Small HTTP server

(Description for Linux version)

Capabilities
License.
How to...?
Directories and files names
Command line settings and parameters
Allowed and denied IP ranges.
Limits.
Running scripts
Server Side Includes (SSI)
Regular expressions
Countries features
Proxy server
DNS server
SMTP server
POP3 server & proxy
FTP server & proxy
TLS/SSL server
HTTP TLS VPN server and client
Conclusion.

If server works it's available:

Setting / Current state
Users & Virtual Hosts
Current statistics
Web mail
Online: What's new?
(Last version, Forum, etc.)
Download Sendmail emulator

Donation

Contacts:

What's this?

This very small utility turns your computer into a fully functional Web-server, Mail server, DNS server, FTP server, DHCP server and HTTPS VPN server. The program itself requires a minimal set of system resources, so the server's functioning doesn't influence your computer's performance. This server can function under a LAN networking or even under a Dial-Up networking. Webmasters can run this utility on their local computers and debug their CGI-scripts without going on-line.

This is probably the smallest HTTP server, but you shouldn't underestimate its capabilities.

Capabilities.

GET,POST,HEAD methods support (HTTP/1.0 - 1.1)
Multitasking. -- simultaneous data transfer and requests reception from several remote users with a delay depending on the channel's quality.
High performance. The server transfers data without any delay.
CGI-scripts and FastCGI available
Server Side Includes (SSI).
Dynamical output of information about requests. The 16 Kb cache is provided for the log. After its overflow earlier data are replaced by newer ones. The "save" option writes every 4-8 Kb of the log on your hard disk.
Requests control protects your information.

Also:
Mail
- POP3 server.
- SMTP server.
- Anti-spam filters. Good, bad, and gray lists common and personal for each user.
- Forwarding and possibilities to execute scripts for income messages.
- Execute external anti-virus
FTP server
- Virtual directories for FTP
- FTP proxy.
HTTP proxy server
- HTTP, FTP, HTTPS request supported
- Store lot of traffic, fast access.
- Internal continues downloading when connection broken.
- Server can request compressed and unpack reply on fly (with an external Zlib library)
DNS server
- Option for dinamicaly check a serverice on remote host and if the service down, change one IP address to other.
- Reqursion from root DNS or from DNS of provider. Caching.
- Option for autoreply to request to resolve IPv6 name. (for networks that don't use Internet through IPv6).
- DNSBL server (work with SMTP)
- DNS over HTTP(S) aka DoH (RFC8484)
DHCP server
Full detail statistics. Include statiscs by countries!
Web and local administration
IPv6 support
SSL/TLS support with an external library.
GZip compression support with an external Zlib library.
HTTP TLS VPN server and client.

Compactness is one of the greatest features of this product. Its functioning doesn't obstruct your work. This server uses a minimal set of system resources necessary for a quick data transfer.

Contents

How to...?

Well, it is fairly easy - unpack archive to the directory. Executable files: httpd.exe, httpd.exopenssl, httpd.exgnutls. With httpd.exe you can select the security library in the configuration. In httpd.exopenssl and httpd.exgnutls, the selected library code is embedded in the executable file.
If you are building the program from source, you can simply run:

./configure
make
make install

In this case, the program will be installed in /usr/local/ .... Binaries and libraries will be in /usr/local/lib/smallsrv, language files will be in /usr/local/share/smallsrv, symlink to executables will be in /usr/local/bin, etc. You can change this is using the keys for the ./configure command. Run ./configure --help to view the keys and review README.md for build details.
Configuration files (httpd.cfg and other) can be in /etc/smallsrv/ or can to be in the same directory as httpd.exe This file may content uncripted passwords, therefor hight recomended to disable reading this file for other and for group. Use
chmod 0600 httpd.cfg
Now you may run httpd.exe To run it as daimon type httpd.exe hide or you may add hide keyword to httpd.cfg. In httpd.cfg remote administration is disable, after unpacking and to view statistic httpd.cfg contents administrator's acount. The name is "admin", password is "none". First time you must manualy edit httpd.cfg in line "user=admin;none;/var/shttps;A" change "none" to your password. To enable Web administration uncomment "radmin" keyword. After it you may use Setting / Current state to option server.

Directories, files and scripts.

The server works with certain directories and files names. Your site is supposed to be in the directory specified in settings. Files with "executable by others" permission are files to run. If the server has permission to change the current user, scripts will be run with the file owner ID. Files that have "readable by others" permission can be transferred. If the file name is not specified in request, i.e. the request ends in '/', the server will show the default file which name was specified either during setting. Server can support many virtual hosts. Each virtual host has its own root directory, and also can include virtual directories common for all.

ASIS files are also supported. These files contain an HTTP header at the beginning. Such files are used, for example, to redirect incoming requests to another site. This file should start with the keyword "Status:" after this return code and your header. After the header there is one empty line, and the data. The extension should be .asi or .asis
Example of file t.htm.asi:

Status: 301
Location: /d2/t.htm
content-type: text/html

Moved Permanently....

Contents

Options and command line parameters.

You can option via Web interface if remote administration is enabled, or you can manual edit httpd.cfg or just add parameters to command line. In many case you don't need to change settings manually but if you really want to, you can do with next keys.

