Martchus
/
syncthing
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

man: Include stdiscosrv and strelaysrv manpages 

GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3450
This commit is contained in:
aviau 2016-07-27 15:00:10 +00:00 committed by Jakob Borg
parent 66a506e72b
commit d7cb4d407b
4 changed files with 517 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build.go
View File

@ -111,6 +111,7 @@ var targets = map[string]target{
{src: "cmd/stdiscosrv/README.md", dst: "deb/usr/share/doc/stdiscosrv/README.txt", perm: 0644},
{src: "cmd/stdiscosrv/LICENSE", dst: "deb/usr/share/doc/stdiscosrv/LICENSE.txt", perm: 0644},
{src: "AUTHORS", dst: "deb/usr/share/doc/stdiscosrv/AUTHORS.txt", perm: 0644},
{src: "man/stdiscosrv.1", dst: "deb/usr/share/man/man1/stdiscosrv.1", perm: 0644},
},
tags: []string{"purego"},
},
@ -129,6 +130,7 @@ var targets = map[string]target{
{src: "cmd/strelaysrv/README.md", dst: "deb/usr/share/doc/strelaysrv/README.txt", perm: 0644},
{src: "cmd/strelaysrv/LICENSE", dst: "deb/usr/share/doc/strelaysrv/LICENSE.txt", perm: 0644},
{src: "AUTHORS", dst: "deb/usr/share/doc/strelaysrv/AUTHORS.txt", perm: 0644},
{src: "man/strelaysrv.1", dst: "deb/usr/share/man/man1/strelaysrv.1", perm: 0644},
},
},
"strelaypoolsrv": {

2
man/refresh.sh
View File

@ -3,6 +3,8 @@
base=http://docs.syncthing.net/man/
pages=(
syncthing.1
stdiscosrv.1
strelaysrv.1
syncthing-config.5
syncthing-stignore.5
syncthing-device-ids.7

