Small HTTP server

(Description for Linux version)

Capabilities
License.
How to...?
Directories and files names
Options and command line parameters
Allowed and denied IP ranges.
Limits.
Running scripts
Server Side Includes (SSI)
Countries features
Proxy server
DNS server
SMTP server
POP3 server & proxy
FTP server & proxy
TLS/SSL server
HTTP TLS VPN server and client
Conclusion.

If server works it's available:

Setting / Current state
Users & Virtual Hosts
Current statistics
Web mail
Online: What's new?
(Last version, Forum, etc.)
Download Web Mail
An external script gives Web intrface for working with mail
Download Sendmail emulator

Donation

Contacts:

E-mail...

What's this?

This very small utility turns your computer into a fully functional Web-server, Mail server, DNS server, FTP server, DHCP server and HTTPS VPN server. The program itself requires a minimal set of system resources, so the server's functioning doesn't influence your computer's performance. This server can function under a LAN networking or even under a Dial-Up networking. Webmasters can run this utility on their local computers and debug their CGI-scripts without going on-line.

This is probably the smallest HTTP server, but you shouldn't underestimate its capabilities.

Capabilities.

GET method support (HTTP/1.0-1.1)
POST method support
Multitasking. -- simultaneous data transfer and requests reception from several remote users with a delay depending on the channel's quality.
High performance. The server transfers data without any delay.
CGI and FastCGI scripts
Server Side Includes (SSI).
Dynamical output of information about requests. The 16 Kb cache is provided for the protocol. After its overflow earlier data are replaced by newer ones. The "save" option writes every 4-8 Kb of the protocol on your hard disk.
Requests control protects your information.

Also:
Mail
- POP3 server.
- SMTP server.
- Anti-spam filters. Good, bad, and gray lists common and personal for each user.
- Forwarding and possibilities to execute scripts for income messages.
- Execute external anti-virus
FTP server
- Virtual directories for FTP
- FTP proxy.
HTTP proxy server
- HTTP, FTP, HTTPS request supported
- Store lot of traffic, fast access.
- Internal continues downloading when connection broken.
- Server can request compressed and unpack reply on fly (with an external Zlib library)
DNS server
- Option for dinamicaly check a serverice on remote host and if the service down, change one IP address to other.
- Reqursion from root DNS or from DNS of provider. Caching.
- Option for autoreply to request to resolve IPv6 name. (for networks that don't use Internet through IPv6).
- DNSBL server (work with SMTP)
- DNS over HTTP(S) aka DoH (RFC8484)
DHCP server
Full detail statistics. Include statiscs by countries!
Web and local administration
IPv6 support
SSL/TLS support with an external library.
GZip compression support with an external Zlib library.
HTTP TLS VPN server and client.

Compactness is one of the greatest features of this product. Its functioning doesn't obstruct your work. This server uses a minimal set of system resources necessary for a quick data transfer.

Contents

How to...?

Well, it is fairly easy - unpack archive to the directory. Executable files: httpd.exe, httpd.exopenssl, httpd.exgnutls. With httpd.exe you can select the security library in the configuration. In httpd.exopenssl and httpd.exgnutls, the selected library code is embedded in the executable file.
If you are building the program from source, you can simply run:

