From 9dbc40d83a89ef735d94dc235aa825135aef5407 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Sat, 30 Sep 2023 09:37:46 +0000 Subject: s6-tlsserver bugfix, doc updates Signed-off-by: Laurent Bercot --- doc/s6-tlsserver.html | 59 +++++++++++++++++++++------------------------------ 1 file changed, 24 insertions(+), 35 deletions(-) (limited to 'doc/s6-tlsserver.html') diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html index b338326..d1ca3e2 100644 --- a/doc/s6-tlsserver.html +++ b/doc/s6-tlsserver.html @@ -41,8 +41,7 @@ listens to TCP connections on IP address ip port port and forks a command line for every connection. Note that s6-tcpserver also rewrites itself into a more complex command line (the final long-lived -process being s6-tcpserver4d -or s6-tcpserver6d), +process being s6-tcpserverd), so your end command line may look a lot longer in ps than what you originally wrote. This is normal and healthy.
  • (if applicable) s6-tcpserver-access, @@ -73,9 +72,8 @@ be a network socket - they will be pipes.

    s6-tlsserver reacts to the same signals as -s6-tcpserver4d or -s6-tcpserver6d, -one of which is the long-lived process hanging around. +s6-tcpserverd, +which is the long-lived process hanging around.

    Environment variables

    @@ -104,9 +102,8 @@ every s6-tlsd invocation:

    prog... is run with the following variables added to, -or removed from, its environment by s6-tcpserver4d -or s6-tcpserver6d, and possibly -by s6-tcpserver-access: +or removed from, its environment by s6-tcpserverd +and possibly by s6-tcpserver-access:

      @@ -142,28 +139,17 @@ variables will not appear in prog's environment.

      Options

      - s6-tlsserver accepts a myriad of options, most of which are + s6-tlsserver accepts a myriad of options, all of which are passed as is to the correct executable. Not giving any options will generally work, but unless you're running a very public server (such as a Web server) or base your access control on client certificates, you probably still want TCP access rules.

      -

      Options handled directly by s6-tlsserver

      - -
        -
      • -e: : indicates that -s6-tcpserver-access should -be invoked, even if no other option requires it, even in the absence -of an access control ruleset. This ensures that prog... -will always have access to environment variables such as TCPLOCALPORT.
      • -
      -

      Options passed as is to s6-tcpserver

      • -q, -Q, -v
      • -
      • -4, -6
      • -1
      • -c maxconn
      • -C localmaxconn
      • @@ -174,31 +160,34 @@ will always have access to environment variables such as TCPLOCALPORT.
        • The verbosity level, if not default, as -v0 or -v2
        • -
        • -w, -W
        • -
        • -d, -D
        • -
        • -r, -R
        • -
        • -p, -P
        • -
        • -h, -H, -l localname
        • -
        • -B banner
        • -
        • -t timeout
        • -
        • -i rulesdir, -x rulesfile
        • +
        • -w, -W : be strict or tolerant with DNS or IDENT resolution errors
        • +
        • -d, -D : enable or disable Nagle's algorithm
        • +
        • -r, -R : enable or disable IDENT lookups
        • +
        • -p, -P : enable or disable paranoid DNS cross-checking
        • +
        • -h, -H : enable or disable DNS lookups
        • +
        • -l localname : get the local name from the command line, not from DNS
        • +
        • -B banner : initial server-side banner
        • +
        • -t timeout : set a timeout for all the lookups
        • +
        • -i rulesdir, -x rulesfile : TCP access control

        Options passed as is to s6-tlsd

          -
        • -Z, -z
        • -
        • -S, -s
        • -
        • -Y, -y
        • -
        • -K kimeout
        • -
        • -k snilevel
        • +
        • -Z, -z : keep or remove the s6-tlsd-io-specific +variables from the application's environment
        • +
        • -S, -s : use close_notify or EOF to signal the end of a TLS connection
        • +
        • -Y, -y : request an optional or a mandatory client certificate
        • +
        • -K kimeout : set a timeout for the TLS handshake
        • +
        • -k snilevel : support SNI-based certificate chains

        Options passed to s6-applyuidgid

          -
        • -u uid, -g gid, -G gidlist
        • -
        • -U (passed as -Uz)
        • +
        • -u uid, -g gid, -G gidlist : set uid, gid, or supplementary group list
        • +
        • -U (passed as -Uz) : get the uid, gid and supplementary group list from the UID, GID and GIDLIST variables, +and remove these variables from the application's environment

        Example

        -- cgit v1.3.1