# ==============================================================================
# MasterDnsVPN Go Server Configuration (Sample)
# This sample is written for the current Go server implementation.
# Comments below describe the real Go code paths, not the legacy Python server.
#
# Operational notes for anyone deploying from this sample:
# - Every value in this file is a sample default, not a recommendation. The
#   security-relevant ones (section 6 credentials, section 7 cipher and key
#   file) must be reviewed before the server is exposed.
# - This file can contain credentials and the key-file location. Keep it out
#   of version control and readable only by the service account.
# - The file is TOML, not INI: there are no [section] headers, keys are
#   case-sensitive, and "#" starts a full-line comment.
# ==============================================================================
# ------------------------------------------------------------------------------
# 1) Tunnel Policy
# What this section does:
# - Defines which domains belong to this tunnel.
# - Defines label policy and allowed compression negotiation.
# ------------------------------------------------------------------------------
# Tunnel domains handled by this server.
# Must match client DOMAINS.
DOMAIN = ["v.domain.com"]
# Which setup protocol this server accepts for new stream creation.
# Allowed values:
# "SOCKS5" = accept only PACKET_SOCKS5_SYN
# "TCP" = accept only PACKET_STREAM_SYN
# NOTE(review): in SOCKS5 mode the destination of each stream is chosen by the
# client (see section 6), so every client able to complete session setup gets
# general outbound reach through this host. TCP mode pins all streams to
# FORWARD_IP:FORWARD_PORT and is the narrower exposure — confirm against the
# server's dial path before relying on this.
PROTOCOL_TYPE = "SOCKS5"
# Compression types the server allows the client to request.
# Allowed values:
# 0 = OFF
# 1 = ZSTD
# 2 = LZ4
# 3 = ZLIB
# Removing a value here refuses that algorithm at negotiation time; leaving all
# four enabled lets the client pick.
SUPPORTED_UPLOAD_COMPRESSION_TYPES = [0, 1, 2, 3]
SUPPORTED_DOWNLOAD_COMPRESSION_TYPES = [0, 1, 2, 3]
# ------------------------------------------------------------------------------
# 2) UDP Listener & Front-Door Capacity
# What this section does:
# - Defines where the server listens for DNS tunnel traffic.
# - Defines front-door queueing and worker limits before session handling.
# ------------------------------------------------------------------------------
# UDP bind endpoint.
# "0.0.0.0" binds every IPv4 interface; restrict to a single address if the
# host has interfaces that should not receive tunnel traffic. Port 53 needs
# root or CAP_NET_BIND_SERVICE on most systems.
UDP_HOST = "0.0.0.0"
