source: freeDiameter/doc/freediameter.conf.sample @ 706:4ffbc9f1e922

Revision 706:4ffbc9f1e922, 8.1 KB checked in by Sebastien Decugis <sdecugis@nict.go.jp>, 16 months ago (diff)

Large UNTESTED commit with the following changes:

  • Improved DiameterIdentity? handling (esp. internationalization issues), and improve efficiency of some string operations in peers, sessions, and dictionary modules (closes #7)
  • Cleanup in the session module to free only unreferenced sessions (#16)
  • Removed fd_cpu_flush_cache(), replaced by more robust alternatives.
  • Improved peer state machine algorithm to counter SCTP multistream race condition.
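# This is a sample configuration file for freeDiameter daemon.

# Only the "TLS_Cred" directive is really mandatory in this file.

##############################################################
##  Peer identity and realm

# The Diameter Identity of this daemon.
# This must be a valid FQDN that resolves to the local host.
# Default: hostname's FQDN
#Identity = "aaa.koganei.freediameter.net";

# The Diameter Realm of this daemon.
# Default: the domain part of Identity (after the first dot).
#Realm = "koganei.freediameter.net";

##############################################################
##  Transport protocol configuration

# The port this peer is listening on for incoming connections (TCP and SCTP).
# Default: 3868
#Port = 3868;

# The port this peer is listening on for incoming TLS connections (TCP and SCTP).
# See TLS_old_method for more information.
# Default: 3869
#SecPort = 3869;

# Use RFC3588 method for TLS protection, where TLS is negotiated after CER/CEA
# on the same port. This only affects outgoing connections. It can be overridden
# on a per-peer basis.
# Default: use RFC3588bis method with separate port for TLS.
#TLS_old_method;

# Disable use of TCP protocol (only listen and connect in SCTP)
# Default : TCP enabled
#No_TCP;

# Disable use of SCTP protocol (only listen and connect in TCP)
# Default : SCTP enabled
#No_SCTP;
# This option has no effect if freeDiameter is compiled with DISABLE_SCTP option,
# in which case the value is forced to "SCTP disabled".

# Prefer TCP over SCTP for establishing new connections.
# It may be overridden per peer in peer configuration blocks.
# Default : SCTP is preferred.
#Prefer_TCP;

# Default number of streams per SCTP association.
# It can be overridden on a per-peer basis.
# Default : 30 streams
#SCTP_streams = 30;

##############################################################
##  Endpoints configuration

# Disable use of IPv4 addresses (only IPv6)
# Default : IPv4 enabled
#No_IP;

# Disable use of IPv6 addresses (only IPv4)
# Default : IPv6 enabled
#No_IPv6;

# Specify local addresses where the server must listen
# Default : listen on all addresses available.
# NOTE: on a multi-homed host, listing the intended addresses here keeps the
# daemon off interfaces that should not expose the Diameter service.
#ListenOn = "202.249.37.5";
#ListenOn = "2001:200:903:2::202:1";
#ListenOn = "fe80::21c:5ff:fe98:7d62%eth0";

# Note: although by default freeDiameter listens also on the loopback interface, it
# will not be able to connect to the loopback address.

##############################################################
##  TLS Configuration

# TLS is managed by the GNUTLS library in the freeDiameter daemon.
# You may find more information about parameters and special behaviors
# in the relevant documentation.
# http://www.gnu.org/software/gnutls/manual/

# Credentials of the local peer
# The X509 certificate and private key file to use for the local peer.
# The files must contain PKCS-1 encoded RSA key, in PEM format.
# (These parameters are passed to gnutls_certificate_set_x509_key_file function)
# NOTE: the private key file should be readable only by the user the daemon
# runs as; anyone who can read it can impersonate this peer.
# Default : NO DEFAULT
#TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>";
TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key";

# Certificate authority / trust anchors
# The file containing the list of trusted Certificate Authorities (PEM list)
# (This parameter is passed to gnutls_certificate_set_x509_trust_file function)
# The directive can appear several times to specify several files.
# NOTE: set this explicitly so that which peers are trusted does not depend on
# the library's default trust store.
# Default : GNUTLS default behavior
#TLS_CA = "<file.PEM>";

# Certificate Revocation List file
# The information about revoked certificates.
# The file contains a list of trusted CRLs in PEM format. They should have been verified before.
# (This parameter is passed to gnutls_certificate_set_x509_crl_file function)
# Note: currently, openssl CRL seems not supported...
# Default : GNUTLS default behavior
#TLS_CRL = "<file.PEM>";

# GNU TLS Priority string
# This string configures the behavior of GNUTLS key exchange
# algorithms. See gnutls_priority_init function documentation for information.
# You should also refer to the Diameter required TLS support here:
#   http://tools.ietf.org/html/draft-ietf-dime-rfc3588bis-18#section-13.1
# NOTE: the example below only illustrates the syntax; check the listed
# protocol version and algorithms against current guidance before using it.
# Default : "NORMAL"
# Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL";
#TLS_Prio = "NORMAL";

# Diffie-Hellman parameters size
# Set the number of bits for generated DH parameters
# Valid value should be 768, 1024, 2048, 3072 or 4096.
# (This parameter is passed to gnutls_dh_params_generate2 function,
# it usually should match RSA key size)
# NOTE: 768- and 1024-bit DH parameters are below current recommendations;
# prefer 2048 or larger for new deployments.
# Default : 1024
#TLS_DH_Bits = 1024;

# Alternatively, you can specify a file to load the PKCS#3 encoded
# DH parameters directly from. This accelerates the daemon start
# but is slightly less secure. If this file is provided, the
# TLS_DH_Bits parameter has no effect.
# Default : no default.
#TLS_DH_File = "<file.PEM>";


##############################################################
##  Timers configuration

# The Tc timer of this peer.
# It is the delay before a new attempt is made to reconnect a disconnected peer.
# The value is expressed in seconds. The recommended value is 30 seconds.
# Default: 30
#TcTimer = 30;

# The Tw timer of this peer.
# It is the delay before a watchdog message is sent, as described in RFC 3539.
# The value is expressed in seconds. The default value is 30 seconds. Value must
# be greater than or equal to 6 seconds. See details in the RFC.
# Default: 30
#TwTimer = 30;

##############################################################
##  Applications configuration

# Disable the relaying of Diameter messages?
# For messages not handled locally, the default behavior is to forward the
# message to another peer if any is available, according to the routing
# algorithms. In addition the "0xffffff" application is advertised in CER/CEA
# exchanges.
# Default: Relaying is enabled.
#NoRelay;

# Number of server threads that can handle incoming messages at the same time.
#  TODO: implement dynamic # of threads depending on the length of the queue.
# Default: 4
#AppServThreads = 4;

# Other applications are configured by loading appropriate extensions.

##############################################################
##  Extensions configuration

#  The freeDiameter daemon merely provides support for
# Diameter Base Protocol. The specific application behaviors,
# as well as advanced functions of the daemon, are provided
# by loadable extensions (plug-ins).
#  These extensions may in addition receive the name of a
# configuration file, the format of which is extension-specific.
#  Extensions are loaded into the daemon's process and run with its
# privileges, so only load extensions from trusted, write-protected paths.
#
# Format:
#LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ;
#
# Examples:
#LoadExtension = "extensions/sample.so";
#LoadExtension = "extensions/sample.so":"conf/sample.conf";


##############################################################
##  Peers configuration

#  The local server listens for incoming connections. By default,
# all unknown connecting peers are rejected. Extensions can override this behavior.
#
#  In addition to incoming connections, the local peer can
# be configured to establish and maintain connections to some
# Diameter nodes and allow connections from these nodes.
#  This is achieved with the ConnectPeer directive described below.
#
# Note that the configured Diameter Id MUST match
# the information received inside CEA, or the connection will be aborted.
#
# Note also, loopback addresses are not allowed currently in freeDiameter
# (because of a bad behavior if they are allowed).
# As a workaround, one might provide a public address of the local machine to
# test locally.
#
# Format:
#ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ;
# Parameters that can be specified in the peer's parameter list:
#  No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method;
#  No_TLS;       # assume transparent security instead of TLS
#                # (only appropriate when the transport to that peer is
#                #  already protected by other means, e.g. IPsec)
#  Port = 3868;  # The port to connect to
#  TcTimer = 30;
#  TwTimer = 30;
#  ConnectTo = "202.249.37.5";
#  ConnectTo = "2001:200:903:2::202:1";
#  TLS_Prio = "NORMAL";
#  Realm = "realm.net"; # Reject the peer if it does not advertise this realm.
# Examples:
#ConnectPeer = "aaa.wide.ad.jp";
#ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; } ;


##############################################################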