Files
freeradius/hosted/config/mods-enabled/rest
2023-01-06 05:29:32 +03:00

301 lines
11 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
rest {
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to a HTTPS
# server.
#
tls {
# Certificate Authorities:
# "ca_file" (libcurl option CURLOPT_ISSUERCERT).
# File containing a single CA, which is the issuer of the server
# certificate.
# "ca_info_file" (libcurl option CURLOPT_CAINFO).
# File containing a bundle of certificates, which allow to handle
# certificate chain validation.
# "ca_path" (libcurl option CURLOPT_CAPATH).
# Directory holding CA certificates to verify the peer with.
# ca_file = ${certdir}/cacert.pem
# ca_info_file = ${certdir}/cacert_bundle.pem
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# private_key_password = "supersecret"
# random_file = /dev/urandom
# Server certificate verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the cert was issued by one of the
# trusted CAs)
#
# The default is "yes"
# check_cert = yes
# Server certificate CN verification requirements. Can be:
# "no" (don't even bother trying)
# "yes" (verify the CN in the certificate matches the host
# in the URI)
#
# The default is "yes"
# check_cert_cn = yes
}
# rlm_rest will open a connection to the server specified in connect_uri
# to populate the connection cache, ready for the first request.
# The server will not start if the server specified is unreachable.
#
# If you wish to disable this pre-caching and reachability check,
# comment out the configuration item below.
#connect_uri = "http://connectone.me:31668"
connect_uri = "http://#API_HOST#:#API_PORT#/"
