X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/d4214e9445d9f9d0f0ede3e09a9f81deee95d69c..05281d7a0d98102edfda24c18fc9d82af5eee4c2:/doc/reference.conf diff --git a/doc/reference.conf b/doc/reference.conf index 731eadf8..c499a365 100644 --- a/doc/reference.conf +++ b/doc/reference.conf @@ -44,6 +44,7 @@ * To use them, uncomment the lines below. * * Channel mode +-A (admin only) -- chm_adminonly + * Channel mode +-T (blocks notices) -- chm_nonotice * Channel mode +-O (oper only) -- chm_operonly * Channel mode +-S (ssl only) -- chm_sslonly * Emulates channel mode +-O (oper only) (+-iI $o) -- chm_operonly_compat @@ -80,6 +81,7 @@ * Stop services kills -- no_kill_services */ #loadmodule "extensions/chm_adminonly"; +#loadmodule "extensions/chm_nonotice"; #loadmodule "extensions/chm_operonly"; #loadmodule "extensions/chm_sslonly"; #loadmodule "extensions/chm_operonly_compat"; @@ -148,13 +150,15 @@ serverinfo { */ #vhost6 = "2001:db7:2::6"; - /* ssl_private_key: our ssl private key */ - ssl_private_key = "etc/ssl.key"; - - /* ssl_cert: certificate for our ssl server */ + /* ssl_cert: certificate (and optionally key) for our ssl server */ ssl_cert = "etc/ssl.pem"; - /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */ + /* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */ + #ssl_private_key = "etc/ssl.key"; + + /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048 */ + /* If you do not provide parameters, some TLS backends will fail on DHE- ciphers, + and some will succeed but use weak, common DH groups! */ ssl_dh_params = "etc/dh.pem"; /* ssl_cipher_list: A list of ciphers, dependent on your TLS backend */ @@ -320,8 +324,8 @@ listen { /* port: listen on all available IPs, ports 5000 and 6665 to 6669 */ port = 5000, 6665 .. 6669; - /* sslport: listen for ssl connections on all available IPs, port 9999 */ - sslport = 9999; + /* sslport: listen for ssl connections on all available IPs, port 6697 */ + sslport = 6697; /* host: set a specific IP/host the ports after the line will listen * on. This may be ipv4 or ipv6. @@ -333,6 +337,12 @@ listen { host = "2001:db8:2::6"; port = 7002; sslport = 9002; + + /* wsock: listeners defined with this option enabled will be websocket listeners, + * and will not accept normal clients. + */ + wsock = yes; + sslport = 9999; }; /* auth {}: allow users to connect to the ircd (OLD I:) */ @@ -566,6 +576,7 @@ connect "irc.uplink.com" { * compressed - compress traffic via ziplinks * topicburst - burst topics between servers * ssl - ssl/tls encrypted server connections + * no-export - marks the link as a no-export link (not exported to other links) */ flags = compressed, topicburst; }; @@ -1407,9 +1418,15 @@ general { * * The spki_* variants operate on the SubjectPublicKeyInfo of the certificate, which does * not change unless the private key is changed. This allows the fingerprint to stay - * constant even if the certificate is reissued. + * constant even if the certificate is reissued. These fingerprints will be prefixed with + * "SPKI:SHA2-256:" or "SPKI:SHA2-512:" depending on the hash type. These fingerprints + * are not supported on servers running charybdis 3.5 or earlier. + * + * To generate a fingerprint from a certificate file, please use the mkfingerprint utility + * program located in the bin/ subdirectory of your IRCd installation. Running it with no + * arguments will give you a brief usage message; it takes method and filename arguments. */ - certfp_method = sha1; + certfp_method = spki_sha256; /* hide_opers_in_whois: if set to YES, then oper status will be hidden in /WHOIS output. */ hide_opers_in_whois = no;