1 | # This is a sample configuration file for freeDiameter daemon. |
---|
2 | |
---|
3 | # Most of the options can be omitted, as they default to reasonable values. |
---|
4 | # Only TLS-related options must be configured properly in usual setups. |
---|
5 | |
---|
6 | # It is possible to use "include" keyword to import additional files |
---|
7 | # e.g.: include "/etc/freeDiameter.d/*.conf" |
---|
8 | # This is exactly equivalent as copy & paste the content of the included file(s) |
---|
9 | # where the "include" keyword is found. |
---|
10 | |
---|
11 | |
---|
12 | ############################################################## |
---|
13 | ## Peer identity and realm |
---|
14 | |
---|
15 | # The Diameter Identity of this daemon. |
---|
16 | # This must be a valid FQDN that resolves to the local host. |
---|
17 | # Default: hostname's FQDN |
---|
18 | #Identity = "aaa.koganei.freediameter.net"; |
---|
19 | |
---|
20 | # The Diameter Realm of this daemon. |
---|
21 | # Default: the domain part of Identity (after the first dot). |
---|
22 | #Realm = "koganei.freediameter.net"; |
---|
23 | |
---|
24 | ############################################################## |
---|
25 | ## Transport protocol configuration |
---|
26 | |
---|
27 | # The port this peer is listening on for incoming connections (TCP and SCTP). |
---|
28 | # Default: 3868. Use 0 to disable. |
---|
29 | #Port = 3868; |
---|
30 | |
---|
31 | # The port this peer is listening on for incoming TLS-protected connections (TCP and SCTP). |
---|
32 | # See TLS_old_method for more information about TLS flavours. |
---|
33 | # Note: we use TLS/SCTP instead of DTLS/SCTP at the moment. This will change in future version of freeDiameter. |
---|
34 | # Default: 5868. Use 0 to disable. |
---|
35 | #SecPort = 5868; |
---|
36 | |
---|
37 | # Use RFC3588 method for TLS protection, where TLS is negociated after CER/CEA exchange is completed |
---|
38 | # on the unsecure connection. The alternative is RFC6733 mechanism, where TLS protects also the |
---|
39 | # CER/CEA exchange on a dedicated secure port. |
---|
40 | # This parameter only affects outgoing connections. |
---|
41 | # The setting can be also defined per-peer (see Peers configuration section). |
---|
42 | # Default: use RFC6733 method with separate port for TLS. |
---|
43 | #TLS_old_method; |
---|
44 | |
---|
45 | # Disable use of TCP protocol (only listen and connect over SCTP) |
---|
46 | # Default : TCP enabled |
---|
47 | #No_TCP; |
---|
48 | |
---|
49 | # Disable use of SCTP protocol (only listen and connect over TCP) |
---|
50 | # Default : SCTP enabled |
---|
51 | #No_SCTP; |
---|
52 | # This option is ignored if freeDiameter is compiled with DISABLE_SCTP option. |
---|
53 | |
---|
54 | # Prefer TCP instead of SCTP for establishing new connections. |
---|
55 | # This setting may be overwritten per peer in peer configuration blocs. |
---|
56 | # Default : SCTP is attempted first. |
---|
57 | #Prefer_TCP; |
---|
58 | |
---|
59 | # Default number of streams per SCTP associations. |
---|
60 | # This setting may be overwritten per peer basis. |
---|
61 | # Default : 30 streams |
---|
62 | #SCTP_streams = 30; |
---|
63 | |
---|
64 | ############################################################## |
---|
65 | ## Endpoint configuration |
---|
66 | |
---|
67 | # Disable use of IP addresses (only IPv6) |
---|
68 | # Default : IP enabled |
---|
69 | #No_IP; |
---|
70 | |
---|
71 | # Disable use of IPv6 addresses (only IP) |
---|
72 | # Default : IPv6 enabled |
---|
73 | #No_IPv6; |
---|
74 | |
---|
75 | # Specify local addresses the server must bind to |
---|
76 | # Default : listen on all addresses available. |
---|
77 | #ListenOn = "202.249.37.5"; |
---|
78 | #ListenOn = "2001:200:903:2::202:1"; |
---|
79 | #ListenOn = "fe80::21c:5ff:fe98:7d62%eth0"; |
---|
80 | |
---|
81 | |
---|
82 | ############################################################## |
