From 916d51e31587fa0e27d3efd1aec80f3b3ea2d96d Mon Sep 17 00:00:00 2001 From: kakwa Date: Sat, 10 Sep 2016 00:55:19 +0200 Subject: [PATCH] adding documentation for each conf file parameters --- README.md | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/README.md b/README.md index 320b02b..c4b629e 100644 --- a/README.md +++ b/README.md 
@@ -41,6 +41,74 @@ Report bugs to Pierre-Francois Carpentier . ## Configuration +### tsa + +Section defining which TSA section to use. + +* ```default_tsa```: Name of the TSA section to use as default. + +### main + +Main configuration section (mostly http configuration). + +* ```enable_keep_alive```: Allows clients to reuse TCP connection for subsequent + HTTP requests, which improves performance. +* ```num_threads```: Number of worker threads. +* ```ssl_ca_path```: Name of a directory containing trusted CA certificates. +* ```throttle```: Limit download speed for clients. throttle is a comma-separated list of key=value pairs: + - * -> limit speed for all connections + - x.x.x.x/mask -> limit speed for specified subnet + The value is a floating-point number of bytes per second, optionally followed by a k or m character + meaning kilobytes and megabytes respectively. A limit of 0 means unlimited rate. + Ex: throttle = *=1k,10.10.0.0/16=10m,10.20.0.0/16=0 +* ```ssl_verify_peer```: Enable client's certificate verification by the server. +* ```ssl_certificate```: Path to the SSL certificate file (PEM format containing private key and certificate). +* ```tcp_nodelay```: Enable TCP_NODELAY socket option on client connections. +* ```ssl_verify_depth```: Sets maximum depth of certificate chain. + If client's certificate chain is longer than the depth set here connection is refused. +* ```ssl_short_trust```: Enables the use of short lived certificates +* ```request_timeout_ms```: Timeout for network read and network write operations, in milliseconds. +* ```ssl_protocol_version```: Sets the minimal accepted version of SSL/TLS protocol according to the table: + SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2 0 + SSL3+TLS1.0+TLS1.1+TLS1.2 1 + TLS1.0+TLS1.1+TLS1.2 2 + TLS1.1+TLS1.2 3 + TLS1.2 4 +* ```ssl_ca_file```: Path to a .pem file containing trusted certificates. The file may contain more than one certificate. 
+* ```ssl_default_verify_paths```: Loads default trusted certificates locations set at openssl compile time. +* ```access_control_allow_origin```: Comma separated list of IP subnets to accept/deny + Ex: -0.0.0.0/0,+192.168.0.0/16 (deny all accesses, only allow 192.168.0.0/16 subnet) +* ```log_level```: Loglevel (debug, info, notice, warn, err, emerg, crit) +* ```ssl_cipher_list```: See https://www.openssl.org/docs/manmaster/apps/ciphers.html for more detailed +* ```listening_ports```: Comma-separated list of ips:ports to listen on. + If the port is SSL, a letter s must be appended. + Ex: listening_ports = 80,443s +* ```run_as_user```: Switch to given user credentials after startup. + Required to run on privileged ports and not be run as root. + +### tsa_config1 + +Example of timestamp section configuration. + +* ```clock_precision_digits```: Number of decimals for timestamp. (optional) +* ```tsa_name```: Must the TSA name be included in the reply? (optional, default: no) +* ```signer_key```: The TSA private key. (optional) +* ```signer_cert```: The TSA signing certificat. (optional) +* ```ordering```: Is ordering defined for timestamps? (optional, default: no) +* ```certs```: Certificate chain to include in reply. (optional) +* ```default_policy```: Policy if request did not specify it. (optional) +* ```other_policies```: Acceptable policies. (optional) +* ```crypto_device```: OpenSSL engine to use for signing. +* ```ess_cert_id_chain```: Must the ESS cert id chain be included? (optional, default: no) +* ```digests```: Acceptable message digests. (mandatory) +* ```dir```: TSA root directory. +* ```accuracy```: Timestamp accuracy. (optional) + +### oids + +Section for declaring OID mapping. Just add = pairs. + + ## Building ```bash
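Review bot: the `access_control_allow_origin` entry (`Comma separated list of IP subnets to accept/deny`, example `-0.0.0.0/0,+192.168.0.0/16`) describes an IP allow/deny list, but that option name is the one for the CORS `Access-Control-Allow-Origin` response header; the `+subnet`/`-subnet` syntax belongs to an access-control-list option. Please check which option name the server actually hands to its HTTP layer and make the name and the description agree, because as written an operator could believe `-0.0.0.0/0,+192.168.0.0/16` restricts who may reach the TSA when it would only set a CORS header (or find the value rejected). Two more points in the `main` section: the `ssl_protocol_version` table is pasted as bare text under the bullet, so Markdown will run the five rows into one line, and no default is stated; put the table in a code block, state the default, and say plainly that values 0 and 1 still accept SSLv2/SSLv3 and that 3 or 4 is the value to use for a new deployment, so that a reader copying the list does not leave obsolete protocols enabled. Since `ssl_certificate` is documented as holding the private key alongside the certificate, also say whether it is loaded before or after the switch to `run_as_user`, since that decides which account must be able to read it and how tightly the file can be permissioned (the same applies to `signer_key`).

In the `tsa_config1` section, `signer_key` and `signer_cert` are marked `(optional)` although no timestamp token can be signed without a key and certificate, `crypto_device` carries no optional/mandatory marker at all, `digests` is `(mandatory)` but no example of its values is given, and `accuracy` gives no format; spelling out the expected form of each (for example that `digests` is a comma-separated list of digest names, and whether `accuracy` uses the `secs:`/`millisecs:`/`microsecs:` form of OpenSSL's `ts` section) would save the first users a trip to the source. Minor: `certificat` in `signer_cert` should be `certificate`, `for more detailed` after the ciphers URL should be `for more details`, and the `oids` section says `Just add = pairs.` without saying what goes on either side of the `=` (the name and the OID it maps to).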