- CI: replace GitLab pipeline with Gitea Actions (.gitea/workflows/release.yaml); publish .deb/image/hosted/chart to Gitea registries; gate image+hosted on .deb (needs + registry pre-check) - drop connectone/Nexus; apt now from the Gitea Debian registry - single version source (/VERSION=3.2.8); CI enforces .env/Chart consistency - restructure: build/->packaging/deb, root Dockerfile->packaging/image, hosted/->packaging/hosted, .kube/->charts/freeradius - Helm chart: documented values, DB password via Secret/$ENV, configurable scheduling/persistence; remove plaintext creds and hostPath PV - gitignore *.env_cnf; docs for hosted (RU)/helm/root + agent KB sync Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
300 lines
11 KiB
Plaintext
300 lines
11 KiB
Plaintext
rest {
|
||
#
|
||
# This subsection configures the tls related items
|
||
# that control how FreeRADIUS connects to a HTTPS
|
||
# server.
|
||
#
|
||
tls {
|
||
# Certificate Authorities:
|
||
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
|
||
# File containing a single CA, which is the issuer of the server
|
||
# certificate.
|
||
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
|
||
# File containing a bundle of certificates, which allow to handle
|
||
# certificate chain validation.
|
||
# "ca_path" (libcurl option CURLOPT_CAPATH).
|
||
# Directory holding CA certificates to verify the peer with.
|
||
# ca_file = ${certdir}/cacert.pem
|
||
# ca_info_file = ${certdir}/cacert_bundle.pem
|
||
# ca_path = ${certdir}
|
||
|
||
# certificate_file = /path/to/radius.crt
|
||
# private_key_file = /path/to/radius.key
|
||
# private_key_password = "supersecret"
|
||
# random_file = /dev/urandom
|
||
|
||
# Server certificate verification requirements. Can be:
|
||
# "no" (don't even bother trying)
|
||
# "yes" (verify the cert was issued by one of the
|
||
# trusted CAs)
|
||
#
|
||
# The default is "yes"
|
||
# check_cert = yes
|
||
|
||
# Server certificate CN verification requirements. Can be:
|
||
# "no" (don't even bother trying)
|
||
# "yes" (verify the CN in the certificate matches the host
|
||
# in the URI)
|
||
#
|
||
# The default is "yes"
|
||
# check_cert_cn = yes
|
||
}
|
||
|
||
# rlm_rest will open a connection to the server specified in connect_uri
|
||
# to populate the connection cache, ready for the first request.
|
||
# The server will not start if the server specified is unreachable.
|
||
#
|
||
# If you wish to disable this pre-caching and reachability check,
|
||
# comment out the configuration item below.
|
||
connect_uri = "http://#API_HOST#:#API_PORT#/"
