# ----------------------------------------------------------------------------------------------------------------------------------------
# userver - configuration parameters
# ----------------------------------------------------------------------------------------------------------------------------------------
# ENABLE_IPV6        flag to indicate use of ipv6
# SERVER             host name or ip address for the listening socket
# PORT               port number             for the listening socket
# SOCKET_NAME        file name               for the listening socket
# IP_ADDRESS         public ip address of host for the interface connected to the Internet (autodetected if not specified)
# ALLOWED_IP         list of comma separated client         address for IP-based access control (IPADDR[/MASK])
#
# ENABLE_RFC1918_FILTER reject request from private IP to public server address
# ALLOWED_IP_PRIVATE    list of comma separated client private address for IP-based access control (IPADDR[/MASK]) for public server
#
# LISTEN_BACKLOG        max number of ready to be delivered connections to accept()
# USE_TCP_OPTIMIZATION  flag indicating the use of TCP/IP options to optimize data transmission (NODELAY, DEFER_ACCEPT, QUICKACK)
# SET_REALTIME_PRIORITY flag indicating that the preforked processes will be scheduled under the real-time policies SCHED_FIFO
#
# PID_FILE      write pid on file indicated
# WELCOME_MSG   message of welcome to send initially to client
# RUN_AS_USER   downgrade security to that user account
# DOCUMENT_ROOT The directory out of which you will serve your documents
#
# LOG_FILE      locations for file log
# LOG_FILE_SZ   memory size for file log
# LOG_MSG_SIZE  limit length of print network message to LOG_MSG_SIZE chars (default 128)
#
# PLUGIN        list of plugins to load, a flexible way to add specific functionality to the server
# PLUGIN_DIR    directory of plugins to load
#
# REQ_TIMEOUT    timeout for request from client
# MAX_KEEP_ALIVE Specifies the maximum number of requests that can be served through a Keep-Alive (Persistent) session.
#                (Value <= 1 will disable Keep-Alive)
#
# DH_FILE       DH param
# CERT_FILE     certificate of server
# KEY_FILE      private key of server
# PASSWORD      password for private key of server
# CA_FILE       locations of trusted CA certificates used in the verification
# CA_PATH       locations of trusted CA certificates used in the verification
#
# VERIFY_MODE   mode of verification (SSL_VERIFY_NONE=0, SSL_VERIFY_PEER=1, SSL_VERIFY_FAIL_IF_NO_PEER_CERT=2, SSL_VERIFY_CLIENT_ONCE=4)
# ----------------------------------------------------------------------------------------------------------------------------------------
# how to verify peer certificates. The possible values of this setting are:
#
# SSL_VERIFY_NONE                 - do not verify anything
# SSL_VERIFY_PEER                 - verify the peer certificate, if one is presented
# SSL_VERIFY_FAIL_IF_NO_PEER_CERT - require a peer certificate, fail if one is not presented
#
# SSL/TLS servers will usually set VERIFY_MODE to SSL_VERIFY_NONE.
# SSL/TLS clients will usually set VERIFY_MODE to SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
# ----------------------------------------------------------------------------------------------------------------------------------------
#
# PREFORK_CHILD number of child server processes created at startup ( 0 - serialize, no forking
#                                                                     1 - classic, forking after accept client)
#                                                                    >1 - pool of process serialize plus monitoring process)
# ----------------------------------------------------------------------------------------------------------------------------------------

userver {

  PID_FILE       /var/run/userver-firenze_tcp.pid
  RUN_AS_USER    unirel
  DOCUMENT_ROOT  ~/wi-auth/www

  LOG_FILE       /var/log/userver-firenze_tcp.log
# LOG_FILE_SZ    1M
  LOG_MSG_SIZE   -1

  PLUGIN "proxy ssi http"

