From: W. Trevor King
Date: Sat, 1 Mar 2014 00:45:19 +0000 (-0800)
Subject: ngircd: Add optional SSL / TLS support
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=f225594ffd0c3e2c893e84b682c4de981474ea92;p=dockerfile.git

ngircd: Add optional SSL / TLS support

Unfortunately, irssi doesn't have a command-line flag to select
encrypted connections [1].  I'd like something like:

  $ irssi -c irc.example.net -p 6697 --ssl

Until something like that is added, you'll need to add the server to
your irssi config:

  $ cat ~/.irssi/config
  ...
  servers = (
    {
      address = "irc.example.net";
      chatnet = "example";
      port = "6697";
      use_ssl = "yes";
      ssl_verify = "yes";
      autoconnect = "yes";
    },
    ...
  );
  chatnets = {
    example = {
      type = "IRC";
      nick = "your-nick";
    };
    ...
  };
  ...

Or connect manually after firing up irssi:

  $ irssi --noconnect
  [(status)] /connect -ssl -ssl_verify nott 6697

Run `/help connect` for more information.

[1]: http://www.irssi.org/documentation/manual
---
diff --git a/ngircd/README.md b/ngircd/README.md index 054159e..7497288 100644 --- a/ngircd/README.md +++ b/ngircd/README.md 
@@ -7,4 +7,32 @@ Run this [ngIRCd][] image with: > -e INFO="testing, testing" \ > -p 6667:6667 wking/ngircd +For [SSL / TLS][TLS], set the `SSL` environment variable to `yes` and +[volume-mount][volume-mount] your keys under the container's +`/etc/ngircd/ssl/`: + + $ docker run -d --name ngircd-0 --hostname irc.example.net \ + > … + > -e SSL=yes \ + > -v /etc/ssl/ngircd-0:/etc/ngircd/ssl \ + > -p 6697:6697 wking/ngircd + +You'll [need][SSL-docs] at least `server-cert.pem` and +`server-key.pem` in that directory. If you're using DH or DSA keys, +you'll also want `dhparams.pem` with [Diffie–Hellman][DH] parameters; +you can manage the file with OpenSSH's [dhparam][]). If you don't +want to require SSL, you can expose both the [encrypted port][6697] +and the [unencrypted port][6667]: + + $ docker run -d --name ngircd-0 --hostname irc.example.net \ + > … + > -p 6667:6667 -p 6697:6697 wking/ngircd + [ngIRCd]: http://ngircd.barton.de/ +[TLS]: http://en.wikipedia.org/wiki/Transport_Layer_Security +[volume-mount]: http://docs.docker.io/en/latest/use/working_with_volumes/ +[SSL-docs]: http://ngircd.barton.de/doc/SSL.txt +[DH]: http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange +[dhparam]: http://www.openssl.org/docs/apps/dhparam.html +[6697]: http://tools.ietf.org/html/draft-hartmann-default-port-for-irc-via-tls-ssl-09 +[6667]: http://tools.ietf.org/html/draft-hartmann-default-port-for-irc-via-tls-ssl-09#section-1 diff --git a/ngircd/setup-ngircd-config-from-environment.sh b/ngircd/setup-ngircd-config-from-environment.sh index 6c23f3d..c957f40 100755 --- a/ngircd/setup-ngircd-config-from-environment.sh +++ b/ngircd/setup-ngircd-config-from-environment.sh 
@@ -24,8 +24,8 @@ # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. -# usage: C1_PORT=tcp://192.168.0.1:12345/ C1_NAME=a.com \ -# C2_PORT=tcp://192.168.0.2:54321/ C2_NAME=b.net \ +# usage: DESCRIPTION="My IRC server" LOCATION="My attic" \ +# EMAIL="admin@example.net" INFO="testing, testing" \ # setup-ngircd-config-from-environment HOSTNAME=$(hostname -f) \ @@ -38,3 +38,23 @@ HOSTNAME=$(hostname -f) \ ' \ < /etc/ngircd/ngircd.conf > /tmp/ngircd.conf && mv /tmp/ngircd.conf /etc/ngircd/ngircd.conf + +if [ "${SSL}" = 'yes' ] +then + sed -i \ + -e 's/;\[SSL\]/[SSL]/' \ + -e 's/;Ports = 6697, 9999/Ports = 6697/' \ + /etc/ngircd/ngircd.conf + if [ -f '/etc/ngircd/ssl/server-cert.pem' ] + then + sed -i 's/;CertFile/CertFile/' /etc/ngircd/ngircd.conf + fi + if [ -f '/etc/ngircd/ssl/server-key.pem' ] + then + sed -i 's/;KeyFile/KeyFile/' /etc/ngircd/ngircd.conf + fi + if [ -f '/etc/ngircd/ssl/dhparams.pem' ] + then + sed -i 's/;DHFile/DHFile/' /etc/ngircd/ngircd.conf + fi +fi
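Review bot: In the ngircd/README.md hunk, the sentence about `dhparams.pem` says "OpenSSH's [dhparam][]", but the `[dhparam]` reference added a few lines below points at openssl.org, so the tool name should read OpenSSL; the same sentence also ends with an unmatched `)` after `[dhparam][]`. Next to the second `docker run` example it would help to say that plaintext access is controlled only by whether `-p 6667:6667` is published, since nothing visible in this patch changes the unencrypted listener when `SSL=yes` is set.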
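Review bot: In the usage comment of setup-ngircd-config-from-environment.sh (the `@@ -24,8 +24,8 @@` hunk), the rewritten `# usage:` lines list DESCRIPTION, LOCATION, EMAIL and INFO but not `SSL`, which this same commit makes the script read. Add `SSL=yes` to the usage example and mention the files the script looks for under `/etc/ngircd/ssl/`, so the header comment documents every variable the script consumes.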
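Review bot: In the `if [ "${SSL}" = 'yes' ]` block (the `@@ -38,3 +38,23 @@` hunk), a missing `server-cert.pem` or `server-key.pem` is silently skipped. The first `sed` has already enabled `[SSL]` and `Ports = 6697`, and the `[ -f ... ]` tests have no else branch, so the configuration is left with the TLS port turned on while `CertFile` or `KeyFile` stays commented out, even though the README hunk says both files are needed. Print an error to stderr and exit non-zero when either file is absent; leaving `dhparams.pem` optional matches the README. Two smaller points in the same block: the `sed` expressions are unanchored, so `s/;CertFile/CertFile/` rewrites that text wherever it appears on a line, and anchoring the pattern to the start of the line would limit the edit to the commented-out setting; and the test accepts only the exact string `yes`, so a value such as `Yes` or `true` leaves TLS off without any message.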