Parametr and comment	Key
General Setting
Don't out log to terminal.	noicon
Start as daimon.	hide
Detail log for POP/SMTP/FTP. Otherwise only basic event are added to log.	detail
Disable saving log.	nolog
Log filename.	log=name.log
Create a daily log (new log created after each day).It's necessary to get statistics for a day. Server will every day rename old log file (add date to name). It's necessary to get statistics for a day.	logday
Separate log for each server	seplog
Don't out error stream (STDERR) from CGI scripts to remote users	noerrout
Dublicate CGI stderr to http.err log	dupstderr
Add to log debug info from logical expresion in SSI and Antivirus/Forward files	dbgle
Enable remote administration. Otherwise, only statistics will be available for administrators.	radmin
Number of simultaneous requests from each host. You can restrict number of simulate request from the same host. Usually one browser creates four simulate connections. Some browsers try to create much more simulate connections. This restriction includes all TCP connections (HTTP,FTP,POP,SMTP,Proxy)	from_same_host=##
No restrict the number of simultaneous connections from each host	nofrom_same_host
Minimum connection speed to detect a DoS attack over a large number of slow connections. (KBytes/minute). Zero to disable checking.	dos_protect_speed=value
Don't trim log lines	nolimitlog
Limit the length of the log lines The length of each line should not exceed this value	limitlog=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	ip_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ip_deny={#.#.#.#[-#.#.#.#],}
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	ip6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ip6_deny=value
Don't save uncrypted passwords in config file	cryptpwd
Remove passwords from the log	delpwd
Save passwords as MD5 Digest (RFC2069/RFC2617)	md5pwd
Realm - string for MD5 Digest (RFC2069/RFC2617)	md5realm=path
Using MD5 Digest for authorization if posible (RFC2069/RFC2617)	md5digest
Using paranoidal variant of MD5 Digest for authorization if posible (RFC2617 qop=auth)	md5paranoidal
Use system users/passwords databases. Warning: Digest and APOP authorization methods will not work for system users	sysuser
The name of the system group whose members are allowed to connect to the POP3 server (if system user/password databases are used)	grp_pop=value
The name of the system group whose members are allowed to send mail via SMTP server (if system user/password databases are used)	grp_smtp=value
The name of the system group whose members are allowed to receive files via FTP (if system user/password databases are used)	grp_ftpr=value
The name of the system group whose members are allowed to upload files via FTP (if system user/password databases are used)	grp_ftpw=value
The name of the system group whose members are allowed to set executable file mode via FTP (if system user/password databases are used)	grp_ftpe=value
The name of the system group whose members are allowed to use Proxy and VPN (if system user/password databases are used)	grp_proxy=value
The name of the system group whose members are allowed to administrate the server (if system user/password databases are used)	grp_admin=value
IPs from that can administrate this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	adm_range=value
Deny IPs from that can't administrate this server. Separe single IP by comma and IP ranges with hyphens.	adm_deny=value
IPv6 IPs from that can administrate this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	adm6_range=value
IPv6 Deny IPs from that can't administrate this server. Separe single IP by comma and IP ranges with hyphens.	adm6_deny=value
Enable 2 point in filenames (may be dangerous)	twopoint
HTTP server
Disable HTTP server.	nomax
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	http_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	http_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	http6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	http6_deny=value
Bind to all addapters	nohttp_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	http_bind=value
Also work through IPv6	httpipv6
Don't restrict speed of outgoing transfer	nohttp_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	http_speed=value
How many another connections must have activity, to check on speed limitation	http_spdusr=value
PHP. Specify location of "php-cgi"	php=path
Run PHP as FastCGI.	fcgi_php
FastCGI ident. The part of a URL that indicates a FastCGI script. Default is ".fcgi"	fcgi_ident=value
Use this group id, to detect FastCGI. Direct 0 to disable using group id.	fcgi_gid=value
Use UNIX socket for FastCGI. Otherwise used localhost TCP socket	fcgi_unix
Directory to create FastCGI UNIX sockets. May be /tmp, /var/tmp, /dev/shm, ...	fcgi_upath=path
Disable share dir.	noshare
Do not show directory listing	nooutdir
Don't break CGI, when connection closed	nbrkcgi
Advanced code for control header.	header=value
Use 'chunked' transfer for SSI.	ssi_chunk
Disable multi stream download for one file.	nomsd
Use gzip packing, if posible.	http_gzip
DLL library ZLib.	gz_lib=path
Pack if size of file great then	gz_low=value
Don't pack files with next sufixes	nogz_ext=value
IP database file for countries features.	ip_base=path
Add REMOTE_COUNTRY variable to CGI/SSI enviroment.	ip_cntr
Enable return country info for '/$_ip2country_$?ip=x.x.x.x' request	ip2cntr_srv
$_ip2country_$ service for authorized users only	ip2cntr_aut
Enable DNS over HTTP(S).	http_doh
No limitation for HTTP	nohttp_ltime
Time per that will calculating limits (in seconds)	http_ltime=value
Limit per IP (Kb)	http_ip_limit=value
Limit per network (Kb)	http_net_limit=value
Total limit for server (Kb)	http_limit=value
Timeout, before resend request again. In milliseconds	dnstimeout=value
TCP/IP port for HTTP server. Usually it's 80	port=##
Number of HTTP requests working simultaneous. Approcsimately 20Kb of memory is reserved for each thread. Usually 12 connections are enought for 3-8 visitors per minute.	max=##
Default file name. Name when requested URL finished by "/". (Wildcards are accepted, such as index.* to allow any index file in folder)	def=name.ext
Error file. Full path to file or script that will be returned if requested file is not found. For CGI or SSI PATH_INFO variable will contents the name of requested file.	error=path\name.ext
Default web foulder.	dir=root_dir_name
Share dir. If you want this dir to be CGI current dir always, direct it here. Otherwise CGI current dir will be CGI script dir.	share=path
*Enable Server Side Includes (SSI) checking in HTML files. By default SSI checking in .sht,.sml,.asp files only. Warning: SSI processing uses more memory, and and creates a small delay**	ssihtm
Key to check SSI in .sht,.sml,.asp* files only.	nossihtm
The limit of receiving by POST method in bytes. Don't direct big value because it's may preoccupy your PC and network.	post_limit=##
Limit of time for CGI execution. In seconds.	cgi_timeout=##
Mime types Define extended mime type for extension. E.g. for .bmp mime type may be image/bitmap *mime=".ext1;mime-type1;.ext2;mime-type2;...;.extN;mime-typeN"*
Virtual hosts and virtual directory Web root dir for specific hostname. You may add many hosts with its own folder. You may add many virtual /directory/ common for all hosts. " The name of virtual directory is to be between two forward-slash (/). *hostpath="hostname;path"* Key may be repeated more then once.
Proxy server
Disable HTTP proxy.	noproxy
TCP/IP port for proxy server.	proxy=#port
How many proxy requests will be working in the same time.	proxy_max=#max
Cache size (Kb). It's memory cache size.	cache=proxy_cach_size
IP ranges for which, this server is avilable. IP adresses through comma and range, low hyphenate high. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	proxy_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	proxy_deny=value
Disable to save cache in hard disk.	noproxy_dir
Cache proxy directory.	proxy_dir=path
For how many days files will be saved. Proxy can delete downloaded files from cache proxy directory after several days of last download. In any case, if user press "Reload" button files download again.	proxy_time=#days
Ignore NO-CACHE in control headers of the pages. HTTP protocol has an opportunity to disable caching for page. Often site holders use this option to calculate the number of vistors. In any case, if user press "Reload" button files download again.	ignocache
Proxy for avtorized users only. Proxy will be available for defined users with proxy access flag only	proxyusers
Disable Proxy server.	noproxy_max
Bind to all addapters	noproxy_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	proxy_bind=value
Also work through IPv6	proxyipv6
Don't save big files. Limit (bytes)	proxy_fsize=value
Calculate days from last access. (Otherwise from the day of download)	proxy_laccess
Don't cache page if request content cookies.	proxy_hrd
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	proxy6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	proxy6_deny=value
Don't restrict speed of outgoing transfer	noproxy_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	proxy_speed=value
