Context Navigation

proxy.conf @ c5c522c

gcc484ntopperl-5.22

Last change on this file since c5c522c was c5c522c, checked in by Edwin Eefting <edwin@datux.nl>, 8 years ago
initial commit, transferred from cleaned syn3 svn tree
Property mode set to `100644`
File size: 8.6 KB

Line
1	#
2	# proxy.conf - proxy radius and realm configuration directives
3	#
4	# This file is included by default. To disable it, you will need
5	# to modify the PROXY CONFIGURATION section of "radiusd.conf".
6	#
7	#######################################################################
8	#
9	# Proxy server configuration
10	#
11	# This entry controls the servers behaviour towards ALL other servers
12	# to which it sends proxy requests.
13	#
14	proxy server {
15
16	#
17	# If the NAS re-sends the request to us, we can immediately re-send
18	# the proxy request to the end server. To do so, use 'yes' here.
19	#
20	# If this is set to 'no', then we send the retries on our own schedule,
21	# and ignore any duplicate NAS requests.
22	#
23	# If you want to have the server send proxy retries ONLY when the NAS
24	# sends it's retries to the server, then set this to 'yes', and
25	# set the other proxy configuration parameters to 0 (zero).
26	#
27	# Additionally, if you want 'failover' to work, the server must manage
28	# retries and timeouts. Therefore, if this is set to yes, then no
29	# failover functionality is possible.
30	#
31	synchronous = no
32
33	#
34	# The time (in seconds) to wait for a response from the proxy, before
35	# re-sending the proxied request.
36	#
37	# If this time is set too high, then the NAS may re-send the request,
38	# or it may give up entirely, and reject the user.
39	#
40	# If it is set too low, then the RADIUS server which receives the proxy
41	# request will get kicked unnecessarily.
42	#
43	retry_delay = 5
44
45	#
46	# The number of retries to send before giving up, and sending a reject
47	# message to the NAS.
48	#
49	retry_count = 3
50
51	#
52	# If the home server does not respond to any of the multiple retries,
53	# then FreeRADIUS will stop sending it proxy requests, and mark it 'dead'.
54	#
55	# If there are multiple entries configured for this realm, then the
56	# server will fail-over to the next one listed. If no more are listed,
57	# then no requests will be proxied to that realm.
58	#
59	#
60	# After a configurable 'dead_time', in seconds, FreeRADIUS will
61	# speculatively mark the home server active, and start sending requests
62	# to it again.
63	#
64	# If this dead time is set too low, then you will lose requests,
65	# as FreeRADIUS will quickly switch back to the home server, even if
66	# it isn't up again.
67	#
68	# If this dead time is set too high, then FreeRADIUS may take too long
69	# to switch back to the primary home server.
70	#
71	# Realistic values for this number are in the range of minutes to hours.
72	# (60 to 3600)
73	#
74	dead_time = 120
75
76	# An ldflag attribute for all realms to be included in a round-robin
77	# setup must be specified, and that ldflag must be the same for all
78	# realms of the same name.
79	# Currently (0 or fail_over) and (1 or round_robin) are the
80	# supported values for ldflag. Fail over is the default setup.
81	#
82	# DO NOT INCLUDE LOCAL AUTH/ACCT HOST REALMS IN A ROUND-ROBIN QUEUE.
83
84
85	#
86	# If all exact matching realms did not respond, we can try the
87	# DEFAULT realm, too. This is what the server normally does.
88	#
89	# This behaviour may be undesired for some cases. e.g. You are proxying
90	# for two different ISP's, and then act as a general dial-up for Gric.
91	# If one of the first two ISP's has their RADIUS server go down, you do
92	# NOT want to proxy those requests to GRIC. Instead, you probably want
93	# to just drop the requests on the floor. In that case, set this value
94	# to 'no'.
95	#
96	# allowed values: {yes, no}
97	#
98	default_fallback = yes
99
100	#
101	# Older versions of the server would pass proxy requests through the
102	# 'authorize' sections twice; once when the packet was received
103	# from the NAS, and again after the reply was received from the home
104	# server. Now that we have a 'post_proxy' section, the replies from
105	# the home server should be sent through that, instead of through
106	# the 'authorize' section again.
107	#
108	# However, for backwards compatibility, this behaviour is configurable.
109	# The default configuration is 'no', because this option is deprecated
110	# and will be removed in the future.
111	#
112	# allowed values: {yes, no}
113	#
114	post_proxy_authorize = no
115
116	}
117
118	#######################################################################
119	#
120	# Configuration for the proxy realms.
121	#
122	# The information given here is used in conjunction with the 'realms'
123	# file. This format is preferred, as it is more flexible. The realms
124	# listed here take priority over those listed in the 'realms' file.
125
