to all addapters for FTP	noftp_bind
IPs and IPv6 to bind for FTP, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	ftp_bind=value
Also work through IPv6	ftpipv6
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	ftp_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ftp_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	ftp6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ftp6_deny=value
Don't restrict speed of outgoing transfer	noftp_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	ftp_speed=value
How many another connections must have activity, to check on speed limitation	ftp_spdusr=value
Use any free system provided port for a passive data connection	noftp_pasvp
First FTP port for passive data connection. (Range of used ports will be from and including this port depending on the number of simultanious FTP connections)	ftp_pasvp=value
Disable multi stream for one IP	ftp_oone
Convert names with space.	ftp_wospace
Don't use upload directory.	noftp_upload
Enable FTP PORT command to the client's host only. FTP to FTP mode may not work.	ftp_same
Enable FTP proxy.	ftp_proxy
No limitation for FTP in	noftpi_ltime
Time per that will calculating limits (in seconds)	ftpi_ltime=value
Limit per IP (Kb)	ftpi_ip_limit=value
Limit per network (Kb)	ftpi_net_limit=value
Total limit for server (Kb)	ftpi_limit=value
No limitation for FTP out	noftpo_ltime
Time per that will calculating limits (in seconds)	ftpo_ltime=value
Limit per IP (Kb)	ftpo_ip_limit=value
Limit per network (Kb)	ftpo_net_limit=value
Total limit for server (Kb)	ftpo_limit=value
Always ask for a password, even for users without a password	ftp_always_pass
Number of simultaneous requests.	ftp_max=max
TCP/IP port for FTP server. Usually it is 21	ftp_port=port
User session timeout. (in second) Connection will close, if user is idle for this time.	ftp_timeout=#N
Name of upload subdirectory.If FTP directory contents this subdirectory, users with \"read only\" access can still upload files here. E.g. /pub/"	ftp_upload="/dir/"
Enable virtual directories for FTP.	ftp_vdirs
POP3 server setting
Disable POP3 server.	nopop3_max
POP3/SMTP session timeout. (in second). Connection will close, if user is idle for this time.	pop_timeout=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	pop_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	pop_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	pop6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	pop6_deny=value
Bind to all addapters	nopop_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	pop_bind=value
Also work through IPv6	popipv6
Don't restrict speed of outgoing transfer	nopop_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	pop_speed=value
How many another connections must have activity, to check on speed limitation	pop_spdusr=value
Enable POP3 proxy	pop3_proxy
Enable Web mail	wmail
Don't save messages sent throught Web mail in user's folder	nowmailsent
Subfolder to save sent messages	wmailsent=value
Delete messages throught Web mail immediately	nowmailtrash
Trash folder to move deleted messages	wmailtrash=value
Convert pages to UTF-8	wmail_utf
Number of simultaneous requests.	pop3_max=max
TCP/IP port for POP3 server. Usually it is 110	pop_port=port
SMTP server setting
Disable SMTP server.	nosmtp_max
Bind to all addapters	nosmtp_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	smtp_bind=value
Also work through IPv6	smtpipv6
If mailhost of receptor absent, try host	smtp_nomx
It is normal SMTP relay. (Otherwise it is only SMTP proxy)	nosmtpproxy
Higher level SMTP. (SMTP proxy mode)	smtpproxy=value
Do not save sent messages.	nosmtp_sent
For how many days sent messages will be saved. (Zero for keep ever)	sent_time=value
IPv6 Us IP ranges (allowed list) E.g. ::1,FE80::-FEFF::	smtp6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	smtp6_deny=value
Temporary add IP to allowed list after POP3 authorization	smtp_pop_ip
Limit message size. (in bytes).	smtp_msg_limit=value
Don't break connection, when overflow size limit	smtp_nobreak
Enable Generate-Delivery-Report	smtp_conform
Goodlist. Common file with alowed source e-mails, IPs, hosts paterns	goodlist=path
Badlist. Common file with bad source e-mails, IPs, hosts paterns	badlist=path
Graylist. Common file with source e-mails, IPs, hosts paterns that required addvansed checking	graylist=path
Check "goodlist", "badlist" and "graylist" files in user's home directory before receive message	chklists
Text that will be retrived in case when message declined. There you also may direct URL to Web form to direct send message	msgspam=value
Do not use script for incomming/outgoing mail	noantivirus
Antivirus script	antivirus=path
Limit of time for script execution. (in seconds)	run_timeout=value
Break filter (expresion). Variables $msg,$sender,$hello,$control may be checked to stop reciving large message.	antispam=value
Spam filter (expresion). Variables $msg,$sender,$hello,$control may be checked to add IP to spamer's list.	spamfltr=value
Accept messages with wrong return path	nocheckback
Fake e-mail addresses, through coma. If somebody try to send message to these addresses it will be added to spamer's list	fake=value
DNSBL servers. Ask these external spamers list, about remote IP, before receive mail. (May be more then one server through space)	dnsbl=value
Check mailhost of sender (DNS MX record) before receive mail	checkmx
Ignore graylist if message incomme from source mailhost (DNS MX)	mxignbl
How long spamers IPs will active in spamer's list (in seconds)	spam_time=value
No limitation for SMTP	nosmtp_ltime
Time per that will calculating limits (in seconds)	smtp_ltime=value
Limit per IP (Kb)	smtp_ip_limit=value
Limit per network (Kb)	smtp_net_limit=value
Total limit for server (Kb)	smtp_limit=value
No limitation for alowed IPs	nolimitus
Enable receive from foregein IP messages from us domain	uncheckip
Minimal timeout betwen sending messages	time_btw=value
Number of simultaneous requests.	smtp_max=max
SMTP server name. (Domain name)	smtp_name=your.domain.name
Use all virtual hosts as alias domain name.	vhalias
TCP/IP port for SMTP server. Usually it's 25	smtp_port=port
Output path. Directory to store messages before sending	smtp_out=path
Sent path. Directory to store sent messages	smtp_sent=path
Error path. Directory to store messages, on failed send	smtp_err=path
DNS server to get mail routing info. (May be your default DNS server)	smtp_dns=#.#.#.#
