From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Subject: [PATCH] doc: update nntpd with NNTPS and STARTTLS examples
Date: Sat, 14 Sep 2019 18:28:54 +0000 [thread overview]
Message-ID: <20190914182854.27864-1-e@80x24.org> (raw)
NNTPS and STARTTLS seems to be working for several months
without incident on news.public-inbox.org, so consider it a
success and maybe others can try using it.
HTTPS technically works, too, but isn't documented at
the moment since I can't recommend production deployments
without varnish protecting it.
---
Documentation/public-inbox-daemon.pod | 2 --
Documentation/public-inbox-nntpd.pod | 38 +++++++++++++++++++++++++++
MANIFEST | 1 +
examples/public-inbox-nntpd@.service | 13 +++++----
examples/public-inbox-nntps.socket | 12 +++++++++
5 files changed, 59 insertions(+), 7 deletions(-)
create mode 100644 examples/public-inbox-nntps.socket
diff --git a/Documentation/public-inbox-daemon.pod b/Documentation/public-inbox-daemon.pod
index abb84dd7..e8d1ff29 100644
--- a/Documentation/public-inbox-daemon.pod
+++ b/Documentation/public-inbox-daemon.pod
@@ -25,8 +25,6 @@ breaking existing connections during software upgrades.
These daemons may also utilize multiple pre-forked worker
processes to take advantage of multiple CPUs.
-Native TLS (Transport Layer Security) support is planned.
-
=head1 OPTIONS
=over
diff --git a/Documentation/public-inbox-nntpd.pod b/Documentation/public-inbox-nntpd.pod
index b56580bf..4214fd75 100644
--- a/Documentation/public-inbox-nntpd.pod
+++ b/Documentation/public-inbox-nntpd.pod
@@ -18,6 +18,44 @@ may be run as a different user than the user running
L<public-inbox-watch(1)>, L<public-inbox-mda(1)>, or
L<git-fetch(1)>.
+=head1 OPTIONS
+
+See common options in L<public-inbox-daemon(8)/OPTIONS>.
+Additionally, NNTP-specific behavior for certain options
+are supported and documented below.
+
+=over
+
+=item -l, --listen PROTO://ADDRESS/?cert=/path/to/cert,key=/path/to/key
+
+In addition to the normal C<-l>/C<--listen> switch described in
+L<public-inbox-daemon(8)>, the protocol prefix (e.g. C<nntp://> or
+C<nntps://>) may be specified to force a given protocol.
+
+For STARTTLS and NNTPS support, the C<cert> and C<key> may be specified
+on a per-listener basis after a C<?> character and separated by C<,>.
+These directives are per-directive, and it's possible to use a different
+cert for every listener.
+
+=item --cert /path/to/cert
+
+The default TLS certificate for optional STARTTLS and NNTPS support
+if the C<cert> option is not given with C<--listen>.
+
+If using systemd-compatible socket activation and a TCP listener on port
+563 is inherited, it is automatically NNTPS when this option is given.
+When a listener on port 119 is inherited and this option is given, it
+automatically gets STARTTLS support.
+
+=item --key /path/to/key
+
+The default private TLS certicate key for optional STARTTLS and NNTPS
+support if the C<key> option is not given with C<--listen>. The private
+key may concatenated into the path used by C<--cert>, in which case this
+option is not needed.
+
+=back
+
=head1 CONFIGURATION
These configuration knobs should be used in the
diff --git a/MANIFEST b/MANIFEST
index 777367d0..f5290b40 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -60,6 +60,7 @@ examples/public-inbox-httpd.socket
examples/public-inbox-httpd@.service
examples/public-inbox-nntpd.socket
examples/public-inbox-nntpd@.service
+examples/public-inbox-nntps.socket
examples/public-inbox-watch.service
examples/public-inbox.psgi
examples/unsubscribe-milter.socket
diff --git a/examples/public-inbox-nntpd@.service b/examples/public-inbox-nntpd@.service
index a879841e..4dd2f5d7 100644
--- a/examples/public-inbox-nntpd@.service
+++ b/examples/public-inbox-nntpd@.service
@@ -7,8 +7,8 @@
[Unit]
Description = public-inbox NNTP server %i
-Wants = public-inbox-nntpd.socket
-After = public-inbox-nntpd.socket
+Wants = public-inbox-nntpd.socket public-inbox-nntps.socket
+After = public-inbox-nntpd.socket public-inbox-nntps.socket
[Service]
Environment = PI_CONFIG=/home/pi/.public-inbox/config \
@@ -18,17 +18,20 @@ PERL_INLINE_DIRECTORY=/tmp/.pub-inline
LimitNOFILE = 30000
ExecStartPre = /bin/mkdir -p -m 1777 /tmp/.pub-inline
ExecStart = /usr/local/bin/public-inbox-nntpd \
--1 /var/log/public-inbox/nntpd.out.log
+-1 /var/log/public-inbox/nntpd.out.log \
+--cert /etc/ssl/certs/news.example.com.pem \
+--key /etc/ssl/private/news.example.com.key
StandardError = syslog
# NonBlocking is REQUIRED to avoid a race condition if running
# simultaneous services
NonBlocking = true
-Sockets = public-inbox-nntpd.socket
+
+Sockets = public-inbox-nntpd.socket public-inbox-nntps.socket
KillSignal = SIGQUIT
User = nobody
-Group = nogroup
+Group = ssl-cert
ExecReload = /bin/kill -HUP $MAINPID
TimeoutStopSec = 86400
KillMode = process
diff --git a/examples/public-inbox-nntps.socket b/examples/public-inbox-nntps.socket
new file mode 100644
index 00000000..fa678196
--- /dev/null
+++ b/examples/public-inbox-nntps.socket
@@ -0,0 +1,12 @@
+# ==> /etc/systemd/system/public-inbox-nntps.socket <==
+[Unit]
+Description = public-inbox-nntps socket
+
+[Socket]
+ListenStream = 0.0.0.0:563
+BindIPv6Only = ipv6-only
+ListenStream = [::]:563
+Service = public-inbox-nntpd@1.service
+
+[Install]
+WantedBy = sockets.target
--
EW
reply other threads:[~2019-09-14 18:28 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://public-inbox.org/README
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190914182854.27864-1-e@80x24.org \
--to=e@80x24.org \
--cc=meta@public-inbox.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).