Permission to use this material for evaluation, copy this material for your own use, and distribute the copies via publicly accessible on-line media, without fee, is hereby granted provided that the above copyright notice and this permission notice appear in all copies. AIST makes no representations about the accuracy or suitability of this material for any purpose. it is provided "as is", without any express or implied warranties.
 
PERMUTED INDEX
 
 CFI
 CU-SeeMe
 DGAuth
 DNS
 FTP
 Gopher
 HostList
 HTTP
 ICP
 IMAP
 LDAP
 NNTP
 PAM
 POP
 ProtoList
 SMTP
 SockMux
 Socks
 SSI.shtml
 SSL
 TCPrelay
 Telnet
 UDPrelay
 Whois
 X
 
INDEX
 
  
 
 -F
 -P
 -f
 -r
 -v
 -d
 ADMIN
 AF_LOCAL
 Aging
 AUTH
 AUTHORIZER
 BASEURL
 CACHE
 CACHEFILE
 CGIENV
 CHARCODE
 CHROOT
 CMAP
 CONNECT
 CRON
 DATAPATH
 DELAY
 DELEGATE
 DGOPTS
 DGPATH
 DGROOT
 DNSCONF
 EXPIRE
 FCL
 FFROMCL
 FFROMMD
 FFROMSV
 FMD
 FSV
 FTOMD
 FTOSV
 FILETYPE
 FORWARD
 FTOCL
 FTPCONF
 HOSTLIST
 HOSTS
 HTMLCONV
 HTTPCONF
 ICP
 ICPCONF
 INETD
 LIBPATH
 LOGDIR
 LOGFILE
 MASTER
 MASTERP
 MAXIMA
 MIMECONV
 MOUNT
 MYAUTH
 MountOptions
 NNTPCONF
 OWNER
 PERMIT
 PORT
 PROTOLOG
 PROXY
 REACHABLE
 REJECT
 RELAY
 RELIABLE
 REMITTABLE
 RESOLV
 RES_CONF
 RES_DEBUG
 RES_NS
 RES_RR
 RES_VRFY
 RIDENT
 ROUTE
 RPORT
 SERVER
 SHARE
 SMTPCONF
 SMTPGATE
 SockMux
 SOCKOPT
 SOCKS
 SRCIF
 SSLTUNNEL
 TIMEOUT
 TUNNEL
 UMASK
 URICONV
 VSAP
 XCOM
 XFIL
 
 
 
 
  
 TCPrelay
 UDPrelay
 SockMux
 Socks
 DGAuth
 PAM
 HTTP
 SSI.shtml
 ICP
 FTP
 Telnet
 POP
 IMAP
 SMTP
 NNTP
 LDAP
 Whois
 X
 Gopher
 SSL
 DNS
 CU-SeeMe
  
 
--------- --------- --------- --------- --------- --------- --------- --------- DELEGATED(8) MAINTENANCE COMMANDS DELEGATED(8)
NAME
DeleGate works as an application level proxy which interprets relayed protocol (control sequence and data structure) between a client and a server; various value added services are realized for recognized protocol. Also DeleGate works as a circuit level proxy which literally conveys transmission between a client and a server of arbitrary protocols on TCP or UDP.
DeleGate can be used to enforce access control restricting remittable protocols, reachable servers, and acceptable clients. DeleGate forces delay for penalty on repetition of forbidden access, or make defense shutting down service and sending automatic reports to administrator on suspicion of attack. A basic logging on circuit level common to arbitrary protocol and protocol dependent logging in some common formats are supported for some protocols.
DeleGate can act as a kind of application level router, controlling direct or indirect routes toward a destination server by selecting upstream proxy or Socks server. One of exploitable routes toward a server will be selected or tried in order depending on application protocol, destination host and source client.
As an application level proxy, DeleGate interpretively relays various application protocols, providing various value added services including caching or conversion for relayed data, of which structure depends on each application protocol. Based on interpretation of application protocols, DeleGate can be used as a protocol gateway which translates between client-side protocol and server-side protocol.
As a circuit level proxy, a DeleGate server literally conveys transmission bound to a specified server of a specified application protocol on TCP or UDP, or toward arbitrary servers based on Socks protocol.
As an application level proxy, DeleGate provides virtual view for resources in other servers, by aliasing, merging, and hiding real names (like URL which identifies a resource or a service) in real servers. It is like a generalized mechanism of NFS file mount, but unlikely it is realized by rewriting content of data. In other words, this is a mapping (rewriting) of virtual names in client to/from real names in server, where names are embedded in a protocol dependent data structure on request/response messages between a client and a server. With this function named mounting, for example, a resource http://hostiN/ is shown to client as if it is http://hostx/iN/. MOUNT can be used to customize built-in icons and messages of DeleGate too.
Communication between client and DeleGate or between DeleGate and server can be filtered or translated by user defined filter programs attached to DeleGate using a simple scheme named CFI (Common Filter Interface). Existing filter programs, from standard input to standard output, can be used as a CFI program without modification. Besides filtering by external programs, some of frequently used filtering operations are built-in to DeleGate, including HTTP header removal and generation.
All of local files of DeleGate, including log files and cache files, are placed under an individual root directory (DGROOT) as private files belong to the owner of the DeleGate by default. But to share them among different users, the path name, owner, and access permission of each file can be customized. Also log file name can be parameterized with date value for aging, and cache file name can be parameterized with hash value to distribute cache disks.
Although DeleGate can be controlled by a lot of options, only -Pport option and SERVER=protocol parameter are mandatory to operate in most case. The -P option specifies on which port DeleGate receives requests from clients. SERVER parameter specifies in which protocol DeleGate communicates with clients, and optionally to which destination server it will relay the communication.
Options can be loaded from local or remote resources with "+=URL" notation, typically from a local file like "+=/path/of/parameters" (see Parameter Substitution)
OPTIONS
 
An entrance port is made as a TCP port by default except UDP based
application protocol (dns, icp, cuseeme, udprelay) is specified in
SERVER=protocol parameter.
And regardless of the protocol specified in SERVER, it can be
made as a UDP port with postfix "/udp" like -Pport/udp. 
 
This option MUST be specified except in following cases.
It is ignored when the DeleGate is invoked from inetd(8),
or in most case of -Ffunction option,
or when running as a tunnel server
with SERVER="tunnel1".
   -P option  --  entrance port(s) to the DeleGate
              ==  -Pport[,port]*
        port  ==  [host:]portNum[/udp]
     portNum  ==  number[-number]
This option specifies on which entrance port DeleGate receives
requests from clients.
As a typical example, "-P8080" means it accepts request on TCP port
numbered 8080 on any network interface belong to the host machine.
When the host has multiple interfaces or multiple IP addresses
assigned to a single physical interface, you can select one of them
with the specification format -Phost:portNum, like
"-Plocalhost:8080" for example.
A DeleGate server can accept from multiple ports or (limited) multiple
network interfaces by -Pport,port,...
Note: See SRCIF
as to selection of a source address of an outgoing connection.
-f option -- foreground execution
-r option -- restart
   -v option  --  logging level control
              ==  -v[vdtsau]
   -d option  --  debugging of sub components
              ==  -d[hs]
-S option -- watch SIGCHLD signal
   -T option  --  trace system calls
              ==  -T[xsdt]*
   -F option  --  extra function
              ==  -Ffunction
-- option -- hiding command line arguments
parameter == name=value
conditional parameter == (condition)parameter
-e option == -ename=value
PARAMETERS
In the following list, parameters marked with "*" are repeatable like name=value1 name=value2 ... name=valueN. If the same parameter is defined both in environment and command line, the one in command line precedes to the one in environment. If other non-repeatable names are repeated, the lastly given value is taken. Parameters marked with "+" can NOT be given in "+=parameters" scripts.
 
General
 
 
Routing
 
 
Access control
 
 
Resource usage restriction
 
 
Cache control
 
 
Mount
 
 
Data conversion
 
 
Filter control
 
 
Local file usage
 
 
Host name resolution
 
Parameters in this category are used to control common attributes
of DeleGate independently of the purpose of usage or
target application protocol.
      name
      value format
      functionality
     
 --
      ----------
      ------------------
      ----------------------------------
     
      SERVER
      proto://host:port
       client-side protocol and default server
     
      ADMIN
      user@host.domain
      E-mail addr. of the admin. of this DeleGate
     
+
      OWNER
      user[/group]
      with who's access right this DeleGate runs
     
*
      CRON
      crontab-spec
      cron compatible scheduler of actions
     
*
      INETD
      inetd-conf
      inetd like server configuration notation
     
*
      HOSTLIST
      name:hostList
      define a named HostList
     
*
      CMAP
      map-spec
      mapping table about the current connection
     
 
      LIBPATH
      dir:dir:...
      search path for library files
  
      DATAPATH
      dir:dir:...
      search path for data files
  
      DGPATH
      dir:dir:...
      search path for SUBSTITUTION resources
 
      DGOPTS
      option;option;...
      list of command line options
 
      PORT
      portList
      reserve entrance ports like -P option
     
These parameters control the indirect routing toward the target server
exploiting upstream proxies or Socks servers on the way to servers.
If any target hosts are directly reachable on IP level from your
DeleGate's host,
these parameters may not necessary.
Besides these parameters,
ICP and MOUNT
have something to do with routing based on application protocols.
 --
      ----------
      ------------------
      ----------------------------------
 *
      FORWARD
      proxy-_-proto:dst:src    
      forward to proxy when from src to dst in proto
 *
      ROUTE
      proxy-_-dst:src    
      forward to proxy when from src to dst
 *
      MASTER
      host:port
      connect via the upstream DeleGate
  
      MASTERP
      [host:port]
      invoke a MASTER private to this DeleGate
 *
      PROXY
      host:port
      connect via the upstream proxy
 *
      SOCKS
      host[:port]
      connect via the socks server
  
      SSLTUNNEL
      host:port
      connect via the SSL tunnel for HTTPS
  
      VSAP
      host:port
      accept/connect via a remote host
 *
      CONNECT
      ca,ma,di,so,...
      the order of trials of connection types
 *
      SRCIF
      host[:port]
      source address of connection to server
  
      TUNNEL
      type:scriptPath
      connect via the tunnel on serial line
  
      RPORT
      {tcp|udp}[:host]
      return port from the MASTER-DeleGate
 
These parameters control who (client) can access to what (server)
and how (protocol).
The basic policy of default access control is designed so that
clients on networks local to the host of DeleGate are permitted
to access to any server.
Note that the default value of
REMITTABLE depends on
SERVER, and
IP-level reachability to DeleGate on a multi-homed host
may be restricted by -Phost:port option.
You must most carefully configure these parameters
so that this DeleGate does not introduce a security hole,
especially when it is running on a host
which is directly accessible to/from the internet.
 --
      ----------
      ------------------
      ----------------------------------
 *
      PERMIT
      proto:dst:src
      protocols/servers/clients to be permitted
 *
      REJECT
      proto:dst:src
      protocols/servers/clients to be rejected
  
      REMITTABLE
      ProtoList
      protocols remittable to the server
 *
      REACHABLE
      dstHostList
      only specified server hosts are reachable
 *
      RELIABLE
      srcHostList
      accept only from the specified client hosts
 *
      RELAY
      proxy|delegate|no
      restrict proxying modes
 *
      AUTH
      what:aproto:users
      authorized users for remote administration
 *
      AUTHORIZER
      serv:proto:dst:src
      authentication server
 *
      MYAUTH
      user:pass:proto:dst:src
      authentication client
  
      RIDENT
      client|server
      forward socket addr. to upstream DeleGate
 
These parameters can be useful where available resources are
in severe condition; when the host of DeleGate is heavy loaded,
network bandwidth is narrow, or response from server can be slow.
 --
      ----------
      ------------------
      ----------------------------------
 *
      MAXIMA
      what:number
      maxima of parallel sessions and etc.
 *
      TIMEOUT
      what:seconds
      timeout of connection and etc.
 *
      DELAY
      what:seconds
      delay for penalty
 
Enable or disable cache and specify validity of cached data.
Usage of cache is controlled in context of routing by
CONNECT too.
Removing stale cache file can be done periodically using
CRON.
 --
      ----------
      ------------------
      ----------------------------------
 
      CACHE
      do|no|ro
      control to do cache or not
 *
      EXPIRE
      days|hours|secs
      expiration of the cached data
  
      CACHEFILE
      fileNameSpec
      in which file cache data are stored
 *
      ICP
      icpClientConfig
      configuration as an ICP client
 
Provide virtual view for other server(s) by URL mapping,
filtering and aliasing resource names,
to merge multiple servers,
to translate between different protocols,
to export internal servers,
and so on.
Also MOUNT can be used to customize
or replace built-in icons and messages.
 --
      ----------
      ------------------
      ----------------------------------
 *
      MOUNT
      "vURL rURL opt"
      map virtual URL to/from real URL
 *
      URICONV
      convList:attrList
      control URI rewriting with MOUNT
 
      BASEURL
      URL
      the base of (virtual) URL of this server
 
      DELEGATE
      host:port
      limited form of BASEURL
 
Parameters to control built-in converter for text type data.
 --
      ----------
      ------------------
      ----------------------------------
 *
      CHARCODE
      JIS|EUC|SJIS|UTF8
      character conversion for Japanese text
  
      HTMLCONV
      deent|enent|pre
      decode/encode between HTML & plain text
  
      MIMECONV
      thru|charcode
      control MIME encoder/decoder
 
Insert a filter program on the way to/from client or server
to convert data transmitted between them.
 --
      ----------
      ------------------
      ----------------------------------
  
      FCL
      filterCommand
      filter between client and DeleGate
  
      FTOCL
      filterCommand
      filter from DeleGate to client
  
      FFROMCL
      filterCommand
      filter from client to DeleGate
  
      FSV
      filterCommand
      filter between server and DeleGate
  
      FTOSV
      filterCommand
      filter from DeleGate to server
  
      FFROMSV
      filterCommand
      filter from server to DeleGate
  
      FMD
      filterCommand
      filter between MASTER and this DeleGate
  
      FTOMD
      filterCommand
      filter from this DeleGate to MASTER
  
      FFROMMD
      filterCommand
      filter from MASTER to this DeleGate
  
      XCOM
      filterCommand
      execute a command as a server
  
      XFIL
      filterCommand
      execute a filter as a server
 
All of local files are integrated under DGROOT by default.
You should not change nor specify these parameters if not necessary.
 --
      ----------
      ------------------
      ----------------------------------
 +
      CHROOT
      dirPath
      change the root of file system at start
 +
      DGROOT
      dirPath
      root directory of all of DeleGate files
 *+
      SHARE
      dirPatternList
      files to be shared among users
 +
      UMASK
      mask
      umask value in octal
  
      VARDIR
      dirPath
      default base of log and cache
  
      CACHEDIR
      dirPath
      where cache files are placed
  
      ETCDIR
      dirPath
      where persistent management files are
  
      LOGDIR
      dirPath
      where DeleGate logs are
  
      LOGFILE
      LogFilename
      where DeleGate makes logging
  
      PROTOLOG
      LogFilename
      httpd or wu-ftp compatible log file
  
      ERRORLOG
      LogFilename
      where DeleGate make error logging
  
      TRACELOG
      LogFilename
      where signal trace (by -T) is put
  
      EXPIRELOG
      LogFilename
      file which records expire log
  
      WORKDIR
      dirPath
      where DeleGate should dump core (-_-;
  
      ACTDIR
      dirPath
      where temporary files are placed
  
      TMPDIR
      dirPath
      where invisible temporary files are placed
  
      PIDFILE
      fileName
      where the DeleGate's PID is recorded
 
Resolve host name to/from IP address using DNS, NIS or local file.
Protocol specific
 --
      ----------
      ------------------
      ----------------------------------
 *
      HOSTS
      host/addr,...
      private host/address mapping
 
      RESOLV
      file,nis,dns,sys
      the order of resolvers to be used
 
      RES_CONF
      URL
      where resolv.conf is
 
      RES_NS
      host[:port]
      DNS server to be used
 
      RES_RR
      HostList
      enable Round Robin of IP-addresses
 
      RES_VRFY
      ""
      enable double check of reverse resolution
 
      RES_DEBUG
      number
      debugging level of name resolution
 
 --
      ----------
      ------------------
      ----------------------------------
 *
      HTTPCONF
      what:conf
      HTTP specific configuration
  
      FILETYPE
      suffix:fileType
      mapping from filename to data type & etc.
  
      CGIENV
      name,name,...
      environment variables to be passed to CGI
 *
      ICPCONF
      icpServerConfig
      configuration as an ICP server
 *
      FTPCONF
      what[:conf]
      FTP specific configuration
 *
      NNTPCONF
      what:conf
      NNTP specific configuration
  
      SMTPCONF
      what:conf
      SMTP specific configuration
  
      SMTPGATE
      dirPath
      SMTP to SMTP/NNTP g.w. configuration
 *
      DNSCONF
      what:conf
      configuration as a DNS server
 
SERVER parameter*   ==  SERVER=protocol[://host[:portNum]][:-:MountOptions]
           portNum  ==  [+|-]number
                    --  default: SERVER=delegate
Example: a SERVER parameter for unbound Telnet-DeleGate
If no destination server (host) is specified, it is to be be given by client somehow at run-time, on application level in protocol dependent way.
The protocol with server is implicitly expected to be the same with the protocol with the client. Some protocols like HTTP have their inherent way to specify the protocol with the destination server. Otherwise it must be explicitly given with MOUNT parameter, like MOUNT="/news/* nntp://server/*" for example.
SERVER=protocol://host:portNum specifies the URL of destination server. The ":portNum" part is omitable as usual in URL if the number is that of standard port number of the protocol. A list of protocols and standard port numbers recognized by the DeleGate is available at: "http://delegate/-/builtin/mssgs/config.dhtml". If a portNum is prefixed with "-" or "+", it means mapping the port number of the entrance port adding the specified offset, or using the port number as is by "-" with empty portNum.
Example: forwarding multiple ports to an another host
Note that a DeleGate bound to a specific server is not disabled to
work as a proxy for arbitrary servers.
Proxying ability must be restricted if necessary, using
PERMIT, REACHABLE and RELAY parameters.
 