./configure
make
make install

In this case, the program will be installed in /usr/local/ .... Binaries and libraries will be in /usr/local/lib/smallsrv, language files will be in /usr/local/share/smallsrv, symlink to executables will be in /usr/local/bin, etc. You can change this is using the keys for the ./configure command. Run ./configure --help to view the keys and review README.md for build details. Configuration files (httpd.cfg and other) can be in /etc/smallsrv/ or can to be in the same directory as httpd.exe This file may content uncripted passwords, therefor hight recomended to disable reading this file for other and for group. Use chmod 0600 httpd.cfg Now you may run httpd.exe To run it as daimon type httpd.exe hide or you may add hide keyword to httpd.cfg. In httpd.cfg remote administration is disable, after unpacking and to view statistic httpd.cfg contents administrator's acount. The name is "admin", password is "none". First time you must manualy edit httpd.cfg in line "user=admin;none;/var/shttps;A" change "none" to your password. To enable Web administration uncomment "radmin" keyword. After it you may use Setting / Current state to option server. Directories, files and scripts. The server works with certain directories and files names. Your site is supposed to be in the directory specified during settings. The files that have "executable for other" mode attribute are files to run. If server has a right to change current user, the scripts will be run from user's id of the file. The files that have "readable for other" mode attribute are files to return. If the file name is not specified in request, i.e. the request ends in '/', the server will show the default file which name was specified either during setting. Server can support many virtual hosts. Each virtual host has its own root directory, and also can include virtual directories common for all. ASIS files also support. Those files content HTTP header in the beginning. Such files are being used for redirect inbound request to other site. This file must begins with keyword "Status: " after this returning code and your header is going. After header one line is empty, and data. Extension must be .asi or .asis Contents Options and command line parameters. You can option via Web interface if remote administration is enabled, or you can manual edit httpd.cfg or just add parameters to command line. In many case you don't need to change settings manually but if you really want to, you can do with next keys. Parametr and comment Key General Setting Don't out log to terminal. noicon Start as daimon. hide Detail log for POP/SMTP/FTP. Otherwise only basic event are added to log. detail Disable saving log. nolog Log filename. log=name.log Create a daily log (new log created after each day).It's necessary to get statistics for a day. Server will every day rename old log file (add date to name). It's necessary to get statistics for a day. logday Separate log for each server seplog Don't out error stream (STDERR) from CGI scripts to remote users noerrout Dublicate CGI stderr to http.err log dupstderr Add to log debug info from logical expresion in SSI and Antivirus/Forward files dbgle Enable remote administration. Otherwise, only statistics will be available for administrators. radmin Number of simultaneous requests from each host. You can restrict number of simulate request from the same host. Usually one browser creates four simulate connections. Some browsers try to create much more simulate connections. This restriction includes all TCP connections (HTTP,FTP,POP,SMTP,Proxy) from_same_host=## No restrict the number of simultaneous connections from each host nofrom_same_host Minimum connection speed to detect a DoS attack over a large number of slow connections. (KBytes/minute). Zero to disable checking. dos_protect_speed=value Don't trim log lines nolimitlog Limit the length of the log lines The length of each line should not exceed this value limitlog=value IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. ip_range={#.#.#.#[-#.#.#.#],} Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. ip_deny={#.#.#.#[-#.#.#.#],} IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: ip6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. ip6_deny=value Don't save uncrypted passwords in config file cryptpwd Remove passwords from the log delpwd Save passwords as MD5 Digest (RFC2069/RFC2617) md5pwd Realm - string for MD5 Digest (RFC2069/RFC2617) md5realm=path Using MD5 Digest for authorization if posible (RFC2069/RFC2617) md5digest Using paranoidal variant of MD5 Digest for authorization if posible (RFC2617 qop=auth) md5paranoidal Use system users/passwords databases. Warning: Digest and APOP authorization methods will not work for system users sysuser The name of the system group whose members are allowed to connect to the POP3 server (if system user/password databases are used) grp_pop=value The name of the system group whose members are allowed to send mail via SMTP server (if system user/password databases are used) grp_smtp=value The name of the system group whose members are allowed to receive files via FTP (if system user/password databases are used) grp_ftpr=value The name of the system group whose members are allowed to upload files via FTP (if system user/password databases are used) grp_ftpw=value The name of the system group whose members are allowed to set executable file mode via FTP (if system user/password databases are used) grp_ftpe=value The name of the system group whose members are allowed to use Proxy and VPN (if system user/password databases are used) grp_proxy=value The name of the system group whose members are allowed to administrate the server (if system user/password databases are used) grp_admin=value IPs from that can administrate this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1 adm_range=value Deny IPs from that can't administrate this server. Separe single IP by comma and IP ranges with hyphens. adm_deny=value IPv6 IPs from that can administrate this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: adm6_range=value IPv6 Deny IPs from that can't administrate this server. Separe single IP by comma and IP ranges with hyphens. adm6_deny=value Enable 2 point in filenames (may be dangerous) twopoint HTTP server Disable HTTP server. nomax IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1 http_range=value Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. http_deny=value IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: http6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. http6_deny=value Bind to all addapters nohttp_bind IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) http_bind=value Also work through IPv6 httpipv6 Don't restrict speed of outgoing transfer nohttp_speed Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute) http_speed=value How many another connections must have activity, to check on speed limitation http_spdusr=value PHP. Specify location of "php-cgi" php=path Run PHP as FastCGI. fcgi_php FastCGI ident. The part of a URL that indicates a FastCGI script. Default is ".fcgi" fcgi_ident=value Use this group id, to detect FastCGI. Direct 0 to disable using group id. fcgi_gid=value Use UNIX socket for FastCGI. Otherwise used localhost TCP socket fcgi_unix Directory to create FastCGI UNIX sockets. May be /tmp, /var/tmp, /dev/shm, ... fcgi_upath=path Disable share dir. noshare Do not show directory listing nooutdir Don't break CGI, when connection closed nbrkcgi Advanced code for control header. header=value Use 'chunked' transfer for SSI. ssi_chunk Disable multi stream download for one file. nomsd Use gzip packing, if posible. http_gzip DLL library ZLib. gz_lib=path Pack if size of file great then gz_low=value Don't pack files with next sufixes nogz_ext=value IP database file for countries features. ip_base=path Add REMOTE_COUNTRY variable to CGI/SSI enviroment. ip_cntr Enable return country info for '/$_ip2country_$?ip=x.x.x.x' request ip2cntr_srv $_ip2country_$ service for authorized users only ip2cntr_aut Enable DNS over HTTP(S). http_doh No limitation for HTTP nohttp_ltime Time per that will calculating limits (in seconds) http_ltime=value Limit per IP (Kb) http_ip_limit=value Limit per network (Kb) http_net_limit=value Total limit for server (Kb) http_limit=value Timeout, before resend request again. In milliseconds dnstimeout=value TCP/IP port for HTTP server. Usually it's 80 port=## Number of HTTP requests working simultaneous. Approcsimately 20Kb of memory is reserved for each thread. Usually 12 connections are enought for 3-8 visitors per minute. max=## Default file name. Name when requested URL finished by "/". (Wildcards are accepted, such as index.