---|
83 | ## Server configuration |
---|
84 | |
---|
85 | # How many Diameter peers are allowed to be connecting at the same time ? |
---|
86 | # This parameter limits the number of incoming connections from the time |
---|
87 | # the connection is accepted until the first CER is received. |
---|
88 | # Default: 5 unidentified clients in paralel. |
---|
89 | #ThreadsPerServer = 5; |
---|
90 | |
---|
91 | # If this host is used as relay or proxy, it can be useful to limit |
---|
92 | # connections from "outside" until enough processing nodes are available. |
---|
93 | # This parameter defines a regex pattern for recognizing such nodes; |
---|
94 | # Default: NO DEFAULT |
---|
95 | #ProcessingPeersPattern = "worker[0-9]*.example.com"; |
---|
96 | |
---|
97 | # This next parameter defines how many of these processing peers |
---|
98 | # must be connected before CERs from other hosts are accepted. |
---|
99 | # If this is set, ProcessingPeersPattern must also be defined. |
---|
100 | # If unset or less than 1, ProcessingPeersPattern and this variable do nothing. |
---|
101 | # Default: 0 |
---|
102 | #ProcessingPeersMinimum = 0; |
---|
103 | |
---|
104 | ############################################################## |
---|
105 | ## TLS Configuration |
---|
106 | |
---|
107 | # TLS is managed by the GNUTLS library in the freeDiameter daemon. |
---|
108 | # You may find more information about parameters and special behaviors |
---|
109 | # in the relevant documentation. |
---|
110 | # http://www.gnu.org/software/gnutls/manual/ |
---|
111 | |
---|
112 | # Credentials of the local peer |
---|
113 | # The X509 certificate and private key file to use for the local peer. |
---|
114 | # The files must contain PKCS-1 encoded RSA key, in PEM format. |
---|
115 | # (These parameters are passed to gnutls_certificate_set_x509_key_file function) |
---|
116 | # Default : NO DEFAULT |
---|
117 | #TLS_Cred = "<x509 certif file.PEM>" , "<x509 private key file.PEM>"; |
---|
118 | TLS_Cred = "/etc/ssl/certs/freeDiameter.pem", "/etc/ssl/private/freeDiameter.key"; |
---|
119 | |
---|
120 | # Certificate authority / trust anchors |
---|
121 | # The file containing the list of trusted Certificate Authorities (PEM list) |
---|
122 | # (This parameter is passed to gnutls_certificate_set_x509_trust_file function) |
---|
123 | # The directive can appear several times to specify several files. |
---|
124 | # Default : GNUTLS default behavior |
---|
125 | #TLS_CA = "<file.PEM>"; |
---|
126 | |
---|
127 | # Certificate Revocation List file |
---|
128 | # The information about revoked certificates. |
---|
129 | # The file contains a list of trusted CRLs in PEM format. They should have been verified before. |
---|
130 | # (This parameter is passed to gnutls_certificate_set_x509_crl_file function) |
---|
131 | # Note: openssl CRL format might have interoperability issue with GNUTLS format. |
---|
132 | # Default : GNUTLS default behavior |
---|
133 | #TLS_CRL = "<file.PEM>"; |
---|
134 | |
---|
135 | # GNU TLS Priority string |
---|
136 | # This string allows to configure the behavior of GNUTLS key exchanges |
---|
137 | # algorithms. See gnutls_priority_init function documentation for information. |
---|
138 | # You should also refer to the Diameter required TLS support here: |
---|
139 | # http://tools.ietf.org/html/rfc6733#section-13.1 |
---|
140 | # Default : "NORMAL" |
---|
141 | # Example: TLS_Prio = "NONE:+VERS-TLS1.1:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL"; |
---|
142 | #TLS_Prio = "NORMAL"; |
---|
143 | |
---|
144 | # Diffie-Hellman parameters size |
---|
145 | # Set the number of bits for generated DH parameters |
---|
146 | # Valid value should be 768, 1024, 2048, 3072 or 4096. |
---|
147 | # (This parameter is passed to gnutls_dh_params_generate2 function, |
---|
148 | # it usually should match RSA key size) |