If a SERVER parameter is with ":-:MountOptions",
the SERVER parameter will be dynamically selected if the condition
specified in the MountOptions
is evaluated to be true.
As a special case, ":-:via=HostList" can be abbreviated
as ":-:HostList".
 
Example: selecting an appropriate NNTP server for a client
 
Example: {NNTP,SMTP,POP}-DeleGate as a single server
 
 
Example:
run with the user ID corresponding to the user name of the client
 
Example:
         
Example:
 
Example:
 
 
 
For special gwproto, FORWARD works as a generalized notation of
MASTER, PROXY and SOCKS as follows.
 
 
If multiple routes to the destination server are available,
the route defined by FORWARD is tryed in precedence defined by "proxy" or
"master" in CONNECT.
 
A host specification in the dstHostList may be
prefixed with "proto://"
to restrict the protocol to be forwarded.  For example,
ROUTE="http://host:port/-_-{ftp://*}:*"
means that only access to FTP servers are forwarded
to the HTTP-proxy at "http://host:port/".
 
A host specification in the dstHostList can be restricted further
with port number.
For example, ROUTE="http://host:port/-_-{*:21}:*" means that
only accesses to the port number 21 (FTP service) is forwarded to the
proxy.
 
Optional "/masterControl" can be:
     
Example:
 
Example:
 
Example:
 
connType:
 
Each connection type can be abbreviated by the first character as
{c,i,m,d,v,s,u} respectively. 
Note:
In current implementation, "cache" will be tried first anyway if it is
included in the connSeq.
 
This parameter specifies the source address (of a network interface) of each
connection to a server.
This can be useful when the host of DeleGate has multiple network interfaces.
Also it can be used to specify the port to be used for accepting
a client connection by a SOCKS-DeleGate or a FTP-DeleGate.
 
In most cases, a special pattern "*" as host or port specifies
the wild-card IP address or port number.
In some cases, the special pattern "*" is used for the desired address and number
which is specified by a protocol,
like a port for FTP data connection (by PORT or PASV)
or a port for SOCKS (BIND and UDP-ASSOCIATE).
To explicitly specify the wild-card as an IP address and port number,
use "0.0.0.0" as host and "0" as port respectively.
 
Example:
 
The port for "ftp-data" connection which is assigned on demand and notified
to the peer,
that is from client to server by PORT or from server to client by PASV,
can be controlled separately by "ftp-data-port" or "ftp-data-pasv" respectively.
The source port for data connection, which is established from server to
client for PORT or from client to server for PASV,
can be controlled by "ftp-data-src".
 
Currently, the tunnelType must be "tty7" which means
transmission between DeleGates is done in 7bits stream.
When the type is "tty7", how the TUNNEL is established is described
in the specified SHIO-script file.
See "src/sample.shio" in the distribution package.
The name of a script file must be specified either in absolute path,
or in relative file name which will be retrieved in
LIBPATH.
The upstream DeleGate for TUNNEL must be invoked with
SERVER="tunnel1".
 
Example: make a tunnel without login dialogue
 
If multiple PERMIT parameters are given,
an access will be permitted if at least one of
those PERMITs indicates permission.
If no PERMIT parameter is given, access permission is controlled
by REMITTABLE, REACHABLE and RELIABLE parameters which can be
defined explicitly or implicitly depending on SERVER parameter.
 
Example:
unlimited permission to hosts on local net while only http://www to others
 
The special pattern "*" in ProtoList (dstHostList) means
all of permitted protocols (servers), which may be explicitly
defined with REMITTABLE (REACHABLE) parameters.   These parameters
limits the widest possible permission.  A protocol (server) is not permitted
if it is not permitted in REMITTABLE (REACHABLE) parameters defined
implicitly or explicitly.
Similarly, if more than one RELIABLE parameters are given explicitly,
they limit the widest acceptable clients in srcHostList of PERMIT.
 
The host specifications in the dstHostList can be further restricted
with port number like "host:portNumList".
For example, PERMIT="telnet:{*:23}:*" means permitting
telnet to any host but only on the standard port number (23).
 
A protocol name in the ProtoList can be modified with port number
and method like "protocolName/portNumList/methodList"
to restrict accessible ports and methods in the protocol.
For example, a series of PERMIT parameters,
PERMIT="ftp//readonly:Servers:Clients"
PERMIT="ftp:*:*"
means inhibiting uploading to Servers from Clients
while allowing uploading among other combinations of servers and clients.
 
When multiple DeleGate servers are chained using MASTER or PROXY
parameter, the original client identification information got at
the first DeleGate server (at the entrance of the chain) can be
forwarded to the upstream DeleGate server using RIDENT
parameter and will be examined using PERMIT parameter.
 
Example:
forbid mail-clients to remove message on mail-servers
 
If a protocol name is followed by "/portNumList",
only ports listed in
the PortList is permitted.
A PortList can be followed by "/methodList" which restricts
available methods in the protocol.
A pseudo method "readonly" is used to prohibit methods for modification.
For example, REMITTABLE="ftp//readonly" make a FTP-DeleGate be
"read only" which inhibits uploading to FTP servers.
 
Protocol Specific Default: 
Exception:
 
If the first member of a list is "+", it means the default list of
permitted protocols.  For example, REMITTABLE="+,-https/80,-wais,file"
with SERVER=http means REMITTABLE="http,https/443,gopher,ftp,file".
 
Note that multiple RELIABLE parameters like
RELIABLE=Hosts1 RELIABLE=Hosts2 will be interpreted
being simply concatenated into a single RELIABLE="Hosts1,Hosts2",
which will NOT mean "Hosts1 or Hosts2"
if Hosts1 or Hosts2 includes some
negation or
composite operators.
You are recommended to use multiple PERMIT parameters instead
if you are not sure what does these mean.
 
RELAY="no" means working as an origin HTTP server without relaying 
(Origin HTTP server is a usual server which accepts requests in usual
format, not in format for proxies, that is URL in request is neither
in full format nor in "/-_-" format, but in absolute format).
RELAY="vhost" can be used for origin HTTP server with relaying to arbitrary
virtual hosts.  This option enables a HTTP request to be forwarded to
arbitrary destination server, indicated in "Host:" field in request header,
without explicit MOUNT.  This automatic relaying is done only when the
request URL is not MOUNTed, thus is not so likely because most DeleGate
working as origin server have MOUNT parameter for the root URL ("/*").
 
Example:
 
Default:
 
In HTTP-DeleGate, user declares "who am i" giving an
Authorization header (in request message), which consists of
Username:Password,
where Username can be in a form of User@Host.
 
Currently following categories of authentication/authorization
are supported:
 
-- in any protocol DeleGate --
 
 
-- in FTP server and FTP/HTTP gateway --
 
 
-- in proxy and origin HTTP server --
 
 
In the case where the FTP-server based authentication is used, 
a recommended user name of the authorization information is
e-mail address like "user@host.domain"
so that it can be commonly used for both AUTH="anonftp" and AUTH="proxy".
 
Note that even a client authorized by an auth-server is not permitted
if the client's host does not pass other access controls
(RELIABLE and PERMIT).
To permit any authorized client regardless of its host, specify as
RELIABLE="-a/*". Also RELIABLE="*" works for this purpose
but is not safe on modifications of configuration and DeleGate.
 
Adding connMap, an auth-server can be selected conditionally on
a combination of destination protocol, server host and client host.
The authServList is a host name of authentication server, or a
list of host names of authentication servers.
If authServList is followed with "@realmValue", the value is
used to define the realm of protection space in HTTP-DeleGate.
It can be overridden by MountOption "realm=realmValue" for each MOUNT point.
 
Currently, the default protocol of remote authentication/authorization server
is that of FTP protocol with USER and PASS commands.  Thus any real FTP
server can be used as an authentication/authorization server of DeleGate.
Another way of maintaining DeleGate's own lists for
authentication/authorization is using
-Fauth function.
 
There are built-in auth-servers to be used as authServ as follows:
 
DGAuth: Authentication scheme based on digested password, specific to each
application protocol, is enabled with "AUTHORIZER=-dgauth".
This kind of authentication scheme,
at least APOP proxy or HTTP Digest/Basic gateway does,
requires the original cleartext of password.
To store a password to be used in such way, run DeleGate with
"-Fauth -a username:password -dgauth".
Since passwords for -dgauth is stored in encrypted form, a keyword is
required for the encryption.
Specify the keyword as CRYPT=pass:keyword
or answer it interactively afterwards.
Otherwise, DGAuth can be delegated to a remote
DGAuth server.
DGAuth generates a session identifier which is retained identically
during the session started by an authentication,
then passed to CFI/CGI programs in environment variable "X_DIGEST_SESSION"
and can be logged into PROTOLOG.
 
Example:
 
PAM: On platforms where PAM (Pluggable Authentication Modules) is available,
it can be used for authentication with the syntax
AUTHORZIER="-pam/service",
for example as AUTHORIZER="-pam/passwd", AUTHORIZER="-pam/ftp" and so on.
 
LIST: In the "-list{user:pass,...}", substitution by
"[date+format]"
can be used in user and pass.
For example, AUTHORIZER="-list{guest:[date+%y%m]}" means accepting
usrename "guest" with password "0405" in May 2004.
 
If only authentication of user is necessary without authorization,
the following special name will be useful as a authServList.
 
 
Example:
 
The pair of username+password which is sent from a client can be forwarded
to the server by MYAUTH="%U:%P"
(supported in HTTP and FTP only).
 
Example: 
Example: 
 
 
 
Each value specifies the maximum delay time and delay time increases
according as the error count increases.
 
If a vURL is terminated with "*"
then partially matched path is also rewritten.
If a rURL is terminated with "*" then remaining part
in the partially matched path will be copied after the rURL.
 
Example: a MOUNT for HTTP-DeleGate
 
If "=" is specified as vURL or rURL,
it means mount as is without
rewriting for the vURL in a request,
or rewriting for rURL in a response.
 
The port number of the destination server (in rURL)
can be prefixed with "-" or "+"
to be determined dynamically
by offsetting from the port number of the entransport,
as in SERVER parameter.
 
If the rURL is of "file:path" and the path is
a relative one, then the data file is searched under the
DGROOT directory or directories listed in
DATAPATH.
 
Abbreviations
 
To make configurations be simple and reusable, special abbreviated
formats of URL can be used in MOUNT parameter.
If "=" is specified as protocol-name, host-name
or port-number in rURL which consists of
protocol-name://host-name:port-number/url-path,
then it represents that of the DeleGate itself (i.e. that of vURL).
URLs beginning with "//" represents further abbreviations,
"///path" for "=://=:=/path" (in the same protocol,host and port)
and
"//serv..." for "=://serv..." (in the same protocol).
 
Abbreviated host-name and port-number is substituted by
that of the virtual host (given in HTTP Host: field) if exists,
or by that of the real interface with the client.
To explicitly specify the real interface, use "-P" for
"host-name:port-number part like "http://-P/path".
 
Example: abbreviation in rURL of MOUNT parameter
 
Complex Matching and Rewriting
 
A pattern following "*%" in vURL and rURL represents
a pattern for complex matching specified in the format like that of scanf(3).
Each format specification consists of a specification following "%",
like "%c", "%[a-z]" and so on.
The extended format "%S" has variable meanings determined by its
adjacent character, i.e. "%Sx" means "%[^x]x":
ex. "%S." for "%[^.]." and "%S/" for "%[^/]/".
"%(N)" in rURL means copying Nth element in
vURL.
If a vURL pattern ends with "$" character, then complete
matching to the end of URL string is required.
 
Example: complex matching and rewriting
 
CONDITIONS:
The first group of options are to make MOUNT be conditional
depending on source and destination (client and server).
When a MOUNT parameter have a MountOption
including one or more conditions,
the MOUNT will be ignored without all of conditions are true.
 
 
 
These HostList should be a list of host:port,
where :port part can be omitted when it is not to be cared.
The host part can be represented as "*"
when the difference of network interface is not to be cared.
 
Example:
 
CONTROLS:
The second group of options are to control the behaviors of DeleGate
which are local to the MOUNT point.
 
 
 
The special convList URICONV="+" means loading the default URICONV
configuration (no attrList in this case in the current implementation).
The attrList is a list of attributes names each may be postfixed
with an element name.  A special attributes name "+" means the
default set of attributes.  An attribute prefixed with "-"
character is excluded from the calculated set of attributes.
 
Another special convList URICONV="where:any" enables searching URL
to be rewritten not only in HTML tags but also
in JavaScript and CSS (Cascading Style Sheets).
 
Example:
 
When an origin/gateway HTTP-DeleGate received "Host:vhost1" in
a request header, it overrides BASEURL="http://vhost0" parameter
to have "vhost1" be the base URL of the DeleGate.
To override the "Host:" header by BASEURL, prefix "-" to a host name as
BASEURL="http://-vhost0".
 
Example:
 
Originally, this parameter is introduced to control proxying mode for
non-CERN HTTP type proxy (including gopher proxy) by rewriting a URL
(or pointer) with gateway-_-URL
or proto://gwHost:Port/-_-URL notation,
where the gwHost:Port part is generated and embedded by DeleGate.
 
Thus you can disable the proxying mode specifying non existing
entrance port and an empty ProtoList like DELEGATE="-:0:-all".
But this can be done more simply by RELAY parameter and it is
disabled by default in recent versions.
 
 
Another formatting pattern is "$[hash:format]" which
hashes a string generated by format into
hexadecimal value ranging from "00" to "1f".
This will be useful to divide a single huge directory containing all
servers into 32 small directories, which can be on physically
different disks.
 
 
Example:
 
ICP="host0" 
To enable this parameter for internet-mail/news protocols
(SMTP, POP and NNTP),
also MIMECONV parameter must be specified
so that it enables character conversion (enabled by default).
 
A HTTP client can override this specification by sending its choice
in "Accept-Language" field in a request message,
which may be configurable in each client (WWW browser).
For example, if
"Accept-Language: (charcode=EUC)" is sent in a request from client,
the response text will be converted into EUC regardless of CHARCODE
specification of the DeleGate.  If
"Accept-Language: (charcode=THRU)" is specified,
any conversion specified by the administrator of this DeleGate is disabled.
 
 
"deent" and "enent" control encoding and decoding of special
characters between HTML and plain text
("<" to/from "<" for example)
when such characters appear in a text of
multi-byte charset (like ISO-2022-JP).
If "deent" is specified, encoded entity symbol appearing
in multi-byte charset text will be decoded.
This may be useful to recover a text
including characters indiscriminately encoded by
encoder which does not care multi-byte characters.
 
Filters can be applied conditionally using
CMAP
based on circuit level information, or
using CFI script
based on application level information.
 
On WindowsNT and OS/2, commands executed as XCOM will be given a
environment variable "SOCKHANDLE_CLIENT"
which have the handle value of the inherited socket
connected to the client.
 
Example:
 
The patterns ${PROTO} and ${PORT} will be substituted with the
protocol name and the port number of this DeleGate respectively.
These files and directories will be created automatically by
DeleGate if possible.  You can stop logging by specifying null
file name like LOGFILE="" or PROTOLOG="".
 
The format of PROTOLOG for HTTP is compatible with
the common logfile format and is customizable.
The format of PROTOLOG for FTP is compatible with
xferlog.
 
LogFilename and dirPath Substitution for Aging 
 
Example: aging a log file day by day and rotate by a month
 
Example: make log directory hierarchical by date
 
The latest LOGFILE will be pointed with another file name
(hard link to it) which name is made by omitting
"[date+format]" parts from LOGFILE specification.
For example, by the LOGFILE specification in the above example,
logfile will be named like "log/aged/00/12/31/80.http"
while the latest one is given another name "log/80.http".
 
Another pattern for aging is "[start+format]"
which will be evaluated in the same way with
"date+" except that it will be substituted by
the time when the DeleGate started
(or restarted by SIGHUP or specified TIMEOUT=restart).
 
 
 
a host named "host.yy.xx.dom" matches with the first hostSpec,
but excluded by the second one, but included again by the third one.
If the first host in a HostList is with "!", it means
exclusion from the universe ("*", that is any host), that is,
"!host, ..." is regarded as "*,!host, ..."
 
 
Example: inhibit access from unknown hosts or from unknown users
 
Example: conditional filtering using CMAP
  
 
Example:
 
Example:
 
The complete format of period is like this:
[wW]HH[MM][-HH[MM]].
A time period in a week is represented with "wW" where W
expresses a day in a week ranging from "0" to "6" according to Sunday
through Saturday. Sunday can be expressed as "7" too for convenience.
 
Example:
 
 
Example:
 
Options and parameters can be loaded from external
"substitution resources".
An option like "+=file" is substituted by a list of options enumerated
in the resource named "file".
An option like "name=+=file" is substituted
by a list of "name=value"
where the "value" is enumerated in the "file".
Similarly an option like "name=xxx:+=file" is substituted
by a list of "name=xxx:value".
 
Substitution can be done recursively.  In this case, a relative resource
name is searched in DGPATH
or LIBPATH.
By default, DGPATH='+:.:${HOME}/delegate'
where "+" stands for the place where the "caller" resource is.
For example, if "+=file2" is referred from caller file "/local/etc/file1",
the "file2" will be searched first as "/local/etc/file2".
A resource name can be specified in full URL like
"+={file:/local/etc/file1}" or "+={http://host/file}".
 
