Merge branch 'v0.3.0' of github.com:michael-lazar/jetforce into v0.3.0
This commit is contained in:
commit
b92574c662
28
README.md
28
README.md
|
@ -10,7 +10,7 @@ Learn more about Gemini [here](https://portal.mozz.us/).
|
||||||
- A built-in static file server with support for gemini directories and CGI scripts.
|
- A built-in static file server with support for gemini directories and CGI scripts.
|
||||||
- An extendable application framework that loosely mimics the [WSGI](https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface) interface.
|
- An extendable application framework that loosely mimics the [WSGI](https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface) interface.
|
||||||
- A lean, modern python codebase with type hints and black formatting.
|
- A lean, modern python codebase with type hints and black formatting.
|
||||||
- A solid networking foundation built on top of the [twisted](https://twistedmatrix.com/trac/) engine.
|
- A solid foundation built on top of the [twisted](https://twistedmatrix.com/trac/) networking engine.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
|
@ -22,12 +22,12 @@ The latest release can be installed from [PyPI](https://pypi.org/project/Jetforc
|
||||||
$ pip install jetforce
|
$ pip install jetforce
|
||||||
```
|
```
|
||||||
|
|
||||||
Or, clone the repository and run the script directly:
|
Or, install from source:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ git clone https://github.com/michael-lazar/jetforce
|
$ git clone https://github.com/michael-lazar/jetforce
|
||||||
$ cd jetforce
|
$ cd jetforce
|
||||||
$ python3 jetforce.py
|
$ python setup.py install
|
||||||
```
|
```
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
@ -88,30 +88,28 @@ The gemini specification *requires* that all connections be sent over TLS.
|
||||||
If you do not provide a TLS certificate file using the ``--tls-certfile`` flag,
|
If you do not provide a TLS certificate file using the ``--tls-certfile`` flag,
|
||||||
jetforce will automatically generate a temporary cert for you to use. This is
|
jetforce will automatically generate a temporary cert for you to use. This is
|
||||||
great for making development easier, but before you expose your server to the
|
great for making development easier, but before you expose your server to the
|
||||||
public internet you should configure something more permanent. You can generate
|
public internet you should setup something more permanent. You can generate
|
||||||
your own self-signed server certificate, or obtain one from a Certificate
|
your own self-signed server certificate, or obtain one from a Certificate
|
||||||
Authority like [Let's Encrypt](https://letsencrypt.org).
|
Authority like [Let's Encrypt](https://letsencrypt.org).
|
||||||
|
|
||||||
Here's the OpenSSL command that jetforce uses to generate a self-signed cert:
|
Here's an example `openssl` command that you can use to generate a self-signed certificate:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ openssl req -newkey rsa:2048 -nodes -keyout {hostname}.key \
|
$ openssl req -newkey rsa:2048 -nodes -keyout {hostname}.key \
|
||||||
-nodes -x509 -out {hostname}.crt -subj "/CN={hostname}"
|
-nodes -x509 -out {hostname}.crt -subj "/CN={hostname}"
|
||||||
```
|
```
|
||||||
|
|
||||||
Jetforce also supports verified client TLS certificates. You can specify your
|
Jetforce also supports TLS client certificates (both self-signed and CA verified).
|
||||||
client CA with the ``--tls-cafile`` or ``--tls-capath`` flags. Verified
|
Connections made with a client certificate will have additional metadata included
|
||||||
connections will have the ``REMOTE_USER`` variable added to their environment,
|
in the request environment. ``REMOTE_USER`` will contain the subject common name,
|
||||||
which contains the client certificate's CN attribute. Instructions on how to
|
and ``TLS_CLIENT_HASH`` will contain a fingerprint that can be used for TOFU pinning.
|
||||||
generate TLS client certificates are outside of the scope of this readme, but
|
|
||||||
|
You can specify a CA for client validation with the ``--tls-cafile`` or ``--tls-capath``
|
||||||
|
flags. Connections validated by the CA will have the ``TLS_CLIENT_VERIFIED`` flag set to
|
||||||
|
True. Instructions on how to generate CA's are outside of the scope of this readme, but
|
||||||
you can find many helpful tutorials
|
you can find many helpful tutorials
|
||||||
[online](https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/).
|
[online](https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/).
|
||||||
|
|
||||||
There are currently no plans to support unverified (transient) client
|
|
||||||
certificates. This is due to a technical limitation of the python standard
|
|
||||||
library's ``ssl`` module, which is described in detail
|
|
||||||
[here](https://portal.mozz.us/gemini/mozz.us/journal/2019-08-21_transient_tls_certs.gmi).
|
|
||||||
|
|
||||||
### Static Files
|
### Static Files
|
||||||
|
|
||||||
Jetforce will serve static files in the ``/var/gemini/`` directory:
|
Jetforce will serve static files in the ``/var/gemini/`` directory:
|
||||||
|
|
Loading…
Reference in New Issue