From 19f4580acab7938a436fc2f079be0d84e9e4d28a Mon Sep 17 00:00:00 2001 From: albertony <12441419+albertony@users.noreply.github.com> Date: Fri, 6 Dec 2024 22:08:17 +0100 Subject: [PATCH] docs: mention in serve tls options when value is path to file - fixes #8232 --- docs/content/rc.md | 22 ++++++++++++---------- lib/http/server.go | 33 +++++++++++++++++---------------- 2 files changed, 29 insertions(+), 26 deletions(-) diff --git a/docs/content/rc.md b/docs/content/rc.md index 7a8ef34e4..cc3b8329f 100644 --- a/docs/content/rc.md +++ b/docs/content/rc.md @@ -18,29 +18,31 @@ If you just want to run a remote control then see the [rcd](/commands/rclone_rcd ### --rc -Flag to start the http server listen on remote requests +Flag to start the http server listen on remote requests. ### --rc-addr=IP -IPaddress:Port or :Port to bind server to. (default "localhost:5572") +IPaddress:Port or :Port to bind server to. (default "localhost:5572"). ### --rc-cert=KEY -SSL PEM key (concatenation of certificate and CA certificate) + +SSL PEM key (concatenation of certificate and CA certificate). ### --rc-client-ca=PATH -Client certificate authority to verify clients with + +Client certificate authority to verify clients with. ### --rc-htpasswd=PATH -htpasswd file - if not provided no authentication is done +htpasswd file - if not provided no authentication is done. ### --rc-key=PATH -SSL PEM Private key +TLS PEM private key file. ### --rc-max-header-bytes=VALUE -Maximum size of request header (default 4096) +Maximum size of request header (default 4096). ### --rc-min-tls-version=VALUE @@ -57,15 +59,15 @@ Password for authentication. ### --rc-realm=VALUE -Realm for authentication (default "rclone") +Realm for authentication (default "rclone"). ### --rc-server-read-timeout=DURATION -Timeout for server reading data (default 1h0m0s) +Timeout for server reading data (default 1h0m0s). ### --rc-server-write-timeout=DURATION -Timeout for server writing data (default 1h0m0s) +Timeout for server writing data (default 1h0m0s). ### --rc-serve diff --git a/lib/http/server.go b/lib/http/server.go index 9964c297e..ce13b82b6 100644 --- a/lib/http/server.go +++ b/lib/http/server.go @@ -66,20 +66,21 @@ https. You will need to supply the ` + "`--{{ .Prefix }}cert` and `--{{ .Prefix If you wish to do client side certificate validation then you will need to supply ` + "`--{{ .Prefix }}client-ca`" + ` also. -` + "`--{{ .Prefix }}cert`" + ` should be a either a PEM encoded certificate or a concatenation -of that with the CA certificate. ` + "`--k{{ .Prefix }}ey`" + ` should be the PEM encoded -private key and ` + "`--{{ .Prefix }}client-ca`" + ` should be the PEM encoded client -certificate authority certificate. +` + "`--{{ .Prefix }}cert`" + ` must be set to the path of a file containing +either a PEM encoded certificate, or a concatenation of that with the CA +certificate. ` + "`--{{ .Prefix }}key`" + ` must be set to the path of a file +with the PEM encoded private key. ` + "If setting `--{{ .Prefix }}client-ca`" + `, +it should be set to the path of a file with PEM encoded client certificate +authority certificates. ` + "`--{{ .Prefix }}min-tls-version`" + ` is minimum TLS version that is acceptable. Valid - values are "tls1.0", "tls1.1", "tls1.2" and "tls1.3" (default - "tls1.0"). +values are "tls1.0", "tls1.1", "tls1.2" and "tls1.3" (default "tls1.0"). ### Socket activation Instead of the listening addresses specified above, rclone will listen to all -FDs passed by the service manager, if any (and ignore any arguments passed by ` + - "--{{ .Prefix }}addr`" + `). +FDs