How many another connections must have activity, to check on speed limitation	proxy_spdusr=value
Large mode. Useful to hold a lot of data traffic.	proxy_big
Super large mode. New mode to minimize time for search when to many files stored.	proxy_sbig
Number of tries to resume download file after error	proxy_tryes=value
Limit for simultaneous requests from the same host to the same URL. Zero for unlimited.	proxy_same=value
Do not use higher level proxy server.	noupproxy
Higher level proxy server.	upproxy=value
TCP/IP port on up level proxy server.	upproxy_port=value
Higher level proxy server does not require authorization.	noup_user
Higher level proxy user:pasword	up_user=value
For POP3/SMTP/FTP proxy connect through HTTPS higher level proxy.	ever_upproxy
No use higher level proxy for next hosts.	nouphosts=value
Disabled hosts	bad_hosts=value
Proxy session timeout (in second).	proxy_timeout=value
Request gziped, and self unpack if browser don't support it. (Direct where is Zlib in HTTP part of options)	proxy_gzip
Don't use antivirus	noproxy_antivirus
Antivirus host (127.0.0.1 for local)	proxy_antivirus=path
Antivirus port	proxy_avport=value
Check HTML files. (Otherwise proxy will check application only)	proxy_avhtml
Check all files. (Otherwise proxy will check application only)	proxy_avall
No limitation for proxy	noproxy_ltime
Time per that will calculating limits (in seconds)	proxy_ltime=value
Limit per IP (Kb)	proxy_ip_limit=value
Limit per network (Kb)	proxy_net_limit=value
Total limit for server (Kb)	proxy_limit=value
DNS server
Hosts file. See also format of this file	hosts=hosts_file
Disable DNS server.	nohosts
Bind to all addapters for DNS	nodns_bind
IPs and IPv6 to bind for DNS, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	dns_bind=value
Also work through IPv6 for DNS	dnsipv6
Enable DNS over TCP.	dnstcp
IPv6 IPs that can access this DNS server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	dns6_range=value
IPv6 Deny IPs that can't access this DNS server. Separe single IP by comma and IP ranges with hyphens.	dns6_deny=value
Don't save DNS cache on exit.	nodnscachefile
DNS cache file name.	dnscachefile=path
Don't try to recursive find AAAA records. (for networks that don't use Internet through IPv6)	dnsno6
Disable build in DNSBL server	nodns_bld
Host name of build in DNSBL server	dns_bld=value
Detect DoS request. Number of DoS-like requests to block IP	dns_detect_dos=value
A space-separated list of bad hostnames. DoS detection names	dns_dos_hosts=value
Disable recursion.	noreqursion
Size of cache for names in bytes.	dnscache
Recursion call to up level servers only.	dnsupl
Return mailhost as host name, if MX record is not found.	dnsmx
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	dns_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	dns_deny={#.#.#.#[-#.#.#.#],}
FTP server
Disable FTP server.	noftp_max
Bind to all addapters for FTP	noftp_bind
IPs and IPv6 to bind for FTP, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	ftp_bind=value
Also work through IPv6	ftpipv6
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	ftp_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ftp_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	ftp6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ftp6_deny=value
Don't restrict speed of outgoing transfer	noftp_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	ftp_speed=value
How many another connections must have activity, to check on speed limitation	ftp_spdusr=value
Use any free system provided port for a passive data connection	noftp_pasvp
First FTP port for passive data connection. (Range of used ports will be from and including this port depending on the number of simultanious FTP connections)	ftp_pasvp=value
Disable multi stream for one IP	ftp_oone
Convert names with space.	ftp_wospace
Don't use upload directory.	noftp_upload
Enable FTP PORT command to the client's host only. FTP to FTP mode may not work.	ftp_same
Enable FTP proxy.	ftp_proxy
No limitation for FTP in	noftpi_ltime
Time per that will calculating limits (in seconds)	ftpi_ltime=value
Limit per IP (Kb)	ftpi_ip_limit=value
Limit per network (Kb)	ftpi_net_limit=value
Total limit for server (Kb)	ftpi_limit=value
No limitation for FTP out	noftpo_ltime
Time per that will calculating limits (in seconds)	ftpo_ltime=value
Limit per IP (Kb)	ftpo_ip_limit=value
Limit per network (Kb)	ftpo_net_limit=value
Total limit for server (Kb)	ftpo_limit=value
Always ask for a password, even for users without a password	ftp_always_pass
Number of simultaneous requests.	ftp_max=max
TCP/IP port for FTP server. Usually it is 21	ftp_port=port
User session timeout. (in second) Connection will close, if user is idle for this time.	ftp_timeout=#N
Name of upload subdirectory.If FTP directory contents this subdirectory, users with \"read only\" access can still upload files here. E.g. /pub/"	ftp_upload="/dir/"
Enable virtual directories for FTP.	ftp_vdirs
TFTP server setting
Disable TFTP	notftp_max
Public TFTP directory	tftp_dir=path
TFTP port	tftp_port=value
Bind to all addapters	notftp_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	tftp_bind=value
Also work through IPv6	tftpipv6
Total number of files simultaneously open via TFTP.	tftp_max=value
TFTP timeout (seconds)	tftp_timeout=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	tftp_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	tftp_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	tftp6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	tftp6_deny=value
POP3 server setting
Disable POP3 server.	nopop3_max
POP3/SMTP session timeout. (in second). Connection will close, if user is idle for this time.	pop_timeout=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	pop_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	pop_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	pop6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	pop6_deny=value
Bind to all addapters	nopop_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	pop_bind=value
Also work through IPv6	popipv6
Don't restrict speed of outgoing transfer	nopop_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	pop_speed=value
How many another connections must have activity, to check on speed limitation	pop_spdusr=value
Enable POP3 proxy	pop3_proxy
Enable Web mail	wmail
Don't save messages sent throught Web mail in user's folder	nowmailsent
Subfolder to save sent messages	wmailsent=value
Delete messages throught Web mail immediately	nowmailtrash
Trash folder to move deleted messages	wmailtrash=value
Convert pages to UTF-8	wmail_utf
Number of simultaneous requests.	pop3_max=max
TCP/IP port for POP3 server. Usually it is 110	pop_port=port
SMTP server setting
Disable SMTP server.	nosmtp_max
Bind to all addapters	nosmtp_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	smtp_bind=value
Also work through IPv6	smtpipv6
If mailhost of receptor absent, try host	smtp_nomx
It is normal SMTP relay. (Otherwise it is only SMTP proxy)	nosmtpproxy
Higher level SMTP. (SMTP proxy mode)	smtpproxy=value
Do not save sent messages.	nosmtp_sent
For how many days sent messages will be saved. (Zero for keep ever)	sent_time=value
IPv6 Us IP ranges (allowed list) E.g. ::1,FE80::-FEFF::	smtp6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	smtp6_deny=value
Temporary add IP to allowed list after POP3 authorization	smtp_pop_ip
Limit message size. (in bytes).	smtp_msg_limit=value
Don't break connection, when overflow size limit	smtp_nobreak
Enable Generate-Delivery-Report	smtp_conform
Goodlist. Common file with alowed source e-mails, IPs, hosts paterns	goodlist=path
Badlist. Common file with bad source e-mails, IPs, hosts paterns	badlist=path
Graylist. Common file with source e-mails, IPs, hosts paterns that required addvansed checking	graylist=path
Check "goodlist", "badlist" and "graylist" files in user's home directory before receive message	chklists
Text that will be retrived in case when message declined. There you also may direct URL to Web form to direct send message	msgspam=value
Do not use script for incomming/outgoing mail	noantivirus
Antivirus script	antivirus=path
Limit of time for script execution. (in seconds)	run_timeout=value
Break filter (expresion). Variables $msg,$sender,$hello,$control may be checked to stop reciving large message.	antispam=value
Spam filter (expresion). Variables $msg,$sender,$hello,$control may be checked to add IP to spamer's list.	spamfltr=value
Accept messages with wrong return path	nocheckback
Fake e-mail addresses, through coma. If somebody try to send message to these addresses it will be added to spamer's list	fake=value
DNSBL servers. Ask these external spamers list, about remote IP, before receive mail. (May be more then one server through space)	dnsbl=value
Check mailhost of sender (DNS MX record) before receive mail	checkmx
Ignore graylist if message incomme from source mailhost (DNS MX)	mxignbl
How long spamers IPs will active in spamer's list (in seconds)	spam_time=value
No limitation for SMTP	nosmtp_ltime
Time per that will calculating limits (in seconds)	smtp_ltime=value
