## ------------------------------------------------------------------------------- ## configuration parameters ## ------------------------------------------------------------------------------- userver { ## ---------------------------------------------------------------------------------------------------------------------------------------- ## userver - configuration parameters ## ---------------------------------------------------------------------------------------------------------------------------------------- ## ENABLE_IPV6 flag to indicate use of ipv6 ## SERVER host name or ip address for the listening socket ## PORT port number for the listening socket ## SOCKET_NAME file name for the listening socket ## IP_ADDRESS public ip address of host for the interface connected to the Internet (autodetected if not specified) ## ALLOWED_IP client address IP-based access control (IPADDR[/MASK]) ## ## LISTEN_BACKLOG max number of ready to be delivered connections to accept() ## USE_TCP_OPTIMIZATION flag indicating the use of TCP/IP options to optimize data transmission (NODELAY/CORK, DEFER_ACCEPT, QUICKACK) ## SET_REALTIME_PRIORITY flag indicating that the preforked processes will be scheduled under the real-time policies SCHED_FIFO ## MIN_SIZE_FOR_SENDFILE for major size it is better to use sendfile() to serve static content ## ## PID_FILE write pid on file indicated ## WELCOME_MSG message of welcome to send initially to client ## RUN_AS_USER change the current working directory to the user home dir, and downgrade security to that user account ## DOCUMENT_ROOT The directory out of which you will serve your documents ## ## LOG_FILE locations for file log ## LOG_FILE_SZ memory size for file log ## LOG_MSG_SIZE limit length of print network message to LOG_MSG_SIZE chars (default 128) (-1 => only HTTP header) ## ## PLUGIN list of plugins to load, a flexible way to add specific functionality to the server ## PLUGIN_DIR directory of plugins to load ## ## REQ_TIMEOUT timeout for request from client ## MAX_KEEP_ALIVE Specifies the maximum number of requests that can be served through a Keep-Alive (Persistent) session. ## (Value <= 1 will disable Keep-Alive) ## ## CERT_FILE certificate of server ## KEY_FILE private key of server ## PASSWORD password for private key of server ## CA_FILE locations of trusted CA certificates used in the verification ## CA_PATH locations of trusted CA certificates used in the verification ## ## VERIFY_MODE mode of verification (SSL_VERIFY_NONE=0, SSL_VERIFY_PEER=1, SSL_VERIFY_FAIL_IF_NO_PEER_CERT=2, SSL_VERIFY_CLIENT_ONCE=4) ## ---------------------------------------------------------------------------------------------------------------------------------------- ## how to verify peer certificates. The possible values of this setting are: ## ## SSL_VERIFY_NONE - do not verify anything ## SSL_VERIFY_PEER - verify the peer certificate, if one is presented ## SSL_VERIFY_FAIL_IF_NO_PEER_CERT - require a peer certificate, fail if one is not presented ## ## SSL/TLS servers will usually set VERIFY_MODE to SSL_VERIFY_NONE. ## SSL/TLS clients will usually set VERIFY_MODE to SSL_VERIFY_FAIL_IF_NO_PEER_CERT. ## ---------------------------------------------------------------------------------------------------------------------------------------- ## ## PREFORK_CHILD number of child server processes created at startup ( 0 - serialize, no forking ## 1 - classic, forking after accept client) ## >1 - pool of process serialize plus monitoring process) ## ---------------------------------------------------------------------------------------------------------------------------------------- ## ENABLE_IPV6 no ## SERVER 10.30.1.131 ## PORT 5280 ## IP_ADDRESS 10.30.1.131 ## ALLOWED_IP 10.30.1.131,10.30.0.0/16 ## LISTEN_BACKLOG 1024 USE_TCP_OPTIMIZATION yes ## SET_REALTIME_PRIORITY yes DOCUMENT_ROOT /usr/lib/nodog ## RUN_AS_USER nobody PID_FILE /tmp/nodog.pid ## LOG_FILE syslog LOG_FILE /tmp/nodog.log LOG_FILE_SZ 1M LOG_MSG_SIZE -1 PLUGIN "proxy nocat http" PLUGIN_DIR /usr/lib/ulib ## ------------------------------------------------------------------------------------------------------------------------------------------ ## Max Keep-Alive Requests ## ------------------------------------------------------------------------------------------------------------------------------------------ ## Description: Specifies the maximum number