From fc4f7354bf07a0639a29ee0204e5b42d3239b7f3 Mon Sep 17 00:00:00 2001 From: Ian Jackson Date: Sun, 8 Jan 2023 22:56:11 +0000 Subject: [PATCH] Installation docs: Say we don't do TLS ourselves in the server And explain how to do TLS. Signed-off-by: Ian Jackson --- docs/install.md | 2 +- docs/settings.md | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/install.md b/docs/install.md index 6094ff1..c5dc7c5 100644 --- a/docs/install.md +++ b/docs/install.md @@ -89,9 +89,9 @@ Configuration You will need to: 1. Choose a suitable URL that Hippotat will be able to listen on. - This should be port 80, or 443 with TLS. You can use a reverse proxy (but you may want to suppress some of the logging). + The URL should be port 80, or 443 with TLS (with a reverse proxy). If using a reverse proxy, you must choose an internal IP port for the Hippotat server to use. diff --git a/docs/settings.md b/docs/settings.md index 107b4d0..fc7fbc7 100644 --- a/docs/settings.md +++ b/docs/settings.md @@ -161,6 +161,17 @@ sections. On client: used only to construct default url. [`80`] + Do not set this to `443` - + the server will speak plain unencrypted HTTP on the port you specify, + which would be wrong for `443`. + While the client has integrated TLS support, the server does not. + To use hippotat with TLS: + - Set up a TLS reverse proxy (such as apache or nginx), + probably with a certificate from Let's Encrypt. + - Configure `port` and `addrs` to the internal address and port + (to which the reverse proxy forwards the requests). + - Configure `url` to the public URL of the reverse proxy. + * `mtu` Of virtual interface. -- 2.30.2
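Review bot: In the docs/install.md hunk, the added line "The URL should be port 80, or 443 with TLS (with a reverse proxy)." does not say that the reverse proxy is required for 443, only that one is involved. A reader who stops at install.md can still conclude that the server terminates TLS itself. Suggest stating it directly, for example "or 443 with TLS, which requires a TLS reverse proxy in front of the server", and pointing to the `port` entry in docs/settings.md, where this patch adds the actual procedure.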
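Review bot: In the docs/settings.md hunk, the step "Configure `port` and `addrs` to the internal address and port" does not say that this listener must be unreachable from outside. Since the added text itself notes that the server speaks plain unencrypted HTTP on whatever port is given, an `addrs` value that is reachable from the public network leaves a plaintext endpoint next to the TLS one. Suggest saying explicitly that `addrs` should be an address only the reverse proxy can reach, such as loopback when the proxy runs on the same host. It would also help to give the reason behind "which would be wrong for `443`" in one clause: clients connecting to 443 expect TLS and the server will not provide it.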