Limit per IP (Kb)	smtp_ip_limit=value
Limit per network (Kb)	smtp_net_limit=value
Total limit for server (Kb)	smtp_limit=value
No limitation for alowed IPs	nolimitus
Enable receive from foregein IP messages from us domain	uncheckip
Minimal timeout betwen sending messages	time_btw=value
Before receiving an external message, check the SPF record for the domain.	spf_check
Do not accept messages from hosts without an SPF record.	spf_must
Ignore username case in incoming messages	smtp_ign_case
Number of simultaneous requests.	smtp_max=max
SMTP server name. (Domain name)	smtp_name=your.domain.name
Use all virtual hosts as alias domain name.	vhalias
TCP/IP port for SMTP server. Usually it's 25	smtp_port=port
Output path. Directory to store messages before send	smtp_out=path
Sent path. Directory to store messages after sent	smtp_sent=path
Error path. Directory to store messages, that can't be sent	smtp_err=path
DNS server to get mail routing info. (May be your default DNS server)	smtp_dns=#.#.#.#
Alow any "From" field. Otherwise server will send message from user_name@your.domain.name only	smtp_any
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens.	smtp_range={#.#.#.#[-#.#.#.#],}
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	smtp_deny={#.#.#.#[-#.#.#.#],}
Blacklist of E-mail addresses of spamers. Separate addreses by space. Use *@host to block receiving from any address of this host)	*blacklist="u@adr1 @adr2 ..."**
Use instructions from the "forward" file in a user's directory.	forward
Alow execution of applications from user's "forward" file.	fwdrun
Use TLS when sending outgoing message if possible	smtptls
Always use TLS when sending outgoing messages; if not possible, don't send	smtponlytls
Verify the remote certificate signature. (Verfy methods the same as directed in VPN client settings)	smtpchktls
When using SMTP authorization, the sender must be the same as the authorization user.	smtp_authsame
DHCP server setting
Disable DHCP	nodhcp_max
Total IPs avilable to allocate	dhcp_max=value
IP address of DHCP server	dhcp_ip=value
LAN broadcast address for DHCP reply	dhcp_bcast=value
First IPs for allocate	dhcp_first=value
Netmask	dhcp_mask=value
Gateway	dhcp_gate=value
DNS servers	dhcp_dns=value
Domain name	dhcp_name=value
File to save state	dhcp_file=path
DNS should resolve hostnames for IPs that was allocated	dhcp_rdns
Listen only, to store info from another servers for DNS. (never response)	dhcp_lo
TLS/SSL server setting
Disable TLS/SSL server	notls_max
Number of simultaneous requests.	tls_max=value
TCP/IP port for TLS/SSL server. Usually it's 443	tls_port=value
Limit on the number of idle keep-alive connections waiting	keep_alive_max=value
Timeout in seconds for idle keep-alive connection	keep_alive_timeout=value
Check live in seconds for idle keep-alive connection. 0 - use system default. (Supported from Linux 2.4, from Windows 10 v1709)	keep_alive_idle=value
IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. 192.168.0.1-192.168.0.16,127.0.0.1	ssl_range=value
Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ssl_deny=value
IPv6 IPs that can access this server. Separe single IP by comma and IP ranges with hyphens. E.g. ::1,FE80::-FEFF::	ssl6_range=value
IPv6 Deny IPs that can't access this server. Separe single IP by comma and IP ranges with hyphens.	ssl6_deny=value
Bind to all addapters	notls_bind
IPs and IPv6 to bind, through coma. (0.0.0.0 - bind to all IP; ::0 bind to all IPv6)	tls_bind=value
Also work through IPv6	tlsipv6
Don't restrict speed of outgoing transfer	notls_speed
Limit for summary speed of outgoing transfer for all connections from the same IP (KBytes/minute)	tls_speed=value
How many another connections must have activity, to check on speed limitation	tls_spdusr=value
Enable TLS for POP3/SMTP	smtp_tls
Enable TLS for FTP	ftp_tls
DLL library with TLS/SSL. E.g. libsec111.dll	tls_lib=path
Certificate file	tls_cert_file=path
Key file	tls_key_file=path
CA-Path	tls_capath=path
CA-file	tls_cafile=path
Sets priorities for the ciphers, key exchange methods, and macs For GNU TLS and for OpenSSL, the string format is different. For OpenSSL, you can see the format of this line here in the CIPHER LIST FORMAT section. The default is the following line: "TLS_RSA_WITH_AES_256_CBC_SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_AES_256_GCM_SHA384: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384: ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:ALL:!DES:!3DES:!RC2" For GnuTLS, see the string format here	tls_priority=value
Remote administration through sequre HTTPS only	admtls
Web mail through sequre HTTPS only	tls_wmail
HTTP TLS VPN server setting
Disable TLS VPN	notlsvpn
Maximum number of TLS VPN connections working simultaneous.	tlsvpn_max=value
TLS VPN URL name (direct only local part of URL e.g. "/$_vpn_$"). HTTPS requests to this URL will be redirected to VPN	vpn_url=value
Enable TLS VPN on Tun device	vpntun
Enable TLS VPN on Tap device	vpntap
Tun device number	vpn_tun_number=value
Tap device number	vpn_tap_number=value
TLS VPN MTU for tun.	vpn_tun_mtu=value
TLS VPN MTU for tap.	vpn_tap_mtu=value
Tun device pathname	tundev=value
Public access without password. (Otherwise only users with Proxy access can use this service)	vpnpub
Set Tun interface IP address	tun_ip=value
Set Tun interface netmask	tun_nmask=value
Set Tap interface IP address	tap_ip=value
Set Tap interface netmask	tap_nmask=value
Run init script for Tun device	tun_script_up=path
Run init script for Tap device	tap_script_up=path
First IP address to allocate for remote client that connected to Tun. (Optional)	tun_remote_ip=value
Total IP addresses to allocate for remote client that connected to Tun. (Optional. Set to 0 to use external DHCP server, or another methods)	tun_remote_max=value
DNS servers that will be offered to the TUN client.	tun_remote_dns=value
First IP address to allocate for remote client that connected to Tap. (Optional)	tap_remote_ip=value
Total IP addresses to allocate for remote client that connected to Tap. (Optional. Set to 0 to use external DHCP server, or another methods)	tap_remote_max=value
DNS servers that will be offered to the TAP client. (Optional)	tap_remote_dns=value
Fix destination MAC in packets for TAP	tap_fix_map
Set VPN traffic limit per user	vpn_user_limit
Set VPN traffic limit per IP	vpn_ip_limit
Limit of incoming VPN traffic per hour. (Mb)	vpn_limit_in_h=value
Limit of outgoing VPN traffic per hour. (Mb)	vpn_limit_out_h=value
Limit of incoming VPN traffic per day. (Mb)	vpn_limit_in_d=value
Limit of outgoing VPN traffic per day. (Mb)	vpn_limit_out_d=value
Limit of incoming VPN traffic per mounth. (Mb)	vpn_limit_in_m=value
Limit of outgoing VPN traffic per mounth. (Mb)	vpn_limit_out_m=value
Save the state of limits in this file on exit	vpn_limit_fname=path
HTTP TLS VPN client setting
Enable to connect to TLS VPN remote host	vpnclient
Host to connect to remote TLS VPN server	vpn_remote_host=value
TLS VPN remote port. (Usually 443)	vpn_client_port=value
TLS VPN URL name (direct only local part of URL e.g. "/$_vpn_$"). Must be the same as directed on the remote server	vpn_client_url=value
TLS VPN User name	vpn_remote_user=value
TLS VPN Password	vpn_remote_passw=value
VPN client to Tap. (Otherwise Tun)	vpncln_tap
TLS VPN client Tun/Tap device number	vpn_tuntap_number=value
TLS VPN MTU for client.	vpn_client_mtu=value
Set client VPN interface IP address	tuntap_ip=value
Set client VPN interface netmask	tuntap_nmask=value
Run init script when VPN connection estabilished	vpncln_script_up=path
Run deinit script when VPN connection closed	vpncln_script_down=path
Validate remote TLS certificate, check host name	vpncln_chktls
Don't check remote certificate time. Ignore expired. (GNUTLS only)	vpncln_tlsigntime
Accept self signed certificate. (GNUTLS only)	vpncln_tlsssign
SSH style of certificate validate. (GNUTLS only. Public keys of new untracted remote will be stored in ~/.gnutls/known_hosts)	vpncln_tlssshstyle
Users To give FTP, Mail, Administration access you must add users. *user="name;password;home_dir;type_of_access_flags"* Key may be repeated more then once. type_of_access_flags -- It's sequence of next symbol: F -- FTP access -- user can read files from his home directory and any subdirectory via FTP. W -- FTP write access -- user can upload files to his home directory via FTP. N -- Disable add executable mode attribute for files. S -- SMTP. User can send messages via SMTP from user_name@your.domain.name P -- POP3. User will have mailbox. All messages to user_name@your.domain.name will stored in home/mbox directory and available via POP3. A -- This is administrator. -- He has full access to administration's pages, can add users, change access rights etc... H -- Proxy. Access to proxy. If the name of user is known to system (present in /etc/password, /etc/shadow), the server will try to switch current user to this user, when he logon to FTP. Otherwise server will try switch current user to the user named "ftp" For FTP access you can add anonymous user without password In this case just skip password. E.g.: user=anonymous;;/usr/pub;FWN user=ftp;;/var/readonly;F

