# -*- text -*-
######################################################################
#
#	This is a virtual server which handles TLS session caching.
#
#	$Id$
#
######################################################################
#
#  In mods-enabled/eap, "cache" subsection
#
#  comment out
#
#	persist_dir
#
#  add
#
#	virtual_server = tls-cache
#
#  and set
#
#	enable = yes
#
#  In order to enable caching.
#

#
#  This virtual server SHOULD NOT have any "listen" sections.
#
#
#  All of the cache sections key off of &request:TLS-Session-ID
#
#  The cache sections also run the "post-auth" section of any
#  module which they use.
#
#  These sections do not need to return any specific codes (e.g. ok /
#  fail /etc.).  The cache functionality depends only on which
#  attributes are saved / loaded.
#
#  For example, if the "cache save" process fails, there is nothing
#  that the server can do about that.  The user's authentication
#  session will still succeed.  The only difference from a successful
#  "cache save" is that the user will be unable to resume their
#  session.  Instead, they will need to perform a full
#  re-authentication.
#
#  Similarly for "cache load".  If the session and/or the VPs are
#  not loaded from the cache, then the user will do a full
#  re-authentication.
#
#  Whilst any store can be used for TLS session caching, whatever is
#  chosen should be faster than performing a full re-authentication.
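server tls-cache {

cache clear {
	#  clear the cache entry by keying off of &request:TLS-Session-ID
	#
	#  No return code is needed; if the delete fails the entry
	#  simply lives on until its expiry is reached.

	#  An example using redis
#	"%{redis:DEL %{request:TLS-Session-ID}}"

	#  An example using SQL
#	"%{sql:DELETE FROM tls_cache WHERE session_id = '%{request:TLS-Session-ID}'}"
}

cache save {
	#  use the key &request:TLS-Session-ID
	#  save &session-state:TLS-Session-Data
	#  save &reply:...

	#  The &reply: list is initialized to the attributes
	#  which should be saved.  This includes attributes
	#  mentioned in the "store" subsection of the "cache"
	#  section configuration.  This is the same set of
	#  attributes which is saved when the 'persist_dir'
	#  configuration is used.
	#
	#  Note the "store" subsection will only copy matching
	#  attributes from the &reply: list at the time that
	#  eap authentication succeeds.
	#
	#  Other attributes can be saved by referring to them
	#  e.g. &outer.request:...
	#
	#  Treat the store as holding credential-equivalent data.
	#  &session-state:TLS-Session-Data is what allows a later
	#  connection to be resumed without the full authentication
	#  exchange, so anyone able to read the store can in practice
	#  resume a cached session, and anyone able to write to it
	#  can plant the attributes which "cache load" copies into
	#  &reply:, &session-state:, &request: and &control:.
	#  Restrict who can reach the redis / SQL store
	#  (authentication, ACLs, and an encrypted connection where
	#  the store supports it).
	#
	#  The expiry used in the examples (86400 seconds / 24 hours)
	#  should match the cache lifetime configured in the "cache"
	#  subsection of mods-enabled/eap, otherwise the server and
	#  the store disagree about when a session stops being
	#  resumable.

	#  An example using redis
	#
	#  The VLAN is wrapped in %{escape:} so that the '|'
	#  delimiter stays unambiguous even if the value contains
	#  one.  "cache load" reverses this with %{unescape:}.
#	update {
#		&Tmp-String-0 := "%{session-state:TLS-Session-Data}|%{escape:%{reply:Tunnel-Private-Group-ID}}"
#	}
#	"%{redis: SET %{request:TLS-Session-ID} \"%{Tmp-String-0}\" EX 86400}"

	#  An example using SQL
	#
	#  The values are interpolated into the query string.  This
	#  relies on the sql xlat escaping nested %{...} expansions,
	#  and on TLS-Session-ID / TLS-Session-Data being octets
	#  attributes (expanded as hex).  Confirm both hold for your
	#  version before interpolating any other client-controlled
	#  attribute into these queries.
#	"%{sql: INSERT INTO tls_cache (session_id, session_data, vlan, expiry) VALUES ('%{request:TLS-Session-ID}', '%{session-state:TLS-Session-Data}', '%{escape:%{reply:Tunnel-Private-Group-ID}}', DATE_ADD(NOW(), INTERVAL 24 HOUR))}"
}

cache load {
	#  use the key &request:TLS-Session-ID
	#  load &session-state:TLS-Session-Data
	#  load &reply:...

	#  Attributes returned in &reply: which are listed
	#  in the "store" subsection of the "cache" section
	#  configuration will be copied to &session-state:
	#
	#  Certificate attributes returned in &reply: are added
	#  to &request: if they do not already exist and if
	#  EAP-Type is returned it is added to &control:
	#
	#  Any other attributes returned are added to &reply:
	#
	#  Everything loaded here is trusted once it is placed in
	#  those lists.  The regex check below only validates the
	#  shape of the cached value, not who wrote it, so write
	#  access to the store must be restricted (see "cache save").
	#
	#  The key, &request:TLS-Session-ID, is proposed by the
	#  resuming client.  An unknown or malformed id is therefore
	#  normal and simply results in a full re-authentication.
	#
	#  Both regex fields must be non-empty.  If no
	#  Tunnel-Private-Group-ID existed when the session was
	#  saved, the second field is empty, the match fails, and
	#  the client falls back to a full re-authentication.
	#  Adjust the regex if you store fewer or more fields.

	#  An example using redis
#	update {
#		&Tmp-String-0 := "%{redis:GET %{request:TLS-Session-ID}}"
#	}
#	if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) {
#		return
#	}
#	update {
#		&session-state:TLS-Session-Data := "%{1}"
#		&reply:Tunnel-Private-Group-ID := "%{unescape:%{2}}"
#	}

	#  An example using SQL
	#
	#  Redis drops expired keys by itself (EX above), but a SQL
	#  row stays until something deletes it.  The SELECT must
	#  therefore check 'expiry' itself, otherwise a session could
	#  be resumed long after the intended lifetime.  Expired rows
	#  should also be purged periodically.
#	update {
#		&Tmp-String-0 := "%{sql:SELECT CONCAT(session_data, '|', vlan) FROM tls_cache WHERE session_id = '%{request:TLS-Session-ID}' AND expiry > NOW()}"
#	}
#	if (!&Tmp-String-0 || &Tmp-String-0 !~ /^([^|]+)\|([^|]+)$/) {
#		return
#	}
#	update {
#		&session-state:TLS-Session-Data := "%{1}"
#		&reply:Tunnel-Private-Group-ID := "%{unescape:%{2}}"
#	}
}

cache refresh {
	#  refresh the cache entry by keying off of &request:TLS-Session-ID
	#
	#  Use the same expiry as "cache save" so that a refreshed
	#  entry never outlives a freshly saved one.

	#  An example using redis
#	"%{redis:EXPIRE %{request:TLS-Session-ID} 86400}"

	#  An example using SQL
#	"%{sql:UPDATE tls_cache SET expiry = DATE_ADD(NOW(), INTERVAL 24 HOUR) WHERE session_id = '%{request:TLS-Session-ID}'}"
}

}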