My server.cfg sample
# If you want APS to authenticate you at WWW servers using NTLM then just leave this
# value blank like PARENT_PROXY: and APS will connect to web servers directly.
# You can specify more than one proxy by leaving a space between each one, and
# APS will detect when one fails and automatically fail-over to the next. EG:
#PARENT_PROXY:first_proxy second_proxy third_proxy
# And NOTE that NTLM cannot pass through another proxy server.
# APS will poll the upstream proxy and attempt to fail-over to a new one if it doesn't
# get a response within an appropriate time frame. The amount of time that it will
# wait for a response before attempting fail-over is specified, in seconds, below:
# Set to 1 if you want to grant this authorization service to clients from other computers.
# NOTE: all the users from other hosts that will be using you copy of APS for authentication
# will be using your credentials in NTLM auth at the remote host.
# If you want to allow some other but not all computers to use your proxy for authorization,
# just set ALLOW_EXTERNAL_CLIENTS:0 and put friendly IP addresses here.
# Use space as a delimiter.
# NOTE that special addesses don't work here (192.168.3.0 for example).
# Requested URLs are written to "url.log" file. May be useful.
# When a network service listens for connections, there is a maximum number of connection
# attempts to that service that the underlying OS will allow to backlog waiting for a response
# before the OS will start dropping new connection attempts with 'Connection refused'. The
# standard method of determining the maximum number of backlogged connections is to use the
# SOMAXCONN constant, which is supposed to represent the maximum number that an OS will support
# (for example, 5 on Windows 2000 Pro, and 200 on Windows 2000 server). However, because this
# is a statically compiled value in a Python distribution, usually this instead represents the
# the most conservative value (5 on all Windows platforms, and 128 on the GNU/Linux variant I
# tried). So if you are running (for example) a massively threaded/parallel download manager,
# the default value of, say, 5, or whatever SOMAXCONN happens to be set to, may be too low and
# cause some connections to fail. The value below can be set to any integer (it seems that
# Python just silently caps values above the hard limit for the underlying platform), or it can
# be set to the special value of SOMAXCONN (i.e. MAX_CONNECTION_BACKLOG:SOMAXCONN), to use
# whatever this value happens to be set to in your Python build. Setting this higher than
# necessary may cause APS to consume more memory than you needed to.
# This section describes what and how the server should change in the clients headers.
# Made in order to prevent parent proxy from seeing that you are using wget instead of IE5.5
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
# for windows 2000 emulation ;)
# User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT5)
# You can uncomment these chages in client's header to mimic IE5+ better, but in this case
# you may expirience problems with *.html if your client does not really handle compression.
#Accept-Encoding: gzip, deflate
# Optional value, if leaved blank then APS will use gethostname() to determine
# host's name.
# NOTE1: If you Linux host name differs from Windows host name then it may be that
# MS server wont recognize you host at all and wont grant you access
# to resources requested. Then you have to use this option and APS will use
# this name in NTLM negotiations.
# NOTE2: There are several reports that you can successfully use "foreign" host name
# here. Say, if user may access a resource from 'host1' and may not from 'host2'
# then there is a chance that APS running on 'host2' with NT_HOSTNAME:host1 will
# be able to be granted access to the restricted resource. However use this on
# you own risk as such a trick may be considered as a hack or something.
# Windows Domain.
# NOTE: it is not full qualified internet domain, but windows network domain.
# What user's name to use during authorization. It may differ form real current username.
# If you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out.
# Password. Just leave it blank here and server will request it at the start time,
# or, if you enable NTLM_TO_BASIC, below, you can either leave this blank or simply
# hash it out, and you *won't* be prompted for a password at start time.
# These two options replace old FULL_NTLM option.
# NTLM authentication consists virtually of two parts: LM and NT. Windows95/98 use
# only LM part, WindowsNT/2000 can use NT and LM or just NT part.
# Almost always using just LM part will be enough. I had several reports
# about LM and NT requirement and no about just NT.
# So try to setup 1, 1 only if you have enough reasons to do so and when you understand
# what you are doing.
# 0, 0 is an illegal combination
# NOTE: if you change these options then you have to setup flag option accordingly.
# Highly experimental option. See research.txt for details.
# LM - 06820000
# NT - 05820000
# LM + NT - 07820000
# This option makes APS try to translate NTLM authentication to very usual "Basic"
# scheme. Almost all http clients know it. With this option set to 1 user will be requested
# by his browser to enter his credentials and these username and password will be used by
# APS for NTLM authentication at MS Proxy server or Web server.
# In such a case different users can use one runnig APS with their own credentials.
# NOTE1: currently translation works so it allows only one try for entering
# username/password. If you make a mistake you will have to restart you browser.
# NOTE2: With debug:1 basic username/password will be written in log file in clear
# text format. I could try hide it, but the basic scheme is so weak that anybody
# who had access to APS would be able to get it.
# Set this to 1 if you want to see debug info in many log files. One per connection.
# Set this to 1 to get even more debug info.
# Set this to 1 to see some strange activity on screen. Actually you won't want it.
# Not actually a debug option but gives you some details on authentication process
# into *.auth logs. Also see research.txt.