X-Git-Url: https://jfr.im/git/solanum.git/blobdiff_plain/f105844aadcf9fe3a7aa7d103b6e9d63e184f036..6d5be11fb141829ccee9df782d1633000f7dc3c1:/doc/ircd.conf.example

diff --git a/doc/ircd.conf.example b/doc/ircd.conf.example
index ef779228..705a0d6d 100644
--- a/doc/ircd.conf.example
+++ b/doc/ircd.conf.example
@@ -8,6 +8,7 @@
  */
 
 /* Extensions */
+#loadmodule "extensions/chm_nonotice";
 #loadmodule "extensions/chm_operonly_compat";
 #loadmodule "extensions/chm_quietunreg_compat";
 #loadmodule "extensions/chm_sslonly_compat";
@@ -28,6 +29,7 @@
 #loadmodule "extensions/m_extendchans";
 #loadmodule "extensions/m_findforwards";
 #loadmodule "extensions/m_identify";
+#loadmodule "extensions/m_locops";
 #loadmodule "extensions/no_oper_invis";
 #loadmodule "extensions/sno_farconnect";
 #loadmodule "extensions/sno_globalkline";
@@ -60,18 +62,20 @@ serverinfo {
 	/* for IPv6 */
 	#vhost6 = "2001:db8:2::6";
 
-	/* ssl_private_key: our ssl private key */
-	ssl_private_key = "etc/ssl.key";
-
-	/* ssl_cert: certificate for our ssl server */
+	/* ssl_cert: certificate (and optionally key) for our ssl server */
 	ssl_cert = "etc/ssl.pem";
 
+	/* ssl_private_key: our ssl private key (if not contained in ssl_cert file) */
+	#ssl_private_key = "etc/ssl.key";
+
 	/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 2048
 	 * In general, the DH parameters size should be the same as your key's size.
 	 * However it has been reported that some clients have broken TLS implementations which may
 	 * choke on keysizes larger than 2048-bit, so we would recommend using 2048-bit DH parameters
 	 * for now if your keys are larger than 2048-bit.
-	 */
+	 *
+	 * If you do not provide parameters, some TLS backends will fail on DHE- ciphers,
+	 * and some will succeed but use weak, common DH groups! */
 	ssl_dh_params = "etc/dh.pem";
 
 	/* ssld_count: number of ssld processes you want to start, if you
@@ -160,7 +164,13 @@ listen {
 	/* Listen on IPv6 (if you used host= above). */
 	#host = "2001:db8:2::6";
 	#port = 5000, 6665 .. 6669;
-	#sslport = 9999;
+	#sslport = 6697;
+
+	/* wsock: listeners defined with this option enabled will be websocket listeners,
+	 * and will not accept normal clients.
+	 */
+	wsock = yes;
+	sslport = 9999;
 };
 
 /* auth {}: allow users to connect to the ircd (OLD I:)
@@ -195,15 +205,17 @@ auth {
 	 * encrypted                  | password is encrypted with mkpasswd
 	 * spoof_notice               | give a notice when spoofing hosts
 	 * exceed_limit (old > flag)  | allow user to exceed class user limits
-	 * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines&dnsbls
-	 * dnsbl_exempt		      | exempt this user from dnsbls
-	 * spambot_exempt	      | exempt this user from spambot checks
-	 * shide_exempt		      | exempt this user from serverhiding
+	 * kline_exempt (old ^ flag)  | exempt this user from k/g/xlines,
+	 *                            | dnsbls, and proxies
+	 * proxy_exempt               | exempt this user from proxies
+	 * dnsbl_exempt               | exempt this user from dnsbls
+	 * spambot_exempt             | exempt this user from spambot checks
+	 * shide_exempt               | exempt this user from serverhiding
 	 * jupe_exempt                | exempt this user from generating
 	 *                              warnings joining juped channels
-	 * resv_exempt		      | exempt this user from resvs
+	 * resv_exempt                | exempt this user from resvs
 	 * flood_exempt               | exempt this user from flood limits
-	 *                                     USE WITH CAUTION.
+	 *                              USE WITH CAUTION.
 	 * no_tilde     (old - flag)  | don't prefix ~ to username if no ident
 	 * need_ident   (old + flag)  | require ident for user in this class
 	 * need_ssl                   | require SSL/TLS for user in this class
@@ -224,7 +236,7 @@ auth {
  * means they must be defined before operator {}.
  */
 privset "local_op" {
-	privs = oper:local_kill, oper:operwall;
+	privs = oper:general, auspex:oper, oper:privs, oper:local_kill, oper:operwall;
 };
 
