mirror of
https://git.freebsd.org/ports.git
synced 2025-04-28 09:36:41 -04:00
187 lines
8.7 KiB
Text
187 lines
8.7 KiB
Text
--- doc/sample.config.orig 2023-12-17 10:19:23 UTC
|
|
+++ doc/sample.config
|
|
@@ -19,7 +19,7 @@
|
|
# This enabled PAM authentication of the user. The gid-min option is used
|
|
# by auto-select-group option, in order to select the minimum valid group ID.
|
|
#
|
|
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
|
|
+# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]
|
|
# The plain option requires specifying a password file which contains
|
|
# entries of the following format.
|
|
# "username:groupname1,groupname2:encoded-password"
|
|
@@ -28,7 +28,7 @@
|
|
# an oath password file to be used for one time passwords; the format of
|
|
# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
|
|
#
|
|
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
|
|
+# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
|
|
# The radius option requires specifying freeradius-client configuration
|
|
# file. If the groupconfig option is set, then config-per-user/group will be overridden,
|
|
# and all configuration will be read from radius. That also includes the
|
|
@@ -48,9 +48,9 @@
|
|
#auth = "pam"
|
|
#auth = "pam[gid-min=1000]"
|
|
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
|
|
-auth = "plain[passwd=./sample.passwd]"
|
|
+auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
|
|
#auth = "certificate"
|
|
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
|
|
+#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
|
|
|
|
# Specify alternative authentication methods that are sufficient
|
|
# for authentication. That is, if set, any of the methods enabled
|
|
@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]"
|
|
# PAM.
|
|
#
|
|
# Only one accounting method can be specified.
|
|
-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
|
|
+#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]"
|
|
|
|
# Use listen-host to limit to specific IPs or to the IPs of a provided
|
|
# hostname.
|
|
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
|
|
# certificate renewal (they are checked and reloaded periodically;
|
|
# a SIGHUP signal to main server will force reload).
|
|
|
|
-#server-cert = /etc/ocserv/server-cert.pem
|
|
-#server-key = /etc/ocserv/server-key.pem
|
|
-server-cert = ../tests/certs/server-cert.pem
|
|
-server-key = ../tests/certs/server-key.pem
|
|
+server-cert = %%ETCDIR%%/server-cert.pem
|
|
+server-key = %%ETCDIR%%/server-key.pem
|
|
|
|
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
|
|
# versions of GnuTLS for supporting DHE ciphersuites.
|
|
# Can be generated using:
|
|
-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
|
|
-#dh-params = /etc/ocserv/dh.pem
|
|
+# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem
|
|
+#dh-params = %%ETCDIR%%/dh.pem
|
|
|
|
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
|
|
# in files. The srk-pin-file is applicable to TPM keys only, and is the
|
|
# storage root key.
|
|
-#pin-file = /etc/ocserv/pin.txt
|
|
-#srk-pin-file = /etc/ocserv/srkpin.txt
|
|
+#pin-file = %%ETCDIR%%/pin.txt
|
|
+#srk-pin-file = %%ETCDIR%%/srkpin.txt
|
|
|
|
# The password or PIN needed to unlock the key in server-key file.
|
|
# Only needed if the file is encrypted or a PKCS #11 object. This
|
|
@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem
|
|
# The Certificate Authority that will be used to verify
|
|
# client certificates (public keys) if certificate authentication
|
|
# is set.
|
|
-#ca-cert = /etc/ocserv/ca.pem
|
|
-ca-cert = ../tests/certs/ca.pem
|
|
+ca-cert = %%ETCDIR%%/ca.pem
|
|
|
|
# The number of sub-processes to use for the security module (authentication)
|
|
# processes. Typically this should not be set as the number of processes
|
|
@@ -172,16 +169,6 @@ ca-cert = ../tests/certs/ca.pem
|
|
### failures during the reloading time.
|
|
|
|
|
|
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
|
|
-# system calls allowed to a worker process, in order to reduce damage from a
|
|
-# bug in the worker process. It is available on Linux systems at a performance cost.
