|
|
|
|
@ -34,7 +34,7 @@
|
|
|
|
|
# and all configuration will be read from radius. That also includes the
|
|
|
|
|
# Acct-Interim-Interval, and Session-Timeout values.
|
|
|
|
|
#
|
|
|
|
|
# See doc/README-radius.md for the supported radius configuration atributes.
|
|
|
|
|
# See doc/README-radius.md for the supported radius configuration attributes.
|
|
|
|
|
#
|
|
|
|
|
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
|
|
|
|
|
# The gssapi option allows one to use authentication methods supported by GSSAPI,
|
|
|
|
|
@ -72,25 +72,29 @@ auth = "pam"
|
|
|
|
|
# Only one accounting method can be specified.
|
|
|
|
|
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
|
|
|
|
|
|
|
|
|
|
# Use listen-host to limit to specific IPs or to the IPs of a provided
|
|
|
|
|
# Use listen-host to limit to specific IPs or to the IPs of a provided
|
|
|
|
|
# hostname.
|
|
|
|
|
#listen-host = [IP|HOSTNAME]
|
|
|
|
|
|
|
|
|
|
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
|
|
|
|
|
# hostname. if not set, listen-host will be used
|
|
|
|
|
#udp-listen-host = [IP|HOSTNAME]
|
|
|
|
|
|
|
|
|
|
# When the server has a dynamic DNS address (that may change),
|
|
|
|
|
# should set that to true to ask the client to resolve again on
|
|
|
|
|
# reconnects.
|
|
|
|
|
#listen-host-is-dyndns = true
|
|
|
|
|
|
|
|
|
|
# Use udp-listen-host to limit udp to specific IPs or to the IPs of a provided
|
|
|
|
|
# hostname. if not set, listen-host will be used
|
|
|
|
|
#udp-listen-host = [IP|HOSTNAME]
|
|
|
|
|
# move the listen socket within the specified network namespace
|
|
|
|
|
# listen-netns = "foo"
|
|
|
|
|
|
|
|
|
|
# TCP and UDP port number
|
|
|
|
|
tcp-port = 443
|
|
|
|
|
udp-port = 443
|
|
|
|
|
|
|
|
|
|
# The user the worker processes will be run as. It should be
|
|
|
|
|
# unique (no other services run as this user).
|
|
|
|
|
# The user the worker processes will be run as. This should be a dedicated
|
|
|
|
|
# unprivileged user (e.g., 'ocserv') and no other services should run as this
|
|
|
|
|
# user.
|
|
|
|
|
run-as-user = ocserv
|
|
|
|
|
run-as-group = ocserv
|
|
|
|
|
|
|
|
|
|
@ -148,7 +152,10 @@ server-key = /etc/pki/ocserv/private/server.key
|
|
|
|
|
# is set.
|
|
|
|
|
#ca-cert = /etc/ocserv/ca.pem
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The number of sub-processes to use for the security module (authentication)
|
|
|
|
|
# processes. Typically this should not be set as the number of processes
|
|
|
|
|
# is determined automatically by the initially set maximum number of clients.
|
|
|
|
|
#sec-mod-scale = 4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### All configuration options below this line are reloaded on a SIGHUP.
|
|
|
|
|
@ -167,7 +174,7 @@ server-key = /etc/pki/ocserv/private/server.key
|
|
|
|
|
# Note however, that process isolation is restricted to the specific libc versions
|
|
|
|
|
# the isolation was tested at. If you get random failures on worker processes, try
|
|
|
|
|
# disabling that option and report the failures you, along with system and debugging
|
|
|
|
|
# information at: https://gitlab.com/ocserv/ocserv/issues
|
|
|
|
|
# information at: https://gitlab.com/openconnect/ocserv/issues
|
|
|
|
|
isolate-workers = true
|
|
|
|
|
|
|
|
|
|
# A banner to be displayed on clients after connection
|
|
|
|
|
@ -176,7 +183,8 @@ isolate-workers = true
|
|
|
|
|
# A banner to be displayed on clients before connection
|
|
|
|
|
#pre-login-banner = "Welcome"
