mirror/ULib
1
0
Fork 0
mirror of https://github.com/stefanocasazza/ULib.git synced 2025-09-28 19:05:55 +08:00
Code Issues Releases Wiki Activity
ab56ae55a7
ULib/tests/examples/nocat/etc/nodog.conf.plain
stefanocasazza bcdc99a8ac some fix + xxhash
2016-06-08 16:10:01 +02:00

279 lines
14 KiB
Plaintext
Raw Blame History

## -------------------------------------------------------------------------------
## configuration parameters
## -------------------------------------------------------------------------------
userver {
## ----------------------------------------------------------------------------------------------------------------------------------------
## userver - configuration parameters
## ----------------------------------------------------------------------------------------------------------------------------------------
## ENABLE_IPV6 flag to indicate use of ipv6
## SERVER host name or ip address for the listening socket
## PORT port number for the listening socket
## SOCKET_NAME file name for the listening socket
## IP_ADDRESS public ip address of host for the interface connected to the Internet (autodetected if not specified)
## ALLOWED_IP client address IP-based access control (IPADDR[/MASK])
##
## LISTEN_BACKLOG max number of ready to be delivered connections to accept()
## USE_TCP_OPTIMIZATION flag indicating the use of TCP/IP options to optimize data transmission (NODELAY/CORK, DEFER_ACCEPT, QUICKACK)
## SET_REALTIME_PRIORITY flag indicating that the preforked processes will be scheduled under the real-time policies SCHED_FIFO
## MIN_SIZE_FOR_SENDFILE for major size it is better to use sendfile() to serve static content
##
## PID_FILE write pid on file indicated
## WELCOME_MSG message of welcome to send initially to client
## RUN_AS_USER change the current working directory to the user home dir, and downgrade security to that user account
## DOCUMENT_ROOT The directory out of which you will serve your documents
##
## LOG_FILE locations for file log
## LOG_FILE_SZ memory size for file log
## LOG_MSG_SIZE limit length of print network message to LOG_MSG_SIZE chars (default 128) (-1 => only HTTP header)
##
## PLUGIN list of plugins to load, a flexible way to add specific functionality to the server
## PLUGIN_DIR directory of plugins to load
##
## REQ_TIMEOUT timeout for request from client
## MAX_KEEP_ALIVE Specifies the maximum number of requests that can be served through a Keep-Alive (Persistent) session.
## (Value <= 1 will disable Keep-Alive)
##
## CERT_FILE certificate of server
## KEY_FILE private key of server
## PASSWORD password for private key of server
## CA_FILE locations of trusted CA certificates used in the verification
## CA_PATH locations of trusted CA certificates used in the verification
##
## VERIFY_MODE mode of verification (SSL_VERIFY_NONE=0, SSL_VERIFY_PEER=1, SSL_VERIFY_FAIL_IF_NO_PEER_CERT=2, SSL_VERIFY_CLIENT_ONCE=4)
## ----------------------------------------------------------------------------------------------------------------------------------------
## how to verify peer certificates. The possible values of this setting are:
##
## SSL_VERIFY_NONE - do not verify anything
## SSL_VERIFY_PEER - verify the peer certificate, if one is presented
## SSL_VERIFY_FAIL_IF_NO_PEER_CERT - require a peer certificate, fail if one is not presented
##
## SSL/TLS servers will usually set VERIFY_MODE to SSL_VERIFY_NONE.
## SSL/TLS clients will usually set VERIFY_MODE to SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
## ----------------------------------------------------------------------------------------------------------------------------------------
##
## PREFORK_CHILD number of child server processes created at startup ( 0 - serialize, no forking
## 1 - classic, forking after accept client)
## >1 - pool of process serialize plus monitoring process)
## ----------------------------------------------------------------------------------------------------------------------------------------
## ENABLE_IPV6 no
## SERVER 10.30.1.131
## PORT 5280
## IP_ADDRESS 10.30.1.131
## ALLOWED_IP 10.30.1.131,10.30.0.0/16
## LISTEN_BACKLOG 1024
USE_TCP_OPTIMIZATION yes
## SET_REALTIME_PRIORITY yes
DOCUMENT_ROOT /usr/lib/nodog
## RUN_AS_USER nobody
PID_FILE /tmp/nodog.pid
## LOG_FILE syslog
LOG_FILE /tmp/nodog.log
LOG_FILE_SZ 1M
LOG_MSG_SIZE -1
PLUGIN "proxy nocat http"
PLUGIN_DIR /usr/lib/ulib
## ------------------------------------------------------------------------------------------------------------------------------------------
## Max Keep-Alive Requests
## ------------------------------------------------------------------------------------------------------------------------------------------
