Context Navigation

soju.1.scd@ 435

Last change on this file since 435 was 426, checked in by contact, 5 years ago

Don't accept any IP as a proxy by default

It's too easy to setup a reverse proxy which doesn't support the PROXY
protocol, or lets the X-Forwarded-For header fields pass through.
Disable this by default.

To restore the previous behaviour, add accept-proxy-ip localhost to
the config file.

File size: 6.4 KB

Rev	Line
[169]	1	soju(1)
	2
	3	# NAME
	4
	5	soju - IRC bouncer
	6
	7	# SYNOPSIS
	8
	9	soju [options...]
	10
	11	# DESCRIPTION
	12
	13	soju is a user-friendly IRC bouncer. It connects to upstream IRC servers on
	14	behalf of the user to provide extra features.
	15
	16	- Multiple separate users sharing the same bouncer, each with their own
	17	upstream servers
	18	- Clients connecting to multiple upstream servers via a single connection to
	19	the bouncer
	20	- Sending the backlog (messages received while the user was disconnected from
	21	the bouncer), with per-client buffers
	22
	23	When joining a channel, the channel will be saved and automatically joined on
	24	the next connection. When registering or authenticating with NickServ, the
	25	credentials will be saved and automatically used on the next connection if the
[284]	26	server supports SASL. When parting a channel with the reason "detach", the
	27	channel will be detached instead of being left.
[169]	28
[214]	29	When all clients are disconnected from the bouncer, the user is automatically
	30	marked as away.
	31
[169]	32	soju supports two connection modes:
	33
	34	- Single upstream mode: one downstream connection maps to one upstream
	35	connection. To enable this mode, connect to the bouncer with the username
	36	"<username>/<network>". If the bouncer isn't connected to the upstream
	37	server, it will get automatically added. Then channels can be joined and
	38	parted as if you were directly connected to the upstream server.
	39	- Multiple upstream mode: one downstream connection maps to multiple upstream
	40	connections. Channels and nicks are suffixed with the network name. To join
	41	a channel, you need to use the suffix too: _/join #channel/network_. Same
	42	applies to messages sent to users.
	43
[190]	44	For per-client history to work, clients need to indicate their name. This can
	45	be done by adding a "@<client>" suffix to the username.
	46
[169]	47	# OPTIONS
	48
	49	-h, -help
	50	Show help message and quit.
	51
	52	-config <path>
[264]	53	Path to the config file. If unset, a default config file is used.
[169]	54
	55	-debug
	56	Enable debug logging (this will leak sensitive information such as
	57	passwords).
	58
[317]	59	-listen <uri>
	60	Listening URI (default: ":6697").
[169]	61
	62	# CONFIG FILE
	63
	64	The config file has one directive per line.
	65
[368]	66	Example:
	67
	68	```
	69	listen ircs://
	70	tls cert.pem key.pem
	71	hostname example.org
	72	```
	73
	74	The following directives are supported:
	75
[317]	76	listen <uri>
	77	Listening URI (default: ":6697").
[169]	78
[317]	79	The following URIs are supported:
	80
	81	- _[ircs://][host][:port]_ listens with TLS over TCP (default port if
	82	omitted: 6697)
	83	- _irc+insecure://[host][:port]_ listens with plain-text over TCP (default
	84	port if omitted: 6667)
[323]	85	- _wss://[host][:port]_ listens for WebSocket connections over TLS (default
	86	port: 443)
	87	- _ws+insecure://[host][:port]_ listens for plain-text WebSocket
	88	connections (default port: 80)
[386]	89	- _ident://[host][:port]_ listens for plain-text ident connections (default
	90	port: 113)
[317]	91
	92	If the scheme is omitted, "ircs" is assumed. If multiple listen
	93	directives are specified, soju will listen on each of them.
	94
[169]	95	hostname <name>
	96	Server hostname (default: system hostname).
	97
	98	tls <cert> <key>
	99	Enable TLS support. The certificate and the key files must be PEM-encoded.
	100
	101	sql <driver> <source>
[254]	102	Set the SQL driver settings. The only supported driver is "sqlite3". The