 
Substitution resources are the list of options (or parameters)
where each line stands for an option (or a parameter).
In each line, strings after sharp character(#) will be ignored
as a comment.
White space characters (SPACE, TAB, LF and CR) at the beginning
or the ending of each line are ignored.
Single quote(') and double quote(") are stripped.
Back slash character(\) let the succeeding character be as is.
 
Example:
The following five examples have the same meaning with each other.
 
PERMIT=a:b:c PERMIT=a:b:d PERMIT=a:e:f PERMIT=x:y:z ...
 
 
 
 
 
Substitution resources will be reloaded when the DeleGate
restart
receiving a SIGHUP signal or by "-restart" action in CRON parameter.
 
Another substitution is in the form "name=-=URL" which loads the
content of URL into a temporary file on local file system (under ACTDIR),
then the parameter is rewritten to "name=/path/of/temporary-file".
This will be useful when you wish to pass remote resources to CGI or
CFI programs,
like "-eCONFIGDATA=-=http://server/configData",
then those programs will be given an environment variable named CONFIGDATA
of which value is a temporary file name containing the content of
"http://server/configData".
 
CFI AND CFI SCRIPT
 
For FTOXX and FFROMXX filters,
CFI script enables selecting an appropriate filter
to be applied to each data depending on the type of data. 
Instead of direct usage of a filter program like
FTOCL=filterCommand, specify
FTOCL=filter.cfi where filter.cfi is a file
in the CFI script format.
Or a CFI script can be loaded from remote host like
FTOCL=URL via HTTP or FTP.
When the file name of CFI scripts or a filter command referred
in the script is specified in relative path name,
it is searched in LIBPATH.
 
A CFI script is text data which
starts with a magic string "#!cfi" and
contains more than one filter specifications
which are separated by "--" with each other.
 
 
If no Action is specified, it indicates matching the
ruleName:ruleBody to the input header.
It matches when the input message has a ruleName header with
a field body matches with ruleBody.
If at least one of matching rules turns to be true,
then the filterUnit is adopted.
If no matching rule is included in a filterUnit then
the filterUnit is adopted unconditionally.
Currently, only a limited set of MIME headers (in request or response
message) can be used for the matching.
Also, some extended headers can be used to match with information not
included in the original header (ex. "X-Status-Code" which means
status code in response message)
 
When the header ruleName is "Body-Filter", "CGI",
"Header-Filter", or "Message-Filter",
exceptionally they specifies an action
(or filtering) to be applied to the input data.
For filters of "Body-Filter" or "CGI",
the body part of the input message will be passed to the
standard input of the filter program, then the output from the
standard output of it will be forwarded to the destination
(client or server) instead of the original input message.
The "Content-Length" header in the forwarded message will be
adjusted to indicate the size of the body part to be forwarded.
For filters of "Header-Filter",
the header part of a message will be passed to and from the filter.
The start-line in the HTTP message (Request-Line or Status-Line)
will be passed as a header field prefixed with
"Request-Line:" or "Status-Line:".
For filters of "Message-Filter",
whole message consists of header and body is passed to and from the filter.
 
With a prefixed "Action/" to a ruleName:ruleBody,
some simple rewriting using ruleBody data
for relevant ruleName field will be done.
"Output/ruleName:ruleBody" indicates appending (or replacing)
a ruleName:ruleBody field into the header.
"Remove/ruleName:ruleBody" indicates removing header fields
with name ruleName and body matches to ruleBody.
 
Example: rewriting HTTP response messages
 
[content of test.cfi] 
PROXYING BY URL REDIRECTION
 
 
 
Originally, this redirection mechanism was implemented for Gopher proxy,
and extended to HTTP protocol,
then extended to a generic MOUNT mechanism.
Now almost the same effect with "-_-" redirection can be emulated
with a MOUNT parameter like follows, allowing to replace "-_-" with
an arbitrary string.
 
 
You can write a DeleGate switching table in HTML.
Suppose that you have two DeleGate hosts connected to different network
provider each other, and you want to select one of them explicitly
but without changing configuration of your browser
and without typing a lengthy URL prefixed with "http://delegate/-_-".
You can write a table in HTML to switch DeleGate like this:  
 
 
This table works independently of if the client is using DeleGate
or not,
because DeleGate does not do URL redirection in response message
described above if the URL is already redirected like above.
 
Right after the -_- mark, optional "/Modifier/" form can be inserted
as follows:
 
Common Notation
 
 
TCPrelay
 
Example: two proxies on TCP with similar function
 
UDPrelay
 
Example: two proxies on UDP with similar function
 
Example: a gateway between UDP and TCP
 
A pair of gateways like above can be used to convey UDP packets over TCP
connections, but such relaying (tunneling) is realized more efficiently
using SockMux with a single TCP connection.
 
DGAuth server
 
 
Example: DGAuth-DeleGate server and its client 
Example: DGAuth-DeleGate server and its client on the same host 
A DGAuth server receives a set of components to be used to calculate
digest for each application protocol, then return the digest, as follows.
 
PAM server
 
 
Example: PAM-DeleGate server and its client 
Example: PAM-DeleGate server and its client communicating over SSL 
Note that most of PAM authentications need to be executed under the
privilege of superuser on Unix (with OWNER="root" option).
But you can avoid running your PAM-DeleGate server with superuser privilege by
installing external program "dgpam" under DGROOT/subin/.
 
The default port number of the experimental PAM/HTTP server is 8686.
Other ports can be specified as
AUTHRIZER=-pam//host..port,
for example as AUTHORIZER="-pam//hostX..8765/passwd".
 
PAM/HTTP protocol uses the format of HTTP compatible request/response
messages as follows.
 
Following the format, you can easily develop your own PAM server,
instead of PAM-DeleGate, using your own HTTP server with CGI or so.
 
SockMux server
 
 
The persistent connection is established with "-Phost:port" parameter
at receptor side, and "SERVER=sockmux://host:port" at connector side.
The port to accept outgoing connections to be forwarded to remote is specified
with PORT="listOfPorts parameter.
The server to be connected for incoming connections from remote is specified
with a postfix string ",-in" like SERVER="telnet://host:23,-in".
 
An incoming connection can be processed with DeleGate as a proxy of the
specified protocol.
If only protocol name is specified like SERVER="telnet,-in", or if "-in"
is postfixed like "-in(option list)", then a DeleGate is
invoked to process the connection.
The option list is passed to the invoked DeleGate as the list of
command line options.
For example, SERVER="telnet://host,-in(+=config.cnf)" will invoke a DeleGate
with command line options like ``delegated SERVER=telnet://host +=config.cnf''.
 
Example: bi-directional SockMux-DeleGate 
Example: uni-directional SockMux-DeleGate 
Example: uni-directional to proxy-Telent-DeleGate 
When SockMux is used just to relay data between sockets, without
interpreting the application protocol relayed over SockMux,
such relaying can be represented with simpler expression using
DEST parameter instead of SERVER as follows:
 
 
Example: tcprelay over SockMux 
Example: relaying UDP over SockMux/TCP 
Another way to establish a persistent connection between
two SockMux-DeleGate is using a FIFO device like named pipe.
It is specified like SERVER=sockmux:commtype@fifoName
where commtype is one of "commin", "commout", and "comm",
which represents uni-directional input, uni-directional output and
bi-directional input/output respectively.
 
Example: use fifo device on a host 
Example: use communication port between two hosts (not tested yet) 
The persistent connection can be established by a given external
program invoked by DeleGate.
The process of the program is passed a socket to/from DeleGate at 
file descriptor number 0 and 1;
 
Example: establish connection by external command 
The destination SERVER for an incoming connection from remotel can be
selected depending on which remote port it was accepted.
A SERVER parameter postfixed with
":-:-Pxxxx"
will be applied only to connections which is accepted on remote host
with PORT=xxxx.
 
Example: forwarding multiple port 
NOTE: forwarding FTP data connection is not supported (yet).
 
Socks server
 
 
Example: Socks-DeleGate 
To accept an incoming TCP connection via a SOCKS-DeleGate server,
the network interface to be used for it is selected automatically
by DeleGate (based on the DST.ADDR or DSTIP which is sent from
a SOCKS client as the parameter of the BIND command).
With the SRCIF parameter, you can select a network
interface (and port number) manually, with the pseudo protocol name "tcpbind".
The complete syntax of the parameter is
SRCIF=
"[host]:[port]:tcpbind[:dstHostList[:srcHostList]]".
Typically, only the host filed is specified to select a network
interface, like SRCIF="150.29.202.120::tcpbind" for example.
 
HTTP proxy/server
 
 
Then use this DeleGate from your client on the internal host,
specifying "firewall:8080" as the proxy for
HTTP, HTTPS (Security), FTP, Gopher, Wais, and so on.
 
Example: cascaded DeleGate as an HTTP proxy 
Run a generalist DeleGate on the firewall which only accepts
request from internal host,
then run a specialist on internal which use the generalist
on firewall host.
A generalist can be shared as an upstream DeleGate from multiple
DeleGates of arbitrary protocol.
 
Example: DeleGate as an origin HTTP server 
A file with a name with ".cgi" extension is treated as a CGI script.
Also you can use arbitrary name of CGI scripts under a specified
directory with a MOUNT like: 
Example: DeleGate as a CGI program 
HTTP Transfer Log Format 
 
The session identifier put by "%s" is generated by specifying
HTTPCONF=session:cookie option while
"%As" is generated by AUTHORIZER=-dgauth option.
The format of session identifier is as this:
 
For example, "031114-173045.1234.5+6+7.9" means that
it is the 9th request from the client
in the session started at 17:30:45 on November 14 by the process of PID=1234.
The start of the session is recorded in LOGFILE as this:
 
Note that the reqnum part may not be unique because of parallel or
pipelined requests generated by a client as the owner of the session.
Note that the reqnum part for "%As" may not be incremented on each
request because the container of session identifier,
the opaque" parameter in Digest Authentication in this case,
may not be updated on each request.
 
 
 
Example:
 
 
Example:
 
 
Example: 
 
 
Example: 
 
Example: 
 
 
Example: 
Example:
 
 
 
Example:
 
CONTROLS:
 
Example: virtual hosting, acting as multiple HTTP servers
 
MOUNT="/* http://wwwA/* vhost=-dom1.com" 
 
MOUNT="http:* = method=POST,asproxy,useproxy" 
AUTH parameters for HTTP-DeleGate
 
 
Example: 
 
 
 
 
Example: 
A generated password is formatted as "passWord/%i" and
a DeleGate rejects incoming requests with an Authorization
field of such pattern. Thus forged password cannot pass the
DeleGate on the host "%i".
 
 
Example: 
 
 
 
Example:
          
 
 firewall% delegated AUTH="fromgen:%u@%h" ... 
Configuration of DeleGate by Users
 
Example:
MOUNTing news serverN at http://delegate/news/servN/
 
 
 
(This mechanism should be applied to other protocols like FTP...)
 
Server Side Include in SHTML files
 
SSI tags
 
META tags
 
ICP proxy/server
 
Example: a couple of ICP and HTTP DeleGates sharing a CACHEDIR
 
Example: an ICP proxy merging multiple upstream ICP servers
 
 
FTP proxy/server
 
Also the complete format
user:pass@host[:port]
as the generic server specification in URL
is usable both for USER and CWD like follows.
 
On a multi-homed host, or on a host behind a firewall, the IP address
or port number used for data connections might have to be controlled by
SRCIF.
 
Example: proxy FTP-DeleGate 
Then you can connect to arbitrary FTP servers (which may be
outside of firewall) via this FTP-proxy.
 
Example: cascaded FTP-Proxy
 
Example: FTP MOUNT with filtering, merging and aliasing
 
This DeleGate relays the whole contents of serv1 except for "/pub2/*"
which is replaced by that of "ftp://serv2/pub/*"
 
Example: FTP to LPR (Line Printer Daemon Protocol) gateway
 
A LPR/FTP-DeleGate allows FTP clients to access to remote printers;
printing a file by FTP file uploading and
showing a printer status by FTP directory listing.
MountOption "readonly" will inhibits listing the status.
 
Example: origin FTP-DeleGate 
"RELAY=no" prohibits the DeleGate to work as a proxy FTP server.
Writing to the file is disabled by default in origin FTP-DeleGate.
You need to specify "rw" (read/write) as a mount option to
MOUNT points to be writable, like MOUNT="/xxx/* /yyy/* rw".
 
If a ftpControl listed above is followed by ":sv" or ":cl" like "nopasv:sv"
for example, the ftpControl is applied only for server side
or client side respectively.
 
 
FTP Transfer Log Format 
 
transferTime is the total time in seconds for the transfer.
transferType is either "a" (ascii) or "b" (binary).
specialActionFlag is always "_" (none) in the current implementation.
direction is either "o" (outgoing) or "i" (incoming).
accessMode is either "a" (anonymous) or "r" (real user).
userName is e-mail address with accessMode "a",
or a real user name with accessMode "r".
serviceName is always "ftp" in the current implementation.
authenticationMethod is either "0" (none) or "1" (RFC1413 Authentication).
authenticatedUserID is the user id got via the authenticationMethod
or "*" without authentication.
DeleGateStatus is one of "L" (local file), "H" (cache hit),
"N" (cache miss).
 
Example: 
Telnet proxy/server
 
 
Example: proxy Telnet-DeleGate 
Then you can connect to arbitrary Telnet server via this Telnet-proxy.
 
Example: origin Telnet-like server
 
 POP proxy
 
Example: proxy POP-DeleGate
 
external% telnet firewall pop 
Example: POP MOUNT 
MOUNT="//*      ="
... don't rewrite if a server is specified by the user 
When a target POP server indicates that it accepts APOP authentication
(by a greeting message with a time stamp), DeleGate tries login with
APOP first, then retries with USER+PASS when APOP failed.
But if a server never accepts APOP in spite of its greeting, the useless
trial with APOP can be suppressed by "noapop" MountOption like this:
 
Example: NNTP server to POP client gateway
 
Clients are expected to send a newsgroup name as a user name.
 
Example: POP server to HTTP client gateway
 
This DeleGate provides mailboxes in POP server (at mailHost by
default) to HTTP clients.  Clients accessing to
"http://firewall/mail/"
are required to enter Username and Password for POP server at mailHost
as authorization information on HTTP.  If Username is in the form
"user@mailHost2",
not mailHost but mailHost2 is accessed as
a target POP server.
Each mailbox of User at Host server is named as
"http://firewall/mail/+pop.User.Host",
thus you can directly specify User and Host in URL.
 
IMAP proxy
 
external% telnet firewall imap 
SMTP proxy/server
 
Example: proxy SMTP-DeleGate 
Example: SMTP to SMTP forwarding
 
delegate.org# delegated -P25 SERVER=smtp
 
[the contents of SMTPGATE/users/feedback/conf]
 
Example: SMTP to NNTP forwarding
 
A SMTPGATE configuration file consists of a series of lines
of directives,
each looks like a message header of the internet message.
Comment string after sharp (#) character in each line is ignored.
Directives are categorized into three groups;
CONTROL, ACCEPT and OUTPUT.
 
 
 
 
 
 
 
 
 
When a SMTP-DeleGate received a message bound for a recipient,
with an address formed as recipient@mailhost,
it retrieves the configuration file for the recipient
in the following two directories in the order.
 
 
If no configuration for the recipient is found,
then the default configuration is used if it exists at the following directory.
 
 
Otherwise the built-in default configuration is used.
The default is at "/-/builtin/config/smtpgate/@default/conf"
which can be customized with MOUNT option.
The contents of the default is like follows which means
just delivering the input message
to the address of the recipient via the mail exchanger of the recipient.
 
 
The directory for each recipient contains following files.
 
 
Optional ones will be enabled by manually creating the file or the directory.
Instead of the default archive file,
user can define the file name and the unit of archive by ARCHIVE directive.
 
Example:
 
NNTP proxy/server
 
 
Example: Filtering 
relays only newsgroups which have name pattern "group.*".
A list of groups can be specified for a nntpServer like
"nntp://nntpServer/group1.,group2.,..."
 
Example: merge multiple NNTP servers 
Example: merge multiple NNTP servers with authentication (by AUTHINFO) 
Example: mount selected group(s)
 
Example: POP server to NNTP client 
Example: NNTP server to HTTP client 
Example: origin NNTP-DeleGate 
Specifying "-.-" as the destination server in SERVER parameter of
NNTP-DeleGate means using the DeleGate as an origin NNTP server
which has its own spools to be retrieved and posted.
To make a new newsgroup named newsGroup,
make an empty file 
When a posted article has Unix-From like "From user date"
as the first line or has a "Unix-From: user date" header,
the article number for the article is set to the one indicated in
"X-Seqno" (or "X-Sequence") header if exists,
and the creation date of the spool file will be set to the date
in the Unix-From.
 
LDAP proxy
 
Example: proxy LDAP-DeleGate 
Specify this DeleGate server as your client's LDAP server and
append "@host.of.ldap-server" after root directory name (i.e.
name of baseObject for search).
 
% ldapsearch -x -h localhost -p 389 -b o=netcenter.com@memberdir.netscape.com
 
Whois proxy
 
X proxy
 
Example: relaying to two displays on a single server host
 
Example: relaying to two server hosts
 
Gopher proxy
 
 
internal% gopher firewall 8070 
SSL proxy
 
 
Example: relay between non-SSL client and SSL server 
DNS (Domain Name System) proxy/server
 
 
Example: {NIS,FILE,DNS}/DNS gateway 
MX record for hostname is generated from
-MX.hostname if it is given (like the example below),
or the A record for hostname is used.
Priorities among multiple MX records can not be represented
in the current implementation.
 