126	# A standard realm entry. A request from "user@company.com" will be
127	# sent to radius.company.com as "user", unless the 'nostrip'
128	# configuration item is specified. If the 'nostrip' configuration
129	# item is specified, then the request will be proxied as
130	# "user@company.com"
131	#
132	#realm company.com {
133	# type = radius
134	# authhost = radius.company.com:1600
135	# accthost = radius.company.com:1601
136	# secret = testing123
137	#}
138
139	# A realm entry with an optional fail-over realm. A request from
140	# "user@isp2.com" will be sent to radius.isp2.com as "user@isp2.com",
141	# because the 'nostrip' directive is specified for this realm.
142	#
143	#realm isp2.com {
144	# type = radius
145	# authhost = radius.isp2.com:1645
146	# accthost = radius.isp2.com:1646
147	# secret = TheirKey
148	# nostrip
149	#}
150	#
151	# The fail-over realm for isp2.com
152	#
153	#realm isp2.com {
154	# type = radius
155	# authhost = radius2.isp2.com:1645
156	# accthost = radius2.isp2.com:1646
157	# secret = TheirKey2
158	# nostrip
159	#}
160
161	#
162	# 1st node serv.com...set up for round-robin.
163	#
164	# The load balancing 'ldflag' attribute can be used to perform
165	# load balancing. Allowed values are 'fail_over' and 'round_robin'.
166	#
167	# If there is no ldflag attribute, or it is set to 'fail_over', then
168	# the realms are treated as "fail-over". That is, the first matching
169	# realm is used, unless it is down, in which case the realm "fails
170	# over" to the second matching realm. The process continues until an
171	# active matching realm is found, OR the DEFAULT realm is returned.
172	#
173	# If the ldflag attribute is set to 'round_robin', then all active
174	# realms of the same name are put into a pool internally in the
175	# server, and the proxied requests are evenly divided among the
176	# realms in the pool. For this to work, all realms of the same name
177	# MUST have the same value of their 'ldflag' attributes. Mixing up
178	# different types of load balancing schemes for the same realm will
179	# cause problems.
180	#
181	# The round_robin load balancing method is a probabilistic method
182	# which evenly scatters the requests among the home servers.
183	#
184	# Note that you CANNOT include local auth/acct host realms in a
185	# round-robin queue. Having a server load balance requests to itself
186	# doesn't make any sense, as it only doubles the amount of work
187	# which is needed to be done.
188	#
189	#realm serv.com {
190	# type = radius
191	# authhost = radius.serv.com:1645
192	# accthost = radius.serv.com:1646
193	# secret = TheirKey
194	# ldflag = round_robin
195	# nostrip
196	#}
197
198	#
199	# Another node for serv.com
200	#
201	#realm serv.com {
202	# type = radius
203	# authhost = radius2.serv.com:1645
204	# accthost = radius2.serv.com:1646
205	# secret = TheirKey2
206	# ldflag = round_robin
207	# nostrip
208	#}
209
210	#
211	# A third round-robin node realm for serv.com
212	#
213	#realm serv.com {
214	# type = radius
215	# authhost = radius3.serv.com:1645
216	# accthost = radius3.serv.com:1646
217	# secret = TheirKey2
218	# ldflag = round_robin
219	# nostrip
220	#}
221	#
222	#
223
224	#
225	# This is a local realm. The requests are NOT proxied,
226	# but instead are authenticated by the RADIUS server itself.
227	#
228	# You don't need a secret if BOTH 'authhost' and 'accthost' are
229	# set to LOCAL.
230	#
231	#realm bla.com {
232	# type = radius
233	# authhost = LOCAL
234	# accthost = LOCAL
235	#}
236
237	#
238	# This is a sample entry for iPass.
239	#
240	#realm IPASS {
241	# type = radius
242	# authhost = ipass.server.hostname:11812
243	# accthost = ipass.server.hostname:11813
244	#
245	# The shared secret here must be the same
246	# value as the secret of the NetServer found in the
247	# /usr/ipass/raddb/clients file of your NetServer software.
248	# secret = mysecret
249	# nostrip
250	#}
251
252	#
253	# This realm is used mainly to cancel proxying. You can have
254	# the "realm suffix" module configured to proxy all requests for
255	# a realm, and then later cancel the proxying, based on other
256	# configuration.
257	#
258	# For example, you want to terminate PEAP or EAP-TTLS locally,
259	# you can add the following to the "users" file:
260	#
261	# DEFAULT EAP-Type == PEAP, Proxy-To-Realm := LOCAL
262	#
263	realm LOCAL {
264	type = radius
265	authhost = LOCAL
266	accthost = LOCAL
267	}
268
269	#
270	# This realm is for requests which don't have an explicit realm
271	# prefix or suffix. User names like "bob" will match this one.
272	#
273	#realm NULL {
274	# type = radius
275	# authhost = radius.company.com:1600
276	# accthost = radius.company.com:1601
277	# secret = testing123
278	#}
279
280	#
281	# This realm is for ALL OTHER requests.
282	#
283	#realm DEFAULT {
284	# type = radius
285	# authhost = radius.company.com:1600
286	# accthost = radius.company.com:1601
287	# secret = testing123
288	#}

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format