Skip to content

Commit

Permalink
Update Documentation
Browse files Browse the repository at this point in the history
  • Loading branch information
@dwd
dwd authored and Dave Cridland committed Dec 16, 2016
1 parent 254582c commit ae95064
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 11 deletions.
55 changes: 46 additions & 9 deletions FAQ.md
View file
Expand Up @@ -13,6 +13,12 @@ Who is "I"?
I am Dave Cridland. You can find me in various places. If you're using Metre, or interested in doing so,
please drop me a line, or an IM, or whatever.

Can I get support from you?
----

[Surevine Ltd](https://www.surevine.com/) can do support contracts, and the actual person providing
support will often be me. Writing and deploying this kind of thing is what we do.

Is this an XMPP server?
----

Expand Down Expand Up @@ -71,14 +77,15 @@ The defaults look complex!
----

Yes, they are - Metre tries to be smart about what defaults to use for a domain given
previous configuration. Loosely, if it's set to fetch status information (a global), it'll also
check it (a per-domain option).
previous configuration. For example, if it's set to fetch certificate status information (a global), it'll also
check a per-domain option for it. The per-domain option will default to what makes sense - if
it's set to fetch certificate status globally, the per-domain option defaults to true.

Domains should inherit defaults from the `<any/>` domain, too.

If you're confused, check the config dump that'll be created in the data directory - it'll
contain all the configuration, including defaults, and is an accurate snapshot of the
running config (very useful for debugging and support!)
contain all the configuration, including defaults, and should be an accurate snapshot of the
running config (very useful for debugging and support!).

SIGHUP doesn't do a reload!
----
Expand Down Expand Up @@ -172,7 +179,7 @@ How are XEP-0114 components hosted?

XEP-0114 components are, to Metre, just another kind of remote server, albeit one it
cannot initiate a connection to. The difference is that you'll need to define the `<transport/>` type as "114",
and set a secret for the authentication with a child element of `<auth type='secret'/>`, containing the dialback secret, like so:
and set a secret for the authentication with a child element of `<auth type='secret'/>`, containing the authentication secret, like so:

```xml
<domain name='component.example.com'>
Expand All @@ -184,11 +191,22 @@ and set a secret for the authentication with a child element of `<auth type='sec

Most component libraries will not negotiate TLS, so Metre will change the default for the `sec` attribute to false here,
but you can override it. Similarly, it will change the default for the `forward` attribute on the domain, since most people
will want components available to external servers - but you can change this if you want.
will want components available to external servers - but again, you can change this if you want.

As ever, if you're confused, take a look at the running config in the data directory, and you'll see everything set explicitly.

There's actually code present for connecting to another server as a component - if anyone would find that useful
let me know.

What other transports are supported?
----

All the transports:

* 's2s' - Traditional, DNS-driven, XMPP. DNS records may be overridden, and it can use XEP-0368 if available.
* 'x2x' - XEP-0361 lightweight XMPP, designed for high-latency links such as SATCOM.
* '114' - XEP-0114 Components, for simplified domain-level services.

I use DNSSEC! What does Metre do?
----

Expand All @@ -198,7 +216,7 @@ That's great. Metre will:
* Use DNSSEC-signed SRV records to gather more reference identifiers for certificates.
* You can also throw away all unsigned records for some server lookups.

To do the latter, add a `<dns dnssec='true'/>` element to the domain stanza (or any
To do the latter, add a `<dns dnssec='true'/>` element to the domain stanza (or `<any/>`
stanza, if you're in an all-DNSSEC environment).

I want to override DNS / my peer doesn't do DNS properly.
Expand All @@ -211,7 +229,7 @@ both SRV and A records, typically.

```xml
<domain name='no-dns.example.com'>
<dns>
<dns dnssec="true">
<srv host='xmpp-server.example.com' port='5269'/>
<host name='xmpp-server.example.com' a='192.168.0.1'/>
</dns>
Expand All @@ -221,10 +239,23 @@ both SRV and A records, typically.
DNS overrides only affect those lookups performed for that domain. Loosely,
the internal API uses the remote domain as context for all lookups.

As a bit of a curve ball, that `a` attribute on `host` can have an IPv6 address in instead
of just IPv4... And the `srv` can have a `tls` attribute giving a boolean of whether it's a
XEP-0368 record or just a traditional one.

Wait... XEP-0368?
----

This is a spec for immediate-mode TLS. Servers lookup `_xmpps-server` and connect to
the result, and instead of using `<starttls/>` they just negotiate TLS straight away. Metre
supports both listening for, and connecting to, XEP-0368 services.

If you want this, you'll need to publish additional SRV records.

I hate CAs! Tell me it does DANE! Please, tell me it does DANE!
----

OK, than. It does DANE.
OK, then. It does DANE.

No, really, it does, but it's poorly tested, particularly for the DomainCert and
TrustAnchorAssertion. As a CA-hating person, therefore, you may be out of luck.
Expand Down Expand Up @@ -258,10 +289,16 @@ For the two hashes, you can just put the hash in hex form. Colons optional.
</domain>
```

Note that the moment you have a TLSA override, certificates must pass it. You can have
multiple TLSA records to handle multiple certificates, or rollover - just like normal TLSA
records, only one is required to match.

Does Metre pass through all traffic unchanged?
----

Currently, yes - although the outer stanza element itself is re-rendered.

However, this will change - it's intended to ultimately filter traffic and even respond
to some on behalf of internal servers.

There is limited support for this now, see [FILTERS](FILTERS.md)
4 changes: 2 additions & 2 deletions FILTERS.md
View file
Expand Up @@ -8,14 +8,14 @@ links (ie, not XEP-0114).

Filters may have global configuration, within a `<filters/>` inside the `<globals/>` section,
and must have per-domain configuration within the domain's `<filter-in/>` section. Ordering
is signficiant here, since filters are applied in order.
is significant here, since filters are applied in order.

Filters may DROP, or PASS - and if they pass a stanza may have changed it.

Existing Filters
========

The only existing filter is the disco-cache filter. It is a non-mutating filter which intercepts
The only existing (working) filter is the disco-cache filter. It is a non-mutating filter which intercepts
and caches disco responses from clients (which themselves do not change) and intercepts and
responds to those disco requests to nodes it has cached.

Expand Down

0 comments on commit ae95064

Please sign in to comment.