 privset "server_bot" {
@@ -235,7 +247,7 @@ privset "server_bot" {
 privset "global_op" {
 	extends = "local_op";
 	privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
-		oper:resv, oper:mass_notice, oper:remoteban;
+		oper:resv, oper:cmodes, oper:mass_notice, oper:remoteban;
 };
 
 privset "admin" {
@@ -307,10 +319,6 @@ connect "irc.uplink.com" {
 	flags = compressed, topicburst;
 
 	#fingerprint = "c77106576abf7f9f90cca0f63874a60f2e40a64b";
-
-	/* If the connection is IPv6, uncomment below.
-	 * Use 0::1, not ::1, for IPv6 localhost. */
-	#aftype = ipv6;
 };
 
 connect "ssl.uplink.com" {
@@ -366,6 +374,7 @@ channel {
 	autochanmodes = "+nt";
 	displayed_usercount = 3;
 	strip_topic_colors = no;
+	opmod_send_statusmsg = no;
 };
 
 serverhide {
@@ -375,14 +384,14 @@ serverhide {
 	disable_hidden = no;
 };
 
-/* These are the blacklist settings.
+/* These are the DNSBL settings.
  * You can have multiple combinations of host and rejection reasons.
  * They are used in pairs of one host/rejection reason.
  *
- * These settings should be adequate for most networks.
+ * The default settings should be adequate for most networks.
  *
- * Word to the wise: Do not use blacklists like SPEWS for blocking IRC
- * connections.
+ * It is not recommended to use DNSBL services designed for e-mail spam
+ * prevention, such as SPEWS for blocking IRC connections.
  *
  * As of charybdis 2.2, you can do some keyword substitution on the rejection
  * reason. The available keyword substitutions are:
@@ -402,13 +411,13 @@ serverhide {
  * is considered a match. If included, a comma-separated list of *quoted*
  * strings is allowed to match queries. They may be of the format "0" to "255"
  * to match the final octet (e.g. 127.0.0.1) or "127.x.y.z" to explicitly match
- * an A record. The blacklist is only applied if it matches anything in the
+ * an A record. The DNSBL match is only applied if it matches anything in the
  * list. You may freely mix full IP's and final octets.
  *
- * Consult your blacklist provider for the meaning of these parameters; they
- * are usually used to denote different ban types.
+ * Consult your DNSBL provider for the meaning of these parameters; they
+ * are usually used to denote different block reasons.
  */
-blacklist {
+dnsbl {
 	host = "rbl.efnetrbl.org";
 	type = ipv4;
 	reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";
@@ -420,6 +429,78 @@ blacklist {
 #	reject_reason = "${nick}, your IP (${ip}) is listed in ${dnsbl-host} for some reason. In order to protect ${network-name} from abuse, we are not allowing connections listed in ${dnsbl-host} to connect";
 };
 