UDP_PORT = 53
# Number of UDP reader goroutines.
# If <= 0, code falls back to an auto default.
UDP_READERS = 4
# Number of DNS request workers that process incoming packets.
# If <= 0, code falls back to an auto default.
DNS_REQUEST_WORKERS = 24
# Maximum queued requests waiting behind request workers.
# If the queue is full, packets are dropped and rate-limited overload logs appear.
# This is the back-pressure bound under packet floods: a full queue sheds load
# instead of growing memory without limit.
MAX_CONCURRENT_REQUESTS = 32768
# UDP socket read/write buffer size in bytes.
SOCKET_BUFFER_SIZE = 8388608
# Maximum packet buffer size allocated by the server packet pool.
MAX_PACKET_SIZE = 65535
# Minimum interval between overload/drop logs.
# Keeps a sustained flood from turning into a log flood; drop counts are still
# the first signal that the front door is saturated.
DROP_LOG_INTERVAL_SECONDS = 2.0
# ------------------------------------------------------------------------------
# 3) Deferred Session Runtime
# What this section does:
# - Controls the per-session deferred workers used for setup/DNS/ordered tasks.
# - Controls initial queue capacities used inside session runtime structures.
# ------------------------------------------------------------------------------
# Worker count for deferred per-session processing.
# These workers serialize heavy or ordering-sensitive tasks behind session keys.
DEFERRED_SESSION_WORKERS = 12
# Queue limit for deferred per-session work.
DEFERRED_SESSION_QUEUE_LIMIT = 8192
# Initial queue / store capacities.
# These are starting sizes, not hard caps — confirm in the session code which
# of them bound growth before treating them as memory limits.
SESSION_ORPHAN_QUEUE_INITIAL_CAPACITY = 128
STREAM_QUEUE_INITIAL_CAPACITY = 256
DNS_FRAGMENT_STORE_CAPACITY = 512
SOCKS5_FRAGMENT_STORE_CAPACITY = 1024
# ------------------------------------------------------------------------------
# 4) Session Lifecycle & Invalid-Cookie Handling
# What this section does:
# - Controls how long sessions live.
# - Controls cleanup cadence.
# - Controls recently-closed stream tracking.
# - Controls invalid-cookie detection before ERROR_DROP behavior.
# ------------------------------------------------------------------------------
# Sliding window used by the invalid-cookie tracker.
INVALID_COOKIE_WINDOW_SECONDS = 2.0
# How many invalid-cookie hits inside the window are tolerated before the
# server escalates the response behavior for that session.
# Lower values escalate sooner against guessed or replayed cookies but are
# less forgiving of genuine packet reordering on lossy links.
INVALID_COOKIE_ERROR_THRESHOLD = 10
# Session inactivity timeout.
SESSION_TIMEOUT_SECONDS = 300.0
# How often the background cleanup loop runs.
SESSION_CLEANUP_INTERVAL_SECONDS = 30.0
# How long closed-session metadata is kept after cleanup.
CLOSED_SESSION_RETENTION_SECONDS = 600.0
# How long an accepted SESSION_INIT signature can be reused before the server
# stops treating it as reusable init state.
# This is also the replay window for a captured SESSION_INIT; shorter is safer,
# longer is more tolerant of client retries.
SESSION_INIT_REUSE_TTL_SECONDS = 600.0
# How long a closed stream remains in the "recently closed" table.
# Used to reject late SYNs / duplicates without reviving dead streams.
RECENTLY_CLOSED_STREAM_TTL_SECONDS = 600.0
# Maximum number of recently-closed stream records kept per session.
# Bounds the memory a single session can pin with open/close churn.
RECENTLY_CLOSED_STREAM_CAP = 2000
# How long terminal streams remain before terminal-stream sweep removes them.
TERMINAL_STREAM_RETENTION_SECONDS = 45.0
# ------------------------------------------------------------------------------
# 5) DNS Tunnel Upstream
# What this section does:
# - Controls upstream DNS resolution used for DNS-over-tunnel requests.
# - Controls fragment assembly and tunnel DNS cache behavior.
# ------------------------------------------------------------------------------
# Upstream resolvers used when the client sends DNS_QUERY_REQ through the tunnel.
# NOTE(review): only "host:port" is configured here, which suggests plain DNS
# to the upstream; the tunnel's payload encryption (section 7) ends at this
# server, so these lookups are visible to the upstream path. Confirm in the
# resolver code whether any encrypted transport is used.
DNS_UPSTREAM_SERVERS = ["1.1.1.1:53", "1.0.0.1:53"]
