server_config.toml.simple
# ==============================================================================
# MasterDnsVPN Go Server Configuration (Sample)
# This sample is written for the current Go server implementation.
# Comments below describe the real Go code paths, not the legacy Python server.
#
# Format: TOML (not INI). Strings are double-quoted, lists use [ ... ], booleans
# are bare true/false, and values written with a decimal point (e.g. 300.0) are
# floats. Keep each value's type exactly as shown — the Go loader presumably
# decodes into typed fields, so "53" and 53 are not interchangeable (confirm
# against the loader). Once a copy of this file carries a real domain, key
# path or credentials, keep that copy out of shared repositories.
# ==============================================================================

# ------------------------------------------------------------------------------
# 1) Tunnel Policy
# What this section does:
#   - Defines which domains belong to this tunnel.
#   - Defines label policy and allowed compression negotiation.
# ------------------------------------------------------------------------------
# Tunnel domains handled by this server.
# Must match client DOMAINS.
DOMAIN = ["v.domain.com"]
# How this server should handle new connections.
# Allowed values:
#   "SOCKS5" = the client/program chooses the destination for each connection.
#              Use this when you want the server to behave like a normal SOCKS
#              proxy. Note that this lets any client holding a valid session
#              reach any host the server itself can reach.
#   "TCP"    = the client does not choose the destination.
#              The server sends every connection to one fixed target defined by
#              FORWARD_IP and FORWARD_PORT below.
PROTOCOL_TYPE = "SOCKS5"
# Compression types the server allows the client to request.
# Allowed values:
#   0 = OFF
#   1 = ZSTD
#   2 = LZ4
#   3 = ZLIB
# Removing a value here refuses that type during negotiation; the list only
# limits what a client may request, it does not force compression on.
SUPPORTED_UPLOAD_COMPRESSION_TYPES = [0, 1, 2, 3]
SUPPORTED_DOWNLOAD_COMPRESSION_TYPES = [0, 1, 2, 3]

# ------------------------------------------------------------------------------
# 2) UDP Listener & Front-Door Capacity
# What this section does:
#   - Defines where the server listens for DNS tunnel traffic.
#   - Defines front-door queueing and worker limits before session handling.
# ------------------------------------------------------------------------------
# UDP bind endpoint.
# "0.0.0.0" listens on every IPv4 interface. On a multi-homed host, bind to the
# address that DNS delegation for DOMAIN actually points at, so the tunnel
# listener is not also reachable on management or internal interfaces.
# Port 53 requires root or CAP_NET_BIND_SERVICE on Linux.
UDP_HOST = "0.0.0.0"
UDP_PORT = 53
# UDP readers, DNS workers, and front-door request queue are smart-sized
# internally. Only override them if you are profiling a specific host.
# MAX_CONCURRENT_REQUESTS bounds the front-door queue; requests above it are
# presumably dropped (see DROP_LOG_INTERVAL_SECONDS), which is what keeps an
# unauthenticated flood from growing memory without bound — verify the drop
# path in the Go server before relying on it.
UDP_READERS = 4
DNS_REQUEST_WORKERS = 8
MAX_CONCURRENT_REQUESTS = 16384
# UDP socket read/write buffer size in bytes (8388608 = 8 MiB).
# The kernel may cap this at net.core.rmem_max / wmem_max on Linux.
SOCKET_BUFFER_SIZE = 8388608
# Maximum packet buffer size allocated by the server packet pool (bytes).
# 65535 is the largest possible UDP payload.
MAX_PACKET_SIZE = 65535
# Minimum interval between overload/drop logs (seconds).
# Rate-limits logging so a flood cannot also flood the log.
DROP_LOG_INTERVAL_SECONDS = 2.0

# ------------------------------------------------------------------------------
# 3) Deferred Session Runtime
# What this section does:
#   - Controls the per-session deferred workers used for setup/DNS/ordered tasks.
#   - Controls initial queue capacities used inside session runtime structures.
# ------------------------------------------------------------------------------
# Deferred-session workers and queue depth are also smart-sized internally.
# Override them only if you are tuning a specific production host.
DEFERRED_SESSION_WORKERS = 4
DEFERRED_SESSION_QUEUE_LIMIT = 4096
# Initial queue / store capacities are now derived automatically by the server
# from workers, ARQ window, and batching pressure.

