From 46c79526fd34996605a97ce52437069aa6462cef Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 14 Sep 2019 18:28:54 +0000 Subject: doc: update nntpd with NNTPS and STARTTLS examples NNTPS and STARTTLS seems to be working for several months without incident on news.public-inbox.org, so consider it a success and maybe others can try using it. HTTPS technically works, too, but isn't documented at the moment since I can't recommend production deployments without varnish protecting it. --- Documentation/public-inbox-daemon.pod | 2 -- Documentation/public-inbox-nntpd.pod | 38 +++++++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 2 deletions(-) (limited to 'Documentation') diff --git a/Documentation/public-inbox-daemon.pod b/Documentation/public-inbox-daemon.pod index abb84dd7..e8d1ff29 100644 --- a/Documentation/public-inbox-daemon.pod +++ b/Documentation/public-inbox-daemon.pod @@ -25,8 +25,6 @@ breaking existing connections during software upgrades. These daemons may also utilize multiple pre-forked worker processes to take advantage of multiple CPUs. -Native TLS (Transport Layer Security) support is planned. - =head1 OPTIONS =over diff --git a/Documentation/public-inbox-nntpd.pod b/Documentation/public-inbox-nntpd.pod index b56580bf..4214fd75 100644 --- a/Documentation/public-inbox-nntpd.pod +++ b/Documentation/public-inbox-nntpd.pod @@ -18,6 +18,44 @@ may be run as a different user than the user running L, L, or L. +=head1 OPTIONS + +See common options in L. +Additionally, NNTP-specific behavior for certain options +are supported and documented below. + +=over + +=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key + +In addition to the normal C<-l>/C<--listen> switch described in +L, the protocol prefix (e.g. C or +C) may be specified to force a given protocol. + +For STARTTLS and NNTPS support, the C and C may be specified +on a per-listener basis after a C character and separated by C<,>. +These directives are per-directive, and it's possible to use a different +cert for every listener. + +=item --cert /path/to/cert + +The default TLS certificate for optional STARTTLS and NNTPS support +if the C option is not given with C<--listen>. + +If using systemd-compatible socket activation and a TCP listener on port +563 is inherited, it is automatically NNTPS when this option is given. +When a listener on port 119 is inherited and this option is given, it +automatically gets STARTTLS support. + +=item --key /path/to/key + +The default private TLS certicate key for optional STARTTLS and NNTPS +support if the C option is not given with C<--listen>. The private +key may concatenated into the path used by C<--cert>, in which case this +option is not needed. + +=back + =head1 CONFIGURATION These configuration knobs should be used in the -- cgit v1.2.3-24-ge0c7