#  -*- text -*-
#
#
#	$Id: c85bcc95593e0003672ea8596a87d565162f2d49 $

#######################################################################
#
#  = ABFAB listening on TLS
#
#  If you need to provide the `abfab-tr-idp` with SSL support, enable it.
#

#
#  ## Example configuration
#

#
#  ### listen { ... }
#
listen {
	ipaddr = *
	port = 2083
	type = auth
	proto = tcp

	#
	#  ## tls { ... }
	#
	tls {
		#
		#  NOTE: Moonshot tends to distribute certs separate from keys.
		#
		chain {
			certificate_file = ${certdir}/server.pem
			private_key_file = ${certdir}/server.key
			private_key_password = whatever
		}

		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh
		fragment_size = 8192
		ca_path = ${cadir}
		cipher_list = "DEFAULT"

		cache {
			enable = no
			lifetime = 24 # hours
			max_entries = 255
		}

		require_client_cert = yes
		verify {

		}

		psk_query = %psksql("select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'")
	}

	#
	#  .Please see the `sites-availables/abfab-idp` file.
	#
	virtual_server = abfab-idp

	#
	#  .Reference to the next `clients {...}` section.
	#
	clients = radsec-abfab
}

#
#  ### clients { ... }
#
#  This client stanza will match other RP proxies from other realms
#  established via the trustrouter.  In general additional client
#  stanzas are also required for local services.
#
clients radsec-abfab {
	#
	#  .Allow all clients, but require TLS.
	#
	client default {
		ipaddr = 0.0.0.0/0
		proto = tls
	}

	#
	#  .An example local service.
	#
	client service_1 {

	#
	#  ipaddr::
	#
#		ipaddr = 192.0.2.20
	#
	#  gss_acceptor_host_name::
	#
	#  You should either set `gss_acceptor_host_name` below or set up policy to confirm
	#  that a client claims the right acceptor hostname when using ABFAB.
	#
	#  If set, the RADIUS server will confirm that all requests have this value for the
	#  acceptor host name.
  	#
#		gss_acceptor_host_name = "server.example.com"

	#
	#  gss_acceptor_realm_name:: Foreign realms will typically reject a request
	#  if this is not properly set.
	#
#		gss_acceptor_realm_name = "example.com"

	#
  	#  trust_router_coi:: Override the `default_community` in the realm module.
  	#
#		trust_router_coi =  "community1.example.net"

	#
	#  IMPORTANT: In production deployments it is important to set up certificate
	#  verification so that even if clients spoof IP addresses, one client cannot
	#  impersonate another.
  	#

	}
}