Alow any "From" field. Otherwise server will send message from user_name@your.domain.name only	smtp_any
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	smtp_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	smtp_deny={#.#.#.#[-#.#.#.#],}
Blacklist of E-mail addresses of spamers. Separate addreses by space. Use *@host to block receiving from any address of this host)	*blacklist="u@adr1 @adr2 ..."**
Use instructions from the "forward" file in a user's directory.	forward
Alow execution of applications from user's "forward" file.	fwdrun
Use TLS when sending outgoing message if possible	smtptls
Always use TLS when sending outgoing messages; if not possible, don't send	smtponlytls
Verify the remote certificate signature. (Verfy methods the same as directed in VPN client settings)	smtpchktls
DHTP server setting
Disable DHCP	nodhcp_max
Total IPs avilable to allocate	dhcp_max=value
IP address of DHCP server	dhcp_ip=value
LAN broadcast address for DHCP reply	dhcp_bcast=value
First IPs for allocate	dhcp_first=value
Netmask	dhcp_mask=value
Gateway	dhcp_gate=value
DNS servers	dhcp_dns=value
Domain name	dhcp_name=value
File to save state	dhcp_file=path
DNS should resolve hostnames for IPs that was allocated	dhcp_rdns
Listen only, to store info from another servers for DNS. (never response)	dhcp_lo
TLS/SSL server setting
Disable TLS/SSL server	notls_max
Number of simultaneous requests.	tls_max=value
TCP/IP port for TLS/SSL server. Usually it's 443	tls_port=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	ssl_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ssl_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	ssl6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ssl6_deny=value
Bind to all addapters	notls_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	tls_bind=value
Also work through IPv6	tlsipv6
Don't restrict speed of outgoing transfer	notls_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	tls_speed=value
How many another connections must have activity, to check on speed limitation	tls_spdusr=value
Enable TLS for POP3/SMTP	smtp_tls
Enable TLS for FTP	ftp_tls
DLL library with TLS/SSL. E.g. libsec111.dll	tls_lib=path
Certificate file	tls_cert_file=path
Key file	tls_key_file=path
CA-Path	tls_capath=path
CA-file	tls_cafile=path
Sets priorities for the ciphers, key exchange methods, and macs For GNU TLS and for OpenSSL, the string format is different. For OpenSSL, you can see the format of this line here in the CIPHER LIST FORMAT section. The default is the following line: "TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_AES_256_GCM_SHA384: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:ALL:!DES:!3DES:!RC2" For GnuTLS, see the string format here	tls_priority=value
Remote administration through sequre HTTPS only	admtls
Web mail through sequre HTTPS only	tls_wmail
HTTP TLS VPN server setting
Disable TLS VPN	notlsvpn
Maximum number of TLS VPN connections working simultaneous.	tlsvpn_max=value
TLS VPN URL name (direct only local part of URL e.g. "/$_vpn_$"). HTTPS requests to this URL will be redirected to VPN	vpn_url=value
Enable TLS VPN on Tun device	vpntun
Enable TLS VPN on Tap device	vpntap
Tun device number	vpn_tun_number=value
Tap device number	vpn_tap_number=value
TLS VPN MTU for tun.	vpn_tun_mtu=value
TLS VPN MTU for tap.	vpn_tap_mtu=value
Tun device pathname	tundev=value
Public access without password. (Otherwise only users with Proxy access can use this service)	vpnpub
Set Tun interface IP address	tun_ip=value
Set Tun interface netmask	tun_nmask=value
Set Tap interface IP address	tap_ip=value
Set Tap interface netmask	tap_nmask=value
Run init script for Tun device	tun_script_up=path
Run init script for Tap device	tap_script_up=path
First IP address to allocate for remote client that connected to Tun. (Optional)	tun_remote_ip=value
Total IP addresses to allocate for remote client that connected to Tun. (Optional. Set to 0 to use external DHCP server, or another methods)	tun_remote_max=value
DNS servers that will be offered to the TUN client.	tun_remote_dns=value
First IP address to allocate for remote client that connected to Tap. (Optional)	tap_remote_ip=value
Total IP addresses to allocate for remote client that connected to Tap. (Optional. Set to 0 to use external DHCP server, or another methods)	tap_remote_max=value
DNS servers that will be offered to the TAP client. (Optional)	tap_remote_dns=value
HTTP TLS VPN client setting
Enable to connect to TLS VPN remote host	vpnclient
Host to connect to remote TLS VPN server	vpn_remote_host=value
TLS VPN remote port. (Usually 443)	vpn_client_port=value
TLS VPN URL name (direct only local part of URL e.g. "/$_vpn_$"). Must be the same as directed on the remote server	vpn_client_url=value
TLS VPN User name	vpn_remote_user=value
TLS VPN Password	vpn_remote_passw=value
VPN client to Tap. (Otherwise Tun)	vpncln_tap
TLS VPN client Tun/Tap device number	vpn_tuntap_number=value
TLS VPN MTU for client.	vpn_client_mtu=value
Set client VPN interface IP address	tuntap_ip=value
Set client VPN interface netmask	tuntap_nmask=value
Run init script when VPN connection estabilished	vpncln_script_up=path
Run deinit script when VPN connection closed	vpncln_script_down=path
Validate remote TLS sertificate, check host name	vpncln_chktls
Don't check remote sertificate time. Ignore expired. (GNUTLS only)	vpncln_tlsigntime
Accept self signed sertificate. (GNUTLS only)	vpncln_tlsssign
SSH style of sertificate validate. (GNUTLS only. Public keys of new untracted remote will be stored in ~/.gnutls/known_hosts)	vpncln_tlssshstyle
Users To give FTP, Mail, Administration access you must add users. *user="name;password;home_dir;type_of_access_flags"* Key may be repeated more then once. type_of_access_flags -- It's sequence of next symbol: F -- FTP access -- user can read files from his home directory and any subdirectory via FTP. W -- FTP write access -- user can upload files to his home directory via FTP. N -- Disable upload files via cgi-ident in path. S -- SMTP. User can send messages via SMTP from user_name@your.domain.name P -- POP3. User will have mailbox. All messages to user_name@your.domain.name will stored in home/mbox directory and available via POP3. A -- This is administrator. -- He has full access to administration's pages, can add users, change access rights etc... H -- Proxy. Access to proxy. For FTP access you can add anonymous user without password In this case just skip password. E.g.: user=anonymous;;c:\public;FWN user=ftp;;c:\readonly;F

