# # Example configuration for ABFAB listening on TLS. # # $Id: b8d0626bbe8923a97506b7410e83f88e3af4c42a $ # listen { ipaddr = * port = 2083 type = auth proto = tcp tls { tls_min_version = "1.2" private_key_password = whatever # Moonshot tends to distribute certs separate from keys private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem ca_file = /etc/ssl/certs/ca-certificates.crt dh_file = ${certdir}/dh fragment_size = 8192 ca_path = ${cadir} cipher_list = "DEFAULT" cache { enable = no lifetime = 24 # hours name = "abfab-tls" # persist_dir = ${logdir}/abfab-tls } require_client_cert = yes verify { } psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" } virtual_server = abfab-idp clients = radsec-abfab } # There needs to be a separated "listen" section for IPv6. # Typically it will be identical to the IPv4 one above, but there might be # some differences (e.g. if a different certificate or port is desired) listen { ipaddr = :: port = 2083 type = auth proto = tcp tls { tls_min_version = "1.2" private_key_password = whatever # Moonshot tends to distribute certs separate from keys private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh fragment_size = 8192 ca_path = ${cadir} cipher_list = "DEFAULT" cache { enable = no lifetime = 24 # hours name = "abfab-tls" # persist_dir = ${logdir}/abfab-tls } require_client_cert = yes verify { } psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" } virtual_server = abfab-idp clients = radsec-abfab } clients radsec-abfab { # # Allow all clients, but require TLS. # This client stanza will match other RP proxies from other # realms established via the trustrouter. In general # additional client stanzas are also required for local services. # client default { ipaddr = 0.0.0.0/0 proto = tls } client default_ip6 { ipaddr = ::/0 proto = tls } # An example local service # client service_1 { # ipaddr = 192.0.2.20 # # You should either set gss_acceptor_host_name below # # or set up policy to confirm that a client claims # # the right acceptor hostname when using ABFAB. If # # set, the RADIUS server will confirm that all # # requests have this value for the acceptor host name # gss_acceptor_host_name = "server.example.com" # # If set, this acceptor realm name will be included. # # Foreign realms will typically reject a request if this is not # # properly set. # gss_acceptor_realm_name = "example.com" # # Additionally, trust_router_coi can be set; if set # # it will override the default_community in the realm # # module # trust_router_coi = "community1.example.net" # # In production depployments it is important to set # # up certificate verification so that even if # # clients spoof IP addresses, one client cannot # # impersonate another. # } }