Please note that there shouldn't be spaces before and after "=". If a parameter you are entering contains spaces make sure that you put them in quotes. Here is an example of a correct command line:
httpd.exe port=1080 def=index.html nolog Here is an example of configuration file: log=/var/log/http.log max=12 def=index.stm @www.cfg # include other configuration file hostpath=www.name.www;/var/www1 hostpath=max.name.www;/var/WWW2 # End of file

Contents

Allowed and denied IP ranges.

For each server, you can specify allowed and prohibited IP addresses. Also specify general allowed and prohibited IP ranges to block or allow access to all TCP servers, as well as ranges that define the IP addresses from which web administration is available. Addresses directed through coma. You might direct one address or range. Example: 127.0.0.1,192.168.0.1-192.168.0.255

HTTP,FTP,POP3,Proxy will receive request from IPs that include in allowed list and exclude denied list.

SMTP will receive the message for own domain (incoming for own users) from any addresses, exclude denied. The messages to send outside, it will get from allowed IPs only If you don't want get any messages from some IP -- just add it to denied list.

DNS server also retrieve local records to anybody, but recursion searching it do for IPs from allowed list only.

Contents

Limits.

You can limit traffic for HTTP, Proxy, SMTP and FTP. To do this, in the settings, specify the time for which the limit will be set and the values for the IP address, the network of this IP address and the general limit for the service. Please note that if the limit is exceeded, data exchange will not be interrupted until the file is transferred completely. If the limit is overflowed, the following requests will be rejected within the time calculated based on the overflow value.

Contents

Running scripts.

Requested files that contents CGI identefer in pathname will be executed. If option "Run 'system' files" selected then files with attribute 'system' will be executed too. CGI/1.1 standards are supported, for reference please consult rfc3875 . When running a script, request line parameters are transferred both in command line and in QUERY_STRING environment variable. The script transfers data directly to the client that requested it. A script should output Content-Type: type\r\n or Location: url. There could be some auxiliary lines like Content-Length: xx\r\n or Date:. These data end in \r\n\r\n. If you use C or Perl please note that in text mode output functions automatically transform \n to \r\n. Pascal writeln function also completes output with these symbols. (\r = [CR] = 0x0D; \n = [LF] = 0x0A )

Contents.

Server Side Includes (SSI)

SSI can greatly increase your capabilities allowing you to dynamically insert results of CGI scripts in any place of a document being shown to the user.

When a remote client requests a *.sht, *.shtm or *.shtml file, the server returns it by processing the SSI tags it contains.

SSI tags have the following format:


HTTP or request form variables can be put into the "value" field. Variable name starts with $ and can be later put in braces {} if you wish to concatenate the variable value with subsequent text (excepting spaces). For instance , $USER_AGENT contains browser type, and if you want to concatenate it with "_12345", use "${USER_AGENT}_12345". When using symbols like $, \, " make sure you place \ before them: $ - \$, \ - \\, " - \" etc. If a variable can't be evaluated, it replaced with the "undefined" value.

Current server version supports the following tags:

include


Both variants include the content of file_name in the document. In first case it looks for the document from the web root directory, in the second case you can define a path for the document. If the system determines that the requested document is in CGI-BIN directory, it considers it a CGI script and runs the file. If the file_name contains the "?" symbol, the string after it is transmitted as a request with parameters which should be processed by your script.

exec


Runs the script like with "include" tag.

fsize & lastmod








Shows file size and last modified date. Size can be rounded up to Kilobytes or Megabytes.
Date can by formated as you like. Next format keys are defined:

Key	Description	Range
d	Day of the month, 2 digits with leading zeros	01 to 31
j	Day of the month without leading zeros	1 to 31
m	Numeric representation of a month, with leading zeros	01 through 12
n	Numeric representation of a month, without leading zeros	1 through 12
Y	A full numeric representation of a year, 4 digits	1970 through 9999
y	A two digit representation of a year	00 through 99
a	Lowercase Ante meridiem and Post meridiem	am or pm
A	Uppercase Ante meridiem and Post meridiem	AM or PM
g	12-hour format of an hour without leading zeros	0 through 12
G	24-hour format of an hour without leading zeros	0 through 23
h	12-hour format of an hour with leading zeros	01 through 12
H	24-hour format of an hour with leading zeros	00 through 23
i	Minutes with leading zeros	00 to 59
s	Seconds with leading zeros	00 through 59

echo

Prints variable value.

printenv

Outputs the values of all variables.

break

Breaks procession of the document.

if -- elif -- else -- endif

text

text

text
...

text


The text will be either shown or not depending on the outcomes of specified conditions. The conditions can consist of variables and values as well as different logical operators between them:

! -- "Not"
= or == -- "Equal to"
!= -- "Not equal to"
<,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to".
~ -- "Part of..." str1 ~ str2 -- the result is true, if the string str2 is the part of string str1
str1 =~ /pattern/ig -- pattern it is Regular expressions. The result is be true, if in the string str1 has been found substring equal by pattern.
&& --"AND"
|| --"OR"

elif and else operators can be omitted, elif can be repeated as many times as you need. It's necessary to put the endif tag at the end of your statements.

set

Sets or changes the value of the variable. Although, try not to use this feature too often because the number of variables and memory allocated for them is somewhat restricted.

Contents

Regular Expressions

A pattern search is available to check incoming variables. A pattern is a regular expression with the accepted Unix syntax. A regular expression is a substring to be found that may also contain metacharacters and variables. The following metacharacters are understood:

^ -- begin of line.

. -- any char except new line.

\ -- if next character is metacharacter it undesten as just character. E.g. "\." is just point. Also known the following sequensies:

\n -- new line
\r -- return
\t -- tab
\\ -- \ - slash
\x## -- hex code of char.
\o### or \0### -- octal code of char.
\### -- decimal code of char.