|
|
|
|
|
|
|
|
|
|
# Limit the number of clients. Unset or set to zero for unlimited.
|
|
|
|
|
# Limit the number of clients. Unset or set to zero if unknown. In
|
|
|
|
|
# that case the maximum value is ~8k clients.
|
|
|
|
|
#max-clients = 1024
|
|
|
|
|
max-clients = 16
|
|
|
|
|
|
|
|
|
|
@ -238,6 +246,10 @@ switch-to-tcp-timeout = 25
|
|
|
|
|
# MTU discovery (DPD must be enabled)
|
|
|
|
|
try-mtu-discovery = false
|
|
|
|
|
|
|
|
|
|
# To enable load-balancer connection draining, set server-drain-ms to a value
|
|
|
|
|
# higher than your load-balancer health probe interval.
|
|
|
|
|
#server-drain-ms = 15000
|
|
|
|
|
|
|
|
|
|
# If you have a certificate from a CA that provides an OCSP
|
|
|
|
|
# service you may provide a fresh OCSP status response within
|
|
|
|
|
# the TLS handshake. That will prevent the client from connecting
|
|
|
|
|
@ -294,11 +306,8 @@ cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
|
|
|
tls-priorities = "NORMAL:%SERVER_PRECEDENCE"
|
|
|
|
|
|
|
|
|
|
# That option requires the established DTLS channel to use the same
|
|
|
|
|
# cipher as the primary TLS channel. This cannot be combined with
|
|
|
|
|
# listen-clear-file since the ciphersuite information is not available
|
|
|
|
|
# in that configuration. Note also, that this option implies that
|
|
|
|
|
# dtls-legacy option is false; this option cannot be enforced
|
|
|
|
|
# in the legacy/compat protocol.
|
|
|
|
|
# cipher as the primary TLS channel.Note also, that this option implies
|
|
|
|
|
# that the dtls-legacy option is false; this option cannot be enforced
|
|
|
|
|
#match-tls-dtls-ciphers = true
|
|
|
|
|
|
|
|
|
|
# The time (in seconds) that a client is allowed to stay connected prior
|
|
|
|
|
@ -327,11 +336,9 @@ min-reauth-time = 300
|
|
|
|
|
# that get a score over that configured number are banned for
|
|
|
|
|
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
|
|
|
|
|
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
|
|
|
|
|
# due to difference processes being involved the count of points
|
|
|
|
|
# will not be real-time precise.
|
|
|
|
|
#
|
|
|
|
|
# Score banning cannot be reliably used when receiving proxied connections
|
|
|
|
|
# locally from an HTTP server (i.e., when listen-clear-file is used).
|
|
|
|
|
# due to different processes being involved the count of points
|
|
|
|
|
# will not be real-time precise. Local subnet IPs are exempt to allow
|
|
|
|
|
# services that check for process health.
|
|
|
|
|
#
|
|
|
|
|
# Set to zero to disable.
|
|
|
|
|
max-ban-score = 80
|
|
|
|
|
@ -381,7 +388,8 @@ rekey-method = ssl
|
|
|
|
|
# Script to call when a client connects and obtains an IP.
|
|
|
|
|
# The following parameters are passed on the environment.
|
|
|
|
|
# REASON, VHOST, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
|
|
|
|
|
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
|
|
|
|
|
# REMOTE_HOSTNAME (the remotely advertised hostname), IP_REAL_LOCAL
|
|
|
|
|
# (the local interface IP the client connected), IP_LOCAL
|
|
|
|
|
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
|
|
|
|
|
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
|
|
|
|
|
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
|
|
|
|
|
@ -400,6 +408,12 @@ rekey-method = ssl
|
|
|
|
|
#connect-script = /usr/bin/ocserv-script
|
|
|
|
|
#disconnect-script = /usr/bin/ocserv-script
|
|
|
|
|
|
|
|
|
|
# This script is to be called when the client's advertised hostname becomes
|
|
|
|
|
# available. It will contain REASON with "host-update" value and the
|