* to allow any index file in folder) def=name.ext Error file. Full path to file or script that will be returned if requested file is not found. For CGI or SSI PATH_INFO variable will contents the name of requested file. error=path\name.ext Default web foulder. dir=root_dir_name Share dir. If you want this dir to be CGI current dir always, direct it here. Otherwise CGI current dir will be CGI script dir. share=path Enable Server Side Includes (SSI) checking in HTML files. By default SSI checking in .sht*,.sml*,.asp* files only. Warning: SSI processing uses more memory, and and creates a small delay ssihtm Key to check SSI in .sht*,.sml*,.asp* files only. nossihtm The limit of receiving by POST method in bytes. Don't direct big value because it's may preoccupy your PC and network. post_limit=## Limit of time for CGI execution. In seconds. cgi_timeout=## Mime types Define extended mime type for extension. E.g. for .bmp mime type may be image/bitmap mime=".ext1;mime-type1;.ext2;mime-type2;...;.extN;mime-typeN" Virtual hosts and virtual directory Web root dir for specific hostname. You may add many hosts with its own folder. You may add many virtual /directory/ common for all hosts. " The name of virtual directory is to be between two forward-slash (/). hostpath="hostname;path" Key may be repeated more then once. Proxy server Disable HTTP proxy. noproxy TCP/IP port for proxy server. proxy=#port How many proxy requests will be working in the same time. proxy_max=#max Cache size (Kb). It's memory cache size. cache=proxy_cach_size IP ranges for which, this server is avilable. IP adresses through comma and range, low hyphenate high. E.g. 192.168.0.1-192.168.0.16,127.0.0.1 proxy_range={#.#.#.#[-#.#.#.#],} Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. proxy_deny=value Disable to save cache in hard disk. noproxy_dir Cache proxy directory. proxy_dir=path For how many days files will be saved. Proxy can delete downloaded files from cache proxy directory after several days of last download. In any case, if user press "Reload" button files download again. proxy_time=#days Ignore NO-CACHE in control headers of the pages. HTTP protocol has an opportunity to disable caching for page. Often site holders use this option to calculate the number of vistors. In any case, if user press "Reload" button files download again. ignocache Proxy for avtorized users only. Proxy will be available for defined users with proxy access flag only proxyusers Disable Proxy server. noproxy_max Bind to all addapters noproxy_bind IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) proxy_bind=value Also work through IPv6 proxyipv6 Don't save big files. Limit (bytes) proxy_fsize=value Calculate days from last access. (Otherwise from the day of download) proxy_laccess Don't cache page if request content cookies. proxy_hrd IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: proxy6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. proxy6_deny=value Don't restrict speed of outgoing transfer noproxy_speed Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute) proxy_speed=value How many another connections must have activity, to check on speed limitation proxy_spdusr=value Large mode. Useful to hold a lot of data traffic. proxy_big Super large mode. New mode to minimize time for search when to many files stored. proxy_sbig Number of tries to resume download file after error proxy_tryes=value Limit for simultaneous requests from the same host to the same URL. Zero for unlimited. proxy_same=value Do not use higher level proxy server. noupproxy Higher level proxy server. upproxy=value TCP/IP port on up level proxy server. upproxy_port=value Higher level proxy server does not require authorization. noup_user Higher level proxy user:pasword up_user=value For POP3/SMTP/FTP proxy connect through HTTPS higher level proxy. ever_upproxy No use higher level proxy for next hosts. nouphosts=value Disabled hosts bad_hosts=value Proxy session timeout (in second). proxy_timeout=value Request gziped, and self unpack if browser don't support it. (Direct where is Zlib in HTTP part of options) proxy_gzip Don't use antivirus noproxy_antivirus Antivirus host (127.0.0.1 for local) proxy_antivirus=path Antivirus port proxy_avport=value Check HTML files. (Otherwise proxy will check application only) proxy_avhtml Check all files. (Otherwise proxy will check application only) proxy_avall No limitation for proxy noproxy_ltime Time per that will calculating limits (in seconds) proxy_ltime=value Limit per IP (Kb) proxy_ip_limit=value Limit per network (Kb) proxy_net_limit=value Total limit for server (Kb) proxy_limit=value DNS server Hosts file. See also format of this file hosts=hosts_file Disable DNS server. nohosts Bind to all addapters for DNS nodns_bind IPs and IPv6 to bind for DNS, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) dns_bind=value Also work through IPv6 for DNS dnsipv6 Enable DNS over TCP. dnstcp IPv6 IPs that can access this DNS server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: dns6_range=value IPv6 Deny IPs that can't access this DNS server. Separe single IP by comma and IP ranges with hyphens. dns6_deny=value Don't save DNS cache on exit. nodnscachefile DNS cache file name. dnscachefile=path Don't try to recursive find AAAA records. (for networks that don't use Internet through IPv6) dnsno6 Disable build in DNSBL server nodns_bld Host name of build in DNSBL server dns_bld=value Detect DoS request. Number of DoS-like requests to block IP dns_detect_dos=value A space-separated list of bad hostnames. DoS detection names dns_dos_hosts=value Disable recursion. noreqursion Size of cache for names in bytes. dnscache Recursion call to up level servers only. dnsupl Return mailhost as host name, if MX record is not found. dnsmx IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. dns_range={#.#.#.#[-#.#.#.#],} Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. dns_deny={#.#.#.#[-#.#.#.#],} To remote redirect server. Current IP notification URL on redirect server. Full URL to update your IP address on dinamic DNS server. "$IP_ADDRESS" to insert your real IP address into URL. ddns=url Time to re-confirm your IP on redirect server. ddns_time=#N Disable dynamic DNS. noddns FTP server Disable FTP server. noftp_max Bind to all addapters for FTP noftp_bind IPs and IPv6 to bind for FTP, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) ftp_bind=value Also work through IPv6 ftpipv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1 ftp_range=value Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. ftp_deny=value IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: ftp6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. ftp6_deny=value Don't restrict speed of outgoing transfer noftp_speed Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute) ftp_speed=value How many another connections must have activity, to check on speed limitation ftp_spdusr=value Use any free system provided port for a passive data connection noftp_pasvp First FTP port for passive data connection. (Range of used ports will be from and including this port depending on the number of simultanious FTP connections) ftp_pasvp=value Disable multi stream for one IP ftp_oone Convert names with space. ftp_wospace Don't use upload directory. noftp_upload Enable FTP PORT command to the client's host only. FTP to FTP mode may not work. ftp_same Enable FTP proxy. ftp_proxy No limitation for FTP in noftpi_ltime Time per that will calculating limits (in seconds) ftpi_ltime=value Limit per IP (Kb) ftpi_ip_limit=value Limit per network (Kb) ftpi_net_limit=value Total limit for server (Kb) ftpi_limit=value No limitation for FTP out noftpo_ltime Time per that will calculating limits (in seconds) ftpo_ltime=value Limit per IP (Kb) ftpo_ip_limit=value Limit per network (Kb) ftpo_net_limit=value Total limit for server (Kb) ftpo_limit=value Always ask for a password, even for users without a password ftp_always_pass Number of simultaneous requests. ftp_max=max TCP/IP port for FTP server. Usually it is 21 ftp_port=port User session timeout. (in second) Connection will close, if user is idle for this time. ftp_timeout=#N Name of upload subdirectory.If FTP directory contents this subdirectory, users with \"read only\" access can still upload files here. E.g. /pub/" ftp_upload="/dir/" Enable virtual directories for FTP. ftp_vdirs POP3 server setting Disable