Mercurial > prosody-modules
diff mod_s2s_v6mesh/README.md @ 6478:bd785f524fd2
mod_s2s_v6mesh: Fix various bugs, s2s auth policies now work as expected
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Wed, 18 Mar 2026 18:54:30 +0000 |
| parents | 9f43226c7de1 |
| children | 771944f2a7c7 |
line wrap: on
line diff
--- a/mod_s2s_v6mesh/README.md Tue Mar 17 23:08:39 2026 +0000 +++ b/mod_s2s_v6mesh/README.md Wed Mar 18 18:54:30 2026 +0000 @@ -49,14 +49,10 @@ IP address `2a00:1098:3a0::1` but you should replace it with your own): ``` -$ prosodyctl shell v6alt get_domain localhost 2a00:1098:3a0::1 +$ prosodyctl shell v6alt get_domain 2a00:1098:3a0::1 OK: Encoded hostname: fiabbgadu-e.v6.alt ``` -In this command, "localhost" must be an existing domain in your Prosody config -("localhost" is in the default config), however it's required just to make the -command work and has no effect on the output. - You can then use this domain name in your config file, for example: ```lua @@ -76,14 +72,18 @@ Additionally, if the IP is within one of the CIDR ranges listed in the `s2s_v6mesh_secure_ranges` configuration option, then the module will tell -Prosody to not even perform TLS for the connection. Prosody will treat the -connections as totally secure, so be very sure you trust the underlying -network's security layer before adding an IP range to this list. If you want -similar behaviour for non-`v6.alt` domains, look at [mod_secure_interfaces](https://modules.prosody.im/mod_secure_interfaces) -and configure it with your mesh interface's address. +Prosody to disable TLS encryption for the connection. -Because of the above mechanisms in place, it is strongly recommended to keep -Prosody's default settings of `s2s_require_encryption = true` and +**Warning:** Prosody will treat connections within any configured ranges as +already totally secure, and **TLS will be disabled**. Be *very* sure you trust +the underlying network's security layer before adding an IP range to this +list, and never add IPs that use the public internet. If you want similar +behaviour for other (non-`v6.alt`) domains, look at [mod_secure_interfaces](https://modules.prosody.im/mod_secure_interfaces) +and configure it with your mesh interface's address. If in doubt, just don't +set any secure ranges, and use self-signed certificates with TLS instead. + +Finally, because of the above mechanisms in place, it is strongly recommended +to keep Prosody's default settings of `s2s_require_encryption = true` and `s2s_secure_auth = true` so that connections not covered by this module are always encrypted and authenticated properly. @@ -163,4 +163,4 @@ | `fe80::1` | `72-e.v6.alt` | | `ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` | `77777777777777777777777774.v6.alt`| | `1111:0000:0000:1111::1111` | `ceiqaaaaaairc-rce.v6.alt` | -| `1111:0000:0000:0000:1111::1111` | `ceiq-eiraaaaaaarce.v6.alt` | \ No newline at end of file +| `1111:0000:0000:0000:1111::1111` | `ceiq-eiraaaaaaarce.v6.alt` |