# ------------------------------------------------------------------------------
# 4) Session Lifecycle & Invalid-Cookie Handling
# What this section does:
#   - Controls how long sessions live.
#   - Controls cleanup cadence.
#   - Controls recently-closed stream tracking.
#   - Controls invalid-cookie detection before ERROR_DROP behavior.
# ------------------------------------------------------------------------------
# Sliding window used by the invalid-cookie tracker (seconds).
INVALID_COOKIE_WINDOW_SECONDS = 2.0
# How many invalid-cookie hits inside the window are tolerated before the
# server escalates the response behavior for that session.
# A low threshold reacts faster to a guessing or replaying peer; a very low one
# can trip on ordinary packet reordering on lossy links.
INVALID_COOKIE_ERROR_THRESHOLD = 10
# Session inactivity timeout (seconds). Idle sessions beyond this are reaped,
# freeing one slot of MAX_ALLOWED_CLIENT_ACTIVE_SESSION.
SESSION_TIMEOUT_SECONDS = 300.0
# How often the background cleanup loop runs (seconds).
SESSION_CLEANUP_INTERVAL_SECONDS = 30.0
# How long closed-session metadata is kept after cleanup (seconds).
CLOSED_SESSION_RETENTION_SECONDS = 600.0
# How long an accepted SESSION_INIT signature can be reused before the server
# stops treating it as reusable init state (seconds).
# This is also the window in which a captured SESSION_INIT could presumably be
# replayed; shorten it if clients reconnect promptly — TODO confirm how the
# server binds the signature to the session.
SESSION_INIT_REUSE_TTL_SECONDS = 600.0
# How long a closed stream remains in the "recently closed" table (seconds).
# Used to reject late SYNs / duplicates without reviving dead streams.
RECENTLY_CLOSED_STREAM_TTL_SECONDS = 600.0
# Maximum number of recently-closed stream records kept per session.
# Bounds the memory a single session can pin with open/close churn.
RECENTLY_CLOSED_STREAM_CAP = 2000
# How long terminal streams remain before terminal-stream sweep removes them
# (seconds).
TERMINAL_STREAM_RETENTION_SECONDS = 45.0

# ------------------------------------------------------------------------------
# 5) DNS Tunnel Upstream
# What this section does:
#   - Controls upstream DNS resolution used for DNS-over-tunnel requests.
#   - Controls fragment assembly and tunnel DNS cache behavior.
# ------------------------------------------------------------------------------
# Upstream resolvers used when the client sends DNS_QUERY_REQ through the tunnel.
# Each entry is "host:port". Queries to these resolvers leave the server in
# plain DNS; pick resolvers you are willing to have see client lookups.
DNS_UPSTREAM_SERVERS = ["1.1.1.1:53", "1.0.0.1:53"]
# Timeout for each upstream DNS exchange attempt (seconds).
DNS_UPSTREAM_TIMEOUT = 4.0
# Wait timeout for followers sharing an inflight DNS resolution (seconds).
# This is used when multiple identical queries arrive while one upstream lookup
# is already in progress.
DNS_INFLIGHT_WAIT_TIMEOUT_SECONDS = 15.0
# Fragment assembly timeout for inbound DNS query fragments (seconds).
# Partially assembled queries older than this are discarded, so a peer cannot
# hold assembly buffers open indefinitely.
DNS_FRAGMENT_ASSEMBLY_TIMEOUT = 300.0
# In-memory tunnel DNS cache size is auto-raised internally when needed.
DNS_CACHE_MAX_RECORDS = 50000
DNS_CACHE_TTL_SECONDS = 300.0

