The "ircv3_sts" Module (v4)
Description
This module adds support for the IRCv3 Strict Transport Security specification.
Configuration
To load this module use the following <module> tag:
<module name="ircv3_sts">
<connect>
This module extends the core <connect> tags with the following fields:
Name | Type | Default Value | Description |
---|---|---|---|
usests | Boolean | Yes | Whether users in this connect class should have an STS policy advertised to them. |
Example Usage
Disables STS policy advertisement for users in the LocalIPv4 class:
<connect name="LocalIPv4"
allow="127.0.0.0/8"
...
usests="no">
<sts>
The <sts> tag defines settings about how the sts module should behave. This tag can only be defined once.
Name | Type | Default Value | Description |
---|---|---|---|
host | Text | None | Required! A glob pattern for the hostname a user must send to use STS. |
duration | Duration | 5m | The time period that the STS policy should last for. |
port | Number | None | Required! The port that clients should connect on securely. |
preload | Boolean | No | Whether the STS policy can be included in preload lists. |
Example Usage
<sts host="*.example.com"
duration="60d"
port="6697"
preload="yes">
Client Capabilities
Name | Description |
---|---|
sts | Defines a mechanism for clients to upgrade plaintext IRC connections to TLS (SSL). |
Special Notes
The default duration of 5 minutes is a safety precaution aimed at initial implementation and testing of an STS policy. Once you're comfortable with the configuration, the duration should be raised to a month or more for effective enforcement.
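
To confirm what clients actually receive once the duration has been raised, the following added example (not part of InspIRCd or its documentation) parses the sts value from a CAP LS reply and flags a policy shorter than the month recommended above. The port and duration token names come from the IRCv3 STS specification; the 30-day threshold, the function names and the sample lines are assumptions made for this illustration.

```python
# Added example: audit the "sts" capability value from a CAP LS reply.
# Token names (port, duration) follow the IRCv3 STS specification.
MIN_DURATION = 30 * 24 * 60 * 60  # assumption: "a month" taken as 30 days


def _number(text):
    """Return text as an int if it is a plain ASCII decimal, else None."""
    return int(text) if text.isascii() and text.isdigit() else None


def parse_sts(cap_ls_line):
    """Return the sts tokens of a CAP LS line as a dict, or None if absent."""
    _, _, caps = cap_ls_line.partition(" :")
    for cap in caps.split():
        name, _, value = cap.partition("=")
        if name == "sts":
            pairs = (item.partition("=") for item in value.split(","))
            return {key: val for key, _, val in pairs if key}
    return None


def audit_sts(cap_ls_line, secure):
    """List policy problems; secure=True means the line was read over TLS."""
    tokens = parse_sts(cap_ls_line)
    if tokens is None:
        return ["no sts capability advertised"]
    if not secure:
        # On a plaintext connection the client acts on the port token only.
        port = _number(tokens.get("port", ""))
        if port is None or not 0 < port < 65536:
            return ["plaintext advertisement lacks a valid port"]
        return []
    duration = _number(tokens.get("duration", ""))
    if duration is None:
        return ["secure advertisement lacks a valid duration"]
    if duration == 0:
        return ["duration=0 tells clients to drop the stored policy"]
    if duration < MIN_DURATION:
        return [f"duration {duration}s is shorter than 30 days"]
    return []


# Constructed sample lines, not captured from a real server.
TESTING = ":irc.example.com CAP * LS :multi-prefix sts=duration=300,port=6697"
ENFORCED = ":irc.example.com CAP * LS :sts=duration=5184000,port=6697,preload"

if __name__ == "__main__":
    for line in (TESTING, ENFORCED):
        print(audit_sts(line, secure=True) or "ok", "<-", line)
```

The first sample carries the 5 minute default (300 seconds) and is flagged; the second carries the 60d value from the example configuration (5184000 seconds) and passes.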