POP3 server. nopop3_max POP3/SMTP session timeout. (in second). Connection will close, if user is idle for this time. pop_timeout=value IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1 pop_range=value Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. pop_deny=value IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: pop6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. pop6_deny=value Bind to all addapters nopop_bind IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) pop_bind=value Also work through IPv6 popipv6 Don't restrict speed of outgoing transfer nopop_speed Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute) pop_speed=value How many another connections must have activity, to check on speed limitation pop_spdusr=value Enable POP3 proxy pop3_proxy Enable Web mail wmail Don't save messages sent throught Web mail in user's folder nowmailsent Subfolder to save sent messages wmailsent=value Delete messages throught Web mail immediately nowmailtrash Trash folder to move deleted messages wmailtrash=value Convert pages to UTF-8 wmail_utf Number of simultaneous requests. pop3_max=max TCP/IP port for POP3 server. Usually it is 110 pop_port=port SMTP server setting Disable SMTP server. nosmtp_max Bind to all addapters nosmtp_bind IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) smtp_bind=value Also work through IPv6 smtpipv6 If mailhost of receptor absent, try host smtp_nomx It is normal SMTP relay. (Otherwise it is only SMTP proxy) nosmtpproxy Higher level SMTP. (SMTP proxy mode) smtpproxy=value Do not save sent messages. nosmtp_sent For how many days sent messages will be saved. (Zero for keep ever) sent_time=value IPv6 Us IP ranges (allowed list) E.g. ::1,FE80::-FEFF:: smtp6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. smtp6_deny=value Temporary add IP to allowed list after POP3 authorization smtp_pop_ip Limit message size. (in bytes). smtp_msg_limit=value Don't break connection, when overflow size limit smtp_nobreak Enable Generate-Delivery-Report smtp_conform Goodlist. Common file with alowed source e-mails, IPs, hosts paterns goodlist=path Badlist. Common file with bad source e-mails, IPs, hosts paterns badlist=path Graylist. Common file with source e-mails, IPs, hosts paterns that required addvansed checking graylist=path Check "goodlist", "badlist" and "graylist" files in user's home directory before receive message chklists Text that will be retrived in case when message declined. There you also may direct URL to Web form to direct send message msgspam=value Do not use script for incomming/outgoing mail noantivirus Antivirus script antivirus=path Limit of time for script execution. (in seconds) run_timeout=value Break filter (expresion). Variables $msg,$sender,$hello,$control may be checked to stop reciving large message. antispam=value Spam filter (expresion). Variables $msg,$sender,$hello,$control may be checked to add IP to spamer's list. spamfltr=value Accept messages with wrong return path nocheckback Fake e-mail addresses, through coma. If somebody try to send message to these addresses it will be added to spamer's list fake=value DNSBL servers. Ask these external spamers list, about remote IP, before receive mail. (May be more then one server through space) dnsbl=value Check mailhost of sender (DNS MX record) before receive mail checkmx Ignore graylist if message incomme from source mailhost (DNS MX) mxignbl How long spamers IPs will active in spamer's list (in seconds) spam_time=value No limitation for SMTP nosmtp_ltime Time per that will calculating limits (in seconds) smtp_ltime=value Limit per IP (Kb) smtp_ip_limit=value Limit per network (Kb) smtp_net_limit=value Total limit for server (Kb) smtp_limit=value No limitation for alowed IPs nolimitus Enable receive from foregein IP messages from us domain uncheckip Minimal timeout betwen sending messages time_btw=value Number of simultaneous requests. smtp_max=max SMTP server name. (Domain name) smtp_name=your.domain.name Use all virtual hosts as alias domain name. vhalias TCP/IP port for SMTP server. Usually it's 25 smtp_port=port Output path. Directory to store messages before send smtp_out=path Sent path. Directory to store messages after sent smtp_sent=path Error path. Directory to store messages, that can't be sent smtp_err=path DNS server to get mail routing info. (May be your default DNS server) smtp_dns=#.#.#.# Alow any "From" field. Otherwise server will send message from user_name@your.domain.name only smtp_any IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. smtp_range={#.#.#.#[-#.#.#.#],} Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. smtp_deny={#.#.#.#[-#.#.#.#],} Blacklist of E-mail addresses of spamers. Separate addreses by space. Use *@host to block receiving from any address of this host) blacklist="u@adr1 *@adr2 ..." Use instructions from the "forward" file in a user's directory. forward Alow execution of applications from user's "forward" file. fwdrun Use TLS when sending outgoing message if possible smtptls Always use TLS when sending outgoing messages; if not possible, don't send smtponlytls Verify the remote certificate signature. (Verfy methods the same as directed in VPN client settings) smtpchktls DHTP server setting Disable DHCP nodhcp_max Total IPs avilable to allocate dhcp_max=value IP address of DHCP server dhcp_ip=value LAN broadcast address for DHCP reply dhcp_bcast=value First IPs for allocate dhcp_first=value Netmask dhcp_mask=value Gateway dhcp_gate=value DNS servers dhcp_dns=value Domain name dhcp_name=value File to save state dhcp_file=path DNS should resolve hostnames for IPs that was allocated dhcp_rdns Listen only, to store info from another servers for DNS. (never response) dhcp_lo TLS/SSL server setting Disable TLS/SSL server notls_max Number of simultaneous requests. tls_max=value TCP/IP port for TLS/SSL server. Usually it's 443 tls_port=value Limit on the number of idle keep-alive connections waiting keep_alive_max=value Timeout in seconds for idle keep-alive connection keep_alive_timeout=value Check live in seconds for idle keep-alive connection. 0 - use system default. (Supported from Linux 2.4, from Windows 10 v1709) keep_alive_idle=value IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1 ssl_range=value Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. ssl_deny=value IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF:: ssl6_range=value IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens. ssl6_deny=value Bind to all addapters notls_bind IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6) tls_bind=value Also work through IPv6 tlsipv6 Don't restrict speed of outgoing transfer notls_speed Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute) tls_speed=value How many another connections must have activity, to check on speed limitation tls_spdusr=value Enable TLS for POP3/SMTP smtp_tls Enable TLS for FTP ftp_tls DLL library with TLS/SSL. E.g. seclib.dll tls_lib=path Certificate file tls_cert_file=path Key file tls_key_file=path CA-Path tls_capath=path CA-file tls_cafile=path Sets priorities for the ciphers, key exchange methods, and macs For GNU TLS and for OpenSSL, the string format is different. For OpenSSL, you can see the format of this line here in the CIPHER LIST FORMAT section. The default is the following line: "TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_AES_256_GCM_SHA384: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:ALL:!DES:!3DES:!RC2" For GnuTLS, see the string format here tls_priority=value Remote administration through sequre HTTPS only admtls Web mail through sequre HTTPS only tls_wmail HTTP TLS VPN server setting Disable TLS VPN notlsvpn Maximum number of TLS VPN connections working simultaneous. tlsvpn_max=value TLS VPN URL name (direct only local part of URL e.g. "/$_vpn_$"). HTTPS requests to this URL will be redirected to VPN vpn_url=value Enable TLS VPN on Tun device vpntun Enable TLS VPN on Tap device vpntap Tun device number vpn_tun_number=value Tap device number vpn_tap_number=value TLS VPN MTU for tun. vpn_tun_mtu=value TLS VPN MTU for tap. vpn_tap_mtu=value Tun device pathname tundev=value Public access without password. (Otherwise only users with Proxy access can use this service) vpnpub Set Tun interface IP address tun_ip=value Set Tun interface netmask tun_nmask=value Set Tap interface IP address tap_ip=value Set Tap interface netmask tap_nmask=value Run init script for Tun device tun_script_up=path Run init script for Tap device tap_script_up=path First IP address to allocate for remote client that connected