opm: add support for HTTPS CONNECT proxies.

[solanum.git] / doc / ircd.conf.example

diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example
index ef779228d821cf234042dbd4ff1b05fe1f1b95a4..f54ff128be34807acef6a19fa4f6beee982a4d42 100644 (file)
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@@ -28,6 +28,7 @@
 #loadmodule "extensions/m_extendchans";
 #loadmodule "extensions/m_findforwards";
 #loadmodule "extensions/m_identify";
+#loadmodule "extensions/m_locops";
 #loadmodule "extensions/no_oper_invis";
 #loadmodule "extensions/sno_farconnect";
 #loadmodule "extensions/sno_globalkline";
@@ -195,15 +196,17 @@ auth {
         * encrypted                  | password is encrypted with mkpasswd
         * spoof_notice               | give a notice when spoofing hosts
         * exceed_limit (old > flag)  | allow user to exceed class user limits
-        * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines&dnsbls
-        * dnsbl_exempt               | exempt this user from dnsbls
-        * spambot_exempt             | exempt this user from spambot checks
-        * shide_exempt               | exempt this user from serverhiding
+        * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines,
+        *                            | dnsbls, and proxies
+        * proxy_exempt               | exempt this user from proxies
+        * dnsbl_exempt               | exempt this user from dnsbls
+        * spambot_exempt             | exempt this user from spambot checks
+        * shide_exempt               | exempt this user from serverhiding
         * jupe_exempt                | exempt this user from generating
         *                              warnings joining juped channels
-        * resv_exempt                | exempt this user from resvs
+        * resv_exempt                | exempt this user from resvs
         * flood_exempt               | exempt this user from flood limits
-        *                                     USE WITH CAUTION.
+        *                              USE WITH CAUTION.
         * no_tilde     (old - flag)  | don't prefix ~ to username if no ident
         * need_ident   (old + flag)  | require ident for user in this class
         * need_ssl                   | require SSL/TLS for user in this class
@@ -420,6 +423,80 @@ blacklist {
 #      reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
 };
 
+/* These are the OPM settings.
+ * This is similar to the functionality provided by BOPM. It will scan incoming
+ * connections for open proxies by connecting to clients and attempting several
+ * different open proxy handshakes. If they connect back to us (via a dedicated
+ * listening port), and send back the data we send them, they are considered
+ * an open proxy. For politeness reasons (users may be confused by the incoming
+ * connection attempts if they are logging incoming connections), the user is
+ * notified upon connect if they are being scanned.
+ *
+ * WARNING:
+ * These settings are considered experimental, and as of this writing, the
+ * Charybdis scanner is not as comprehensive as the one available in HOPM. Only
+ * basic SOCKS4 and SOCKS5 scanning is performed on a few well-known ports. You
+ * may disable the open proxy scanning feature by deleting this block if you are
+ * uncomfortable with this.
+ */
+opm {
+       /* IPv4 address to listen on. This must be a publicly facing IP address
+        * to be effective.
+        * If omitted, it defaults to serverinfo::vhost.
+        */
+       #listen_ipv4 = "127.0.0.1";
+
+       /* IPv4 port to listen on.
+        * This should not be the same as any existing listeners.
+        */
+       #port_ipv4 = 32000;
+
+       /* IPv6 address to listen on. This must be a publicly facing IP address
+        * to be effective.
+        * If omitted, it defaults to serverinfo::vhost6.
+        */
+       #listen_ipv6 = "0::1";
+
+       /* IPv6 port to listen on.
+        * This should not be the same as any existing listeners.
+        */
+       #port_ipv6 = 32000;
+
+       /* You can also set a port directive which will set both the IPv4 and
+        * IPv6 ports at once.
+        */
+       port = 32000;
+
+       /* This sets the timeout in seconds before ending open proxy scans.
+        * Values less than 1 or greater than 60 are ignored.
+        * It is advisable to keep it as short as feasible, so clients do not
+        * get held up by excessively long scan times.
+        */
+       timeout = 5;
+
+       /* These are the ports to scan for SOCKS4 proxies on. They may overlap
+        * with other scan types. Sensible defaults are given below.
+        */
+       socks4_ports = 1080, 10800, 443, 80, 8080, 8000;
+
+       /* These are the ports to scan for SOCKS5 proxies on. They may overlap
+        * with other scan types. Sensible defaults are given below.
+        */
+       socks5_ports = 1080, 10800, 443, 80, 8080, 8000;
+
+       /* These are the ports to scan for HTTP connect proxies on (plaintext).
+        * They may overlap with other scan types. Sensible defaults are given
+        * below.
+        */
+       httpconnect_ports = 80, 8080, 8000;
+
+       /* These are the ports to scan for HTTPS CONNECT proxies on (SSL).
+        * They may overlap with other scan types. Sensible defaults are given
+        * below.
+        */
+       httpsconnect_ports = 443, 4443;
+};
+
 alias "NickServ" {
        target = "NickServ";
 };