mirror/ULib
1
0
Fork 0
mirror of https://github.com/stefanocasazza/ULib.git synced 2025-09-28 19:05:55 +08:00
Code Issues Releases Wiki Activity
bc17a662ad
ULib/examples/userver/userver.cfg.default
stefanocasazza bc17a662ad add URI_PROTECTED_SSE
2019-01-29 15:34:55 +01:00

727 lines
34 KiB
Plaintext
Raw Blame History

# ----------------------------------------------------------------------------------------------------------------------------------------
# S E R V E R P A R A M E T E R S
# ----------------------------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------------------------
# userver - configuration parameters
# ----------------------------------------------------------------------------------------------------------------------------------------
# ENABLE_IPV6 flag to indicate the possible use of ipv6
# SERVER host name or ip address for the listening socket
# PORT port number for the listening socket
# SOCKET_NAME file name for the listening socket
# IP_ADDRESS ip address of host for the interface connected to the Internet (autodetected if not specified)
#
# ALLOWED_IP list of comma separated client address for IP-based access control (IPADDR[/MASK])
# ALLOWED_IP_PRIVATE list of comma separated client private address for IP-based access control (IPADDR[/MASK]) for public server
# ENABLE_RFC1918_FILTER reject request from private IP to public server address
#
# MIN_SIZE_FOR_SENDFILE for major size it is better to use sendfile() to serve static content
#
# LISTEN_BACKLOG max number of ready to be delivered connections to accept()
# CLIENT_THRESHOLD min number of clients to active polling
# SET_REALTIME_PRIORITY flag indicating that the preforked processes will be scheduled under the real-time policies SCHED_FIFO
#
# LOAD_BALANCE_CLUSTER list of comma separated IP address (IPADDR[/MASK]) to define the load balance cluster
# LOAD_BALANCE_DEVICE_NETWORK network interface name of cluster of physical server
# LOAD_BALANCE_LOADAVG_THRESHOLD system load threshold to proxies the request on other userver on the network cluster ([0-9].[0-9])
#
# PID_FILE write pid on indicated file
# WELCOME_MSG message of welcome to send initially to client
# RUN_AS_USER downgrade privileges to that user account
# DOCUMENT_ROOT The directory out of which you will serve your documents
#
# LOG_FILE locations for file log
# LOG_FILE_SZ memory size for file log (to use memory mapping and automatic rotate)
# LOG_MSG_SIZE limit length of print network message to LOG_MSG_SIZE chars (default 128) (for HTTP -1 indicate to print the header)
#
# PLUGIN list of plugins to load, a flexible way to add specific functionality to the server
# PLUGIN_DIR directory where there are the plugins to load
#
# ORM_DRIVER list of ORM drivers to load, a flexible way to add specific functionality to the ORM
# ORM_DRIVER_DIR directory where there are the ORM drivers to load
#
# REQ_TIMEOUT timeout for request from client
# TCP_KEEP_ALIVE specifies to active the TCP keepalive implementation in the linux kernel
# TCP_LINGER_SET specifies how the TCP initiated the close
# MAX_KEEP_ALIVE specifies the maximum number of requests that can be served through a Keep-Alive (Persistent) session. (Value <= 0 will disable Keep-Alive)
#
# DH_FILE [Diffie-Hellman Key Agreement protocol](http://www.rsa.com/rsalabs/node.asp?id=2248) cmd: openssl dhparam -out dh.pem 1024
# CERT_FILE certificate of server
# KEY_FILE private key of server
# PASSWORD password for private key of server
# CA_FILE locations of trusted CA certificates used in the verification
# CA_PATH