to Tun. (Optional) tun_remote_ip=value Total IP addresses to allocate for remote client that connected to Tun. (Optional. Set to 0 to use external DHCP server, or another methods) tun_remote_max=value DNS servers that will be offered to the TUN client. tun_remote_dns=value First IP address to allocate for remote client that connected to Tap. (Optional) tap_remote_ip=value Total IP addresses to allocate for remote client that connected to Tap. (Optional. Set to 0 to use external DHCP server, or another methods) tap_remote_max=value DNS servers that will be offered to the TAP client. (Optional) tap_remote_dns=value HTTP TLS VPN client setting Enable to connect to TLS VPN remote host vpnclient Host to connect to remote TLS VPN server vpn_remote_host=value TLS VPN remote port. (Usually 443) vpn_client_port=value TLS VPN URL name (direct only local part of URL e.g. "/$_vpn_$"). Must be the same as directed on the remote server vpn_client_url=value TLS VPN User name vpn_remote_user=value TLS VPN Password vpn_remote_passw=value VPN client to Tap. (Otherwise Tun) vpncln_tap TLS VPN client Tun/Tap device number vpn_tuntap_number=value TLS VPN MTU for client. vpn_client_mtu=value Set client VPN interface IP address tuntap_ip=value Set client VPN interface netmask tuntap_nmask=value Run init script when VPN connection estabilished vpncln_script_up=path Run deinit script when VPN connection closed vpncln_script_down=path Validate remote TLS sertificate, check host name vpncln_chktls Don't check remote sertificate time. Ignore expired. (GNUTLS only) vpncln_tlsigntime Accept self signed sertificate. (GNUTLS only) vpncln_tlsssign SSH style of sertificate validate. (GNUTLS only. Public keys of new untracted remote will be stored in ~/.gnutls/known_hosts) vpncln_tlssshstyle Users To give FTP, Mail, Administration access you must add users. user="name;password;home_dir;type_of_access_flags" Key may be repeated more then once. type_of_access_flags -- It's sequence of next symbol: F -- FTP access -- user can read files from his home directory and any subdirectory via FTP. W -- FTP write access -- user can upload files to his home directory via FTP. N -- Disable add executable mode attribute for files. S -- SMTP. User can send messages via SMTP from user_name@your.domain.name P -- POP3. User will have mailbox. All messages to user_name@your.domain.name will stored in home/mbox directory and available via POP3. A -- This is administrator. -- He has full access to administration's pages, can add users, change access rights etc... H -- Proxy. Access to proxy. If the name of user is known to system (present in /etc/password, /etc/shadow), the server will try to switch current user to this user, when he logon to FTP. Otherwise server will try switch current user to the user named "ftp" For FTP access you can add anonymous user without password In this case just skip password. E.g.: user=anonymous;;/usr/pub;FWN user=ftp;;/var/readonly;F Please note that there shouldn't be spaces before and after "=". If a parameter you are entering contains spaces make sure that you put them in quotes. Here is an example of a correct command line: httpd.exe port=1080 def=index.html nolog Here is an example of configuration file: log=/var/log/http.log max=12 def=index.stm @www.cfg # include other configuration file hostpath=www.name.www;/var/www1 hostpath=max.name.www;/var/WWW2 # End of file Contents Allowed and denied IP ranges. For each service you may direct allowed and denied IP addresses. Also present common allowed and denied ranges of IP to blocking or enable access to all TCP services, and ranges that define IPs from where Web administration available. Addresses directed through coma. You might direct one address or range. Example: 127.0.0.1,192.168.0.1-192.168.0.255 HTTP,FTP,POP3,Proxy will receive request from IPs that include in allowed list and exclude denied list. SMTP will receive the message for own domain (incoming for own users) from any addresses, exclude denied. The messages to send outside, it will get from allowed IPs only If you don't want get any messages from some IP -- just add it to denied list. DNS server also retrieve local records to anybody, but recursion searching it do for IPs from allowed list only. Contents Limits. You may direct limits for exchange for HTTP,Proxy,SMTP,FTP. For it, in the settings direct time for that will present limit and values for IP, network of this IP, and total limit for the service. Get attention, that when limit will over the exchange will not be break until full file will not be transfer. When limit overflow next calls for the time calculated from overflow value will be failed. Contents Running scripts. Requested files that contents CGI identefer in pathname will be executed. If option "Run 'system' files" selected then files with attribute 'system' will be executed too. CGI/1.1 standards are supported, for reference please consult http://Web.Golux.Com/coar/cgi/. When running a script, request line parameters are transferred both in command line and in QUERY_STRING environment variable. The script transfers data directly to the client that requested it. A script should output Content-Type: type\r\n or Location: url. There could be some auxiliary lines like Content-Length: xx\r\n or Date:. These data end in \r\n\r\n. If you use C or Perl please note that in text mode output functions automatically transform \n to \r\n. Pascal writeln function also completes output with these symbols. (\r = [CR] = 0x0D; \n = [LF] = 0x0A ) Contents. Server Side Includes (SSI) SSI can greatly increase your capabilities allowing you to dynamically insert results of CGI scripts in any place of a document being shown to the user. When a remote client requests a *.sht, *.shtm or *.shtml file, server returns it evaluating SSI tags which are contained there. SSI tags have the following format:  HTTP or request form variables can be put into the "value" field. Variable name starts with $ and can be later put in braces {} if you wish to concatenate the variable value with subsequent text (excepting spaces). For instance , $USER_AGENT contains browser type, and if you want to concatenate it with "_12345", use "${USER_AGENT}_12345". When using symbols like $, \, " make sure you place \ before them: $ - \$, \ - \\, " - \" etc. If a variable can't be evaluated, it replaced with the "undefined" value. Current server version supports the following tags: include   Both variants include the content of file_name in the document. In first case it looks for the document from the web root directory, in the second case you can define a path for the document. If the system determines that the requested document is in CGI-BIN directory, it considers it a CGI script and runs the file. If the file_name contains the "?" symbol, the string after it is transmitted as a request with parameters which should be processed by your script. exec   Runs the script like with "include" tag. fsize & lastmod         Shows file size and last modified date. Size can be rounded up to Kilobytes or Megabytes. Date can by formated as you like. Next format keys are defined: Key Description Range d Day of the month, 2 digits with leading zeros 01 to 31 j Day of the month without leading zeros 1 to 31 m Numeric representation of a month, with leading zeros 01 through 12 n Numeric representation of a month, without leading zeros 1 through 12 Y A full numeric representation of a year, 4 digits 1970 through 9999 y A two digit representation of a year 00 through 99 a Lowercase Ante meridiem and Post meridiem am or pm A Uppercase Ante meridiem and Post meridiem AM or PM g 12-hour format of an hour without leading zeros 0 through 12 G 24-hour format of an hour without leading zeros 0 through 23 h 12-hour format of an hour with leading zeros 01 through 12 H 24-hour format of an hour with leading zeros 00 through 23 i Minutes with leading zeros 00 to 59 s Seconds with leading zeros 00 through 59 echo  Prints variable value. printenv  Outputs the values of all variables. break  Breaks procession of the document. if -- elif -- else -- endif  text  text  text ...  