## Description: Specifies the maximum number of requests that can be served through a Keep-Alive (Persistent) session.
## Connection will be closed once this limit is reached.
## Syntax: Integer number
## Tips: [Performance] Set it to a resonable high value (256). Value <= 1 will disable Keep-Alive.
## ------------------------------------------------------------------------------------------------------------------------------------------
## MAX_KEEP_ALIVE 256
## ------------------------------------------------------------------------------------------------------------------------------------------
## Keep-Alive Timeout
## ------------------------------------------------------------------------------------------------------------------------------------------
## Description: Specifies the maximum idle time between requests from a Keep-Alive connection. If no new request is received during
## this period of time, the connection will be closed.
## Syntax: Integer number
## Tips: [Security & Performance] We recommend you to set the value just long enough to handle all requests for a single page view.
## It is unnecessary to keep connection alive for an extended period of time. A smaller value can reduce idle connections, increase
## capacity to service more users and guard against DoS attacks. 2-5 seconds is a reasonable range for most applications.
## ------------------------------------------------------------------------------------------------------------------------------------------
REQ_TIMEOUT 5
## CERT_FILE ../ulib/CA/server.crt
## KEY_FILE ../ulib/CA/server.key
## PASSWORD stefano
## CA_PATH ../ulib/CA/CApath
## CA_FILE ../ulib/CA/cacert.pem
## VERIFY_MODE 1
## VERIFY_MODE 7
## -----------------------------------------------------------------------
## NB: MUST BE IN THIS WAY... (otherwise cannot share hash table of peers)
## -----------------------------------------------------------------------
PREFORK_CHILD 0
## -----------------------------------------------------------------------
}
# ---------------------------------------------------------------------------------------------------------------------------------
# proxy - plugin parameters
# ---------------------------------------------------------------------------------------------------------------------------------
# ERROR MESSAGE Allows you to tell clients about what type of error occurred
#
# URI uri trigger
# HOST name host client
# METHOD_NAME what type of HTTP method is considered (GET|HEAD|POST)
# CLIENT_CERTIFICATE yes if client must comunicate a certificate in the SSL connection
# REMOTE_ADDRESS_IP list of comma separated client address for IP-based control (IPADDR[/MASK]) for routing-like policy
#
# COMMAND command to execute
# ENVIRONMENT environment for command to execute
# RESPONSE_TYPE output type of the command (yes = response for client, no = request to server)
#
# PORT port of server for connection
# SERVER name of server for connection
#
# FOLLOW_REDIRECTS yes if manage to automatically follow redirects from server
# USER if manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: user
# PASSWORD if manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: password
# REPLACE_RESPONSE if NOT manage to follow redirects, vector of substitution string
# ---------------------------------------------------------------------------------------------------------------------------------
proxy {
Service_GOOGLE1 {
METHOD_NAME GET
HOST ajax.googleapis.com
SERVER ajax.googleapis.com
}
Service_GOOGLE2 {
METHOD_NAME GET
HOST maps.googleapis.com
SERVER maps.googleapis.com
}
Service_GOOGLE3 {
METHOD_NAME GET
HOST fonts.googleapis.com
SERVER fonts.googleapis.com
}
Service_GOOGLE4 {
METHOD_NAME GET
HOST google-maps-utility-library-v3.googlecode.com
SERVER google-maps-utility-library-v3.googlecode.com
}
}
## -----------------------------------------------------------------------------------------------------------------------
## nocat - plugin parameters
## -----------------------------------------------------------------------------------------------------------------------
## FW_ENV environment for shell script to execute
## FW_CMD shell script to manage the firewall
## DECRYPT_KEY DES3 password stuff
## ALLOWED_MEMBERS file with list of allowed MAC/IP pairs or NETWORKS (default: /etc/nodog.allowed)
## LOCAL_NETWORK_LABEL access point localization tag to be used from portal
## LOGIN_TIMEOUT Number of seconds after a client last login/renewal to terminate their connection
## CHECK_TYPE mode of verification ( U_CHECK_ARP_CACHE=1, U_CHECK_ARP_PING=2, U_CHECK_MAC=4, U_CHECK_FIREWALL=8)
## CHECK_EXPIRE_INTERVAL Number of seconds to check if some client has terminate their connection
## NUM_PEERS_PREALLOCATE Size of memory block to preallocate for table of users
## -----------------------------------------------------------------------------------------------------------------------
nocat {
