-
Notifications
You must be signed in to change notification settings - Fork 4
/
alaya.conf
132 lines (96 loc) · 5.52 KB
/
alaya.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# default user/group for cgi-scripts etc
DefaultUser=nobody
DefaultGroup=users
# Chroot into users home directory
ChHome
# Defaults to 80/443 if not specified
Port=80
# Do DNS lookups to log client name?
LookupClientName=N
LogVerbose
LogFile=/var/log/alaya.log
#Alaya will rotate logs when they hit this size
MaxLogSize=100M
# Max RSS and Stack. These are conservative, if using something monstrous like PHP or JAVA
# (both of which must be used via command-line programs like php-cgi) then these will
# need to be increased. Alaya's default is larger, and seems okay for PHP
MaxMemory=50M
MaxStack=500k
###### Directory Page Settings ######
# These settings relate to the 'directory listing' page. Some of them only
# apply if DirListType is 'Full' or 'Interactive'
DirListType=Full,MimeIcons
DisplayNameLen=30
PackFormats=tar:internal,zip:zip -,tbz:tar -jcO,txz:tar -JcO
####### Authentication Settings ######
#Methods allowed to authenticate user. Default is just 'native'
AuthMethods=pam-account,cookie,accesstoken,certificate,native
#Path to file that contains 'native' authentication details
AuthPath=/etc/FileServices.auth
#Realm used to ask people to log on to (defaults to hostname)
AuthRealm=whatever
#Who can log in, who can't
AllowUsers=Eve,Mallory
DenyUsers=Bob,Alice
######## SSL Settings #######
#Minimum allowed SSL/TLS version options are ssl, tls, tls1.1, tls.1.2
SSLVersion=tls1.2
#SSL Ciphers to use (this is in openssl format)
SSLCiphers=DH+AESGCM:DH+AES256:DH+CAMELLIA256:ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES:EDH-RSA-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:CAMELLIA256:CAMELLIA128:DES-CBC3-SHA:!ADH:!AECDH:!MD5
#Personally I normally supply these on command line
# SSLKey=/etc/ssl/local.key
# SSLCert=/etc/ssl/local.crt
#How to treat client certificates. 'required' means one is needed to log in, but username/password or access token may also
#be required. 'sufficient' means a valid certificate is enough to log on. 'required+sufficient' means here must be one, and
#it's enough to log in
SSLClientCertificate=sufficient
#Path to file that contains the CA certificate used to validate client certificates
SSLVerifyPath=/etc/ssl/ColumsCerts.crt
#Path to file that contains Diffie-Helman parameters for perfect forward secrecy
SSLDHParams=/etc/ssl/dh/dh_param_1024.pem
# Turn this on to use eliptic curve, or DH with auto-generated params
#PerfectForwardSecrecy=yes
####### VPaths and FileType Settings ######
#### NOTE: Options like cache=3600 or user=nobody are optional, alaya has default values for these
#Settings that apply to file types
FileType=*.jpg,cache=3600,compress=N
FileType=*.mp3,cache=3600,compress=N
#A cgi VPath. If a file is accessed under /cgi-bin/, then look in /usr/share/cgi for it, and treat it as a program to run
Path=cgi,/cgi-bin/,/usr/share/cgi,user=clamav,group=pppd
#A files VPath. Documents under the URL /public/ are in /home/public, and can be accessed even if this directory is outside chroot
Path=files,/public/,/home/public,cache=120,uploads=Y
#Proxy VPath, when someone asks for he directory /google, get it from http://www.google.com/
Path=proxy,/google,http://www.google.com/
#'Logout' VPath, used to re-authenticate and switch user
Path=logout,/Logout
#MimeIcons VPath. This is used on the 'directory listing' page to find icons to display for files
Path=MimeIcons,/mimeicons,/home/app-themes/icons/Free-file-icons-master/32px/$(FileExtn).png,/home/app-themes/icons/mediatype-icons/gnome-mime-$(mimeclass)-$(mimesub).png,/home/app-themes/icons/nuvola/32x32/filesystems/$(type).png,/home/app-themes/icons/FreeUserInterfaceIcons/$(type).png,/home/app-themes/icons/nuvola/32x32/mimetypes/unknown.png,cache=3600
##### Scripts and websockets #####
# Lookup script md5, sha1, sha256 or sha512 hashes in a file. Alaya will check the file before running a
# cgi script/program and only run it if there's a matching entry in the file. This means that if you specify
# this option then you must put the correct hashes in the file for cgi scripts to work.
# Hashes can be generated with md5sum, shasum or sha256sum or sha512sum. They should be generated against
# the full path of the script files
ScriptHashFile=/etc/alaya-scripts.hash
###### For files ending in .pl use /usr/bin/perl as their interpreter, even if they lack a #! line
ScriptHandler:pl=/usr/bin/perl
######## Websockets #########
# For any URL (*) and the requested protocol 'test' run /tmp/test.sh
WebsocketHandler:*:test=/tmp/test.sh
###### EVENTS #######
# When certain things happen, trigger a script etc.
# Event Types:
# Path (when a Path is requested),
# Method (when an HTTP Method is requested),
# Header (when a Client Header is sent),
# User (when a matching User logs in)
# Peer (request from a matching peer)
# ResponseCode (when the server sends a particular response code)
# BadURL (when the server considers a requested URL to be malformed)
Event=Path:/favicon.ico:ignore
Event=Path:*/setup.php,*/xmlrpc.php,/vtigercrm/,/cgi-bin/php*,/sql*,/manager/html,/mysql*,/HNAP1/,/tmUnblock.cgi,/hndUnblock.cgi,*() {*:/usr/local/sbin/BlockHTTPHacker.sh Exploit $(ClientIP) $(Method) $(URL)
Event=Header:*() {*:deny,/usr/local/sbin/malget.exe '$(Match)',logfile /var/log/shellshocks.log Client=$(ClientIP) Request=$(Method) $(URL) User=$(User) MatchStr=$(Match)
Event=Method:PUT:/usr/local/sbin/AlayaFilePut.sh
Event=BadURL::/usr/local/sbin/BlockHTTPHacker.sh BadURL $(ClientIP) $(Method) $(URL)
Event=ResponseCode:404:/usr/local/sbin/BlockHTTPHacker.sh InvalidPath $(ClientIP) $(Method) $(URL)
Event=Upload:*:/bin/logger -t alaya 'upload $(Match)',logfile uploads.log $(URL)