added reject support

[libradsec.git] / radsecproxy.conf-example

diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 62d5836..6dc133b 100644 (file)
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -33,6 +33,15 @@ TLSCertificateKeyPassword    follow the white rabbit
 #also the lines above may be in any order, except that a realm
 #can only be configured to use a server that is previously configured.
 
+#A realm can be a literal domain name, * which matches all, or a
+#regexp. A regexp is specified by the character prefix /
+#For regexp we do case insensitive matching of the entire username string.
+#The matching of realms is done in the order they are specified, using the
+#first match found. Some examples are
+#"@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$".
+#To treat local users separately you might try first specifying "@"
+#and after that "*".
+
 client 2001:db8::1 {
        type    tls
        secret  verysecret
@@ -62,18 +71,24 @@ server 2001:db8::1 {
 server radius.example.com {
        type    tls
        secret  verysecret
+       StatusServer on
+# statusserver is optional, can be on or off. Off is default
 }
 
-realm example.com {
+# Equivalent to example.com
+realm /@example\.com$ {
        server 2001:db8::1
 }
-realm com {
-       server 2001:db8::1
+# One can define a realm without servers, the proxy will then reject
+# and requests matching this. Optionally one can specify ReplyMessage
+# attribute to be included in the reject message.
+# 
+realm /\.com$ {
+}
+realm /^anonymous$ {
+        replymessage "No Access"
 }
-# Matching of realms is done in the order specified.
-# Except * which is a catch all that is used as a last resort
-# The matching is going to be changed to be regexp of the
-# entire username value
+# The realm below is equivalent to /.*
 realm * {
        server radius.example.com
 }