Please note that there shouldn't be spaces before and after "=". If a parameter you are entering contains spaces make sure that you put them in quotes. Here is an example of a correct command line:
http.exe port=1080 def=index.html php="C:\PROGRAM FILES\PHP\php.exe" nolog Here is an example of configuration file: log=C:\TEMP\http.log perl=C:\PERL\BIN\perlis.dll # supported !!! max=12 def=index.stm @www.cfg # include other configuration file hostpath=www.name.www;C:\www1 hostpath=max.name.www;C:\www2 # End of file

Contents

Allowed and denied IP ranges.

For each service you may direct allowed and denied IP addresses. Also present common allowed and denied ranges of IP to blocking or enable access to all TCP services, and ranges that define IPs from where Web administration available. Addresses directed through coma. You might direct one address or range. Example: 127.0.0.1,192.168.0.1-192.168.0.255

HTTP,FTP,POP3,Proxy will receive request from IPs that include in allowed list and exclude denied list.

SMTP will receive the message for own domain (incoming for own users) from any addresses, exclude denied. The messages to send outside, it will get from allowed IPs only If you don't want get any messages from some IP -- just add it to denied list.

DNS server also retrieve local records to anybody, but recursion searching it do for IPs from allowed list only.

Contents

Limits.

You may direct limits for exchange for HTTP,Proxy,SMTP,FTP. For it, in the settings direct time for that will present limit and values for IP, network of this IP, and total limit for the service. Get attention, that when limit will over the exchange will not be break until full file will not be transfer. When limit overflow next calls for the time calculated from overflow value will be failed.

Contents

Running scripts.

Requested files that contents CGI identefer in pathname will be executed. If option "Run 'system' files" selected then files with attribute 'system' will be executed too. CGI/1.1 standards are supported, for reference please consult http://Web.Golux.Com/coar/cgi/. When running a script, request line parameters are transferred both in command line and in QUERY_STRING environment variable. The script transfers data directly to the client that requested it. A script should output Content-Type: type\r\n or Location: url. There could be some auxiliary lines like Content-Length: xx\r\n or Date:. These data end in \r\n\r\n. If you use C or Perl please note that in text mode output functions automatically transform \n to \r\n. Pascal writeln function also completes output with these symbols. (\r = [CR] = 0x0D; \n = [LF] = 0x0A )

Contents.

Server Side Includes (SSI)

SSI can greatly increase your capabilities allowing you to dynamically insert results of CGI scripts in any place of a document being shown to the user.

When a remote client requests a *.sht, *.shtm or *.shtml file, server returns it evaluating SSI tags which are contained there.

SSI tags have the following format:


HTTP or request form variables can be put into the "value" field. Variable name starts with $ and can be later put in braces {} if you wish to concatenate the variable value with subsequent text (excepting spaces). For instance , $USER_AGENT contains browser type, and if you want to concatenate it with "_12345", use "${USER_AGENT}_12345". When using symbols like $, \, " make sure you place \ before them: $ - \$, \ - \\, " - \" etc. If a variable can't be evaluated, it replaced with the "undefined" value.