of requests that can be served through a Keep-Alive (Persistent) session. ## Connection will be closed once this limit is reached. ## Syntax: Integer number ## Tips: [Performance] Set it to a resonable high value (256). Value <= 1 will disable Keep-Alive. ## ------------------------------------------------------------------------------------------------------------------------------------------ ## MAX_KEEP_ALIVE 256 ## ------------------------------------------------------------------------------------------------------------------------------------------ ## Keep-Alive Timeout ## ------------------------------------------------------------------------------------------------------------------------------------------ ## Description: Specifies the maximum idle time between requests from a Keep-Alive connection. If no new request is received during ## this period of time, the connection will be closed. ## Syntax: Integer number ## Tips: [Security & Performance] We recommend you to set the value just long enough to handle all requests for a single page view. ## It is unnecessary to keep connection alive for an extended period of time. A smaller value can reduce idle connections, increase ## capacity to service more users and guard against DoS attacks. 2-5 seconds is a reasonable range for most applications. ## ------------------------------------------------------------------------------------------------------------------------------------------ REQ_TIMEOUT 5 ## CERT_FILE ../ulib/CA/server.crt ## KEY_FILE ../ulib/CA/server.key ## PASSWORD stefano ## CA_PATH ../ulib/CA/CApath ## CA_FILE ../ulib/CA/cacert.pem ## VERIFY_MODE 1 ## VERIFY_MODE 7 ## ----------------------------------------------------------------------- ## NB: MUST BE IN THIS WAY... (otherwise cannot share hash table of peers) ## ----------------------------------------------------------------------- PREFORK_CHILD 0 ## ----------------------------------------------------------------------- } # --------------------------------------------------------------------------------------------------------------------------------- # proxy - plugin parameters # --------------------------------------------------------------------------------------------------------------------------------- # ERROR MESSAGE Allows you to tell clients about what type of error occurred # # URI uri trigger # HOST name host client # METHOD_NAME what type of HTTP method is considered (GET|HEAD|POST) # CLIENT_CERTIFICATE yes if client must comunicate a certificate in the SSL connection # REMOTE_ADDRESS_IP list of comma separated client address for IP-based control (IPADDR[/MASK]) for routing-like policy # # COMMAND command to execute # ENVIRONMENT environment for command to execute # RESPONSE_TYPE output type of the command (yes = response for client, no = request to server) # # PORT port of server for connection # SERVER name of server for connection # # FOLLOW_REDIRECTS yes if manage to automatically follow redirects from server # USER if manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: user # PASSWORD if manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: password # REPLACE_RESPONSE if NOT manage to follow redirects, vector of substitution string # --------------------------------------------------------------------------------------------------------------------------------- proxy { Service_GOOGLE1 { METHOD_NAME GET HOST ajax.googleapis.com SERVER ajax.googleapis.com } Service_GOOGLE2 { METHOD_NAME GET HOST maps.googleapis.com SERVER maps.googleapis.com } Service_GOOGLE3 { METHOD_NAME GET HOST fonts.googleapis.com SERVER fonts.googleapis.com } Service_GOOGLE4 { METHOD_NAME GET HOST google-maps-utility-library-v3.googlecode.com SERVER google-maps-utility-library-v3.googlecode.com } } ## ----------------------------------------------------------------------------------------------------------------------- ## nocat - plugin parameters ## ----------------------------------------------------------------------------------------------------------------------- ## FW_ENV environment for shell script to execute ## FW_CMD shell script to manage the firewall ## DECRYPT_KEY DES3 password stuff ## ALLOWED_MEMBERS file with list of allowed MAC/IP pairs or NETWORKS (default: /etc/nodog.allowed) ## LOCAL_NETWORK_LABEL access point localization tag to be used from portal ## LOGIN_TIMEOUT Number of