Example: hosts table to use hostA as the MX of hostB 
 
CU-SeeMe proxy
 
RESERVED NAMES
 
AF_LOCAL SOCKETS
 
CUSTOMIZATION
 
 
In this example, the MOUNT replaces only the forbidden message
and the alternative data is a local file under "/tmp".
But in general, a group of builtin-data can be replaced
using wild-card (*) notation and
alternative data can be placed at remote host which can be accessible
via HTTP or FTP.  For example, copy the whole of "src/builtin/"
into "http://yourwww/delegate/builtin/" and MOUNT it like this:
 
 
Loading remote data will not suffer from overhead
as long as cache is enabled,
since MOUNTed built-in data are cached and reused like usual data. 
 
DEFENSE AGAINST ATTACKERS
 
Since the most typical method of attackers is buffer overflow on stack,
expecting a target buffer resides at a certain address,
randomizing stack address will be effective to decrease the probability
of successful attack.
And a failure of attack will cause a fatal error
to be caught by DeleGate.
 
A suspicious client host will be shut out until a relevant file
(under ADMDIR/shutout/) is removed,
or the file is expired by TIMEOUT=shutout (30 minutes by default).
For safety, TIMEOUT="shutout:0" (never timeout) is desirable
not to give a second chance to the attacker.
But as fatal errors are highly provably caused by usual bugs in DeleGate itself,
it may be troublesome to be the default value...
 
Anyway you should be aware of following options if you are aware of
preventing this kind of attacks,
as well as access control configurations.
 
 
At the start up time, the original environment variables and 
command line arguments on stack area are moved to heap area and cleared
not to be utilized for intrusion code by attackers.
At the same time, a dummy environment variable named RANDENV
with a value of random length (with maximum MAXIMA=randenv)
is inserted to randomize addresses of environment variables
to be inherited to child processes like filter programs and CGI programs.
 
 
 
 
 
GENTLE RESTART
 
 
Also restarting with SIGHUP can be done by remote HTTP clients
at "http://delegate/-/admin/"
using AUTH=admin parameter.
 
Restarting will be done after a configuration of DeleGate is changed. 
Parameters to be reloaded on restart must be given with
+=parameters notation
for parameter substitution.
Other options (parameters) given as command line arguments will be
inherited as is to the restarted DeleGate process.
 
Another purpose of restarting can be cleaning up
of possible garbage or leaked resources
like heap memory and file descriptors.
For this purpose,
DeleGate can be restarted periodically by
TIMEOUT=restart or
at each scheduled time by
-restart action in CRON parameter.
 
Given a -Ffunction option,
DeleGate runs to do the specified function
which typically is a client-side action of a certain protocol.
You can omit entering lengthy "delegated -F" by
giving a file name "function" to an DeleGate executable file
and just call it as function.
The matching of function name is case-insensitive.
  
Command line options before -Ffunction and after "--" option
is regarded as options for DeleGate rather than for the function,
as delegated dgopt ... dgopt
-Ffunc fopt ... fopt
-- dgopt ... dgopt.
As an exception, parameter option, in name=value format,
is recognized as a parameter for DeleGate even if it appeared at
fopt position.
  
Example: using DeleGate as a resolver
 
The following is a list of major functions.
 
 
FILES
 
See the description of DGROOT parameter
and Local file usage
for more information.
 
 
AUTHOR
 
FEEDBACK
 
DISTRIBUTION
SERVER="nntp://newsserver1:-:from={*.dom1}"
SERVER="nntp://newsserver2:-:from={*.dom2}"
-P119,110,25
SERVER="nntp://nntpserver:-:{*:119}"
SERVER="smtp://smtpserver:-:{*:25}"
SERVER="pop://popserver:-:{*:110}"
ADMIN parameter     ==  ADMIN=user@host.domain
                    --  default: built in at compile time
This parameter must be correctly given especially when the DeleGate runs on
a host directly reachable to/from internet.
This E-mail address will be used as follows:
 - Shown in (error) messages to clients, as the name of
           the administrator of this DeleGate
           (HTTP, etc.). 
 - Shown in opening messages or in a help message to clients,
           as the name of the administrator (FTP, NNTP, Telnet). 
 - Sent as a default user name (in PASS command)
           on anonymous access to FTP servers. 
 - Sent as sender name (in FROM command)
           in access to remote SMTP server on verification
           by AUTH=anonftp:smtp-vrfy. 
 - Report messages are sent to the address
           on occurrence of fatal signals
 
OWNER parameter*    ==  OWNER=user[/group][:srcHostList]
                    --  default: OWNER="nobody/nogroup"
                    --  restriction: super-user only on most of Unix
This parameter is effective only when the invoker is a super-user.
If specified, the DeleGate will run with the right of specified
user, calling setuid(2) and setgid(2) system calls. User and group
can be specified either in symbolic name or in id-number prefixed
with "#" like "#1234".
If srcHostList is specified, owner of this DeleGate will be set to
the user when the client host is included in the list.  The user
name "*" will be substituted by the user name of the client when
it can be got from an
Identification server on the client host.
OWNER="*:*@*".
CRON parameter*     ==  CRON="crontab-spec"
       crontab-spec ==  minute hour day month dayOfWeek action
                    --  default: none
Cause an action at a time specified in the format of crontab-spec
which is compatible with that of standard crontab(5) of cron(8)
servers in Unix systems.
If the action is prefixed with "/" then it is an external action
which will be executed by the system(3) function.  If the action is
prefixed with "-" then it is a built-in internal action of DeleGate.
-suspend N  -- suspend for N seconds
 -restart           -- restart the DeleGate
 -exit              -- finish the DeleGate
 -expire N   -- execute expiration for $CACHEDIR
                                 by "-atime +Nd"
 -system command 
-- execute command as a shell command
 /dir/command args 
-- equiv. to "-system /dir/command args"
 - args             
-- equiv. to "/dir/delegated args"
 -Ffunc args 
-- equiv. to "/dir/delegated -Ffunc args"
 
CRON="0 0 * * * -restart"
CRON="0 3 * * * -expire 3"  (this is equivalent to followings)
CRON="0 3 * * * -Fexpire /path/of/cache -rm -atime +3 -sum"
CRON="0 3 * * * /path/of/delegated -Fexpire /path/of/cache -rm -atime +3 -sum"
INETD parameter*    ==  INETD="inetd-conf"
        inetd-conf  ==  port sockType proto waitStat uid execPath argList
              port  ==  [host:]portNum
          sockType  ==  stream | dgram
             proto  ==  tcp | udp
          waitStat  ==  nowait ("wait" is not yet supported)
                    --  default: none
Invoke a new DeleGate process with the specified configuration when
a request is arrived at the specified port.  The format of the
inetd-conf specification is like that of standard inetd.conf(5)
in Unix systems.
A default value of each field can be represented by "-".
Default values of sockType, proto and waitStat
are "stream", "tcp" and "nowait" respectively.
The uid field will be used as
OWNER parameter in the invoked process.
Specifying "-" as uid value means
invoking DeleGate without OWNER parameter.
If execPath is "-",
it means to start child DeleGate process with the given argList.
The configuration of the parent DeleGate process is inherited to
child DeleGates.  For example, when a parent DeleGate is invoked
like:
delegated ADMIN=foo EXPIRE=1 INETD=conf1 INETD=conf2
these ADMIN and EXPIRE parameters are inherited to DeleGates
described in conf1 and conf2.
    INETD="8080 stream tcp nowait nobody - SERVER=http"
INETD="8080 - - - nobody - SERVER=http" (equivalent to the above)
INETD="8119 - - - - - SERVER=nntp://nntpserver/"
INETD="8888 - - - - /bin/date date" (equivalent to the following)
INETD="8888 - - - - - SERVER=exec XCOM="/bin/date date"'
INETD="8888 dgram  udp - - /bin/date date"
INETD="localhost:8888 - - - - - /bin/sh sh"
INETD=+=/path/of/inetd.conf  (load configuration from a file)
HOSTLIST parameter* ==  HOSTLIST=listName:HostList
Define a named HostList with the name listName.
A named HostList can be referred in other HostLists.
If multiple HOSTLIST parameters with the same listName are defined,
the lastly defined one is referred.
If a HostList is prefixed with "+,"
like HOSTLIST="listName:+,newHostList"
then the newHostList is appended to the current definition of the list.
    // redefine .localnet
HOSTLIST=".localnet:localhost,./32,192.168.*"
// exclude localhost form the predefined .localnet
HOSTLIST=".localnet:+,!localhost"
CMAP parameter*     ==  CMAP=resultStr:mapName:connMap
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
A generic parameter to make some parameters be conditional on the current connection.
When the protocol, the destination and the source
of the current connection match the connMap,
this map is enabled providing resultStr string
to be used for mapName.
Not only host name/address but also port number of destination servers
can be used for matching in dstHostList.
A typical usage of this parameter is for applying
filter conditionally.
LIBPATH parameter   ==  LIBPATH=dirPath[:dirPath]*
                    --  default: LIBPATH='.:${STARTDIR}:${LIBDIR}:${EXECDIR}:${ETCDIR}'
Library files, including parameter files,
CFI scripts and filter programs,
are searched in multiple directories in order specified in LIBPATH
if it is specified as relative path.
By default, LIBPATH is a ordered list of the following directories:
WORKDIR (.) -- the working directory
STARTDIR -- the directory where the DeleGate is invoked
LIBDIR -- ${DGROOT}/lib by default
EXECDIR -- the directory where the executable file of DeleGate is placed
ETCDIR -- ${DGROOT}/etc by default
DATAPATH parameter  ==  DATAPATH=dirPath[:dirPath]*
                    --  default: DATAPATH='.:${DGROOT}:${STARTDIR}
The list of directories each contains data files to be provided to
client.  This parameter is used by a DeleGate which generates response
data from local file specified in relative path like
MOUNT="/path/* file:dir/*".
DGPATH parameter    ==  DGPATH=dirPath[:dirPath]*
                    --  default: DGPATH='+:.:${HOME}/delegate:${ETCDIR}'
The search path of parameter files.
A special directory name "+" stands for the place
where the "caller" resource
(a parameter file referring the parameter file) is.
DGOPTS parameter    ==  DGOPTS=opt[,opt]*
                    --  default: none
A list of command line options.
This may be useful when those options like -P or -v,
not in name=value format,
are to be given in an environment variable.
SOCKOPT parameter   ==  SOCKOPT=[no]name[:value]
                    --  default: reuse
Set socket options.
PORT parameter      ==  PORT=port[,port]*
              port  ==  [host:]portNum[/udp]
           portNum  ==  number[-number]
                    --  default: none
Make entrance ports as -P option does.
FORWARD parameter*  ==  FORWARD=gatewayURL[-_-connMap]
        gatewayURL  ==  gwproto://gwhost[:gwport]
           connMap  ==  protoList:dstHostList:srcHostList
                    --  default: none
Forwards a request
toward a proxy server specified in gatewayURL
if the request matches the condition specified in connMap,
that is, the request is in a protocol listed in protoList and 
for servers listed in dstHostList and
from clients in srcHostList.
If connMap is omitted, any request are forwarded to the
gatewayURL unconditionally.
FORWARD is a generalized notation of ROUTE and
the following two notations are equivalent.
ROUTE=gwproto://gwhost:gwport/-_-dstHostList:srcHostList
FORWARD=gwproto://gwhost:gwport/-_-*:dstHostList:srcProtoList
FORWARD=delegate://gwhost:gwport/-_-*:dstHostList:*
FORWARD=gwproto://gwhost:gwport/-_-*:dstHostList:*
FORWARD=socks://gwhost:gwport[/socksOpt]-_-*:dstHostList:srcHostList
ROUTE parameter*    ==  ROUTE=proto://host:port/-_-dstHostList:srcHostList
                    --  default: none
Forwards requests from hosts in srcHostList
to the resources listed in dstHostList
toward the server at host:port
in proto protocol.
ROUTE is a generalized notation for MASTER and PROXY.
MASTER="host:port:dstHostList" is the abbreviation of
ROUTE="delegate://host:port/-_-dstHostList:*".
PROXY="host:port:dstHostList"
      with SERVER=proto is equals to
ROUTE="proto://host:port/-_-dstHostList:*".
MASTER parameter*   ==  MASTER=host:port[/masterControl][:dstHostList]
                    --  default: none
This parameter specifies an upstream generalist DeleGate (MASTER-DeleGate)
to which this DeleGate will forward requests.
Forwarding to a MASTER-DeleGate can be filtered
by postfixing ":dstHostList";
only request toward destination servers listed in dstHostList are
forwarded to the MASTER-DeleGate.
When multiple MASTERs are given, they are tried in order until connection
to a MASTER succeed.
    cache    -- use the MASTER only if cache hits in the MASTER
    teleport -- make a persistent Teleport connection to the MASTER
    
MASTERP parameter   ==  MASTERP=[host:port]
                    --  default: none
Invoke a MASTER-DeleGate private to this DeleGate.
HTTP-DeleGate working as a gateway to another protocol needs
MASTER-DeleGate to do connection cache for FTP and NNTP.
MASTERP may be specified with MASTER to force data caching at
the local host when the MASTER is running at a remote host.
RPORT parameter     ==  RPORT={tcp|udp}[:host]
                    --  default: none
This parameter should be used together with MASTER parameter.
If specified, a connection (for response data transfer) from the
MASTER-DeleGate to this DeleGate is established separately from the
connection (for request data transfer) from the DeleGate to its
MASTER-DeleGate.  A specified type of response connection will be
made from the MASTER toward the delegate at the specified host.
PROXY parameter*    ==  PROXY=host:port[:dstHostList]
                    --  default: none
Specify an upstream proxy (specialist DeleGate or standard proxies)
to which the DeleGate should forward requests.
Only HTTP, FTP, and Telnet specialist DeleGate can specify this parameter.
SERVER=ftp PROXY=proxyhost:proxyport  
SOCKS parameter*    ==  SOCKS=host[:[port][/socksOpt][:dstHostList[:srcHostList]]]
          socksOpt  ==  [ -4 | -r ]*
                    --  default: none
Specify to use Socks server on host.  The server is expected
to recognize Socks version 5 protocol.  If the server supports only
version 4, specify "-4" option like "SOCKS=host:port/-4".
The "-r" option controls which of DeleGate or Socks server does the name
resolution (from the host name of a target host to its IP address).
With a SocksV4 server, name resolution is done by DeleGate by default.
"-r" option make the resolution be delegated to the server
(This is applicable if the server supports extended Socks4A protocol).
With a SocksV5 server, name resolution is delegated to the server
by default, and "-r" option make the resolution be done locally by DeleGate.
By default, the connection establishment via Socks will be tried
after all of other trials failed, but you can control the order by
the CONNECT parameter. 
If the dstHostList part is omitted, the default value for it is
"!.localnet".  This default value can be changed
by redefining the named HostList ".socksdst"
which is predefined as HOSTLIST=".socksdst:!.localnet"
CONNECT=s,d
SOCKS="sockshost:1080:!.localnet,!*.my.domain"
SSLTUNNEL parameter ==  SSLTUNNEL=host:port
                    --  default: none
Use a HTTP proxy with  the standard SSL tunneling feature
(on HTTP with CONNECT method)
running at host:port as a circuit level proxy
for target servers of arbitrary protocols.
VSAP parameter      ==  VSAP=host:port
                    --  default: none
Specify a VSAP server to be used for accepting from clients or for
connecting to clients.  VSAP is a remote socket mapping server
which enables servers to accept a TCP connection via a remote host
as well as to connect via a remote host.
    // VSAP server
firewall% delegated -P8000 SERVER=vsap PORT=8080-8090
    // accept via VSAP
       to provide internal servers for external clients
internal% delegated -P8080@firewall:8000 ...
    // connect via VSAP,
       working as a proxy server for internal clients
internal% delegated -P8080 CONNECT="{vsap/firewall:8000}" ...
    // accept and connect via VSAP server
internal% delegated -P8080 VSAP=firewall:8000 ...
CONNECT parameter*  ==  CONNECT=connSeq[:connMap]
           connSeq  ==  connType[,connType]*
          connType  ==  cache|icp|master|https|vsap|direct|socks|udp
           connMap  ==  ProtoList[:dstHostList[:srcHostList]]
                    --  default: CONNECT="c,i,m,h,v,s,d:*:*:*"
This parameter controls the order of trials for connection to the
target server using several connection method as followings:
cache   -- CACHE search (without connection) 
icp     -- via a PROXY hinted by ICP server 
proxy   -- via a PROXY server 
master  -- via a PROXY or a MASTER-DeleGate server 
https   -- via a SSLTUNNEL (SSL tunnel on HTTP) 
vsap    -- via a VSAP server 
direct  -- direct connection to the target server 
socks   -- via SOCKS servers 
udp     -- by UDP 
None    -- don't connect 
If ProtoList and dstHostList are given, this control is applied only
to the protocols and hosts included in the lists.  For example,
to use cached data in a host which is not connected to external networks,
specify as CONNECT="cache:*:!./@".
SRCIF parameter*    ==  SRCIF=host[:[port][:connMap]]
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: SRCIF="*:*:*:*:*"
This parameter is useful for DeleGate running on a multi-homed host or
on a host behind a firewall with packet filtering.
SRCIF="*:0:ftp-data"
// use a random port number for FTP data connection
SRCIF="*:8020-8120:ftp-data"
// use a port number in the specified range
SRCIF="150.29.202.120:*:tcpbind"
// use the specified address to accept via SOCKS
SRCIF="150.29.202.120:*:udpbind"
// use the specified address to relay UDP on SOCKS
TUNNEL parameter    ==  TUNNEL=tunnelType:script
        tunnelType  ==  tty7
                    --  default: none
If specified, communication with an upstream DeleGate will be tunneled
via the standard input/output of the command.
The tunnel can be made of any kind of channel,
a raw serial line for example,
as long as it provides bi-directional transmission on it.
Possibly it may be the channel to the DeleGate
which will be invoked from inetd at remote host.
TUNNEL=tty7:tunnel.shio
Example: make a tunnel with login dialogue
[content of tunnel.shio]
o rsh host delegated SERVER=tunnel1\n
i READY\r\n
=
TUNNEL=tty7:tunnel.shio
As shown in above examples, the first line in a SHIO-script file is
expected to be a shell command like "o command\n" to establish a
connection to a remote server.
Another way to establish a connection is putting "c host:port"
on the first line.  No shell nor shell command is invoked in this case.
[content of tunnel.shio]
o telnet hostname\n
i login: 
o username\n
i Password:
o password\n
i % 
o delegated SERVER=tunnel1 \n
i READY\r
i \n
=
PERMIT parameter*   ==  PERMIT=connMap
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
A PERMIT parameter specifies what kind of accesses should be
permitted by this DeleGate.  An access will be permitted if the
access is from a client host included in srcHostList,
and to a server host included in dstHostList,
and with a protocol included in ProtoList.
PERMIT="*:*:.localnet"
PERMIT="http:www:*"
REJECT parameter*   ==  REJECT=connMap
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
REJECT parameter specifies what kind of access is to be rejected
in the same syntax with PERMIT.
It can be more convenient than PERMIT
when cases to be rejected are exceptional and
are easier to describe than cases to be permitted.
REJECT="pop//DELE:mail-server:mail-client"
REJECT="imap//EXPUNGE:mail-server:mail-client"
REMITTABLE parameter == REMITTABLE=ProtoList
                    --  default: REMITTABLE="*" for generalist
                    --  default: REMITTABLE="." for specialist
Only protocols (to the server) listed in ProtoList will be permitted
by this DeleGate.
For generalist (a DeleGate with SERVER="delegate" parameter) any
protocols are permitted by default.  For specialist, only the protocol
specified in the SERVER parameter (which can be represented by ".")
is permitted by default.
When the current destination server is determined by
a MOUNT parameter like
MOUNT="Path1 Proto://Server/Path2",
the protocol Proto is automatically allowed as a destination
protocol with Server, regardless of REMITTABLE restriction.
Note that "https" implies that non-HTTPS protocol on the SSLtunnel may
be detected and rejected.
If arbitrary protocol is to be relayed on the SSLtunnel,
specify "ssltunnel" instead of "https" like REMITTABLE="+,ssltunnel".
REACHABLE parameter* ==  REACHABLE=dstHostList
                    --  default: REACHABLE="*" (any host is reachable)
Only requests directed to the servers on the hosts (or networks)
listed in dstHostList will be accepted by the DeleGate.
When you use multiple REACHABLE parameters,
you must be certain of the meaning.
RELIABLE parameter* ==  RELIABLE=srcHostList
                    --  default: RELIABLE=".localnet"
Only requests sent from clients on hosts (or networks)
listed in srcHostList
will be accepted by the DeleGate.
By default, only accesses from client hosts on networks
local to the host of the DeleGate (.localnet)
are permitted.
RELAY parameter*    ==  RELAY=relayTypeList[:connMap]
     relayTypeList  ==  relayType[,relayType]*
         relayType  ==  proxy | delegate | vhost | no | nojava | noapplet
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: RELAY="delegate,vhost,nojava:*:*:.localnet"
                                 RELAY="proxy:*:*:*"
This parameter controls in which way the DeleGate works as a HTTP server.
DeleGate as a HTTP proxy server works in two ways (proxying modes):
as a standard (CERN compatible) HTTP proxy which accepts full URL
in a request ("proxy" relayType),
and as a DeleGate original proxy which accepts
/-_-URL in a request
and rewrites URLs in the response ("delegate" relayType).
In a full specification format with ":connMap",
available proxying modes
can be classified by combination of server protocol, server host and
client host.
    RELAY=no             ... do not work as a proxy (origin server only)
RELAY=proxy          ... CERN compatible mode only
RELAY=delegate       ... DeleGate mode only (/-_-URL)
RELAY=proxy,delegate ... both CERN and DeleGate mode
RELAY=proxy,noapplet ... inhibit <APPLET> tag to be relayed by proxy
Both "proxy" and "delegate" modes are allowed to users on ".localnet",
while only "proxy" mode is allowed to other users.
AUTH parameter*     ==  AUTH=what:authProto:who
                    --  default: none
Authorize who to do what.
Authentication of user will be done using protocol specified in
authProto.
Identification about "who the client's user is"
is done based on Identification protocol to the client host
if it supports the protocol.
Otherwise FTP-server may be used as an authentication server.
Given a set of User, Host and Password,
DeleGate tries to login to the (FTP) server on Host
with User and Password.
If succeed, then the client is authenticated to be
User@Host.
AUTH="admin:*:user@host"
 