# Timeout for each upstream DNS exchange attempt.
DNS_UPSTREAM_TIMEOUT = 4.0
# Wait timeout for followers sharing an inflight DNS resolution.
# This is used when multiple identical queries arrive while one upstream lookup
# is already in progress.
DNS_INFLIGHT_WAIT_TIMEOUT_SECONDS = 60.0
# Fragment assembly timeout for inbound DNS query fragments.
# Partial fragment sets are held up to this long; together with
# DNS_FRAGMENT_STORE_CAPACITY this bounds what incomplete queries can occupy.
DNS_FRAGMENT_ASSEMBLY_TIMEOUT = 300.0
# In-memory tunnel DNS cache sizing.
DNS_CACHE_MAX_RECORDS = 50000
DNS_CACHE_TTL_SECONDS = 300.0
# ------------------------------------------------------------------------------
# 6) Upstream SOCKS / Forwarding
# What this section does:
# - Controls how the server opens outbound connections for accepted client streams.
# - In SOCKS5 mode, targets come from the client's SOCKS target payload.
# - In TCP mode, STREAM_SYN is payload-less and the server connects to FORWARD_IP:FORWARD_PORT.
# - External SOCKS5 chaining is only used for SOCKS5 target connects.
# ------------------------------------------------------------------------------
# Timeout for outbound connect attempts made by the server.
SOCKS_CONNECT_TIMEOUT = 120.0
# If true, the server chains outbound connections through FORWARD_IP:FORWARD_PORT.
# If false, the server dials targets directly.
USE_EXTERNAL_SOCKS5 = false
# Credentials for the external SOCKS5 proxy, used only when USE_EXTERNAL_SOCKS5=true.
# The user/password below are sample values only and must be replaced before
# USE_EXTERNAL_SOCKS5 is switched on; they are stored in plain text here, so
# file permissions are the only thing protecting them.
# NOTE(review): presumably SOCKS5_USER/SOCKS5_PASS are only sent when
# SOCKS5_AUTH = true — confirm in the external-proxy dial code.
SOCKS5_AUTH = false
SOCKS5_USER = "admin"
SOCKS5_PASS = "123456"
# Fixed upstream endpoint for TCP mode, and external SOCKS5 endpoint when
# USE_EXTERNAL_SOCKS5=true in SOCKS5 mode.
# Empty host / port 0 is the sample's "unset" state; TCP mode cannot forward
# anywhere until both are filled in.
FORWARD_IP = ""
FORWARD_PORT = 0
# ------------------------------------------------------------------------------
# 7) Security
# What this section does:
# - Controls payload encryption method and where the server key is loaded from.
# ------------------------------------------------------------------------------
# Allowed values:
# 0 = None
# 1 = XOR
# 2 = ChaCha20
# 3 = AES-128-GCM
# 4 = AES-192-GCM
# 5 = AES-256-GCM
# Must match the client.
# Choosing a value:
# - 0 sends tunnel payload without any encryption.
# - 1 (XOR) is obfuscation only: it gives no integrity protection and should
#   not be relied on for confidentiality. It is the sample default here, not a
#   production setting.
# - 3, 4 and 5 are AES-GCM, i.e. authenticated encryption: tampered or forged
#   payloads are rejected, not just decrypted to garbage. Prefer one of these.
# - 2 is labelled plain ChaCha20, which on its own has no authentication tag;
#   NOTE(review): confirm whether the implementation pairs it with a MAC
#   before treating it as equivalent to the GCM options.
DATA_ENCRYPTION_METHOD = 1
# Relative or absolute path to the encryption key file.
# The key is the tunnel's only access control, so the file should be readable
# only by the service account, excluded from version control, and not shipped
# with this sample. A relative path is resolved against the server's working
# directory — presumably; confirm in the key-loading code.
ENCRYPTION_KEY_FILE = "encrypt_key.txt"
# ------------------------------------------------------------------------------
# 8) ARQ, Packing, and Setup-Control TTLs
# What this section does:
# - Controls reliability parameters for stream ARQ.
# - Controls control-block batching.
# - Controls TTLs for setup/result/failure control packets generated by the server.
# ------------------------------------------------------------------------------
# Maximum packable control blocks emitted in one response.
MAX_PACKETS_PER_BATCH = 20
# Duplicate the last packed control-block response this many dispatcher turns.
# 1 = disabled.
# Useful on lossy links so FIN/RST/SYN-ACK-style control blocks are repeated
# without repopping queues.
PACKET_BLOCK_CONTROL_DUPLICATION = 1
# TTLs for control packets sent during stream setup/result paths.
STREAM_SETUP_ACK_TTL_SECONDS = 400.0
STREAM_RESULT_PACKET_TTL_SECONDS = 300.0
STREAM_FAILURE_PACKET_TTL_SECONDS = 120.0
# ARQ timing / retry profile.
# The retry caps and TTLs below bound how long a stalled or unresponsive peer
# can keep retransmission state alive on the server; raising them increases
# tolerance of bad links at the cost of longer-lived state per stream.
ARQ_WINDOW_SIZE = 600
ARQ_INITIAL_RTO_SECONDS = 0.5
ARQ_MAX_RTO_SECONDS = 3.0
ARQ_CONTROL_INITIAL_RTO_SECONDS = 0.4
ARQ_CONTROL_MAX_RTO_SECONDS = 2.0
ARQ_MAX_CONTROL_RETRIES = 300
ARQ_INACTIVITY_TIMEOUT_SECONDS = 1800.0
ARQ_DATA_PACKET_TTL_SECONDS = 2400.0
ARQ_CONTROL_PACKET_TTL_SECONDS = 1200.0
ARQ_MAX_DATA_RETRIES = 1200
ARQ_TERMINAL_DRAIN_TIMEOUT_SECONDS = 120.0
ARQ_TERMINAL_ACK_WAIT_TIMEOUT_SECONDS = 90.0
# ------------------------------------------------------------------------------
# 9) Logging
# What this section does:
# - Controls server logger verbosity.
# ------------------------------------------------------------------------------
# Typical values: DEBUG, INFO, WARN, ERROR
# DEBUG may log session and stream details; treat DEBUG output as sensitive
# and do not leave it enabled on an exposed server longer than needed.
LOG_LEVEL = "INFO"
# ------------------------------------------------------------------------------
# Schema version of this file; the server presumably checks it on load — keep
# it in step with the server build rather than editing it by hand.
CONFIG_VERSION = "10"