locations of trusted CA certificates used in the verification
# VERIFY_MODE mode of verification (SSL_VERIFY_NONE=0, SSL_VERIFY_PEER=1, SSL_VERIFY_FAIL_IF_NO_PEER_CERT=2, SSL_VERIFY_CLIENT_ONCE=4)
# CIPHER_SUITE [cipher suite model (Intermediate=0, Modern=1, Old=2)](https://wiki.mozilla.org/Security/Server_Side_TLS)
#
# ----------------------------------------------------------------------------------------------------------------------------------------
# how to verify peer certificates. The possible values of this setting are:
#
# SSL_VERIFY_NONE - do not verify anything
# SSL_VERIFY_PEER - verify the peer certificate, if one is presented
# SSL_VERIFY_FAIL_IF_NO_PEER_CERT - require a peer certificate, fail if one is not presented
#
# SSL/TLS servers will usually set VERIFY_MODE to SSL_VERIFY_NONE
# SSL/TLS clients will usually set VERIFY_MODE to SSL_VERIFY_FAIL_IF_NO_PEER_CERT
# ----------------------------------------------------------------------------------------------------------------------------------------
# PREFORK_CHILD number of child server processes created at startup: -1 - thread approach (experimental)
# 0 - serialize, no forking
# 1 - classic, forking after accept client
# >1 - pool of process serialize plus monitoring process
#
# if PREFORK_CHILD is not defined is as case (>1) with num process the number of CPU in the system
#
# CRASH_COUNT this is the threshold for the number of crash of child server processes
# CRASH_EMAIL_NOTIFY the email address to send a message whenever the number of crash > CRASH_COUNT
# ----------------------------------------------------------------------------------------------------------------------------------------
# This directive are for evasive action in the event of an HTTP DoS or DDoS attack or brute force attack
# ----------------------------------------------------------------------------------------------------------------------------------------
# DOS_PAGE_COUNT this is the threshold for the number of requests for the same page (or URI) per page interval
# DOS_PAGE_INTERVAL the interval for the page count threshold; defaults to 1 second intervals
# DOS_SITE_COUNT this is the threshold for the total number of requests for any object by the same client per site interval
# DOS_SITE_INTERVAL the interval for the site count threshold; defaults to 1 second intervals
# DOS_BLOCKING_PERIOD the blocking period is the amount of time (in seconds) that a client will be blocked for if they are added to the blocking list (defaults to 10)
# DOS_WHITE_LIST list of comma separated IP addresses of trusted clients can be whitelisted to insure they are never denied (IPADDR[/MASK])
# DOS_EMAIL_NOTIFY the email address to send a message whenever an IP address becomes blacklisted
# DOS_SYSTEM_COMMAND the system command specified will be executed whenever an IP address becomes blacklisted. Use %.*s to denote the IP address of the blacklisted IP
# DOS_LOGFILE the file to write DOS event
# ----------------------------------------------------------------------------------------------------------------------------------------
userver {
# ENABLE_IPV6 yes
# SERVER www.example.org
# PORT 8080
# SOCKET_NAME tmp/socket
# IP_ADDRESS 10.30.1.131
# ALLOWED_IP 127.0.0.1,10.30.0.0/16
# ALLOWED_IP_PRIVATE 127.0.0.1,10.30.0.0/16
# ENABLE_RFC1918_FILTER yes
# MIN_SIZE_FOR_SENDFILE 500k
# LISTEN_BACKLOG 1024
# CLIENT_THRESHOLD 100
# SET_REALTIME_PRIORITY yes
# LOAD_BALANCE_CLUSTER 10.30.0.0/16
# LOAD_BALANCE_DEVICE_NETWORK eth1
# LOAD_BALANCE_LOADAVG_THRESHOLD 4.5
# PID_FILE /var/run/userver.pid
# WELCOME_MSG "220 david.unirel.intranet ULib WEB server (Version 1.1.0) ready.\n"
# RUN_AS_USER apache
DOCUMENT_ROOT /var/www