text  The text will be either shown or not depending on the outcomes of specified conditions. The conditions can consist of variables and values as well as different logical operators between them: ! -- "Not" = or == -- "Equal to" != -- "Not equal to" <,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to". ~ -- "Part of..." str1 ~ str2 -- the result is true, if the string str2 is the part of string str1 str1 =~ /pattern/ig -- pattern it is Regular expressions like Unix. The result is be true, if in the string str1 has been found substring equal by pattern. && --"AND" || --"OR" elif and else operators can be omitted, elif can be repeated as many times as you need. It's necessary to put the endif tag at the end of your statements. set  Sets or changes the value of the variable. Although, try not to use this feature too often because the number of variables and memory allocated for them is somewhat restricted. Contents Regular Expressions To checking incomming variables finding by pattern avilable. Pattern is regular expressions, with syntax accepted in Unix. Regular expressions it is substring to find. Into this substring also may be present metacharacters,quantifiers and variables. The following metacharacters understen: ^ -- begin of line. . -- any char except new line. \ -- if next character is metacharacter it undesten as just character. E.g. "\." is just point. Also known the following sequensies: \n -- new line \r -- return \t -- tab \\ -- \ - slash \x## -- hex code of char. \o### or \0### -- octal code of char. \### -- decimal code of char. [] -- in square bracket may be directed avilable or unavilable values for next char: If first char in the bracket is '^', this mean char may be any except other chars directed in bracket. Otherwise the char may be only one char from the bracket. '-' inside bracket mean all chars from preveous of '-' to char after '-'. The char '\' inside bracket also changed interpretation of next char. Examples: [0-9] -- mean all diget. [a-zA-Z] -- mean all letter. [^@$\-\n\o008\x01] -- mean any char exept @,$,-,new line, and chars with codes 8 and 1. () -- prescribe to save substring by pattern inside bracket for using in futures. The founded substring will be avilable as variables from $1 to $9. The last result also avilable as $+ . The string before last result avilable as $` . The string after last result avilable as $' | -- or. After metachar may be present quantifier: * -- repeat 0 or more times. + -- repeat 1 or more times. ? -- may be absent {n} -- repeat 0 or more times. {n,} -- repeat n or more times. {n,m} -- repeat at least n but not more then m times. After any quantifier may by following modifer '?' to lessen pattern distribution up to first posible coincidence. An example when finding in string '123abcdefff567' with pattern /([a-z]*)/ $1 will be "abcdefff" with pattern /([a-z]*)f/ $1 will be "abcdeff" with pattern /([a-z]*?)f/ $1 will be "abcde" At end of patern, after last slash, may be flowing various modifiers. Nov the program understan next various modifiers: i -- case-insensitive pattern v -- force disable to clear the list of variables ($1 - $9). Without this modifier the program will clear the list in new logical expressions, when the first regular expressions into this logical will begin checking. c -- force clear the list of variables ($1 - $9) before begin. In one logical expressions may be more then one regular expressions. By default all of them use the same list of variables, and e.g. if first expression filled $1 and $2, the second may fill only from $3 If you use this modifer expressions will fill variables begin from $1 independency of result of preveuse part of logical expression. Also next function available: exist(filename) - returns 1 if file exist, otherwise 0. fsize(filename) - returns size of the file. ftime(filename) - returns time of last modification of the file in seconds from 01.01.1971. fmode(filename) - returns access mode of the file. Contents Countries features The program can show statistic by countries and server may add REMOTE_COUNTRY variably with country name to SSI/CGI enviroment. IP-contry database need for these features. Download and unzip it. Then in server's options direct where is it. Fast search will not delay SSI and CGI execution. The program does not garanted valid country detection for evry time, but in many cases it will be. For IP addresses that absent in the database the server show "unknown" instead country name. Also, if enabled in the settings, /$_ip2country_$ and /$_ip2country_$?l=h http queries returns the user's country. This request maintains an 'l=' variable, that may be 'h' - for html reply, 'j' - for javascript reply, and any other value for just text reply. You can include Javascript variation as <script src=/$_ip2country_$?l=j > in your web pages to use the country name in your scripts. The answer will be in the following format: var county_code="CC",country="Country name",country_ip="127.0.0.1"; Contents Internet Server Applications (ISAPI) It is alternative to Common Gateway Interface Executable Files. The server will identify a file with a .DLL extension as a script to execute. For every client request, the HttpExtensionProc entry point is called. My realization of this interface have next features: If HttpExtensionProc return 4 (HSE_STATUS_ERROR) or great then DLL will be unload. When script call WriteClient the dwHttpStatusCode must content valid value or begins with HTTP/ and contents full HTTP reply. The absentce of GetExtensionVersion is not an error. Contents Proxy If hard disk cache enabled server will store all incomming files except authorized pages. Server can delete downloaded files from cache proxy directory after several days of last download. See also command line keys descriptions Contents DNS server This version content DNS server. To run you must specify hosts file. File has format on the one hand compatible with system hosts file and on the other hand may be alike with master file format recomended by RFC 1035. For compatible with system hosts file, each lines may content IP address and name of the host. Comments begin with symbol '#'. Domain name in this file could begin from '*.' to descript all subdomain. Example: # Here is an example of hosts file for local network. 194.45.68.21 www.max.local 194.45.68.21 max.local 194.45.68.20 *.max.local 194.45.68.22 www.boss.local 194.45.68.23 serg.local 194.45.68.26 www.serg.local 194.45.68.24 *.andy.local 194.45.68.25 *.mary.local # etc ... # To create your own dialup network add last record: 194.45.68.20 * # -- Redirect all unknown incoming request to 194.45.68.20 # end of hosts file Also each line may content domain-name and RR description and comment may begin with ';' Next lines are supported: $ORIGIN <domain-name> $TTL <validate-time> -- a 32 bit unsigned integer that specifies the time interval (in seconds) that the resource record may be cached before it should be discarded. $SLAVE <domain-name> <ip-address-of-master> [<filename>] -- Work as slave DNS server for this domain. Download full domain from master $IF_DOWN <host:port> <interval> Old.IP=New.IP -- By this option server will try to connect to the host:port for time interval (in seconds), and if fail in each record with Old.IP it will replasing to New.IP. [<domain-name>] <blank> [<TTL>] IN <type> <RDATA> For domain description unlike RFC recomendation you must direct full <domain-name> ('@' dosen't interpretate, last point may be skipped or present it's the same). You may skip <domain-name> in this case preveus name will be used. Unlike RFC recomendation you must direct class "IN" for each line with RR format. <type> may be: A <IP-address> - a host IPv4 address AAAA <IPv6-address> - a host IPv6 address NS <full-name> - an authoritative name server CNAME <full-name> - the canonical name for an alias. The 'A' record for original name MUST present in this file. SOA <full-name> <e-mail by owner> (<SERIAL>,<REFRESH>,<RETRY>,<EXPIRE>,<MINIMUM>) - marks the start of a zone of authority MX <preference> <full-name> - mail exchange. <preference> is numbre from 1 to 255. Lower values are preferred. PTR <full-name> - a name. Host at left side must be #.#.#.#.in-addr.arpa TXT text SPF text CAA 0 [issue|issuewild] server TLSA usage selector matching_type data ^{* See more in TLS caption.