The second field should be "*" in current implementation.  
The E-mail address must be in the form of user@host,
otherwise (if the host part is not given) the FTP login is
rejected by DeleGate.
HTTP-DeleGate asks anonymous users to declare his/her E-mail address
as Username part in Authorization.
If passWord field is specified as "*" (i.e. AUTH="anonftp:*:*"),
then any Password in the Authorization will be acceptable.
In FTP-DeleGate, the E-mail address must be given as a password (in PASS
command) for the anonymous user, and the password is used for matching
with passWord too.
The second field must be "*" in current implementation.
 
Example:
 
 ident  -- Identification protocol [default]
  pauth  -- Use Proxy-Authorization field "user@host:password"
  auth   -- Use Authorization field "user@host:password"
  
AUTH=proxy:auth PERMIT="*:*:{*,!?}@*"
Note:
// Any user at any host is allowed as long as he/she is identified.
When the client does not support Proxy-Authentication,
you are obliged to use "proxy:auth" for Authentication.
In such case, note that the client cannot access
resources which requires Authentication.
AUTHORIZER parameter* ==  AUTHORIZER=authServList[@realmValue][:connMap]
       authServList  ==  authServ[,authServ]* | & | *
           authServ  ==  authHost[/portNum]
           authHost  ==  hostName | hostAddr
            connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
                    --  restriction: applicable to Telnet, FTP, NNTP, SMTP, Socks, and HTTP
Specify the server for authentication and authorization ("auth-server").
If specified, an access by a client is not permitted without
authenticated successfully by the auth-server,
sending an appropriate pair of user-name and pass-word
over the application protocol.
Two special authServ "-none" and "-never" are exceptions
to make authentication unnecessary.
// a HTTP proxy or server with the Digest authentication with clients.
SERVER=http AUTHORIZER=-dgauth
// a POP proxy which uses APOP authentication with clients.
SERVER=pop MOUNT="* pop://server/*" AUTHORIZER=-dgauth
Note that most of PAM authentications need to be executed under the
privilege of superuser on Unix (with OWNER="root" option).
But you can avoid running your DeleGate with superuser privilege by
installing external program "dgpam" under DGROOT/subin/.
Also PAM authentication can be delegated to a remote
PAM server.
"&" -- the client host (user name on the client host is required)
"*" -- any authHost specified by the client as "user@authHost"
// clients from outside of local.domain is required authentication
SERVER=telnet AUTHORIZER="&:::!*.local.domain"
// any clients is allowed if the user is authenticated with localhost
SERVER=telnet AUTHORIZER="localhost" RELIABLE="*"
// using DeleGate's own list of "-socksusers" maintained with
"-Fauth"
SERVER=socks AUTHORIZER=-socks.users
MYAUTH parameter*   ==  MYAUTH=username:password[:connMap]
                    --  default: none
                    --  restriction: applicable to Socks, VSAP, SMTP, and HTTP
Specify authorization information to be sent to an upstream server/proxy.
Special characters in username or password must be escaped
with "%XX" where XX is hexadecimal representation of
a character code (see ascii(7)).
Special characters to be escaped are:
TAB ("%09"), SPACE ("%20"), '"' ("%22"), '%' ("%25"), ':' ("%3A"),
'{' ("%7B"), and '}' ("%7D").
MYAUTH=userS:passS:socks
MYAUTH=userV:passV:vsap
MYAUTH=userM:passM:smtp:smtpserverM
MYAUTH=userH:passH:http:httpserverH
MYAUTH=userP:passP:http-proxy:httpproxyP
RIDENT parameter    ==  RIDENT=ridentType[,ridentType]*
       ridentType   ==  client | server
                    --  default: none
If RIDENT="server" is specified, identification information about the
client socket got by getsockname(2) and getpeername(2) will be
forwarded to the PROXY or MASTER-DeleGate which will receive the
information by RIDENT="client", and will use it for access control.
A DeleGate server with RIDENT="client" can accept both from DeleGate
with RIDENT="server" and other proxy servers with no RIDENT support.
An intermediate DeleGate in a chain of cascaded DeleGate servers
should be given RIDENT="client,server".
host1# delegated -P8080 RIDENT=server MASTER=host2:8080
host2# delegated -P8080 RIDENT=client
MAXIMA parameter*   ==  MAXIMA=what:number,...
                    --  default: MAXIMA=listen:20,ftpcc:2,...
Specify the maximum number of resource usage, processes, connections, etc.
randstack  --  randomization range of stack base for security [32]
 randenv   --  randomization range of environment variables base [1024]
 randfd    --  randomization range of client socket file-descriptor [32]
 listen    --  max. size of the queue for entrance port [20]
 delegated --  max. number of DeleGate processes runnable at a time [64]
 service  --  max. number of services per delegated process [unlimited]
 standby   --  max. number of standby process [16]
 conpch    --  max. number of connections at a time per client host [unlimited]
 ftpcc    --  max. number of FTP connection cache servers to a host [16]
 nntpcc   --  max. number of NNTP connection cache processes to a host[16]
 http-cka  -- 
(replaced by HTTPCONF=max-cka)
 http-ckapch -- 
(replaced by HTTPCONF=max-ckapch)
 udprelay --  max. number of parallel UDPrelay client [256]
 winmtu --  max. unit of send() on Win32 [1024]
 
TIMEOUT parameter*  ==  TIMEOUT=what:seconds,...
                    --  default: TIMEOUT=dns:10,acc:10,con:10,lin:30,...
Specify timeout period (in seconds by default) of what.
The timeout value "0" means "never timeout" (unlimited).
The unit of period is second by default,
but can be changed like 1d(day), 1h(hour), 1m(minute).
DELAY parameter*    ==  DELAY=what:seconds
                    --  default: DELAY=reject:60,unknown:60,...
Delay for specified seconds before doing what.
reject      --   continuous Reject resp. from self or MOUNTed servers [60]
 unknown     --   continuous Unknown resp. from self or MOUNTed servers [60]
 reject_p    --   continuous Reject resp. from origin server [0]
 unknown_p   --   continuous Unknown resp. from origin server [0]
 
MOUNT parameter*    ==  MOUNT="vURL rURL [MountOptions]"
                    --  default: MOUNT="/* SERVER_URL*"
Map vURL to/from the rURL.
URLs matches with vURL in a request message from a client
are rewritten to rURL and forwarded to a server, and
URLs matches with rURL in a response message from the server
is rewritten to vURL and forwarded to the client.
What is rewritten by MOUNT in each protocol is like follows: 
MOUNT="/abc/* http://host/*"
// rewrites "/abc/def" to/from "http://host/def"
// DeleGate's parameters: SERVER=http -Pdhost:9080 ... 
// Requested URL:  http://vhost:9080/x/ 
MOUNT="/x/* =://=:=/y/*"   -> http://vhost:9080/y/ 
MOUNT="/x/* ///y/*"        -> (the abbreviation of the above) 
MOUNT="/x/* //-P/y/*"      -> http://dhost:9080/y/ 
MOUNT="/x/* =://serv/y/*"  -> http://serv:80/y/ 
MOUNT="/x/* //serv/y/*"    -> (the abbreviation of the above) 
MOUNT="/x/* //serv:=/y/*"  -> http://serv:9080/y/ 
MOUNT="/x/* //=:9088/y/*"  -> http://vhost:9088/y/ 
MOUNT="/x/* https://=/y/*" -> https://vhost:443/y/ 
// Requested URL:  http://dhost/x/abc/def 
MOUNT="/x/*%S/%S     ///y/*%S.%S"     -> http://dhost/y/abc.def 
MOUNT="/x/*%S/%S     ///y/*%(1)/%(0)" -> http://dhost/y/def/abc 
MOUNT="/x/*%1[a-z]%S http://w/*%S/%S" -> http://w/a/bc/def 
MountOptions == option[,option]*
MountOptions is a list of options, to make MOUNT be conditional,
or to apply some functions only to MOUNTed URLs.
Some of them are common to any protocol
and others are specific to a protocol (
HTTP,
NNTP
).
Note that this option is applicable to any client side protocol, that is,
not only HTTP-DeleGate but also DeleGate for FTP, POP, NNTP, etc. can
switch destination server based on the client side interface if
its has an IP address distinguishable from others.
When the DeleGate is acting as an origin HTTP server and a virtual
host name is shown in "Host: host" field in the request message,
the virtual name is examined prior to the real host name. If
multiple virtual names are bound to the same IP-address,
prefix "-" to the virtual hostname like "host=-hostname" to
distinguish among virtual names.
// switch MOUNT depending on from which interface the client is
MOUNT="* URL1 host=this-host"
MOUNT="* URL2 host=localhost"
// switch MOUNT depending on from which port the client is
-P70,80
MOUNT="* URL1 host=*:70"
MOUNT="* URL2 host=*:80"
URICONV parameter*  ==  URICONV={convSpec|defElem|defAttr}
          convSpec  ==  convList:attrList
           defElem  ==  defelem:+,elemnameList
           defAttr  ==  defattr:+,attrnameList
                    --  default: it will be shown by URICONV=dump
Specify which kind of URI rewriting should be applied to which kind
of attributes of tags in HTML document.  The convList is a list of
following items.
mount     --  rewriting by MOUNT
 normal    --  normalize MOUNTed URL if it includes "../" in URL-path
 partial   --  represent (MOUNTed) URLs as partial URLs if possible
 full      --  convert all of URLs to full URLs
 
URICONV=mount,normal,partial:+  -- might be the default after Ver.6
URICONV=full:+,-HREF/BASE       -- rewrite everything except HREF/BASE
URICONV=dump                    -- show the current URICONV config.
URICONV=+ URICONV=mount:-SRC/IMG URICONV=full:SRC/IMG
BASEURL parameter   ==  BASEURL=URL
                    --  default: none
The base of (virtual) URL of this server which will be embedded
in each absolute URL generated by the DeleGate: ex. icon URLs
in HTML pages generated by NNTP/HTTP gateway DeleGate.
MOUNT='/* nntp://newsserver/*" BASEURL="http://wwwserver/news"
// this will be useful when a HTTP server "http://wwwserver" is mapping
// its path "/news" to the root of this HTTP-DeleGate.
DELEGATE parameter  ==  DELEGATE=gwHost:Port[:ProtoList]
                    --  default: DELEGATE=currentHost:currentPort
This parameter seems to be almost superseded by BASEURL, RELAY, and
URICONV parameters.
This parameter is introduced to customize the representation of
the gwHost:Port part.
It is a representation of the entrance port of this DeleGate
which must be resolvable and reachable from clients.
To make it be most usable, the default value of gwHost is
that of current network interface of the host of this DeleGate
through which the current client reached to this DeleGate,
and it is represented in raw IP address number so that clients can
reach the DeleGate even if they don't know how to resolve
the host name of the DeleGate.
Exceptionally, if the entrance port is specified with
with an explicit network interface like "-Phost:port,
the default value of DELEGATE is set to the host:port.
By specifying an optional ProtoList,
you can limit to which protocols this proxying is applied.
URLs (or pointers) in a response message are rewritten
prefixed with "proto://gwHost:Port/-_-" so that
the request to it is directed again to this DeleGate
(at gwHost:Port), if the protocol is included in
the ProtoList.
CACHE parameter*    ==  CACHE=cacheControl[,cacheControl]*
      cacheControl  ==  do | no | ro
                    --  default: none
                    --  restriction: applicable to HTTP, FTP, NNTP and Gopher
Specify a restriction of cache usage.
    do -- create CACHEDIR if not exist (to enable cache)
    no -- disable cache
    ro -- use cache in read-only
Cache is enabled by default.
Cache will be disabled if the CACHEDIR directory does not exist,
or it is not readable and writable by the DeleGate,
or CACHE="no" is specified,
or "cache" is not included in CONNECT.
EXPIRE parameter*   ==  EXPIRE=validity[/custody][:connMap]
           connMap  ==  ProtoList:dstHostList:srcHostList
          validity  ==  period
           custody  ==  period
            period  ==  Num[d|h|m|s]
                    --  default: EXPIRE=1h
EXPIRE specifies the term of validity of cached data, in unit of
days, hours, minutes, or seconds.  Validity does not mean active removal of
cached data by DeleGate; DeleGate merely ignores cached data if it
is older than the specified term.
CACHEFILE parameter ==  CACHEFILE=fileNameSpec
                    --  default: CACHEFILE='$[server:%P/%L/%p]'
CACHEFILE specifies how the file name of a cache file is formed.
The name is derived mainly from informations about server host and
requested URL.
Those informations are specified in the format "$[server:format]"
where the format is a sequence of symbols each refers a part of an URL
scheme://host.d2.d1:port/path
as follows:
%P  --  scheme
     Protocol name part       
 %L -- host.d2.d1:port
     Login (or site) part               
 %H -- host.d2.d1
     Host name                
 %T -- port
     Port number              
 %h -- d1/d2/host
     hierarchical host name directory      
 %d -- d1/d2
     hierarchical domain name directory    
 %1 -- d1
     top level domain         
 %2 -- d2
     second level domain      
 %p -- path
     URL-path part            
 %Q -- host.d2.d1.d0
     use FQDN of a host name (like %Q%L or %Q%H)
 