# LOG_FILE /var/log/userver.log
# LOG_FILE_SZ 1M
# LOG_MSG_SIZE -1
# PLUGIN "tsa http"
# PLUGIN "rpc http"
# PLUGIN "soap http"
# PLUGIN "fcgi http"
# PLUGIN "scgi http"
# PLUGIN "proxy http"
# PLUGIN "geoip http"
# PLUGIN "stream http"
# PLUGIN "socket http"
# PLUGIN_DIR /usr/local/libexec/ulib
# ORM_DRIVER "sqlite mysql pgsql"
# ORM_DRIVER_DIR /usr/local/libexec
# REQ_TIMEOUT 30
# TCP_KEEP_ALIVE yes
# TCP_LINGER_SET 0
# MAX_KEEP_ALIVE 1000
# DH_FILE ../ulib/CA/param.dh
# CERT_FILE ../ulib/CA/server.crt
# KEY_FILE ../ulib/CA/server.key
# PASSWORD stefano
# CA_PATH ../ulib/CA/CApath
# CA_FILE ../ulib/CA/cacert.pem
# VERIFY_MODE 1
# CIPHER_SUITE 0
# PREFORK_CHILD 4
# CRASH_COUNT 5
# CRASH_EMAIL_NOTIFY mail.unirel.com:stefano.casazza2@unirel.com
#
# DOS_PAGE_COUNT 2
# DOS_PAGE_INTERVAL 1
# DOS_SITE_COUNT 50
# DOS_SITE_INTERVAL 1
# DOS_BLOCKING_PERIOD 10
# DOS_WHITE_LIST 127.0.0.1,10.8.0.0/16
# DOS_EMAIL_NOTIFY mail.unirel.com:stefano.casazza2@unirel.com
# DOS_SYSTEM_COMMAND "sh -c 'echo `date \"+[%%d/%%b/%%Y:%%T %%z]\"` %.*s: %.*s >> /tmp/dos_blacklist.txt'"
# DOS_LOGFILE /tmp/dos_blacklist.txt
}
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# P L U G I N P A R A M E T E R S
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# http - plugin parameters
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# ALIAS vector of URI redirection (request -> alias)
# REWRITE_RULE_NF vector of URI rewrite rule applied after checks that files do not exist (regex1 -> uri1 ...)
# USP_AUTOMATIC_ALIASING usp page that is recognized automatically as alias of all uri request without suffix
#
# MAINTENANCE_MODE to switch the site to a maintenance page only
#
# APACHE_LIKE_LOG file to write NCSA extended/combined log format: "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
# LOG_FILE_SZ memory size for file apache like log (to use memory mapping and automatic rotate)
#
# ENABLE_INOTIFY enable automatic update of cached document root image with inotify
# CACHE_FILE_MASK mask (DOS regexp) of pathfile that content be cached in memory
# CACHE_AVOID_MASK mask (DOS regexp) of pathfile that presence NOT be cached in memory
# NOCACHE_FILE_MASK mask (DOS regexp) of pathfile that content NOT be cached in memory
# CACHE_FILE_STORE pathfile of memory cache filesystem stored on a single file (may be compressed)
#
# CACHE_FILE_AS_DYNAMIC_MASK mask (DOS regexp) of pathfile that content be cached as dynamic in memory (to avoid 'Last-Modified: ...' in header response)
#
# CGI_TIMEOUT timeout for cgi execution
# VIRTUAL_HOST flag to activate practice of maintaining more than one server on one machine, as differentiated by their apparent hostname
# WEBSOCKET_TIMEOUT timeout for websocket request
# DIGEST_AUTHENTICATION flag authentication method (yes = digest, no = basic)
#
# URI_PROTECTED_SSE SSE needs authentication (/sse_event/<name_of_passwd_file>)
# URI_PROTECTED_MASK mask (DOS regexp) of URI protected from prying eyes (that needs authentication)
# URI_PROTECTED_ALLOWED_IP list of comma separated client address for IP-based access control (IPADDR[/MASK]) for URI_PROTECTED_MASK
#
# ENABLE_CACHING_BY_PROXY_SERVERS enable caching by proxy servers (add Cache control: public directive on header response)
#
# URI_REQUEST_CERT_MASK mask (DOS regexp) of URI where client must comunicate a certificate in the SSL connection
# BANDWIDTH_THROTTLING_MASK lets you set maximum byte rates on URLs or URL groups (*.jpg|*.gif 50)
# URI_REQUEST_STRICT_TRANSPORT_SECURITY_MASK mask (DOS regexp) of URI where use HTTP Strict Transport Security to force client to use only SSL
#
# SESSION_COOKIE_OPTION eventual params for session cookie (lifetime, path, domain, secure, HttpOnly)
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# This directive gives greater control over abnormal client request behavior, which may be useful for avoiding some forms of denial-of-service attacks