+/* These are the OPM settings.
+ * This is similar to the functionality provided by BOPM. It will scan incoming
+ * connections for open proxies by connecting to clients and attempting several
+ * different open proxy handshakes. If they connect back to us (via a dedicated
+ * listening port), and send back the data we send them, they are considered
+ * an open proxy. For politeness reasons (users may be confused by the incoming
+ * connection attempts if they are logging incoming connections), the user is
+ * notified upon connect if they are being scanned.
+ *
+ * WARNING:
+ * These settings are considered experimental. Only the most common proxy types
+ * are checked for (Charybdis is immune from POST and GET proxies). If you are
+ * not comfortable with experimental code, do not use this feature.
+ */
+#opm {
+	/* IPv4 address to listen on. This must be a publicly facing IP address
+	 * to be effective.
+	 * If omitted, it defaults to serverinfo::vhost.
+	 */
+	#listen_ipv4 = "127.0.0.1";
+
+	/* IPv4 port to listen on.
+	 * This should not be the same as any existing listeners.
+	 */
+	#port_v4 = 32000;
+
+	/* IPv6 address to listen on. This must be a publicly facing IP address
+	 * to be effective.
+	 * If omitted, it defaults to serverinfo::vhost6.
+	 */
+	#listen_ipv6 = "::1";
+
+	/* IPv6 port to listen on.
+	 * This should not be the same as any existing listeners.
+	 */
+	#port_v6 = 32000;
+
+	/* You can also set the listen_port directive which will set both the
+	 * IPv4 and IPv6 ports at once.
+	 */
+	#listen_port = 32000;
+
+	/* This sets the timeout in seconds before ending open proxy scans.
+	 * Values less than 1 or greater than 60 are ignored.
+	 * It is advisable to keep it as short as feasible, so clients do not
+	 * get held up by excessively long scan times.
+	 */
+	#timeout = 5;
+
+	/* These are the ports to scan for SOCKS4 proxies on. They may overlap
+	 * with other scan types. Sensible defaults are given below.
+	 */
+	#socks4_ports = 1080, 10800, 443, 80, 8080, 8000;
+
+	/* These are the ports to scan for SOCKS5 proxies on. They may overlap
+	 * with other scan types. Sensible defaults are given below.
+	 */
+	#socks5_ports = 1080, 10800, 443, 80, 8080, 8000;
+
+	/* These are the ports to scan for HTTP connect proxies on (plaintext).
+	 * They may overlap with other scan types. Sensible defaults are given
+	 * below.
+	 */
+	#httpconnect_ports = 80, 8080, 8000;
+
+	/* These are the ports to scan for HTTPS CONNECT proxies on (SSL).
+	 * They may overlap with other scan types. Sensible defaults are given
+	 * below.
+	 */
+	#httpsconnect_ports = 443, 4443;
+#};
+
 alias "NickServ" {
 	target = "NickServ";
 };
@@ -483,7 +564,7 @@ general {
 	tkline_expire_notices = no;
 	default_floodcount = 10;
 	failed_oper_notice = yes;
-	dots_in_ident=2;
+	dots_in_ident = 2;
 	min_nonwildcard = 4;
 	min_nonwildcard_simple = 3;
 	max_accept = 100;
@@ -499,8 +580,8 @@ general {
 	resv_fnc = yes;
 	global_snotices = yes;
 	dline_with_reason = yes;
-	kline_delay = 0 seconds;
 	kline_with_reason = yes;
+	hide_tkdline_duration = no;
 	kline_reason = "K-Lined";
 	identify_service = "NickServ@services.int";
 	identify_command = "IDENTIFY";
@@ -508,13 +589,13 @@ general {
 	warn_no_nline = yes;
 	use_propagated_bans = yes;
 	stats_e_disabled = no;
-	stats_c_oper_only=no;
-	stats_h_oper_only=no;
-	stats_y_oper_only=no;
-	stats_o_oper_only=yes;
-	stats_P_oper_only=no;
-	stats_i_oper_only=masked;
-	stats_k_oper_only=masked;
+	stats_c_oper_only = no;
+	stats_h_oper_only = no;
+	stats_y_oper_only = no;
+	stats_o_oper_only = yes;
+	stats_P_oper_only = no;
+	stats_i_oper_only = masked;
+	stats_k_oper_only = masked;
 	map_oper_only = no;
 	operspy_admin_only = no;
 	operspy_dont_care_user_info = no;
@@ -529,6 +610,7 @@ general {
 	no_oper_flood = yes;
 	max_targets = 4;
 	client_flood_max_lines = 20;
+	post_registration_delay = 0 seconds;
 	use_whois_actually = no;
 	oper_only_umodes = operwall, locops, servnotice;
 	oper_umodes = locops, servnotice, operwall, wallop;
@@ -542,8 +624,9 @@ general {
 	throttle_count = 4;
 	max_ratelimit_tokens = 30;
 	away_interval = 30;
-	certfp_method = sha1;
+	certfp_method = spki_sha256;
 	hide_opers_in_whois = no;
+	tls_ciphers_oper_only = no;
 };
 
 modules {