} TYPEnumber \\# length hex hex hex... - for new, unknow types. Other types are ignored. Also server supports PTR request, but RDATA for reply server gives from first 'A' record with such IP, or from lines compatible with system hosts file. For each type of record domain-name may begin from wildcard '*.' to descrpibe all sub domains. Server supports '*' type of request to return all about domain. For domain with wildcard reply also will content wildcard. For other types of request reply will be without wildcard. Server may support reqursion call. To release resolving for any domain you MUST direct NS record for root servers. If you check "Recursion call to up level servers only" you must direct DNS server of your provider, instead root servers, and program will call only to these servers. Otherwise, server will call to different zone servers. Example: # Here is an example of hosts file for export domain to Internet, # and resolve other names. ; First, lines holds the information on root name servers needed to ; initialize cache of Internet domain name servers . IN NS a.root-servers.net a.root-servers.net IN A 198.41.0.4 . IN NS b.root-servers.net b.root-servers.net IN A 128.9.0.107 . IN NS c.root-servers.net c.root-servers.net IN A 192.33.4.12 . IN NS d.root-servers.net d.root-servers.net IN A 128.8.10.90 . IN NS e.root-servers.net e.root-servers.net IN A 192.203.230.10 . IN NS f.root-servers.net f.root-servers.net IN A 192.5.5.241 . IN NS g.root-servers.net g.root-servers.net IN A 192.112.36.4 . IN NS h.root-servers.net h.root-servers.net IN A 128.63.2.53 ; Now declare our domain $TTL 86400 ;TTL - 24 hours somedomain.net IN SOA somedomain.net max@somedomain.net ( 2002120602 ; Serial 36000 ; Refresh 3000 ; Retry 36000000 ; Expire 36000 ; Minimum ) IN NS ns.somedomain.net IN NS ns2.somedomain.net IN MX 1 relay1.somedomain.net IN MX 2 relay2.somedomain.net IN A 192.168.12.1 ns.somedomain.net IN A 192.168.12.1 ns2.somedomain.net IN A 192.168.12.2 relay1.somedomain.net IN A 192.168.12.1 relay2.somedomain.net IN A 192.168.12.2 pc2.somedomain.net IN A 192.168.12.2 IN NS ns2.somedomain.net IN MX 1 relay1.somedomain.net *.somedomain.net IN A 192.168.12.1 IN NS ns.somedomain.net IN NS ns2.somedomain.net IN MX 1 relay1.somedomain.net IN MX 2 relay2.somedomain.net ; also this file may contents lines in next format: 192.168.12.1 www.max.local 192.168.12.2 max.local 192.168.12.1 *.max.local $SLAVE domain2.name 192.168.12.8 domain2.name.txt $IF_DOWN 192.168.12.2:80 300 192.168.12.2=192.168.12.1 # end of hosts file See also command line keys descriptions SMTP server SMTP server can: Receive messages for defined users. Target address must be user_name@your.domain.name This messages store in user's home/mbox directory and it's available via POP3. Receive messages from defined users for anybody. Source address must be user_name@your.domain.name You can enable to receive messages from anybody to anyone, and you can restrict remote IP range, for which this type of messages is enable. To get mail routing info, SMTP server asks DNS server. You must direct DNS IP in options. You may add some spamers addresses into blacklist. Messages from these addresses will be never received. Also server can support common and personal badlist and goodlist files. The names of common lists you may direct in options. Also in options you may enable check personal files named "badlist" and "goodlist" in user's home directories. Each line of these file may be: E-mail address or any part of address. IP address or part of IP address. ? Logical expresion where you may do action with $sender, $hello, $control variables. $sender -- return address $hello -- self identification from remote server. $control -- full identification line in flowing format: "From sender (remote_hello [IP]) date and time For receptors\r\n" ?? List of DNSBL servers Example: # Begin of file @yahoo 4.79.181. 67.28.113. one@address.com lotto ? $sender == spamer@address ? ! $hello =~ /.+\.[a-z]{2,4}/ ? $control =~ /\[64.156.215.*\]/ # End of file You may enable server to check user's "forward" files, to redirect or percolate messages. File named "forward" could be placed into user's home directory. When option is enable server parses each line of this file and understands next instruction: #if expression -- next lines will be checked if expression is true #elif expression -- if previous condition is false then next lines will be checked if expression is true #else -- next lines will be checked if previous condition is false #endif -- end of conditions block #mv where -- move message #cp where -- copy message #rm -- remove message # anything -- comment !/usr/bin/path/application {params} -- execute "/usr/bin/path/application {params} users_home/mbox/name.msg". If executing is enable in options only. to1@host1 {toN@hostN} -- redirect message to this addresses. The conditions can consist of variables ($size_kb -- size of message in KB; $in_text(text to find) -- is true if the text was found in the message) and values as well as different logical operators between them: ! -- "Not" = or == -- "Equal to" != -- "Not equal to" <,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to". is the part of string str1 && --"AND" || --"OR" str1 =~ /pattern/ig -- pattern it is Regular expressions like Unix. The result is be true, if in the string str1 has been found substring equal by pattern. Space and back-slash (' \') at end of line mean continues current command at next line. Example: # Here is the example of forward file. #if $in_text(boss@address) !/usr/bin/perl/bin/perl.exe autoreply.pl #endif #if $in_text(100% FREE) !deltree /Y #elif $size_kb<=20 && ! ( $in_text(boss@address) || $in_text(@private.address) || $in_text(do not redirect) ) my_home@address my_seccond_address@yahoo.com #else !/usr/bin/perl/bin/perl.exe check.pl #endif # End of forward file Antivirus script have same format as forward file, but unlike forward file it checking before sending each message. Example: # Here is the example of antivirus file. #if $text =~ /Content-Transfer-Encoding: ["`]?base64[\001-\xFF]*?\n\r?\nTVqQAAMA/ #if $text =~ /name=.*\.pif/ #mv c:\probably\virus #else !c:\DrWeb\drwebcl.exe /GO /TM- /WA- /TB- /ML #endif #elif $body =~ /<script language=/ && $body =~ /<!DOCTYPE HTML/ #mv c:\probably\spam #endif # End of file Break-filter destined to break receiving long size spam messages. Break-filter it is logical expression that may do checking after server will receive first 8Kb of the message. If the result of this expression is true, the continues of the message will not be next received, to the "Subject" header's field will be added "[SPAM]", combination of "sender+IP address+server's hello+receptions" will be placed to the temporary bad list, and next tries to send the same messages will be stopped before begin of data transfer. Inside expression next variables may be used: $msg -- first 8Kb of the message $sender -- return address $hello -- self identification from remote server. $control -- full identification line in flowing format: "From sender (remote_hello [IP]) date and time For receptors\r\n" You may include the same actions as in '#if' operator: ||,&&,<,>,>=,<=,==,!=,=~ The example: (! ( $msg =~ /^From:[^\n\r]*<([^>\n\r]+)>/i || $msg =~ /^From:[ \t]*([^\n\r]+)/ ) ) || $1 != $sender || $msg =~ /^Subject:[^\n\r]*New site|You are win/i || $msg =~ /to|for[ \r\n\t]+unsubscribe[ \r\n\t]+[ \r\n\t]+press|go|open|reply|do not/i In this example: first four lines check does field 'From' is present in the message, and get address from this field, and this address must be the same as sender address (return path); Next line search in the field Subject "New site" or "You are win"; and last line try to detect some strings like "To unsubscribe do something..." If any of these condition will be true the message will be detect as spam. See also command line keys descriptions POP3 server & proxy POP3 server provide access to incomming mail. If POP3 proxy is enabled then users may option their E-mail client's program to get mail from another remote POP3 through this POP3. For it, user option in client's program must be: local_user@remote_user@remote_host Password must be: local_password@remote_password Or @remote_password part may be added to user option. Anywhere instead '@' may be used '#'. If Web Mail enabled the users that have POP3 access may use it by URL http://host.name/$_wmail_$ . Web mail avilable only from IP addresses from POP3 range. FTP server & proxy FTP server provide access to home directories of users and if option "Enable virtual directories for FTP" is selected then provide access to private virtual directories. Public virtual directories are unavilable through FTP. If FTP proxy is enabled then users may option their FTP client's program to work with remote FTP through this FTP. For it, user option in client's program must be: local_user@remote_user@remote_host Password must be: local_password@remote_password Or @remote_password part may be added to user option. Anywhere instead '@' may be used '#'. Some FTP clients (e.g. FTP plugin for Far manager) support alike type of FTP proxy. In this cliens you may option firewall setting to your_host:FTP_port, and dirrect FTP URL like this: ftp://local_user#remote_user:local_password#remote_password@ftp_host/ TLS/SSL server The server doesn't content real buildin TLS/SSL cryptographic functions, but includes interface to connect external TLS/SSL library. You may connect OpenSSL or GNU TLS to the server. libsec111.so and libsecgnutls.so libraries based on OpenSSL and GnuTLS included in Linux package. For this functions required sertificate. Easy and free way to get it, is generate self signed sertificate e.g. with help OpenSSL: openssl genrsa 2048 > ks.key openssl req -x509 -new -key ks.key -days 3650 > ks.pem ks.pem -- is result file that may be used as "Certificate file" ks.key -- is result file that may be used as "Key file" Self-signed certificate will not provide the security guarantees. An attacker on intermediate routers can include a bidirectional proxy in your connection, put his certificate in place of yours, and the browser will not be able to recognize that it is not your certificate. Some browsers or TLS clients may support the DANE (RFC6698) method for certificate validation. For this method, you need to add specific DNS records for your domain. The format of this entry is: _port._base_protocol.host.name IN TLSA usage selector matching_type data usage for self signed this domain certificate must be 3. selector may be: 0 -- Full certificate: the Certificate binary structure as defined in RFC5280 1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined in RFC5280 matching_type may be: 0 -- Exact match on selected content 1 -- SHA-256 hash of selected content RFC6234 2 -- SHA-512 hash of selected content RFC6234 data can be generated with help openssl and sha256sum: Selector=0 (full certificate) openssl x509 -in ks.pem -outform der | sha256sum Selector=1 (subject public key) openssl x509 -in ks.pem -pubkey -noout | openssl rsa -pubin -outform der | sha256sum Examples of TLSA DNS records: _443._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 ) _443._tcp.www.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 ) _25._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 ) _110._tcp.smallsrv.com. IN TLSA ( 3 1 1 5bdd89111e62a72c946d47a91e7a17aec3102d41a2523e04b510a83cebffdf1a ) HTTP TLS VPN server and client Now this program can create a VPN channel inside an HTTPS connection. How does it work? On the host where the HTTP server is used, you can enable the VPN server in the settings. On other hosts you can install the program and enable the VPN client (only the VPN client is possible). Clients access the server using the HTTPS protocol, request a URL like this: https://hostname.etc/$_vpn_$/. You can choose any URL name by which the server will determine that this is a VPN request. When the HTTP server detects a VPN request, it passes the connection to the built-in VPN server. TAP and TUN The server supports both VPN types, and both VPNs can run simultaneously, but each type must be on its own subnet. The client can choose only one type, TUN or TAP, and it reports the required type to the server when connecting. What is the difference? On a TAP connection, each packet also includes a 14-byte Ethernet header. This gives some advanced features, e.g. The TAP interface can be included in the bridge, and any type of packet can be broadcast through TAP. The TUN connection only supports IPv4 and IPv6 packets. Link between clients In this version, the server does not filter anything. Communication between clients will work and may be filtered by an external firewall. Link to Linux and Windows Linux and Windows VPN use the same protocols and can be connected to each other. Tap driver for Windows. Windows does not have a built-in TUN/TAP driver. This means an external driver is required. This program can work with the free and open source TAP-windows driver from the OpenVPN project. Available here. (Select Tap-Windows-9.24.7 for your system). If you want to set up the server on a Windows PC and use both TUN and TAP adapters, add two adapters after installing the driver. If you are already using OpenVPN and would like to use this server as well, add new adapters for it. In the server settings, you can specify the TAP adapter index starting with zero, or the name of the network connection. A simple way to specify an index is to leave the connection name empty, the server will fill it in itself. To access the driver, the server MUST be started with administrator rights for the first time. Perhaps this is a feature of the Tap-windows adapter, or it is a feature of my test environment, or I did not understand something, but a good way To configure the IP address when using Tun mode, an external .bat script is used. The server can start it automatically. Also in this script you can change routing and other network parameters, such as DNS servers. Scripts. The VPN server and client run scripts in three cases: When the server initializes the TUN/TAP adapter. In this case, the arguments are: Interface_name IP_address Subnet_mask Gateway In this case, the gateway is the same as IP. When the client connects to the server and the connection is established. In this case the arguments are: Interface_name Interface_name IP_address Net_mask Gateway DNS_servers IP_address of remote_vpn_server When the client connection is closed. In this case the arguments are: Interface_name Interface_name IP_address Remote_disconnected_vpn_server IP_address Authorized access. You can select the option to make the HTTP TLS VPN server publicly accessible to anyone who knows the URL. Otherwise, the server will require HTTP-style authentication. In the server settings you need to add a user with "Proxy" access, and in the client settings specify this username and password. Security library. External libraries seclib111 and seclibgnutls have been updated. Older versions will not work with VPN as they lack the necessary functions. If you were using an older version of the server and want to use a VPN, please update the library. Verifying the server certificate. If you want to enable server certificate verification, then in the TLS/SSL parameters you need to specify the directory with trusted certificates. You can put your remote server's certificate or root certificates there. If you are using OpenSSL, you will need to create hashes for your certificates. Run: openssl rehash -compat -v path_to_this_directory If you are using GnuTLS there are a few additional options, e.g. you can disable certificate time checking and enable SSH style verification. In this case, the host's certificate will be accepted as valid the first time, and the public key will be stored for the host. The next time the public key will be verified. MTU In the Linux version, you can specify the MTU for each interface. In the Windows version, the same can be done using external tools for "Network connection". It's probably best to choose an MTU smaller than your actual MTU (typically 1500) for header sizes (14-byte Ethernet header for TAP, TLS header, and the server adds 2 bytes for each packet) to run faster. But I think the best way is to set a large MTU. For example 9000 or even 15000. In this case TLS will receive large packets, encrypt them, and when they are transmitted, at the upper TCP layer they will be divided into packets according to your real Ethernet MTU. But on the other hand, when several clients are connected, a large MTU may give priority to the transfer of large files, to the detriment of those who do not transfer large files. Contents Conclusion Finally I want to pay my deepest respect to the GNU C++ compiler programmers. It was that compiler that compiled this program. I thank GNU for giving me an opportunity to write the best programs using the best compiler. You can visit GNU resources: GNU -- GNU itself. M. Feoktistov Contents

Key	Description	Range
d	Day of the month, 2 digits with leading zeros	01 to 31
j	Day of the month without leading zeros	1 to 31
m	Numeric representation of a month, with leading zeros	01 through 12
n	Numeric representation of a month, without leading zeros	1 through 12
Y	A full numeric representation of a year, 4 digits	1970 through 9999
y	A two digit representation of a year	00 through 99
a	Lowercase Ante meridiem and Post meridiem	am or pm
A	Uppercase Ante meridiem and Post meridiem	AM or PM
g	12-hour format of an hour without leading zeros	0 through 12
G	24-hour format of an hour without leading zeros	0 through 23
h	12-hour format of an hour with leading zeros	01 through 12
H	24-hour format of an hour with leading zeros	00 through 23
i	Minutes with leading zeros	00 to 59
s	Seconds with leading zeros	00 through 59