Example:
CACHEFILE='$[server:%P]/$[hash:%H]/$[server:%L/%p]'
ICP parameter*      ==  ICP=icpServerList[:icpServerSpec[:connMap]]
     icpServerList  ==  icpServer[,icpServer]*
         icpServer  ==  icpHost[/icpType/proxyPort/icpPort]
     icpServerSpec  ==  icpOptions:proxyPort:icpPort
           connMap  ==  ProtoList:dstHostList:srcHostList
                    --  default: none
                    --  restriction: applicable to {HTTP,FTP}-DeleGate
If specified, and if "icp" is included in the CONNECT sequence,
a HTTP-DeleGate will try to get a requested resource
from specified ICP server.
The meaning and default value of each field is as follows:
s  -- the ICP server is a "sibling" [default]
 p  -- the ICP server is a "parent"
 l  -- the ICP server is a "listener" which never respond
 n  -- the ICP server is a navigation proxy
 o  -- require HIT_OBJ response
 H  -- the object server is a HTTP proxy [default]
 D  -- the object server is a MASTER-DeleGate.
 O  -- the object server is an origin server.
 
timeout/N  -- period to wait response as an ICP client (in seconds)[2.0]
 parent  -- mark the default type of icpServers as "parent"
 listener  -- mark the default type of icpServers as "listener"
 hitobj  -- enable HIT_OBJ for all icpServers by default
 Origin  -- object servers are origin server
 DeleGate  -- object servers are DeleGate
 
ICP=icphost
// This is the simplest usage which is the abbreviation of 
// ICP="icphost/sH/8080/3130:timeout/2.0:8080:3130:*:*:*"  
ICP="host0//8080/3130"
ICP="host0::8080:3130"
ICP="host1:timeout/1.0:::http,ftp:!*.my.domain:*.my.domain"
ICP="host1,host2/O/80/13130:timeout/2.0:8080:3130"
CHARCODE parameter  ==  CHARCODE=[inputCode/]outputCode
        outputCode  ==  charCode
          charCode  ==  iso-2022-jp | euc-jp | shift_jis | JIS | EUC | SJIS | UTF8
                    --  default: none
If specified, DeleGate will convert the JIS code in text type response
message into the specified character code.
When UTF8 is specified, a mapping table necessary for conversion between
UTF8 and JIS is downloaded automatically from the server at Unicode.Org.
The full specification format of the parameter value is
inputCode/output-code.  CHARCODE=JIS is the abbreviation of
CHARCODE=JP/JIS where JP means Japanese text encoding {JIS,EUC,SJIS,UTF8}.
HTMLCONV parameter  ==  HTMLCONV=convList
          convList  ==  conv[,conv]*
              conv  ==  deent | enent | fullurl
                    --  default: HTMLCONV=deent
Specify a list of flags to control conversion for HTML text in
a HTTP response message.
deent     --   decode entity symbol
 enent     --   encode entity symbol
 fullurl   --   convert all of URLs to full URLs
             (equals to URICONV="full:+,-HREF/BASE")
 
If "enent" is specified then entity symbols appearing
out of multi-byte charset text will be encoded.
This may be useful in case of NNTP-DeleGate to be accessed by
WWW client.
If empty list is specified, any conversion is disabled.
MIMECONV parameter  ==  MIMECONV=mimeConv[,mimeConv]
          mimeConv  ==  thru | charcode | nospenc
                    --  default: none
                    --  MIMECONV="" if CHARCODE parameter is given
Control MIME encoding/decoding in NNTP/POP/SMTP DeleGate.
MIMECONV=thru disables any MIME encoding/decoding, and
MIMECONV=charcode enables only character code conversion.
MIMECONV=nospenc disables a special encoding of space character in
non-ASCII (ISO-2022-JP) text in MIME header.
FCL parameter       ==  FCL=filterCommand
FTOCL parameter     ==  FTOCL=filterCommand
FFROMCL parameter   ==  FFROMCL=filterCommand
FSV parameter       ==  FSV=filterCommand
FTOSV parameter     ==  FTOSV=filterCommand
FFROMSV parameter   ==  FFROMSV=filterCommand
FMD parameter       ==  FMD=filterCommand
FTOMD parameter     ==  FTOMD=filterCommand
FFROMMD parameter   ==  FFROMMD=filterCommand
filterCommand       ==  [-s,][-p,][-w,]command
                    --  default: none
Specify a filter command
to be applied to data transmitted between DeleGate and clients,
or between DeleGate and servers.
When a filterCommand is specified in relative path name,
it is searched in LIBPATH.
Example:
FTOCL=-tee-h-n FTOSV=-tee
XCOM parameter      ==  XCOM=filterCommand
XFIL parameter      ==  XFIL=filterCommand
                    --  default: none
XCOM and XFIL is used together with SERVER="exec" parameter.
A special protocol name "exec" means executing some local command
rather than connecting to a server. With "exec", DeleGate will work
like simple inetd or wrapper.
What will be executed is specified with either XCOM or XFIL parameter.
Commands executed as XCOM will be given standard I/O
which are bound for a socket connected to the client.
Commands executed as XFIL will be given standard I/O
which are redirected to a pair of pipes bound for DeleGate,
which relays it to and from the client.
CHROOT parameter    ==  CHROOT=dirPath
                    --  default:  none
                    --  restriction: super-user only on most of Unix
Change the root of file system to dirPath at the start
using chroot(2) system call,
restricting accessible (visible) files to ones under dirPath.
This is effective to isolate the DeleGate from the whole file system
of the host machine preventing DeleGate from possible destruction of them
by its bug or by intrusion.
DGROOT is interpreted after the root is changed. 
A special case CHROOT="/" means using the value of
(default or specified) DGROOT as CHROOT and set DGROOT="/".
That is, DGROOT="/path" with CHROOT="/" are equal to
DGROOT="/" with CHROOT="/path".
DGROOT parameter    ==  DGROOT=dirPath
                    --  default:  on Unix: '/' if CHROOT is set or
                                           '${HOME}/delegate' or
                                           '/var/spool/delegate-${OWNER}' or
                                           '/tmp/delegate-${OWNER}'
                               on Windows: '/Program Files/DeleGate'
All of sub-directories (LOGDIR, ADMDIR, CACHEDIR, WORKDIR, ETCDIR,
ACTDIR and TMPDIR) will be located under the DGROOT by default.
At the start up time (on Unix), DeleGate searches an available DGROOT
which is both readable and writable by the OWNER.
When a candidate directory does not exist, DeleGate tries to make the
directory by itself.
If DGROOT is specified explicitly, it is tried first.
If it failed or no DGROOT is given,
default candidates will be tried in order until an available directory
is found.
SHARE parameter     ==  SHARE=dirPatternList
                    --  default: empty
If specified, created directories or files
which has name matches with given pattern
will be set with mode
0777(rwxrwxrwx) or 0666(rw-rw-rw-) respectively,
to be sharable among arbitrary users.
When a pattern is specified in non-absolute form, it is regarded as
relative to DGROOT.
By default, directories or files will be created with
mode 0755(rwxr-xr-x) or 0666(rw-rw-rw-),
as modified by UMASK which is 022 typically.
// make everything sharable
SHARE=""
// share cache and log under DGROOT
SHARE="cache/*,log/*"
// share directories with older versions
SHARE='${CACHEDIR}/*' CACHEDIR='/var/spool/delegate-anybody'
SHARE='${VARDIR}/*' VARDIR='/var/spool/delegate'
UMASK parameter     ==  UMASK=mask
                    --  default: the value of umask(2)
Set mask for file creation mode, using umask(2) system call.
VARDIR parameter    ==  VARDIR=dirPath
                    --  default: VARDIR='${DGROOT?&:/var/spool/delegate}'
This parameter seems be obsolete after DGROOT has become standard in
DeleGate/6.0.
It specifies the default base of sub directories like DGROOT
except for ACTDIR and TMPDIR.
The default value of VARDIR is the value of DGROOT.
CACHEDIR parameter  ==  CACHEDIR=dirPath
                    --  default: CACHEDIR='${VARDIR}/cache'
To enable cache, the directory CACHEDIR must exist and
is both readable and writable by the DeleGate.
It will be automatically created with CACHE="do"
with necessary permissions.
ETCDIR parameter    ==  ETCDIR=dirPath
                    --  default: ETCDIR='${VARDIR}/etc'
LOGDIR parameter    ==  LOGDIR=dirPath
                    --  default: LOGDIR='${VARDIR}/log'
The default directory where log files are placed.
LOGFILE parameter   ==  LOGFILE=[LogFilename]
PROTOLOG parameter  ==  PROTOLOG=[LogFilename][:logFormat]
ERRORLOG parameter  ==  ERRORLOG=LogFilename
TRACELOG parameter  ==  TRACELOG=LogFilename
                    --  default: LOGFILE='${LOGDIR}/${PORT}'
                    --  default: PROTOLOG='${LOGDIR}/${PORT}.${PROTO}'
                    --  default: ERRORLOG='${LOGDIR}/errors.log'
                    --  default: TRACELOG='${LOGDIR}/ptrace.log'
If LogFilenames are specified in a relative path then they are placed
under ${LOGDIR}.  If those names start with "./" then they are placed
under ${WORKDIR}.
If the pattern "[date+format]" is included in the file name,
the format string is evaluated by strftime(3) compatible function
with the current time,
and will be substituted with the evaluated value.
This means that a log directory (or file) specified
will be divided into a granularity of specified time period,
thus it is aged.
Formats to represent typical time periods are as follows:
%Y -- year (like 2000)
%y -- year without century [00-99]
%m -- month number [01-12]
%d -- day of month [01-31]
%W -- week number of year [00-53]
%w -- weekday number [0-6, Sunday=0]
%H -- hour [00-23]
LOGFILE='${PORT}[date+.%d]'
LOGDIR='log[date+/aged/%y/%m/%d]'
EXPIRELOG parameter ==  EXPIRELOG=LogFilename
                    --  default: EXPIRELOG='${LOGDIR}/expire.log'
The log-file for expiration by "-Fexpire" function or "-expire" action in CRON.
WORKDIR parameter   ==  WORKDIR=dirPath
                    --  default: WORKDIR='${VARDIR}/work/${PORT}'
If WORKDIR is not accessible, or if WORKDIR is not explicitly
specified when -vv option is given, then current directory (of
invoker of this DeleGate) will be used as WORKDIR.
ACTDIR parameter    ==  ACTDIR=dirPath
TMPDIR parameter    ==  TMPDIR=dirPath
PIDFILE parameter   ==  PIDFILE=fileName
                    --  default: ACTDIR='${DGROOT}/act'
                    --  default: TMPDIR=system dependent
                    --  default: PIDFILE='${ACTDIR}/pid/${PORT}'
Information about currently active servers are placed at ACTDIR.
Those are temporary files which are made on invocation of a
DeleGate server and are removed at its termination.
HOSTS parameter*    ==  HOSTS=nameList[/addrList]
          nameList  ==  name | {name[,name]*}
          addrList  ==  addr | {addr[,addr]*}
                    --  default: HOSTS=localhost/127.0.0.1
List of domain-names/IP-addresses pairs which will override DNS
(or NIS or /etc/hosts table) data.
This could be used for speed-up of resolution for
frequently referred hosts, aliasing,
or relief of unknown hosts by any resolvers.
Multiple names or addresses could be specified in the
form {name1,name2,...}/{addr1,addr2,...}.
If only {name1,name2,...} is given without addr part,
it makes name1,name2,... be regarded as a single host.
RESOLV parameter    ==  RESOLV=[resolver[,resolver]*]
          resolver  ==  cache | file | nis | dns | sys
                    --  default: RESOLV=cache,file,nis,dns,sys
Specify which name resolver should be used in what order.
cache  -- means cached result from following resolvers
 file   -- means local hosts(5) file usually located at /etc/hosts,
 nis    -- means hosts map on NIS or YP(4) service,
 dns    -- means DNS service, and
 sys    -- means using gethostbyname(2) and gethostbyaddr(2)
which usually call system's standard resolver of the host.
 
If empty value is specified as RESOLV="" then only hosts listed
in HOSTS parameter can be resolved (this could be useful
when you must hide hosts table for security consideration).
Each resolver can be specified with optional argment like follows:
By default, a connection to a host which has multiple IP addresses
is tried for each address in the order they are defined in each
resolver.   A special parameter HOSTS="*/*/RR" can be added to
specify "Round Robin" where those IP addresses are tried in
round robin order.
cache:/path    -- path name of cache directory [$TMPDIR/resolvy]
 file:/path     -- path name of password file [/etc/hosts]
 nis:nisDomain  -- NIS domain name [default domain]
 dns:dnsHost    -- DNS server and default domain
 
RES_CONF parameter  ==  RES_CONF=URL
                    --  default: RES_CONF="file:/etc/resolv.conf"
                        or from registry (on Windows)
Specify where the "resolv.conf" file is.  The file is interpreted
by the DeleGate original resolver named Resolvy.
Resolvy recognizes "nameserver", "domain", "ndots", "search", and
"sortlist" in it.
RES_NS parameter    ==  RES_NS=dnsServer[//socksV5Host]
                    --  default: depend on RES_CONF
Specify a DNS server to be used: dnsServer is a host name or an
IP-address of the host name DNS server, which may optionally be
followed by port number, like "host:8053" when the port number
is not standard port(53).
With "dnsServer//socksV5Host", a DNS server
beyond a firewall can be referred through the specified Socks V5 server.
RES_RR parameter    ==  RES_RR=HostList
                    --  default: RES_RR="*"
Round robin IP-address-list for the hosts included in the HostList.
Currently, only RES_RR="*" and RES_RR="" are supported.
RES_VRFY parameter  ==  RES_VRFY=""
                    --  default: none
With "RES_VRFY=", results of reverse look-up of DNS server is verified.
When an IPaddress1 is resolved to Hostname, and when the
Hostname is resolved to IPaddress-list which does not include
the IPaddress1, the verification fail and the result is ignored.
RES_DEBUG parameter ==  RES_VRFY=number
                    --  default: none
The level of logging for debugging of the built-in resolver.
PROTOLIST
       ProtoList  ==  [!]protoSpec[,ProtoList]
       protoSpec  ==  protocolName[/[portNumList][/methodList]]
A ProtoList is a list of protocol names.
Reserved name "*" means all of protocols.
If "!" or "-" is prefixed,
the protocol is excluded from the protocol list.  
HOSTLIST
        HostList  ==  [!][-iType]hostSpec[,HostList]
           iType  ==  {h|a|c|*}/[iType]
        hostSpec  ==  [{userList}@]hostSpec[/netMask]
        userList  ==  userNamePattern[,userNamePattern]*
        hostSpec  ==  hostNamePattern | hostAddrPattern
 userNamePattern  ==  [*]uname[*]
 hostNamePattern  ==  [*]hname[*]
 hostAddrPattern  ==  IPaddressPattern | IPrange
         netMask  ==  IPaddress | maskLength
A HostList is a list of hosts (by name or address)
to be used for matching to examine whether a certain host is included
in the list or not.
Each host (hostSpec)
is optionally prefixed with a list of users (userList),
and optionally followed by a netMask.
PARAMETER SUBSTITUTION
Implicitly, A hostSpec like "host" without "user@"
part matches only with peer host's identity
while "user@host" matches with any kind of identities.
By prefixing -iType before hostSpec, identities to be
matched can be specified explicitly.  for example:
user@host
 -- matches if at least one of identities is "user@host"
-h/user@host
 -- matches if peer host's identity is "user@host"
host
 -- matches if peer host's identity is "host"
-*/host
 -- matches if at least one of identities is "*@host"
-a/host
 -- matches if authenticated identity is "*@host"
-a/c/host
 -- matches if authenticated or certificated identity is "*@host"
-a/*
 -- matches if authenticated successfully
  "*.dom,!*.xx.dom,*.yy.xx.dom"
RELIABLE="{!?,!?@*}"
For a dstHostList  (i.e. HostList concerning server hosts), a list of
port numbers (postList) can be postfixed to a host,
to make matching by port number as well as host name/address.
 
