s6-networking
Software
skarnet.org
The s6-tlsserver program
s6-tlsserver is an
UCSPI server tool for
TLS/SSL connections over INET domain sockets. It acts as a TCP super-server
that listens to connections, accepts them, and for each connection,
establishes a TLS transport over it, then executes into a program.
Interface
s6-tlsserver [ options ] [ -- ] ip port prog...
- s6-tlsserver rewrites itself into a command line
involving:
- s6-tcpserver, which
listens to TCP connections on IP address ip port port
and forks a command line for every connection. Note that
s6-tcpserver also rewrites
itself into a more complex command line (the final long-lived
process being s6-tcpserverd),
so your end command line may look a lot longer in ps
than what you originally wrote. This is normal and healthy.
- (if applicable) s6-tcpserver-access,
which performs TCP access control and various operations on the
TCP connection.
- s6-tlsd, which establishes
a TLS transport (server-side) over a connection, via an
s6-tlsd-io child process.
- (if applicable)
s6-applyuidgid,
which drops root privileges.
- prog..., your client program, which is run with the
same pid as s6-tlsd.
- It runs until it is killed by a signal.
prog is expected to read from its peer on its
standard input and write to its peer on its standard output.
Since there will be an s6-tlsd-io
program between prog and the network to perform
the SSL encryption/decryption, those descriptors will not
be a network socket - they will be pipes.
Signals
s6-tlsserver reacts to the same signals as
s6-tcpserverd,
which is the long-lived process hanging around.
Environment variables
Read
The following variables should be set before invoking
s6-tlsserver, because they will be used by
every s6-tlsd invocation:
- KEYFILE
- CERTFILE
- TLS_UID and TLS_GID (if you run s6-tlsserver as root)
- CADIR (if you want client certificates)
- CAFILE (if you want client certificates, alternative to CADIR)
Setting both KEYFILE and CERTFILE is mandatory.
Written
prog... is run with the following variables added to,
or removed from, its environment by s6-tcpserverd
and possibly by s6-tcpserver-access:
- PROTO
- TCPREMOTEIP
- TCPREMOTEPORT
- TCPCONNNUM
- TCPLOCALIP
- TCPLOCALPORT
- TCPREMOTEHOST
- TCPLOCALHOST
- TCPREMOTEINFO
Depending on TCP access rules (if the -i or -x
option has been given), it is possible that prog's
environment undergoes more modifications. Also, since
s6-tlsd is always run
after s6-tcpserver-access,
it is possible to set different TLS/SSL parameters (typically
a different KEYFILE and CERTFILE) depending on the client
connection, by writing the correct set of TCP access rules.
Unless the -Z option is given to s6-tlsserver,
the CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID and TLS_GID
variables will not appear in prog's environment.
Options
s6-tlsserver accepts a myriad of options, all of which are
passed as is to the correct executable. Not giving any options will
generally work, but unless you're running a very public server
(such as a Web server) or base your access control on client
certificates, you probably still want TCP access rules.
Options passed as is to s6-tcpserver
- -q, -Q, -v
- -1
- -c maxconn
- -C localmaxconn
- -b backlog
Options passed as is to s6-tcpserver-access
- The verbosity level, if not default, as -v0 or -v2
- -w, -W : be strict or tolerant with DNS or IDENT resolution errors
- -d, -D : enable or disable Nagle's algorithm
- -r, -R : enable or disable IDENT lookups
- -p, -P : enable or disable paranoid DNS cross-checking
- -h, -H : enable or disable DNS lookups
- -l localname : get the local name from the command line, not from DNS
- -B banner : initial server-side banner
- -t timeout : set a timeout for all the lookups
- -i rulesdir, -x rulesfile : TCP access control
Options passed as is to s6-tlsd
- -Z, -z : keep or remove the s6-tlsd-io-specific
variables from the application's environment
- -S, -s : use close_notify or EOF to signal the end of a TLS connection
- -J, -j : exit nonzero with an error message when the peer fails to close_notify, or ignore it
- -Y, -y : request an optional or a mandatory client certificate
- -K kimeout : set a timeout for the TLS handshake
- -k snilevel : support SNI-based certificate chains
Options passed to s6-applyuidgid
- -u uid, -g gid, -G gidlist : set uid, gid, or supplementary group list
- -U (passed as -Uz) : get the uid, gid and supplementary group list from the UID, GID and GIDLIST variables,
and remove these variables from the application's environment
Example
As root:
env KEYFILE=/etc/ssl/private/mykey.der CERTFILE=/etc/ssl/public/mycert.pem \
TLS_UID=65534 TLS_GID=65534 \
s6-envuidgid www \
s6-tlsserver -U -- 1.2.3.4 443 httpd
This will start a server listening to 1.2.3.4 on TCP port 443,
and for every connection, spawn the httpd program
reading queries on stdin and replying on stdout, as user www,
with a TLS layer protecting the connection, the TLS engine running
as user nobody (65534:65534). The server is
authenticated by the certificate in /etc/ssl/public/mycert.pem
that it sends to the client, and the private key in
/etc/ssl/private/mykey.der that it keeps to itself.