|
||
|
||
#
|
||
# How long before new connection attempts timeout, defaults to 4.0 seconds.
|
||
#
|
||
# connect_timeout = 4.0
|
||
|
||
#
|
||
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
|
||
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
|
||
#
|
||
# http_negotiation = 1.1
|
||
|
||
#
|
||
# The following config items can be used in each of the sections.
|
||
# The sections themselves reflect the sections in the server.
|
||
# For example if you list rest in the authorize section of a virtual server,
|
||
# the settings from the authorize section here will be used.
|
||
#
|
||
# The following config items may be listed in any of the sections:
|
||
# uri - to send the request to.
|
||
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
|
||
# 'delete' or any custom HTTP method.
|
||
# body - The format of the HTTP body sent to the remote server.
|
||
# May be 'none', 'post' or 'json', defaults to 'none'.
|
||
# attr_num - If true, the attribute number is supplied for each attribute.
|
||
# Defaults to false.
|
||
# raw_value - If true, enumerated attribute values are provided as numeric
|
||
# values. Defaults to false.
|
||
# data - Send custom freeform data in the HTTP body. Content-type
|
||
# may be specified with 'body'. Will be expanded.
|
||
# Values from expansion will not be escaped, this should be
|
||
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
|
||
# force_to - Force the response to be decoded with this decoder.
|
||
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
|
||
# or 'json'.
|
||
# tls - TLS settings for HTTPS.
|
||
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
|
||
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
|
||
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
|
||
# username - User to authenticate as, will be expanded.
|
||
# password - Password to use for authentication, will be expanded.
|
||
# require_auth - Require HTTP authentication.
|
||
# timeout - HTTP request timeout in seconds, defaults to 4.0.
|
||
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
|
||
# send data to the REST server. Make sure that this is large
|
||
# enough to fit your largest attribute value's text
|
||
# representation.
|
||
# A number like 8192 is good.
|
||
#
|
||
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
|
||
# The values of those attributes should be in the format:
|
||
#
|
||
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
|
||
#
|
||
# The control:REST-HTTP-Header attributes will be consumed
|
||
# (i.e. deleted) after each call to the rest module, and each
|
||
# %{rest:} expansion. This is so that headers from one REST
|
||
# call do not affect headers from a different REST call.
|
||
#
|
||
# Body encodings are the same for requests and responses
|
||
#
|
||
# POST - All attributes and values are urlencoded
|
||
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
|
||
#
|
||
# JSON - All attributes and values are escaped according to the JSON specification
|
||
# - attribute Name of the attribute.
|
||
# - attr_num Number of the attribute. Only available if the configuration item
|
||
# 'attr_num' is enabled.
|
||
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
|
||
# - value Attribute value, for enumerated attributes the human readable value is
|
||
# provided and not the numeric value (Depends on the 'raw_value' config item).
|
||
# {
|
||
# "<attribute0>":{
|
||
# "attr_num":<attr_num0>,
|
||
# "type":"<type0>",
|
||
# "value":[<value0>,<value1>,<valueN>]
|
||
# },
|
||
# "<attribute1>":{
|
||
# "attr_num":<attr_num1>,
|
||
# "type":"<type1>",
|
||
# "value":[...]
|
||
# },
|
||
# "<attributeN>":{
|
||
# "attr_num":<attr_numN>,
|
||
# "type":"<typeN>",
|
||
# "value":[...]
|
||
# },
|
||
# }
|
||
#
|
||
# The response format adds three optional fields:
|
||
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
|
||
# - is_json If true, any nested JSON data will be copied to the attribute
|
||
# in string form. Defaults to true.
|
||
# - op Controls how the attribute is inserted into the target list.
|
||
# Defaults to ':='. To create multiple attributes from multiple
|
||
# values, this should be set to '+=', otherwise only the last
|
||
# value will be used, and it will be assigned to a single
|
||
# attribute.
|
||
# {
|
||
# "<attribute0>":{
|
||
# "is_json":<bool>,
|
||
# "do_xlat":<bool>,
|
||
# "op":"<operator>",
|
||
# "value":[<value0>,<value1>,<valueN>]
|
||
# },
|
||
