Comparison

mod_firewall/README.markdown @ 4127:e9e10ec1b91c

mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported This provides a balance between security and usability. SNI is supported in Prosody trunk and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
author Matthew Wild <mwild1@gmail.com>
date Tue, 15 Sep 2020 11:49:55 +0100
parent 4126:68ceb7e0cfe6
child 4152:87daef9ed4e7
comparison
equal deleted inserted replaced
4126:68ceb7e0cfe6 4127:e9e10ec1b91c
156 Option Description 156 Option Description
157 ------- ----------- 157 ------- -----------
158 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour). 158 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour).
159 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item. 159 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item.
160 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256. 160 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256.
161 checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni".
162
163 The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI,
164 as in Prosody 0.11.6 and earlier.
161 165
162 #### CHECK LIST 166 #### CHECK LIST
163 167
164 Checks whether a simple expression is found in a given list. 168 Checks whether a simple expression is found in a given list.
165 169