Updated documentation.
parent
d63106cd56
commit
29ac9156e2
1 changed files with 29 additions and 0 deletions
29
doc/snac.8
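--- a/doc/snac.8
+++ b/doc/snac.8
@@ -242,6 +242,12 @@ posts will not be direct ones, but proxied by
 This way, remote media servers will not see the user's IP, but the server one,
 improving privacy. Please take note that this will increase the server's incoming
 and outgoing traffic.
+.It Ic badlogin_retries
+If incorrect logins from a given IP address reach this count, subsequent attempts
+from it are rejected until the lock expires (default: 5 retries).
+.It Ic badlogin_expire
+The number of seconds a blocked IP address is ignored in login attempts
+(default: 300 seconds).
 .El
 .Pp
 You must restart the server to make effective these changes.
@@ -546,6 +552,22 @@ heavily on how all the servers involved behave. Just cross your fingers and hope
 Full instances can be blocked. This operation must be done from
 the command-line tool. See
 .Xr snac 1 .
+.Pp
+.Ss Bad login throttling
+Since version 2.67, a simple logic to avoid brute force attacks against user passwords
+has been implemented: if, from a given IP address, the number of failed logins reaches
+a given threshold, further tries from that IP address are never successful until a timer
+expires. The maximum number of retries can be configured in the
+.Pa server.json
+file by setting the
+.Ic badlogin_retries
+variable, and the number of seconds the IP address unlock timer expires, in
+.Ic badlogin_expire .
+Please take note that, for this system to work, you must setup your web server proxy
+to pass the remote connection address in the
+.Ic X-Forwarded-For
+HTTP header (unless you use the FastCGI interface; if that's the case, you don't have
+to do anything).
 .Sh ENVIRONMENT
 .Bl -tag -width Ds
 .It Ev DEBUG
@@ -603,35 +625,42 @@ example.com server section:
 location /fedi {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 # webfinger
 location /.well-known/webfinger {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 # Mastodon API (entry points)
 location /api/v1/ {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 location /api/v2/ {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 # Mastodon API (OAuth support)
 location /oauth {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 # optional
 location /.well-known/nodeinfo {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 # optional (needed by some Mastodon API clients)
 location /.well-known/host-meta {
 proxy_pass http://localhost:8001;
 proxy_set_header Host $http_host;
+proxy_set_header X-Forwarded-For $remote_addr;
 }
 .Ed
 .Pp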