308
man/stdiscosrv.1 Normal file
View File

@ -0,0 +1,308 @@
.\" Man page generated from reStructuredText.
.
.TH "STDISCOSRV" "1" "July 24, 2016" "v0.14" "Syncthing"
.SH NAME
stdiscosrv \- Syncthing Discovery Server
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
stdiscosrv [\-cert=<file>] [\-db\-backend=<string>] [\-db\-dsn=<string>] [\-debug] [\-http] [\-key=<string>]
[\-limit\-avg=<int>] [\-limit\-burst=<int>] [\-limit\-cache=<int>] [\-listen=<address>]
[\-stats\-file=<file>]
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
Syncthing relies on a discovery server to find peers on the internet. Anyone
can run a discovery server and point its syncthing installations to it.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-cert=<file>
Certificate file (default "cert.pem").
.UNINDENT
.INDENT 0.0
.TP
.B \-db\-backend=<string>
Database backend to use (default "ql").
.UNINDENT
.INDENT 0.0
.TP
.B \-db\-dsn=<string>
Database DSN (default "memory://stdiscosrv").
.UNINDENT
.INDENT 0.0
.TP
.B \-debug
Enable debug output.
.UNINDENT
.INDENT 0.0
.TP
.B \-http
Listen on HTTP (behind an HTTPS proxy).
.UNINDENT
.INDENT 0.0
.TP
.B \-key=<file>
Key file (default "key.pem").
.UNINDENT
.INDENT 0.0
.TP
.B \-limit\-avg=<int>
Allowed average package rate, per 10 s (default 5).
.UNINDENT
.INDENT 0.0
.TP
.B \-limit\-burst=<int>
Allowed burst size, packets (default 20).
.UNINDENT
.INDENT 0.0
.TP
.B \-limit\-cache=<int>
Limiter cache entries (default 10240).
.UNINDENT
.INDENT 0.0
.TP
.B \-listen=<address>
Listen address (default ":8443").
.UNINDENT
.INDENT 0.0
.TP
.B \-stats\-file=<file>
File to write periodic operation stats to.
.UNINDENT
.SH POINTING SYNCTHING AT YOUR DISCOVERY SERVER
.sp
By default, Syncthing uses a number of global discovery servers, signified by
the entry \fBdefault\fP in the list of discovery servers. To make Syncthing use
your own instance of stdiscosrv, open up Syncthing\(aqs web GUI. Go to settings,
Global Discovery Server and add stdiscosrv\(aqs host address to the comma\-separated
list, e.g. \fBhttps://disco.example.com:8443/v2/\fP\&. Note that stdiscosrv uses port
8443 by default. For stdiscosrv to be available over the internet with a dynamic
IP address, you will need a dynamic DNS service.
.sp
If you wish to use \fIonly\fP your own discovery server, remove the \fBdefault\fP
entry from the list.
.SH SETTING UP
.SS Description
.sp
This guide assumes that you have already set up Syncthing. If you
haven\(aqt yet, head over to getting\-started first.
.SS Installing
.sp
Go to \fI\%releases\fP <\fBhttps://github.com/syncthing/stdiscosrv/releases\fP> and
download the file appropriate for your operating system. Unpacking it will
yield a binary called \fBstdiscosrv\fP (or \fBstdiscosrv.exe\fP on Windows). Start
this in whatever way you are most comfortable with; double clicking should
work in any graphical environment. At first start, stdiscosrv will generate the
directory \fB/var/stdiscosrv\fP (\fBX:\evar\estdiscosrv\fP on Windows, where X is the
partition \fBstdiscosrv.exe\fP is executed from) with configuration. If the user
running \fBstdiscosrv\fP doesn\(aqt have permission to do so, create the directory
and set the owner appropriately or use the command line switches (see below)
to select a different location.
.SS Configuring
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
If you are running an instance of syncthing on the discovery server,
you must either add that instance to other nodes using a static
address or bind the discovery server and syncthing instances to
different IP addresses.
.UNINDENT
.UNINDENT
.SS Certificates
.sp
The discovery server provides service over HTTPS. To ensure secure connections
from clients there are three options:
.INDENT 0.0
.IP \(bu 2
Use a CA\-signed certificate pair for the domain name you will use for the
discovery server. This is like any other HTTPS website; clients will
authenticate the server based on it\(aqs certificate and domain name.
.IP \(bu 2
Use any certificate pair and let clients authenticate the server based on
it\(aqs "device ID" (similar to Syncthing\-to\-Syncthing authentication). In
this case, using \fBsyncthing \-generate\fP is a good option to create a
certificate pair.
.IP \(bu 2
Pass the \fB\-http\fP flag if the discovery server is behind an SSL\-secured
reverse proxy. See below for configuration.
.UNINDENT
.sp
For the first two options, the discovery server must be given the paths to
