summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/rest
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--raddb/mods-available/rest289
1 files changed, 289 insertions, 0 deletions
diff --git a/raddb/mods-available/rest b/raddb/mods-available/rest
new file mode 100644
index 0000000..2860aa3
--- /dev/null
+++ b/raddb/mods-available/rest
@@ -0,0 +1,289 @@
+rest {
+ #
+ # This subsection configures the tls related items
+ # that control how FreeRADIUS connects to a HTTPS
+ # server.
+ #
+ tls {
+ # Certificate Authorities:
+ # "ca_file" (libcurl option CURLOPT_ISSUERCERT).
+ # File containing a single CA, which is the issuer of the server
+ # certificate.
+ # "ca_info_file" (libcurl option CURLOPT_CAINFO).
+ # File containing a bundle of certificates, which allow to handle
+ # certificate chain validation.
+ # "ca_path" (libcurl option CURLOPT_CAPATH).
+ # Directory holding CA certificates to verify the peer with.
+# ca_file = ${certdir}/cacert.pem
+# ca_info_file = ${certdir}/cacert_bundle.pem
+# ca_path = ${certdir}
+
+# certificate_file = /path/to/radius.crt
+# private_key_file = /path/to/radius.key
+# private_key_password = "supersecret"
+# random_file = /dev/urandom
+
+ # Server certificate verification requirements. Can be:
+ # "no" (don't even bother trying)
+ # "yes" (verify the cert was issued by one of the
+ # trusted CAs)
+ #
+ # The default is "yes"
+# check_cert = yes
+
+ # Server certificate CN verification requirements. Can be:
+ # "no" (don't even bother trying)
+ # "yes" (verify the CN in the certificate matches the host
+ # in the URI)
+ #
+ # The default is "yes"
+# check_cert_cn = yes
+ }
+
+ # rlm_rest will open a connection to the server specified in connect_uri
+ # to populate the connection cache, ready for the first request.
+ # The server will not start if the server specified is unreachable.
+ #
+ # If you wish to disable this pre-caching and reachability check,
+ # comment out the configuration item below.
+ connect_uri = "http://127.0.0.1/"
+
+ #
+ # How long before new connection attempts timeout, defaults to 4.0 seconds.
+ #
+# connect_timeout = 4.0
+
+ #
+ # Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
+ # '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
+ #
+# http_negotiation = 1.1
+
+ #
+ # The following config items can be used in each of the sections.
+ # The sections themselves reflect the sections in the server.
+ # For example if you list rest in the authorize section of a virtual server,
+ # the settings from the authorize section here will be used.
+ #
+ # The following config items may be listed in any of the sections:
+ # uri - to send the request to.
+ # method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
+ # 'delete' or any custom HTTP method.
+ # body - The format of the HTTP body sent to the remote server.
+ # May be 'none', 'post' or 'json', defaults to 'none'.
+ # attr_num - If true, the attribute number is supplied for each attribute.
+ # Defaults to false.
+ # raw_value - If true, enumerated attribute values are provided as numeric
+ # values. Defaults to false.
+ # data - Send custom freeform data in the HTTP body. Content-type
+ # may be specified with 'body'. Will be expanded.
+ # Values from expansion will not be escaped, this should be
+ # done using the appropriate xlat method e.g. %{urlencode:<attr>}.
+ # force_to - Force the response to be decoded with this decoder.
+ # May be 'plain' (creates reply:REST-HTTP-Body), 'post'
+ # or 'json'.
+ # tls - TLS settings for HTTPS.
+ # auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
+ # 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
+ # 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
+ # username - User to authenticate as, will be expanded.
+ # password - Password to use for authentication, will be expanded.
+ # require_auth - Require HTTP authentication.
+ # timeout - HTTP request timeout in seconds, defaults to 4.0.
+ # chunk - Chunk size to use. If set, HTTP chunked encoding is used to
+ # send data to the REST server. Make sure that this is large
+ # enough to fit your largest attribute value's text
+ #  representation.
+ # A number like 8192 is good.
+ #
+ # Additional HTTP headers may be specified with control:REST-HTTP-Header.
+ # The values of those attributes should be in the format:
+ #
+ # control:REST-HTTP-Header := "<HTTP attribute>: <value>"
+ #
+ # The control:REST-HTTP-Header attributes will be consumed
+ # (i.e. deleted) after each call to the rest module, and each
+ # %{rest:} expansion. This is so that headers from one REST
+ # call do not affect headers from a different REST call.