# ------------------------------------------------------------------------------
# 6) Upstream SOCKS / Forwarding
# What this section does:
#   - Controls how the server opens outbound connections.
#   - In SOCKS5 mode, the destination normally comes from the client request.
#   - In TCP mode, all connections go to one fixed destination.
#   - You can also tell the server to use another SOCKS5 proxy as an upstream proxy.
# ------------------------------------------------------------------------------
# Timeout for outbound connect attempts made by the server (seconds).
SOCKS_CONNECT_TIMEOUT = 120.0
# If true, then in SOCKS5 mode the server does not connect to the final target directly.
# Instead, it first connects to another SOCKS5 proxy at FORWARD_IP:FORWARD_PORT
# and asks that proxy to open the destination connection.
# If false, SOCKS5 mode connects directly to the destination requested by the client.
# This option does NOT change TCP mode behavior.
USE_EXTERNAL_SOCKS5 = false
# Username/password for the upstream SOCKS5 proxy.
# Used only when:
#   - PROTOCOL_TYPE = "SOCKS5"
#   - USE_EXTERNAL_SOCKS5 = true
#   - and that upstream proxy requires username/password authentication
# The values below are sample placeholders, not working credentials; replace
# them when SOCKS5_AUTH is enabled. They sit in plain text in this file, so
# the file's read permissions are what protects them. Note that SOCKS5
# username/password authentication itself travels unencrypted between this
# server and the upstream proxy.
SOCKS5_AUTH = false
SOCKS5_USER = "admin"
SOCKS5_PASS = "123456"
# FORWARD_IP / FORWARD_PORT mean different things depending on how the server is used:
#   - If PROTOCOL_TYPE = "TCP":
#       This is the final fixed target.
#       Every client connection will be forwarded to this one address and port.
#   - If PROTOCOL_TYPE = "SOCKS5" and USE_EXTERNAL_SOCKS5 = true:
#       This is the address and port of the upstream SOCKS5 proxy.
#   - If PROTOCOL_TYPE = "SOCKS5" and USE_EXTERNAL_SOCKS5 = false:
#       These values are not used for normal client SOCKS connections.
# The empty/zero defaults are only valid in the last case; the two modes that
# use them need a real address and port.
FORWARD_IP = ""
FORWARD_PORT = 0

# ------------------------------------------------------------------------------
# 7) Security
# What this section does:
#   - Controls payload encryption method and where the server key is loaded from.
# ------------------------------------------------------------------------------
# Payload encryption applied to tunnel data.
# Allowed values:
#   0 = None
#   1 = XOR
#   2 = ChaCha20
#   3 = AES-128-GCM
#   4 = AES-192-GCM
#   5 = AES-256-GCM
# Must match the client.
# NOTE(review): treat 0 and 1 as obfuscation only — a fixed-key XOR provides no
# integrity protection and little confidentiality against anyone observing the
# traffic. 3-5 are AEAD modes and authenticate every payload. Whether 2 is the
# authenticated ChaCha20-Poly1305 variant is not stated here — confirm in the
# server code before relying on it for integrity.
DATA_ENCRYPTION_METHOD = 1
# Relative or absolute path to the encryption key file.
# A relative path is presumably resolved against the server's working
# directory — confirm against the loader. The file holds the shared secret in
# the clear, so restrict it to the server's user (e.g. mode 0600) and keep it
# out of world-readable backups and repositories.
ENCRYPTION_KEY_FILE = "encrypt_key.txt"

# ------------------------------------------------------------------------------
# 8) ARQ, Packing, and Setup-Control TTLs
# What this section does:
#   - Controls reliability parameters for stream ARQ.
#   - Controls control-block batching.
#   - Controls TTLs for setup/result/failure control packets generated by the server.
# ------------------------------------------------------------------------------
# Maximum packable control blocks emitted in one response.
# The default is already conservative; override only for deliberate batching tests.
MAX_PACKETS_PER_BATCH = 5
# Duplicate the last packed control-block response this many dispatcher turns.
# 1 = disabled.
# Useful on lossy links so CLOSE/RST/SYN-ACK-style control blocks are repeated
# without repopping queues.
PACKET_BLOCK_CONTROL_DUPLICATION = 1
# TTLs for control packets sent during stream setup/result paths (seconds).
STREAM_SETUP_ACK_TTL_SECONDS = 400.0
STREAM_RESULT_PACKET_TTL_SECONDS = 300.0
STREAM_FAILURE_PACKET_TTL_SECONDS = 120.0
# ARQ timing / retry profile.
# RTO values are in seconds; retry counts are absolute maximums per packet.
# Large TTL / retry values keep a stream alive across long outages at the cost
# of holding its buffers for that long.
ARQ_WINDOW_SIZE = 800
ARQ_INITIAL_RTO_SECONDS = 1.0
ARQ_MAX_RTO_SECONDS = 5.0
ARQ_CONTROL_INITIAL_RTO_SECONDS = 0.5
ARQ_CONTROL_MAX_RTO_SECONDS = 3.0
ARQ_MAX_CONTROL_RETRIES = 400
ARQ_INACTIVITY_TIMEOUT_SECONDS = 1800.0
ARQ_DATA_PACKET_TTL_SECONDS = 2400.0
ARQ_CONTROL_PACKET_TTL_SECONDS = 1200.0
ARQ_MAX_DATA_RETRIES = 1200
# Maximum out-of-order gap ahead of rcvNxt that can trigger STREAM_DATA_NACK.
# 0 disables NACK generation entirely.
# Keep this small so only near-miss gaps cause early resend requests.
ARQ_DATA_NACK_MAX_GAP = 16
# Minimum seconds between repeated NACKs for the same missing sequence number.
# Clamped to [0.1s, 30s].
ARQ_DATA_NACK_INITIAL_DELAY_SECONDS = 0.3
ARQ_DATA_NACK_REPEAT_SECONDS = 1.0
# How long a closing stream may keep draining / waiting for its final ACK
# before it is torn down regardless (seconds).
ARQ_TERMINAL_DRAIN_TIMEOUT_SECONDS = 120.0
ARQ_TERMINAL_ACK_WAIT_TIMEOUT_SECONDS = 90.0

