This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
openbsd:irc:znc [2020/03/18 15:17] jrmu |
openbsd:irc:znc [2020/07/21 05:13] jrmu old revision restored (2020/07/16 05:40) |
||
|---|---|---|---|
| Line 18: | Line 18: | ||
| Shell: /sbin/nologin | Shell: /sbin/nologin | ||
| OK? (y/n) [y]: y | OK? (y/n) [y]: y | ||
| + | </code> | ||
| I am not sure if this is necessary, but in /etc/login.conf, I add the following: | I am not sure if this is necessary, but in /etc/login.conf, I add the following: | ||
| Line 39: | Line 40: | ||
| </code> | </code> | ||
| - | There should be a line with znc that looks like this (I check to make sure znc has the right login class): | + | There should be a line with znc that looks like this (I check to make sure znc has the right login class; the '1001' is the uid, which you may find to be different from this example, but it should not be changed): |
| <code> | <code> | ||
| - | znc:*:1001:1001::0:0:znc:/home/znc:/bin/sh | + | znc:*:1001:1001:znc:0:0:znc:/home/znc:/sbin/nologin |
| </code> | </code> | ||
| Line 48: | Line 49: | ||
| <code> | <code> | ||
| - | cap_mkdb /etc/login.conf | + | $ doas cap_mkdb /etc/login.conf |
| </code> | </code> | ||
| + | |||
| + | Now change znc shell to /bin/ksh , then continue with the steps below. | ||
| <code> | <code> | ||
| Line 65: | Line 68: | ||
| </code> | </code> | ||
| - | I then set the default shell to /sbin/nologin: | + | |
| + | I then set the default shell to /sbin/nologin (note: the '1001' is the uid, which you may find to be different from this example, but it should not be changed.): | ||
| <code> | <code> | ||
| Line 75: | Line 79: | ||
| </code> | </code> | ||
| - | Run this install script (tested for OpenBSD 6.6 and znc-1.7.4) as root to put znc inside the chroot at /home/znc: | + | Run this install script (tested for OpenBSD 6.7 and znc-1.7.5) as root to put znc inside the chroot at /home/znc: |
| <code> | <code> | ||
| Line 87: | Line 91: | ||
| mknod -m 644 /home/znc/dev/urandom c 45 2 | mknod -m 644 /home/znc/dev/urandom c 45 2 | ||
| mknod -m 666 /home/znc/dev/null c 2 2 | mknod -m 666 /home/znc/dev/null c 2 2 | ||
| - | cp /usr/lib/libc++.so.3.0 /home/znc/usr/lib/libc++.so.3.0 | + | cp /usr/lib/libc++.so.4.0 /home/znc/usr/lib/libc++.so.4.0 |
| - | cp /usr/lib/libc++abi.so.1.0 /home/znc/usr/lib/libc++abi.so.1.0 | + | cp /usr/lib/libc++abi.so.2.1 /home/znc/usr/lib/libc++abi.so.2.1 |
| - | cp /usr/lib/libc.so.95.1 /home/znc/usr/lib/libc.so.95.1 | + | cp /usr/lib/libc.so.96.0 /home/znc/usr/lib/libc.so.96.0 |
| - | cp /usr/lib/libcrypto.so.45.5 /home/znc/usr/lib/libcrypto.so.45.5 | + | cp /usr/lib/libcrypto.so.46.1 /home/znc/usr/lib/libcrypto.so.46.1 |
| cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1 | cp /usr/lib/libm.so.10.1 /home/znc/usr/lib/libm.so.10.1 | ||
| cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1 | cp /usr/lib/libpthread.so.26.1 /home/znc/usr/lib/libpthread.so.26.1 | ||
| - | cp /usr/lib/libssl.so.47.6 /home/znc/usr/lib/libssl.so.47.6 | + | cp /usr/lib/libssl.so.48.1 /home/znc/usr/lib/libssl.so.48.1 |
| cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0 | cp /usr/lib/libz.so.5.0 /home/znc/usr/lib/libz.so.5.0 | ||
| cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so | cp /usr/libexec/ld.so /home/znc/usr/libexec/ld.so | ||
| Line 107: | Line 111: | ||
| <code> | <code> | ||
| - | # HOME=/home/znc/ | + | # export HOME=/home/znc/ |
| # chroot -u znc -g znc /home/znc znc --makeconf | # chroot -u znc -g znc /home/znc znc --makeconf | ||
| </code> | </code> | ||
| Line 116: | Line 120: | ||
| [ ** ] -- Global settings -- | [ ** ] -- Global settings -- | ||
| [ ** ] | [ ** ] | ||
| - | [ ?? ] Listen on port (1025 to 65534): 6697 | + | [ ?? ] Listen on port (1025 to 65534): 31337 |
| [ ?? ] Listen using SSL (yes/no) [no]: yes | [ ?? ] Listen using SSL (yes/no) [no]: yes | ||
| [ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no | [ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no | ||
| Line 153: | Line 157: | ||
| <code> | <code> | ||
| - | pass in proto tcp to port {http https} | + | pass in log quick proto tcp to port {http https} keep state (max-src-conn 30, max-src-conn-rate 20/60) |
| - | pass in proto {tcp udp} to port { 6697 } #irc | + | pass in log quick proto tcp to port { 1337 31337 } keep state (max 3000, max-src-conn 200) #bnc |
