Mercurial > prosody-modules
comparison mod_firewall/README.markdown @ 4127:e9e10ec1b91c
mod_firewall: Add checkcerts option for HTTP lists, cert verification disabled when SNI unsupported
This provides a balance between security and usability. SNI is supported in Prosody trunk
and in Prosody 0.11 from commit 30d3f6f85eb8 (scheduled for 0.11.7).
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 15 Sep 2020 11:49:55 +0100 |
| parents | 68ceb7e0cfe6 |
| children | 87daef9ed4e7 |
comparison
equal
deleted
inserted
replaced
| 4126:68ceb7e0cfe6 | 4127:e9e10ec1b91c |
|---|---|
| 156 Option Description | 156 Option Description |
| 157 ------- ----------- | 157 ------- ----------- |
| 158 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour). | 158 ttl Seconds to cache the list for. After expiry, it will be refetched. Default 3600 (1 hour). |
| 159 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item. | 159 pattern Optional pattern used to extract list entries from the response. Default is to treat each line as a single item. |
| 160 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256. | 160 hash Optional hash to be applied to items before looking them up in the list, e.g. sha1 or sha256. |
| 161 checkcert Whether to verify HTTPS certificates. May be "always", "never" or "when-sni". Default "when-sni". | |
| 162 | |
| 163 The "when-sni" default disables certificate verification when Prosody's HTTP client API doesn't support SNI, | |
| 164 as in Prosody 0.11.6 and earlier. | |
| 161 | 165 |
| 162 #### CHECK LIST | 166 #### CHECK LIST |
| 163 | 167 |
| 164 Checks whether a simple expression is found in a given list. | 168 Checks whether a simple expression is found in a given list. |
| 165 | 169 |