User
The user config is in map format. We can specify how to authenticate the user, set limitations, and specify some custom actions for each user.
name
required, type: username
Set the username.
token
required, type: mix
Set the token used to authenticate the user.
This config option will only be used by the following user groups:
The token can be in the following types:
null
The null value means password token auth is disabled.
Note
This is different from not setting the token value, which means the user is forbidden.
Added in version 1.7.20.
str
The value should be a string in unix format, see crypt(5).
map
The key type specifies the real type.
fast_hash
A custom type. We use salt, and one or more values of md5, sha1, blake3. The hash is weak, but fast. The values for salt, md5, sha1, blake3 should be hex-encoded ASCII strings.
xcrypt_hash
The required key is value, whose value should be a valid crypt(5) string.
The currently supported crypt(5) methods are: md5, sha256, sha512.
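The token forms listed above, written out as user entries. This is an added example, not taken from the project's own documentation; it assumes the config is written in YAML, and every user name and bracketed value is a constructed placeholder.

```yaml
# Constructed user entries; names and bracketed values are placeholders.

# str form: a crypt(5) string given directly.
- name: alice
  token: "$6$<salt>$<hash>"        # $6$ selects the sha512 method in crypt(5)

# map form, type xcrypt_hash: the crypt(5) string goes under the required key "value".
- name: bob
  token:
    type: xcrypt_hash
    value: "$5$<salt>$<hash>"      # $5$ selects the sha256 method in crypt(5)

# map form, type fast_hash: salt plus one or more of md5 / sha1 / blake3.
# All values are hex strings; quote them so an all-digit value stays a string in YAML.
- name: carol
  token:
    type: fast_hash
    salt: "<hex-encoded salt>"
    blake3: "<hex-encoded blake3 digest>"

# null: password token auth is disabled for this user.
# This is not the same as leaving token out, which forbids the user.
- name: dave
  token: null
```

Since fast_hash is described as weak but fast, the crypt(5) forms are the ones to prefer where stored tokens must resist offline guessing.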
match_by_facts
optional, type: facts_match_value | seq
Set the authentication facts that will match this user.
This config option will only be used by the following user groups:
default: not set
Added in version 1.13.0.
expire
optional, type: rfc3339 datetime str
Set when the user should be considered expired. The check interval is set by refresh interval in group config.
default: not set
block_and_delay
optional, type: humanize duration
Block the user, and delay sending of the error response by the specified duration.
The response code for a blocked user will be forbidden instead of auth failed.
default: not set
ingress_network_filter
optional, type: ingress network acl rule
Set the network filter for clients.
If a server is chained after a PROXY Protocol server, the used client address will be the one in the PROXY Protocol message.
This ACL will be checked before we select the anonymous auth method, so an auth failed error will be returned to the client, and forbidden stats for anonymous won’t be added.
default: not set
Added in version 1.7.20.
proxy_request_filter
optional, type: proxy request acl rule
Set the proxy request types that we should handle.
default: not set
dst_host_filter_set
optional, type: dst host acl rule set
Set the filter for dst host of each request, which means it won’t apply to udp associate tasks.
default: not set
dst_port_filter
optional, type: exact port acl rule
Set the filter for dst port of each request, which means it won’t apply to udp associate tasks.
default: not set
http_user_agent_filter
optional, type: user agent acl rule
Set the filter for HTTP User-Agent header.
Note
This only applies to layer-7 http traffic, including http forward and https forward.
default: not set
tcp_connect
optional, type: tcp connect
Set user level tcp connect params, which will take effect for direct type escapers. These will be limited by the escaper level settings.
default: not set
tcp_sock_speed_limit
optional, type: tcp socket speed limit
Set speed limit for each tcp socket.
default: no limit
tcp_conn_speed_limit
deprecated
Changed in version 1.11.8: deprecated, use tcp_sock_speed_limit instead
tcp_conn_limit
deprecated
Changed in version 1.11.8: deprecated, use tcp_sock_speed_limit instead
udp_sock_speed_limit
optional, type: udp socket speed limit
Set speed limit for each udp socket.
default: no limit
udp_relay_speed_limit
deprecated
Changed in version 1.11.8: deprecated, use udp_sock_speed_limit instead
udp_relay_limit
deprecated
Changed in version 1.11.8: deprecated, use udp_sock_speed_limit instead
tcp_all_upload_speed_limit
optional, type: global stream speed limit
Set process level upload speed limit for all client side tcp connections.
This will only count the data that will be forwarded.
default: no limit
Added in version 1.9.6.
tcp_all_download_speed_limit
optional, type: global stream speed limit
Set process level download speed limit for all client side tcp connections.
This will only count the data received from upstream.
default: no limit
Added in version 1.9.6.
udp_all_upload_speed_limit
optional, type: global datagram speed limit
Set process level upload speed limit for all client side udp connections.
This will only count the data that will be forwarded.
default: no limit
Added in version 1.9.6.
udp_all_download_speed_limit
optional, type: global datagram speed limit
Set process level download speed limit for all client side udp connections.
This will only count the data received from upstream.
default: no limit
Added in version 1.9.6.
tcp_remote_keepalive
optional, type: tcp keepalive
Set tcp keepalive for the remote tcp socket.
The tcp keepalive set in user config will only be taken into account in Direct type escapers.
default: no keepalive set
tcp_remote_misc_opts
optional, type: tcp misc sock opts
Set misc tcp socket options for the remote tcp socket.
The user level TOS and Mark config will overwrite the one set at escaper level. Other fields will be limited to the smaller ones.
default: not set
udp_remote_misc_opts
optional, type: udp misc sock opts
Set misc udp socket options for the remote udp socket.
The user level TOS and Mark config will overwrite the one set at escaper level. Other fields will be limited to the smaller ones.
default: not set
tcp_client_misc_opts
optional, type: tcp misc sock opts
Set misc tcp socket options for the client tcp socket before task connecting stage.
The user level TOS and Mark config will overwrite the one set at escaper level. Other fields will be limited to the smaller ones.
default: not set
udp_client_misc_opts
optional, type: udp misc sock opts
Set misc udp socket options for the client udp socket.
The user level TOS and Mark config will overwrite the one set at server level. Other fields will be limited to the smaller ones.
default: not set
http_upstream_keepalive
optional, type: http keepalive
Set http keepalive config at user level.
default: set with default value
http_rsp_header_recv_timeout
optional, type: humanize duration
Set a custom http response receive timeout value for this user.
This will overwrite:
http proxy server rsp_header_recv_timeout
auditor h1 interception
auditor h2 interception
This will be overwritten by:
user-site http_rsp_header_recv_timeout
default: not set
Added in version 1.9.0.
tcp_conn_rate_limit
deprecated, alias: tcp_conn_limit_quota
Changed in version 1.13.0: deprecated, use connection_rate_limit instead
connection_rate_limit
optional, type: rate limit quota
Set rate limit on client side new connections.
The same connection used for different users will be counted for each of them.
default: no limit
Added in version 1.13.0.
request_rate_limit
optional, type: rate limit quota
Set rate limit on request.
default: no limit, alias: request_limit_quota
request_max_alive
optional, type: usize, alias: request_alive_max
Set max alive requests at user level.
Even if not set, the max alive requests should not be more than usize::MAX.
default: no limit
resolve_strategy
optional, type: resolve strategy
Set a user-level custom resolve strategy, within the range of the one set on the escaper. Not all escapers support this, see the documentation for each escaper for more info.
default: no custom resolve strategy is set
resolve_redirection
optional, type: resolve redirection
Set the dns redirection rules at user level.
default: not set
log_rate_limit
optional, type: rate limit quota
Set rate limit on log request.
default: no limit, alias: log_limit_quota
log_uri_max_chars
optional, type: usize
Set the max number of characters of the uri that should be logged.
If set, this will override the one set at server level.
If not set, the one at server level will take effect.
The password in uri will be replaced by xyz before logging.
default: not set
task_idle_max_count
optional, type: usize
The task will be closed if the idle check returns IDLE this many times.
This will overwrite the one set at server side, see server task_idle_max_count.
The idle check interval can only be set at server side, see server task_idle_check_interval.
default: not set
Changed in version 1.11.3: change default from 1 to not set
socks_use_udp_associate
optional, type: bool
Set if we should use socks udp associate instead of the simplified udp connect method.
default: false
audit
optional, type: user audit
Set audit config for this user.
default: set with default values
explicit_sites
optional, type: seq of user site
Set explicit sites for this user.
egress_path_id_map
optional, type: string id egress path value map
Set ID based egress path selection for this user.
Added in version 1.9.2.
egress_path_value_map
optional, type: json value egress path value map
Set JSON value based egress path selection for this user.
Added in version 1.9.2.