[] -- The square brackets may indicate available or unavailable values for the next character: If the first character in the brackets is "^", it means that the character can be any except the other characters specified in the brackets. Otherwise, the character can only be one character from the brackets. "-" inside the brackets means all characters from the preceding "-" to the character after "-". The "\" character inside the brackets also changes the interpretation of the next character. Examples:

[0-9] -- means any number.
[a-zA-Z] -- means any letter.
[^@$\-\n\o007\x01] -- means any symbol except @,$,-,new line, and symbols with codes 7 and 1.

() -- prescribe to save substring by pattern inside bracket for using in futures. The founded substring will be avilable as variables from $1 to $9. The last result also avilable as $+ . The string before last result avilable as $` . The string after last result avilable as $'

| -- or.
A repeater may be specified after the metacharacter:

* -- repeat 0 or more times.

+ -- repeat 1 or more times.

? -- may be absent

{n} -- repeat n times.

{n,} -- repeat n or more times.

{n,m} -- repeat at least n but not more then m times. After any repeater, you can use another modifier "?", which reduces the pattern distribution to the first possible match. Without this modifier, the pattern part greedily takes all the characters that match it. An example when finding in string '123abcdefff567'

with pattern /([a-z]*)/ $1 will be "abcdefff"
with pattern /([a-z]*)f/ $1 will be "abcdeff"
with pattern /([a-z]*?)f/ $1 will be "abcde"

At the end of the pattern, after the last slash, modifiers can be placed. The program understands the following modifiers:

i -- case-insensitive pattern

v -- Force clearing of the variable list ($1-$9). Without this modifier, the program will clear the list in new logical expressions when it starts checking the first regular expressions in this logical expression.

c -- Force clearing of the variable list ($1-$9) before starting. There can be multiple regular expressions in one logical expression. By default, they all use the same variable list, and for example, if the first expression filled $1 and $2, the second may only fill $3. Using this modifier, the expressions will fill the variables starting with $1, regardless of the result of the previous part of the logical expression.

Also next function available:

exist(filename) - returns 1 if file exist, otherwise 0.

fsize(filename) - returns size of the file.

ftime(filename) - returns time of last modification of the file in seconds from 01.01.1971.

fmode(filename) - returns access mode of the file.

Contents

IP Country Database Functions

The program can show statistic by countries and server may add REMOTE_COUNTRY variably with country name to SSI/CGI enviroment. IP-contry database need for these features. Download and unzip it. Then in server's options direct where is it. Fast search will not delay SSI and CGI execution. The program does not garanted valid country detection for evry time, but in many cases it will be. For IP addresses that absent in the database the server show "unknown" instead country name.
Also, if enabled in the settings, /$_ip2country_$ and /$_ip2country_$?l=h http queries returns the user's country.
This request maintains an 'l=' variable, that may be 'h' - for html reply, 'j' - for javascript reply, and any other value for just text reply.
You can include Javascript variation as <script src=/$_ip2country_$?l=j > in your web pages to use the country name in your scripts. The answer will be in the following format:

var county_code="CC",country="Country name",country_ip="127.0.0.1";

Contents

Proxy

If hard disk cache enabled server will store all incomming files except authorized pages. Server can delete downloaded files from cache proxy directory after several days of last download. See also command line keys descriptions

Contents

DNS server

This version contains a DNS server. To run it, you must specify the description file hosts. On the one hand, the file format can be extremely simple and compatible with the system hosts file, and on the other hand, it can correspond to the master file format recommended by RFC 1035. For compatibility with the system hosts file, each line can contain an IP address and a host name. Comments begin with the symbol '#'. The domain name in this file can begin with '*.' to describe all subdomains. Example:

# Here is an example of hosts file for local network.

194.45.68.21 www.max.local
194.45.68.21 max.local
194.45.68.20 *.max.local
194.45.68.22 www.boss.local
194.45.68.23 serg.local
194.45.68.26 www.serg.local
194.45.68.24 *.andy.local
194.45.68.25 *.mary.local
# etc ...

# To create your own dialup network add last record:
194.45.68.20 * # -- Redirect all unknown incoming request to 194.45.68.20

# end of hosts file

Each line may also contain a domain name and a resource record (RR) description. A comment may begin with ';' The following records are supported:
$ORIGIN <domain-name>
$TTL <validate-time> -- a 32 bit unsigned integer that specifies the time interval (in seconds) that the resource record may be cached before it should be discarded.
$SLAVE <domain-name> <ip-address-of-master> [<filename>] -- Work as slave DNS server for this domain. Download full domain from master
$IF_DOWN <host:port> <interval> Old.IP=New.IP -- By this option server will try to connect to the host:port for time interval (in seconds), and if fail in each record with Old.IP it will replasing to New.IP.
[<domain-name>] <blank> [<TTL>] IN <type> <RDATA>
Unlike the RFC recommendation, to describe a domain, you must specify the full <domain-name> ('@' is not interpreted, the final dot may be omitted). You can also omit <domain-name>, in which case the previous name will be used. Unlike the RFC recommendation, you must specify the "IN" class for each line in the RR format. <type> may be:

A <IP-address> - a host IPv4 address

AAAA <IPv6-address> - a host IPv6 address

NS <full-name> - an authoritative name server

CNAME <full-name> - the canonical name for an alias. The 'A' record for original name MUST present in this file.

SOA <full-name> <e-mail by owner> (<SERIAL>,<REFRESH>,<RETRY>,<EXPIRE>,<MINIMUM>) - marks the start of a zone of authority

MX <preference> <full-name> - mail exchange. <preference> a number from 1 to 255. The server with the lower value is chosen first.

PTR <full-name> - a name. Host at left side must be #.#.#.#.in-addr.arpa

TXT text

SPF text

CAA 0 [issue|issuewild] server

TLSA usage selector matching_type data ^{* See more in TLS caption.}

TYPEnumber \\# length hex hex hex... - for new, unknow types.
Other types are ignored.
The server also automatically supports PTR queries if the requested PTR record is missing. The server returns RDATA for the response from the first "A" record with that IP address or from lines compatible with the system hosts file. For each record type, the domain name can begin with the "*." pattern to cover all subdomains. The server supports "*" queries to return all information about a domain. For a domain with a wildcard, the response will also contain the wildcard. For other queries, the response will contain the requested domain without the wildcard.

The server can support recursive calls. To allow searching for any domain, you MUST specify NS records for the root servers. If you check "Recursive calls only to top-level servers", you must specify the DNS server of your provider, not the root servers, and the program will only contact these servers. Without this setting, the server itself will sequentially send requests to servers in other zones. Example:

# Here is an example of hosts file for export domain to Internet,
# and resolve other names.

; First, lines holds the information on root name servers needed to
; initialize cache of Internet domain name servers

.                  IN  NS a.root-servers.net
a.root-servers.net IN  A  198.41.0.4
.                  IN  NS b.root-servers.net
b.root-servers.net IN  A  128.9.0.107
.                  IN  NS c.root-servers.net
c.root-servers.net IN  A  192.33.4.12
.                  IN  NS d.root-servers.net
d.root-servers.net IN  A  128.8.10.90
.                  IN  NS e.root-servers.net
e.root-servers.net IN  A  192.203.230.10
.                  IN  NS f.root-servers.net
f.root-servers.net IN  A  192.5.5.241
.                  IN  NS g.root-servers.net
g.root-servers.net IN  A  192.112.36.4
.                  IN  NS h.root-servers.net
h.root-servers.net IN  A  128.63.2.53

