* Dynamically extend channel limits -- m_extendchans
* Find channel forwards -- m_findforwards
* /identify support -- m_identify
+ * /locops support -- m_locops
* Opers cannot be invisible (umode +i) -- no_oper_invis
* Far connection notices (snomask +F) -- sno_farconnect
* Remote k/d/x line active notices -- sno_globalkline
#loadmodule "extensions/m_extendchans";
#loadmodule "extensions/m_findforwards";
#loadmodule "extensions/m_identify";
+#loadmodule "extensions/m_locops";
#loadmodule "extensions/no_oper_invis";
#loadmodule "extensions/sno_farconnect";
#loadmodule "extensions/sno_globalkline";
*/
#vhost6 = "2001:db7:2::6";
- /* ssl_private_key: our ssl private key */
- ssl_private_key = "etc/ssl.key";
-
- /* ssl_cert: certificate for our ssl server */
+ /* ssl_cert: certificate (and optionally key) for our ssl server */
ssl_cert = "etc/ssl.pem";
+ /* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
+ #ssl_private_key = "etc/ssl.key";
+
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
ssl_dh_params = "etc/dh.pem";
max_number = 1;
/* sendq: servers need a higher sendq as they are sent more data */
- sendq=2 megabytes;
+ sendq = 2 megabytes;
};
/* listen {}: contain information about the ports ircd listens on (OLD P:) */
* encrypted | password is encrypted with mkpasswd
* spoof_notice | give a notice when spoofing hosts
* exceed_limit (old > flag) | allow user to exceed class user limits
- * kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls
+ * kline_exempt (old ^ flag) | exempt this user from k/g/xlines,
+ * | dnsbls, and proxies
* dnsbl_exempt | exempt this user from dnsbls
+ * proxy_exempt | exempt this user from proxies
* spambot_exempt | exempt this user from spambot checks
* shide_exempt | exempt this user from serverhiding
* jupe_exempt | exempt this user from generating
};
connect "ipv6.lame.server" {
- /* Hosts that are IPv6 addresses must be in :: shortened form
- * if applicable. Addresses starting with a colon get an extra
- * zero prepended, for example: 0::1
- */
+ host = "192.0.2.1";
host = "2001:db8:3::8";
send_password = "password";
accept_password = "password";
port = 6666;
- /* aftype: controls whether the connection uses "ipv4" or "ipv6".
- * Default is ipv4.
+ /* aftype: controls whether the outgoing connection uses "ipv4" or "ipv6".
+ * Default is to try either at random.
*/
aftype = ipv6;
class = "server";
* notified upon connect if they are being scanned.
*
* WARNING:
- * These settings are considered experimental, and as of this writing, the
- * Charybdis scanner is not as comprehensive as the one available in HOPM. Only
- * basic SOCKS4 and SOCKS5 scanning is performed on a few well-known ports. You
- * may disable the open proxy scanning feature by deleting this block if you are
- * uncomfortable with this.
+ * These settings are considered experimental. Only the most common proxy types
+ * are checked for (Charybdis is immune from POST and GET proxies). If you are
+ * not comfortable with experimental code, remove or comment out the *entire*
+ * block below to disable the proxy scanner.
*/
opm {
/* IPv4 address to listen on. This must be a publicly facing IP address
* to be effective.
* If omitted, it defaults to serverinfo::vhost6.
*/
- #listen_ipv6 = "0::1";
+ #listen_ipv6 = "::1";
/* IPv6 port to listen on.
* This should not be the same as any existing listeners.
*/
#port_ipv6 = 32000;
- /* You can also set a port directive which will set both the IPv4 and
- * IPv6 ports at once.
+ /* You can also set the listen_port directive which will set both the
+ * IPv4 and IPv6 ports at once.
+ */
+ listen_port = 32000;
+
+ /* This sets the timeout in seconds before ending open proxy scans.
+ * Values less than 1 or greater than 60 are ignored.
+ * It is advisable to keep it as short as feasible, so clients do not
+ * get held up by excessively long scan times.
+ */
+ timeout = 5;
+
+ /* These are the ports to scan for SOCKS4 proxies on. They may overlap
+ * with other scan types. Sensible defaults are given below.
+ */
+ socks4_ports = 80, 443, 1080, 8000, 8080, 10800;
+
+ /* These are the ports to scan for SOCKS5 proxies on. They may overlap
+ * with other scan types. Sensible defaults are given below.
+ */
+ socks5_ports = 80, 443, 1080, 8000, 8080, 10800;
+
+ /* These are the ports to scan for HTTP CONNECT proxies on (plaintext).
+ * They may overlap with other scan types. Sensible defaults are given
+ * below.
+ */
+ httpconnect_ports = 80, 8080, 8000;
+
+ /* These are the ports to scan for HTTPS CONNECT proxies on (SSL).
+ * They may overlap with other scan types. Sensible defaults are given
+ * below.
*/
- port = 32000;
+ httpsconnect_ports = 443, 4443;
};
/*
/* dots in ident: the amount of '.' characters permitted in an ident
* reply before the user is rejected.
*/
- dots_in_ident=2;
+ dots_in_ident = 2;
/* min nonwildcard: the minimum non wildcard characters in k/d/g lines
* placed via the server. klines hand placed are exempt from limits.
stats_e_disabled = no;
/* stats c oper only: make stats c (connect {}) oper only */
- stats_c_oper_only=no;
+ stats_c_oper_only = no;
/* stats h oper only: make stats h (hub_mask/leaf_mask) oper only */
- stats_h_oper_only=no;
+ stats_h_oper_only = no;
/* stats y oper only: make stats y (class {}) oper only */
- stats_y_oper_only=no;
+ stats_y_oper_only = no;
/* stats o oper only: make stats o (opers) oper only */
- stats_o_oper_only=yes;
+ stats_o_oper_only = yes;
/* stats P oper only: make stats P (ports) oper only
* NOTE: users doing stats P will never be given the ips that the
* server listens on, simply the ports.
*/
- stats_P_oper_only=no;
+ stats_P_oper_only = no;
/* stats i oper only: make stats i (auth {}) oper only. set to:
* yes: show users no auth blocks, made oper only.
* masked: show users first matching auth block
* no: show users all auth blocks.
*/
- stats_i_oper_only=masked;
+ stats_i_oper_only = masked;
/* stats k/K oper only: make stats k/K (klines) oper only. set to:
* yes: show users no auth blocks, made oper only
* masked: show users first matching auth block
* no: show users all auth blocks.
*/
- stats_k_oper_only=masked;
+ stats_k_oper_only = masked;
/* map oper only: make /map oper only */
map_oper_only = no;
away_interval = 30;
/* certfp_method: the method that should be used for computing certificate fingerprints.
- * Acceptable options are sha1, sha256 and sha512. Networks running versions of charybdis
- * prior to charybdis 3.5 MUST use sha1 for certfp_method.
+ * Acceptable options are sha1, sha256, spki_sha256, sha512 and spki_sha512. Networks
+ * running versions of charybdis prior to charybdis 3.5 MUST use sha1 for certfp_method.
+ *
+ * The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does
+ * not change unless the private key is changed. This allows the fingerprint to stay
+ * constant even if the certificate is reissued. These fingerprints will be prefixed with
+ * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type.
*/
- certfp_method = sha1;
+ certfp_method = spki_sha256;
/* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */
hide_opers_in_whois = no;