commit: first cut.
rodzic
9b4b716857
commit
ecab36a964
|
@ -9,7 +9,6 @@
|
|||
|
||||
__*
|
||||
*~
|
||||
?
|
||||
.DS_Store
|
||||
|
||||
!demo.d/*.tconf
|
||||
|
|
|
@ -2,9 +2,9 @@
|
|||
# eotk (c) 2017 Alec Muffett
|
||||
|
||||
set project digital-rights
|
||||
hardmap %NEW_ONION% openrightsgroup.org
|
||||
hardmap %NEW_ONION% eff.org
|
||||
hardmap %NEW_ONION% accessnow.org
|
||||
hardmap %NEW_ONION% digitalrights.ie
|
||||
hardmap %NEW_V3_ONION% openrightsgroup.org
|
||||
hardmap %NEW_V3_ONION% eff.org
|
||||
hardmap %NEW_V3_ONION% accessnow.org
|
||||
hardmap %NEW_V3_ONION% digitalrights.ie
|
||||
|
||||
# aside: privacy international already have privacyintyqcroe.onion
|
||||
|
|
|
@ -220,12 +220,12 @@ foreignmap facebookcorewwwi.onion facebook.com
|
|||
# hardmaps use tor daemon configs with onions hard-coded in them
|
||||
|
||||
set project hardexample
|
||||
hardmap %NEW_ONION% foo.local
|
||||
hardmap %NEW_ONION% bar.local
|
||||
hardmap %NEW_V3_ONION% foo.local
|
||||
hardmap %NEW_V3_ONION% bar.local
|
||||
|
||||
# softmaps use onionbalance software to loadbalance across workers
|
||||
|
||||
set project softexample
|
||||
softmap %NEW_ONION% example.com
|
||||
softmap %NEW_ONION% example.org
|
||||
softmap %NEW_ONION% example.net
|
||||
softmap %NEW_V3_ONION% example.com
|
||||
softmap %NEW_V3_ONION% example.org
|
||||
softmap %NEW_V3_ONION% example.net
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
# eotk (c) 2017 Alec Muffett
|
||||
|
||||
set project human-rights
|
||||
hardmap %NEW_ONION% aclu.org
|
||||
hardmap %NEW_ONION% liberty-human-rights.org.uk
|
||||
hardmap %NEW_V3_ONION% aclu.org
|
||||
hardmap %NEW_V3_ONION% liberty-human-rights.org.uk
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
# eotk (c) 2017 Alec Muffett
|
||||
|
||||
set project journalist-safety
|
||||
hardmap %NEW_ONION% cpj.org
|
||||
hardmap %NEW_ONION% mediadefence.org
|
||||
hardmap %NEW_V3_ONION% cpj.org
|
||||
hardmap %NEW_V3_ONION% mediadefence.org
|
||||
|
|
|
@ -1,80 +0,0 @@
|
|||
# -*- conf -*-
|
||||
# eotk (c) 2017 Alec Muffett
|
||||
|
||||
# CSVs of canonical domains (eg: email) to preserve (todo: more here?)
|
||||
# nb: you must explicitly list all domains that are of preservation;
|
||||
# "foo.com" & "www.foo.com" are treated as separate, for this purpose
|
||||
set preserve_csv \
|
||||
tld-wp,wikipedia\\.org,i,wikipedia.org \
|
||||
tld-wm,wikimedia\\.org,i,wikimedia.org
|
||||
|
||||
# FIX THIS TO USE A LOCAL RESOLVER, BECAUSE PERFORMANCE
|
||||
set nginx_resolver \
|
||||
8.8.8.8 \
|
||||
8.8.4.4 \
|
||||
ipv6=off
|
||||
|
||||
# cache persistence & size; sized for RaspberryPi (256m)
|
||||
set nginx_cache_seconds 60
|
||||
set nginx_cache_size 256m
|
||||
set nginx_tmpfile_size 64m
|
||||
|
||||
# proof-of-concept: let's make this read-only:
|
||||
set suppress_methods_except_get 1
|
||||
|
||||
# proof-of-concept: block access to some hosts
|
||||
set block_host_re \
|
||||
^(login|donate)\\.
|
||||
|
||||
# proof-of-concept: block access to some paths
|
||||
set block_path_re \
|
||||
/User: \
|
||||
/Special:(UserLogin|(Create|Merge)Account|RenameRequest)\\b
|
||||
|
||||
# proof-of-concept: block requests where parameters have certain values
|
||||
set block_param_re \
|
||||
title,^User: \
|
||||
title,^Special:(UserLogin|(Create|Merge)Account|RenameRequest)\\b
|
||||
|
||||
# proof-of-concept: blacklist requests to some paths
|
||||
set path_blacklist_re \
|
||||
^\\. \
|
||||
^\\w+\\.php$ \
|
||||
\\.(sql|gz|tgz|zip|bz2)$ \
|
||||
^server-status$
|
||||
|
||||
# proof-of-concept: whitelist reasonable user-agents (anything else => ded)
|
||||
set user_agent_whitelist_re \
|
||||
^Mozilla.*Gecko
|
||||
|
||||
# suggestion: you might want to investigate "no_cache_content_type" or
|
||||
# "no_cache_host" if you want limitations on caching...
|
||||
|
||||
# demo: CSV list to implement ownership proof URIs for EV SSL issuance
|
||||
# set hardcoded_endpoint_csv \
|
||||
# ^/proof/foo/?$,"FOOPROOF" \
|
||||
# ^/proof/bar/?$,"BARPROOF"
|
||||
|
||||
# demo: magic cookie-issuing URL to restrict access until ready to launch
|
||||
# set cookie_lock /open-sesame
|
||||
|
||||
# index of other onion sites ("what happens in onion, should stay in onion")
|
||||
foreignmap facebookcorewwwi facebook.com
|
||||
foreignmap nytimes3xbfgragh nytimes.com
|
||||
|
||||
# the Wikimedia Foundation have lots of sites
|
||||
set project wikipedia
|
||||
hardmap %NEW_V3_ONION% mediawiki.org
|
||||
hardmap %NEW_V3_ONION% wikidata.org
|
||||
hardmap %NEW_V3_ONION% wikimedia.org
|
||||
hardmap %NEW_V3_ONION% wikimediafoundation.org
|
||||
# the following have an `m` subdomain
|
||||
hardmap %NEW_V3_ONION% wikibooks.org m
|
||||
hardmap %NEW_V3_ONION% wikinews.org m
|
||||
hardmap %NEW_V3_ONION% wikipedia.org m
|
||||
hardmap %NEW_V3_ONION% wikiquote.org m
|
||||
hardmap %NEW_V3_ONION% wikisource.org m
|
||||
hardmap %NEW_V3_ONION% wikiversity.org m
|
||||
hardmap %NEW_V3_ONION% wikivoyage.org m
|
||||
hardmap %NEW_V3_ONION% wiktionary.org m
|
||||
# nb: by subdomain we mean FOO in en.FOO.wikipedia.org, etc.
|
|
@ -64,17 +64,17 @@ foreignmap nytimes3xbfgragh nytimes.com
|
|||
|
||||
# the Wikimedia Foundation have lots of sites
|
||||
set project wikipedia
|
||||
hardmap %NEW_ONION% mediawiki.org
|
||||
hardmap %NEW_ONION% wikidata.org
|
||||
hardmap %NEW_ONION% wikimedia.org
|
||||
hardmap %NEW_ONION% wikimediafoundation.org
|
||||
hardmap %NEW_V3_ONION% mediawiki.org
|
||||
hardmap %NEW_V3_ONION% wikidata.org
|
||||
hardmap %NEW_V3_ONION% wikimedia.org
|
||||
hardmap %NEW_V3_ONION% wikimediafoundation.org
|
||||
# the following have an `m` subdomain
|
||||
hardmap %NEW_ONION% wikibooks.org m
|
||||
hardmap %NEW_ONION% wikinews.org m
|
||||
hardmap %NEW_ONION% wikipedia.org m
|
||||
hardmap %NEW_ONION% wikiquote.org m
|
||||
hardmap %NEW_ONION% wikisource.org m
|
||||
hardmap %NEW_ONION% wikiversity.org m
|
||||
hardmap %NEW_ONION% wikivoyage.org m
|
||||
hardmap %NEW_ONION% wiktionary.org m
|
||||
hardmap %NEW_V3_ONION% wikibooks.org m
|
||||
hardmap %NEW_V3_ONION% wikinews.org m
|
||||
hardmap %NEW_V3_ONION% wikipedia.org m
|
||||
hardmap %NEW_V3_ONION% wikiquote.org m
|
||||
hardmap %NEW_V3_ONION% wikisource.org m
|
||||
hardmap %NEW_V3_ONION% wikiversity.org m
|
||||
hardmap %NEW_V3_ONION% wikivoyage.org m
|
||||
hardmap %NEW_V3_ONION% wiktionary.org m
|
||||
# nb: by subdomain we mean FOO in en.FOO.wikipedia.org, etc.
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
exec perl -wx $0 "$@";
|
||||
#!perl
|
||||
# eotk (c) 2017-2020 Alec Muffett
|
||||
# eotk (c) 2017-2021 Alec Muffett
|
||||
|
||||
use Data::Dumper;
|
||||
|
||||
|
@ -532,7 +532,7 @@ sub DoProject {
|
|||
&SetEnv("nginx_timeout", 15);
|
||||
&SetEnv("nginx_tmpfile_size", "256m");
|
||||
&SetEnv("nginx_workers", "auto");
|
||||
&SetEnv("onion_version", "2");
|
||||
&SetEnv("onion_version", "3");
|
||||
&SetEnv("preserve_before", "~".&Nonce(128)."~");
|
||||
&SetEnv("preserve_after", "~");
|
||||
&SetEnv("preserve_preamble_re", "[>@\\\\s]");
|
||||
|
|
|
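Review bot: `&SetEnv("onion_version", "3")` appears to replace the default of "2" in DoProject, but nothing in this hunk rejects a project that still configures the old value; the mkonion change in the same commit only fails at key-generation time, so a stale `set onion_version 2` in a tconf would surface late and far from the config line that caused it. If the value remains settable through the config parser, it is worth validating where DoProject consumes it (that accessor is not visible in the hunk), e.g. `die "onion_version: only 3 is supported\n" unless <value> eq "3";` with `<value>` standing for however the setting is read back. DoProject starts and ends outside the hunk.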
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
exec perl -wx $0 "$@";
|
||||
#!perl
|
||||
# eotk (c) 2017-2020 Alec Muffett
|
||||
# eotk (c) 2017-2021 Alec Muffett
|
||||
|
||||
if (-t STDIN) { # stderr is already redirected...
|
||||
if (open(DOTS, ">/dev/tty")) {
|
||||
|
@ -18,14 +18,13 @@ sub GenOnion {
|
|||
sub Lookup {
|
||||
my $var = shift;
|
||||
|
||||
foreach $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION)) {
|
||||
foreach $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION NEW_ONION)) {
|
||||
die "Lookup: $deprecated is no longer supported syntax\n"
|
||||
if $var =~ /$deprecated/;
|
||||
if $var eq $deprecated;
|
||||
}
|
||||
|
||||
if ($var =~ /^NEW_(V3_)?ONION$/) {
|
||||
my $version = $1 ? 3 : 2;
|
||||
return &GenOnion($version);
|
||||
if ($var eq "NEW_V3_ONION") {
|
||||
return &GenOnion(3); # old syntax now deprecated
|
||||
}
|
||||
|
||||
if (defined($ENV{$var})) {
|
||||
|
|
|
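Review bot: The comment `# old syntax now deprecated` on the new `return &GenOnion(3);` line reads as if NEW_V3_ONION itself were deprecated, whereas it is now the only spelling that still generates an onion; the deprecated names are the ones that `die` in the loop above. Suggest `return &GenOnion(3); # the only supported spelling; NEW_ONION and friends die above`. The loop variable in `foreach $deprecated (qw(...))` is not declared with `my`, so it is a package global; `foreach my $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION NEW_ONION)) {` keeps it lexical (whether the file is under `use strict` is not visible here). The switch from `=~ /$deprecated/` to `eq` is the right direction, since the unanchored match would also have rejected any name that merely contained one of the tokens. Lookup continues past the end of the hunk.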
@ -17,11 +17,10 @@ HiddenServiceDir $dir
|
|||
HiddenServicePort 1 127.0.0.1:1
|
||||
EOF
|
||||
|
||||
if [ x$ONION_VERSION = x3 ] ; then
|
||||
echo HiddenServiceVersion 3 >> $dir/config
|
||||
else
|
||||
echo HiddenServiceVersion 2 >> $dir/config
|
||||
fi
|
||||
case "$ONION_VERSION" in
|
||||
3) echo HiddenServiceVersion 3 >> $dir/config ;;
|
||||
*) echo error: the only supported value for ONION_VERSION is 3 ; exit 1 ;;
|
||||
esac
|
||||
|
||||
tor -f $dir/config >$log 2>&1
|
||||
|
||||
|
@ -40,15 +39,10 @@ kill -TERM `cat $dir/tor.pid` # shut it down
|
|||
onion=`cat $dir/hostname`
|
||||
onion=`basename $onion .onion`
|
||||
|
||||
if [ x$ONION_VERSION = x3 ] ; then
|
||||
pfile=$onion.v3pub.key
|
||||
sfile=$onion.v3sec.key
|
||||
mv $dir/hs_ed25519_public_key $pfile || exit 1
|
||||
mv $dir/hs_ed25519_secret_key $sfile || exit 1
|
||||
else
|
||||
file=$onion.key
|
||||
mv $dir/private_key $file || exit 1
|
||||
fi
|
||||
pfile=$onion.v3pub.key
|
||||
sfile=$onion.v3sec.key
|
||||
mv $dir/hs_ed25519_public_key $pfile || exit 1
|
||||
mv $dir/hs_ed25519_secret_key $sfile || exit 1
|
||||
rm -r $dir $log || exit 1
|
||||
|
||||
echo $onion
|
||||
|
|
|
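Review bot: The rejection branch of the new `case "$ONION_VERSION"` prints its message to stdout (`echo error: ... ; exit 1`), but stdout is this script's result channel — the final `echo $onion` is what the caller reads — so a caller that captures output without checking the exit status would receive the error text in place of an onion name. Send it to stderr and quote it: `*) echo "error: the only supported value for ONION_VERSION is 3" >&2 ; exit 1 ;;`. The check also runs after the torrc heredoc (ending at `EOF` just above) has been written into `$dir`, so on failure the directory is left behind; moving the `case` ahead of the config generation would avoid that, though where `$dir` is created lies outside the hunk.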
@ -15,7 +15,7 @@
|
|||
# X-DNS-Prefetch-Control - response security risk?
|
||||
# Via - request/response?
|
||||
|
||||
# eotk (c) 2019-2020 Alec Muffett
|
||||
# eotk (c) 2019-2021 Alec Muffett
|
||||
|
||||
# SECURITY NOTE: the contents of this file, when actualised, should
|
||||
# not be made world-readable nor published without redaction;
|
||||
|
@ -331,7 +331,7 @@ http {
|
|||
|
||||
o2d_search_and_replace = function (i)
|
||||
-- because onion addresses are matchable, this can be done in one pass...
|
||||
local o, num, errs = ngx.re.gsub(i, "(%LEFT_TLD_RE%)([a-z2-7]{16}(?:[a-z2-7]{40})?\\.onion)\\b", o2d_re_helper, "io")
|
||||
local o, num, errs = ngx.re.gsub(i, "(%LEFT_TLD_RE%)([a-z2-7]{56}\\.onion)\\b", o2d_re_helper, "io")
|
||||
if errs == nil and num == 0 then
|
||||
return i -- nothing was changed, so return the original
|
||||
end
|
||||
|
|
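Review bot: The rewritten `ngx.re.gsub` call still leaves its error case unhandled: when `errs` is non-nil, `o` is nil, and the guard `if errs == nil and num == 0` on the next line only covers the no-match case, so whatever follows (outside this hunk, presumably a `return o`) would hand a nil body back to the caller. Consider inserting, before the existing check, `if errs ~= nil then ngx.log(ngx.ERR, "o2d_search_and_replace: ", errs) return i end` so a regex failure degrades to passing the input through unchanged and is visible in the error log. The tightened pattern `[a-z2-7]{56}\\.onion` drops v2 matching as the commit intends; `%LEFT_TLD_RE%` is a template substitution whose expansion is not visible here. o2d_search_and_replace ends outside the hunk.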