seconds after a client last login/renewal to terminate their connection ## CHECK_TYPE mode of verification ( U_CHECK_ARP_CACHE=1, U_CHECK_ARP_PING=2, U_CHECK_MAC=4, U_CHECK_FIREWALL=8) ## CHECK_EXPIRE_INTERVAL Number of seconds to check if some client has terminate their connection ## NUM_PEERS_PREALLOCATE Size of memory block to preallocate for table of users ## ----------------------------------------------------------------------------------------------------------------------- nocat { # shell script to manage the firewall FW_ENV "ExternalDevice=eth0 \ InternalDevice=eth1 \ LocalNetwork=192.168.253.0/24 \ #GatewayPort=80 \ #AuthServiceAddr=http://172.16.1.254 \ AuthServiceAddr=http://wifi-aaa.comune.fi.it \ www.unifi.it=150.217.6.125 \ www.055055.it=195.110.124.133 \ telematica_regione_toscana=159.213.0.0/16 \ 'AllowedWebHosts=$www_unifi_it $www_055055_it $telematica_regione_toscana'" FW_CMD firewall/nodog.fw # DES3 password stuff DECRYPT_KEY PASSWORD LOCAL_NETWORK_LABEL "radio1 radio2" # Number of seconds after a client last login/renewal to terminate their connection # Probably do not want to set this to less than 60 or a lot of bandwidth is likely to get consumed by the client renewal attempts # LOGIN_TIMEOUT 86400 # one notification per day CHECK_TYPE 4 # Number of seconds to check if some client has terminate their connection CHECK_EXPIRE_INTERVAL 360 } ## ------------------------------------------------------------------------------------------------------------------------------------------------ ## http - plugin parameters ## ------------------------------------------------------------------------------------------------------------------------------------------------ ## ALIAS vector of URI redirection (request -> alias) ## REWRITE_RULE_NF vector of URI rewrite rule applied after checks that files do not exist (regex1 -> uri1 ...) ## ## MAINTENANCE_MODE to switch the site to a maintenance page only ## ## APACHE_LIKE_LOG file to write NCSA extended/combined log format: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" ## ## ENABLE_INOTIFY enable automatic update of cached document root image with inotify ## CACHE_FILE_MASK mask (DOS regexp) of pathfile that be cached in memory ## ## VIRTUAL_HOST flag to activate practice of maintaining more than one server on one machine, ## as differentiated by their apparent hostname ## DIGEST_AUTHENTICATION flag authentication method (yes = digest, no = basic) ## ## ENABLE_CACHING_BY_PROXY_SERVERS enable caching by proxy servers (add Cache control: public directive) ## ## URI_PROTECTED_MASK mask (DOS regexp) of URI protected from prying eyes ## URI_PROTECTED_ALLOWED_IP list of comma separated client address for IP-based access control (IPADDR[/MASK]) for URI_PROTECTED_MASK ## ## URI_REQUEST_CERT_MASK mask (DOS regexp) of URI where client must comunicate a certificate in the SSL connection ## URI_REQUEST_STRICT_TRANSPORT_SECURITY_MASK mask (DOS regexp) of URI where use HTTP Strict Transport Security to force client to use only SSL ## ## ## SESSION_COOKIE_OPTION eventual params for session cookie (lifetime, path, domain, secure, HttpOnly) ## ------------------------------------------------------------------------------------------------------------------------------------------ ## This directive gives greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks ## ------------------------------------------------------------------------------------------------------------------------------------------ ## LIMIT_REQUEST_BODY restricts the total size of the HTTP request body sent from the client ## REQUEST_READ_TIMEOUT set timeout for receiving requests ## ------------------------------------------------------------------------------------------------------------------------------------------------ http { ## Allows you to tell clients about documents that used to exist in your server's namespace, but do not anymore. ## The client will make a request for the document at its new location ALIAS "[ \ / /test \ /printenv /cgi-bin/printenv.sh \ ]" ## VIRTUAL_HOST yes ## ENABLE_INOTIFY yes DIGEST_AUTHENTICATION yes URI_PROTECTED_MASK /cgi-bin/* ## URI_PROTECTED_ALLOWED_IP 10.30.1.131,10.30.0.0/16 # This directive gives greater control over abnormal client request behavior, # which may be useful for avoiding some forms of denial-of-service attacks LIMIT_REQUEST_BODY 10K REQUEST_READ_TIMEOUT 5 }