+ #
+ # Body encodings are the same for requests and responses
+ #
+ # POST - All attributes and values are urlencoded
+ # [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
+ #
+ # JSON - All attributes and values are escaped according to the JSON specification
+ # - attribute Name of the attribute.
+ # - attr_num Number of the attribute. Only available if the configuration item
+ # 'attr_num' is enabled.
+ # - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
+ # - value Attribute value, for enumerated attributes the human readable value is
+ # provided and not the numeric value (Depends on the 'raw_value' config item).
+ # {
+ # "<attribute0>":{
+ # "attr_num":<attr_num0>,
+ # "type":"<type0>",
+ # "value":[<value0>,<value1>,<valueN>]
+ # },
+ # "<attribute1>":{
+ # "attr_num":<attr_num1>,
+ # "type":"<type1>",
+ # "value":[...]
+ # },
+ # "<attributeN>":{
+ # "attr_num":<attr_numN>,
+ # "type":"<typeN>",
+ # "value":[...]
+ # },
+ # }
+ #
+ # The response format adds three optional fields:
+ # - do_xlat If true, any values will be xlat expanded. Defaults to true.
+ # - is_json If true, any nested JSON data will be copied to the attribute
+ # in string form. Defaults to true.
+ # - op Controls how the attribute is inserted into the target list.
+ # Defaults to ':='. To create multiple attributes from multiple
+ # values, this should be set to '+=', otherwise only the last
+ # value will be used, and it will be assigned to a single
+ # attribute.
+ # {
+ # "<attribute0>":{
+ # "is_json":<bool>,
+ # "do_xlat":<bool>,
+ # "op":"<operator>",
+ # "value":[<value0>,<value1>,<valueN>]
+ # },
+ # "<attribute1>":"value",
+ # "<attributeN>":{
+ # "value":[<value0>,<value1>,<valueN>],
+ # "op":"+="
+ # }
+ # }
+
+ #
+ # Module return codes are determined by HTTP response codes. These vary depending on the
+ # section.
+ #
+ # If the body is processed and found to be malformed or unsupported fail will be returned.
+ # If the body is processed and found to contain attribute updated will be returned,
+ # except in the case of a 401 code.
+ #
+
+ # Authorize/Authenticate
+ #
+ # Code Meaning Process body Module code
+ # 404 not found no notfound
+ # 410 gone no notfound
+ # 403 forbidden no userlock
+ # 401 unauthorized yes reject
+ # 204 no content no ok
+ # 2xx successful yes ok/updated
+ # 5xx server error no fail
+ # xxx - no invalid
+ #
+ # The status code is held in %{reply:REST-HTTP-Status-Code}.
+ #
+ authorize {
+ uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
+ method = 'get'
+ tls = ${..tls}
+ }
+ authenticate {
+ uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
+ method = 'get'
+ tls = ${..tls}
+ }
+
+ # Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
+ #
+ # Code Meaning Process body Module code
+ # 204 no content no ok
+ # 2xx successful yes ok/updated
+ # 5xx server error no fail
+ # xxx - no invalid
+ preacct {
+ uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
+ method = 'post'
+ tls = ${..tls}
+ }
+ accounting {
+ uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
+ method = 'post'
+ tls = ${..tls}
+ }
+ post-auth {
+ uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
+ method = 'post'
+ tls = ${..tls}
+ }
+ pre-proxy {
+ uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
+ method = 'post'
+ tls = ${..tls}
+ }
+ post-proxy {
+ uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
+ method = 'post'
+ tls = ${..tls}
+ }
+
+ #
+ # The connection pool is used to pool outgoing connections.
+ #
+ pool {
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # web service being available.
+ start = ${thread[pool].start_servers}
+
+ # Minimum number of connections to keep open
+ min = ${thread[pool].min_spare_servers}
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ max = ${thread[pool].max_servers}
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ spare = ${thread[pool].max_spare_servers}
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The number of seconds to wait after the server tries
+ # to open a connection, and fails. During this time,
+ # no new connections will be opened.
+ retry_delay = 30
+
+ # The lifetime (in seconds) of the connection
+ lifetime = 0
+
+ # idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ idle_timeout = 60
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ }
+}