1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
--- doc/sample.config.orig 2020-12-03 22:31:10 UTC
+++ doc/sample.config
@@ -19,7 +19,7 @@
# This enabled PAM authentication of the user. The gid-min option is used
# by auto-select-group option, in order to select the minimum valid group ID.
#
-# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
+# plain[passwd=%%ETCDIR%%/ocpasswd,otp=%%ETCDIR%%/users.otp]
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
@@ -28,7 +28,7 @@
# an oath password file to be used for one time passwords; the format of
# the file is described in https://github.com/archiecobbs/mod-authn-otp/wiki/UsersFile
#
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
+# radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
# The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overridden,
# and all configuration will be read from radius. That also includes the
@@ -47,10 +47,10 @@
#auth = "pam"
#auth = "pam[gid-min=1000]"
-#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
-auth = "plain[passwd=./sample.passwd]"
+#auth = "plain[passwd=%%ETCDIR%%/sample.passwd,otp=%%ETCDIR%%/sample.otp]"
+auth = "plain[passwd=%%ETCDIR%%/sample.passwd]"
#auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
+#auth = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
@@ -71,7 +71,7 @@ auth = "plain[passwd=./sample.passwd]"
# PAM.
#
# Only one accounting method can be specified.
-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
+#acct = "radius[config=%%PREFIX%%/etc/radiusclient/radiusclient.conf]"
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
@@ -96,8 +96,8 @@ udp-port = 443
# The user the worker processes will be run as. This should be a dedicated
# unprivileged user (e.g., 'ocserv') and no other services should run as this
# user.
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = %%USERS%%
+run-as-group = %%GROUPS%%
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
@@ -124,22 +124,20 @@ socket-file = /var/run/ocserv-socket
# certificate renewal (they are checked and reloaded periodically;
# a SIGHUP signal to main server will force reload).
-#server-cert = /etc/ocserv/server-cert.pem
-#server-key = /etc/ocserv/server-key.pem
-server-cert = ../tests/certs/server-cert.pem
-server-key = ../tests/certs/server-key.pem
+server-cert = %%ETCDIR%%/server-cert.pem
+server-key = %%ETCDIR%%/server-key.pem
# Diffie-Hellman parameters. Only needed if for old (pre 3.6.0
# versions of GnuTLS for supporting DHE ciphersuites.
# Can be generated using:
-# certtool --generate-dh-params --outfile /etc/ocserv/dh.pem
-#dh-params = /etc/ocserv/dh.pem
+# certtool --generate-dh-params --outfile %%ETCDIR%%/dh.pem
+#dh-params = %%ETCDIR%%/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
-#pin-file = /etc/ocserv/pin.txt
-#srk-pin-file = /etc/ocserv/srkpin.txt
+#pin-file = %%ETCDIR%%/pin.txt
+#srk-pin-file = %%ETCDIR%%/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
@@ -153,8 +151,7 @@ server-key = ../tests/certs/server-key.pem
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
-#ca-cert = /etc/ocserv/ca.pem
-ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/ca.pem
### All configuration options below this line are reloaded on a SIGHUP.
@@ -166,15 +163,9 @@ ca-cert = ../tests/certs/ca.pem
### failures during the reloading time.
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
+# ocserv 1.1.1 on FreeBSD does not currently support process isolation,
+# because ocserv only supports Linux's seccomp system, but not capsicum(4).
+#isolate-workers = false
# A banner to be displayed on clients after connection
#banner = "Welcome"
@@ -255,7 +246,7 @@ try-mtu-discovery = false
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
-#ocsp-response = /etc/ocserv/ocsp.der
+#ocsp-response = %%ETCDIR%%/ocsp.der
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
@@ -274,7 +265,7 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
-#crl = /etc/ocserv/crl.pem
+#crl = %%ETCDIR%%/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
#compression = true
@@ -543,15 +534,15 @@ no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software.
-# If set, the script /usr/bin/ocserv-fw will be called to restrict
+# If set, the script %%PREFIX%%/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
-# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
+# All the routes applied by ocserv can be reverted using %%PREFIX%%/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
-# script /usr/bin/ocserv-fw will be called to restrict the user to
+# script %%PREFIX%%/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
@@ -599,13 +590,13 @@ no-route = 192.168.5.0/255.255.255.0
# hostname to override any proposed by the user. Note also, that, any
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
-#config-per-user = /etc/ocserv/config-per-user/
-#config-per-group = /etc/ocserv/config-per-group/
+#config-per-user = %%ETCDIR%%/config-per-user/
+#config-per-group = %%ETCDIR%%/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
-#default-user-config = /etc/ocserv/defaults/user.conf
-#default-group-config = /etc/ocserv/defaults/group.conf
+#default-user-config = %%ETCDIR%%/defaults/user.conf
+#default-group-config = %%ETCDIR%%/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
@@ -627,7 +618,7 @@ no-route = 192.168.5.0/255.255.255.0
# In MIT kerberos you'll need to add in realms:
# EXAMPLE.COM = {
# kdc = https://ocserv.example.com/KdcProxy
-# http_anchors = FILE:/etc/ocserv-ca.pem
+# http_anchors = FILE:%%ETCDIR%%/ocserv-ca.pem
# }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
@@ -701,13 +692,13 @@ dtls-legacy = true
[vhost:www.example.com]
auth = "certificate"
-ca-cert = ../tests/certs/ca.pem
+ca-cert = %%ETCDIR%%/ca.pem
# The certificate set here must include a 'dns_name' corresponding to
# the virtual host name.
-server-cert = ../tests/certs/server-cert-secp521r1.pem
-server-key = ../tests/certs/server-key-secp521r1.pem
+server-cert = %%ETCDIR%%/server-cert-secp521r1.pem
+server-key = %%ETCDIR%%/server-key-secp521r1.pem
ipv4-network = 192.168.2.0
ipv4-netmask = 255.255.255.0
|