; Now declare our domain

$TTL 86400  ;TTL - 24 hours

somedomain.net IN SOA  somedomain.net max@somedomain.net (
 2002120602 ; Serial
 36000      ; Refresh
 3000       ; Retry
 36000000   ; Expire
 36000      ; Minimum
 )
  IN NS   ns.somedomain.net
  IN NS   ns2.somedomain.net
  IN MX 1 relay1.somedomain.net
  IN MX 2 relay2.somedomain.net
  IN A 192.168.12.1

ns.somedomain.net     IN A 192.168.12.1
ns2.somedomain.net    IN A 192.168.12.2
relay1.somedomain.net IN A 192.168.12.1
relay2.somedomain.net IN A 192.168.12.2

pc2.somedomain.net    IN A 192.168.12.2
  IN NS   ns2.somedomain.net
  IN MX 1 relay1.somedomain.net

*.somedomain.net      IN A 192.168.12.1
  IN NS   ns.somedomain.net
  IN NS   ns2.somedomain.net
  IN MX 1 relay1.somedomain.net
  IN MX 2 relay2.somedomain.net


; also this file may contents lines in next format:
192.168.12.1 www.max.local
192.168.12.2 max.local
192.168.12.1 *.max.local

$SLAVE domain2.name 192.168.12.8 domain2.name.txt
$IF_DOWN 192.168.12.2:80 300 192.168.12.2=192.168.12.1


# end of hosts file

SMTP server

The SMTP server can:

Accept messages for specified users. The recipient address must be username@your_domain_name These messages are stored in the user's home directory/mbox folder and are accessible via POP3.

Accept messages from its users for any user. The sender address must be username@your_domain_name You can also allow any user to accept messages from any user and limit the range of remote IP addresses for which this type of message is allowed. To obtain mail routing information, the SMTP server contacts the DNS server. You must specify the DNS IP address in the settings.

You can add spammer addresses to the blacklist. Messages from these addresses will never be accepted. The server also supports general and personal lists of blocked and allowed addresses. The names of the common lists can be specified in the settings. Also in the settings you can enable checking of personal files named "badlist" and "goodlist" in the user's home directories. Each line in these files can be:

E-mail address or any part of address.
IP address or part of IP address.
? Logical expresion where you may do action with $sender, $hello, $control variables.
- $sender -- return address
- $hello -- self identification from remote server.
- $control -- full identification line in flowing format:
  "From sender (remote_hello [IP]) date and time For receptors\r\n"
- $check_spf -- Checks the SPF (Sender Policy Framework rfc4408) record for the domain. The value can be:
  - 1 - the IP address is valid for the domain;
  - 0 - no SPF record;
  - -1 An SPF record for the domain was found, but the sender's IP address was not found in the record;
  - -2 An SPF record for the domain was found, and a soft rejection is required for this IP;
  - -3 An SPF record for the domain was found, and a hard rejection is required for this IP.
?? List of DNSBL servers

Example:

# Begin of file
@yahoo
4.79.181.
67.28.113.
one@address.com
lotto
? $sender == spamer@address
? ! $hello =~ /.+\.[a-z]{2,4}/
? $control =~ /\[64.156.215.*\]/
# End of file

You can allow the server to check the user's "forward" files to forward or filter messages.
A file named "forward" can be placed in the user's home directory. If enabled, the server parses each line of this file and recognizes the following instructions:

#if expression -- next lines will be checked if expression is true

#elif expression -- if previous condition is false then next lines will be checked if expression is true

#else -- next lines will be checked if previous condition is false

#endif -- end of conditions block

#mv where -- move message

#cp where -- copy message

#rm -- remove message

# anything -- comment

!/usr/bin/path/application {params} -- execute "/usr/bin/path/application {params} users_home/mbox/name.msg". If executing is enable in options only.

to1@host1 {toN@hostN} -- redirect message to this addresses.
The conditions can consist of variables ($size_kb -- size of message in KB;
$in_text(text to find) -- is true if the text was found in the message;
$text -- full text with head;
$body -- message body;
$errorlevel -- the value returned by last external script or zero if no successful runs before) and values as well as different logical operators between them:
! -- "Not"
= or == -- "Equal to"
!= -- "Not equal to"
<,>,<=,>= -- "Less than", "Greater than", "Less than or equal to", "Greater than or equal to".
is the part of string str1
&& --"AND"
|| --"OR"

str1 =~ /pattern/ig -- pattern it is Regular expressions. The result is be true, if in the string str1 has been found substring equal by pattern.
Space and back-slash (' \') at end of line mean continues current command at next line.
Example:

# Here is the example of forward file.

#if  $in_text(boss@address)
!/usr/bin/perl/bin/perl.exe autoreply.pl
#endif

#if $in_text(100% FREE)
!deltree /Y
#elif $size_kb <= 20 && ! ( $in_text(boss@address) || $in_text(@private.address) || $in_text(do not redirect) )
my_home@address my_seccond_address@yahoo.com
#else
!/usr/bin/perl/bin/perl.exe check.pl
#endif

# End of forward file

Antivirus script have same format as forward file, but unlike forward file it checking before sending each message. Example:

# Here is the example of antivirus file.

#if  $text =~ /Content-Transfer-Encoding: ["`]?base64[\001-\xFF]*?\n\r?\nTVqQAAMA/

#if  $text =~ /name=.*\.pif/
#mv c:\probably\virus
#else
!c:\DrWeb\drwebcl.exe /GO /TM- /WA- /TB- /ML
#endif

#elif $body =~ /<script language=/ && $body =~ /<!DOCTYPE HTML/
#mv c:\probably\spam
#endif

# End of file

Break-filter destined to break receiving long size spam messages.
Break-filter it is logical expression that may do checking after server will receive first 8Kb of the message. If the result of this expression is true, the continues of the message will not be next received, to the "Subject" header's field will be added "[SPAM]", combination of "sender+IP address+server's hello+receptions" will be placed to the temporary bad list, and next tries to send the same messages will be stopped before begin of data transfer.
Inside expression next variables may be used:

$msg -- first 8Kb of the message

$sender -- return address

$hello -- self identification from remote server.

$control -- full identification line in flowing format:
"From sender (remote_hello [IP]) date and time For receptors\r\n"
You may include the same actions as in '#if' operator: ||,&&,<,>,>=,<=,==,!=,=~
The example:

 (! ( $msg =~ /^From:[^\n\r]*<([^>\n\r]+)>/i ||
      $msg =~ /^From:[ \t]*([^\n\r]+)/          )
 )
 || $1 != $sender
 || $msg =~ /^Subject:[^\n\r]*New site|You are win/i
 || $msg =~ /to|for[ \r\n\t]+unsubscribe[ \r\n\t]+[ \r\n\t]+press|go|open|reply|do not/i

In this example: first four lines check does field 'From' is present in the message, and get address from this field, and this address must be the same as sender address (return path); Next line search in the field Subject "New site" or "You are win"; and last line try to detect some strings like "To unsubscribe do something..."
If any of these condition will be true the message will be detect as spam. See also command line keys descriptions

POP3 Server and POP3 Proxy Server

POP3 server provides access to incoming mail. If POP3 proxy is enabled, users can configure their mail program to receive mail from another remote POP3 server via this POP3 server. To do this, the user parameter in the client program must be as follows: local_user@remote_user@remote_host
The password must be as follows: local_password@remote_password
Or the @remote_password part can be added to the user parameter. You can use '#' anywhere instead of '@'.

