Update to reflect ancient sslio

Neale Pickett 2014-11-19 23:49:48 +00:00
parent 6121939bf0
commit aab1b7496b
2 changed files with 23 additions and 15 deletions

README

@ -49,7 +49,7 @@ Start with:
tcpserver -v -RHl localhost -u 1234 -g 1234 0 80 ./eris tcpserver -v -RHl localhost -u 1234 -g 1234 0 80 ./eris
There are many other ways to start eris. There are many other ways to start eris.
For example, you can run an HTTPS server using tcpsvd and sslio. For example, you can run an HTTPS server with stunnel.
You just need something that launches eris with stdin and stdout connected to the client. You just need something that launches eris with stdin and stdout connected to the client.
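Review bot: The changed sentence now names stunnel, but the only command shown in this part of the README is still the tcpserver invocation, and nothing tells the reader where the stunnel setup lives. Suggest ending the sentence with a pointer to the SSL document updated in this same commit, so that "run an HTTPS server with stunnel" leads to a working configuration.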


@ -4,23 +4,31 @@ SSL with eris
Eris does not care what transport is in use: that job is left to the invoking Eris does not care what transport is in use: that job is left to the invoking
program (eg. tcpserver). program (eg. tcpserver).
Gerrit Pape's `ipsvd` package comes with two programs for running SSL daemons: In the past you could use `sslio` with `tcpsvd`,
`sslsvd` and `sslio`. At the time of this writing, however, Gerrit's `ipsvd` but `sslio` has not been updated in a long time,
has no support for IPv6. Busybox `ipsvd`, and `ucspi-tcp-ipv6`, both do and won't work with (at least) Chrome 39.
support IPv6.
Here is how you can support SSL *and* IPv6: I recommend using stunnel,
which also works with IPv6.
You can invoke it like so:
#! /bin/sh
cd /srv/www cd /srv/www
HTTPS=enabled; export HTTPS HTTPS=enabled; export HTTPS
exec tcpserver -H -R 0 443 \
/usr/bin/sslio -u nobody:ssl-cert -U www-data \
-C /path/to/mydomain.crt -K /path/to/mydomain.key \
/service/httpd/eris -c
This uses `tcpserver` to listen for and accept TCP4 and TCP6 connections. exec stunnel -fd 3 3<<EOD
These connections are then handed to `sslio`, which drops permissions to foreground = yes
`nobody:ssl-cert` and starts speaking SSL to `eris` running as `www-data`. setuid = http
setgid = http
debug = 4
I like to set the `HTTPS` environment variable also, so CGI can tell whether or [https]
not its connection is secure. accept = ::443
cert = /path/to/yourserver.crt
key = /path/to/yourserver.key
exec = /path/to/eris
execargs = eris -c
EOD
I set the `HTTPS` environment variable,
so CGI can tell whether or not its connection is secure.
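Review bot: The new stunnel config has a single global `setuid = http` / `setgid = http`, and the paragraph that explained the privilege drop (sslio as `nobody:ssl-cert`, eris as `www-data`) is deleted with nothing in its place. Suggest a sentence after the heredoc saying which account eris runs as under this config and what ownership and mode the `key` file needs, since the example now shows only one account where the old one showed two. The `debug = 4` line and the reason `sslio` fails with Chrome 39 would each benefit from a few words as well.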