# shell script to manage the firewall
FW_ENV "ExternalDevice=eth0 \
InternalDevice=eth1 \
LocalNetwork=192.168.253.0/24 \
#GatewayPort=80 \
#AuthServiceAddr=http://172.16.1.254 \
AuthServiceAddr=http://wifi-aaa.comune.fi.it \
www.unifi.it=150.217.6.125 \
www.055055.it=195.110.124.133 \
telematica_regione_toscana=159.213.0.0/16 \
'AllowedWebHosts=$www_unifi_it $www_055055_it $telematica_regione_toscana'"
FW_CMD firewall/nodog.fw
# DES3 password stuff
DECRYPT_KEY PASSWORD
LOCAL_NETWORK_LABEL "radio1 radio2"
# Number of seconds after a client last login/renewal to terminate their connection
# Probably do not want to set this to less than 60 or a lot of bandwidth is likely to get consumed by the client renewal attempts
# LOGIN_TIMEOUT 86400 # one notification per day
CHECK_TYPE 4
# Number of seconds to check if some client has terminate their connection
CHECK_EXPIRE_INTERVAL 360
}
## ------------------------------------------------------------------------------------------------------------------------------------------------
## http - plugin parameters
## ------------------------------------------------------------------------------------------------------------------------------------------------
## ALIAS vector of URI redirection (request -> alias)
## REWRITE_RULE_NF vector of URI rewrite rule applied after checks that files do not exist (regex1 -> uri1 ...)
##
## MAINTENANCE_MODE to switch the site to a maintenance page only
##
## APACHE_LIKE_LOG file to write NCSA extended/combined log format: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
##
## ENABLE_INOTIFY enable automatic update of cached document root image with inotify
## CACHE_FILE_MASK mask (DOS regexp) of pathfile that be cached in memory
##
## VIRTUAL_HOST flag to activate practice of maintaining more than one server on one machine,
## as differentiated by their apparent hostname
## DIGEST_AUTHENTICATION flag authentication method (yes = digest, no = basic)
##
## ENABLE_CACHING_BY_PROXY_SERVERS enable caching by proxy servers (add Cache control: public directive)
##
## URI_PROTECTED_MASK mask (DOS regexp) of URI protected from prying eyes
## URI_PROTECTED_ALLOWED_IP list of comma separated client address for IP-based access control (IPADDR[/MASK]) for URI_PROTECTED_MASK
##
## URI_REQUEST_CERT_MASK mask (DOS regexp) of URI where client must comunicate a certificate in the SSL connection
## URI_REQUEST_STRICT_TRANSPORT_SECURITY_MASK mask (DOS regexp) of URI where use HTTP Strict Transport Security to force client to use only SSL
##
##
## SESSION_COOKIE_OPTION eventual params for session cookie (lifetime, path, domain, secure, HttpOnly)
## ------------------------------------------------------------------------------------------------------------------------------------------
## This directive gives greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks
## ------------------------------------------------------------------------------------------------------------------------------------------
## LIMIT_REQUEST_BODY restricts the total size of the HTTP request body sent from the client
## REQUEST_READ_TIMEOUT set timeout for receiving requests
## ------------------------------------------------------------------------------------------------------------------------------------------------
http {
## Allows you to tell clients about documents that used to exist in your server's namespace, but do not anymore.
## The client will make a request for the document at its new location
ALIAS "[ \
/ /test \
/printenv /cgi-bin/printenv.sh \
]"
## VIRTUAL_HOST yes
## ENABLE_INOTIFY yes
DIGEST_AUTHENTICATION yes
URI_PROTECTED_MASK /cgi-bin/*
## URI_PROTECTED_ALLOWED_IP 10.30.1.131,10.30.0.0/16
# This directive gives greater control over abnormal client request behavior,
# which may be useful for avoiding some forms of denial-of-service attacks
LIMIT_REQUEST_BODY 10K
REQUEST_READ_TIMEOUT 5
}
Reference in New Issue View Git Blame Copy Permalink