|
|
|
|
# variable REMOTE_HOSTNAME in addition to the connect variables.
|
|
|
|
|
|
|
|
|
|
#host-update-script = /usr/bin/myhostnamescript
|
|
|
|
|
|
|
|
|
|
# UTMP
|
|
|
|
|
# Register the connected clients to utmp. This will allow viewing
|
|
|
|
|
# the connected clients using the command 'who'.
|
|
|
|
|
@ -412,6 +426,20 @@ use-occtl = true
|
|
|
|
|
# PID file. It can be overridden in the command line.
|
|
|
|
|
pid-file = /var/run/ocserv.pid
|
|
|
|
|
|
|
|
|
|
# Log Level. Ocserv sends the logging messages to standard error
|
|
|
|
|
# as well as the system log. The log level can be overridden in the
|
|
|
|
|
# command line with the -d option. All messages at the configured
|
|
|
|
|
# level and lower will be displayed.
|
|
|
|
|
# Supported levels (default 0):
|
|
|
|
|
# 0 default (Same as basic)
|
|
|
|
|
# 1 basic
|
|
|
|
|
# 2 info
|
|
|
|
|
# 3 debug
|
|
|
|
|
# 4 http
|
|
|
|
|
# 8 sensitive
|
|
|
|
|
# 9 TLS
|
|
|
|
|
log-level = 1
|
|
|
|
|
|
|
|
|
|
# Set the protocol-defined priority (SO_PRIORITY) for packets to
|
|
|
|
|
# be sent. That is a number from 0 to 6 with 0 being the lowest
|
|
|
|
|
# priority. Alternatively this can be used to set the IP Type-
|
|
|
|
|
@ -434,7 +462,8 @@ device = vpns
|
|
|
|
|
# same for the same user when possible.
|
|
|
|
|
predictable-ips = true
|
|
|
|
|
|
|
|
|
|
# The default domain to be advertised
|
|
|
|
|
# The default domain to be advertised. Multiple domains (functional on
|
|
|
|
|
# openconnect clients) can be provided in a space separated list.
|
|
|
|
|
default-domain = example.com
|
|
|
|
|
|
|
|
|
|
# The pool of addresses that leases will be given from. If the leases
|
|
|
|
|
@ -561,10 +590,10 @@ no-route = 192.168.5.0/255.255.255.0
|
|
|
|
|
# per group. Each file name on these directories must match the username
|
|
|
|
|
# or the groupname.
|
|
|
|
|
# The options allowed in the configuration files are dns, nbns,
|
|
|
|
|
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
|
|
|
|
|
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
|
|
|
|
|
# ipv?-network, ipv4-netmask, rx/tx-data-per-sec, iroute, route, no-route,
|
|
|
|
|
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
|
|
|
|
|
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
|
|
|
|
|
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
|
|
|
|
|
# restrict-user-to-routes, cgroup, stats-report-time,
|
|
|
|
|
# mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
|
|
|
|
|
# split-dns and session-timeout.
|
|
|
|
|
#
|
|
|
|
|
@ -628,10 +657,13 @@ no-route = 192.168.5.0/255.255.255.0
|
|
|
|
|
# </AnyConnectProfile>
|
|
|
|
|
#
|
|
|
|
|
# Other fields may be used by some of the CISCO clients.
|
|
|
|
|
# This file must be accessible from inside the worker's chroot.
|
|
|
|
|
# Note that enabling this option is not recommended as it will allow
|
|
|
|
|
# the worker processes to open arbitrary files (when isolate-workers is
|
|
|
|
|
# set to true).
|
|
|
|
|
# This file must be accessible from inside the worker's chroot.
|
|
|
|
|
# Note that:
|
|
|
|
|
# (1) enabling this option is not recommended as it will allow the
|
|
|
|
|
# worker processes to open arbitrary files (when isolate-workers is
|
|
|
|
|
# set to true).
|
|
|
|
|
# (2) This option cannot be set per-user or per-group; only the global
|
|
|
|
|
# version is being sent to client.
|
|
|
|
|
#user-profile = profile.xml
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
@ -657,6 +689,35 @@ cisco-client-compat = true
|
|
|
|
|
