| field | value | date |
|---|---|---|
| author | Eric Wong <e@80x24.org> | 2019-09-14 18:28:54 +0000 |
| committer | Eric Wong <e@80x24.org> | 2019-09-14 18:31:13 +0000 |
| commit | 46c79526fd34996605a97ce52437069aa6462cef (patch) | |
| tree | 7adea1d0e78bd804032b4e7add16c70e71669a74 /Documentation | |
| parent | 6c89cf6208dd4f5251faeec18dc76ac123335fed (diff) | |
| download | public-inbox-46c79526fd34996605a97ce52437069aa6462cef.tar.gz | |
NNTPS and STARTTLS seem to be working for several months without incident on news.public-inbox.org, so consider it a success and maybe others can try using it. HTTPS technically works, too, but isn't documented at the moment since I can't recommend production deployments without varnish protecting it.
Diffstat (limited to 'Documentation')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | Documentation/public-inbox-daemon.pod | 2 |
| -rw-r--r-- | Documentation/public-inbox-nntpd.pod | 38 |
2 files changed, 38 insertions, 2 deletions
diff --git a/Documentation/public-inbox-daemon.pod b/Documentation/public-inbox-daemon.pod index abb84dd7..e8d1ff29 100644 --- a/Documentation/public-inbox-daemon.pod +++ b/Documentation/public-inbox-daemon.pod @@ -25,8 +25,6 @@ breaking existing connections during software upgrades. These daemons may also utilize multiple pre-forked worker processes to take advantage of multiple CPUs. -Native TLS (Transport Layer Security) support is planned. - =head1 OPTIONS =over diff --git a/Documentation/public-inbox-nntpd.pod b/Documentation/public-inbox-nntpd.pod index b56580bf..4214fd75 100644 --- a/Documentation/public-inbox-nntpd.pod +++ b/Documentation/public-inbox-nntpd.pod 
@@ -18,6 +18,44 @@ may be run as a different user than the user running L<public-inbox-watch(1)>, L<public-inbox-mda(1)>, or L<git-fetch(1)>. +=head1 OPTIONS + +See common options in L<public-inbox-daemon(8)/OPTIONS>. +Additionally, NNTP-specific behavior for certain options +are supported and documented below. + +=over + +=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key + +In addition to the normal C<-l>/C<--listen> switch described in +L<public-inbox-daemon(8)>, the protocol prefix (e.g. C<nntp://> or +C<nntps://>) may be specified to force a given protocol. + +For STARTTLS and NNTPS support, the C<cert> and C<key> may be specified +on a per-listener basis after a C<?> character and separated by C<,>. +These directives are per-directive, and it's possible to use a different +cert for every listener. + +=item --cert /path/to/cert + +The default TLS certificate for optional STARTTLS and NNTPS support +if the C<cert> option is not given with C<--listen>. + +If using systemd-compatible socket activation and a TCP listener on port +563 is inherited, it is automatically NNTPS when this option is given. +When a listener on port 119 is inherited and this option is given, it +automatically gets STARTTLS support. + +=item --key /path/to/key + +The default private TLS certicate key for optional STARTTLS and NNTPS +support if the C<key> option is not given with C<--listen>. The private +key may concatenated into the path used by C<--cert>, in which case this +option is not needed. + +=back + =head1 CONFIGURATION These configuration knobs should be used in the |
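Review bot: in the public-inbox-daemon.pod hunk, dropping "Native TLS (Transport Layer Security) support is planned." leaves the shared daemon page with no mention of TLS at all, while `--cert`, `--key` and the per-listener `cert=`/`key=` parameters are documented only in public-inbox-nntpd.pod. Suggest replacing the removed sentence with a one-line pointer to the public-inbox-nntpd documentation's OPTIONS section (and to the HTTPS equivalent once it is documented), since this page is where readers of the common options will look first.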
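Review bot: in the public-inbox-nntpd.pod hunk, the `--key` entry says the private key "may concatenated into the path used by C<--cert>" (missing "be"), but neither `--cert` nor `--key` says that a combined file must then be protected like a key (readable by the daemon user only); given the surrounding context that the daemon "may be run as a different user than" the watch/mda user, a sentence on required ownership and permissions would prevent the common mistake of a world-readable cert+key bundle. Also worth fixing in the same hunk: "These directives are per-directive" should read "per-listener" (the next clause already says a different cert per listener is possible); "certicate" should be "certificate"; "NNTP-specific behavior for certain options are supported" should be "is supported". The `--cert` paragraph covers inherited sockets on ports 563 and 119 but not what happens for an inherited listener on any other port when `--cert` is given (plain NNTP, STARTTLS, or error), and the `?cert=...,key=...` syntax does not say how a path containing `,` or `?` is handled; both are worth a sentence.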