---|
149 | # Default : 1024 |
---|
150 | #TLS_DH_Bits = 1024; |
---|
151 | |
---|
152 | # Alternatively, you can specify a file to load the PKCS#3 encoded |
---|
153 | # DH parameters directly from. This accelerates the daemon start |
---|
154 | # but is slightly less secure. If this file is provided, the |
---|
155 | # TLS_DH_Bits parameters has no effect. |
---|
156 | # Default : no default. |
---|
157 | #TLS_DH_File = "<file.PEM>"; |
---|
158 | |
---|
159 | |
---|
160 | ############################################################## |
---|
161 | ## Timers configuration |
---|
162 | |
---|
163 | # The Tc timer of this peer. |
---|
164 | # It is the delay before a new attempt is made to reconnect a disconnected peer. |
---|
165 | # The value is expressed in seconds. The recommended value is 30 seconds. |
---|
166 | # Default: 30 |
---|
167 | #TcTimer = 30; |
---|
168 | |
---|
169 | # The Tw timer of this peer. |
---|
170 | # It is the delay before a watchdog message is sent, as described in RFC 3539. |
---|
171 | # The value is expressed in seconds. The default value is 30 seconds. Value must |
---|
172 | # be greater or equal to 6 seconds. See details in the RFC. |
---|
173 | # Default: 30 |
---|
174 | #TwTimer = 30; |
---|
175 | |
---|
176 | ############################################################## |
---|
177 | ## Applications configuration |
---|
178 | |
---|
179 | # Disable the relaying of Diameter messages? |
---|
180 | # For messages not handled locally, the default behavior is to forward the |
---|
181 | # message to another peer if any is available, according to the routing |
---|
182 | # algorithms. In addition the "0xffffff" application is advertised in CER/CEA |
---|
183 | # exchanges. |
---|
184 | # Default: Relaying is enabled. |
---|
185 | #NoRelay; |
---|
186 | |
---|
187 | # Number of server threads that can handle incoming messages at the same time. |
---|
188 | # Default: 4 |
---|
189 | #AppServThreads = 4; |
---|
190 | |
---|
191 | # Number of server threads that can handle incoming message routing at the same time. |
---|
192 | # Default: 1 |
---|
193 | #RoutingInThreads = 1; |
---|
194 | |
---|
195 | # Number of server threads that can handle outgoing message routing at the same time. |
---|
196 | # Default: 1 |
---|
197 | #RoutingOutThreads= 1; |
---|
198 | |
---|
199 | # Maximum size of the incoming queue (messages queued after accepting |
---|
200 | # them from the network) before blocking |
---|
201 | # Default: 20 |
---|
202 | #IncomingQueueLimit = 20; |
---|
203 | |
---|
204 | # Maximum size of the outgoing queue (messages queued for sending to |
---|
205 | # the network) before blocking |
---|
206 | # Default: 30 |
---|
207 | #OutgoingQueueLimit = 30; |
---|
208 | |
---|
209 | # Maximum size of the local queue (messages queued for local handling) |
---|
210 | # before blocking |
---|
211 | # Default: 25 |
---|
212 | #LocalQueueLimit = 25; |
---|
213 | |
---|
214 | # Other applications are configured by loaded extensions. |
---|
215 | |
---|
216 | ############################################################## |
---|
217 | ## Extensions configuration |
---|
218 | |
---|
219 | # The freeDiameter framework merely provides support for |
---|
220 | # Diameter Base Protocol. The specific application behaviors, |
---|
221 | # as well as advanced functions, are provided |
---|
222 | # by loadable extensions (plug-ins). |
---|
223 | # These extensions may in addition receive the name of a |
---|
224 | # configuration file, the format of which is extension-specific. |
---|
225 | # |
---|
226 | # Format: |
---|
227 | #LoadExtension = "/path/to/extension" [ : "/optional/configuration/file" ] ; |
---|
228 | # |
---|
229 | # Examples: |
---|
230 | #LoadExtension = "extensions/sample.fdx"; |
---|
231 | #LoadExtension = "extensions/sample.fdx":"conf/sample.conf"; |
---|
232 | |
---|
233 | # Extensions are named as follow: |