  REQ_TIMEOUT 5

  PREFORK_CHILD  6
}

# ------------------------------------------------------------------------------------------------------------------------------------------
# http - plugin parameters
# ------------------------------------------------------------------------------------------------------------------------------------------
# ALIAS                      vector of URI redirection (request -> alias)
# REWRITE_RULE_NF            vector of URI rewrite rule applied after checks that files do not exist (regex1 -> uri1 ...)
#
# MAINTENANCE_MODE           to switch the site to a maintenance page only
#
# APACHE_LIKE_LOG            file to write NCSA extended/combined log format: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
#
# ENABLE_INOTIFY             enable automatic update of document root image with inotify
# CACHE_FILE_MASK            mask (DOS regexp) of pathfile that be cached in memory
#
# MIN_SIZE_FOR_SENDFILE      for major size it is better to use sendfile() to serve static content
#
# VIRTUAL_HOST               flag to activate practice of maintaining more than one server on one machine,
#                            as differentiated by their apparent hostname 
# DIGEST_AUTHENTICATION      flag authentication method (yes = digest, no = basic)
#
# ENABLE_CACHING_BY_PROXY_SERVERS enable caching by proxy servers (add Cache control: public directive)
#
# URI_PROTECTED_MASK         mask (DOS regexp) of URI protected from prying eyes
# URI_PROTECTED_ALLOWED_IP   list of comma separated client address for IP-based access control (IPADDR[/MASK]) for URI_PROTECTED_MASK
#
# URI_REQUEST_CERT_MASK                      mask (DOS regexp) of URI where client must comunicate a certificate in the SSL connection
# URI_REQUEST_STRICT_TRANSPORT_SECURITY_MASK mask (DOS regexp) of URI where use HTTP Strict Transport Security to force client to use only SSL
#
# SESSION_COOKIE_OPTION      eventual params for session cookie (lifetime, path, domain, secure, HttpOnly)  
# ------------------------------------------------------------------------------------------------------------------------------------------
# This directive gives greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks
# ------------------------------------------------------------------------------------------------------------------------------------------
# LIMIT_REQUEST_BODY         restricts the total size of the HTTP request body sent from the client
# REQUEST_READ_TIMEOUT       set timeout for receiving requests
# ------------------------------------------------------------------------------------------------------------------------------------------

http {

  ALIAS [
        /favicon.ico|/images/logo_fiwifi.png|/css/livevalidation.css|/js/livevalidation_standalone.compressed.js /nostat
  ]

  APACHE_LIKE_LOG /var/log/httpd/access_log 

# MAINTENANCE_MODE /ErrorDocument/down.html

  CACHE_FILE_STORE webif.gz

  CACHE_FILE_MASK "images/logo_fiwifi.png| \
                  10.30.1.111/index.shtml| \
                  10.30.1.111/css/layoutv1.css| \
        wifi-aaa.comune.fi.it/js/*.js| \
        wifi-aaa.comune.fi.it/css/*.css| \
        wifi-aaa.comune.fi.it/index.shtml| \
        wifi-aaa.comune.fi.it/images/*.png"

  URI_PROTECTED_MASK /edit_ap
  URI_REQUEST_STRICT_TRANSPORT_SECURITY_MASK /admin*

  VIRTUAL_HOST         yes
  LIMIT_REQUEST_BODY   1M
  REQUEST_READ_TIMEOUT 30 
}

# -----------------------------------------------------------------------------------------------------
# ssi - plugin parameters
# -----------------------------------------------------------------------------------------------------
# ENVIRONMENT              path of file configuration environment for SSI
#
# SSI_AUTOMATIC_ALIASING   special SSI HTML file that is recognized automatically as alias of all
#                          uri request without suffix (generally cause navigation directory not working)
# -----------------------------------------------------------------------------------------------------

ssi {

  ENVIRONMENT ~/wi-auth/etc/environment.conf

  SSI_AUTOMATIC_ALIASING /index.shtml
}

# ---------------------------------------------------------------------------------------------------------------------------------
# proxy - plugin parameters
# ---------------------------------------------------------------------------------------------------------------------------------
# ERROR MESSAGE      Allows you to tell clients about what type of error occurred
#
# URI                uri trigger
# HOST               name host client
# METHOD_NAME        what type of HTTP method is considered (GET|HEAD|POST)
# CLIENT_CERTIFICATE yes if client must comunicate a certificate in the SSL connection
# REMOTE_ADDRESS_IP  list of comma separated client address for IP-based control (IPADDR[/MASK]) for routing-like policy
#
# COMMAND            command to execute
# ENVIRONMENT        environment for command to execute
# RESPONSE_TYPE      output type of the command (yes = response for client, no = request to server)
#
# PORT               port of server for connection
# SERVER             name of server for connection
#
# FOLLOW_REDIRECTS   yes if     manage to automatically follow redirects from server
# USER                   if     manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: user
# PASSWORD               if     manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: password
# REPLACE_RESPONSE       if NOT manage to follow redirects, vector of substitution string
# ---------------------------------------------------------------------------------------------------------------------------------

proxy {

   Service_WEBIF {

   METHOD_NAME GET
   URI         ^/cgi-bin/webif/(info|graph*|status|data).*.sh$
   SERVER      ~/wi-auth/client
   }
}