Current server version supports the following tags:

include


Both variants include the content of file_name in the document. In first case it looks for the document from the web root directory, in the second case you can define a path for the document. If the requested document content cgi_ident in path, the server runs the file. If the file_name contains the "?" symbol, the string after it is transmitted as a request with parameters which should be processed by your script.

exec


Runs the script like with "include" tag, from /cgi_ident/ subdirectory

fsize & lastmod








Shows file size and last modified date. Size can be rounded up to Kilobytes or Megabytes.
Date can by formated as you like. Next format keys are defined:

Key	Description	Range
d	Day of the month, 2 digits with leading zeros	01 to 31
j	Day of the month without leading zeros	1 to 31
m	Numeric representation of a month, with leading zeros	01 through 12
n	Numeric representation of a month, without leading zeros	1 through 12
Y	A full numeric representation of a year, 4 digits	1970 through 9999
y	A two digit representation of a year	00 through 99
a	Lowercase Ante meridiem and Post meridiem	am or pm
A	Uppercase Ante meridiem and Post meridiem	AM or PM
g	12-hour format of an hour without leading zeros	0 through 12
G	24-hour format of an hour without leading zeros	0 through 23
h	12-hour format of an hour with leading zeros	01 through 12
H	24-hour format of an hour with leading zeros	00 through 23
i	Minutes with leading zeros	00 to 59
s	Seconds with leading zeros	00 through 59

echo

Prints variable value.

printenv

Outputs the values of all variables.

break

Breaks procession of the document.

if -- elif -- else -- endif

text

text

text
...

text


The text will be either shown or not depending on the outcomes of specified conditions. The conditions can consist of variables and values as well as different logical operators between them:

! -- "Not"
= or == -- "Equal to"
!= -- "Not equal to"
<,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to".
~ -- "Part of..." str1 ~ str2 -- the result is true, if the string str2 is the part of string str1
str1 =~ /pattern/ig -- pattern it is Regular expressions like Unix. The result is be true, if in the string str1 has been found substring equal by pattern.
&& --"AND"
|| --"OR"

elif and else operators can be omitted, elif can be repeated as many times as you need. It's necessary to put the endif tag at the end of your statements.

set

Sets or changes the value of the variable. Although, try not to use this feature too often because the number of variables and memory allocated for them is somewhat restricted.

Contents

Regular Expressions

To checking incomming variables finding by pattern avilable. Pattern is regular expressions, with syntax accepted in Unix. Regular expressions it is substring to find. Into this substring also may be present metacharacters,quantifiers and variables. The following metacharacters understen:

^ -- begin of line.

. -- any char except new line.

\ -- if next character is metacharacter it undesten as just character. E.g. "\." is just point. Also known the following sequensies:

\n -- new line
\r -- return
\t -- tab
\\ -- \ - slash
\x## -- hex code of char.
\o### or \0### -- octal code of char.
\### -- decimal code of char.

[] -- in square bracket may be directed avilable or unavilable values for next char: If first char in the bracket is '^', this mean char may be any except other chars directed in bracket. Otherwise the char may be only one char from the bracket. '-' inside bracket mean all chars from preveous of '-' to char after '-'. The char '\' inside bracket also changed interpretation of next char. Examples:

[0-9] -- mean all diget.
[a-zA-Z] -- mean all letter.
[^@$\-\n\o008\x01] -- mean any char exept @,$,-,new line, and chars with codes 8 and 1.

() -- prescribe to save substring by pattern inside bracket for using in futures. The founded substring will be avilable as variables from $1 to $9. The last result also avilable as $+ . The string before last result avilable as $` . The string after last result avilable as $'

| -- or.
After metachar may be present quantifier:

* -- repeat 0 or more times.

+ -- repeat 1 or more times.

? -- may be absent

{n} -- repeat 0 or more times.

{n,} -- repeat n or more times.

{n,m} -- repeat at least n but not more then m times. After any quantifier may by following modifer '?' to lessen pattern distribution up to first posible coincidence. An example when finding in string '123abcdefff567'

with pattern /([a-z]*)/ $1 will be "abcdefff"
with pattern /([a-z]*)f/ $1 will be "abcdeff"
with pattern /([a-z]*?)f/ $1 will be "abcde"

At end of patern, after last slash, may be flowing various modifiers. Nov the program understan next various modifiers:

i -- case-insensitive pattern

v -- force disable to clear the list of variables ($1 - $9). Without this modifier the program will clear the list in new logical expressions, when the first regular expressions into this logical will begin checking.

c -- force clear the list of variables ($1 - $9) before begin. In one logical expressions may be more then one regular expressions. By default all of them use the same list of variables, and e.g. if first expression filled $1 and $2, the second may fill only from $3 If you use this modifer expressions will fill variables begin from $1 independency of result of preveuse part of logical expression.

Also next function available:

exist(filename) - returns 1 if file exist, otherwise 0.

fsize(filename) - returns size of the file.

ftime(filename) - returns time of last modification of the file in seconds from 01.01.1971.

fmode(filename) - returns access mode of the file.

