// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
// Extra HTTP headers to add in responses.
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
// TLS trust anchor (Certificate Authority). This is a file name or
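Review bot: The added comment recommends a port below 1024, yet the value it annotates on the next line stays `"http-port": 8000`, so the example contradicts its own advice; the same paragraph with the same mismatch (against 8000, 8004, 8005, 8006 or 8007) is added in the hunks ending at L8, L24, L32, L43, L61, L74, L85, L96, L107, L126, L138, L150, L162, L170, L178, L189, L200, L211, L222, L229, L236, L248, L260, L272, L284, L484, L498, L512, L565 and L588. The comment also never says why a low port is safer: only root or a process holding CAP_NET_BIND_SERVICE can bind a port below 1024, so an unprivileged local process cannot claim this listener's address:port while Kea is stopped or restarting, whereas 8000 can be bound by any local user. I would write it as `// A port below 1024 (e.g. 890) can only be bound by root or by a process holding the` / `// CAP_NET_BIND_SERVICE capability, so an unprivileged local process cannot take over` / `// this listener; run Kea as a non-root user and grant it that capability on Linux.` and either set the example to the recommended value or say that 8000 is kept for an unprivileged demo. Minor wording: "run as non root user" should read "run as a non-root user", and "capabilities" is singular here.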
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
// TLS trust anchor (Certificate Authority). This is a file name or
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
// Extra HTTP headers to add in responses.
// commands should still be sent to a control socket.
// The dedicated listener is specifically for HA
// updates only.
- "socket-port": 8000,
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 894)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "socket-port": 8004,
// TLS trust anchor (Certificate Authority). This is a
// file name or a directory path. Make sense with other
"comment": "HTTP control socket",
"socket-type": "http",
"socket-address": "::1",
- "socket-port": 8000,
+ "socket-port": 8004,
// In authentication
"authentication": {
// instance if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
// values then the ones used by the Control Agent.
- "url": "http://192.168.56.33:8000/",
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 895) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.33:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// Client certificate file name.
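Review bot: The new `url` value drops the trailing slash that the old value and the documentation examples on this page (`https://10.20.30.40:8000/` and `http://127.0.0.1:8000/` in the hunk ending at L293) still carry, and every other url hunk on this page does the same. If Kea's URL parser treats an empty path the same as `/`, this is only cosmetic, but then the documented examples should use one form so readers do not wonder whether the slash matters; if it is not accepted, keep the old form `"url": "http://192.168.56.33:8005/",`.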
// channel can be reached. The Control Agent is not required
// to run on the partner's machine if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
- // values then the ones used by the Control Agent.
- "url": "http://192.168.56.66:8000/",
+ // values then the ones used by the Control Agent
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 895) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.66:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// Client certificate file name.
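Review bot: The rewritten context line at L67 drops the full stop that the old line L65 had and keeps the pre-existing typo "then" for "than", so the sentence now runs straight into the new security note without punctuation. It should read `// values than the ones used by the Control Agent.`.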
// to run on the partner's machine if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
// values then the ones used by the Control Agent.
- "url": "http://192.168.56.33:8000/",
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 895) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.33:8005",
// The partner is primary. This server is secondary.
"role": "primary"
},
// instance if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
// values then the ones used by the Control Agent.
- "url": "http://192.168.56.66:8000/",
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 895) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.66:8005",
// This server is secondary. The other one must be
// primary.
"role": "secondary"
// commands should still be sent to a control socket.
// The dedicated listener is specifically for HA
// updates only.
- "socket-port": 8000,
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 896)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "socket-port": 8006,
// TLS trust anchor (Certificate Authority). This is a
// file name or a directory path. Make sense with other
"comment": "HTTP control socket",
"socket-type": "http",
"socket-address": "127.0.0.1",
- "socket-port": 8000,
+ "socket-port": 8006,
// In authentication
"authentication": {
// Control Agent must run along with this DHCPv6 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- "url": "http://192.168.56.33:8000/",
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 897)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.33:8007",
// This server is primary. The other one must be
// standby.
"role": "primary"
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- "url": "http://192.168.56.66:8000/",
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 897)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.66:8007",
// The partner is standby. This server is primary.
"role": "standby"
}
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- "url": "http://192.168.56.33:8000/",
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 897)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.33:8007",
// The partner is primary. This server is standby.
"role": "primary"
},
// Control Agent must run along with this DHCPv6 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- "url": "http://192.168.56.66:8000/",
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 897)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.56.66:8007",
// This server is standby. The other one must be
// primary.
"role": "standby"
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8001,
"control-sockets":
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8001,
"control-sockets":
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- "url": "http://192.168.1.2:8000/",
+ // For security reasons, Kea should be run as non root user, a port
+ // lower than 1024 should be used (e.g. 895) and, on Linux systems,
+ // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.1.2:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// Client certificate file name.
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- "url": "http://192.168.1.3:8000/",
+ // For security reasons, Kea should be run as non root user, a port
+ // lower than 1024 should be used (e.g. 895) and, on Linux systems,
+ // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.1.3:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// Client certificate file name.
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- "url": "http://192.168.1.2:8000/",
+ // For security reasons, Kea should be run as non root user, a port
+ // lower than 1024 should be used (e.g. 895) and, on Linux systems,
+ // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.1.2:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// Client certificate file name.
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- "url": "http://192.168.1.3:8000/",
+ // For security reasons, Kea should be run as non root user, a port
+ // lower than 1024 should be used (e.g. 895) and, on Linux systems,
+ // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.168.1.3:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// Client certificate file name.
"http-host": "192.168.1.2",
// This specifies the port CA will listen on.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
"control-sockets":
"http-host": "192.168.1.3",
// This specifies the port CA will listen on.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
"control-sockets":
// Control Agent must run along with this DHCPv4 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- "url": "http://192.168.1.2:8000/",
+ // For security reasons, Kea should be run as non root user,
+ // a port lower than 1024 should be used (e.g. 895) and, on
+ // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
+ // capabilities.
+ "url": "http://192.168.1.2:8005",
// This server is primary. The other one must be
// secondary.
"role": "primary"
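Review bot: The peer `url` now points at port 8005 while the context comment at L237–L239 still says the Control Agent must run alongside this DHCPv4 server with `http-host`/`http-port` set to the corresponding values, and the CA examples for these hosts in the hunks ending at L229 and L236 keep `"http-port": 8000`. If those files form one example set, HA would be dialling a port no CA listens on, and a reader following the comment will reproduce the mismatch. Either keep the port in step with the CA, or update the comment to say that the URL targets the server's own HTTP listener, if that is what 8005 is meant to be. The same applies to the hunks ending at L260, L272 and L284.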
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- "url": "http://192.168.1.3:8000/",
+ // For security reasons, Kea should be run as non root user,
+ // a port lower than 1024 should be used (e.g. 895) and, on
+ // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
+ // capabilities.
+ "url": "http://192.168.1.3:8005",
// The other server is secondary. This one must be
// primary.
"role": "standby"
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- "url": "http://192.168.1.2:8000/",
+ // For security reasons, Kea should be run as non root user,
+ // a port lower than 1024 should be used (e.g. 895) and, on
+ // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
+ // capabilities.
+ "url": "http://192.168.1.2:8005",
// The other server is primary. This one must be
// secondary.
"role": "primary"
// Control Agent must run along with this DHCPv4 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- "url": "http://192.168.1.3:8000/",
+ // For security reasons, Kea should be run as non root user,
+ // a port lower than 1024 should be used (e.g. 895) and, on
+ // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
+ // capabilities.
+ "url": "http://192.168.1.3:8005",
// This server is secondary. The other one must be
// primary.
"role": "standby"
``https://10.20.30.40:8000/``. If these parameters are not specified, the
default URL is ``http://127.0.0.1:8000/``.
+For security reasons, Kea should be run as non root user, a port lower
+than 1024 should be used (e.g. 890) and, on Linux systems, the process
+should have 'CAP_NET_BIND_SERVICE' capabilities.
+
When using Kea's HA hook library with multi-threading,
the address:port combination used for CA must be
different from the HA peer URLs, which are strictly
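Review bot: The added paragraph tells the reader to grant ``CAP_NET_BIND_SERVICE`` but not how, and does not say what the low port buys, so the advice reads as an unexplained rule; the same paragraph is added in the hunks ending at L302, L310, L318 and L572. One sentence on the mechanism would help, e.g. `Ports below 1024 can only be bound by root or by a process holding CAP_NET_BIND_SERVICE, so an unprivileged local process cannot take over the listener while Kea is not running; the capability can be granted with setcap or, under systemd, with AmbientCapabilities=.` "run as non root user" should read "run as a non-root user", and "capabilities" should be singular.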
``socket-port`` (default 8000) specify an IP address and port to which
the HTTP service will be bound.
+For security reasons, Kea should be run as non root user, a port lower
+than 1024 should be used (e.g. 892) and, on Linux systems, the process
+should have 'CAP_NET_BIND_SERVICE' capabilities.
+
The ``trust-anchor``, ``cert-file``, ``key-file``, and ``cert-required``
parameters specify the TLS setup for HTTP, i.e. HTTPS. If these parameters
are not specified, HTTP is used. The TLS/HTTPS support in Kea is
``socket-port`` (default 8000) specify an IP address and port to which
the HTTP service will be bound.
+For security reasons, Kea should be run as non root user, a port lower
+than 1024 should be used (e.g. 894) and, on Linux systems, the process
+should have 'CAP_NET_BIND_SERVICE' capabilities.
+
Since Kea 2.7.5 the ``http-headers`` parameter specifies a list of
extra HTTP headers to add to HTTP responses.
``socket-port`` (default 8000) specify an IP address and port to which
the HTTP service will be bound.
+For security reasons, Kea should be run as non root user, a port lower
+than 1024 should be used (e.g. 896) and, on Linux systems, the process
+should have 'CAP_NET_BIND_SERVICE' capabilities.
+
Since Kea 2.7.5 the ``http-headers`` parameter specifies a list of
extra HTTP headers to add to HTTP responses.
}
},
- // Currently the DHCP-DDNS (nicknamed D2) server does not support
- // a command channel.
"d2":
{
"model": "kea-dhcp-ddns",
"control-socket":
{
- "socket-type": "stdout",
- "user-context": { "in-use": false }
+ "socket-type": "unix",
+ "socket-name": "kea-ddns-ctrl-socket",
+ "user-context": { "in-use": true }
}
},
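Review bot: The removed comment explained why D2 had no control socket, but nothing replaces it to say that `kea-dhcp-ddns` now accepts commands over a UNIX socket, and `socket-name` is given as a bare `kea-ddns-ctrl-socket` with no directory. Where that name is resolved (the working directory of the process or a fixed socket directory) decides who can connect, since access to a UNIX socket is governed by the permissions of the directory holding it; please confirm and state it, e.g. `// D2 now has a UNIX command channel; the socket name is resolved relative to Kea's socket directory — confirm.`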
"max-unacked-clients": 5,
"peers": [{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary",
"auto-failover": true
}, {
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "standby",
"auto-failover": true
}]
"max-unacked-clients": 5,
"peers": [{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary",
"auto-failover": true
}, {
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "standby",
"auto-failover": true
}]
"delayed-updates-limit": 100,
"peers": [{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary",
"auto-failover": true
}, {
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "secondary",
"auto-failover": true
}, {
"name": "server3",
- "url": "http://192.168.56.99:8000/",
+ "url": "http://192.168.56.99:8005",
"role": "backup",
"basic-auth-user": "foo",
"basic-auth-password": "1234",
"max-rejected-lease-updates": 10,
"peers": [{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary",
"auto-failover": true
}, {
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "standby",
"auto-failover": true
}, {
"name": "server3",
- "url": "http://192.168.56.99:8000/",
+ "url": "http://192.168.56.99:8005",
"basic-auth-user": "foo",
"basic-auth-password": "1234",
"role": "backup",
"wait-backup-ack": false,
"peers": [{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary"
}, {
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "backup"
}, {
"name": "server3",
- "url": "http://192.168.56.99:8000/",
+ "url": "http://192.168.56.99:8005",
"basic-auth-user": "foo",
"basic-auth-password": "1234",
"role": "backup"
"peers": [
{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary"
},
{
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "secondary"
}
]
"peers": [
{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary"
},
{
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "secondary"
}
]
"peers": [
{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary"
},
{
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "secondary"
}
],
"peers": [
{
"name": "server1",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8005",
"role": "primary"
},
{
"name": "server2",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8005",
"role": "secondary"
}
],
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port
+ // lower than 1024 should be used (e.g. 890) and, on Linux systems,
+ // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
"control-sockets": {
// Since the HA+MT uses a direct connection, the
// DHCPv4 server open its own socket. Note that it
// must be different than the one used by the CA
- // (typically 8000). In this example, 8001 is used.
- "url": "http://192.0.2.1:8001/",
+ // (typically 8000). In this example, 8005 is used.
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 895)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.0.2.1:8005",
// This server is primary. The other one must be
// secondary.
"role": "primary"
// Since the HA+MT uses a direct connection, the
// DHCPv4 server open its own socket. Note that it
// must be different than the one used by the CA
- // (typically 8000). In this example, 8001 is used.
- "url": "http://192.0.2.2:8001/",
+ // (typically 8000). In this example, 8005 is used.
+ // For security reasons, Kea should be run as non root
+ // user, a port lower than 1024 should be used (e.g. 895)
+ // and, on Linux systems, the process should have
+ // 'CAP_NET_BIND_SERVICE' capabilities.
+ "url": "http://192.0.2.2:8005",
// The partner is a secondary. This server is a
// primary as specified in the previous "peers"
// entry and in "this-server-name" before that.
"peers": [
{
"name": "server1",
- "url": "http://192.168.56.66:8000/",
+ "url": "http://192.168.56.66:8007",
"role": "primary",
"auto-failover": true
},
{
"name": "server2",
- "url": "http://192.168.56.33:8000/",
+ "url": "http://192.168.56.33:8007",
"role": "standby",
"auto-failover": true
}
"peers": [
{
"name": "server3",
- "url": "http://192.168.57.99:8000/",
+ "url": "http://192.168.57.99:8007",
"role": "primary",
"auto-failover": true
},
{
"name": "server4",
- "url": "http://192.168.57.33:8000/",
+ "url": "http://192.168.57.33:8007",
"role": "standby",
"auto-failover": true
}
"peers": [
{
"name": "server3",
- "url": "http://192.168.57.99:8000/",
+ "url": "http://192.168.57.99:8007",
"role": "primary",
"auto-failover": true
},
{
"name": "server4",
- "url": "http://192.168.57.33:8000/",
+ "url": "http://192.168.57.33:8007",
"role": "standby",
"auto-failover": true
}
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
// TLS trust anchor (Certificate Authority). This is a file name or
The Control Agent (CA) can accept incoming HTTP or HTTPS connections. The default port is 8000, which
does not require privileged access.
+For security reasons, Kea should be run as non root user, a port lower than 1024 should be used (e.g. 890)
+and, on Linux systems, the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+
Securing Kea Administrative Access
----------------------------------
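Review bot: The new sentence directly follows "The default port is 8000, which does not require privileged access" and reverses it without explaining the trade-off, so the paragraph reads as contradicting itself. Spell out that 8000 is convenient precisely because no privilege is needed, which also means any local process can bind it when Kea is not listening, and that a port below 1024 plus CAP_NET_BIND_SERVICE keeps the non-root deployment while closing that gap; e.g. `The default port 8000 needs no privilege, but for the same reason any local process can bind it while Kea is not listening; a port below 1024 (e.g. 890) is protected from that, and a non-root Kea can still bind it when granted CAP_NET_BIND_SERVICE on Linux.` Given that "Securing Kea Administrative Access" starts right after, this guidance may belong in that section rather than in the port description.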
// do. Comments in this configuration file sometimes refer to sections for more
// details. These are section numbers in Kea User's Guide. The version matching
// your software should come with your Kea package, but it is also available
-// in ISC's Knowledgebase (https://kea.readthedocs.io; the direct link for
+// in ISC's Knowledge base (https://kea.readthedocs.io; the direct link for
// the stable version is https://kea.readthedocs.io/).
//
// This configuration file contains only Control Agent's configuration.
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
+ // For security reasons, Kea should be run as non root user, a port lower
+ // than 1024 should be used (e.g. 890) and, on Linux systems, the process
+ // should have 'CAP_NET_BIND_SERVICE' capabilities.
"http-port": 8000,
// Allow access only to kea-api user.