|
|
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
|
|
-# Note however, that process isolation is restricted to the specific libc versions
|
|
-# the isolation was tested at. If you get random failures on worker processes, try
|
|
-# disabling that option and report the failures you, along with system and debugging
|
|
-# information at: https://gitlab.com/openconnect/ocserv/issues
|
|
-isolate-workers = true
|
|
-
|
|
# A banner to be displayed on clients after connection
|
|
#banner = "Welcome"
|
|
|
|
@@ -262,7 +249,7 @@ try-mtu-discovery = false
|
|
# You can update this response periodically using:
|
|
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
|
|
# Make sure that you replace the following file in an atomic way.
|
|
-#ocsp-response = /etc/ocserv/ocsp.der
|
|
+#ocsp-response = %%ETCDIR%%/ocsp.der
|
|
|
|
# The object identifier that will be used to read the user ID in the client
|
|
# certificate. The object identifier should be part of the certificate's DN
|
|
@@ -281,7 +268,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
# See the manual to generate an empty CRL initially. The CRL will be reloaded
|
|
# periodically when ocserv detects a change in the file. To force a reload use
|
|
# SIGHUP.
|
|
-#crl = /etc/ocserv/crl.pem
|
|
+crl = %%ETCDIR%%/crl.pem
|
|
|
|
# Uncomment this to enable compression negotiation (LZS, LZ4).
|
|
#compression = true
|
|
@@ -415,14 +402,14 @@ rekey-method = ssl
|
|
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes
|
|
# output from the tun device, and the duration of the session in seconds.
|
|
|
|
-#connect-script = /usr/bin/myscript
|
|
-#disconnect-script = /usr/bin/myscript
|
|
+#connect-script = %%PREFIX%%/bin/myscript
|
|
+#disconnect-script = %%PREFIX%%/bin/myscript
|
|
|
|
# This script is to be called when the client's advertised hostname becomes
|
|
# available. It will contain REASON with "host-update" value and the
|
|
# variable REMOTE_HOSTNAME in addition to the connect variables.
|
|
|
|
-#host-update-script = /usr/bin/myhostnamescript
|
|
+#host-update-script = %%PREFIX%%/bin/myhostnamescript
|
|
|
|
# UTMP
|
|
# Register the connected clients to utmp. This will allow viewing
|
|
@@ -563,15 +550,15 @@ no-route = 192.168.5.0/255.255.255.0
|
|
# Note the that following two firewalling options currently are available
|
|
# in Linux systems with iptables software.
|
|
|
|
-# If set, the script /usr/libexec/ocserv-fw will be called to restrict
|
|
+# If set, the script %%PREFIX%%/libexec/ocserv-fw will be called to restrict
|
|
# the user to its allowed routes and prevent him from accessing
|
|
# any other routes. In case of defaultroute, the no-routes are restricted.
|
|
-# All the routes applied by ocserv can be reverted using /usr/libexec/ocserv-fw
|
|
+# All the routes applied by ocserv can be reverted using %%PREFIX%%/libexec/ocserv-fw
|
|
# --removeall. This option can be set globally or in the per-user configuration.
|
|
#restrict-user-to-routes = true
|
|
|
|
# This option implies restrict-user-to-routes set to true. If set, the
|
|
-# script /usr/libexec/ocserv-fw will be called to restrict the user to
|
|
+# script %%PREFIX%%/libexec/ocserv-fw will be called to restrict the user to
|
|
# access specific ports in the network. This option can be set globally
|
|
# or in the per-user configuration.
|
|
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
|
|
@@ -619,13 +606,13 @@ no-route = 192.168.5.0/255.255.255.0
|
|
# hostname to override any proposed by the user. Note also, that, any
|
|
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
|
|
|
|
-#config-per-user = /etc/ocserv/config-per-user/
|
|
-#config-per-group = /etc/ocserv/config-per-group/
|
|
+#config-per-user = %%ETCDIR%%/config-per-user/
|
|
+#config-per-group = %%ETCDIR%%/config-per-group/
|
|
|
|
# When config-per-xxx is specified and there is no group or user that
|
|
# matches, then utilize the following configuration.
|
|
-#default-user-config = /etc/ocserv/defaults/user.conf
|
|
-#default-group-config = /etc/ocserv/defaults/group.conf
|
|
+#default-user-config = %%ETCDIR%%/defaults/user.conf
|
|
+#default-group-config = %%ETCDIR%%/defaults/group.conf
|
|
|
|
# The system command to use to setup a route. %{R} will be replaced with the
|
|
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
|
|
@@ -750,13 +737,13 @@ camouflage_realm = "Restricted Content"
|
|
[vhost:www.example.com]
|
|
auth = "certificate"
|
|
|
|
-ca-cert = ../tests/certs/ca.pem
|
|
+ca-cert = %%ETCDIR%%/www.example.com-ca.pem
|
|
|
|
# The certificate set here must include a 'dns_name' corresponding to
|
|
# the virtual host name.
|
|
|
|
-server-cert = ../tests/certs/server-cert-secp521r1.pem
|
|
-server-key = ../tests/certs/server-key-secp521r1.pem
|
|
+server-cert = %%ETCDIR%%/server-cert-secp521r1.pem
|
|
+server-key = %%ETCDIR%%/server-key-secp521r1.pem
|
|
|
|
ipv4-network = 192.168.2.0
|
|
ipv4-netmask = 255.255.255.0
|