Installation docs: Say we don't do TLS ourselves in the server

And explain how to do TLS.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/docs/install.md b/docs/install.md
index 6094ff1aeb79d119c55bd9b5f4e40e6ec927aba0..c5dc7c5d18c92af3b74cdb78b0a232a38b623606 100644 (file)
--- a/docs/install.md
+++ b/docs/install.md
@@ -89,9 +89,9 @@ Configuration
 You will need to:
 
  1. Choose a suitable URL that Hippotat will be able to listen on.
-    This should be port 80, or 443 with TLS.
     You can use a reverse proxy
     (but you may want to suppress some of the logging).
+    The URL should be port 80, or 443 with TLS (with a reverse proxy).
     If using a reverse proxy,
     you must choose an internal IP port for the Hippotat server to use.
 

diff --git a/docs/settings.md b/docs/settings.md
index 107b4d056d666c3884577466ce24231d3d89bf82..fc7fbc73e79132a9f9bb85531f26c9be11053502 100644 (file)
--- a/docs/settings.md
+++ b/docs/settings.md
@@ -161,6 +161,17 @@ sections.
   On client: used only to construct default url.
   [`80`]
 
+  Do not set this to `443` -
+  the server will speak plain unencrypted HTTP on the port you specify,
+  which would be wrong for `443`.
+  While the client has integrated TLS support, the server does not.
+  To use hippotat with TLS:
+   - Set up a TLS reverse proxy (such as apache or nginx),
+     probably with a certificate from Let's Encrypt.
+   - Configure `port` and `addrs` to the internal address and port
+     (to which the reverse proxy forwards the requests).
+   - Configure `url` to the public URL of the reverse proxy.
+
 * `mtu`
 
   Of virtual interface.