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# LIMIT_REQUEST_BODY restricts the permitted total size of a HTTP request body sent from the client
# REQUEST_READ_TIMEOUT set timeout for receiving a complete request from a client
# ------------------------------------------------------------------------------------------------------------------------------------------------
#
# ------------------------------------------------------------------------------------------------------------------------------------------------
# PHP
# ------------------------------------------------------------------------------------------------------------------------------------------------
# MOUNT_POINT mount point application (to adjust var SCRIPT_NAME)
# ------------------------------------------------------------------------------------------------------------------------------------------------
# RUBY
# ------------------------------------------------------------------------------------------------------------------------------------------------
# RUBY_LIBDIR directory to add to the ruby libdir search path
# ------------------------------------------------------------------------------------------------------------------------------------------------
# PYTHON
# ------------------------------------------------------------------------------------------------------------------------------------------------
# PY_PROJECT_APP full python name of WSGI entry point expected in form <module>.<app>
# PY_PROJECT_ROOT python module search root; relative to workdir
# PY_VIRTUALENV_PATH
# ----------------------------------------------------------------------------------------------------------------------------------------------------
http {
# Allows you to tell clients about documents that used to exist in your server's namespace, but do not anymore.
# The client will make a request for the document at its new location
# ALIAS "[ \
# /login /RA/cgi-bin/login.sh \
# /admin /RA/admin/cgi-bin/card-generation.sh \
# ]"
# vector of URI rewrite rule applied after checks that files do not exist (regex1 -> uri1 ...)
# REWRITE_RULE_NF "[ \
# ^/.*\.[A-Za-z0-9]+.*?$ $0 \
# ^/(.*?)(\?|$)(.*) /sapphire/main.php?url=$1&$3 \
# ]"
# USP_AUTOMATIC_ALIASING servlet/example
# MAINTENANCE_MODE /ErrorDocument/down.html
# APACHE_LIKE_LOG /var/log/httpd/access_log
# LOG_FILE_SZ 1M
# ENABLE_INOTIFY yes
# CACHE_FILE_MASK *.b64|*.txt
# CACHE_AVOID_MASK ap|phpldapadmin|login_request|10.1.55.83|immagini
# NOCACHE_FILE_MASK banner.html
# CACHE_FILE_STORE ../webifv.gz
# CGI_TIMEOUT 60
# VIRTUAL_HOST yes
# WEBSOCKET_TIMEOUT -1
# DIGEST_AUTHENTICATION yes
# URI_PROTECTED_SSE yes
# URI_PROTECTED_MASK /RA/admin/cgi-bin/*
# URI_PROTECTED_ALLOWED_IP 127.0.0.1,10.30.0.0/16
# ENABLE_CACHING_BY_PROXY_SERVERS yes
# URI_REQUEST_CERT_MASK /wi-auth/cgi-bin/cpe.sh
# BANDWIDTH_THROTTLING_MASK @FILE:../throttling.txt
# URI_REQUEST_STRICT_TRANSPORT_SECURITY_MASK /admin/*
# SESSION_COOKIE_OPTION "[\"\" 24 / www.example.com yes yes]"
# LIMIT_REQUEST_BODY 100K
# REQUEST_READ_TIMEOUT 30
# MOUNT_POINT /phpldapadmin/htdocs
}
