server.cfg

#========================================================================
[GENERAL]

LISTEN_PORT:5865

# If you want APS to authenticate you at WWW servers using NTLM then just leave this
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
# You can specify more than one proxy by leaving a space between each one, and
# APS will detect when one fails and automatically fail-over to the next. EG:
#PARENT_PROXY:first_proxy second_proxy third_proxy
# And NOTE that NTLM cannot pass through another proxy server.
PARENT_PROXY:your_parentproxy

PARENT_PROXY_PORT:8080

# APS will poll the upstream proxy and attempt to fail-over to a new one if it doesn't
# get a response within an appropriate time frame.  The amount of time that it will
# wait for a response before attempting fail-over is specified, in seconds, below:
PARENT_PROXY_TIMEOUT:15

# Set to 1 if you want to grant this authorization service to clients from other computers.
# NOTE: all the users from other hosts that will be using you copy of APS for authentication
# will be using your credentials in NTLM auth at the remote host.
ALLOW_EXTERNAL_CLIENTS:0

# If you want to allow some other but not all computers to use your proxy for authorization,
# just set ALLOW_EXTERNAL_CLIENTS:0 and put friendly IP addresses here.
# Use space as a delimiter.  You may use hostnames as well as IP addresses if you wish. EG:
#FRIENDLY_IPS: 192.168.1.1 friendlyhost.local otherhost
# NOTE that special addesses don't work here (192.168.3.0 for example).
FRIENDLY_IPS:

# If you have some local intranet servers that require you to authenticate, but you
# also want to be able to access the internet via an upstream proxy (ie, with the
# PARENT_PROXY value above), then add the addresses that you use to access your intranet
# servers here in the HOSTS_TO_BYPASS_PARENT_PROXY variable as a space delimitted list;
# or otherwise, if you want to bypass the upstream proxy for *all possible hosts* (ie, every
# one to whom a connection can be made directly without going through the proxy), change
# the value of DIRECT_CONNECT_IF_POSSIBLE to 1.  Note that use of one option does not 
# preclude use of the other also.  Examples:
#HOSTS_TO_BYPASS_PARENT_PROXY:myintranetserver.local 172.16.0.1 intranetbox
# ... this would specify three hosts that ntlmaps will bypass the internet proxy for
# and authenticate you to directly.
#DIRECT_CONNECT_IF_POSSIBLE:1
# ... all hosts to whom a connection can be made will now be authenticated to directly.
HOSTS_TO_BYPASS_PARENT_PROXY:
DIRECT_CONNECT_IF_POSSIBLE:0

# Requested URLs are written to "url.log" file. May be useful.
URL_LOG:0

# When a network service listens for connections, there is a maximum number of connection
# attempts to that service that the underlying OS will allow to backlog waiting for a response
# before the OS will start dropping new connection attempts with 'Connection refused'.  The
# standard method of determining the maximum number of backlogged connections is to use the
# SOMAXCONN constant, which is supposed to represent the maximum number that an OS will support
# (for example, 5 on Windows 2000 Pro, and 200 on Windows 2000 server).  However, because this
# is a statically compiled value in a Python distribution, usually this instead represents the
# the most conservative value (5 on all Windows platforms, and 128 on the GNU/Linux variant I
# tried).  So if you are running (for example) a massively threaded/parallel download manager,
# the default value of, say, 5, or whatever SOMAXCONN happens to be set to, may be too low and
# cause some connections to fail.  The value below can be set to any integer (it seems that
# Python just silently caps values above the hard limit for the underlying platform), or it can
# be set to the special value of SOMAXCONN (i.e. MAX_CONNECTION_BACKLOG:SOMAXCONN), to use
# whatever this value happens to be set to in your Python build.  Setting this higher than
# necessary may cause APS to consume more memory than you needed to.
MAX_CONNECTION_BACKLOG:5

#========================================================================
[CLIENT_HEADER]

# This section describes what and how the server should change in the clients headers.
# Made in order to prevent parent proxy from seeing that you are using wget instead of IE5.5

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*

# Various User-Agent strings for imitating various browsers and OSes.
# Windows 98, IE 5.5:
# User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
# Windows 2000, IE 5.5:
# User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT5)
# Windows XP SP2, IE 6.0:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