---|
234 | # dict_* for extensions that add content to the dictionary definitions. |
---|
235 | # dbg_* for extensions useful only to retrieve more information on the framework execution. |
---|
236 | # acl_* : Access control list, to control which peers are allowed to connect. |
---|
237 | # rt_* : routing extensions that impact how messages are forwarded to other peers. |
---|
238 | # app_* : applications, these extensions usually register callbacks to handle specific messages. |
---|
239 | # test_* : dummy extensions that are useful only in testing environments. |
---|
240 | |
---|
241 | |
---|
242 | # The dbg_msg_dump.fdx extension allows you to tweak the way freeDiameter displays some |
---|
243 | # information about some events. This extension does not actually use a configuration file |
---|
244 | # but receives directly a parameter in the string passed to the extension. Here are some examples: |
---|
245 | ## LoadExtension = "dbg_msg_dumps.fdx" : "0x1111"; # Removes all default hooks, very quiet even in case of errors. |
---|
246 | ## LoadExtension = "dbg_msg_dumps.fdx" : "0x2222"; # Display all events with few details. |
---|
247 | ## LoadExtension = "dbg_msg_dumps.fdx" : "0x0080"; # Dump complete information about sent and received messages. |
---|
248 | # The four digits respectively control: connections, routing decisions, sent/received messages, errors. |
---|
249 | # The values for each digit are: |
---|
250 | # 0 - default - keep the default behavior |
---|
251 | # 1 - quiet - remove any specific log |
---|
252 | # 2 - compact - display only a summary of the information |
---|
253 | # 4 - full - display the complete information on a single long line |
---|
254 | # 8 - tree - display the complete information in an easier to read format spanning several lines. |
---|
255 | |
---|
256 | |
---|
257 | ############################################################## |
---|
258 | ## Peers configuration |
---|
259 | |
---|
260 | # The local server listens for incoming connections. By default, |
---|
261 | # all unknown connecting peers are rejected. Extensions can override this behavior (e.g., acl_wl). |
---|
262 | # |
---|
263 | # In addition to incoming connections, the local peer can |
---|
264 | # be configured to establish and maintain connections to some |
---|
265 | # Diameter nodes and allow connections from these nodes. |
---|
266 | # This is achieved with the ConnectPeer directive described below. |
---|
267 | # |
---|
268 | # Note that the configured Diameter Identity MUST match |
---|
269 | # the information received inside CEA, or the connection will be aborted. |
---|
270 | # |
---|
271 | # Format: |
---|
272 | #ConnectPeer = "diameterid" [ { parameter1; parameter2; ...} ] ; |
---|
273 | # Parameters that can be specified in the peer's parameter list: |
---|
274 | # No_TCP; No_SCTP; No_IP; No_IPv6; Prefer_TCP; TLS_old_method; |
---|
275 | # No_TLS; # assume transparent security instead of TLS. DTLS is not supported yet (will change in future versions). |
---|
276 | # Port = 5868; # The port to connect to |
---|
277 | # TcTimer = 30; |
---|
278 | # TwTimer = 30; |
---|
279 | # ConnectTo = "202.249.37.5"; |
---|
280 | # ConnectTo = "2001:200:903:2::202:1"; |
---|
281 | # TLS_Prio = "NORMAL"; |
---|
282 | # Realm = "realm.net"; # Reject the peer if it does not advertise this realm. |
---|
283 | # Examples: |
---|
284 | #ConnectPeer = "aaa.wide.ad.jp"; |
---|
285 | #ConnectPeer = "old.diameter.serv" { TcTimer = 60; TLS_old_method; No_SCTP; Port=3868; } ; |
---|
286 | |
---|
287 | |
---|
288 | ############################################################## |
---|
289 | ## General settings |
---|
290 | |
---|
291 | # If Route-Record AVPs should be added in Answers. |
---|
292 | # Possible values: Always, Never |
---|
293 | # Default: Always |
---|
294 | #RouteRecordInAnswers = Never; |
---|
295 | |
---|