# ------------------------------------------------------------------------------------------------------
# ssi - plugin parameters
# ------------------------------------------------------------------------------------------------------
# ENVIRONMENT path of file configuration environment for SSI
#
# SSI_AUTOMATIC_ALIASING special SSI HTML file (.shtml) that is recognized automatically as alias of all
# uri request without suffix (generally cause navigation of directory not working)
# ------------------------------------------------------------------------------------------------------
# ssi {
# ENVIRONMENT ~/etc/environment.conf
# SSI_AUTOMATIC_ALIASING /index.shtml
# }
# -----------------------------------------------------------------------------------------------
# fcgi - plugin parameters
# -----------------------------------------------------------------------------------------------
# FCGI_URI_MASK mask (DOS regexp) of uri type that send request via FCGI (*.php)
#
# SOCKET_NAME name file for the listening socket
#
# SERVER host name or ip address for server
# PORT port number for the server
#
# RES_TIMEOUT timeout for response from server FCGI
# FCGI_KEEP_CONN If not zero, the server FCGI does not close the connection after
# responding to request; the plugin retains responsibility for the connection
#
# LOG_FILE location for file log (use server log if same value)
# -----------------------------------------------------------------------------------------------
#
# fcgi {
#
# FCGI_URI_MASK *.php
# SOCKET_NAME tmp/fcgi.socket
# SERVER 127.0.0.1
# PORT 8080
# RES_TIMEOUT 20
# FCGI_KEEP_CONN yes
# LOG_FILE /var/log/userver.log
# }
# -----------------------------------------------------------------------------------------------
# scgi - plugin parameters
# -----------------------------------------------------------------------------------------------
# SCGI_URI_MASK mask (DOS regexp) of uri type that send request via SCGI (*.py)
#
# SOCKET_NAME name file for the listening socket
#
# SERVER host name or ip address for server
# PORT port number for the server
#
# RES_TIMEOUT timeout for response from server SCGI
# SCGI_KEEP_CONN If not zero, the server SCGI does not close the connection after
# responding to request; the plugin retains responsibility for the connection
#
# LOG_FILE location for file log (use server log if same value)
# -----------------------------------------------------------------------------------------------
#
# scgi {
# SCGI_URI_MASK *.py
# SOCKET_NAME tmp/scgi.socket
# SERVER 127.0.0.1
# PORT 8080
# RES_TIMEOUT 20
# SCGI_KEEP_CONN yes
# LOG_FILE /var/log/userver.log
# }
# -----------------------------------------------------------------------------------------------
# tsa - plugin parameters
# -----------------------------------------------------------------------------------------------
# COMMAND command to execute
# ENVIRONMENT environment for command to execute
# -----------------------------------------------------------------------------------------------
# tsa {
# ENV[HOME] = Base directory for op
# ENV[OPENSSL] = Openssl path
# ENV[OPENSSL_CNF] = Openssl configuration
# ENV[ENGINE] = Openssl Engine to use
# ENV[PASSWORD] = Password for key decryption
# ENV[TSA_CACERT] = TSA CA chain certificate
# ENV[TSA_CERT] = TSA certificate
# ENV[TSA_KEY] = TSA private key
# ENV[FILE_LOG] = Log file for command
# ENV[MSG_LOG] = Log separator
# ENV[TMPDIR] = Temporary directory
# ENV[DEBUG] = Enable debugging
# ENVIRONMENT "HOME=TSA \
# OPENSSL=bin/openssl \
# OPENSSL_CNF=CA/openssl.cnf \
# TSA_CACERT=CA/cacert.pem \
# TSA_CERT=CA/server.crt \
# TSA_KEY=CA/server.key"
# ARGV[1] = TSA REQUEST
# ARGV[2] = TOKEN
# ARGV[3] = SEC
# ARGV[3] = POLICY
# COMMAND TSA/TSA_command/tsa_REPLY_BIN.sh
# }
# ------------------------------------------------------------------------------------------------------------------------------------------------
# stream - plugin parameters
# ------------------------------------------------------------------------------------------------------------------------------------------------
# COMMAND command to execute
# ENVIRONMENT environment for command to execute
#
# URI_PATH specifies the local part of the URL path at which you would like the content to appear (Ex. /my/video.ogv)
# METADATA specifies the needs to have setup headers prepended for each codec stream (Ex. /my/audio.ogg)
# CONTENT_TYPE specifies the Internet media type of the stream, which will appear in the Content-Type HTTP response header
# ------------------------------------------------------------------------------------------------------------------------------------------------
# stream {
# ENVIRONMENT "UTRACE=0 5M 0"
# COMMAND my_stream.sh
# URI_PATH /my/stream
# METADATA /tmp/metadata
# CONTENT_TYPE text/plain
# CONTENT_TYPE "multipart/x-mixed-replace; boundary=++++++++"
# }
# ------------------------------------------------------------------------------------------------------------------------------------------------
# socket - plugin parameters
# ------------------------------------------------------------------------------------------------------------------------------------------------
# COMMAND command (alternative to USP modsocket) to execute
# ENVIRONMENT environment for command (alternative to USP modsocket) to execute
#
# ENABLE_DB enable db management for web socket
# MAX_MESSAGE_SIZE maximum size (in bytes) of a message to accept; default is approximately 4GB
# ------------------------------------------------------------------------------------------------------------------------------------------------
#
# socket {
# ENVIRONMENT "UTRACE=0 5M 0"
# COMMAND my_websocket.sh
# ENABLE_DB yes
# MAX_MESSAGE_SIZE 100K
# }
# ------------------------------------------------------------------------------------------------------
# rpc - plugin parameters
# ------------------------------------------------------------------------------------------------------
# METHOD_NAME name of method
# COMMAND command to execute
# ENVIRONMENT environment for command to execute
# RESPONSE_TYPE input/output type of the command ( success_or_failure |
# stdin_success_or_failure |
# standard_output |
# stdin_standard_output |
# standard_output_binary |
# stdin_standard_output_binary )
# ------------------------------------------------------------------------------------------------------
# rpc {
# ------------------------------------------------------------------------------------------------------
# SOAP or RPC services
# ------------------------------------------------------------------------------------------------------
# ENV[HOME] = Base directory for op
# ENV[FILE_LOG] = Log file for command
# ENV[MSG_LOG] = Log separator
# ENV[DEBUG] = Enable debugging
# ------------------------------------------------------------------------------------------------------
# Method_01 {
# activate a card and send back login/pwd via SMS
# SMS from client = stringa "From: xxxx\nTo: xxxxx..." input
# METHOD_NAME CARD
# ENV[LDAP_HOST] = LDAP Host
# ENV[LDAP_PASSWORD] = file contenente password for LDAP binding
# ENV[MAIL_TO] = Email Address for workflow
