diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
commit | 50b37d4a27d3295a29afca2286f1a5a086142cec (patch) | |
tree | 9212f763934ee090ef72d823f559f52ce387f268 /raddb/sites-available/abfab-tls | |
parent | Initial commit. (diff) | |
download | freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.tar.xz freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.zip |
Adding upstream version 3.2.1+dfsg.upstream/3.2.1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'raddb/sites-available/abfab-tls')
-rw-r--r-- | raddb/sites-available/abfab-tls | 118 |
1 files changed, 118 insertions, 0 deletions
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls new file mode 100644 index 0000000..b8d0626 --- /dev/null +++ b/raddb/sites-available/abfab-tls @@ -0,0 +1,118 @@ +# +# Example configuration for ABFAB listening on TLS. +# +# $Id$ +# +listen { + ipaddr = * + port = 2083 + type = auth + proto = tcp + + tls { + tls_min_version = "1.2" + private_key_password = whatever + + # Moonshot tends to distribute certs separate from keys + private_key_file = ${certdir}/server.key + certificate_file = ${certdir}/server.pem + ca_file = ${cadir}/ca.pem + dh_file = ${certdir}/dh + fragment_size = 8192 + ca_path = ${cadir} + cipher_list = "DEFAULT" + cache { + enable = no + lifetime = 24 # hours + name = "abfab-tls" + # persist_dir = ${logdir}/abfab-tls + } + require_client_cert = yes + verify { + } + + psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" + } + + virtual_server = abfab-idp + clients = radsec-abfab +} + +# There needs to be a separated "listen" section for IPv6. +# Typically it will be identical to the IPv4 one above, but there might be +# some differences (e.g. if a different certificate or port is desired) +listen { + ipaddr = :: + port = 2083 + type = auth + proto = tcp + + tls { + tls_min_version = "1.2" + private_key_password = whatever + + # Moonshot tends to distribute certs separate from keys + private_key_file = ${certdir}/server.key + certificate_file = ${certdir}/server.pem + ca_file = ${cadir}/ca.pem + dh_file = ${certdir}/dh + fragment_size = 8192 + ca_path = ${cadir} + cipher_list = "DEFAULT" + cache { + enable = no + lifetime = 24 # hours + name = "abfab-tls" + # persist_dir = ${logdir}/abfab-tls + } + require_client_cert = yes + verify { + } + + psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}" + } + + virtual_server = abfab-idp + clients = radsec-abfab +} + +clients radsec-abfab { + # + # Allow all clients, but require TLS. + # This client stanza will match other RP proxies from other + # realms established via the trustrouter. In general + # additional client stanzas are also required for local services. + # + client default { + ipaddr = 0.0.0.0/0 + proto = tls + } + + client default_ip6 { + ipaddr = ::/0 + proto = tls + } + + # An example local service + # client service_1 { + # ipaddr = 192.0.2.20 + # # You should either set gss_acceptor_host_name below + # # or set up policy to confirm that a client claims + # # the right acceptor hostname when using ABFAB. If + # # set, the RADIUS server will confirm that all + # # requests have this value for the acceptor host name + # gss_acceptor_host_name = "server.example.com" + # # If set, this acceptor realm name will be included. + # # Foreign realms will typically reject a request if this is not + # # properly set. + # gss_acceptor_realm_name = "example.com" + # # Additionally, trust_router_coi can be set; if set + # # it will override the default_community in the realm + # # module + # trust_router_coi = "community1.example.net" + # # In production depployments it is important to set + # # up certificate verification so that even if + # # clients spoof IP addresses, one client cannot + # # impersonate another. + # } +} |