Contents

Countries features

The program can show statistic by countries and server may add REMOTE_COUNTRY variably with country name to SSI/CGI enviroment. IP-contry database need for these features. Download and unzip it. Then in server's options direct where is it. Fast search will not delay SSI and CGI execution. The program does not garanted valid country detection for evry time, but in many cases it will be. For IP addresses that absent in the database the server show "unknown" instead country name.
Also, if enabled in the settings, /$_ip2country_$ and /$_ip2country_$?l=h http queries returns the user's country.
This request maintains an 'l=' variable, that may be 'h' - for html reply, 'j' - for javascript reply, and any other value for just text reply.
You can include Javascript variation as <script src=/$_ip2country_$?l=j > in your web pages to use the country name in your scripts. The answer will be in the following format:

var county_code="CC",country="Country name",country_ip="127.0.0.1";

Contents

Internet Server Applications (ISAPI)

It is alternative to Common Gateway Interface Executable Files. The server will identify a file with a .DLL extension as a script to execute. For every client request, the HttpExtensionProc entry point is called. My realization of this interface have next features:

If HttpExtensionProc return 4 (HSE_STATUS_ERROR) or great then DLL will be unload.

When script call WriteClient the dwHttpStatusCode must content valid value or begins with HTTP/ and contents full HTTP reply.

The absentce of GetExtensionVersion is not an error.

Contents

Proxy

If hard disk cache enabled server will store all incomming files except authorized pages. Server can delete downloaded files from cache proxy directory after several days of last download. You may chouse save downloaded data for long time, and in this case you will have lot of files, and quantity will be grow, and grow, and grow... Some file's systems slowly working when too much of files in directory. For this case use large mode, -- the server create 64 subdirectories and will save the files there. See also command line keys descriptions

Contents

DNS server

This version content DNS server. To run you must specify hosts file. File has format on the one hand compatible with system hosts file and on the other hand may be alike with master file format recomended by RFC 1035. For compatible with system hosts file, each lines may content IP address and name of the host. Comments begin with symbol '#'. Domain name in this file could begin from '*.' to descript all subdomain. Example:

# Here is an example of hosts file for local network.

192.168.1.21 www.max.local
192.168.1.21 max.local
192.168.1.20 *.max.local
192.168.1.22 www.boss.local
192.168.1.23 serg.local
192.168.1.26 www.serg.local
192.168.1.24 *.andy.local
192.168.1.25 *.mary.local
# etc ...

# To create your own dialup network add last record:
192.168.1.21 * # -- Redirect all unknown incoming request to 192.168.1.21

# end of hosts file

Also each line may content domain-name and RR description and comment may begin with ';' Next lines are supported:
$ORIGIN <domain-name>
$TTL <validate-time> -- a 32 bit unsigned integer that specifies the time interval (in seconds) that the resource record may be cached before it should be discarded.
$SLAVE <domain-name> <ip-address-of-master> [<filename>] -- Work as slave DNS server for this domain. Download full domain from master
$IF_DOWN <host:port> <interval> Old.IP=New.IP -- By this option server will try to connect to the host:port for time interval (in seconds), and if fail in each record with Old.IP it will replasing to New.IP.
[<domain-name>] <blank> [<TTL>] IN <type> <RDATA>
For domain description unlike RFC recomendation you must direct full <domain-name> ('@' dosen't interpretate, last point may be skipped or present it's the same). You may skip <domain-name> in this case preveus name will be used. Unlike RFC recomendation you must direct class "IN" for each line with RR format. <type> may be:

A <IP-address> - a host IPv4 address

AAAA <IPv6-address> - a host IPv6 address

NS <full-name> - an authoritative name server

CNAME <full-name> - the canonical name for an alias. The 'A' record for original name MUST present in this file.

SOA <full-name> <e-mail by owner> (<SERIAL>,<REFRESH>,<RETRY>,<EXPIRE>,<MINIMUM>) - marks the start of a zone of authority

MX <preference> <full-name> - mail exchange. <preference> is numbre from 1 to 255. Lower values are preferred.

PTR <full-name> - a name. Host at left side must be #.#.#.#.in-addr.arpa

TXT text

SPF text

CAA 0 [issue|issuewild] server

TLSA usage selector matching_type data ^{* See more in TLS caption.}

TYPEnumber \\# length hex hex hex... - for new, unknow types.
Other types are ignored.
Also for PTR requests, if PTR record not found, RDATA for reply server gives from first 'A' record with such IP, or from lines compatible with system hosts file. For each type of record domain-name may begin from wildcard '*.' to descrpibe all sub domains. Server supports '*' type of request to return all about domain. For domain with wildcard reply also will content wildcard. For other types of request reply will be without wildcard.