# ENV[MAIL_FROM] = Email Address for workflow
# ENVIRONMENT "HOME=WAGSM \
# DEBUG=1 \
# LDAP_HOST=rosso \
# LDAP_PASSWORD=unwired-portal_rootdn.pw \
# MAIL_TO=card-activation@auth.t-unwired.com \
# MAIL_FROM=gsmbox@auth.t-unwired.com"
# COMMAND WAGSM/WAGSM_command/card_activation.sh
# RESPONSE_TYPE standard_output
# }
# }
# ------------------------------------------------------------------------------------------------------
# soap - plugin parameters
# ------------------------------------------------------------------------------------------------------
# METHOD_NAME name of method
# COMMAND command to execute
# ENVIRONMENT environment for command to execute
# RESPONSE_TYPE input/output type of the command ( success_or_failure |
# stdin_success_or_failure |
# standard_output |
# stdin_standard_output |
# standard_output_binary |
# stdin_standard_output_binary )
# ------------------------------------------------------------------------------------------------------
# soap {
# ------------------------------------------------------------------------------------------------------
# SOAP or RPC services
# ------------------------------------------------------------------------------------------------------
# ENV[HOME] = Base directory for op
# ENV[FILE_LOG] = Log file for command
# ENV[MSG_LOG] = Log separator
# ENV[DEBUG] = Enable debugging
# ------------------------------------------------------------------------------------------------------
# Method_01 {
# activate a card and send back login/pwd via SMS
# SMS from client = stringa "From: xxxx\nTo: xxxxx..." input
# METHOD_NAME CARD
# ENV[LDAP_HOST] = LDAP Host
# ENV[LDAP_PASSWORD] = file contenente password for LDAP binding
# ENV[MAIL_TO] = Email Address for workflow
# ENV[MAIL_FROM] = Email Address for workflow
# ENVIRONMENT "HOME=WAGSM \
# DEBUG=1 \
# LDAP_HOST=rosso \
# LDAP_PASSWORD=unwired-portal_rootdn.pw \
# MAIL_TO=card-activation@auth.t-unwired.com \
# MAIL_FROM=gsmbox@auth.t-unwired.com"
# COMMAND WAGSM/WAGSM_command/card_activation.sh
# RESPONSE_TYPE standard_output
# }
# }
# ---------------------------------------------------------------------------------------------------------------------------------
# proxy - plugin parameters
# ---------------------------------------------------------------------------------------------------------------------------------
# ERROR MESSAGE Allows you to tell clients about what type of error occurred
#
# URI uri trigger
# HOST name host client
# METHOD_NAME mask name of what type of HTTP method is permitted (GET|POST|...)
#
# CLIENT_CERTIFICATE yes if client must comunicate a certificate in the SSL connection
# REMOTE_ADDRESS_IP list of comma separated client address for IP-based control (IPADDR[/MASK]) for routing-like policy
# WEBSOCKET yes if the proxy act as a Reverse Proxy Web Sockets
#
#
# COMMAND command to execute
# ENVIRONMENT environment for command to execute
# RESPONSE_TYPE output type of the command (yes = response for client, no = request to server)
#
# PORT port of server for connection
# SERVER name of server for connection
#
# FOLLOW_REDIRECTS yes if manage to automatically follow redirects from server
# USER if manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: user
# PASSWORD if manage to follow redirects, in response to a HTTP_UNAUTHORISED response from the HTTP server: password
# REPLACE_RESPONSE if NOT manage to follow redirects, vector of substitution string
# ---------------------------------------------------------------------------------------------------------------------------------