# You can uncomment these chages in client's header to mimic IE5+ better, but in this case
# you may expirience problems with *.html if your client does not really handle compression.
#Accept-Encoding: gzip, deflate

#========================================================================
[NTLM_AUTH]

# Optional value, if leaved blank then APS will use gethostname() to determine
# host's name.
# NOTE1: If you Linux host name differs from Windows host name then it may be that
#        MS server wont recognize you host at all and wont grant you access
#        to resources requested. Then you have to use this option and APS will use
#        this name in NTLM negotiations.
# NOTE2: There are several reports that you can successfully use "foreign" host name
#        here. Say, if user may access a resource from 'host1' and may not from 'host2'
#        then there is a chance that APS running on 'host2' with NT_HOSTNAME:host1 will
#        be able to be granted access to the restricted resource. However use this on
#        you own risk as such a trick may be considered as a hack or something.
NT_HOSTNAME:

# Windows Domain.
# NOTE: it is not full qualified internet domain, but windows network domain.
NT_DOMAIN:your_domain

# What user's name to use during authorization. It may differ form real current username.
# If you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out.
USER:username_to_use

# Password. Just leave it blank here and server will request it at the start time,
# or, if you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out, and you *won't* be prompted for a password at start time.
PASSWORD:your_nt_password

# Alternatively, fill in these hashes. You can use the hashes.py program supplied to
# generate the hashes.
# An example of the sort of thing to expect, for the password 'MyPassword' would be
# dKyZykDe1CDcGnPmzqZ+xQAAAAAA
# and
# 8SxBgIPAXjp954WC5h9lLQAAAAAA
#
# If both of these settings are used, then the PASSWORD setting above is ignored.
LM_HASHED_PW:
NT_HASHED_PW:

# If you are running ntlmaps on Windows and your password includes complex characters,
# such as unicode characters outside of the ASCII 0-255 codepage for your native
# language, and you are planning on inputting your password at the prompt when ntlmaps
# starts, then you will need to enable COMPLEX_PASSWORD_INPUT, below.  It should
# be safe to leave enabled for everyone regardless, as ntlmaps will fall back to the
# standard password input mechanism if for some reason it is unable to support complex
# passwords, or if the extension is not required, such as for users on other platforms
# like MacOS X or various *nixes.
# Please note that because this mechanism relies on a custom C extension module 
# (win32console), that this will only work for people running ntlmaps with a supported
# version of Python.  Currently, that includes Python 1.5.2, and the current version
# of Python available (2.4.1).
COMPLEX_PASSWORD_INPUT:1

# These two options replace old FULL_NTLM option.
# NTLM authentication consists virtually of two parts: LM and NT. Windows95/98 use
# only LM part, WindowsNT/2000 can use NT and LM or just NT part.
# Almost always using just LM part will be enough. I had several reports
# about LM and NT requirement and no about just NT.
# So try to setup 1, 1 only if you have enough reasons to do so and when you understand
# what you are doing.
# 0, 0 is an illegal combination
# NOTE: if you change these options then you have to setup flag option accordingly.
LM_PART:1
NT_PART:0

# Highly experimental option. See research.txt for details.
# LM - 06820000
# NT - 05820000
# LM + NT - 07820000
NTLM_FLAGS: 06820000

# This option makes APS try to translate NTLM authentication to very usual "Basic"
# scheme. Almost all http clients know it. With this option set to 1 user will be requested
# by his browser to enter his credentials and these username and password will be used by
# APS for NTLM authentication at MS Proxy server or Web server.
# In such a case different users can use one runnig APS with their own credentials.
# NOTE1: currently translation works so it allows only one try for entering
#        username/password. If you make a mistake you will have to restart you browser.
# NOTE2: With debug:1 basic username/password will be written in log file in clear
#        text format. I could try hide it, but the basic scheme is so weak that anybody
#        who had access to APS would be able to get it.
NTLM_TO_BASIC:0

#========================================================================
[DEBUG]

# Set this to 1 if you want to see debug info in many log files. One per connection.
DEBUG:0

# Set this to 1 to get even more debug info.
BIN_DEBUG:0

# Set this to 1 to see some strange activity on screen. Actually you won't want it.
SCR_DEBUG:0

# Not actually a debug option but gives you some details on authentication process
# into *.auth logs. Also see research.txt.
AUTH_DEBUG:0