the certificate and key at startup. This isn\(aqt necessary with the \fBhttp\fP flag:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
$ stdiscosrv \-cert /path/to/cert.pem \-key /path/to/key.pem
Server device ID is 7DDRT7J\-UICR4PM\-PBIZYL3\-MZOJ7X7\-EX56JP6\-IK6HHMW\-S7EK32W\-G3EUPQA
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The discovery server prints it\(aqs device ID at startup. In the case where you
are using a non CA signed certificate, this device ID (fingerprint) must be
given to the clients in the discovery server URL:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
https://disco.example.com:8443/v2/?id=7DDRT7J\-UICR4PM\-PBIZYL3\-MZOJ7X7\-EX56JP6\-IK6HHMW\-S7EK32W\-G3EUPQA
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Otherwise, the URL (note the trailing slash after the \fBv2\fP) will be:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
https://disco.example.com:8443/v2/
.ft P
.fi
.UNINDENT
.UNINDENT
.SS Reverse Proxy Setup
.sp
The discovery server can be run behind an SSL\-secured reverse proxy. This
allows:
.INDENT 0.0
.IP \(bu 2
Use of a subdomain name without requiring a port number added to the URL
.IP \(bu 2
Sharing an SSL certificate with multiple services on the same server
.UNINDENT
.SS Requirements
.INDENT 0.0
.IP \(bu 2
Run the discovery server using the \-http flag \fBstdiscosrv \-http\fP\&.
.IP \(bu 2
SSL certificate/key configured for the reverse proxy
.IP \(bu 2
The "X\-Forwarded\-For" http header must be passed through with the client\(aqs
real IP address
.IP \(bu 2
The "X\-SSL\-Cert" must be passed through with the PEM\-encoded client SSL
certificate
.IP \(bu 2
The proxy must request the client SSL certificate but not require it to be
signed by a trusted CA.
.UNINDENT
.SS Nginx
.sp
These three lines in the configuration take care of the last three requirements
listed above:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
proxy_set_header X\-Forwarded\-For $proxy_add_x_forwarded_for;
proxy_set_header X\-SSL\-Cert $ssl_client_cert;
ssl_verify_client optional_no_ca;
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The following is a complete example Nginx configuration file. With this setup,
clients can use \fI\%https://discovery.mydomain.com\fP as the discovery server URL in
the Syncthing settings.
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X\-Real\-IP $remote_addr;
proxy_set_header X\-Forwarded\-For $proxy_add_x_forwarded_for;
proxy_set_header X\-Forwarded\-Proto $proxy_x_forwarded_proto;
proxy_set_header X\-SSL\-Cert $ssl_client_cert;
upstream discovery.mydomain.com {
# Local IP address:port for discovery server
server 172.17.0.6:8443;
}
server {
server_name discovery.mydomain.com;
listen 80;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name discovery.mydomain.com;
listen 443 ssl http2;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-AES256\-GCM\-SHA384: DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-DSS\-AES128\-GCM\-SHA256:kEDH+AESGCM:ECDHE\-RSA\-AES128\-SHA256:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA:E CDHE\-ECDSA\-AES128\-SHA:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-RSA\-AES256\-SHA:ECDHE\-ECDSA\-AES256\-SHA:DHE\-RSA\-AES128\-SHA25 6:DHE\-RSA\-AES128\-SHA:DHE\-DSS\-AES128\-SHA256:DHE\-RSA\-AES256\-SHA256:DHE\-DSS\-AES256\-SHA:DHE\-RSA\-AES256\-SHA:AES128\-GCM\-SHA256:AES256\-GCM\-SHA3 84:AES128\-SHA256:AES256\-SHA256:AES128\-SHA:AES256\-SHA:AES:CAMELLIA:DES\-CBC3\-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH\-DSS \-DES\-CBC3\-SHA:!EDH\-RSA\-DES\-CBC3\-SHA:!KRB5\-DES\-CBC3\-SHA;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_certificate /etc/nginx/certs/discovery.mydomain.com.crt;
ssl_certificate_key /etc/nginx/certs/discovery.mydomain.com.key;
ssl_dhparam /etc/nginx/certs/discovery.mydomain.com.dhparam.pem;
add_header Strict\-Transport\-Security "max\-age=31536000";
ssl_verify_client optional_no_ca;
location / {
proxy_pass http://discovery.mydomain.com;
}
}
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
An example of automating the SSL certificates and reverse\-proxying the Discovery
Server and Syncthing using Nginx, \fI\%Let\(aqs Encrypt\fP <\fBhttps://letsencrypt.org/\fP> and Docker can be found \fI\%here\fP <\fBhttps://forum.syncthing.net/t/docker-syncthing-and-syncthing-discovery-behind-nginx-reverse-proxy-with-lets-encrypt/6880\fP>\&.
.SH SEE ALSO
.sp
\fIsyncthing\-networking(7)\fP, \fIsyncthing\-faq(7)\fP
.SH AUTHOR
The Syncthing Authors
.SH COPYRIGHT
2015, The Syncthing Authors
.\" Generated by docutils manpage writer.
.