| </code> | </code> | ||
| Line 166: | Line 170: | ||
| <code> | <code> | ||
| - | # HOME=/home/znc && /usr/sbin/chroot -u znc -g znc /home/znc znc >/var/log/znc.log 2>&1 & | + | # HOME=/home/znc && /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 & |
| </code> | </code> | ||
| Line 178: | Line 182: | ||
| <code> | <code> | ||
| - | AnonIPLimit = 1000 | + | AnonIPLimit = 10000 |
| AuthOnlyViaModule = false | AuthOnlyViaModule = false | ||
| ConfigWriteDelay = 0 | ConfigWriteDelay = 0 | ||
| Line 189: | Line 193: | ||
| LoadModule = webadmin | LoadModule = webadmin | ||
| LoadModule = certauth | LoadModule = certauth | ||
| - | LoadModule = partyline | ||
| MaxBufferSize = 10000 | MaxBufferSize = 10000 | ||
| ProtectWebSessions = true | ProtectWebSessions = true | ||
| Line 196: | Line 199: | ||
| SSLKeyFile = /home/znc/.znc/my.example.com.key | SSLKeyFile = /home/znc/.znc/my.example.com.key | ||
| ServerThrottle = 30 | ServerThrottle = 30 | ||
| - | Version = 1.7.4 | + | Version = 1.7.5 |
| <Listener listener0> | <Listener listener0> | ||
| Line 204: | Line 207: | ||
| IPv4 = true | IPv4 = true | ||
| IPv6 = false | IPv6 = false | ||
| - | Port = 6697 | + | Port = 1337 |
| - | SSL = true | + | SSL = false |
| URIPrefix = / | URIPrefix = / | ||
| </Listener> | </Listener> | ||
| <Listener listener1> | <Listener listener1> | ||
| + | AllowIRC = true | ||
| + | AllowWeb = false | ||
| + | Host = 192.168.1.1 | ||
| + | IPv4 = true | ||
| + | IPv6 = false | ||
| + | Port = 31337 | ||
| + | SSL = true | ||
| + | URIPrefix = / | ||
| + | </Listener> | ||
| + | |||
| + | <Listener listener2> | ||
| AllowIRC = true | AllowIRC = true | ||
| AllowWeb = false | AllowWeb = false | ||
| Line 215: | Line 229: | ||
| IPv4 = false | IPv4 = false | ||
| IPv6 = true | IPv6 = true | ||
| - | Port = 6697 | + | Port = 1337 |
| + | SSL = false | ||
| + | URIPrefix = / | ||
| + | </Listener> | ||
| + | |||
| + | <Listener listener3> | ||
| + | AllowIRC = true | ||
| + | AllowWeb = false | ||
| + | Host = 2001:db8:: | ||
| + | IPv4 = false | ||
| + | IPv6 = true | ||
| + | Port = 31337 | ||
| SSL = true | SSL = true | ||
| URIPrefix = / | URIPrefix = / | ||
| </Listener> | </Listener> | ||
| - | <Listener listener2> | + | <Listener listener4> |
| + | AllowIRC = true | ||
| + | AllowWeb = false | ||
| + | Host = 127.0.0.1 | ||
| + | IPv4 = true | ||
| + | IPv6 = false | ||
| + | Port = 1337 | ||
| + | SSL = false | ||
| + | URIPrefix = / | ||
| + | </Listener> | ||
| + | |||
| + | <Listener listener5> | ||
| AllowIRC = false | AllowIRC = false | ||
| AllowWeb = true | AllowWeb = true | ||
| Line 226: | Line 262: | ||
| IPv4 = true | IPv4 = true | ||
| IPv6 = false | IPv6 = false | ||
| - | Port = 6669 | + | Port = 1338 |
| SSL = false | SSL = false | ||
| URIPrefix = / | URIPrefix = / | ||
| Line 234: | Line 270: | ||
| We will load the identfile module by default. This is necessary to provide proper ident using [[openbsd:irc:oidentd|oidentd]]. Please follow the instructions in the link to configure ident. | We will load the identfile module by default. This is necessary to provide proper ident using [[openbsd:irc:oidentd|oidentd]]. Please follow the instructions in the link to configure ident. | ||
| - | I have znc bind to port 6669 without SSL for the web server. I will later use [[openbsd:net:relayd|relayd]] to provide TLS acceleration on port 443. | + | I have znc bind to port 1338 without SSL for the web server. I will later use [[openbsd:net:relayd|relayd]] to provide TLS acceleration on port 443. |
| Replace with your own IP addresses. Then, on your irc client logged into the bouncer: | Replace with your own IP addresses. Then, on your irc client logged into the bouncer: | ||
| Line 250: | Line 286: | ||
| <code> | <code> | ||
| HOME=/home/znc | HOME=/home/znc | ||
| - | */5 * * * * /usr/sbin/chroot -u znc -g znc /home/znc znc >/var/log/znc.log 2>&1 & | + | */5 * * * * /usr/sbin/chroot -u znc -g znc /home/znc znc >>/var/log/znc.log 2>&1 & |
| </code> | </code> | ||
| Line 256: | Line 292: | ||
| <code> | <code> | ||
| - | $ openssl s_client -connect my.example.com:6697 | + | $ openssl s_client -connect my.example.com:31337 |
| </code> | </code> | ||