add sample "proxy" virtual server

alandekok · alandekok · commit a8a4815b280c · 2026-02-10T12:48:59.000-05:00
diff --git a/debian/freeradius-config.postinst b/debian/freeradius-config.postinst
@@ -49,7 +49,7 @@ case "$1" in
         # install or an upgrade from before there were links; users may
         # want to remove them...
         if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.0.4+dfsg-4; then
-          for site in default inner-tunnel; do
+          for site in default inner-tunnel proxy; do
             if test ! -h /etc/freeradius/sites-enabled/$site && \
                test ! -e /etc/freeradius/sites-enabled/$site; then
               ln -s ../sites-available/$site /etc/freeradius/sites-enabled/$site
diff --git a/doc/antora/modules/reference/nav.adoc b/doc/antora/modules/reference/nav.adoc
@@ -262,6 +262,7 @@
 *** xref:raddb/sites-available/ldap_sync.adoc[LDAP Sync]
 *** xref:raddb/sites-available/doc/radius.adoc[RADIUS]
 **** xref:raddb/sites-available/default.adoc[Default]
+**** xref:raddb/sites-available/proxy.adoc[Proxy]
 **** xref:raddb/sites-available/buffered-sql.adoc[Buffered SQL]
 **** xref:raddb/sites-available/challenge.adoc[Challenge-Response]
 **** xref:raddb/sites-available/coa.adoc[CoA]
diff --git a/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc b/doc/antora/modules/reference/pages/raddb/sites-available/proxy.adoc
@@ -0,0 +1,152 @@
+
+= Proxy RADIUS packets
+
+This virtual server replaces the old `pre-proxy` and `post-proxy`
+sections that were in v3.
+
+It can be called from another virtual server via the `call` keyword:
+
+```
+#	subrequest {
+#		request := parent.request
+#		call proxy {
+#		}
+#	}
+```
+
+For server pools with load-balancing, fail-over, etc., you can just
+use the `load-balance` and `redundant` keywords.  Those sections
+should then include multiple `radius` modules, one for each home
+server.
+
+You can also create virtual modules in `mods-enabled/`, simply by
+giving the `load-balance` section a name.  See the keyword
+documentation for `load-balance` for more details.
+
+See also the proxy upgrade documentation for examples.
+xref:howto:upgrade/proxy.adoc[proxy]
+
+
+
+
+```
+server proxy {
+	namespace = radius
+
+```
+
+== Authentication
+
+Process Access-Request packets and responses.
+
+=== Receive the Access-Request from the parent
+
+This section replaces `pre-proxy`.  It receives an Access-Request
+from the parent, and uses the `radius` module to proxy it.
+
+Note that there is no `send Access-Request` section.  If you add
+one, the server will give an error, and will refuse to start.
+
+```
+recv Access-Request {
+```
+
+Rewrite the Access-Request before it gets sent to the home server
+
+
+
+This is where you decide which home server the packet is
+proxied to.
+
+```
+	radius
+}
+
+```
+
+=== Return the Access-Accept to the parent
+
+```
+send Access-Accept {
+}
+
+```
+
+=== Return the Access-Reject to the parent
+
+```
+send Access-Reject {
+}
+
+```
+
+=== Return the Access-Challenge to the parent
+
+```
+send Access-Challenge {
+}
+
+```
+
+== Accounting
+
+
+=== Receive the Accounting-Request from the parent
+
+```
+recv Accounting-Request {
+
+```
+
+As the last thing in the section, proxy it.
+
+```
+     radius
+}
+
+```
+
+=== Return the Accounting-Response to the parent
+
+```
+send Accounting-Response {
+}
+
+```
+
+== Other Packet Types
+
+You can add sections here such as `recv CoA-Request`, `send
+CoA-ACK`, etc.
+
+
+
+== Finalize the response
+
+```
+finally {
+```
+
+Remove all Proxy-State attributes from the response
+
+```
+	reply -= Proxy-State[*]
+
+```
+
+Over-write all of the parents response attributes with our response.
+
+```
+	parent.reply := reply
+}
+
+}
+```
+
+== Default Configuration
+
+```
+```
+
+// Copyright (C) 2026 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.
+// This documentation was developed by Network RADIUS SAS.
diff --git a/raddb/all.mk b/raddb/all.mk
@@ -4,7 +4,7 @@
 LOCAL_FILES :=		clients.conf dictionary \
 			radiusd.conf trigger.conf panic.gdb
 
-DEFAULT_SITES :=	default inner-tunnel
+DEFAULT_SITES :=	default inner-tunnel proxy
 LOCAL_SITES :=		$(addprefix raddb/sites-enabled/,$(DEFAULT_SITES))
 
 DEFAULT_MODULES :=	always attr_filter cache_eap chap client \
diff --git a/raddb/sites-available/proxy b/raddb/sites-available/proxy
@@ -0,0 +1,123 @@
+#  -*- text -*-
+######################################################################
+#
+#  = Proxy RADIUS packets
+#
+#  This virtual server replaces the old `pre-proxy` and `post-proxy`
+#  sections that were in v3.
+#
+#  It can be called from another virtual server via the `call` keyword:
+#
+#	subrequest {
+#		request := parent.request
+#		call proxy {
+#		}
+#	}
+#
+#  For server pools with load-balancing, fail-over, etc., you can just
+#  use the `load-balance` and `redundant` keywords.  Those sections
+#  should then include multiple `radius` modules, one for each home
+#  server.
+#
+#  You can also create virtual modules in `mods-enabled/`, simply by
+#  giving the `load-balance` section a name.  See the keyword
+#  documentation for `load-balance` for more details.
+#
+#  See also the proxy upgrade documentation for examples.
+#  doc/antora/modules/howto/pages/upgrade/proxy.adoc
+#
+#
+#	$Id$
+#
+######################################################################
+
+server proxy {
+	namespace = radius
+
+#
+#  == Authentication
+#
+#  Process Access-Request packets and responses.
+#
+#  === Receive the Access-Request from the parent
+#
+#  This section replaces `pre-proxy`.  It receives an Access-Request
+#  from the parent, and uses the `radius` module to proxy it.
+#
+#  Note that there is no `send Access-Request` section.  If you add
+#  one, the server will give an error, and will refuse to start.
+#
+recv Access-Request {
+	#
+	#  Rewrite the Access-Request before it gets sent to the home server
+	#
+
+	#
+	#  This is where you decide which home server the packet is
+	#  proxied to.
+	#
+	radius
+}
+
+
+#
+#  === Return the Access-Accept to the parent
+#
+send Access-Accept {
+}
+
+#
+#  === Return the Access-Reject to the parent
+#
+send Access-Reject {
+}
+
+#
+#  === Return the Access-Challenge to the parent
+#
+send Access-Challenge {
+}
+
+#
+#  == Accounting
+#
+#
+#  === Receive the Accounting-Request from the parent
+#
+recv Accounting-Request {
+
+     #
+     #  As the last thing in the section, proxy it.
+     #
+     radius
+}
+
+#
+#  === Return the Accounting-Response to the parent
+#
+send Accounting-Response {
+}
+
+#
+#  == Other Packet Types
+#
+#  You can add sections here such as `recv CoA-Request`, `send
+#  CoA-ACK`, etc.
+#
+
+#
+#  == Finalize the response
+#
+finally {
+	#
+	#  Remove all Proxy-State attributes from the response
+	#
+	reply -= Proxy-State[*]
+
+	#
+	#  Over-write all of the parents response attributes with our response.
+	#
+	parent.reply := reply
+}
+
+}