205
man/strelaysrv.1 Normal file
View File

@ -0,0 +1,205 @@
.\" Man page generated from reStructuredText.
.
.TH "STRELAYSRV" "1" "July 24, 2016" "v0.14" "Syncthing"
.SH NAME
strelaysrv \- Syncthing Relay Server
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
strelaysrv [\-debug] [\-ext\-address=<address>] [\-global\-rate=<bytes/s>] [\-keys=<dir>] [\-listen=<listen addr>]
[\-message\-timeout=<duration>] [\-network\-timeout=<duration>] [\-per\-session\-rate=<bytes/s>]
[\-ping\-interval=<duration>] [\-pools=<pool addresses>] [\-provided\-by=<string>] [\-status\-srv=<listen addr>]
.ft P
.fi
.UNINDENT
.UNINDENT
.SH DESCRIPTION
.sp
Syncthing relies on a network of community\-contributed relay servers. Anyone
can run a relay server, and it will automatically join the relay pool and be
available to Syncthing users. The current list of relays can be found at
\fI\%https://relays.syncthing.net\fP\&.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-debug
Enable debug output.
.UNINDENT
.INDENT 0.0
.TP
.B \-ext\-address=<address>
An optional address to advertising as being available on. Allows listening
on an unprivileged port with port forwarding from e.g. 443, and be
connected to on port 443.
.UNINDENT
.INDENT 0.0
.TP
.B \-global\-rate=<bytes/s>
Global rate limit, in bytes/s.
.UNINDENT
.INDENT 0.0
.TP
.B \-keys=<dir>
Directory where cert.pem and key.pem is stored (default ".").
.UNINDENT
.INDENT 0.0
.TP
.B \-listen=<listen addr>
Protocol listen address (default ":22067").
.UNINDENT
.INDENT 0.0
.TP
.B \-message\-timeout=<duration>
Maximum amount of time we wait for relevant messages to arrive (default 1m0s).
.UNINDENT
.INDENT 0.0
.TP
.B \-network\-timeout=<duration>
Timeout for network operations between the client and the relay. If no data
is received between the client and the relay in this period of time, the
connection is terminated. Furthermore, if no data is sent between either
clients being relayed within this period of time, the session is also
terminated. (default 2m0s)
.UNINDENT
.INDENT 0.0
.TP
.B \-per\-session\-rate=<bytes/s>
Per session rate limit, in bytes/s.
.UNINDENT
.INDENT 0.0
.TP
.B \-ping\-interval=<duration>
How often pings are sent (default 1m0s).
.UNINDENT
.INDENT 0.0
.TP
.B \-pools=<pool addresses>
Comma separated list of relay pool addresses to join (default
"\fI\%https://relays.syncthing.net/endpoint\fP"). Blank to disable announcement to
a pool, thereby remaining a private relay.
.UNINDENT
.INDENT 0.0
.TP
.B \-provided\-by=<string>
An optional description about who provides the relay.
.UNINDENT
.INDENT 0.0
.TP
.B \-status\-srv=<listen addr>
Listen address for status service (blank to disable) (default ":22070").
.UNINDENT
.SH SETTING UP
.sp
Primarily, you need to decide on a directory to store the TLS key and
certificate and a listen port. The default listen port of 22067 works, but for
optimal compatibility a well known port for encrypted traffic such as 443 is
recommended. This may require additional setup to work without running
as root or a privileged user, see \fI\%Running on port 443 as an unprivileged user\fP
below. In principle something similar to this should work on a Linux/Unix
system:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
$ sudo useradd relaysrv
$ sudo mkdir /etc/relaysrv
$ sudo chown relaysrv /etc/relaysrv
$ sudo \-u relaysrv /usr/local/bin/relaysrv \-keys /etc/relaysrv
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
This creates a user \fBrelaysrv\fP and a directory \fB/etc/relaysrv\fP to store
the keys. The keys are generated on first startup. The relay will join the
global relay pool, unless a \fB\-pools=""\fP argument is given.
.sp
To make the relay server start automatically at boot, use the recommended
procedure for your operating system.
.SS Running on port 443 as an unprivileged user
.sp
It is recommended that you run the relay on port 443 (or another port which is
commonly allowed through corporate firewalls), in order to maximise the chances
that people are able to connect. However, binding to ports below 1024 requires
root privileges, and running a relay as root is not recommended. Thankfully
there are a couple of approaches available to you.
.sp
One option is to run the relay on port 22067, and use an \fBiptables\fP rule
to forward traffic from port 443 to port 22067, for example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
iptables \-t nat \-A PREROUTING \-i eth0 \-p tcp \-\-dport 443 \-j REDIRECT \-\-to\-port 22067
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
Or, if you\(aqre using \fBufw\fP, add the following to \fB/etc/ufw/before.rules\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
\-A PREROUTING \-i eth0 \-p tcp \-\-dport 443 \-j REDIRECT \-\-to\-port 22067
COMMIT
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
You will need to start \fBrelaysrv\fP with \fB\-ext\-address ":443"\fP\&. This tells
\fBrelaysrv\fP that it can be contacted on port 443, even though it is listening
on port 22067. You will also need to let both port 443 and 22067 through your
firewall.
.sp
Another option is \fI\%described here\fP <\fBhttps://wiki.apache.org/httpd/NonRootPortBinding\fP>,
although your milage may vary.
.SH SEE ALSO
.sp
\fIsyncthing\-relay(7)\fP, \fIsyncthing\-faq(7)\fP,
\fIsyncthing\-networking(7)\fP
.SH AUTHOR
The Syncthing Authors
.SH COPYRIGHT
2015, The Syncthing Authors
.\" Generated by docutils manpage writer.
.