# "<attribute1>":"value",
|
||
# "<attributeN>":{
|
||
# "value":[<value0>,<value1>,<valueN>],
|
||
# "op":"+="
|
||
# }
|
||
# }
|
||
|
||
#
|
||
# Module return codes are determined by HTTP response codes. These vary depending on the
|
||
# section.
|
||
#
|
||
# If the body is processed and found to be malformed or unsupported fail will be returned.
|
||
# If the body is processed and found to contain attribute updated will be returned,
|
||
# except in the case of a 401 code.
|
||
#
|
||
|
||
# Authorize/Authenticate
|
||
#
|
||
# Code Meaning Process body Module code
|
||
# 404 not found no notfound
|
||
# 410 gone no notfound
|
||
# 403 forbidden no userlock
|
||
# 401 unauthorized yes reject
|
||
# 204 no content no ok
|
||
# 2xx successful yes ok/updated
|
||
# 5xx server error no fail
|
||
# xxx - no invalid
|
||
#
|
||
# The status code is held in %{reply:REST-HTTP-Status-Code}.
|
||
#
|
||
authorize {
|
||
uri = "${..connect_uri}radius/auth"
|
||
method = 'post'
|
||
body = 'json'
|
||
data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}'
|
||
force_to = 'json'
|
||
auth = 'none'
|
||
require_auth = no
|
||
timeout = 4.000000
|
||
}
|
||
# authorize {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
|
||
# method = 'get'
|
||
# tls = ${..tls}
|
||
# }
|
||
# authenticate {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
|
||
# method = 'get'
|
||
# tls = ${..tls}
|
||
# }
|
||
|
||
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
|
||
#
|
||
# Code Meaning Process body Module code
|
||
# 204 no content no ok
|
||
# 2xx successful yes ok/updated
|
||
# 5xx server error no fail
|
||
# xxx - no invalid
|
||
# preacct {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
|
||
# method = 'post'
|
||
# tls = ${..tls}
|
||
# }
|
||
# accounting {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
|
||
# method = 'post'
|
||
# tls = ${..tls}
|
||
# }
|
||
# post-auth {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
|
||
# method = 'post'
|
||
# tls = ${..tls}
|
||
# }
|
||
# pre-proxy {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
|
||
# method = 'post'
|
||
# tls = ${..tls}
|
||
# }
|
||
# post-proxy {
|
||
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
|
||
# method = 'post'
|
||
# tls = ${..tls}
|
||
# }
|
||
|
||
#
|
||
# The connection pool is used to pool outgoing connections.
|
||
#
|
||
pool {
|
||
# Connections to create during module instantiation.
|
||
# If the server cannot create specified number of
|
||
# connections during instantiation it will exit.
|
||
# Set to 0 to allow the server to start without the
|
||
# web service being available.
|
||
start = ${thread[pool].start_servers}
|
||
|
||
# Minimum number of connections to keep open
|
||
min = ${thread[pool].min_spare_servers}
|
||
|
||
# Maximum number of connections
|
||
#
|
||
# If these connections are all in use and a new one
|
||
# is requested, the request will NOT get a connection.
|
||
#
|
||
# Setting 'max' to LESS than the number of threads means
|
||
# that some threads may starve, and you will see errors
|
||
# like 'No connections available and at max connection limit'
|
||
#
|
||
# Setting 'max' to MORE than the number of threads means
|
||
# that there are more connections than necessary.
|
||
max = ${thread[pool].max_servers}
|
||
|
||
# Spare connections to be left idle
|
||
#
|
||
# NOTE: Idle connections WILL be closed if "idle_timeout"
|
||
# is set. This should be less than or equal to "max" above.
|
||
spare = ${thread[pool].max_spare_servers}
|
||
|
||
# Number of uses before the connection is closed
|
||
#
|
||
# 0 means "infinite"
|
||
uses = 0
|
||
|
||
# The number of seconds to wait after the server tries
|
||
# to open a connection, and fails. During this time,
|
||
# no new connections will be opened.
|
||
retry_delay = 30
|
||
|
||
# The lifetime (in seconds) of the connection
|
||
lifetime = 0
|
||
|
||
# idle timeout (in seconds). A connection which is
|
||
# unused for this length of time will be closed.
|
||
idle_timeout = 60
|
||
|
||
# NOTE: All configuration settings are enforced. If a
|
||
# connection is closed because of "idle_timeout",
|
||
# "uses", or "lifetime", then the total number of
|
||
# connections MAY fall below "min". When that
|
||
# happens, it will open a new connection. It will
|
||
# also log a WARNING message.
|
||
#
|
||
# The solution is to either lower the "min" connections,
|
||
# or increase lifetime/idle_timeout.
|
||
}
|
||
}
|