1 files changed, 118 insertions, 0 deletions
diff --git a/raddb/sites-available/abfab-tls b/raddb/sites-available/abfab-tls
new file mode 100644
index 0000000..b8d0626
--- /dev/null
+++ b/raddb/sites-available/abfab-tls
@@ -0,0 +1,118 @@
+#
+#	Example configuration for ABFAB listening on TLS.
+#
+#	$Id$
+#
+listen {
+	ipaddr = *
+	port = 2083
+	type = auth
+	proto = tcp
+
+	tls {
+		tls_min_version = "1.2"
+		private_key_password = whatever
+
+		# Moonshot tends to distribute certs separate from keys
+		private_key_file = ${certdir}/server.key
+		certificate_file = ${certdir}/server.pem
+		ca_file = ${cadir}/ca.pem
+		dh_file = ${certdir}/dh
+		fragment_size = 8192
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		cache {
+			enable = no
+			lifetime = 24 # hours
+			name = "abfab-tls"
+			# persist_dir = ${logdir}/abfab-tls
+		}
+		require_client_cert = yes
+		verify {
+		}
+
+		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
+	}
+
+	virtual_server = abfab-idp
+	clients = radsec-abfab
+}
+
+# There needs to be a separated "listen" section for IPv6.
+# Typically it will be identical to the IPv4 one above, but there might be
+# some differences (e.g. if a different certificate or port is desired)
+listen {
+	ipaddr = ::
+	port = 2083
+	type = auth
+	proto = tcp
+
+	tls {
+		tls_min_version = "1.2"
+		private_key_password = whatever
+
+		# Moonshot tends to distribute certs separate from keys
+		private_key_file = ${certdir}/server.key
+		certificate_file = ${certdir}/server.pem
+		ca_file = ${cadir}/ca.pem
+		dh_file = ${certdir}/dh
+		fragment_size = 8192
+		ca_path = ${cadir}
+		cipher_list = "DEFAULT"
+		cache {
+			enable = no
+			lifetime = 24 # hours
+			name = "abfab-tls"
+			# persist_dir = ${logdir}/abfab-tls
+		}
+		require_client_cert = yes
+		verify {
+		}
+
+		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
+	}
+
+	virtual_server = abfab-idp
+	clients = radsec-abfab
+}
+
+clients radsec-abfab {
+	#
+	#  Allow all clients, but require TLS.
+	#  This client stanza will match other RP proxies from other
+	#  realms  established via the trustrouter.  In general
+	#  additional client stanzas are also required for local services.
+	#
+        client default {
+		ipaddr = 0.0.0.0/0
+		proto = tls
+	}
+
+        client default_ip6 {
+		ipaddr = ::/0
+		proto = tls
+	}
+
+	#  An example local service
+	#  client service_1 {
+	#  	ipaddr = 192.0.2.20
+	#  	#  You should either set gss_acceptor_host_name below
+	#  	#  or set up policy to confirm that a client claims
+	#  	#  the right acceptor hostname when using ABFAB.  If
+	#  	#  set,  the RADIUS server will confirm that all
+	#  	#  requests have this value for the acceptor host name
+	#  	gss_acceptor_host_name = "server.example.com"
+	#  	#  If set, this acceptor realm name will be included.
+	#  	#  Foreign realms will typically reject a request if this is not
+	#  	#  properly set.
+	#  	gss_acceptor_realm_name = "example.com"
+	#  	#  Additionally, trust_router_coi can be set; if set
+	#  	#  it will override the default_community in the realm
+ 	#  	#  module
+	#  	trust_router_coi =  "community1.example.net"
+	#  	#  In production depployments it is important to set
+	#  	#  up certificate verification  so that even if
+	#  	#  clients spoof IP addresses, one client cannot
+	#  	#  impersonate another.
+	#  }
+}