# proxy {
# ---------------------------------------------------------------------------
# Allows you to tell clients about what type of error occurred
# ---------------------------------------------------------------------------
# ERROR MESSAGE [
# @STRING "HTTP/1.1 400 Bad Request\r\n\
# Date: %D\r\n\
# Server: ULib/1.0\r\n\
# Connection: close\r\n\
# Content-Type: text/html; charset=iso-8859-1\r\n\
# Content-Length: 238\r\n\
# \r\n\
# <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n\
# <html><head>\r\n\
# <title>Accesso negato</title>\r\n\
# </head><body>\r\n\
# <h1>Bad Request</h1>\r\n\
# <p>Errore parsing header<br />\r\n\ </p>\r\n\
# <hr>\r\n\
# <address>ULib Server (proxy)</address>\r\n\
# </body></html>\r\n"
#
# @FILE error_msg/X509_REJECTED
# ]
# Service_WAYF {
#
# URI ^/(WAYF/?|SWITCHaai/images/.*\.gif$)
# HOST localhost:444
#
# METHOD_NAME GET|POST
#
# PORT 80
# SERVER localhost
#
# CLIENT_CERTIFICATE yes
#
# la redirect chiede di nuovo al proxy (444)...!!!
# FOLLOW_REDIRECTS no
# }
#
# Service_IDP {
#
# URI ^/shibboleth-idp/SSO
# HOST localhost:444
#
# METHOD_NAME GET
#
# PORT 80
# SERVER laptop
#
# FOLLOW_REDIRECTS yes
#
# In response to a HTTP_UNAUTHORISED response from the HTTP server,
# obtain a user and password for the scheme/realm returned from the HTTP server
#
# USER user01
# PASSWORD stefano1
# }
#
# Service_webmail {
#
# URI /webmail
# HOST localhost
#
# METHOD_NAME GET|POST
#
# PORT 80
# SERVER ca.eraclito.unirel.test
#
# only if NOT manage to follow redirects
# REPLACE_RESPONSE [
# "^Location: http:" "Location: https:"
# ]
# }
# }
# ------------------------------------------------------------------------------------------------------------------------------------------
# geoip - plugin parameters
# ------------------------------------------------------------------------------------------------------------------------------------------
# COUNTRY_FORBIDDEN_MASK mask (DOS regexp) of GEOIP country code that give forbidden access
# ------------------------------------------------------------------------------------------------------------------------------------------
# geoip {
# COUNTRY_FORBIDDEN_MASK CN|JP
# }
# -----------------------------------------------------------------------------------------------------------------------
# nocat - plugin parameters
# -----------------------------------------------------------------------------------------------------------------------
# FW_ENV environment for shell script to execute
# FW_CMD shell script to manage the firewall
# DECRYPT_KEY DES3 password stuff
# ALLOWED_MEMBERS file with list of allowed MAC/IP pairs or NETWORKS (default: /etc/nodog.allowed)
# LOCAL_NETWORK_LABEL access point localization tag to be used from portal
# LOGIN_TIMEOUT number of seconds after a client last login/renewal to terminate their connection
# CHECK_TYPE mode of verification (U_CHECK_NONE=0, U_CHECK_ARP_CACHE=1, U_CHECK_ARP_PING=2, U_CHECK_TRAFFIC=4)
# CHECK_EXPIRE_INTERVAL number of seconds to check if some client has terminate their connection
# NUM_PEERS_PREALLOCATE size of memory block to preallocate for table of users
# -----------------------------------------------------------------------------------------------------------------------
# nocat {
# shell script to manage the firewall
# FW_CMD firewall/nodog.fw
# FW_ENV "FW_CONF=/etc/nodog_fw.conf \
# AuthServiceAddr=http://www.auth-firenze.com/login"
# DES3 password stuff
# DECRYPT_KEY PASSWORD
# access point localization tag to be used from portal
# LOCAL_NETWORK_LABEL "radio1 radio2"
# Number of seconds after a client last login/renewal to terminate their connection
# Probably do not want to set this to less than 60 or a lot of bandwidth is likely to get consumed by the client renewal attempts
# LOGIN_TIMEOUT 86400 # one notification per day
# Number of seconds to check if some client has terminate their connection
# CHECK_EXPIRE_INTERVAL 360
# }
# -----------------------------------------------------------------------------------------------------------------------------------
# nodog - plugin parameters
# -----------------------------------------------------------------------------------------------------------------------------------
# FW_CMD shell script to manage the firewall
# FW_ENV environment for shell script to execute
# DECRYPT_KEY DES3 password stuff
# ALLOWED_MEMBERS file with list of allowed MAC/IP pairs or NETWORKS (default: /etc/nodog.allowed)
# LOCAL_NETWORK_LABEL access point localization tag to be used from portal
# CHECK_EXPIRE_INTERVAL Number of seconds to send client info to portal
# -----------------------------------------------------------------------------------------------------------------------------------
# nodog {
# shell script to manage the firewall
# FW_CMD firewall/nodog.fw
# FW_ENV "FW_CONF=/etc/nodog_fw.conf \
# AuthServiceAddr=http://www.auth-firenze.com/login"
# DES3 password stuff
# DECRYPT_KEY PASSWORD
# access point localization tag to be used from portal
# LOCAL_NETWORK_LABEL "radio1 radio2"
# Number of seconds to check if some client has terminate their connection
# CHECK_EXPIRE_INTERVAL 360
# }
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# U S P P A G E S P A R A M E T E R S
# ----------------------------------------------------------------------------------------------------------------------------------------------------
# example.usp {
# .........
# }
Reference in New Issue View Git Blame Copy Permalink