Server may support reqursion call. To release resolving for any domain you MUST direct NS record for root servers. If you check "Recursion call to up level servers only" you must direct DNS server of your provider, instead root servers, and program will call only to these servers. Otherwise, server will call to different zone servers. Example:

# Here is an example of hosts file for export domain to Internet,
# and resolve other names.

; First, lines holds the information on root name servers needed to
; initialize cache of Internet domain name servers

.                  IN  NS a.root-servers.net
a.root-servers.net IN  A  198.41.0.4
.                  IN  NS b.root-servers.net
b.root-servers.net IN  A  128.9.0.107
.                  IN  NS c.root-servers.net
c.root-servers.net IN  A  192.33.4.12
.                  IN  NS d.root-servers.net
d.root-servers.net IN  A  128.8.10.90
.                  IN  NS e.root-servers.net
e.root-servers.net IN  A  192.203.230.10
.                  IN  NS f.root-servers.net
f.root-servers.net IN  A  192.5.5.241
.                  IN  NS g.root-servers.net
g.root-servers.net IN  A  192.112.36.4
.                  IN  NS h.root-servers.net
h.root-servers.net IN  A  128.63.2.53

; Now declare our domain

$TTL 86400  ;TTL - 24 hours

somedomain.net IN SOA  somedomain.net max@somedomain.net (
 2002120602 ; Serial
 36000      ; Refresh
 3000       ; Retry
 36000000   ; Expire
 36000      ; Minimum
 )
  IN NS   ns.somedomain.net
  IN NS   ns2.somedomain.net
  IN MX 1 relay1.somedomain.net
  IN MX 2 relay2.somedomain.net
  IN A 192.168.12.1

ns.somedomain.net     IN A 192.168.12.1
ns2.somedomain.net    IN A 192.168.12.2
relay1.somedomain.net IN A 192.168.12.1
relay2.somedomain.net IN A 192.168.12.2

pc2.somedomain.net    IN A 192.168.12.2
  IN NS   ns2.somedomain.net
  IN MX 1 relay1.somedomain.net

*.somedomain.net      IN A 192.168.12.1
  IN NS   ns.somedomain.net
  IN NS   ns2.somedomain.net
  IN MX 1 relay1.somedomain.net
  IN MX 2 relay2.somedomain.net


; also this file may contents lines in next format:
192.168.12.1 www.max.local
192.168.12.2 max.local
192.168.12.1 *.max.local

$SLAVE domain2.name 192.168.12.8 domain2.name.txt
$IF_DOWN 192.168.12.2:80 300 192.168.12.2=192.168.12.1


# end of hosts file

SMTP server

SMTP server can:

Receive messages for defined users. Target address must be user_name@your.domain.name This messages store in user's home\mbox directory and it's available via POP3.

Receive messages from defined users for anybody. Source address must be user_name@your.domain.name You can enable to receive messages from anybody to anyone, and you can restrict remote IP range, for which this type of messages is enable. To get mail routing info, SMTP server asks DNS server. You must direct DNS IP in options.

You may add some spamers addresses into blacklist. Messages from these addresses will be never received. Also server can support common and personal badlist, goodlist, graylist files. The names of common lists you may direct in options. Also in options you may enable check personal files named "badlist", "graylist" and "goodlist" in user's home directories. Each line of these file may be:

E-mail address or any part of address.
IP address or part of IP address.
? Logical expresion where you may do action with $sender, $hello, $control variables.
- $sender -- return address
- $hello -- self identification from remote server.
- $control -- full identification line in flowing format:
  "From sender (remote_hello [IP]) date and time For receptors\r\n"
?? List of DNSBL servers

Example:

# Begin of file
@yahoo
4.79.181.
67.28.113.
one@address.com
lotto
? $sender == spamer@address
? ! $hello =~ /.+\.[a-z]{2,4}/
? $control =~ /\[64.156.215.*\]/
# End of file

You may enable server to check user's "forward" files, to redirect or percolate messages.
File named "forward" could be placed into user's home directory. When option is enable server parses each line of this file and understands next instruction:

#if expression -- next lines will be checked if expression is true

#elif expression -- if previous condition is false then next lines will be checked if expression is true

#else -- next lines will be checked if previous condition is false

#endif -- end of conditions block

#mv where -- move message

#cp where -- copy message

#rm -- remove message

# anything -- comment

!d:\path\application {params} -- execute "d:\path\application {params} users_home\mbox\name.msg". If executing is enable in options only. Also posible to direct variable ($variable_name) in command line, but in this case:

-- "users_home\mbox\name.msg" will not be added automaticaly. You may use variable $msgfile to insert name of message file.
-- the string consider to be interpretable, the slash '\' understud as begin of escape sequence, replase it to two slash. ("\\")

to1@host1 {toN@hostN} -- redirect message to this addresses.
The conditions can consist of variables ($size_kb -- size of message in KB;
$in_text(text to find) -- is true if the text was found in the message;
$text -- full text with head;
$body -- message body;
$errorlevel -- the value returned by last external script or zero if no successful runs before) and values as well as different logical operators between them:
! -- "Not"
= or == -- "Equal to"
!= -- "Not equal to"
<,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to".
is the part of string str1
&& --"AND"
|| --"OR"

str1 =~ /pattern/ig -- pattern it is Regular expressions like Unix. The result is be true, if in the string str1 has been found substring equal by pattern.
Space and back-slash (' \') at end of line mean continues current command at next line.
Example:

