(NNTP server for reader clients)
nnrpd [-DfnoSt] [-6 address] [-b address] [-c configfile] [-i initial] [-I instance] [-p port] [-P prefork] [-r reason] [-s padding]
nnrpd is an NNTP server for newsreaders. It accepts commands on its standard input and responds on its standard output. It is normally invoked by innd(8) with those descriptors attached to a remote client connection. nnrpd also supports running as a standalone daemon.
Unlike innd(8), nnrpd supports all NNTP commands for user-oriented reading and posting. nnrpd uses the readers.conf file to control who is authorized to access the Usenet database.
On exit, nnrpd will report usage statistics through syslog(3).
nnrpd only reads config files (both readers.conf and inn.conf) when it is spawned. You can therefore never change the behavior of a client that's already connected. If nnrpd is run from innd (the default) or from inetd(8), xinetd(8), or some equivalent, a new nnrpd process is spawned for every connection and therefore any changes to configuration files will be immediately effective for all new connections. If you are instead running nnrpd with the -D option, any configuration changes won't take effect until nnrpd is restarted.
The inn.conf setting nnrpdflags can be used to pass any of the options below to instances of nnrpd that are spawned directly from innd. Many options only make sense when -D is used, so these options should not be used with nnrpdflags. See also the discussion of nnrpdflags in inn.conf(5).
When nnrpdloadlimit in inn.conf is not 0, nnrpd will also reject connections if the load average is greater than that value (typically 16). nnrpd can also prevent high-volume posters from abusing your resources. See the discussion of exponential backoff in inn.conf(5).
The -6 parameter instructs nnrpd to bind to the specified
IPv6 address when started as a standalone daemon using the -D flag.
This has to be a valid IPv6 address belonging to an interface of the local
host. It can also be ::0, saying to bind to all IPv6 addresses.
Only one of -6 or -b may be specified. By default,
nnrpd in daemon mode listens to only IPv4 addresses. With this
option, it will listen to the specified IPv6 addresses instead. On some
systems, a value of ::0 will cause it to listen to all IPv4
addresses as well, but on other systems, two copies of nnrpd, one
with -6 and one without it, will have to be run to accept both IPv6
and IPv4 connections.
The -b parameter instructs nnrpd to bind to the specified IPv4 address when started as a standalone daemon using the -D flag. This has to be a valid IPv4 address belonging to an interface of the local host. It can also be 0.0.0.0, saying to bind to all addresses (this is the default).
By default, nnrpd reads the readers.conf file to determine how to authenticate connections. The -c flag specifies an alternate file for this purpose. If the file name isn't fully qualified, it is taken to be relative to pathetc in inn.conf (this is useful to have several instances of nnrpd running on different ports or IP addresses with different settings).
If the -D flag is specified, nnrpd operates as a daemon. That is, it detaches itself and runs in the background, forking a process for every connection. By default nnrpd listens on the NNTP port (119), so either innd(8) has to be started on another port or nnrpd has to be given the -p parameter. Note that with this flag, nnrpd continues running until killed. This means that it reads inn.conf once on startup and never again until restarted. nnrpd should therefore be restarted if inn.conf is changed.
When started in daemon mode, nnrpd will write its PID into a file
in the pathrun directory. The file will be named
nnrpd-%d.pid, where %d is replaced with the port
that nnrpd is configured to listen on (119 unless the -p
option is given).
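A check for the situation described above, where a daemon-mode nnrpd keeps the configuration it read at startup. This is an added example, not part of INN: the function name stale_nnrpd is hypothetical, and it assumes that the PID file's modification time approximates the daemon's start time and that the caller is allowed to signal the nnrpd process (root or the news user).

```shell
#!/bin/sh
# Added example (not part of INN): report standalone nnrpd daemons that were
# started before one of their configuration files was last modified, so that
# an access-control change in readers.conf or inn.conf is not yet in effect.
# Assumption: the mtime of nnrpd-<port>.pid approximates the daemon start time.

# stale_nnrpd PATHRUN CONFIG...
# Prints one line per stale daemon/config pair; returns 1 if any was found.
stale_nnrpd() {
    pathrun=$1; shift
    rc=0
    for pidfile in "$pathrun"/nnrpd-*.pid; do
        [ -f "$pidfile" ] || continue            # glob matched nothing
        port=${pidfile##*/nnrpd-}
        port=${port%.pid}
        case $port in
            ''|*[!0-9]*) continue ;;             # not of the form nnrpd-<port>.pid
        esac
        pid=$(cat "$pidfile")
        # Skip PID files left behind by a daemon that is no longer running.
        kill -0 "$pid" 2>/dev/null || continue
        for conf in "$@"; do
            # -nt is true when the config was modified after the PID file.
            if [ "$conf" -nt "$pidfile" ]; then
                echo "port $port: $conf changed after nnrpd (pid $pid) started; restart needed"
                rc=1
            fi
        done
    done
    return $rc
}

# Stand-alone use: pass pathrun followed by the config files to compare,
# including any alternate file given to nnrpd with -c.
if [ "$#" -gt 0 ]; then
    stale_nnrpd "$@"
fi
```
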
If the -f flag is specified, nnrpd does not detach itself and runs in the foreground when started as a standalone daemon using the -D flag.
The -i parameter specifies an initial command to nnrpd. When used, initial is taken as if it were the first command received by nnrpd.
If the -I parameter is specified, instance is used as an additional static portion within MessageIDs generated by nnrpd; typically this option would be used where a cluster of machines exists with the same virtual hostname and must be disambiguated during posts.
The -n flag turns off resolution of IP addresses to names. If you only use IP-based restrictions in readers.conf and can handle IP addresses in your logs, using this flag may result in some additional speed.
The -o flag causes all articles to be spooled instead of sending them to innd(8). rnews with the -U flag should be invoked from cron on a regular basis to take care of these articles. This flag is useful if innd(8) is accepting articles and nnrpd is started standalone or using inetd(8).
The -p parameter instructs nnrpd to listen on port when started as a standalone daemon using the -D flag.
The -P parameter instructs nnrpd to prefork prefork children awaiting connections when started as a standalone daemon using the -D flag.
If the -r flag is used, then nnrpd will reject the incoming connection giving reason as the text. This flag is used by innd(8) when it is paused or throttled.
As each command is received, nnrpd tries to change its argv
array so that ps(1) will print out the command being executed. To get a
full display, the -s flag may be used with a long string as its
argument, which will be overwritten when the program changes its title.
If the -S flag is specified, nnrpd will start negotiating an SSL session as soon as a client connects. To use this flag, --with-openssl must have been specified at configure time. For more information on running nnrpd with SSL support, see SSL SUPPORT.
If the -t flag is used then all client commands and initial
responses will be traced by reporting them in syslog. This flag is set by
innd(8) under the control of the ctlinnd(8) trace command, and is
toggled upon receipt of a SIGHUP; see signal(2).
If INN is built with --with-openssl, nnrpd will support news reading over TLS (also known as SSL). For clients that use the STARTTLS command, no special configuration is needed beyond creating a TLS/SSL certificate for the server. You should do this in exactly the same way that you would generate a certificate for a web server.
If you're happy with a self-signed certificate (which will generate
warnings with some news reader clients), you can create and install one in
the default path by running make cert after make install
when installing INN, or by running the following commands:
    openssl req -new -x509 -nodes -out <pathnews>/lib/cert.pem \
        -days 366 -keyout <pathnews>/lib/key.pem
    chown news:news <pathnews>/lib/cert.pem
    chmod 640 <pathnews>/lib/cert.pem
    chown news:news <pathnews>/lib/key.pem
    chmod 600 <pathnews>/lib/key.pem
Replace the paths with something appropriate to your INN installation. This will create a self-signed certificate that will expire in a year. The openssl program will ask you a variety of questions about your organization. Enter the fully qualified domain name of the server as the name the certificate is for.
Most news clients currently do not use the STARTTLS command, however, and
instead expect to connect to a separate port (563) and start an SSL
negotiation immediately. innd does not, however, know how to
listen for connections to that port and then spawn nnrpd the way
that it does for regular reader connections. You will therefore need to
arrange for nnrpd to listen on that port through some other means.
This can be done with the -D flag (and -p 563) and put into
your init scripts:
    su news -c '<pathbin>/nnrpd -D -p 563 -S'
but the easiest way is probably to add a line like:
    nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
to /etc/inetd.conf or the equivalent on your system and let
inetd run nnrpd. (Change the path to nnrpd to match
your installation.) You may need to replace nntps with 563
if nntps isn't defined in /etc/services on your
system.
nnrpd implements the NNTP commands defined in RFC 977, with the following differences:
The slave command is not implemented. This command has never been
fully defined.
The list command may be followed by the optional word
active.times, distrib.pats, distributions,
moderators, motd, newsgroups, overview.fmt, or
subscriptions to get a list of when newsgroups were created, a
file specifying default distribution patterns, a list of valid
distributions, the moderators list, the message of the day information for
readers, a one-per-line description of the current set of newsgroups, a
listing of the overview.fmt file, or a list of the
automatic group subscriptions.
The command list active is equivalent to the list command.
This is a common extension.
The xhdr, authinfo user and authinfo pass commands
are implemented. These are based on the reference Unix implementation.
See RFC 2980.
A new command, xpat header range|MessageID pat
[morepat...], is provided. The first argument is the
case-insensitive name of the header to be searched. The second argument
is either an article range or a single Message-ID, as specified in RFC
977. The third argument is a uwildmat(3)-style pattern; if there
are additional arguments they are joined together separated by a single
space to form the complete pattern. This command is similar to the
xhdr command. It returns a 221 response code, followed by
the text response of all article numbers that match the pattern.
The listgroup group command is provided. This is a common
extension. It is equivalent to the group command, except that the
reply is a multi-line response containing the list of all article numbers
in the group.
The xgtitle [group] command is provided. This
extension is used by ANU-News. It returns a 282 reply code,
followed by a one-line description of all newsgroups that match the
pattern. The default is the current group.
The xover [range] command is provided. It
returns a 224 reply code, followed by the overview data for the
specified range; the default is to return the data for the current
article.
The xpath MessageID command is provided; see innd(8).
The date command is provided; this is based on the draft NNTP
protocol revision (draft-ietf-nntpext-imp-04.txt). It returns a one-line
response code of 111 followed by the GMT date and time on the
server in the form YYYYMMDDhhmmss.
Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews. Overview support added by Rob Robertston <rob@violet.berkeley.edu> and Rich in January, 1993. Exponential backoff (for posting) added by Dave Hayes in February 1998.
$Id: nnrpd.pod 7894 2008-06-22 17:51:05Z iulius $
ctlinnd(8), innd(8), inn.conf(5), signal(2), uwildmat(3).