mirror of https://github.com/nealey/eris.git
SSL with eris
=============

Eris does not care what transport is in use: that job is left to the invoking
program (e.g. tcpserver).

Gerrit Pape's `ipsvd` package comes with two programs for running SSL daemons:
`sslsvd` and `sslio`. At the time of this writing, however, Gerrit's `ipsvd`
has no support for IPv6. Busybox `ipsvd` and `ucspi-tcp-ipv6` both do
support IPv6.

Here is how you can support SSL *and* IPv6:

    cd /srv/www
    # Tell CGI programs that this listener is the SSL one
    HTTPS=enabled; export HTTPS
    # -H: skip the reverse DNS lookup, -R: skip the ident lookup
    exec tcpserver -H -R 0 443 \
        /usr/bin/sslio -u nobody:ssl-cert -U www-data \
        -C /path/to/mydomain.crt -K /path/to/mydomain.key \
        /service/httpd/eris -c

This uses `tcpserver` to listen for and accept TCP4 and TCP6 connections.
These connections are then handed to `sslio`, which drops permissions to
`nobody:ssl-cert` and speaks SSL to the client on behalf of `eris`, which
runs as `www-data`.

I like to set the `HTTPS` environment variable as well, so CGI can tell whether
or not its connection is secure.
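A CGI script can act on that variable as sketched here. This is an added example, not part of eris or its documentation; `CANONICAL_HOST`, the cookie, and the reliance on `REQUEST_URI`, `REQUEST_METHOD` and the `Status:` header are assumptions about a standard CGI environment.

```shell
#!/bin/sh
# Added example (not part of eris): a CGI that trusts only the HTTPS variable
# exported by the run script. Request headers reach CGI as HTTP_* variables,
# so a client cannot set HTTPS itself; the plain-HTTP service must not export it.

# Assumption: canonical site name, fixed here so the redirect never echoes a
# client-supplied Host header.
CANONICAL_HOST=${CANONICAL_HOST:-www.example.com}

# True only for the exact value the run script exports.
is_secure() {
    [ "${HTTPS:-}" = "enabled" ]
}

# Print the https:// URL for the current request.
secure_url() {
    # Strip CR/LF so the path cannot add response headers.
    path=$(printf '%s' "${REQUEST_URI:-/}" | tr -d '\r\n')
    case $path in
        /*) ;;
        *) path=/ ;;
    esac
    printf 'https://%s%s' "$CANONICAL_HOST" "$path"
}

# Emit the CGI response: a Secure cookie only over SSL, otherwise a redirect.
respond() {
    if is_secure; then
        printf 'Content-Type: text/plain\r\n'
        # Constructed cookie value, for illustration only.
        printf 'Set-Cookie: sid=CONSTRUCTED; Secure; HttpOnly\r\n\r\n'
        printf 'connection is secure\n'
    else
        printf 'Status: 301 Moved Permanently\r\n'
        printf 'Location: %s\r\n\r\n' "$(secure_url)"
    fi
}

# Run only when invoked by the web server as CGI.
if [ -n "${REQUEST_METHOD:-}" ]; then
    respond
fi
```

The port 80 service should use a run script that leaves `HTTPS` unset, so the same CGI redirects there instead of issuing the cookie.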