#
# How long before new connection attempts timeout, defaults to 4.0 seconds.
#
# connect_timeout = 4.0
#
# Specify HTTP protocol version to use. one of '1.0', '1.1', '2.0', '2.0+auto',
# '2.0+tls' or 'default'. (libcurl option CURLOPT_HTTP_VERSION)
#
# http_negotiation = 1.1
#
# The following config items can be used in each of the sections.
# The sections themselves reflect the sections in the server.
# For example if you list rest in the authorize section of a virtual server,
# the settings from the authorize section here will be used.
#
# The following config items may be listed in any of the sections:
# uri - to send the request to.
# method - HTTP method to use, one of 'get', 'post', 'put', 'patch',
# 'delete' or any custom HTTP method.
# body - The format of the HTTP body sent to the remote server.
# May be 'none', 'post' or 'json', defaults to 'none'.
# attr_num - If true, the attribute number is supplied for each attribute.
# Defaults to false.
# raw_value - If true, enumerated attribute values are provided as numeric
# values. Defaults to false.
# data - Send custom freeform data in the HTTP body. Content-type
# may be specified with 'body'. Will be expanded.
# Values from expansion will not be escaped, this should be
# done using the appropriate xlat method e.g. %{urlencode:<attr>}.
# force_to - Force the response to be decoded with this decoder.
# May be 'plain' (creates reply:REST-HTTP-Body), 'post'
# or 'json'.
# tls - TLS settings for HTTPS.
# auth - HTTP auth method to use, one of 'none', 'srp', 'basic',
# 'digest', 'digest-ie', 'gss-negotiate', 'ntlm',
# 'ntlm-winbind', 'any', 'safe'. defaults to 'none'.
# username - User to authenticate as, will be expanded.
# password - Password to use for authentication, will be expanded.
# require_auth - Require HTTP authentication.
# timeout - HTTP request timeout in seconds, defaults to 4.0.
# chunk - Chunk size to use. If set, HTTP chunked encoding is used to
# send data to the REST server. Make sure that this is large
# enough to fit your largest attribute value's text
#  representation.
# A number like 8192 is good.
#
# Additional HTTP headers may be specified with control:REST-HTTP-Header.
# The values of those attributes should be in the format:
#
# control:REST-HTTP-Header := "<HTTP attribute>: <value>"
#
# The control:REST-HTTP-Header attributes will be consumed
# (i.e. deleted) after each call to the rest module, and each
# %{rest:} expansion. This is so that headers from one REST
# call do not affect headers from a different REST call.
#
# Body encodings are the same for requests and responses
#
# POST - All attributes and values are urlencoded
# [outer.][<list>:]<attribute0>=<value0>&[outer.][<list>:]<attributeN>=<valueN>
#
# JSON - All attributes and values are escaped according to the JSON specification
# - attribute Name of the attribute.
# - attr_num Number of the attribute. Only available if the configuration item
# 'attr_num' is enabled.
# - type Type of the attribute (e.g. "integer", "string", "ipaddr", "octets", ...).
# - value Attribute value, for enumerated attributes the human readable value is
# provided and not the numeric value (Depends on the 'raw_value' config item).
# {
# "<attribute0>":{
# "attr_num":<attr_num0>,
# "type":"<type0>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":{
# "attr_num":<attr_num1>,
# "type":"<type1>",
# "value":[...]
# },
# "<attributeN>":{
# "attr_num":<attr_numN>,
# "type":"<typeN>",
# "value":[...]
# },
# }
#
# The response format adds three optional fields:
# - do_xlat If true, any values will be xlat expanded. Defaults to true.
# - is_json If true, any nested JSON data will be copied to the attribute
# in string form. Defaults to true.
# - op Controls how the attribute is inserted into the target list.
# Defaults to ':='. To create multiple attributes from multiple
# values, this should be set to '+=', otherwise only the last
# value will be used, and it will be assigned to a single
# attribute.
# {
# "<attribute0>":{
# "is_json":<bool>,
# "do_xlat":<bool>,
# "op":"<operator>",
# "value":[<value0>,<value1>,<valueN>]
# },
# "<attribute1>":"value",
# "<attributeN>":{
# "value":[<value0>,<value1>,<valueN>],
# "op":"+="
# }
# }
#
# Module return codes are determined by HTTP response codes. These vary depending on the
# section.
#
# If the body is processed and found to be malformed or unsupported fail will be returned.
# If the body is processed and found to contain attribute updated will be returned,
# except in the case of a 401 code.
#
# Authorize/Authenticate
#
# Code Meaning Process body Module code
# 404 not found no notfound
# 410 gone no notfound
# 403 forbidden no userlock
# 401 unauthorized yes reject
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
#
# The status code is held in %{reply:REST-HTTP-Status-Code}.
#
authorize {
uri = "${..connect_uri}radius/auth"
method = 'post'
body = 'json'
data = '{"ip": "%{Packet-Src-IP-Address}", "hotspot-group": "%{raw:Called-Station-Id}", "hotspot-id": "%{raw:NAS-Identifier}"}'
force_to = 'json'
auth = 'none'
require_auth = no
timeout = 4.000000
}
# authorize {
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authorize"
# method = 'get'
# tls = ${..tls}
# }
# authenticate {
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=authenticate"
# method = 'get'
# tls = ${..tls}
# }
# Preacct/Accounting/Post-auth/Pre-Proxy/Post-Proxy
#
# Code Meaning Process body Module code
# 204 no content no ok
# 2xx successful yes ok/updated
# 5xx server error no fail
# xxx - no invalid
# preacct {
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=preacct"
# method = 'post'
# tls = ${..tls}
# }
# accounting {
# uri = "${..connect_uri}/user/%{User-Name}/sessions/%{Acct-Unique-Session-ID}?action=accounting"
# method = 'post'
# tls = ${..tls}
# }
# post-auth {
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-auth"
# method = 'post'
# tls = ${..tls}
# }
# pre-proxy {
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=pre-proxy"
# method = 'post'
# tls = ${..tls}
# }
# post-proxy {
# uri = "${..connect_uri}/user/%{User-Name}/mac/%{Called-Station-ID}?action=post-proxy"
# method = 'post'
# tls = ${..tls}
# }
#
# The connection pool is used to pool outgoing connections.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# web service being available.
start = ${thread[pool].start_servers}
# Minimum number of connections to keep open
min = ${thread[pool].min_spare_servers}
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
max = ${thread[pool].max_servers}
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = ${thread[pool].max_spare_servers}
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The number of seconds to wait after the server tries
# to open a connection, and fails. During this time,
# no new connections will be opened.
retry_delay = 30
# The lifetime (in seconds) of the connection
lifetime = 0
# idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
idle_timeout = 60
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}