Mercurial > prosody-modules

diff mod_host_guard/README.markdown @ 1803:4d73a1a6ba68

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Convert all wiki pages to Markdown
author Kim Alvefur <zash@zash.se>
date Fri, 28 Aug 2015 18:03:58 +0200
parents mod_host_guard/README.wiki@29f3d6b7ad16
children
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_host_guard/README.markdown	Fri Aug 28 18:03:58 2015 +0200
@@ -0,0 +1,53 @@
+---
+labels:
+- 'Stage-Stable'
+summary: Granular remote host blacklisting plugin
+...
+
+Details
+=======
+
+As often it's undesiderable to employ only whitelisting logics in public
+environments, this module let's you more selectively restrict access to
+your hosts (component or server host) either disallowing access
+completely (with optional exceptions) or blacklisting certain sources.
+
+Usage
+=====
+
+Copy the plugin into your prosody's modules directory. And add it
+between your enabled modules into the global section (modules\_enabled):
+
+-   The plugin can work either by blocking all remote access (s2s) to a
+    certain resource with optional exceptions (useful for components)
+-   Or by selectively blocking certain remote hosts through blacklisting
+    (by using host\_guard\_selective and host\_guard\_blacklisting)
+
+Configuration
+=============
+
+  Option name                         Description
+  ----------------------------------- ---------------------------------------------------------------------------------------------------
+  host\_guard\_blockall               A list of local hosts to protect from incoming s2s
+  host\_guard\_blockall\_exceptions   A list of remote hosts that are always allowed to access hosts listed in host\_guard\_blockall
+  host\_guard\_selective              A list of local hosts to allow selective filtering (blacklist) of incoming s2s connections
+  host\_guard\_blacklist              A blacklist of remote hosts that are not allowed to access hosts listed in host\_guard\_selective
+
+Example
+-------
+
+``` {.lua}
+
+host_guard_blockall = { "no_access.yourhost.com", "no_access2.yourhost.com" } -- insert here the local hosts where you want to forbid all remote traffic to.
+host_guard_blockall_exceptions = { "i_can_access.no_access.yourhost.com" } -- optional exceptions for the above.
+host_guard_selective = { "no_access_from_blsted.myhost.com", "no_access_from_blsted.mycomponent.com" } -- insert here the local hosts where you want to employ blacklisting.
+host_guard_blacklist = { "remoterogueserver.com", "remoterogueserver2.com" } -- above option/mode mandates the use of a blacklist, you may blacklist remote servers here.
+```
+
+The above is updated when the server configuration is reloaded so that
+you don't need to restart the server.
+
+Compatibility
+=============
+
+-   Works with 0.8.x, successive versions and trunk.