Subj : 21:1/100 To : Avon From : Oli Date : Fri Oct 15 2021 08:12 am

Avon wrote (2021-10-15):

 Ol>> then add the following to /etc/nginx.conf
 Ol>> stream {
 Ol>>     server {
 Ol>>         listen 24553 ssl;
 Ol>>         listen [::]:24553 ssl;
 Ol>>         ssl_protocols TLSv1.2 TLSv1.3;
 Ol>>         ssl_certificate /srv/certs/fidonet-rsa.crt;
 Ol>>         ssl_certificate_key /srv/certs/fidonet-rsa.key;
 Ol>>         ssl_certificate /srv/certs/fidonet-ed25519.crt;
 Ol>>         ssl_certificate_key /srv/certs/fidonet-ed25519.key;
 Ol>>         proxy_pass 127.0.0.1:24554;
 Ol>>     }
 Ol>> }

 A> OK done, but commented out for now while I sort the certs.

Without TLS it would look like this (for testing purposes):

stream {
    server {
        listen 24553;
        listen [::]:24553;
        proxy_pass 127.0.0.1:24554;
    }
}

 A> Question, what is /srv dir for? This sort of stuff?

 Ol>> You also need to create a cert (can be self-signed). Of course you
 Ol>> can put the certs in any path you like.

 A> OK, so not /srv necessarily?

This was just the path where I put my certs. You could use /etc/nginx/certs or /etc/ssl ...

 A> I know little about this (yet) but am I correct to assume a Let's Encrypt
 A> cert would be better / more well known? Not sure I am stating this
 A> correctly.

Yes and no. AFAIK none of the Fidonet mailers check if it's Let's Encrypt or self-signed.

 A> Why for the self-signed stuff 1200 days?

No particular reason.

 A> If I created self-signed stuff
 A> how could anyone trust it compared to something like Let's Encrypt that is
 A> third party?

TOFU, trust on first use. It's also not that important, if you make CRAM-MD5 and CRYPT mandatory, because the password is not transmitted in cleartext and CRYPT is kind of an authentication of the remote site.

 Ol>> Alternatively use a letsencrypt cert.

 A> Something I'm thinking (will wait until I hear from you) may be the
 A> better way to go? Also something I have not ever done but would like to
 A> learn how etc. :)

There is nothing wrong with using letsencrypt, if you want to. Self-signed also will work fine.
Just choose one and don't overthink it ... ;P I will write more later why I prefer self-signed certs.

 Ol>> restart nginx:
 Ol>> $ systemctl restart nginx

 A> OK will hold off that until I sort the certs.

$ nginx -t

is also very helpful for testing the config (it doesn't start nginx).

 A> Will I also need to have something configured in BinkD to talk to nginx?

No. nginx talks to binkd. Or do you mean to make a poll from binkd to another TLS node?

 A> I'd better read the nginx man.

and maybe disable the default http server by deleting /etc/nginx/sites-enabled/default, which is just a symlink to /etc/nginx/sites-available/default.

---
 * Origin: 1995| Invention of the Cookie. The End. (21:3/102)
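The steps discussed in this thread (make a self-signed cert, write the nginx stream block that terminates TLS in front of binkd, and pin the peer's cert on first use), as an added shell example that is not part of the message above and not binkd's or nginx's own code. It assumes a directory you choose in place of /srv/certs, the hostname fido.example.net as a placeholder CN, and the ports 24553 (TLS listener) and 24554 (binkd) from the thread; the TOFU pin file is a local illustration of what "trust on first use" means, not something binkd or nginx implements.

```shell
#!/bin/sh
# Added example: self-signed certs for an nginx stream proxy in front of
# binkd, the stream{} config, and trust-on-first-use pinning of a cert.
# Assumptions: CERTDIR replaces /srv/certs; fido.example.net is a placeholder.
set -eu

# Self-signed RSA certificate, valid 1200 days as in the thread.
# Writes NAME.key and NAME.crt into DIR.
gen_selfsigned_rsa() {
    dir=$1; name=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1200 \
        -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"    # private key must not be world-readable
}

# Optional Ed25519 certificate (needs OpenSSL 1.1.1 or newer).
# Returns 1 if this OpenSSL cannot make one, so callers can stay RSA-only.
gen_selfsigned_ed25519() {
    dir=$1; name=$2; cn=$3
    openssl genpkey -algorithm ED25519 -out "$dir/$name.key" 2>/dev/null || return 1
    openssl req -x509 -new -key "$dir/$name.key" -days 1200 \
        -subj "/CN=$cn" -out "$dir/$name.crt" 2>/dev/null || return 1
    chmod 600 "$dir/$name.key"
}

# Write the stream{} block to CONF. ssl_certificate takes the .crt and
# ssl_certificate_key the .key; several pairs (RSA, Ed25519) may be listed
# and nginx selects one per client. Usage: write_stream_conf CONF CERTDIR NAME...
write_stream_conf() {
    conf=$1; certdir=$2; shift 2
    {
        echo "stream {"
        echo "    server {"
        echo "        listen 24553 ssl;"
        echo "        listen [::]:24553 ssl;"
        echo "        ssl_protocols TLSv1.2 TLSv1.3;"
        for n in "$@"; do
            echo "        ssl_certificate     $certdir/$n.crt;"
            echo "        ssl_certificate_key $certdir/$n.key;"
        done
        echo "        proxy_pass 127.0.0.1:24554;"
        echo "    }"
        echo "}"
    } > "$conf"
}

# SHA-256 fingerprint of a certificate, the value a peer would pin.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Trust on first use: the first time a cert is seen its fingerprint is
# stored in PINFILE; later calls succeed only if the fingerprint matches.
# A mismatch means the peer re-keyed or someone is in the middle.
tofu_check() {
    pinfile=$1; crt=$2
    fp=$(cert_fingerprint "$crt")
    if [ ! -f "$pinfile" ]; then
        printf '%s\n' "$fp" > "$pinfile"
        return 0
    fi
    [ "$(cat "$pinfile")" = "$fp" ]
}

# End-to-end run into a scratch directory (placeholder CN).
demo() {
    work=${1:-$(mktemp -d)}
    gen_selfsigned_rsa "$work" fidonet-rsa fido.example.net
    if gen_selfsigned_ed25519 "$work" fidonet-ed25519 fido.example.net; then
        write_stream_conf "$work/binkd-tls.conf" "$work" fidonet-rsa fidonet-ed25519
    else
        write_stream_conf "$work/binkd-tls.conf" "$work" fidonet-rsa
    fi
    tofu_check "$work/peer.pin" "$work/fidonet-rsa.crt"
    echo "certs, config and pin written under $work"
}

if [ "${1:-}" = "demo" ]; then
    demo "${2:-}"
fi
```

Run it as `sh tls-binkd.sh demo /etc/nginx/certs` (or any directory), then include the generated file from the main nginx config and validate with `nginx -t` before `systemctl restart nginx`. The pin file stands in for what a remote node does when it accepts your self-signed cert: it is trusted the first time and any later change of fingerprint should be treated as an error, not silently accepted.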