idk/reseed-tools
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases Wiki Activity

HTTPS-enabled onion reseeds

Browse Source
This commit is contained in:
idk
2019-06-27 19:49:05 -04:00
parent 6a606bda4d
commit 57065323c4
6 changed files with 144 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@@ -32,6 +32,12 @@ i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --tlsHost=yo
i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion
```
### Without a webserver, standalone, automatic OnionV3 with TLS support
```
i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld --onion
```
If this is your first time running a reseed server (ie. you don't have any existing keys),
you can simply run the command and follow the prompts to create the appropriate keys, crl and certificates.
Afterwards an HTTPS reseed server will start on the default port and generate 6 files in your current directory

39
cmd/reseed.go
View File

@@ -124,6 +124,10 @@ func reseedAction(c *cli.Context) {
var tlsCert, tlsKey string
tlsHost := c.String("tlsHost")
if c.Bool("onion") {
tlsHost = "onion"
}
if tlsHost != "" {
tlsKey = c.String("tlsKey")
// if no key is specified, default to the host.pem in the current dir
@@ -208,6 +212,23 @@ func reseedAction(c *cli.Context) {
if err != nil {
log.Fatalln(err.Error())
} else {
if tlsCert != "" && tlsKey != "" {
log.Fatalln(
server.ListenAndServeOnionTLS(
nil,
&tor.ListenConf{
LocalPort: port,
Key: ed25519.PrivateKey(ok),
RemotePorts: []int{443},
Version3: true,
NonAnonymous: c.Bool("singleOnion"),
DiscardKey: false,
},
tlsCert, tlsKey,
c.String("onionKey"),
),
)
}else{
log.Fatalln(
server.ListenAndServeOnion(
nil,
@@ -223,7 +244,24 @@ func reseedAction(c *cli.Context) {
),
)
}
}
} else if os.IsNotExist(err) {
if tlsCert != "" && tlsKey != "" {
log.Fatalln(
server.ListenAndServeOnionTLS(
nil,
&tor.ListenConf{
LocalPort: port,
RemotePorts: []int{443},
Version3: true,
NonAnonymous: c.Bool("singleOnion"),
DiscardKey: false,
},
tlsCert, tlsKey,
c.String("onionKey"),
),
)
}else{
log.Fatalln(
server.ListenAndServeOnion(
nil,
@@ -237,6 +275,7 @@ func reseedAction(c *cli.Context) {
c.String("onionKey"),
),
)
}
} else {
}

3
history.txt
View File

@@ -1,3 +1,6 @@
2019-06-27
* automatically configuring Tor Onionv3 Server
2019-04-21
* app.Version = "0.1.7"
* enabling TLS 1.3 *only*

72
reseed/server.go
View File

@@ -15,10 +15,10 @@ import (
"github.com/cretz/bine/tor"
"github.com/cretz/bine/torutil/ed25519"
"github.com/throttled/throttled"
"github.com/throttled/throttled/store"
"github.com/gorilla/handlers"
"github.com/justinas/alice"
"github.com/throttled/throttled"
"github.com/throttled/throttled/store"
)
const (
@@ -34,18 +34,18 @@ type Server struct {
func NewServer(prefix string, trustProxy bool) *Server {
config := &tls.Config{
// MinVersion: tls.VersionTLS10,
// PreferServerCipherSuites: true,
// CipherSuites: []uint16{
// tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
// tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
// tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
// tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
// tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
// tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
// tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
// tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
// },
// MinVersion: tls.VersionTLS10,
// PreferServerCipherSuites: true,
// CipherSuites: []uint16{
// tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
// tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
// tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
// tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
// tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
// tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
// tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
// tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
// },
MinVersion: tls.VersionTLS13,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
@@ -122,8 +122,50 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error {
return srv.Serve(tlsListener)
}
func (srv *Server) ListenAndServeOnionTLS(startConf *tor.StartConf, listenConf *tor.ListenConf, certFile, keyFile, onionKey string) error {
log.Println("Starting and registering OnionV3 HTTPS service, please wait a couple of minutes...")
tor, err := tor.Start(nil, startConf)
if err != nil {
return err
}
defer tor.Close()
listenCtx, listenCancel := context.WithTimeout(context.Background(), 3*time.Minute)
defer listenCancel()
if srv.TLSConfig == nil {
srv.TLSConfig = &tls.Config{}
}
if srv.TLSConfig.NextProtos == nil {
srv.TLSConfig.NextProtos = []string{"http/1.1"}
}
srv.OnionListener, err = tor.Listen(listenCtx, listenConf)
if err != nil {
return err
}
srv.Addr = srv.OnionListener.ID
// var err error
srv.TLSConfig.Certificates = make([]tls.Certificate, 1)
srv.TLSConfig.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return err
}
err = ioutil.WriteFile(onionKey, []byte(srv.OnionListener.Key.(ed25519.KeyPair).PrivateKey()), 0644)
if err != nil {
return err
}
log.Printf("Onionv3 server started on https://%v.onion\n", srv.OnionListener.ID)
tlsListener := tls.NewListener(srv.OnionListener, srv.TLSConfig)
return srv.Serve(tlsListener)
}
func (srv *Server) ListenAndServeOnion(startConf *tor.StartConf, listenConf *tor.ListenConf, onionKey string) error {
log.Println("Starting and registering onion service, please wait a couple of minutes...")
log.Println("Starting and registering OnionV3 service, please wait a couple of minutes...")
tor, err := tor.Start(nil, startConf)
if err != nil {
return err