// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
// Extra HTTP headers to add in responses.
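Review bot: The retained comment line now contradicts the setting directly beneath it: it says a port lower than 1024 should be used (e.g. 890), yet the example keeps "http-port": 8000. With the non-root and 'CAP_NET_BIND_SERVICE' wording removed, the comment also no longer tells the reader what the process needs in order to bind such a port. Either change the example value to match the advice, or reword the comment as optional hardening and point to the documentation section that covers the required privileges. The same applies to the other example files touched by this change.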
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
// TLS trust anchor (Certificate Authority). This is a file name or
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
// TLS trust anchor (Certificate Authority). This is a file name or
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
// Extra HTTP headers to add in responses.
// commands should still be sent to a control socket.
// The dedicated listener is specifically for HA
// updates only.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 894)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 894).
"socket-port": 8004,
// TLS trust anchor (Certificate Authority). This is a
// instance if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
// values then the ones used by the Control Agent.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 895) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.56.33:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// channel can be reached. The Control Agent is not required
// to run on the partner's machine if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
- // values then the ones used by the Control Agent
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 895) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // values then the ones used by the Control Agent.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.56.66:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
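Review bot: Since the line "// values then the ones used by the Control Agent." is already being rewritten to add the missing period, fix "then" to "than" in the same edit ("different values than the ones used"). The sibling hunks carry the same wording as unchanged context and could be corrected at the same time.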
// to run on the partner's machine if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
// values then the ones used by the Control Agent.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 895) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.56.33:8005",
// The partner is primary. This server is secondary.
"role": "primary"
// instance if multi-threading is enabled.
// The "http-host" and "http-port" values must be set to different
// values then the ones used by the Control Agent.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 895) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.56.66:8005",
// This server is secondary. The other one must be
// primary.
// commands should still be sent to a control socket.
// The dedicated listener is specifically for HA
// updates only.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 896)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 896).
"socket-port": 8006,
// TLS trust anchor (Certificate Authority). This is a
// Control Agent must run along with this DHCPv6 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 897)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 897).
"url": "http://192.168.56.33:8007",
// This server is primary. The other one must be
// standby.
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 897)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 897).
"url": "http://192.168.56.66:8007",
// The partner is standby. This server is primary.
"role": "standby"
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 897)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 897).
"url": "http://192.168.56.33:8007",
// The partner is primary. This server is standby.
"role": "primary"
// Control Agent must run along with this DHCPv6 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 897)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 897).
"url": "http://192.168.56.66:8007",
// This server is standby. The other one must be
// primary.
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8001,
"control-sockets":
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8001,
"control-sockets":
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- // For security reasons, Kea should be run as non root user, a port
- // lower than 1024 should be used (e.g. 895) and, on Linux systems,
- // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.2:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- // For security reasons, Kea should be run as non root user, a port
- // lower than 1024 should be used (e.g. 895) and, on Linux systems,
- // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.3:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- // For security reasons, Kea should be run as non root user, a port
- // lower than 1024 should be used (e.g. 895) and, on Linux systems,
- // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.2:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
// The Control Agent is not needed for the High Availability
// with multi-threading, but if it is used, it must use
// different values for "http-host" and "http-port".
- // For security reasons, Kea should be run as non root user, a port
- // lower than 1024 should be used (e.g. 895) and, on Linux systems,
- // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.3:8005",
// Trust anchor aka certificate authority file or directory.
"trust-anchor": "/usr/lib/kea/CA.pem",
"http-host": "192.168.1.2",
// This specifies the port CA will listen on.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
"control-sockets":
"http-host": "192.168.1.3",
// This specifies the port CA will listen on.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
"control-sockets":
// Control Agent must run along with this DHCPv4 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- // For security reasons, Kea should be run as non root user,
- // a port lower than 1024 should be used (e.g. 895) and, on
- // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
- // capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.2:8005",
// This server is primary. The other one must be
// secondary.
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- // For security reasons, Kea should be run as non root user,
- // a port lower than 1024 should be used (e.g. 895) and, on
- // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
- // capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.3:8005",
// The other server is secondary. This one must be
// primary.
// channel can be reached. The Control Agent is required
// to run on the partner's machine with "http-host" and
// "http-port" values set to the corresponding values.
- // For security reasons, Kea should be run as non root user,
- // a port lower than 1024 should be used (e.g. 895) and, on
- // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
- // capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.2:8005",
// The other server is primary. This one must be
// secondary.
// Control Agent must run along with this DHCPv4 server
// instance and the "http-host" and "http-port" must be
// set to the corresponding values.
- // For security reasons, Kea should be run as non root user,
- // a port lower than 1024 should be used (e.g. 895) and, on
- // Linux systems, the process should have 'CAP_NET_BIND_SERVICE'
- // capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.168.1.3:8005",
// This server is secondary. The other one must be
// primary.
``https://10.20.30.40:8000/``. If these parameters are not specified, the
default URL is ``http://127.0.0.1:8000/``.
-For security reasons, Kea should be run as non root user, a port lower
-than 1024 should be used (e.g. 890) and, on Linux systems, the process
-should have 'CAP_NET_BIND_SERVICE' capabilities.
+For security reasons, a port lower than 1024 should be used (e.g. 890).
When using Kea's HA hook library with multi-threading,
the address:port combination used for CA must be
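Review bot: In this documentation paragraph the added sentence says "For security reasons" without giving the reason, and the change removes, here as in every other touched file, the text telling the operator to run Kea as a non-root user and to grant 'CAP_NET_BIND_SERVICE' on Linux. A user who reads that the default URL is ``http://127.0.0.1:8000/`` and then that port 890 should be used gets no indication that binding below 1024 needs extra privilege. Suggest adding one clause that states the reason for the recommendation and a cross-reference to wherever the privilege requirement is now documented.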
``socket-port`` (default 8000) specify an IP address and port to which
the HTTP service will be bound.
-For security reasons, Kea should be run as non root user, a port lower
-than 1024 should be used (e.g. 892) and, on Linux systems, the process
-should have 'CAP_NET_BIND_SERVICE' capabilities.
+For security reasons, a port lower than 1024 should be used (e.g. 892).
The ``trust-anchor``, ``cert-file``, ``key-file``, and ``cert-required``
parameters specify the TLS setup for HTTP, i.e. HTTPS. If these parameters
``socket-port`` (default 8000) specify an IP address and port to which
the HTTP service will be bound.
-For security reasons, Kea should be run as non root user, a port lower
-than 1024 should be used (e.g. 894) and, on Linux systems, the process
-should have 'CAP_NET_BIND_SERVICE' capabilities.
+For security reasons, a port lower than 1024 should be used (e.g. 894).
Since Kea 2.7.5 the ``http-headers`` parameter specifies a list of
extra HTTP headers to add to HTTP responses.
``socket-port`` (default 8000) specify an IP address and port to which
the HTTP service will be bound.
-For security reasons, Kea should be run as non root user, a port lower
-than 1024 should be used (e.g. 896) and, on Linux systems, the process
-should have 'CAP_NET_BIND_SERVICE' capabilities.
+For security reasons, a port lower than 1024 should be used (e.g. 896).
Since Kea 2.7.5 the ``http-headers`` parameter specifies a list of
extra HTTP headers to add to HTTP responses.
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port
- // lower than 1024 should be used (e.g. 890) and, on Linux systems,
- // the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
"control-sockets": {
// DHCPv4 server open its own socket. Note that it
// must be different than the one used by the CA
// (typically 8000). In this example, 8005 is used.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 895)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.0.2.1:8005",
// This server is primary. The other one must be
// secondary.
// DHCPv4 server open its own socket. Note that it
// must be different than the one used by the CA
// (typically 8000). In this example, 8005 is used.
- // For security reasons, Kea should be run as non root
- // user, a port lower than 1024 should be used (e.g. 895)
- // and, on Linux systems, the process should have
- // 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 895).
"url": "http://192.0.2.2:8005",
// The partner is a secondary. This server is a
// primary as specified in the previous "peers"
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
// TLS trust anchor (Certificate Authority). This is a file name or
The Control Agent (CA) can accept incoming HTTP or HTTPS connections. The default port is 8000, which
does not require privileged access.
-For security reasons, Kea should be run as non root user, a port lower than 1024 should be used (e.g. 890)
-and, on Linux systems, the process should have 'CAP_NET_BIND_SERVICE' capabilities.
+For security reasons, a port lower than 1024 should be used (e.g. 890).
Securing Kea Administrative Access
----------------------------------
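Review bot: After this change the paragraph says that the default port 8000 "does not require privileged access" and, in the very next sentence, that a port lower than 1024 should be used for security reasons, with nothing connecting the two statements. The removed lines were what explained how a non-root process could follow the second recommendation. Suggest rewording so the trade-off is explicit: either keep the default for unprivileged operation, or move to a port below 1024 and state what privilege that requires.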
// listener is different (e.g. 8001) than the one used by CA. Note
// the commands should still be sent via CA. The dedicated listener
// is specifically for HA updates only.
- // For security reasons, Kea should be run as non root user, a port lower
- // than 1024 should be used (e.g. 890) and, on Linux systems, the process
- // should have 'CAP_NET_BIND_SERVICE' capabilities.
+ // For security reasons, a port lower than 1024 should be used (e.g. 890).
"http-port": 8000,
// Allow access only to kea-api user.