2017-02-01 08:19:33 +00:00
|
|
|
# The Enterprise Onion Toolkit
|
2017-02-01 08:38:03 +00:00
|
|
|
## eotk (c) 2017 Alec Muffett
|
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
# Status - ALPHA
|
2017-02-01 11:56:52 +00:00
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
The EOTK goal is to provide a tool for prototyping, and deploying at
|
|
|
|
scale, HTTP and HTTPS onion sites to provide official presence for
|
|
|
|
popular websites.
|
2017-02-01 11:39:26 +00:00
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
The results are essentially a "man in the middle" proxy; set them up
|
|
|
|
only for your own sites or for sites which do not require login
|
|
|
|
credentials of any kind.
|
2017-02-01 13:02:24 +00:00
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
The resulting NGINX configs are probably both buggy and not terribly
|
|
|
|
well tuned; please consider this project to be very much "early days",
|
|
|
|
but I shall try not to modify the configuration file format.
|
2017-02-01 11:59:52 +00:00
|
|
|
|
2017-02-01 12:01:29 +00:00
|
|
|
The `softmap` support is untested, and needs some more work to make it
|
|
|
|
nice to launch and integrate with OnionBalance; please avoid it for
|
|
|
|
the moment.
|
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
## Usage Notes
|
2017-02-01 11:39:26 +00:00
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
When connecting to the resulting onions over HTTP/SSL, you will be
|
|
|
|
using wildcard self-signed SSL certificates - you *will* encounter
|
|
|
|
many "broken links" which are due to the SSL certificate not being
|
|
|
|
valid. This is *expected* and *proper* behaviour.
|
2017-02-01 11:39:26 +00:00
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
To help cope with this, for any domain (eg:
|
|
|
|
www.foofoofoofoofoof.onion) the EOTK provides a fixed url:
|
2017-02-01 11:39:26 +00:00
|
|
|
|
|
|
|
* `https://www.foofoofoofoofoof.onion/hello-onion/`
|
|
|
|
|
2017-02-04 10:49:47 +00:00
|
|
|
...which (`/hello-onion/`) is internally served by the NGINX proxy and
|
|
|
|
provides a stable, fixed URL for SSL certificate acceptance; inside
|
|
|
|
TorBrowser another effective solution is to open all the broken links,
|
|
|
|
images and resources "in a new Tab" and accept the certificate there.
|
2017-02-01 11:39:26 +00:00
|
|
|
|
|
|
|
In production, of course, one would expect to use an SSL EV
|
2017-02-04 10:49:03 +00:00
|
|
|
certificate to provide identity and assurance to an onion site,
|
|
|
|
rendering these issues moot.
|
2017-02-01 11:39:26 +00:00
|
|
|
|
|
|
|
# Requirements
|
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
* `tor` 2.9.8 or later
|
|
|
|
* ideally, the latest stable version
|
2017-02-01 11:39:26 +00:00
|
|
|
* `nginx`
|
|
|
|
* with `ngx_http_sub_module`
|
2017-02-02 23:17:10 +00:00
|
|
|
* https://nginx.org/en/docs/http/ngx_http_sub_module.html
|
2017-02-01 11:39:26 +00:00
|
|
|
* with `headers_more`
|
|
|
|
* https://www.nginx.com/resources/wiki/modules/headers_more/
|
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
# commands
|
|
|
|
|
|
|
|
* `eotk config [filename]` # default `onions.conf`
|
|
|
|
* synonyms: `conf`, `configure`
|
|
|
|
* `eotk start projectname ...` # or: `-a` for all
|
|
|
|
* `eotk stop projectname ...` # or: `-a` for all
|
|
|
|
* `eotk bounce projectname ...` # or: `-a` for all
|
|
|
|
* synonyms: `restart`, `reload`
|
|
|
|
* `eotk debugon projectname ...` # or: `-a` for all
|
|
|
|
* `eotk debugoff projectname ...` # or: `-a` for all
|
|
|
|
* `eotk harvest projectname ...` # or: `-a` for all
|
|
|
|
* synonyms: `onions`
|
|
|
|
* `eotk status projectname ...` # or: `-a` for all
|
|
|
|
|
2017-02-01 11:39:26 +00:00
|
|
|
# Installation: OSX
|
|
|
|
|
|
|
|
Currently works on OSX with Homebrew:
|
|
|
|
|
|
|
|
* install homebrew - http://brew.sh/
|
|
|
|
* `git clone https://github.com/alecmuffett/eotk.git`
|
|
|
|
* `cd eotk`
|
|
|
|
* `sh ./000-setup-osx.sh` # installs required software; if you're worried, check it first
|
|
|
|
* `sh ./001-configure-demo.sh` # creates a working config file
|
2017-02-04 10:06:42 +00:00
|
|
|
* `./eotk config` # creates tor & onion configuration files; lists onion sites
|
2017-02-04 10:49:03 +00:00
|
|
|
* (review your config file - `onion-tk.conf` for interest)
|
2017-02-04 10:06:42 +00:00
|
|
|
* `./eotk start default`
|
2017-02-04 10:49:03 +00:00
|
|
|
* (connect to one of the onion sites cited in the `default` project)
|
|
|
|
* (play SSL-Certificate-Whackamole)
|
|
|
|
* (browse a little)
|
2017-02-04 10:06:42 +00:00
|
|
|
* `./eotk stop default`
|
2017-02-01 11:39:26 +00:00
|
|
|
|
|
|
|
# Installation: Debian/Raspbian/Ubuntu
|
|
|
|
|
|
|
|
Work in progress. Feedback welcome.
|
2017-02-01 13:02:24 +00:00
|
|
|
|
2017-02-04 10:49:03 +00:00
|
|
|
|
2017-02-01 13:02:24 +00:00
|
|
|
# I want to create a new project / my own configuration!
|
|
|
|
|
|
|
|
You can either add a new project to the demo config file, or you can
|
|
|
|
create a new config for yourself.
|
|
|
|
|
|
|
|
The simplest configuration file probably looks like this:
|
|
|
|
|
|
|
|
```
|
|
|
|
set project myproject
|
|
|
|
hardmap secrets.d/xxxxxxxxxxxxxxxx.key foo.com
|
|
|
|
```
|
|
|
|
|
2017-02-04 10:06:42 +00:00
|
|
|
...and if you create a file called `project.conf` containing those
|
2017-02-01 13:09:53 +00:00
|
|
|
lines, then you should be able to do:
|
2017-02-01 13:02:24 +00:00
|
|
|
|
|
|
|
```
|
2017-02-04 10:06:42 +00:00
|
|
|
./eotk configure project.conf
|
|
|
|
./eotk start myproject
|
2017-02-01 13:02:24 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
## But how do I create my own "secrets.d/xxxxxxxxxxxxxxxx.key"?
|
|
|
|
|
|
|
|
```
|
|
|
|
cd secrets.d
|
|
|
|
./generate-onion-key.sh
|
|
|
|
```
|
|
|
|
|
|
|
|
Do this as many times as you wish/need.
|