From 46c79526fd34996605a97ce52437069aa6462cef Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Sat, 14 Sep 2019 18:28:54 +0000 Subject: doc: update nntpd with NNTPS and STARTTLS examples NNTPS and STARTTLS seems to be working for several months without incident on news.public-inbox.org, so consider it a success and maybe others can try using it. HTTPS technically works, too, but isn't documented at the moment since I can't recommend production deployments without varnish protecting it. --- Documentation/public-inbox-daemon.pod | 2 -- Documentation/public-inbox-nntpd.pod | 38 +++++++++++++++++++++++++++++++++++ MANIFEST | 1 + examples/public-inbox-nntpd@.service | 13 +++++++----- examples/public-inbox-nntps.socket | 12 +++++++++++ 5 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 examples/public-inbox-nntps.socket diff --git a/Documentation/public-inbox-daemon.pod b/Documentation/public-inbox-daemon.pod index abb84dd7..e8d1ff29 100644 --- a/Documentation/public-inbox-daemon.pod +++ b/Documentation/public-inbox-daemon.pod @@ -25,8 +25,6 @@ breaking existing connections during software upgrades. These daemons may also utilize multiple pre-forked worker processes to take advantage of multiple CPUs. -Native TLS (Transport Layer Security) support is planned. - =head1 OPTIONS =over diff --git a/Documentation/public-inbox-nntpd.pod b/Documentation/public-inbox-nntpd.pod index b56580bf..4214fd75 100644 --- a/Documentation/public-inbox-nntpd.pod +++ b/Documentation/public-inbox-nntpd.pod 
@@ -18,6 +18,44 @@ may be run as a different user than the user running L, L, or L. +=head1 OPTIONS + +See common options in L. +Additionally, NNTP-specific behavior for certain options +are supported and documented below. + +=over + +=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key + +In addition to the normal C<-l>/C<--listen> switch described in +L, the protocol prefix (e.g. C or +C) may be specified to force a given protocol. + +For STARTTLS and NNTPS support, the C and C may be specified +on a per-listener basis after a C character and separated by C<,>. +These directives are per-directive, and it's possible to use a different +cert for every listener. + +=item --cert /path/to/cert + +The default TLS certificate for optional STARTTLS and NNTPS support +if the C option is not given with C<--listen>. + +If using systemd-compatible socket activation and a TCP listener on port +563 is inherited, it is automatically NNTPS when this option is given. +When a listener on port 119 is inherited and this option is given, it +automatically gets STARTTLS support. + +=item --key /path/to/key + +The default private TLS certicate key for optional STARTTLS and NNTPS +support if the C option is not given with C<--listen>. The private +key may concatenated into the path used by C<--cert>, in which case this +option is not needed. + +=back + =head1 CONFIGURATION These configuration knobs should be used in the diff --git a/MANIFEST b/MANIFEST index 777367d0..f5290b40 100644 --- a/MANIFEST +++ b/MANIFEST @@ -60,6 +60,7 @@ examples/public-inbox-httpd.socket examples/public-inbox-httpd@.service examples/public-inbox-nntpd.socket examples/public-inbox-nntpd@.service +examples/public-inbox-nntps.socket examples/public-inbox-watch.service examples/public-inbox.psgi examples/unsubscribe-milter.socket diff --git a/examples/public-inbox-nntpd@.service b/examples/public-inbox-nntpd@.service index a879841e..4dd2f5d7 100644 --- a/examples/public-inbox-nntpd@.service 
+++ b/examples/public-inbox-nntpd@.service @@ -7,8 +7,8 @@ [Unit] Description = public-inbox NNTP server %i -Wants = public-inbox-nntpd.socket -After = public-inbox-nntpd.socket +Wants = public-inbox-nntpd.socket public-inbox-nntps.socket +After = public-inbox-nntpd.socket public-inbox-nntps.socket [Service] Environment = PI_CONFIG=/home/pi/.public-inbox/config \ @@ -18,17 +18,20 @@ PERL_INLINE_DIRECTORY=/tmp/.pub-inline LimitNOFILE = 30000 ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.pub-inline ExecStart = /usr/local/bin/public-inbox-nntpd \ --1 /var/log/public-inbox/nntpd.out.log +-1 /var/log/public-inbox/nntpd.out.log \ +--cert /etc/ssl/certs/news.example.com.pem \ +--key /etc/ssl/private/news.example.com.key StandardError = syslog # NonBlocking is REQUIRED to avoid a race condition if running # simultaneous services NonBlocking = true -Sockets = public-inbox-nntpd.socket + +Sockets = public-inbox-nntpd.socket public-inbox-nntps.socket KillSignal = SIGQUIT User = nobody -Group = nogroup +Group = ssl-cert ExecReload = /bin/kill -HUP $MAINPID TimeoutStopSec = 86400 KillMode = process diff --git a/examples/public-inbox-nntps.socket b/examples/public-inbox-nntps.socket new file mode 100644 index 00000000..fa678196 --- /dev/null +++ b/examples/public-inbox-nntps.socket @@ -0,0 +1,12 @@ +# ==> /etc/systemd/system/public-inbox-nntps.socket <== +[Unit] +Description = public-inbox-nntps socket + +[Socket] +ListenStream = 0.0.0.0:563 +BindIPv6Only = ipv6-only +ListenStream = [::]:563 +Service = public-inbox-nntpd@1.service + +[Install] +WantedBy = sockets.target -- cgit v1.2.3-24-ge0c7
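Review bot: `Group = nogroup` becomes `Group = ssl-cert` in the second hunk of examples/public-inbox-nntpd@.service with no comment saying why, and the reason is only implied by the new `--key /etc/ssl/private/news.example.com.key` line above it. Readers copying this unit should know the group exists only so the unprivileged `nobody` user can read the private key (presumably the Debian convention of /etc/ssl/private being root:ssl-cert — worth confirming for the target distribution), so a line such as `# ssl-cert: lets User=nobody read the private key under /etc/ssl/private` directly above `Group = ssl-cert` would make that explicit. It is also not visible from this hunk whether `ExecReload = /bin/kill -HUP $MAINPID` makes the daemon re-read `--cert`/`--key`; since certificates are renewed regularly, a comment stating whether a reload or a full restart is needed after renewal would save operators from unknowingly serving an expired certificate. The `[Service]` section continues past the end of the hunk.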
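Review bot: The new examples/public-inbox-nntps.socket binds port 563 but nothing in the file says the listener is only NNTPS because the paired service passes `--cert`/`--key`; per the nntpd.pod text in this same commit, an inherited port-563 listener is treated as NNTPS only "when this option is given", so a service started without `--cert` would serve plaintext NNTP on the NNTPS port without any error. A comment under the header, e.g. `# Port 563 is served as NNTPS only when public-inbox-nntpd runs with --cert/--key; without them this listener is plaintext`, documents that dependency where an operator editing the socket file will see it. The hard-coded `Service = public-inbox-nntpd@1.service` also deserves a line noting it must point at whichever instance is currently active, assuming it mirrors the existing nntpd.socket convention (not shown in this diff).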