X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/d76258f5592252a833ddb6192de7a2b111f1797f..eb0814b3cbcbb19789f2a6d5cfdcb0add3402e3a:/doc/ircd.conf.example
diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example
old mode 100755
new mode 100644
index 0466cba4..f54ff128
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@@ -4,36 +4,39 @@ * Copyright (C) 2002-2005 ircd-ratbox development team * Copyright (C) 2005-2006 charybdis development team * - * $Id: example.conf 3582 2007-11-17 21:55:48Z jilles $ - * * See reference.conf for more information. */ /* Extensions */ -#loadmodule "extensions/chm_operonly_compat.la"; -#loadmodule "extensions/chm_quietunreg_compat.la"; -#loadmodule "extensions/chm_sslonly_compat.la"; -#loadmodule "extensions/createauthonly.la"; -#loadmodule "extensions/extb_account.la"; -#loadmodule "extensions/extb_canjoin.la"; -#loadmodule "extensions/extb_channel.la"; -#loadmodule "extensions/extb_combi.la"; -#loadmodule "extensions/extb_extgecos.la"; -#loadmodule "extensions/extb_hostmask.la"; -#loadmodule "extensions/extb_oper.la"; -#loadmodule "extensions/extb_realname.la"; -#loadmodule "extensions/extb_server.la"; -#loadmodule "extensions/extb_ssl.la"; -#loadmodule "extensions/hurt.la"; -#loadmodule "extensions/m_findforwards.la"; -#loadmodule "extensions/m_identify.la"; -#loadmodule "extensions/no_oper_invis.la"; -#loadmodule "extensions/sno_farconnect.la"; -#loadmodule "extensions/sno_globalkline.la"; -#loadmodule "extensions/sno_globaloper.la"; -#loadmodule "extensions/sno_whois.la"; -#loadmodule "extensions/override.la"; -#loadmodule "extensions/no_kill_services.la"; +#loadmodule "extensions/chm_operonly_compat"; +#loadmodule "extensions/chm_quietunreg_compat"; +#loadmodule "extensions/chm_sslonly_compat"; +#loadmodule "extensions/chm_operpeace"; +#loadmodule "extensions/createauthonly"; +#loadmodule "extensions/extb_account"; +#loadmodule "extensions/extb_canjoin"; +#loadmodule "extensions/extb_channel"; +#loadmodule "extensions/extb_combi"; +#loadmodule "extensions/extb_extgecos"; +#loadmodule "extensions/extb_hostmask"; +#loadmodule "extensions/extb_oper"; +#loadmodule "extensions/extb_realname"; +#loadmodule "extensions/extb_server"; +#loadmodule "extensions/extb_ssl"; +#loadmodule "extensions/extb_usermode"; +#loadmodule "extensions/hurt"; 
+#loadmodule "extensions/m_extendchans"; +#loadmodule "extensions/m_findforwards"; +#loadmodule "extensions/m_identify"; +#loadmodule "extensions/m_locops"; +#loadmodule "extensions/no_oper_invis"; +#loadmodule "extensions/sno_farconnect"; +#loadmodule "extensions/sno_globalkline"; +#loadmodule "extensions/sno_globalnickchange"; +#loadmodule "extensions/sno_globaloper"; +#loadmodule "extensions/sno_whois"; +#loadmodule "extensions/override"; +#loadmodule "extensions/no_kill_services"; /* * IP cloaking extensions: use ip_cloaking_4.0 @@ -42,15 +45,14 @@ * releases. */ -#loadmodule "extensions/ip_cloaking_4.0.la"; -#loadmodule "extensions/ip_cloaking.la"; +#loadmodule "extensions/ip_cloaking_4.0"; +#loadmodule "extensions/ip_cloaking"; serverinfo { name = "hades.arpa"; sid = "42X"; description = "charybdis test server"; network_name = "StaticBox"; - hub = yes; /* On multi-homed hosts you may need the following. These define * the addresses we connect from to other servers. */ @@ -58,7 +60,7 @@ serverinfo { #vhost = "192.0.2.6"; /* for IPv6 */ #vhost6 = "2001:db8:2::6"; - + /* ssl_private_key: our ssl private key */ ssl_private_key = "etc/ssl.key"; @@ -182,7 +184,7 @@ auth { * flags = ...; below if it is. */ password = "letmein"; - + /* spoof: fake the users user@host to be be this. You may either * specify a host or a user@host to spoof to. This is free-form, * just do everyone a favour and dont abuse it. (OLD I: = flag) 
@@ -190,26 +192,28 @@ auth { spoof = "I.still.hate.packets"; /* Possible flags in auth: - * + * * encrypted | password is encrypted with mkpasswd * spoof_notice | give a notice when spoofing hosts * exceed_limit (old > flag) | allow user to exceed class user limits - * kline_exempt (old ^ flag) | exempt this user from k/g/xlines&dnsbls - * dnsbl_exempt | exempt this user from dnsbls - * spambot_exempt | exempt this user from spambot checks - * shide_exempt | exempt this user from serverhiding + * kline_exempt (old ^ flag) | exempt this user from k/g/xlines, + * | dnsbls, and proxies + * proxy_exempt | exempt this user from proxies + * dnsbl_exempt | exempt this user from dnsbls + * spambot_exempt | exempt this user from spambot checks + * shide_exempt | exempt this user from serverhiding * jupe_exempt | exempt this user from generating * warnings joining juped channels - * resv_exempt | exempt this user from resvs + * resv_exempt | exempt this user from resvs * flood_exempt | exempt this user from flood limits - * USE WITH CAUTION. + * USE WITH CAUTION. * no_tilde (old - flag) | don't prefix ~ to username if no ident * need_ident (old + flag) | require ident for user in this class * need_ssl | require SSL/TLS for user in this class * need_sasl | require SASL id for user in this class */ flags = kline_exempt, exceed_limit; - + /* class: the class the user is placed in */ class = "opers"; }; @@ -239,7 +243,7 @@ privset "global_op" { privset "admin" { extends = "global_op"; - privs = oper:admin, oper:die, oper:rehash, oper:spy; + privs = oper:admin, oper:die, oper:rehash, oper:spy, oper:grant; }; operator "god" { 
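Review bot: The flag table now describes `kline_exempt` as covering k/g/xlines, dnsbls and proxies, yet the example line `flags = kline_exempt, exceed_limit;` at the end of this hunk is unchanged. A copied auth block therefore opts out of the new proxy check as well, going by the table's own wording. The table should point readers to the narrower flags, for example by adding a row such as ` * | (prefer proxy_exempt or dnsbl_exempt when only one exemption is needed)` under the `kline_exempt` entry. The auth block itself starts above this hunk, so whether the example really needs the broad flag cannot be judged from here.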
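Review bot: `oper:grant` is added to the example `admin` privset with no comment, while the `operator "god"` block that follows is what people copy as a starting point. As far as I know this privilege controls the GRANT command, which assigns a privset to another user, so it delegates oper rights rather than just using them. A line above `privs` would make that visible: `/* oper:grant lets this oper hand a privset to another user; leave it out unless you need delegation */`. Consider keeping it out of the default `admin` set and showing it in a separate, commented-out privset instead.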
@@ -252,13 +256,13 @@ operator "god" { user = "*god@127.0.0.1"; /* password: the password required to oper. Unless ~encrypted is - * contained in flags = ...; this will need to be encrypted using + * contained in flags = ...; this will need to be encrypted using * mkpasswd, MD5 is supported */ password = "etcnjl8juSU1E"; /* rsa key: the public key for this oper when using Challenge. - * A password should not be defined when this is used, see + * A password should not be defined when this is used, see * doc/challenge.txt for more information. */ #rsa_public_key_file = "/usr/local/ircd/etc/oper.pub"; @@ -349,6 +353,7 @@ channel { knock_delay = 5 minutes; knock_delay_channel = 1 minute; max_chans_per_user = 15; + max_chans_per_user_large = 60; max_bans = 100; max_bans_large = 500; default_split_user_count = 0; @@ -363,6 +368,7 @@ channel { disable_local_channels = no; autochanmodes = "+nt"; displayed_usercount = 3; + strip_topic_colors = no; }; serverhide { @@ -376,8 +382,7 @@ serverhide { * You can have multiple combinations of host and rejection reasons. * They are used in pairs of one host/rejection reason. * - * These settings should be adequate for most networks, and are (presently) - * required for use on StaticBox. + * These settings should be adequate for most networks. * * Word to the wise: Do not use blacklists like SPEWS for blocking IRC * connections. 
@@ -397,10 +402,10 @@ serverhide { * as of this writing. * * As of charybdis 3.5, a matches parameter is allowed; if omitted, any result - * is considered a match. If included, a comma-separated list of *quoted* + * is considered a match. If included, a comma-separated list of *quoted* * strings is allowed to match queries. They may be of the format "0" to "255" * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match - * an A record. The blacklist is only applied if it matches anything in the + * an A record. The blacklist is only applied if it matches anything in the * list. You may freely mix full IP's and final octets. * * Consult your blacklist provider for the meaning of these parameters; they 
@@ -418,6 +423,80 @@ blacklist { # reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect"; }; +/* These are the OPM settings. + * This is similar to the functionality provided by BOPM. It will scan incoming + * connections for open proxies by connecting to clients and attempting several + * different open proxy handshakes. If they connect back to us (via a dedicated + * listening port), and send back the data we send them, they are considered + * an open proxy. For politeness reasons (users may be confused by the incoming + * connection attempts if they are logging incoming connections), the user is + * notified upon connect if they are being scanned. + * + * WARNING: + * These settings are considered experimental, and as of this writing, the + * Charybdis scanner is not as comprehensive as the one available in HOPM. Only + * basic SOCKS4 and SOCKS5 scanning is performed on a few well-known ports. You + * may disable the open proxy scanning feature by deleting this block if you are + * uncomfortable with this. + */ +opm { + /* IPv4 address to listen on. This must be a publicly facing IP address + * to be effective. + * If omitted, it defaults to serverinfo::vhost. + */ + #listen_ipv4 = "127.0.0.1"; + + /* IPv4 port to listen on. + * This should not be the same as any existing listeners. + */ + #port_ipv4 = 32000; + + /* IPv6 address to listen on. This must be a publicly facing IP address + * to be effective. + * If omitted, it defaults to serverinfo::vhost6. + */ + #listen_ipv6 = "0::1"; + + /* IPv6 port to listen on. + * This should not be the same as any existing listeners. + */ + #port_ipv6 = 32000; + + /* You can also set a port directive which will set both the IPv4 and + * IPv6 ports at once. + */ + port = 32000; + + /* This sets the timeout in seconds before ending open proxy scans. 
+ * Values less than 1 or greater than 60 are ignored. + * It is advisable to keep it as short as feasible, so clients do not + * get held up by excessively long scan times. + */ + timeout = 5; + + /* These are the ports to scan for SOCKS4 proxies on. They may overlap + * with other scan types. Sensible defaults are given below. + */ + socks4_ports = 1080, 10800, 443, 80, 8080, 8000; + + /* These are the ports to scan for SOCKS5 proxies on. They may overlap + * with other scan types. Sensible defaults are given below. + */ + socks5_ports = 1080, 10800, 443, 80, 8080, 8000; + + /* These are the ports to scan for HTTP connect proxies on (plaintext). + * They may overlap with other scan types. Sensible defaults are given + * below. + */ + httpconnect_ports = 80, 8080, 8000; + + /* These are the ports to scan for HTTPS CONNECT proxies on (SSL). + * They may overlap with other scan types. Sensible defaults are given + * below. + */ + httpsconnect_ports = 443, 4443; +}; + alias "NickServ" { target = "NickServ"; }; @@ -541,6 +620,7 @@ general { max_ratelimit_tokens = 30; away_interval = 30; certfp_method = sha1; + hide_opers_in_whois = no; }; modules {
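Review bot: The commented example `#listen_ipv4 = "127.0.0.1";` (and `#listen_ipv6 = "0::1";`) contradicts the comment directly above it, which says the address must be publicly facing to be effective. An admin who uncomments it gets a scanner that scanned hosts cannot connect back to, so it quietly detects nothing. The documentation addresses already used for `vhost` in this file would be safer examples: `#listen_ipv4 = "192.0.2.6";` and `#listen_ipv6 = "2001:db8:2::6";`. The WARNING also says only basic SOCKS4 and SOCKS5 scanning is performed, while the block sets `httpconnect_ports` and `httpsconnect_ports`; one of the two should be corrected so operators know what is actually covered. Finally, `port = 32000;` and the port lists are uncommented, so a feature the text calls experimental is enabled in any copied config. Commenting them out, or stating next to `port` that the listener must be reachable from outside and distinct from other listeners, would make that a deliberate choice.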