From d772215dc8be19a1a93b218278bce28eef9e5f45 Mon Sep 17 00:00:00 2001 From: Yujia Qiao Date: Sun, 2 Jan 2022 15:48:28 +0800 Subject: [PATCH] docs: add about TLS --- README.md | 2 +- docs/security.md | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 32a0daf..8e09965 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,7 @@ But the `[client]` and `[server]` block can also be put in one file. Then on the Some configuration examples are provided under [examples](./examples). -The Noise Protocol can be easily used to secure the traffic, see [Security](./docs/security.md). +The Noise Protocol can be easily used to secure the traffic. TLS can also be used. See [Security](./docs/security.md). Here is the full configuration specification: ```toml diff --git a/docs/security.md b/docs/security.md index f59f6c8..9b0bd7f 100644 --- a/docs/security.md +++ b/docs/security.md @@ -1,5 +1,26 @@ # Security +By default, `rathole` forwards traffic as it is. Different options can be enabled to secure the traffic. + +## TLS +Checkout the [example](../examples/tls) +### Client +Normally, a self-signed certificate is used. In this case, the client needs to trust the CA. `trusted_root` is the path to the root CA's certificate PEM file. +`hostname` is the hostname that the client used to validate aginst the certificate that the server presents. +``` +[client.transport.tls] +trusted_root = "example/tls/ca-cert.pem" +hostname = "0.0.0.0" +``` + +### Server +PKCS#12 archives are needed to run the server. + +It can be created using openssl like: +``` +openssl pkcs12 -export -out identity.pfx -inkey server-key.pem -in server-cert.pem -certfile ca_chain_certs.pem +``` + ## Noise Protocol ### Quickstart for the Noise Protocl In one word, the [Noise Protocol](http://noiseprotocol.org/noise.html) is a lightweigt, easy to configure and drop-in replacement of TLS. No need to create a self-sign certificate to secure the connection.
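Review bot: in the `[client.transport.tls]` example in the docs/security.md hunk, `hostname = "0.0.0.0"` is a misleading value to document: `hostname` is the name the client validates the presented server certificate against, and an address-style placeholder (the unspecified address at that) will not match any name in a certificate's SAN or CN, so readers either copy a config that fails validation or are nudged toward weakening it. Use the DNS name the example server certificate under `examples/tls` is issued for and state explicitly that it must match the certificate. The `trusted_root` path `example/tls/ca-cert.pem` also disagrees with the `../examples/tls` link (`example` vs `examples`). The Server section explains how to build the PKCS#12 archive but not the server-side config block that consumes it; a snippet mirroring the client one, plus a sentence on where the export password that `openssl pkcs12 -export` prompts for is supplied, would complete it. Minor: `Checkout` -> `Check out`, `aginst` -> `against`, and tag the new fences (```toml, ```sh) as README.md already does with ```toml.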