feat: generate hidden services on demand
This commit is contained in:
parent
de9629ad95
commit
0caf3fe3e5
5 changed files with 25 additions and 64 deletions
|
@ -7,10 +7,10 @@ ENV SUTTY="sutty.nl"
|
||||||
ENV HTTP_BASIC_USER=""
|
ENV HTTP_BASIC_USER=""
|
||||||
ENV HTTP_BASIC_PASSWORD=""
|
ENV HTTP_BASIC_PASSWORD=""
|
||||||
|
|
||||||
RUN apk add --no-cache tor curl jq
|
RUN apk add --no-cache tor sutty_tor_hidden_service daemonize
|
||||||
COPY ./monit.conf /etc/monit.d/tor.conf
|
COPY ./monit.conf /etc/monit.d/tor.conf
|
||||||
COPY ./torrc /etc/tor/torrc
|
COPY ./torrc /etc/tor/torrc
|
||||||
COPY ./hidden_services.sh /usr/local/bin/hidden_services
|
COPY ./hidden_servicesd.sh /usr/local/bin/hidden_servicesd
|
||||||
RUN chmod 644 /etc/tor/torrc
|
RUN chmod 644 /etc/tor/torrc
|
||||||
|
|
||||||
VOLUME /var/lib/tor
|
VOLUME /var/lib/tor
|
||||||
|
|
|
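Review bot: `RUN apk add --no-cache tor sutty_tor_hidden_service daemonize` installs `sutty_tor_hidden_service`, which does not look like an upstream Alpine package name, so it presumably comes from a repository configured elsewhere in the Dockerfile; neither that repository, its signing key, nor a version pin is visible in this hunk. Because this package is what the new `hidden_servicesd` daemon executes (see the `COPY` on the next changed line), a replaced or downgraded build of it would run with access to every hidden service's keys. If the base image does not already pin it, I would pin the version (`sutty_tor_hidden_service=<version>`) and add a comment above the `RUN` naming the repository and key it is trusted from.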
@ -1,53 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
#
|
|
||||||
# Get every website with hidden service (HS) enabled from Sutty's API
|
|
||||||
# and generate a Tor configuration file for it. We do it this way
|
|
||||||
# because the original plan was to use Tor Control Protocol, but it only
|
|
||||||
# allows to create ephemeral hidden services if you don't store the
|
|
||||||
# private key separately. HS are lost when Tor is restarted. We don't
|
|
||||||
# want Sutty to have access to HS' private keys nor we want to device
|
|
||||||
# some algorithm to keep HS' alive when Tor restarts.
|
|
||||||
#
|
|
||||||
# So we did this that generates the persistent config file, reload Tor
|
|
||||||
# to make it generate the HS and inform Sutty of the public key / onion
|
|
||||||
# address. This way private keys are only stored in Tor.
|
|
||||||
|
|
||||||
set -e
|
|
||||||
|
|
||||||
if test "$1" = "bootstrap" ; then
|
|
||||||
install -dm 2755 -o tor -g root /var/lib/tor/hidden_services
|
|
||||||
install -dm 2755 -o root -g root /var/lib/tor/hidden_services/conf.d
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# API client
|
|
||||||
api_client () {
|
|
||||||
local _path="$1"; shift
|
|
||||||
|
|
||||||
curl --basic --user "${HTTP_BASIC_USER}:${HTTP_BASIC_PASSWORD}" \
|
|
||||||
$@ "https://api.${SUTTY}${_path}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Get all sites with HS enabled
|
|
||||||
api_client "/v1/sites/hidden_services.json" | jq --raw-output .[] | while read name; do
|
|
||||||
conf_file="/var/lib/tor/hidden_services/conf.d/${name}.conf"
|
|
||||||
hs_dir="/var/lib/tor/hidden_services/${name}"
|
|
||||||
|
|
||||||
# The config file
|
|
||||||
echo "HiddenServiceDir ${hs_dir}" > "${conf_file}"
|
|
||||||
echo "HiddenServicePort 80 nginx:80" >> "${conf_file}"
|
|
||||||
echo "HiddenServiceEnableIntroDoSDefense 1" >> "${conf_file}"
|
|
||||||
|
|
||||||
chmod 644 "${conf_file}"
|
|
||||||
|
|
||||||
# Reload Tor
|
|
||||||
cat /var/lib/tor/tor.pid | xargs -r kill -SIGHUP
|
|
||||||
|
|
||||||
# Wait for the hidden service to be created
|
|
||||||
while ! test -f "${hs_dir}/hostname"; do sleep 1 ; done
|
|
||||||
|
|
||||||
# Inform the hidden service to Sutty
|
|
||||||
api_client "/v1/sites/add_onion.json" \
|
|
||||||
--data "name=${name}" \
|
|
||||||
--data-urlencode "onion@${hs_dir}/hostname"
|
|
||||||
done
|
|
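--- /dev/null
+++ b/hidden_servicesd.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+dir=/var/empty
+pid=/run/hidden_services.pid
+usr=${USER:-tor}
+adr=${SERVICE:-nginx}
+prt=${PORT:-80}
+
+case $1 in
+start)
+daemonize -c ${dir} -p ${pid} -l ${pid} -u ${usr} /usr/local/bin/syslogize /usr/bin/sutty_tor_hidden_service -S ${adr} -P ${prt}
+;;
+stop)
+test -f ${pid} || exit 0
+
+cat ${pid} | xargs -r kill
+;;
+esac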
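Review bot: `usr=${USER:-tor}` reads the conventional login-name variable, so if the base image or a `docker exec` shell exports `USER=root`, `daemonize -u ${usr}` on the `start)` line launches `sutty_tor_hidden_service` as root and the intended privilege drop to `tor` is silently undone; `SERVICE` and `PORT` are similarly generic names that other tooling commonly sets. Unless something outside this diff already relies on these names, I would namespace them, `usr=${HS_USER:-tor}`, `adr=${HS_SERVICE:-nginx}`, `prt=${HS_PORT:-80}`, and quote the expansions in the `daemonize` command line. The `case` also has no default arm, so a missing or misspelled argument exits 0 even under `set -e`, which monit would read as a successful start; add `*) echo "usage: $0 start|stop" >&2; exit 1 ;;` before `esac`. `/usr/local/bin/syslogize` is not added by this commit, so it presumably already exists in the image.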
12
monit.conf
12
monit.conf
|
@ -1,13 +1,7 @@
|
||||||
check program hidden_services_bootstrap
|
|
||||||
with path "/usr/local/bin/hidden_services bootstrap"
|
|
||||||
every 1 cycle
|
|
||||||
if status = 0 then unmonitor
|
|
||||||
|
|
||||||
check process tor with pidfile /var/lib/tor/tor.pid
|
check process tor with pidfile /var/lib/tor/tor.pid
|
||||||
start program = "/usr/bin/tor"
|
start program = "/usr/bin/tor"
|
||||||
stop program = "/bin/sh -c 'cat /var/lib/tor/tor.pid | xargs -r kill'"
|
stop program = "/bin/sh -c 'cat /var/lib/tor/tor.pid | xargs -r kill'"
|
||||||
|
|
||||||
check program hidden_services
|
check process hidden_services with pidfile /run/hidden_services.pid
|
||||||
with path "/usr/local/bin/hidden_services"
|
start program = "/usr/local/bin/hidden_servicesd start"
|
||||||
every 1 cycle
|
stop program = "/usr/local/bin/hidden_servicesd stop"
|
||||||
if status != 0 then alert
|
|
||||||
|
|
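--- a/torrc
+++ b/torrc
@@ -5,4 +5,5 @@ PidFile /var/lib/tor/tor.pid
 NoExec 1
 Log notice syslog
 DataDirectory /var/lib/tor
+ControlPort 127.0.0.1:9051
 %include /var/lib/tor/hidden_services/conf.d/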
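Review bot: The added `ControlPort 127.0.0.1:9051` is not paired with any authentication directive in this hunk, and a Tor control port configured with neither `CookieAuthentication 1` nor `HashedControlPassword` accepts unauthenticated commands from any process that can reach the loopback socket, including reconfiguring or enumerating the hidden services. Unless the directive already exists in the part of torrc outside this hunk, add `CookieAuthentication 1` directly below the new line; the cookie lands in `DataDirectory` (`/var/lib/tor`), which the `tor` user that `hidden_servicesd` drops to should be able to read. The deleted hidden_services.sh explicitly avoided the control protocol so that hidden-service private keys stayed in Tor's data directory and out of Sutty's API; if `sutty_tor_hidden_service` now drives Tor over this port, a one-line comment above `ControlPort` stating where the keys are persisted would keep that rationale from being lost.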