If webmail is enabled, users with POP3 access can use it at the URL http://host.name/$_wmail_$ . Webmail is only accessible from IP addresses in the POP3 range.

FTP Server and FTP Proxy Server

The FTP server provides access to users' home directories, and if the option "Enable virtual directories for FTP" is selected, then access is provided to private virtual directories. Public virtual directories are not accessible via FTP.
If the FTP proxy server is enabled, users can configure their FTP client program to work with a remote FTP server via this FTP server. To do this, the user parameter in the client program must be as follows: local_user@remote_user@remote_host
The password must be as follows: local_password@remote_password
Or the @remote_password part can be added to the user parameter. You can use '#' anywhere instead of '@'.
Some FTP clients (for example, the FTP plugin for Far Manager) support a similar type of FTP proxy. In this client, you can specify the firewall settings your_host:FTP_port and direct FTP address as follows: ftp://local_user#remote_user:local_password#remote_password@ftp_host/

TLS/SSL server

The server does not contain built-in TLS/SSL cryptographic functions, but includes an interface for connecting an external TLS/SSL library. You can connect OpenSSL or GNU TLS to the server. In the program settings, you can specify one of the included libraries libsec111.so or libsecgnutls.so, which use the OpenSSL and GnuTLS libraries, which are usually included in Linux distributions. A certificate is required for these libraries to work.
A simple and free way to get it is to generate a self-signed certificate, for example, using OpenSSL:


openssl genrsa 2048 > ks.key
openssl req -x509 -new -key ks.key -days 3650 > ks.pem

ks.pem -- is result file that may be used as "Certificate file"
ks.key -- is result file that may be used as "Key file"
A self-signed certificate does not guarantee security. An attacker on intermediate routers can insert a bidirectional proxy into your connection, substituting their certificate for yours, and the browser will not be able to recognize that it is not your certificate.
To avoid this, you need to obtain certificates from an issuer known to browsers. Some browsers or TLS clients may support the DANE method (RFC6698) for verifying certificates. This method requires adding special DNS records for your domain. The format of these records is as follows:
_port._base_protocol.host.name IN TLSA usage selector matching_type data

usage for self signed this domain certificate must be 3.

selector may be:

0 -- Full certificate: the Certificate binary structure as defined in RFC5280

1 -- SubjectPublicKeyInfo: DER-encoded binary structure as defined in RFC5280

matching_type may be:

0 -- Exact match on selected content

1 -- SHA-256 hash of selected content RFC6234

2 -- SHA-512 hash of selected content RFC6234

data can be generated with help openssl and sha256sum:
Selector=0 (full certificate)

openssl x509 -in ks.pem -outform der | sha256sum

Selector=1 (subject public key)

openssl x509 -in ks.pem -pubkey -noout | openssl rsa -pubin -outform der | sha256sum

Examples of TLSA DNS records:

_443._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
_443._tcp.www.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
_25._tcp.smallsrv.com. IN TLSA ( 3 0 1 1ebec2c8434a67e0cbf35619819367067d5a852569666d4f6b222f722cc7cb65 )
_110._tcp.smallsrv.com. IN TLSA ( 3 1 1 5bdd89111e62a72c946d47a91e7a17aec3102d41a2523e04b510a83cebffdf1a )

HTTP TLS VPN server and client

Now this program can create a VPN channel inside an HTTPS connection.

How does it work?
On the host where the HTTP server is used, you can enable the VPN server in the settings. On other hosts you can install the program and enable the VPN client (only the VPN client is possible). Clients access the server using the HTTPS protocol, request a URL like this: https://hostname.etc/$_vpn_$/. You can choose any URL name by which the server will determine that this is a VPN request. When the HTTP server detects a VPN request, it passes the connection to the built-in VPN server.

TAP and TUN
The server supports both VPN types, and both VPNs can run simultaneously, but each type must be on its own subnet. The client can choose only one type, TUN or TAP, and it reports the required type to the server when connecting.
What is the difference? On a TAP connection, each packet also includes a 14-byte Ethernet header. This gives some advanced features, e.g. The TAP interface can be included in the bridge, and any type of packet can be broadcast through TAP. The TUN connection only supports IPv4 and IPv6 packets.

Link between clients
In this version, the server does not filter anything. Communication between clients will work and may be filtered by an external firewall.

Connection between Linux and Windows
Linux and Windows VPN use the same protocols and can be connected to each other.

Tap driver for Windows.
Windows does not have a built-in TUN/TAP driver. An external driver is required. This program works with the free and open source TAP-Windows driver from the OpenVPN project. It is available here. (Select Tap-Windows-9.24.7 for your system). If you want to set up the server on a Windows machine and use both TUN and TAP adapters, add the two adapters after installing the driver. If you are already using OpenVPN and want to use this server, add new adapters for it. In the server settings, you can specify a zero-based TAP adapter index or a network connection name. An easy way is to specify the index and leave the connection name blank, the server will fill it in automatically. The server MUST be started with administrator rights on first startup to access the driver. .

Scripts.
The VPN server and client can run scripts in three cases:

When the server initializes the TUN/TAP adapter. In this case, the arguments are as follows: Interface_name IP address Subnet_mask Gateway In this case, the gateway is the same as the IP address.
When the client connects to the server and establishes a connection. In this case, the arguments are as follows: Interface_name Interface_name IP_address Network_mask Gateway DNS_servers IP_address of the remote_vpn_server
When the client connection is closed. In this case, the arguments are: Interface_name Interface_name IP_address of the remote_vpn_server IP_address

Authorized access.
You can select the option to make the HTTP TLS VPN server publicly available to anyone who knows the URL. Otherwise, the server will require HTTP authentication. In the server settings, you must add a user with "Proxy" access, and in the client settings, specify the username and password.

Security library.
The external libraries seclib111 and seclibgnutls have been updated. Older versions will not work with VPN, as they lack the necessary functions. If you were using an older version of the server and want to use VPN, update the library.

Server certificate verification.
If you want to enable server certificate verification, you need to specify a directory with trusted certificates in the TLS/SSL settings. You can put the remote server certificate or root certificates there. If you are using OpenSSL, you will need to generate hashes for your certificates. Run:

openssl rehash -compat -v path_to_this_directory

If you are using GnuTLS, there are some additional options, for example, you can disable certificate time verification and enable SSH-style verification. In this case, the host certificate will be accepted as valid on the first connection, and its public key will be saved. On subsequent connections, the public key will be verified.

MTU
In the Linux version, you can specify the MTU for each interface. In the Windows version, the same can be done using external tools for the "Network connection" parameter. For speed, it is probably best to choose an MTU smaller than the actual MTU (usually 1500) for the header sizes (14-byte Ethernet header for TAP, IP headers, TCP, TLS, and the server adds 2 bytes to each packet). But I think the best way is to set a large MTU. For example, 9000 or even 15000. In this case, TLS will accept large packets, encrypt them, and when transmitted at the IP layer, they will be divided into packets according to your actual Ethernet MTU value. On the other hand, when several clients are connected, a large MTU value may prioritize the transfer of large files to the detriment of those who do not transfer large files.

Contents

Conclusion

Finally, I want to express my deepest respect to the developers of the GNU C++ compiler. It is this compiler that compiled this program. I thank GNU for giving me the opportunity to write programs with the best compiler. You can visit the GNU resources:

GNU — GNU itself.

M. Feoktistov

Contents