# ------------------------------------------------------------------------------
# 8.0) Server-Side Session/Stream Limits
# What this section does:
#   - Limits how many active sessions can exist at once on the server.
#   - Limits how many active non-control streams each session can open.
#   - These are enforced fully on the server and are not sent to the client
#     during SESSION_ACCEPT.
# ------------------------------------------------------------------------------
# Together with MAX_CONCURRENT_REQUESTS these are the main knobs that bound how
# much state one server holds; raising them raises the memory footprint roughly
# in proportion. They are ceilings, so clients never learn the exact value.
MAX_ALLOWED_CLIENT_ACTIVE_SESSION = 255
MAX_ALLOWED_CLIENT_ACTIVE_STREAMS_PER_SESSION = 2000

# ------------------------------------------------------------------------------
# 8.1) Client Policy Sync Limits
# What this section does:
#   - Defines server-side limits/minimums that can later be sent to the client
#     during SESSION_INIT/SESSION_ACCEPT synchronization.
#   - Values are clamped safely on load so they always fit into the intended
#     on-wire integer size.
# ------------------------------------------------------------------------------
# Packed in one byte later (low nibble / high nibble), so each side is clamped
# to 0..15.
MAX_ALLOWED_CLIENT_PACKET_DUPLICATION_COUNT = 5
MAX_ALLOWED_CLIENT_SETUP_PACKET_DUPLICATION_COUNT = 6
# Fits in uint8.
MAX_ALLOWED_CLIENT_UPLOAD_MTU = 150
# Fits in uint16.
MAX_ALLOWED_CLIENT_DOWNLOAD_MTU = 4096
# Fits in uint8.
MAX_ALLOWED_CLIENT_RX_TX_WORKERS = 255
# Stored later as a scaled integer on wire. Allowed range here is 0.05..1.00.
# This is a floor: clients may not ping more aggressively than this.
MIN_ALLOWED_CLIENT_PING_AGGRESSIVE_INTERVAL_SECONDS = 0.05
# Fits in uint8.
MAX_ALLOWED_CLIENT_PACKETS_PER_BATCH = 20
# Fits in uint16 and also clamped to the current product policy ceiling.
MAX_ALLOWED_CLIENT_ARQ_WINDOW_SIZE = 8000
# Fits in uint8.
MAX_ALLOWED_CLIENT_ARQ_DATA_NACK_MAX_GAP = 255
# Fits in uint16.
MIN_ALLOWED_CLIENT_COMPRESSION_MIN_SIZE = 120
# Stored later as a scaled integer on wire. Allowed range here is 0.05..1.00.
MIN_ALLOWED_CLIENT_ARQ_INITIAL_RTO_SECONDS = 0.05

# ------------------------------------------------------------------------------
# 9) Logging
# What this section does:
#   - Controls server logger verbosity.
# ------------------------------------------------------------------------------
# Typical values: DEBUG, INFO, WARN, ERROR
# DEBUG is verbose and may include per-packet or per-session detail; keep INFO
# or above in production unless actively troubleshooting.
LOG_LEVEL = "INFO"

# ------------------------------------------------------------------------------
# Schema version of this file. A string, not an integer — keep the quotes.
# Presumably checked by the loader against the version it expects; change it
# only when the server release you run documents a new layout.
CONFIG_VERSION = "12"