#
#	Example configuration for ABFAB listening on TLS.
#
#	$Id$
#
listen {
	ipaddr = *
	port = 2083
	type = auth
	proto = tcp

	tls {
		tls_min_version = "1.2"
		private_key_password = whatever

		# Moonshot tends to distribute certs separate from keys
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		fragment_size = 8192
		ca_path = ${cadir}
		cipher_list = "DEFAULT"
		cache {
			enable = no
			lifetime = 24 # hours
			name = "abfab-tls"
			# persist_dir = ${logdir}/abfab-tls
		}
		require_client_cert = yes
		verify {
		}

		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
	}

	virtual_server = abfab-idp
	clients = radsec-abfab
}

# There needs to be a separated "listen" section for IPv6.
# Typically it will be identical to the IPv4 one above, but there might be
# some differences (e.g. if a different certificate or port is desired)
listen {
	ipaddr = ::
	port = 2083
	type = auth
	proto = tcp

	tls {
		tls_min_version = "1.2"
		private_key_password = whatever

		# Moonshot tends to distribute certs separate from keys
		private_key_file = ${certdir}/server.key
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		fragment_size = 8192
		ca_path = ${cadir}
		cipher_list = "DEFAULT"
		cache {
			enable = no
			lifetime = 24 # hours
			name = "abfab-tls"
			# persist_dir = ${logdir}/abfab-tls
		}
		require_client_cert = yes
		verify {
		}

		psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
	}

	virtual_server = abfab-idp
	clients = radsec-abfab
}

clients radsec-abfab {
	#
	#  Allow all clients, but require TLS.
	#  This client stanza will match other RP proxies from other
	#  realms  established via the trustrouter.  In general
	#  additional client stanzas are also required for local services.
	#
        client default {
		ipaddr = 0.0.0.0/0
		proto = tls
	}

        client default_ip6 {
		ipaddr = ::/0
		proto = tls
	}

	#  An example local service
	#  client service_1 {
	#  	ipaddr = 192.0.2.20
	#  	#  You should either set gss_acceptor_host_name below
	#  	#  or set up policy to confirm that a client claims
	#  	#  the right acceptor hostname when using ABFAB.  If
	#  	#  set,  the RADIUS server will confirm that all
	#  	#  requests have this value for the acceptor host name
	#  	gss_acceptor_host_name = "server.example.com"
	#  	#  If set, this acceptor realm name will be included.
	#  	#  Foreign realms will typically reject a request if this is not
	#  	#  properly set.
	#  	gss_acceptor_realm_name = "example.com"
	#  	#  Additionally, trust_router_coi can be set; if set
	#  	#  it will override the default_community in the realm
 	#  	#  module
	#  	trust_router_coi =  "community1.example.net"
	#  	#  In production depployments it is important to set
	#  	#  up certificate verification  so that even if
	#  	#  clients spoof IP addresses, one client cannot
	#  	#  impersonate another.
	#  }
}