 CMAP="sslway:FSV:*:{*:{563,636,990,992,995}}:*"
 which is similar to
 
 CMAP="sslway:FSV:nntps,ldaps,ftps,telnets,pop3s:*:*"
 
 
RELIABLE="-A/Mozilla/4,!-A/MSIE 5" ... which is similar to
RELIABLE=.realmozi4 HOSLIST=".realmozi4/A:Mozilla/4,!MSIE 5"
PERMIT="*:-T.9-16:hostList1" PERMIT="*:-T.17-8:hostList2"
// hostList1 is permitted during office hours whereas
// hostList2 is permitted non-office hours.
-T.w5-0 // Friday through Sunday
-T.w5-7 // Friday through Sunday
-T.w51730-10830 // from 5:30pm on Friday to 8:30am on Monday
PERMIT="*:*:-T.9-16,&,hostList1" PERMIT="*:*:-T.17-8,&,hostList2"
// the same meaning with the above example.
There is no format of configuration file with some syntax sugar
for DeleGate (yet),
but there is a simple recursive substitution mechanism instead,
to assemble hierarchical and possibly distributed parts of parameters 
into a single list of parameters (or options).
       paramRef ==  +=[URL][?label,[label]*]
      paramList ==  line
                    line
                    ...
  paramListPart ==  CASE label
                         paramList
                    ESAC
PERMIT=a:b:d
PERMIT=a:e:f
PERMIT=x:y:z
...
a:b:d
a:e:f
x:y:z
...
d
x:y:z
...
  d
  x:y:z
  ...
Communication between client and DeleGate or between DeleGate and server
can be filtered or translated by user defined
filter programs attached to DeleGate using a simple scheme named
CFI (Common Filter Interface).
Existing filter programs, from standard input to standard output,
can be used as a CFI program without modification.
The usage of CFI is controlled by parameters like following:
filterName="filterSpec"
CMAP="filterSpec":filterName:connMap
  filterName  ==  FCL | FTOCL | FFROMCL |
                  FSV | FTOSV | FFROMSV |
                  FMD | FTOMD | FFROMMD 
  filterSpec  ==  filterCommand | CFIscriptName
                  | tcprelay://host:port
filterName is named as
FXX, FTOXX and FFROMXX
where XX is one of
CL (client), SV (server) and MD (MASTER-DeleGate).
Filter commands for FXX are bidirectional filter
given file descriptor 0 bound for the client,
and file descriptor 1 bound for the DeleGate.
Filters commands for FTOXX and FFROMXX
getting input from standard input and put output to standard output
which is bound for XX.
A unidirectional filter at a remote host can be used by connecting it on TCP
by "tcprelay://host:port"
CFI script
  ==  "!#cfi" NL filterUnit [ "--" NL filterUnit ]*
filterUnit
  ==  filterRule [ filterRule ]*
filterRule
  == [ Action "/" ] ruleName ":" ruleBody
Action
  ==  "Output" | "Remove"
ruleName
  == "Body-Filter" | "CGI" | "Header-Filter" | "Message-Filter" | MIMEhdr | X-hdr
MIMEhdr
  == "Content-Type" | "User-Agent" | ...
X-hdr
  == "X-Status-Ver" | "X-Status-Code"
   | "X-Request-Method"  | "X-Request-Ver"| "X-Request-URL" | ...
ruleBody
  == string NL [ SP  string NL ]*
SERVER=http FTOCL=test.cfi
#!cfi
Content-Type: text/html
Body-Filter: sed 's/string1/string2/'
--
Content-Type: image/gif
Output/Content-Type: image/jpeg
Body-Filter: gif2jpeg
DeleGate with RELAY="delegate" provides a special proxying without
changing "proxy configuration" in browsers.
When the URL of such DeleGate is http://delegate/,
a user can access target URL via the DeleGate
by giving a URL like http://delegate/-_-URL to the browser.
A request message for the URL from the client will be in form of
/-_-URL which is regarded as a request for URL
by DeleGate.
Then the DeleGate rewrites a URL included in a response messages to client
so that the access to the URL is directed to the DeleGate again.
This redirection is achieved by prefixing the URL of DeleGate
(http://delegate/) and "-_-" sign before original URL like
http://delegate/-_-URL.
U->C: 
user opens http://delegate/-_-http://www/path1
C->D: GET /-_-http://www/path1
D->S: GET /path1
D<-S: HREF=/path2
C<-D: HREF=http://delegate/-_-http://www/path2
U->C: user clicks the anchor
C->D: GET /-_-http://www/path2
D->S: GET /path2
S->D: HREF=ftp://ftp/path
D->C: HREF=http://delegate/-_-ftp://ftp/path
MOUNT="/-_-* *"
<A HREF="http://proxy1:8080/-_-http://www.w3.org/"> W3C via firewall1 </A>
<A HREF="http://proxy2:8080/-_-http://www.w3.org/"> W3C via firewall2 </A>
http://delegate/-_-/Modifier/URL
Modifier can be a list of multiple Modifiers separated each other by
by comma (,) character.
PROTOCOL SPECIFIC ISSUE AND EXAMPLES
DeleGate with a SERVER=tcprelay parameter
relays communication between a client and a server
on a single TCP connection
without interpreting what is transmitted on it.
Thus an arbitrary application protocol on TCP,
even if it is not in supported protocol list of DeleGate,
can be relayed by SERVER=tcprelay.
But value added services, including caching, mounting and logging,
are not available in this case.
Connecting to arbitrary destination servers depending on a request from
a client is not possible.
Application protocols which dynamically create other connections besides
the main connection, like FTP, are not relayable.
Application protocols which exchange some kind of name depends on
an origin server on the protocol, like a full URL in HTTP,
are not relayable too. 
# delegated -P25 SERVER=smtp://mailserver
# delegated -P25 SERVER=tcprelay://mailserver:25
DeleGate with a SERVER=udprelay parameter
relays communication between a server and clients on UDP
without interpreting what is transmitted on it.
It has similar merits/demerits to tcprelay for TCP.
Also application protocols on which routing information are exchanged,
like CU-SeeMe, are not relayable with udprelay.
# delegated -P53 SERVER=dns://nameserver
# delegated -P53 SERVER=udprelay://nameserver:53
// UDP clients and a TCP server
# delegated -P53 SERVER=udprelay://nameserver:53 CONNECT=tcp
// TCP clients and a UDP server
# delegated -P53/tcp SERVER=udprelay://nameserver:53
"DGAuth" server by DeleGate provides Digest Authentication functionality
remotely, over an experimental "DGAuth" protocol.
hostS% delegated SERVER=dgauth -P8787
hostC% delegated SERVER=http -P8080 AUTHORIZER=-dgauth//hostS..8787
hostX% delegated SERVER=dgauth
hostX% delegated SERVER=http -P8080 AUTHORIZER=-dgauth
Request:
  HTTP user nonce realm method uri
  APOP user nonce [realm] (not used currently)
Response:
  200 digest
  501 syntax error
  502 unknown user
PAM server by DeleGate provides PAM (Pluggable Authentication Modules)
functionality remotely,
over an experimental protocol compatible with HTTP (PAM/HTTP).
hostX% delegated -P8686 SERVER=httpam
hostY% delegated -P8023 SERVER=telnet AUTHORIZER=-pam//hostX/passwd
delegated hostX% -P8686 SERVER=httpam FCL=sslway
delegated hostY% -P8023 SERVER=telnet AUTHORIZER=-pam//hostX/passwd
CMAP=sslway:FSV:pam
Request:
  GET /-/pam/service/auth HTTP/1.0
  Authorization: Basic BASE64of(User:Pass)
Response (one of followings):
  HTTP/1.0 200 OK, authorized
  HTTP/1.0 401 Not authorized
  HTTP/1.0 403 Forbidden to use the PAM server
The base of request URL "/-/pam/" can be replaced with an arbitrary path
with PAMCONF="baseurl:/basePath/".
The whole request URL can be replaced by PAMCONF="url:/path".
The content of response message is not cared in the current specification
but it could convey some authentication related data or
capability information in future.
SockMux is an experimental protocol designed for inter-DeleGate communication.
It is a simple protocol for "port forwarding" to accept, relay and destroy
connections, multiplexed over a single persistent connection.
A pair of SockMux-DeleGate establish and retain a connection between them,
then forward port from local to remote each other over the connection.
hostX% delegated SERVER=sockmux -PhostX:9000 PORT=9023 SERVER="telnet://hostX,-in"
hostY% delegated SERVER=sockmux://hostX:9000 PORT=9023 SERVER="telnet://hostY,-in"
// a pair of SockMux-DeleGate is connected at the port "hostX:9000", then
// the port "hostX:9023" is forwarded to "telnet://hostY"
// the port "hostY:9023" is forwarded to "telnet://hostX"
hostX% delegated SERVER=sockmux -PhostX:9000 SERVER="telnet://hostX,-in"
hostY% delegated SERVER=sockmux://hostX:9000 PORT=hostY:9023
// hostY:9023 is forwarded to "telnet://hostX".
hostX% delegated SERVER=sockmux -PhostX:9000 PORT=hostX:9023
hostY% delegated SERVER=sockmux://hostX:9000 SERVER="telnet,-in"
// hostX:9023 is forwarded to a Telnet proxy on hostY.
DEST=host:port[:srcHostList]
for
SERVER=tcprelay://host:port,-in[:-:srcHostList]
DEST=host:port/udp[:srcHostList]
for
SERVER=udprelay://host:port,-in[:-:srcHostList]
hostX% delegated SERVER=sockmux://hostY:9000 PORT=hostX:111
hostY% delegated SERVER=sockmux -PhostY:9000 DEST=hostT:111
// hostX:111/tcp is forwarded to the server at hostT:111/tcp via hostY.
hostX% delegated SERVER=sockmux://hostY:9000 PORT=hostX:53/udp
hostY% delegated SERVER=sockmux -PhostY:9000 DEST=hostU:53/udp
// hostX:53/udp is forwarded to the server at hostU:53/udp via hostY.
% mkfifo /tmp/com0
% mkfifo /tmp/com1
serv1) SERVER=sockmux:commin@/tmp/com0 SERVER=sockmux:commout@/tmp/com1 ...
serv2) SERVER=sockmux:commin@/tmp/com1 SERVER=sockmux:commout@/tmp/com0 ...
host1) SERVER=sockmux:comm@com1 ...
host2) SERVER=sockmux:comm@com2 ...
% SERVER="sockmux:proc@connectCommand" ...
hostX% ... PORT=8023,8080
hostY% ... SERVER=telnet,-in:-:-P8023 SERVER=http,-in:-:-P8080
// hostX:8023 is forwarded to Telnet-proxy on hostY
// hostX:8080 is forwarded to HTTP-proxy on hostY
Socks-DeleGate accepts both SocksV4 and V5.
Currently, only USER/PASS authentication scheme of SocksV5 is supported.
# delegated -P1080 SERVER=socks
Example: forwarding to an upstream Socks server
# delegated -P1080 SERVER=socks SOCKS=sockhost
Example: DeleGate as an HTTP proxy
firewall% delegated -P8080 SERVER=http
firewall% delegated -P8888 SERVER=delegate RELIABLE=internal
internal% delegated -P8080 SERVER=http MASTER=firewall:8888
MOUNT="/xxx/* cgi:/path/of/cgi-bin/*"
You can use DeleGate as a CGI program from a HTTP server. For example,
specify in the "httpd.conf" file of your HTTP server(A) as follows.
Exec /other/*  /path/of/cgi-delegate
Then write the content of the file /path/of/cgi-delegate as follows:
#!/bin/sh
This will add a pseudo sub tree "/other/" onto server(A)
including 
/other/www2/ which is a content of a HTTP server "wwwserv2", and
/other/news/ which is a content of a NNTP server "newsserv".
MOUNT="/www2/* http://wwwserv2/*" \
MOUNT="/news/* nntp://newsserv/*"
The format of PROTOLOG for HTTP protocol can be modified with a
optional format specification postfixed after the LogFilename as
PROTOLOG="LogFilename:format".
In this case, default file name can be omitted.
For example, PROTOLOG=":%X" specifies making a NCSA like
extended common logfile format.
The default format is PROTOLOG=":%C %D".
%C  -- common logfile format of CERN-HTTPD
 %c  -- same as %C except the date is recorded in millisecond precision
 %D  -- extension by DeleGate
 (connTime+relayTime:status)
 %X  == '%C "%r" "%u"' common logfile format with Referer and User-Agent
 %r  -- Referer field in the request message
 %u  -- User-Agent field in the request message
 %S  -- status of CONNECTion to the server (c,m,p,d,s,v)
 %s  -- session Id by HTTPCONF=session
 %As  -- session Id in Digest Authorization 
 %{field}  -- arbitrary field in the request message
 
time.pid.proc#+conn#[+req#].reqnum
11/14 17:30:45 [1234] 5+6/7: NewSession 031114-173045.1234.5+6+7.0
HTTPCONF parameter  ==  what:conf
A list of index files or CGI scripts which should be used for URLs
of directories ending with "/" like "/path/".  This is a list of
candidate file names.  The list may be ended with "-dir.html" which
means a built-in index generator.  If the list is empty, empty data
is substituted for index data.
The path of a CGI script to be applied for URLs with search part like
"/path?search".  This is a global specification applied for all URLs.
Also you can specify a local search script for each MOUNT point like
MOUNT="/path2/* /root/of/path2/* search:script2".
This local specification is prior to the global one.  A special local
specification "search:-" can be used just to ignore the global
specification for the MOUNT point.
-- See the output to LOGFILE with HTTPCONF=methods:"+"
Limit or add HTTP methods to be accepted.
HTTPCONF=methods:GET,HEAD     -- accept only GET and HEAD
HTTPCONF=methods:-POST,-PUT   -- don't accept POST and PUT
HTTPCONF=methods:+,NEWMETHOD1 -- add NEWMETHOD1 to be accepted
HTTPCONF=methods:*            -- accept any methods
Add versions in response message from HTTP servers.
HTTPCONF=rvers:+,ICY
HTTPCONF=rvers:* -- accept any response version
HTTPCONF=kill-qhead:Referer
HTTPCONF=kill-qhead:If-*,Accept-*
HTTPCONF=kill-rhead:Set-Cookie
HTTPCONF="add-qhead:X-Forward-For:%a"
HTTPCONF=kill-tag:SCRIPT,APPLET
This is applied to the communication over a connection of SSLtunnel by the
CONNECT method too.  A pair of upstream and downstream data is
regarded as a pair of request and response on HTTP, then the maximum
number of such pairs is restricted.
specify response code or Content-Type of response message
not to be logged in access log (PROTOLOG).
HTTPCONF="nolog:302,304,image"
HTTPCONF=session PROTOLOG=":%s %X"
MOUNT="/bin/* cgi:/path/of/cgi-bin/* search:-"
MOUNT="/*     file:/path/of/data/*"
FILETYPE parameter  ==  suffix:gopherType:altText:iconName:contentType
                    --  default: FILETYPE=".txt:0:TXT:text:text/plain"
                                 FILETYPE=...
Define file name to content-type mapping.
FILETYPE=".txt:0:TXT:text:text/plain"
FILETYPE=".gif:g:GIF:image:image/gif"
CGIENV parameter    ==  CGIENV=name[,name]*
                    --  default: CGIENV="*"
A list of environment variables to be passed to CGI program.
MountOptions for HTTP-DeleGate
CONDITIONS:
The target server or local directory is switched by with which name
the DeleGate is referred (in the "Host:vhost" header field).
In this example, requests for "http://dom1.com" and "http://dom2.org"
are forwarded to each corresponding server, while requests for
"http://dom3.net" or any other name are retrieved in each corresponding
local directory.
MOUNT="/* http://wwwB/* vhost=-dom2.org"
MOUNT="/* file:data/wwwC/* vhost=-dom3.net"
MOUNT="/* file:data/www/*"
"useproxy", "method", "dst" and "withquery" options are introduced
originally to refuse potentially troublesome accesses which may invoke
CGI programs in target servers.  For example, to refuse any request
with POST method, or with URL including "?": 
MOUNT="http:* = withquery,asproxy,useproxy"
Like AUTH=proxy, specify using the value in "Authorization"
field in the HTTP header to authenticate the user, except
that accessibility to a DeleGate as a "HTTP origin server" is
checked in this case.
AUTH=origin:auth RELIABLE="*@localhost"
Any user who can login to the localhost of this DeleGate,
giving a correct pair of user name and password in
Authorization, will be authorized to access.
Forwarded: by Me (Version) for Client
Currently, if this is specified, it is regarded as
AUTH="forward:*:" regardless of the second field.
This is useful for a DeleGate on a firewall which relays
internal HTTP servers toward outside .
Via: protocol-version hostIdentifier ( comment )
If no AUTH=viagen is specified, a default pseudonym is used for
hostIdentifier.
If empty hostIdentifier is specified, as AUTH="viagen",
the hostname of this DeleGate is used.
A special specification AUTH="viagen:-" disables the insertion
of the Via field.
If '%' character is used in a hostIdentifier, it is interpreted
as the format for authString below.
%u  -- user name got using Ident protocol
 %h  -- host name of the client got from the socket
 %i  -- host name of the network interface to the client
 %I  -- like %i but use the value of "Host:" if given in HTTP
 %a  -- host address of the client
 %n  -- network address of the client
 %H  -- hostname of the DeleGate
 %M  -- the ADMIN of the DeleGate
 %A  -- generated string by "CMAP=string:authgen:mapSpec"
 %U  -- username part of client's [Proxy-]Authorization: username:password 
%P  -- password part of client's [Proxy-]Authorization: username:password 
When the firewall have two network interfaces and internal
and external hosts access from different interface, then
they can be distinguished by the name of interface.
AUTH="authgen:basic:%i:%h"
Otherwise, internal network should be explicitly defined
using CMAP as follows.
AUTH="authgen:basic:%A"
CMAP="{internal:passWord}:authgen:*:*:{InternalNetList}"
CMAP="{external:passWord}:authgen:*:*:*"
Note: obsoleted by MYAUTH="user:pass:http-proxy".
Consume Proxy-Authorization in a request message from a client then
forward it to an upstream proxy as is (by authString == %U:%P)
AUTH=proxy:pauth AUTH="pauthgen:basic:%U:%P" PROXY=...
%F  -- E-mail address in From field 
%L  -- local part of From: local@domain field 
%D  -- domain part of From: local@domain field 
%U  -- username part of Authorization: username:password 
%P  -- password part of Authorization: username:password 
%Q  -- "for clientFQDN" part of Forwarded: field 
 To record information about an original client in an internal
 DeleGate which is forwarded from a firewall DeleGate,
 generate From field at the firewall DeleGate and record it
 at the internal DeleGate.
 
 internal% delegated AUTH="log:%D/%h:%L/%u:%U" ...
 
