[tor-commits] [flashproxy/master] Make instructions for running a facilitator on Debian.
commit 14fa361ab133009f9f52c3ba89f4cb429d496388
Author: David Fifield <david@xxxxxxxxxxxxxxx>
Date: Thu Aug 30 14:19:14 2012 -0700
Make instructions for running a facilitator on Debian.
---
README | 57 ++++-------------
doc/facilitator-howto.txt | 147 +++++++++++++++++++++++++++++++++++++++++++++
facilitator/README | 3 +
3 files changed, 164 insertions(+), 43 deletions(-)
diff --git a/README b/README
index 0db5973..f5654cf 100644
--- a/README
+++ b/README
@@ -100,12 +100,20 @@ re-register:
== How to run a relay
The relay runs with a WebSocket proxy in external proxy mode.
- git clone git://github.com/kanaka/websockify.git
- git apply ~/flashproxy/patches/websockify-binary-default.patch
-This command proxies WebSocket on port 9901 to a local ORPort on 9001.
- ./websockify :9901 127.0.0.1:9001
-The init.d script described under "Installing so as to restart at boot"
-does this automatically.
+ $ git clone git://github.com/kanaka/websockify.git
+ $ git apply ~/flashproxy/patches/websockify-binary-default.patch
+Install websockify as a daemon that will restart at boot. These
+instructions are for CentOS 5.
+ $ cd websockify
+ $ git apply ~/flashproxy/patches/websockify-binary-default.patch
+ $ su
+ # cp websockify websocket.py /usr/local/bin
+ # useradd -d /dev/null -s /bin/false websockify
+ # mkdir /var/websockify
+ # chown -R websockify.websockify /var/websockify
+ # cp ~/flashproxy/init.d/websockify /etc/init.d/websockify
+ # chkconfig --add websockify
+ # service websockify start
Add this line to torrc to make the relay use the external proxy:
ServerTransportPlugin websocket proxy 127.0.0.1:9901
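Review bot: the first `$ git apply ~/flashproxy/patches/websockify-binary-default.patch` in this hunk runs before `$ cd websockify`, so it executes outside the freshly cloned repository (failing, or patching whatever repository the reader happens to be in), and the same patch is applied a second time after the `cd`. Drop the first `git apply` and keep only the one inside the websockify directory. Minor: `chown -R websockify.websockify` uses the deprecated dot separator; `websockify:websockify` is the portable form.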
@@ -115,40 +123,3 @@ Add this line to torrc to make the relay use the external proxy:
Paste in this HTML where you want the badge to appear:
<iframe src="//crypto.stanford.edu/flashproxy/embed.html" width="80" height="15" frameborder="0" scrolling="no"></iframe>
-
-
-== For developers
-
-See design.txt for some more technical information.
-
-=== Running a facilitator
-
-On the facilitator, run
- $ facilitator -r <relay-ip>
-You can use "tor1.bamsoftware.com" for <relay-ip>. The facilitator runs
-on port 9002 by default.
-
-=== Installing so as to restart at boot
-
-The directory init.d contains scripts to start the facilitator on
-CentOS. "make install" copies files to /usr/local/bin.
-
- # make install
- # useradd -d /dev/null -s /bin/false flashproxy
- # mkdir /var/flashproxy
- # chown -R flashproxy.flashproxy /var/flashproxy/
-
- # cp init.d/facilitator /etc/init.d/facilitator
- -- Edit /etc/init.d/facilitator to set $RELAY.
- # chkconfig --add facilitator
- # service facilitator start
-
- # cd websockify
- # git apply ~/flashproxy/patches/websockify-binary-default.patch
- # cp websockify websocket.py /usr/local/bin
- # useradd -d /dev/null -s /bin/false websockify
- # mkdir /var/websockify
- # chown -R websockify.websockify /var/websockify
- # cp ~/flashproxy/init.d/websockify /etc/init.d/websockify
- # chkconfig --add websockify
- # service websockify start
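Review bot: this deletion drops the pointer to design.txt together with all facilitator instructions, but nothing left in the README tells a developer where those instructions moved. Suggest keeping a short stub in place of the removed section, e.g. "== For developers" followed by "See design.txt for technical information and doc/facilitator-howto.txt for running a facilitator."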
diff --git a/doc/facilitator-howto.txt b/doc/facilitator-howto.txt
new file mode 100644
index 0000000..c46902b
--- /dev/null
+++ b/doc/facilitator-howto.txt
@@ -0,0 +1,147 @@
+This document describes how to run a flash proxy facilitator on Debian 6.
+We will use the domain name tor-facilitator.example.com.
+
+== Overview
+
+The facilitator consists of three parts: an HTTP server, a CGI program,
+and a backend. The HTTP server is responsible for speaking TLS and
+invoking the CGI program. The CGI program receives client registrations
+and proxy requests for clients, parses them, and forwards them to the
+backend. The backend is stateful and is responsible for assigning
+clients to proxies and remembering client registrations.
+
+We use Apache 2 as the HTTP server. The CGI script is facilitator.cgi.
+The backend is facilitator. fac.py is a Python module containing code
+common to facilitator.cgi and facilitator.
+
+== Basic and security setup
+
+Install some essential packages and configure a firewall.
+
+ # cat >/etc/apt/apt.conf.d/90suggests<<EOF
+APT::Install-Recommends "0";
+APT::Install-Suggests "0";
+EOF
+ # apt-get remove nfs-common portmap
+ # apt-get update
+ # apt-get upgrade
+ # apt-get install shorewall shorewall6
+
+Away from the facilitator, generate an SSH key for authentication:
+
+ $ ssh-keygen -f ~/.ssh/tor-facilitator
+ $ ssh-copy-id -i ~/.ssh/tor-facilitator.pub root@xxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+Then log in and edit /etc/ssh/sshd_config to disable password
+authentication:
+
+ PasswordAuthentication no
+
+Configure the firewall to allow only SSH and HTTPS.
+
+ # cd /etc/shorewall
+ # cp /usr/share/doc/shorewall/default-config/{interfaces,policy,rules,zones} .
+ Edit /etc/shorewall/interfaces:
+net eth0 - tcpflags,norfc1918,routefilter,nosmurfs,logmartians
+ Edit /etc/shorewall/policy:
+$FW all ACCEPT
+net $FW DROP
+all all DROP
+ Edit /etc/shorewall/rules:
+SECTION NEW
+SSH/ACCEPT all $FW
+HTTPS/ACCEPT all $FW
+ Edit /etc/shorewall/zones:
+fw firewall
+net ipv4
+
+ # cd /etc/shorewall6
+ # cp /usr/share/doc/shorewall6/default-config/{interfaces,policy,rules,zones} .
+ Edit /etc/shorewall/interfaces:
+net eth0 - tcpflags
+ Edit /etc/shorewall/policy:
+$FW all ACCEPT
+net $FW DROP
+all all DROP
+ Edit /etc/shorewall/rules:
+SECTION NEW
+SSH/ACCEPT all $FW
+HTTPS/ACCEPT all $FW
+ Edit /etc/shorewall/zones:
+fw firewall
+net ipv6
+
+Edit /etc/default/shorewall and /etc/default/shorewall6 and set
+
+ startup=1
+
+Restart servers.
+
+ # /etc/init.d/ssh restart
+ # /etc/init.d/shorewall start
+ # /etc/init.d/shorewall6 start
+
+== Facilitator program installation
+
+ # apt-get install git
+ # git clone https://git.torproject.org/flashproxy.git
+ # cd flashproxy/facilitator
+ # make install
+
+This installs facilitator.cgi, facilitator, and fac.py to
+/usr/local/bin. It also installs a System V init file to
+/etc/init.d/facilitator.
+
+ # update-rc.d facilitator defaults
+ # /etc/init.d/facilitator start
+
+== HTTP server setup
+
+Apache is the web server that runs the CGI program.
+
+ # apt-get install apache2
+ # a2enmod ssl
+
+Edit /etc/apache2/ports.conf and comment out the port 80 configuration.
+
+ # NameVirtualHost *:80
+ # Listen 80
+
+Create a new file /etc/apache2/sites-available/tor-facilitator with
+these contents:
+ <VirtualHost *:443>
+ ServerName tor-facilitator.bamsoftware.com
+ DocumentRoot /dev/null
+ ScriptAliasMatch ^(.*) /usr/local/bin/facilitator.cgi$1
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ LogLevel warn
+ SSLEngine on
+ SSLCertificateFile /etc/apache2/tor-facilitator.pem
+ </VirtualHost>
+
+We purposely do not include a CustomLog directive so as to not to log
+client and proxy IP addresses.
+
+=== HTTPS setup
+
+The HTTP server should serve only over HTTPS and not unencrypted HTTP.
+You will need a certificate and private key from a certificate
+authority. An article on making a certificate signing request and
+getting it signed is here:
+ http://www.debian-administration.org/articles/284
+The instructions below assume you have an offline private key
+in tor-facilitator.key and a certificate in tor-facilitator.crt.
+
+Remove any passphrase from the private key.
+
+ $ openssl rsa -in tor-facilitator.key -out tor-facilitator.pem
+
+Make a file containing both the private key and a certificate.
+
+ $ cat tor-facilitator.crt >> tor-facilitator.pem
+ $ chmod 400 tor-facilitator.pem
+
+Copy the new tor-facilitator.pem to the facilitator server as
+/etc/apache2/tor-facilitator.pem.
+
+ # /etc/init.d/apache2 restart
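Review bot: in the shorewall6 block the four "Edit" lines name /etc/shorewall/interfaces, /etc/shorewall/policy, /etc/shorewall/rules and /etc/shorewall/zones, although the preceding `cd /etc/shorewall6` and `cp .../shorewall6/default-config/...` put the files in /etc/shorewall6; as written the reader overwrites the IPv4 configuration (including giving it a `net ipv6` zone) and leaves the IPv6 firewall at its untouched defaults, so HTTPS and SSH over IPv6 would not be filtered as intended. Change them to /etc/shorewall6/{interfaces,policy,rules,zones}. Smaller points: the introduction says the example domain is tor-facilitator.example.com but the VirtualHost has `ServerName tor-facilitator.bamsoftware.com`; `openssl rsa -in tor-facilitator.key -out tor-facilitator.pem` writes the passphrase-free key with the default umask before the `chmod 400` a few lines later, so set `umask 077` first or chmod immediately; and "so as to not to log" should read "so as not to log".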
diff --git a/facilitator/README b/facilitator/README
new file mode 100644
index 0000000..d3c5593
--- /dev/null
+++ b/facilitator/README
@@ -0,0 +1,3 @@
+This directory contains files needed to run a flash proxy facilitator.
+Normal users don't need any of these files. For instructions on setting
+up a facilitator, see doc/faciliator.txt.
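Review bot: "doc/faciliator.txt" misspells the name and refers to a file this commit does not add; the document introduced here is doc/facilitator-howto.txt. Change the last line to "up a facilitator, see doc/facilitator-howto.txt."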