passed by the service manager, if any (and ignore any arguments passed +by ` + "`--{{ .Prefix }}addr`" + `). This allows rclone to be a socket-activated service. It can be configured with .socket and .service unit files as described in @@ -162,11 +163,11 @@ type Config struct { ServerReadTimeout time.Duration `config:"server_read_timeout"` // Timeout for server reading data ServerWriteTimeout time.Duration `config:"server_write_timeout"` // Timeout for server writing data MaxHeaderBytes int `config:"max_header_bytes"` // Maximum size of request header - TLSCert string `config:"cert"` // Path to TLS PEM key (concatenation of certificate and CA certificate) - TLSKey string `config:"key"` // Path to TLS PEM Private key - TLSCertBody []byte `config:"-"` // TLS PEM key (concatenation of certificate and CA certificate) body, ignores TLSCert - TLSKeyBody []byte `config:"-"` // TLS PEM Private key body, ignores TLSKey - ClientCA string `config:"client_ca"` // Client certificate authority to verify clients with + TLSCert string `config:"cert"` // Path to TLS PEM public key certificate file (can also include intermediate/CA certificates) + TLSKey string `config:"key"` // Path to TLS PEM private key file + TLSCertBody []byte `config:"-"` // TLS PEM public key certificate body (can also include intermediate/CA certificates), ignores TLSCert + TLSKeyBody []byte `config:"-"` // TLS PEM private key body, ignores TLSKey + ClientCA string `config:"client_ca"` // Path to TLS PEM CA file with certificate authorities to verify clients with MinTLSVersion string `config:"min_tls_version"` // MinTLSVersion contains the minimum TLS version that is acceptable. AllowOrigin string `config:"allow_origin"` // AllowOrigin sets the Access-Control-Allow-Origin header } @@ -177,9 +178,9 @@ func (cfg *Config) AddFlagsPrefix(flagSet *pflag.FlagSet, prefix string) { flags.DurationVarP(flagSet, &cfg.ServerReadTimeout, prefix+"server-read-timeout", "", cfg.ServerReadTimeout, "Timeout for server reading data", prefix) flags.DurationVarP(flagSet, &cfg.ServerWriteTimeout, prefix+"server-write-timeout", "", cfg.ServerWriteTimeout, "Timeout for server writing data", prefix) flags.IntVarP(flagSet, &cfg.MaxHeaderBytes, prefix+"max-header-bytes", "", cfg.MaxHeaderBytes, "Maximum size of request header", prefix) - flags.StringVarP(flagSet, &cfg.TLSCert, prefix+"cert", "", cfg.TLSCert, "TLS PEM key (concatenation of certificate and CA certificate)", prefix) - flags.StringVarP(flagSet, &cfg.TLSKey, prefix+"key", "", cfg.TLSKey, "TLS PEM Private key", prefix) - flags.StringVarP(flagSet, &cfg.ClientCA, prefix+"client-ca", "", cfg.ClientCA, "Client certificate authority to verify clients with", prefix) + flags.StringVarP(flagSet, &cfg.TLSCert, prefix+"cert", "", cfg.TLSCert, "Path to TLS PEM public key certificate file (can also include intermediate/CA certificates)", prefix) + flags.StringVarP(flagSet, &cfg.TLSKey, prefix+"key", "", cfg.TLSKey, "Path to TLS PEM private key file", prefix) + flags.StringVarP(flagSet, &cfg.ClientCA, prefix+"client-ca", "", cfg.ClientCA, "Path to TLS PEM CA file with certificate authorities to verify clients with", prefix) flags.StringVarP(flagSet, &cfg.BaseURL, prefix+"baseurl", "", cfg.BaseURL, "Prefix for URLs - leave blank for root", prefix) flags.StringVarP(flagSet, &cfg.MinTLSVersion, prefix+"min-tls-version", "", cfg.MinTLSVersion, "Minimum TLS version that is acceptable", prefix) flags.StringVarP(flagSet, &cfg.AllowOrigin, prefix+"allow-origin", "", cfg.AllowOrigin, "Origin which cross-domain request (CORS) can be executed from", prefix)