 
To make configuration of DeleGate be flexible,
allowing it not only to the administrator of the DeleGate
but also to the users (providers of WWW resources on an origin HTTP-DeleGate),
DeleGate supports reading user defined configuration parameters
at each request processing time.
Such parameters should be given in a files with file name extension ".dgp",
in the format of "+=parameters" file,
on MOUNTed local file systems.
It works like -Fcgi
but more efficiently without creating a new process.
MOUNT="/news/servN/* nntp://nntpserverN/*"
MOUNT="/news/* cgi:/dirPath/*"
delegated -Fcgi MOUNT="/* nntp://nntpserverN/*"
MOUNT="/news/* file:/dirPath/*" 
MOUNT="/* nntp://nntpserverN/*"
On an origin HTTP-DeleGate, a local file with suffix ".shtml" is regarded,
like a file with ".html",
as a HTML file except that it includes special tags for
Server Side Include (SSI) and META which are to be
interpreted and substituted by the HTTP-DeleGate
before it is sent to a client.
 
 
 
 
 
ICP-DeleGate provides remote clients with ICP service
about local CACHEDIR,
independently of contents server like HTTP-DeleGate
but sharing the same CACHEDIR.
See
http://www.delegate.org/delegate/icp/
for more details.
% delegated -P3130 SERVER=icp
% delegated -P8180 SERVER=http
% delegated -P3130 SERVER=icp ICP=icpHost1,icpHost2,...
ICPCONF parameter*  ==  ICPCONF={icpMaxima|icpConf}
         icpMaxima  ==  para:N|hitage:N|hitobjage:N|hitobjsize:N|timeout:N
           icpConf  ==  icpOptions:ProtoList:dstHostList:srcHostList
                    --  default: ICPCONF=para:2,hitage:1d,...
ICP configuration when the DeleGate server is running as an
ICP server (with SERVER=icp).
para:N  -- the number of parallel ICP-DeleGate servers [2]
 hitage:N  -- valid age of cached data to be notified as HIT [1d]
 hitobjage:N  -- valid age of cached data to be sent by HIT_OBJ [1h]
 hitobjsize:N  -- max. size of cached data by HIT_OBJ [1024](bytes)
 timeout:N  -- default timeout of waiting response [2.0](seconds)
 debug:N  -- the level of log for debug [0]
 
Existing FTP clients without any proxying feature can use DeleGate
as a FTP proxy in two ways:
A user name can be followed by an account name as follows.
USER user~account@host
USER ftp:foo%40bar@server
CWD //ftp:foo%40bar@server/path
firewall% delegated -P8021 SERVER=ftp
internal% ftp
ftp> open firewall 8021
220- firewall PROXY-FTP server (DeleGate/6.1.0) ready.
220-   @ @
220-  ( - ) { DeleGate/6.1.0 (February 3, 2000) }
...
220- --
220- You can connect to a SERVER by `user' command:
220-    ftp> user username@SERVER
220- or by `cd' command (after logged in as an anonymous user):
220-    ftp> cd //SERVER
220- Cache is enabled by default and can be disabled by `cd .' (toggle)
220- This (proxy) service is maintained by 'admin@your.domain'
220  
Name (yourhost:yourname): ftp@ftp1
331-- USER for ftp@ftp1.
220- ftp1 FTP server ready.
331- Guest login ok, send your complete e-mail address as password.
331--  @ @  
331  \( - )/ -- { connected to `ftp' }
Password: me@my.domain
230 Guest login ok, access restrictions apply.
ftp> cd //ftp2
250-- CWD for ftp@ftp2
220- ftp2 FTP server ready.
230- Guest login ok, access restrictions apply.
250--  @ @  
250  \( - )/ -- { connected to `ftp2' }
ftp> 
Note: The majority of ftp clients can allow to specify the port
number of FTP at command line like:
internal% ftp firewall 8021
firewall# delegated -P21 SERVER=ftp PERMIT="ftp:*:internal"
internal# delegated -P21 SERVER=ftp PROXY=firewall:21
MOUNT="/*     lpr://printer0/queue0/*"
MOUNT="/pr1/* lpr://printer1/queue1/*"
MOUNT="/pr2/* lpr://printer2/queue2/*"
host# delegated -P21 SERVER=ftp MOUNT="/* /path/of/root/*" RELAY=no
Retrieving the whole contents under a specified directory and
returning it as a single file in tar format
by "RETR directory.tar" command is supported to be
enabled by adding "tar" to the REMITTABLE list like REMITTABLE="+,tar".
FTPCONF parameter*  ==  FTPCONF=ftpControl[:{sv|cl}]
           ftpControl  ==  nopasv | noport | noxdc | rawxdc
                    --  default: none
a set of delimiters usable in place of "@" in "user@site",
ex. "ftp://user*server@proxy" or "ftp://anonymous:name*domain@server".
The format of PROTOLOG for FTP protocol is so called xferlog(5)
which is compatible with that of "wu-ftp".
Each line of xferlog consists of following elements (in a single line).
userName serviceName authenticationMethod
authenticatedUserID
DeleGateStatus
    webmaster@xyz.co.jp ftp 0 * L
Telnet-DeleGate can relay X Window protocol as well as Telnet protocol
in similar way to FWTK.
firewall% delegated -P8023 SERVER=telnet TIMEOUT=io:1h
internal% telnet firewall 8023
...
--  @ @  firewall PROXY-telnet server DeleGate/6.1.0
-- ( - ) { Hit '?' or enter `help' for help. }
...
-- -- -- This (proxy) service is maintained by 'admin@your.domain'
>> Host name: exthost
-- Connected to exthost.
SunOS UNIX (exthost)
login: 
C:\> delegated -P23 SERVER=exec XFIL=command.com WORKDIR="/"
// Use command.com of Windows95/98 as a simple telnet server.
firewall# delegated -P110 SERVER=pop
+OK Proxy-POP server (DeleGate6.1.0) at firewall starting.
USER username@servername
...
Instead of "@", "%" or "#" can be used as the delimiter between
username and servername, like
username%servername or
username#servername.
"pop://user@server" is represented
as "pop://server/user" internally thus
it can be controlled by MOUNT as follows:
MOUNT="*        pop://defaultHost/*"
... specify default POP server
MOUNT="user1    pop://host1/*"
... let the "host1" be the server of "user1"
MOUNT="//pop2/* pop://host2/*"
... map user@pop2 to user@host2, hiding real hostname "host2"
MOUNT="* pop://server/* noapop"
SERVER=pop
MOUNT="* nntp://nntpserver/*"
MOUNT="ns2-* nntp://nntpserver1/* apop=password"
MOUNT="ns3-* nntp://nntpserver2/* pass=password"
firewall# delegated -P80 MOUNT="/mail/* pop://mailHost/*"
Example: proxy IMAP-DeleGate
firewall# delegated -P143 SERVER=imap
* OK external Proxy-IMAP server DeleGate/6.1.15
C001 LOGIN username@servername
...
LOGIN username%servername is also acceptable.
// with aliasing and filtering
    MOUNT="* smtp://-"
SMTPCONF parameter  ==  SMTPCONF=what:conf
                    --  default: SMTPCONF=bgdatasize:64K
SMTPGATE parameter  ==  SMTPGATE=dirPath
                    --  default: SMTPGATE='${ETCDIR}/smtpgate'
Specify the configuration directory for SMTPGATE,
a SMTP to {SMTP,NNTP} gateway.
To accept and relay SMTP messages bound to
"recipient@the-host-of-DeleGate",
create a configuration directory at
"SMTPGATE/users/recipient"
for each recipient,
to hold files for configuration, log, counter, and spool.
Then create a configuration file named "SMTPGATE/users/recipient/conf".
// forward messages accepted at "feedback@delegate.org"
// toward "delegate-en@smtpgate.etl.go.jp"
INHERIT: sendmail
SERVER-HOST: mail.etl.go.jp
RECIPIENT: delegate-en@smtpgate.etl.go.jp
ACCEPT/From: !%, !MAILER_DAEMON@, !hotmail.com, ...
[the contents of SMTPGATE/users/feedback/conf]
INHERIT: postnews
SERVER-HOST: news.delegate.org
OUTPUT/Newsgroups: mail-lists.delegate-en
OUTPUT/Distribution: world
OUTPUT/Reply-To: feedback@delegate.org
OUTPUT/Subject: [DeleGate-En] ${subject:hc}
OUTPUT/Header: X-Seqno: ${seqno}
OUTPUT/Header: UNIX-From: ${unixfrom}
CONTROL/Errors-To: mladmin@delegate.org
ACCEPT/User-Text: delegate ## reject if a word "delegate" is not in body
ACCEPT/Max-Bytes: 50000 ## reject larger 50KB header+body
ACCEPT/Min-Body-Bytes: 64 ## reject smaller 64B body
OPTION: isn,rni,res,reb
isn -- Increment Sequence Number (to be referred by ${seqno})
rni -- Reject No message-Id
res -- Reject Empty Subject
reb -- Reject Empty Body
axo -- Append X-Original headers
rxo -- Remove X-Original headers
gwt -- GateWay Trace
ntr -- Do NOT add trace field (Received:)
SMTPGATE/admin/@default/
CONTROL/INHERIT:     sendmail
CONTROL/RECIPIENT:   ${recipient}
CONTROL/SERVER-HOST: ${recipient.mx}
MOUNT can be applied to NNTP-DeleGate, for filtering and aliasing of
newsgroups, and for merging multiple NNTP severs.
For example,
MOUNT="alias-group. nntp://server/group."
specifies to passing newsgroups "group.*" and aliases
them into "alias-group.*".
A simple filtering specification is
SERVER="nntp://server/group."
which is equivalent to
MOUNT="= nntp://server/group.".
If multiple MOUNT for multiple NNTP servers, then the DeleGate
merges the newsgroups on the servers, and serves the newsgroups
to a client as if they are on a single server.
# delegated -P119 SERVER=nntp://nntpServer/group.
    MOUNT="= nntp://server2/"
    MOUNT="= nntp://user2:pass2@server2/"
// mounts groups of group.* with it original names.
MOUNT="= nntp://server1/group."
// mounts groups of group.* with aliased names "alias-group.*"
MOUNT="alias-group. nntp://server1/group."
// mounts a mail spool as if it is a newsgroup named "+pop.user.host".
# delegated -P119 SERVER=nntp
  MOUNT="= pop://user:pass@host/"
# delegated -P80 MOUNT="/news/* nntp://nntpServer/*"
# delegated -P119 SERVER=nntp://-.-/
'${ETCDIR}/news/groups/newsGroup'
To relay an existing "/path/of/MH-folder" as newsGroup,
make a file like above and fill it with content like
0 0 0 0 /path/of/MH-folder
(four zeros followed by a path name of a MH-folder)
MountOptions for NNTP
Example: "hide={alt.*,!alt.comp*}"
NNTPCONF parameter* ==  what:conf
                    --  default: NNTPCONF=upact:600/300/120
Example: NNTPCONF="wall.etl.go.jp/delegate.org"
The format of the XOVER response generated by the DeleGate.
Limit the maximum number of articles in "XOVER range"
Specify "nntpcc:0" to disable "connection cache" for NNTP.
# delegated -P389 SERVER=ldap
Example: proxy Whois-DeleGate
firewall# delegated -P43 SERVER=whois
internal% whois -h firewall "whois://whois.nic.ad.jp/help"
Example: relaying to a display on a single host
x-server% xhost firewall
firewall% delegated -P6008 SERVER=X://x-server
internal% xterm -display firewall:8
firewall% delegated -P6002-6003 SERVER=X://x-server:-6002
SERVER=X://x-server2:-:{*:6012}
Example: Gopher-DeleGate
firewall% delegated -P8070 SERVER=gopher://gopher.ncc.go.jp
internal% gopher -p -_-gopher://gopher.tc.umn.edu firewall 8070
Using a filter program "sslway" in FCL, FSV, or
CMAP parameter,
client-side and/or server-side communication can be wrapped with
SSL protocol.
To use this filter, you need sslway and relevant PEM files placed
at some directories in LIBPATH, typically at DGROOT/lib.
See
http://www.delegate.org/delegate/ssl/
for more details.
# delegated -P80 SERVER=http FSV=sslway MOUNT="/* https://server/*"
Example: relay between SSL client and non-SSL server
# delegated -P443 SERVER=https FCL=sslway MOUNT="/* http://server/*"
A DNS-DeleGate server relays host name data gathered
from multiple sources including DNS, NIS and local file.
It can provide limited type of resource records only;
A, PTR, SOA and simplified MX.
SOA record is composed with information of
DNSCONF configuration.
10.1.2.3 hostA
10.4.5.6 hostB, -MX.hostA
DNSCONF parameter*  ==  what:value
Specify the configuration of the DNS-DeleGate server.
para:N  -- the number of parallel server process [2]
 domain:FQDN  -- [domain name of the host of DeleGate]
 origin:FQDH  -- [host name of the host of DeleGate]
 admin:Email  -- the mail address of the administrator [ADMIN]
 mx:FQDH  -- [primary host name of -MX.host if exists or inquired host itself]
 serial:N  -- serial number
[%Y%m%d%h of the last configuration change]
 refresh:period  -- refresh interval [6h]
 retry:period  -- retry interval [10m]
 expire:period  -- expire period [14d]
 minttl:period  -- minimum ttl [6h]
 
Example: proxy CU-SeeMe-DeleGate
firewall% delegated -P7648 SERVER=cuseeme://Reflector/
INTERNAL# delegated -P7648 SERVER=cuseeme://firewall/
internal% {use firewall or INTERNAL as a proxy-reflector for Reflector}
Special names "-"and "-.-", when it is used in the "host:port" part
of URL,  means the host and port of the DeleGate itself.  And URL
"http://-.-/-/" is reserved for a entry point of a control page of
DeleGate.
Sockets in AF_LOCAL (or AF_UNIX) address space can be referred like
host names in pseudo top-level domain ".af-local".
For example, a socket with address "/tmp/sock" can be referred as
"sock.tmp.af-local", then it is referred in command line options like
"-Psock.tmp.af-local", SERVER=http://sock.tmp.af-local:123", or so.
Port number of socket is ignored in this naming.
The source of built-in data of DeleGate including icons and messages
are at the source code directory "src/builtin/*".
They are compiled into the executable file of DeleGate and
are accessible as resources on a run-time DeleGate with
URL "http://delegate/-/builtin/*".
Those data can be replaced without recompiling DeleGate but
by defining MOUNT for them.
For example, the error message returned on forbidden access is at
"http://delegate/-/builtin/mssgs/403-forbidden.dhtml", and
it can be replaced by a MOUNT parameter like this:
MOUNT="/-/builtin/mssgs/403-forbidden.dhtml /tmp/forbidden.dhtml"
MOUNT="/-/builtin/* http://yourwww/delegate/builtin/*"
Immediately after an occurrence of fatal signal, like SIGSEGV or SIGBUS,
DeleGate stops serving to the client host which caused the fatal error,
since the error could be a sign of a failed trial of intrusion.
At the same time, to notify the incident, DeleGate will send a
report mail to the administrator named in the ADMIN parameter.
PLATFORM SPECIFIC ISSUE
 
To make DeleGate restart gently
without aborting ongoing sessions in child processes,
and without changing the process ID of the DeleGate
and holding its resources like entrance ports,
send SIGHUP signal to the DeleGate process.
This can be done in a platform independent way
using -Fkill function like this:
FUNCTIONS
delegated -Fkill-hup -Pport
% delegated -Fresolvy www.delegate.org
% ln -s delegated Resolvy
% Resolvy www.delegate.org
Example: doing "find . -ls" together with "du(1)"
    delegated -Ffindu -ls -du
Example: cause an action every 15 minutes
delegated -Fsched "0,15,30,45 * * * * /bin/date"
schedSpec is the canonical format of scheduling specification.
schedSpec == Wday:year:month:mday:Hour:Min:Sec:action
Example: cause an action every 15 seconds
delegated -Fsched "*:*:*:*:*:*:0,15,30,45:/bin/date"
Example:
delegated -Fauth -a ken:blahblah -smtp.users.local
// and refer this as AUTHORIZER=-smtp.users.local
SEE ALSO
${DGROOT}/etc    -- persistent files mainly for configuration 
${DGROOT}/lib    -- library files and scripts 
${DGROOT}/adm    -- important log relevant to administration 
${DGROOT}/log    -- log files which will grow up 
${DGROOT}/work   -- for core dump 
${DGROOT}/cache  -- for cached data 
${DGROOT}/act    -- control info. of currently active DeleGate processes 
${DGROOT}/tmp    -- volatile files which should be erased on shutdown 
du(1),
ps(1),
tee(1),
cat(1),
find(1),
chroot(2),
execve(2),
getpeername(2),
getsockname(2),
pstat(2),
ptrace(2),
setgid(2),
setuid(2),
umask(2),
scanf(3),
strftime(3),
system(3),
YP(4),
crontab(5),
hosts(5),
inetd.conf(5),
cron(8),
inetd(8),
nslookup(8),
,
IMAP(RFC2060),
LDAP(RFC1777),
LPR(RFC1179),
MIME(RFC2045),
NNTP(RFC977),
POP(RFC1460),
Socks(RFC1928),
SMTP(RFC821),
Telnet(RFC854),
URI(RFC2396),
URL(RFC1738),
Wais(RFC1625),
X(RFC1013)
DNS(RFC1034),
FTP(RFC959),
Gopher(RFC1436),
HTML(RFC1866),
HTTP(RFC2068),
ICP(RFC2186),
Ident(RFC1413)
  @ @
 ( - )
_<   >_
Yutaka Sato <y DOT sato AT delegate DOT org>
National Institute of Advanced Industrial Science and Technology (AIST),
Tsukuba, Ibaraki 305-8568, Japan
Comments about DeleGate are expected to be directed to
mailto:feedback@delegate.org
to be open and shared at
http://www.delegate.org/feedback/.
The latest version of DeleGate is available at the following location.
<URL:ftp://ftp.delegate.org/pub/DeleGate/>
in a tar+gzip format file named "delegate*.tar.gz".
Release 8.9.6             Last change: June 25, 2004
--------- --------- --------- --------- --------- --------- --------- ---------