[264]	103	source is the path to the SQLite database file. By default, the path to the
	104	database file is "soju.db".
[169]	105
[178]	106	log <path>
[264]	107	Path to the bouncer logs root directory, or empty to disable logging. By
	108	default, logging is disabled.
[178]	109
[323]	110	http-origin <patterns...>
	111	List of allowed HTTP origins for WebSocket listeners. The parameters are
	112	interpreted as shell patterns, see glob(7).
	113
[370]	114	accept-proxy-ip <cidr...>
	115	Allow the specified IPs to act as a proxy. Proxys have the ability to
[372]	116	overwrite the remote and local connection addresses (via the X-Forwarded-\*
[426]	117	HTTP header fields). The special name "localhost" accepts the loopback
	118	addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected.
[370]	119
[169]	120	# IRC SERVICE
	121
	122	soju exposes an IRC service called BouncerServ to manage the bouncer.
	123	Commands can be sent via regular private messages
	124	(_/msg BouncerServ <command> [args...]_). Commands may be written in full or
	125	abbreviated form, for instance network can be abbreviated as net or just
	126	n.
	127
	128	help [command]
	129	Show a list of commands. If _command_ is specified, show a help message for
	130	the command.
	131
	132	network create -addr <addr> [options...]
[269]	133	Connect to a new network at _addr_. _-addr_ is mandatory.
[169]	134
[269]	135	_addr_ supports several connection types:
[317]	136
[353]	137	- _[ircs://]<host>[:port]_ connects with TLS over TCP
	138	- _irc+insecure://<host>[:port]_ connects with plain-text TCP
[369]	139	- _irc+unix:///<path>_ connects to a Unix socket
[269]	140
	141	Other options are:
	142
[169]	143	-name <name>
	144	Short network name. This will be used instead of _addr_ to refer to the
	145	network.
	146
	147	-username <username>
	148	Connect with the specified username. By default, the nickname is used.
	149
	150	-pass <pass>
	151	Connect with the specified server password.
	152
	153	-realname <realname>
	154	Connect with the specified real name. By default, the nickname is used.
	155
	156	-nick <nickname>
	157	Connect with the specified nickname. By default, the account's username
	158	is used.
	159
[361]	160	network update <name> [options...]
	161	Update an existing network. The options are the same as the
	162	_network create_ command.
	163
	164	When this command is executed, soju will disconnect and re-connect to the
	165	network.
	166
[329]	167	network delete <name>
	168	Disconnect and delete a network.
	169
	170	network status
	171	Show a list of saved networks and their current status.
	172
[361]	173	certfp generate [options...] <network name>
[365]	174	Generate self-signed certificate and use it for authentication (via SASL
	175	EXTERNAL).
[307]	176
[365]	177	Generates a RSA-3072 private key by default.
[307]	178
	179	Options are:
	180
	181	-key-type <type>
	182	Private key algoritm to use. Valid values are: rsa, ecdsa, ed25519.
	183	ecdsa uses NIST P-521 curve.
	184
	185	-bits <bits>
	186	Size of RSA key to generate. Ignored for other key types.
	187
	188	certfp fingerprint <network name>
	189	Show SHA-1 and SHA-256 fingerprints for the certificate
	190	currently used with the network.
	191
[363]	192	sasl set-plain <network name> <username> <password>
	193	Set SASL PLAIN credentials.
	194
[364]	195	sasl reset <network name>
	196	Disable SASL authentication and remove stored credentials.
	197
[329]	198	user create -username <username> -password <password> [-admin]
[331]	199	Create a new soju user. Only admin users can create new accounts.
[329]	200
[320]	201	change-password <new password>
	202	Change current user password.
	203
[169]	204	# AUTHORS
	205
	206	Maintained by Simon Ser <contact@emersion.fr>, who is assisted by other
	207	open-source contributors. For more information about soju development, see
[321]	208	https://sr.ht/~emersion/soju.

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format