diff mod_s2s_v6mesh/README.md @ 6478:bd785f524fd2

mod_s2s_v6mesh: Fix various bugs, s2s auth policies now work as expected
author Matthew Wild <mwild1@gmail.com>
date Wed, 18 Mar 2026 18:54:30 +0000
parents 9f43226c7de1
children 771944f2a7c7
line wrap: on
line diff
--- a/mod_s2s_v6mesh/README.md	Tue Mar 17 23:08:39 2026 +0000
+++ b/mod_s2s_v6mesh/README.md	Wed Mar 18 18:54:30 2026 +0000
@@ -49,14 +49,10 @@
 IP address `2a00:1098:3a0::1` but you should replace it with your own):
 
 ```
-$ prosodyctl shell v6alt get_domain localhost 2a00:1098:3a0::1
+$ prosodyctl shell v6alt get_domain 2a00:1098:3a0::1
 OK: Encoded hostname: fiabbgadu-e.v6.alt
 ```
 
-In this command, "localhost" must be an existing domain in your Prosody config
-("localhost" is in the default config), however it's required just to make the
-command work and has no effect on the output.
-
 You can then use this domain name in your config file, for example:
 
 ```lua
@@ -76,14 +72,18 @@
 
 Additionally, if the IP is within one of the CIDR ranges listed in the
 `s2s_v6mesh_secure_ranges` configuration option, then the module will tell
-Prosody to not even perform TLS for the connection. Prosody will treat the
-connections as totally secure, so be very sure you trust the underlying
-network's security layer before adding an IP range to this list. If you want
-similar behaviour for non-`v6.alt` domains, look at [mod_secure_interfaces](https://modules.prosody.im/mod_secure_interfaces)
-and configure it with your mesh interface's address.
+Prosody to disable TLS encryption for the connection.
 
-Because of the above mechanisms in place, it is strongly recommended to keep
-Prosody's default settings of `s2s_require_encryption = true` and
+**Warning:** Prosody will treat connections within any configured ranges as
+already totally secure, and **TLS will be disabled**. Be *very* sure you trust
+the underlying network's security layer before adding an IP range to this
+list, and never add IPs that use the public internet. If you want similar
+behaviour for other (non-`v6.alt`) domains, look at [mod_secure_interfaces](https://modules.prosody.im/mod_secure_interfaces)
+and configure it with your mesh interface's address. If in doubt, just don't
+set any secure ranges, and use self-signed certificates with TLS instead.
+
+Finally, because of the above mechanisms in place, it is strongly recommended
+to keep Prosody's default settings of `s2s_require_encryption = true` and
 `s2s_secure_auth = true` so that connections not covered by this module are
 always encrypted and authenticated properly.
 
@@ -163,4 +163,4 @@
 | `fe80::1`                                 | `72-e.v6.alt`                      |
 | `ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` | `77777777777777777777777774.v6.alt`|
 | `1111:0000:0000:1111::1111`               | `ceiqaaaaaairc-rce.v6.alt`         |
-| `1111:0000:0000:0000:1111::1111`          | `ceiq-eiraaaaaaarce.v6.alt`        |
\ No newline at end of file
+| `1111:0000:0000:0000:1111::1111`          | `ceiq-eiraaaaaaarce.v6.alt`        |