Commit d9c6653aac2302eb9c0b724575230366ced31ca2
Update README about connections
explained a little more what one can do with connections updates https://github.com/ssbc/secret-stack/pull/23

Henry committed on 9/4/2018, 10:35:15 AM
Parent: 1d27c475fcaaa9752bc5b212598c6b26ac4aa14a
Files changed: README.md
@@ -15,8 +15,10 @@ | |||
15 | 15 … | ``` | |
16 | 16 … | ||
17 | 17 … | ## Configuration | |
18 | 18 … | ||
19 … | +There are some configuration options for the sysadmins out there. All configuration is loaded via [`rc`](https://github.com/dominictarr/rc). You can pass any configuration value in as cli arg, env var, or in a file. | ||
20 … | + | ||
19 | 21 … | * `host` *(string)* The domain or ip address for `sbot`. Defaults to your public ip address. | |
20 | 22 … | * `port` *(string|number)* The port for `sbot`. Defaults to `8008`. | |
21 | 23 … | * `timeout`: *(number)* Number of milliseconds a replication stream can idle before it's automatically disconnected. Defaults to `30000`. | |
22 | 24 … | * `pub` *(boolean)* Replicate with pub servers. Defaults to `true`. | |
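Review bot: the `rc` paragraph moved to the top of this section promises that any configuration value can be passed "as cli arg, env var, or in a file", but the `connections` options this same patch documents further down are nested objects holding arrays of objects, which are impractical to express as command-line flags or environment variables; consider adding one sentence here saying that the `connections` blocks are meant to go in the rc config file (`.ssb/config`, given the `path` default documented below), and while touching the line write "CLI argument" rather than "cli arg".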
@@ -26,12 +28,74 @@ | |||
26 | 28 … | * `gossip.connections` *(number)* How many other nodes to connect with at one time. Defaults to `2`. | |
27 | 29 … | * `path` *(string)* Path to the application data folder, which contains the private key, message attachment data (blobs) and the leveldb backend. Defaults to `$HOME/.ssb`. | |
28 | 30 … | * `master` *(array)* Pubkeys of users who, if they connect to the Scuttlebot instance, are allowed to command the primary user with full rights. Useful for remotely operating a pub. Defaults to `[]`. | |
29 | 31 … | * `logging.level` *(string)* How verbose should the logging be. Possible values are error, warning, notice, and info. Defaults to `notice`. | |
30 | -* `connections.incoming` *(array)* Incoming transports and transformations to listen on | ||
31 | -* `connections.outgoing` *(array)* Outgoing transports and transformations to connect using | ||
32 | 32 … | ||
33 | -There are some configuration options for the sysadmins out there. All configuration is loaded via [`rc`](https://github.com/dominictarr/rc). You can pass any configuration value in as cli arg, env var, or in a file. | ||
33 … | +### `connections` | ||
34 | 34 … | ||
35 … | +Two objects to specify `incoming` and `outgoing` transports and transformations for connections. | ||
36 … | + | ||
37 … | +The default is this. It specifies the default tcp `net`work transport for incoming and outging connections, using secret-handshake/boxstream ([shs](https://github.com/auditdrivencrypto/secret-handshake)) for authentication and encryption. | ||
38 … | + | ||
39 … | +```json | ||
40 … | +"connections": { | ||
41 … | + | ||
42 … | +"incoming": { | ||
43 … | + "net": [{ "port": 8008, "scope": "private", "transform": "shs" }] | ||
44 … | +}, | ||
45 … | + | ||
46 … | +"outgoing": { | ||
47 … | + "net": [{ "transform": "shs" }] | ||
48 … | +} | ||
49 … | + | ||
50 … | +}, | ||
51 … | +``` | ||
52 … | + | ||
53 … | +If you want to use [TOR](https://torproject.org) to create outgoing connections you can specify this as your. It will use `localhost:9050` as the socks server for creating this. | ||
54 … | + | ||
55 … | +TODO: make the onion socks server configurable. | ||
56 … | + | ||
57 … | +TODO: support creating hidden services via `incoming` blocks | ||
58 … | + | ||
59 … | +```json | ||
60 … | +"connections": { | ||
61 … | + "outgoing": { | ||
62 … | + "onion": [{ "transform": "shs" }] | ||
63 … | + } | ||
64 … | + }, | ||
65 … | +``` | ||
66 … | + | ||
67 … | +If you want to run a peer behind NAT or other kind proxy but still want it to be able to create invites, you can specify a `public` scope in your `incoming.net` by defining the `external` paramter like this: | ||
68 … | + | ||
69 … | +```json | ||
70 … | +"incoming": { | ||
71 … | +"net": [ | ||
72 … | + | ||
73 … | + { "scope": "public", "external": ["cryptop.home"], | ||
74 … | + "transform": "shs", "port": 8008 | ||
75 … | + }, | ||
76 … | + | ||
77 … | + { "scope": "private", | ||
78 … | + "transform": "shs", "port": 8008, "host": "internal1.con.taine.rs" | ||
79 … | + }, | ||
80 … | +] | ||
81 … | +}, | ||
82 … | +``` | ||
83 … | + | ||
84 … | +One thing to nice is that you _need_ `incoming` connections for Apps (like patchwork or git-ssb) to function. By default they use the same authentication mechanism (shs) to grant access to the database, choosing access levels depending on the keypair that opens the connection. If you connect to yourself, you get full access (query and publish). If a remote peer connects, it can only replicate. So be sure to have **at least one** `incoming` connection. | ||
85 … | + | ||
86 … | +That beeing said, the overhead of encryption for local applications can be very high, especially on low-powered devices. For this use-case there is a `noauth` transform which by-passes the authentication and grants full access to anybody that can connect to it. **hint:** *This is risky! it might expose private messages or enables people to publish as you!* Therefore be sure to bind the listener to `localhost` or use the `unix` socket. The `unix` file socket is creted as `$HOME/.ssb/socket` by default and has permissions such that only the user running `sbot server` can open it, just like the `.ssb/secret` file. | ||
87 … | + | ||
88 … | +```json | ||
89 … | +"incoming": { | ||
90 … | + "unix": [{"scope":"local", "transform":"noauth"}], | ||
91 … | + "net": [{ | ||
92 … | + "scope": "local", "transform": "noauth", | ||
93 … | + "port": 8009, "host": "localhost" | ||
94 … | + } | ||
95 … | +] | ||
96 … | +}, | ||
97 … | +``` | ||
98 … | + | ||
35 | 99 … | ## License | |
36 | 100 … | ||
37 | 101 … | MIT |
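Review bot: the `noauth` paragraph says binding the `net` listener to `localhost` is enough to contain the risk, but a TCP listener on `localhost:8009` is reachable by every process on the host, whatever user account it runs under, whereas the same paragraph states that the `unix` socket has permissions such that only the user running `sbot server` can open it; please say explicitly that `net` + `noauth` grants full query and publish rights to any local user or process, that the `unix` socket is the preferred option, and that the TCP variant is only a fallback for platforms without unix sockets. The three JSON fragments are also not valid JSON as written (`"connections": { ... },` with a trailing comma and no enclosing braces, and `},` directly followed by `]` in the `incoming.net` array), so a reader who pastes them into the config file gets a parse error; wrap each in `{ ... }` and drop the trailing commas. The TOR sentence is cut off ("you can specify this as your."), and there are typos to fix before merging: "outging", "paramter", "One thing to nice", "other kind proxy", "beeing", "creted".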