# Here is the example of forward file.

#if  $text =~ /\nFrom: .*?boss@address/i
!d:\perl\bin\perl.exe check.pl
#endif

#if $in_text(100% FREE)
#mv c:\probably\spam
#elif $size_kb<=20 && ! ( $text =~ /^From: .*?([^< ]+?@[^> \r\n]+).*/i && ($1 == my@private.address || $1 == boss@address ) || $in_text(do not redirect) )
#cp c:\probably\importan
my_home@address my_seccond_address@yahoo.com
#else
!d:\perl\bin\perl.exe autoreply.pl $msgfile $1
#endif

# End of forward file

Antivirus script have same format as forward file, but unlike forward file it checking before sending each message. Example:

# Here is the example of antivirus file.

#if  $text =~ /Content-Transfer-Encoding: ["`]?base64[\001-\xFF]*?\n\r?\nTVqQAAMA/

#if  $text =~ /name=.*\.pif/
#mv c:\probably\virus
#else
!c:\DrWeb\drwebcl.exe /GO /TM- /WA- /TB- /ML
#endif

#elif $body =~ /<script language=/ && $body =~ /<!DOCTYPE HTML/
#mv c:\probably\spam
#endif

# End of file

Break-filter destined to break receiving long size spam messages.
Break-filter it is logical expression that may do checking after server will receive first 8Kb of the message. If the result of this expression is true, the continues of the message will not be next received, to the "Subject" header's field will be added "[SPAM]", combination of "sender+IP address+server's hello+receptions" will be placed to the temporary bad list, and next tries to send the same messages will be stopped before begin of data transfer.
Inside expression next variables may be used:

$msg -- first 8Kb of the message

$sender -- return address

$hello -- self identification from remote server.

$control -- full identification line in flowing format:
"From sender (remote_hello [IP]) date and time For receptors\r\n"
You may include the same actions as in '#if' operator: ||,&&,<,>,>=,<=,==,!=,=~
The example:

 (! ( $msg =~ /^From:[^\n\r]*<([^>\n\r]+)>/i ||
      $msg =~ /^From:[ \t]*([^\n\r]+)/          )
 )
 || $1 != $sender
 || $msg =~ /^Subject:[^\n\r]*New site|You are win/i
 || $msg =~ /to|for[ \r\n\t]+unsubscribe[ \r\n\t]+[ \r\n\t]+press|go|open|reply|do not/i

In this example: first four lines check does field 'From' is present in the message, and get address from this field, and this address must be the same as sender address (return path); Next line search in the field Subject "New site" or "You are win"; and last line try to detect some strings like "To unsubscribe do something..."
If any of these condition will be true the message will be detect as spam. See also command line keys descriptions

POP3 server & proxy

POP3 server provide access to incomming mail. If POP3 proxy is enabled then users may option their E-mail client's program to get mail from another remote POP3 through this POP3. For it, user option in client's program must be: local_user@remote_user@remote_host
Password must be: local_password@remote_password
Or @remote_password part may be added to user option. Anywhere instead '@' may be used '#'.

FTP server & proxy

FTP server provide access to home directories of users and if option "Enable virtual directories for FTP" is selected then provide access to private virtual directories. Public virtual directories are unavilable through FTP.
If FTP proxy is enabled then users may option their FTP client's program to work with remote FTP through this FTP. For it, user option in client's program must be: local_user@remote_user@remote_host
Password must be: local_password@remote_password
Or @remote_password part may be added to user option. Anywhere instead '@' may be used '#'.
Some FTP clients (e.g. FTP plugin for Far manager) support alike type of FTP proxy. In this cliens you may option firewall setting to your_host:FTP_port, and dirrect FTP URL like this: ftp://local_user#remote_user:local_password#remote_password@ftp_host/

TLS/SSL server

The server doesn't content real buildin TLS/SSL cryptographic functions, but includes interface to connect external TLS/SSL library. You may connect OpenSSL or GNU TLS to the server. Foe Windows version simple DLL based on OpenSSL 3.2.0 avilable here: libsec320.zip (OpenSSL included)
DLL based on GnuTLS avilable here: seclibgnutls.zip (GNU TLS required)
For this functions required sertificate.
Easy and free way to get it, is generate self signed sertificate e.g. with help OpenSSL:


openssl genrsa 2048 > ks.key
openssl req -x509 -new -key ks.key -days 3650 > ks.pem

ks.pem -- is result file that may be used as "Certificate file"
ks.key -- is result file that may be used as "Key file"
Self-signed certificate will not provide the security guarantees. An attacker on intermediate routers can include a bidirectional proxy in your connection, put his certificate in place of yours, and the browser will not be able to recognize that it is not your certificate.
Some browsers or TLS clients may support the DANE (RFC6698) method for certificate validation. For this method, you need to add specific DNS records for your domain. The format of this entry is:
_port._base_protocol.host.name IN TLSA usage selector matching_type data

usage for self signed this domain certificate must be 3.

selector may be:

0 -- Full certificate: the Certificate binary structure as defined in RFC5280

1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined in RFC5280

matching_type may be:

0 -- Exact match on selected content

1 -- SHA-256 hash of selected content RFC6234

2 -- SHA-512 hash of selected content RFC6234

data can be generated with help openssl and sha256sum:
Selector=0 (full certificate)

openssl x509 -in ks.pem -outform der | sha256sum

Selector=1 (subject public key)

openssl x509 -in ks.pem -pubkey -noout | openssl rsa -pubin -outform der | sha256sum

Examples of TLSA DNS records:

_443._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
_443._tcp.www.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
_25._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
_110._tcp.smallsrv.com. IN TLSA ( 3 1 1 5bdd89111e62a72c946d47a91e7a17aec3102d41a2523e04b510a83cebffdf1a )

HTTP TLS VPN server and client

Now this program can create a VPN channel inside an HTTPS connection.

