For now, avoid setting up the web server on port 31337. We will instead use [[relayd/acceleration|relayd]] so that the web server can be viewed on the default port for HTTPS: port 443.

!! Configuring SSL

In order to provide SSL for the bouncer, you must first configure [[openhttpd/configure|OpenHTTPd]] and request a certificate with [[acme-client/configure|acme-client]].

[@
<Listener listener5>
        AllowIRC = false
        AllowWeb = true
        Host = 127.0.0.1
        IPv4 = true
        IPv6 = false
        Port = 1338
        SSL = false
        URIPrefix = /
</Listener>
@]

Please read the [[https://wiki.znc.in/Configuration|ZNC wiki]] to understand the meaning of each option.

You will need to replace @@bnc.example.com@@ with your actual hostname.

In the listeners, you need to replace @@192.168.1.1@@ and @@2001:db8::@@ with your server's [[IP/myaddress|public IPv4 and IPv6 address]].

'''NOTE''': Do '''not''' replace @@127.0.0.1@@. This is [[localhost/intro|localhost]] and must not be changed.

It's recommended to keep the ports 1337 for plaintext, 31337 for SSL, and 1338 for web. This convention is followed on the public servers on IRCNow. Note that ZNC binds to port 1338 without SSL for the web server. We later use [[openbsd/relayd|relayd]] to provide TLS acceleration on port 443.

!! Packet Filter

If [[pf/intro|packet filter]] is set to deny all incoming connections, you can add these rules to /etc/pf.conf:

[@
pass in log quick proto tcp to port {http https} keep state (max-src-conn 300, max-src-conn-rate 300/60) #relayd web
pass in log quick proto tcp to port {1337 31337} keep state (max 3000, max-src-conn 300) #bnc
@]

To load the new ruleset:

[@
# pfctl -f /etc/pf.conf
@]

!! Web Panel

While you are at it, you will want to redirect any plaintext requests to the web panel on port 80 to use SSL on port 443. Add this to /etc/httpd.conf:

[@
server "bnc.example.com" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}
@]

Go ahead and restart the web server:

[@
$ doas rcctl restart httpd
@]

!! Control Panel

See [[znc/usage]] for help on how to use the controlpanel.

!! Troubleshooting
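The web listener above has SSL disabled, so it is only safe while it stays bound to @@127.0.0.1@@ behind relayd. The following check is an added example, not part of the original page: the function names @@check_znc_listeners@@ and @@sample_conf@@ are hypothetical, listener6 and listener7 in the sample are constructed, and the fallback values for missing keys are an assumption.

```shell
#!/bin/sh
# Added example, not from the original page. Lists ZNC listeners that serve
# the web panel in plaintext on a non-loopback address. Assumption: a missing
# key means AllowWeb=true, SSL=false, and an empty Host (all addresses).
# Usage: check_znc_listeners [FILE...]   (reads stdin when no file is given)
check_znc_listeners() {
    awk '
    function report() {
        if (web == "true" && ssl != "true" && host != "127.0.0.1" &&
            host != "::1" && host != "localhost")
            printf "%s host=%s port=%s\n", name, (host == "" ? "*" : host), port
    }
    /^[ \t]*<Listener[ \t]/ {
        name = $2; sub(/>.*/, "", name)
        web = "true"; ssl = "false"; host = ""; port = "?"; next
    }
    /^[ \t]*<\/Listener>/ { if (name != "") report(); name = ""; next }
    name != "" && /=/ {
        key = tolower($0); sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "allowweb") web = tolower(val)
        else if (key == "ssl") ssl = tolower(val)
        else if (key == "host") host = val
        else if (key == "port") port = val
    }' "$@"
}
# Constructed sample: listener5 follows the page; listener6 and listener7
# are made-up cases (IRC-only, and a plaintext web panel on a public address).
sample_conf() {
    cat <<'EOF'
<Listener listener5>
    AllowWeb = true
    Host = 127.0.0.1
    Port = 1338
    SSL = false
</Listener>
<Listener listener6>
    AllowWeb = false
    Host = 192.168.1.1
    Port = 1337
</Listener>
<Listener listener7>
    AllowWeb = true
    Host = 192.168.1.1
    Port = 1338
</Listener>
EOF
}
sample_conf | check_znc_listeners
```

Any line it prints names a listener that should either be moved back to @@127.0.0.1@@ or have web access turned off.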