diff --git a/.gitignore b/.gitignore index 544098c..d2c93bb 100644 --- a/.gitignore +++ b/.gitignore @@ -9,7 +9,6 @@ __* *~ -? .DS_Store !demo.d/*.tconf diff --git a/demo.d/digital-rights.tconf b/demo.d/digital-rights.tconf index 22ef23d..3adb818 100644 --- a/demo.d/digital-rights.tconf +++ b/demo.d/digital-rights.tconf @@ -2,9 +2,9 @@ # eotk (c) 2017 Alec Muffett set project digital-rights -hardmap %NEW_ONION% openrightsgroup.org -hardmap %NEW_ONION% eff.org -hardmap %NEW_ONION% accessnow.org -hardmap %NEW_ONION% digitalrights.ie +hardmap %NEW_V3_ONION% openrightsgroup.org +hardmap %NEW_V3_ONION% eff.org +hardmap %NEW_V3_ONION% accessnow.org +hardmap %NEW_V3_ONION% digitalrights.ie # aside: privacy international already have privacyintyqcroe.onion diff --git a/demo.d/example.tconf b/demo.d/example.tconf index 2fe0633..6b58eb9 100644 --- a/demo.d/example.tconf +++ b/demo.d/example.tconf @@ -220,12 +220,12 @@ foreignmap facebookcorewwwi.onion facebook.com # hardmaps use tor daemon configs with onions hard-coded in them set project hardexample -hardmap %NEW_ONION% foo.local -hardmap %NEW_ONION% bar.local +hardmap %NEW_V3_ONION% foo.local +hardmap %NEW_V3_ONION% bar.local # softmaps use onionbalance software to loadbalance across workers set project softexample -softmap %NEW_ONION% example.com -softmap %NEW_ONION% example.org -softmap %NEW_ONION% example.net +softmap %NEW_V3_ONION% example.com +softmap %NEW_V3_ONION% example.org +softmap %NEW_V3_ONION% example.net diff --git a/demo.d/human-rights.tconf b/demo.d/human-rights.tconf index 2a79d58..f960e81 100644 --- a/demo.d/human-rights.tconf +++ b/demo.d/human-rights.tconf @@ -2,5 +2,5 @@ # eotk (c) 2017 Alec Muffett set project human-rights -hardmap %NEW_ONION% aclu.org -hardmap %NEW_ONION% liberty-human-rights.org.uk +hardmap %NEW_V3_ONION% aclu.org +hardmap %NEW_V3_ONION% liberty-human-rights.org.uk diff --git a/demo.d/journalist-safety.tconf b/demo.d/journalist-safety.tconf index 8300446..9b8803a 100644 
--- a/demo.d/journalist-safety.tconf +++ b/demo.d/journalist-safety.tconf @@ -2,5 +2,5 @@ # eotk (c) 2017 Alec Muffett set project journalist-safety -hardmap %NEW_ONION% cpj.org -hardmap %NEW_ONION% mediadefence.org +hardmap %NEW_V3_ONION% cpj.org +hardmap %NEW_V3_ONION% mediadefence.org diff --git a/demo.d/wikipedia-v3.tconf b/demo.d/wikipedia-v3.tconf deleted file mode 100644 index 1b89bc8..0000000 --- a/demo.d/wikipedia-v3.tconf +++ /dev/null 
@@ -1,80 +0,0 @@ -# -*- conf -*- -# eotk (c) 2017 Alec Muffett - -# CSVs of canonical domains (eg: email) to preserve (todo: more here?) -# nb: you must explicitly list all domains that are of preservation; -# "foo.com" & "www.foo.com" are treated as separate, for this purpose -set preserve_csv \ - tld-wp,wikipedia\\.org,i,wikipedia.org \ - tld-wm,wikimedia\\.org,i,wikimedia.org - -# FIX THIS TO USE A LOCAL RESOLVER, BECAUSE PERFORMANCE -set nginx_resolver \ - 8.8.8.8 \ - 8.8.4.4 \ - ipv6=off - -# cache persistence & size; sized for RaspberryPi (256m) -set nginx_cache_seconds 60 -set nginx_cache_size 256m -set nginx_tmpfile_size 64m - -# proof-of-concept: let's make this read-only: -set suppress_methods_except_get 1 - -# proof-of-concept: block access to some hosts -set block_host_re \ - ^(login|donate)\\. - -# proof-of-concept: block access to some paths -set block_path_re \ - /User: \ - /Special:(UserLogin|(Create|Merge)Account|RenameRequest)\\b - -# proof-of-concept: block requests where parameters have certain values -set block_param_re \ - title,^User: \ - title,^Special:(UserLogin|(Create|Merge)Account|RenameRequest)\\b - -# proof-of-concept: blacklist requests to some paths -set path_blacklist_re \ - ^\\. \ - ^\\w+\\.php$ \ - \\.(sql|gz|tgz|zip|bz2)$ \ - ^server-status$ - -# proof-of-concept: whitelist reasonable user-agents (anything else => ded) -set user_agent_whitelist_re \ - ^Mozilla.*Gecko - -# suggestion: you might want to investigate "no_cache_content_type" or -# "no_cache_host" if you want limitations on caching... 
- -# demo: CSV list to implement ownership proof URIs for EV SSL issuance -# set hardcoded_endpoint_csv \ -# ^/proof/foo/?$,"FOOPROOF" \ -# ^/proof/bar/?$,"BARPROOF" - -# demo: magic cookie-issuing URL to restrict access until ready to launch -# set cookie_lock /open-sesame - -# index of other onion sites ("what happens in onion, should stay in onion") -foreignmap facebookcorewwwi facebook.com -foreignmap nytimes3xbfgragh nytimes.com - -# the Wikimedia Foundation have lots of sites -set project wikipedia -hardmap %NEW_V3_ONION% mediawiki.org -hardmap %NEW_V3_ONION% wikidata.org -hardmap %NEW_V3_ONION% wikimedia.org -hardmap %NEW_V3_ONION% wikimediafoundation.org -# the following have an `m` subdomain -hardmap %NEW_V3_ONION% wikibooks.org m -hardmap %NEW_V3_ONION% wikinews.org m -hardmap %NEW_V3_ONION% wikipedia.org m -hardmap %NEW_V3_ONION% wikiquote.org m -hardmap %NEW_V3_ONION% wikisource.org m -hardmap %NEW_V3_ONION% wikiversity.org m -hardmap %NEW_V3_ONION% wikivoyage.org m -hardmap %NEW_V3_ONION% wiktionary.org m -# nb: by subdomain we mean FOO in en.FOO.wikipedia.org, etc. diff --git a/demo.d/wikipedia.tconf b/demo.d/wikipedia.tconf index 1f15e6c..1b89bc8 100644 --- a/demo.d/wikipedia.tconf +++ b/demo.d/wikipedia.tconf 
@@ -64,17 +64,17 @@ foreignmap nytimes3xbfgragh nytimes.com # the Wikimedia Foundation have lots of sites set project wikipedia -hardmap %NEW_ONION% mediawiki.org -hardmap %NEW_ONION% wikidata.org -hardmap %NEW_ONION% wikimedia.org -hardmap %NEW_ONION% wikimediafoundation.org +hardmap %NEW_V3_ONION% mediawiki.org +hardmap %NEW_V3_ONION% wikidata.org +hardmap %NEW_V3_ONION% wikimedia.org +hardmap %NEW_V3_ONION% wikimediafoundation.org # the following have an `m` subdomain -hardmap %NEW_ONION% wikibooks.org m -hardmap %NEW_ONION% wikinews.org m -hardmap %NEW_ONION% wikipedia.org m -hardmap %NEW_ONION% wikiquote.org m -hardmap %NEW_ONION% wikisource.org m -hardmap %NEW_ONION% wikiversity.org m -hardmap %NEW_ONION% wikivoyage.org m -hardmap %NEW_ONION% wiktionary.org m +hardmap %NEW_V3_ONION% wikibooks.org m +hardmap %NEW_V3_ONION% wikinews.org m +hardmap %NEW_V3_ONION% wikipedia.org m +hardmap %NEW_V3_ONION% wikiquote.org m +hardmap %NEW_V3_ONION% wikisource.org m +hardmap %NEW_V3_ONION% wikiversity.org m +hardmap %NEW_V3_ONION% wikivoyage.org m +hardmap %NEW_V3_ONION% wiktionary.org m # nb: by subdomain we mean FOO in en.FOO.wikipedia.org, etc. diff --git a/lib.d/do-configure.pl b/lib.d/do-configure.pl index 32936ef..6743f34 100755 --- a/lib.d/do-configure.pl +++ b/lib.d/do-configure.pl @@ -1,7 +1,7 @@ #!/bin/sh exec perl -wx $0 "$@"; #!perl -# eotk (c) 2017-2020 Alec Muffett +# eotk (c) 2017-2021 Alec Muffett use Data::Dumper; @@ -532,7 +532,7 @@ sub DoProject { &SetEnv("nginx_timeout", 15); &SetEnv("nginx_tmpfile_size", "256m"); &SetEnv("nginx_workers", "auto"); -&SetEnv("onion_version", "2"); +&SetEnv("onion_version", "3"); &SetEnv("preserve_before", "~".&Nonce(128)."~"); &SetEnv("preserve_after", "~"); &SetEnv("preserve_preamble_re", "[>@\\\\s]"); diff --git a/lib.d/expand-config.pl b/lib.d/expand-config.pl index 3498e01..c8f0304 100755 --- a/lib.d/expand-config.pl +++ b/lib.d/expand-config.pl 
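Review bot: The default for `onion_version` is flipped to "3", but nothing in this hunk rejects a project config that still says `set onion_version 2`; the companion change in lib.d/generate-onion-key.sh now exits with an error for any value other than 3, so a stale config fails late, at key-generation time, rather than when the project is configured. If the settings are validated anywhere in `DoProject` after these defaults are applied (the sub's body lies outside the hunk, so I cannot see), a check that `onion_version` is exactly "3" with a message naming the setting would surface the problem where the user can fix it. A one-line comment on the `&SetEnv("onion_version", "3");` line, e.g. `# v2 onions are no longer supported; generate-onion-key.sh rejects anything else`, would also make the constraint discoverable.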
@@ -1,7 +1,7 @@ #!/bin/sh exec perl -wx $0 "$@"; #!perl -# eotk (c) 2017-2020 Alec Muffett +# eotk (c) 2017-2021 Alec Muffett if (-t STDIN) { # stderr is already redirected... if (open(DOTS, ">/dev/tty")) { @@ -18,14 +18,13 @@ sub GenOnion { sub Lookup { my $var = shift; - foreach $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION)) { + foreach $deprecated (qw(NEW_HARD_ONION NEW_SOFT_ONION NEW_ONION)) { die "Lookup: $deprecated is no longer supported syntax\n" - if $var =~ /$deprecated/; + if $var eq $deprecated; } - if ($var =~ /^NEW_(V3_)?ONION$/) { - my $version = $1 ? 3 : 2; - return &GenOnion($version); + if ($var eq "NEW_V3_ONION") { + return &GenOnion(3); # old syntax now deprecated } if (defined($ENV{$var})) { diff --git a/lib.d/generate-onion-key.sh b/lib.d/generate-onion-key.sh index 180aa2e..8202cac 100755 --- a/lib.d/generate-onion-key.sh +++ b/lib.d/generate-onion-key.sh @@ -17,11 +17,10 @@ HiddenServiceDir $dir HiddenServicePort 1 127.0.0.1:1 EOF -if [ x$ONION_VERSION = x3 ] ; then - echo HiddenServiceVersion 3 >> $dir/config -else - echo HiddenServiceVersion 2 >> $dir/config -fi +case "$ONION_VERSION" in + 3) echo HiddenServiceVersion 3 >> $dir/config ;; + *) echo error: the only supported value for ONION_VERSION is 3 ; exit 1 ;; +esac tor -f $dir/config >$log 2>&1 @@ -40,15 +39,10 @@ kill -TERM `cat $dir/tor.pid` # shut it down onion=`cat $dir/hostname` onion=`basename $onion .onion` -if [ x$ONION_VERSION = x3 ] ; then - pfile=$onion.v3pub.key - sfile=$onion.v3sec.key - mv $dir/hs_ed25519_public_key $pfile || exit 1 - mv $dir/hs_ed25519_secret_key $sfile || exit 1 -else - file=$onion.key - mv $dir/private_key $file || exit 1 -fi +pfile=$onion.v3pub.key +sfile=$onion.v3sec.key +mv $dir/hs_ed25519_public_key $pfile || exit 1 +mv $dir/hs_ed25519_secret_key $sfile || exit 1 rm -r $dir $log || exit 1 echo $onion diff --git a/templates.d/nginx.conf.txt b/templates.d/nginx.conf.txt index b83d23f..51896a5 100644 --- a/templates.d/nginx.conf.txt 
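Review bot: The comment `# old syntax now deprecated` is attached to the `return &GenOnion(3);` line, which is the only supported path, so it reads as if NEW_V3_ONION itself were deprecated; it belongs on the `foreach $deprecated` loop above, which is where the old spellings are rejected. Since every demo config in this commit is being migrated from `%NEW_ONION%`, users hitting the new `die` would also benefit from being told the replacement: `die "Lookup: $deprecated is no longer supported syntax; use NEW_V3_ONION\n"`. The switch from `=~ /$deprecated/` to `eq` is a good tightening, as the regex form would also have rejected any variable merely containing those names. Separately, `$deprecated` is not declared with `my`, which is presumably tolerated because the file does not appear to `use strict`, but `foreach my $deprecated (...)` costs nothing.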
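Review bot: The new `*)` arm of the `case` prints its error with a plain `echo`, i.e. to stdout, while the script's result is delivered on stdout as well (`echo $onion` at the end of the second hunk), so a caller that captures the output and does not check the exit status gets the error text where it expects an onion name. The message should go to stderr: `*) echo "error: the only supported value for ONION_VERSION is 3" >&2 ; exit 1 ;;`. The arm also exits after `$dir/config` has already been written; if `$dir` is a scratch directory created earlier in this script (the later `rm -r $dir $log` suggests so, but its creation is outside the hunk), it is left behind on this path and should be removed before the `exit 1`. The same arm is a good place to keep the HiddenServiceVersion line documented, e.g. `# tor v2 onion services are retired; only v3 keys are generated`.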
+++ b/templates.d/nginx.conf.txt @@ -15,7 +15,7 @@ # X-DNS-Prefetch-Control - response security risk? # Via - request/response? -# eotk (c) 2019-2020 Alec Muffett +# eotk (c) 2019-2021 Alec Muffett # SECURITY NOTE: the contents of this file, when actualised, should # not be made world-readable nor published without redaction; @@ -331,7 +331,7 @@ http { o2d_search_and_replace = function (i) -- because onion addresses are matchable, this can be done in one pass... - local o, num, errs = ngx.re.gsub(i, "(%LEFT_TLD_RE%)([a-z2-7]{16}(?:[a-z2-7]{40})?\\.onion)\\b", o2d_re_helper, "io") + local o, num, errs = ngx.re.gsub(i, "(%LEFT_TLD_RE%)([a-z2-7]{56}\\.onion)\\b", o2d_re_helper, "io") if errs == nil and num == 0 then return i -- nothing was changed, so return the original end
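Review bot: Dropping the optional 16-character alternative means the `ngx.re.gsub` pattern now only rewrites 56-character v3 addresses, yet the demo configs in this same commit still carry v2 `foreignmap` entries (`foreignmap facebookcorewwwi.onion facebook.com` in demo.d/example.tconf and `foreignmap nytimes3xbfgragh nytimes.com` in demo.d/wikipedia.tconf), which this onion-to-domain pass will no longer match. Either those foreignmap entries should be removed or converted alongside this change, or the pattern should keep accepting 16-character addresses for foreignmap targets while hardmap/softmap generation is v3-only. The comment above the call, `-- because onion addresses are matchable, this can be done in one pass...`, would be clearer if it also recorded the deliberate v3-only scope, e.g. `-- v3 only: 56 base32 chars; v2 (16-char) addresses are no longer rewritten`. The `o2d_search_and_replace` function ends outside the hunk.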