How does it work?
On the host where the HTTP server is used, you can enable the VPN server in the settings. On other hosts you can install the program and enable the VPN client (only the VPN client is possible). Clients access the server using the HTTPS protocol, request a URL like this: https://hostname.etc/$_vpn_$/. You can choose any URL name by which the server will determine that this is a VPN request. When the HTTP server detects a VPN request, it passes the connection to the built-in VPN server.

TAP and TUN
The server supports both VPN types, and both VPNs can run simultaneously, but each type must be on its own subnet. The client can choose only one type, TUN or TAP, and it reports the required type to the server when connecting.
What is the difference? On a TAP connection, each packet also includes a 14-byte Ethernet header. This gives some advanced features, e.g. The TAP interface can be included in the bridge, and any type of packet can be broadcast through TAP. The TUN connection only supports IPv4 and IPv6 packets.

Link between clients
In this version, the server does not filter anything. Communication between clients will work and may be filtered by an external firewall.

Link to Linux and Windows
Linux and Windows VPN use the same protocols and can be connected to each other.

Tap driver for Windows.
Windows does not have a built-in TUN/TAP driver. This means an external driver is required. This program can work with the free and open source TAP-windows driver from the OpenVPN project. Available here. (Select Tap-Windows-9.24.7 for your system). If you want to set up the server on a Windows PC and use both TUN and TAP adapters, add two adapters after installing the driver. If you are already using OpenVPN and would like to use this server as well, add new adapters for it. In the server settings, you can specify the TAP adapter index starting with zero, or the name of the network connection. A simple way to specify an index is to leave the connection name empty, the server will fill it in itself. To access the driver, the server MUST be started with administrator rights for the first time. Perhaps this is a feature of the Tap-windows adapter, or it is a feature of my test environment, or I did not understand something, but a good way To configure the IP address when using Tun mode, an external .bat script is used. The server can start it automatically. Also in this script you can change routing and other network parameters, such as DNS servers.

Scripts.
The VPN server and client run scripts in three cases:

When the server initializes the TUN/TAP adapter. In this case, the arguments are: Interface_name IP_address Subnet_mask Gateway In this case, the gateway is the same as IP.
When the client connects to the server and the connection is established. In this case the arguments are: Interface_name Interface_name IP_address Net_mask Gateway DNS_servers IP_address of remote_vpn_server
When the client connection is closed. In this case the arguments are: Interface_name Interface_name IP_address Remote_disconnected_vpn_server IP_address

^*)In the Windows Interface_name is the same as the connection name in Windows.

Authorized access.
You can select the option to make the HTTP TLS VPN server publicly accessible to anyone who knows the URL. Otherwise, the server will require HTTP-style authentication. In the server settings you need to add a user with "Proxy" access, and in the client settings specify this username and password.

Security library.
External libraries seclib111 and seclibgnutls have been updated. Older versions will not work with VPN as they lack the necessary functions. If you were using an older version of the server and want to use a VPN, please update the library.

Verifying the server certificate.
If you want to enable server certificate verification, then in the TLS/SSL parameters you need to specify the directory with trusted certificates. You can put your remote server's certificate or root certificates there. If you are using OpenSSL, you will need to create hashes for your certificates. Run:

openssl rehash -compat -v path_to_this_directory

If you are using GnuTLS there are a few additional options, e.g. you can disable certificate time checking and enable SSH style verification. In this case, the host's certificate will be accepted as valid the first time, and the public key will be stored for the host. The next time the public key will be verified.

MTU
In the Linux version, you can specify the MTU for each interface. In the Windows version, the same can be done using external tools for "Network connection". It's probably best to choose an MTU smaller than your actual MTU (typically 1500) for header sizes (14-byte Ethernet header for TAP, TLS header, and the server adds 2 bytes for each packet) to run faster. But I think the best way is to set a large MTU. For example 9000 or even 15000. In this case TLS will receive large packets, encrypt them, and when they are transmitted, at the upper TCP layer they will be divided into packets according to your real Ethernet MTU. But on the other hand, when several clients are connected, a large MTU may give priority to the transfer of large files, to the detriment of those who do not transfer large files.

Contents

Conclusion

Finally I want to pay my deepest respect to the GNU C++ compiler programmers. It was that compiler that compiled this program. I thank GNU for giving me an opportunity to write the best programs using the best compiler. You can visit GNU resources:

DJGPP -- home page of translation GNU GCC into DOS.
I used this version, my libraries calling WIN32 API and my program building Windows PE *.exe from COFF a.out

GNU -- GNU itself.

M. Feoktistov

Contents