# by the dtls-psk protocol supported by openconnect 7.08+.
|
|
|
|
|
dtls-legacy = true
|
|
|
|
|
|
|
|
|
|
# This option will enable the settings needed for Cisco SVC IPPhone clients
|
|
|
|
|
# to connect. It implies dtls-legacy = true and tls-priorities is changed to
|
|
|
|
|
# only the ciphers the device supports.
|
|
|
|
|
cisco-svc-client-compat = false
|
|
|
|
|
|
|
|
|
|
# This option will enable the X-CSTP-Client-Bypass-Protocol (disabled by default).
|
|
|
|
|
# If the server has not configured an IPv6 or IPv4 address pool, enabling this option
|
|
|
|
|
# will instruct the client to bypass the server for that IP protocol. The option is
|
|
|
|
|
# currently only understood by Anyconnect clients.
|
|
|
|
|
client-bypass-protocol = false
|
|
|
|
|
|
|
|
|
|
# The following options are related to server camouflage (hidden service)
|
|
|
|
|
|
|
|
|
|
# This option allows you to enable the camouflage feature of ocserv that makes it look
|
|
|
|
|
# like a web server to unauthorized parties.
|
|
|
|
|
# With "camouflage" enabled, connection to the VPN can be established only if the client provided a specific
|
|
|
|
|
# "secret string" in the connection URL, e.g. "https://example.com/?mysecretkey",
|
|
|
|
|
# otherwise the server will return HTTP error for all requests.
|
|
|
|
|
camouflage = false
|
|
|
|
|
|
|
|
|
|
# The URL prefix that should be set on the client (after '?' sign) to pass through the camouflage check,
|
|
|
|
|
# e.g. in case of 'mysecretkey', the server URL on the client should be like "https://example.com/?mysecretkey".
|
|
|
|
|
camouflage_secret = "mysecretkey"
|
|
|
|
|
|
|
|
|
|
# Defines the realm (browser prompt) for HTTP authentication.
|
|
|
|
|
# If no realm is set, the server will return 404 Not found error instead of 401 Unauthorized.
|
|
|
|
|
# Better change it from the default value to avoid fingerprinting.
|
|
|
|
|
camouflage_realm = "Restricted Content"
|
|
|
|
|
|
|
|
|
|
#Advanced options
|
|
|
|
|
|
|
|
|
|
# Option to allow sending arbitrary custom headers to the client after
|
|
|
|
|
@ -669,8 +730,8 @@ dtls-legacy = true
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## An example virtual host with different authentication methods serviced
|
|
|
|
|
## by this server.
|
|
|
|
|
# An example virtual host with different authentication methods serviced
|
|
|
|
|
# by this server.
|
|
|
|
|
|
|
|
|
|
#[vhost:www.example.com]
|
|
|
|
|
#auth = "certificate"
|
|
|
|
|
@ -687,3 +748,18 @@ dtls-legacy = true
|
|
|
|
|
#ipv4-netmask = 255.255.255.0
|
|
|
|
|
|
|
|
|
|
#cert-user-oid = 0.9.2342.19200300.100.1.1
|
|
|
|
|
|
|
|
|
|
# HTTP headers
|
|
|
|
|
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
|
|
|
|
|
included-http-headers = X-Frame-Options: deny
|
|
|
|
|
included-http-headers = X-Content-Type-Options: nosniff
|
|
|
|
|
included-http-headers = Content-Security-Policy: default-src 'none'
|
|
|
|
|
included-http-headers = X-Permitted-Cross-Domain-Policies: none
|
|
|
|
|
included-http-headers = Referrer-Policy: no-referrer
|
|
|
|
|
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
|
|
|
|
|
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
|
|
|
|
|
included-http-headers = Cross-Origin-Opener-Policy: same-origin
|
|
|
|
|
included-http-headers = Cross-Origin-Resource-Policy: same-origin
|
|
|
|
|
included-http-headers = X-XSS-Protection: 0
|
|
|
|
|
included-http-headers = Pragma: no-cache
|
|
|
|
|
included-http-headers = Cache-control: no-store, no-cache
|
|
|
|
|
|
Nikos Mavrogiannopoulos
1 year ago