commit 14fa361ab133009f9f52c3ba89f4cb429d496388
Author: David Fifield <david@bamsoftware.com>
Date:   Thu Aug 30 14:19:14 2012 -0700

    Make instructions for running a facilitator on Debian.
---
 README                    |  57 ++++-------------
 doc/facilitator-howto.txt | 147 +++++++++++++++++++++++++++++++++++++++++++++
 facilitator/README        |   3 +
 3 files changed, 164 insertions(+), 43 deletions(-)
diff --git a/README b/README index 0db5973..f5654cf 100644 --- a/README +++ b/README @@ -100,12 +100,20 @@ re-register: == How to run a relay
The relay runs with a WebSocket proxy in external proxy mode. - git clone git://github.com/kanaka/websockify.git - git apply ~/flashproxy/patches/websockify-binary-default.patch -This command proxies WebSocket on port 9901 to a local ORPort on 9001. - ./websockify :9901 127.0.0.1:9001 -The init.d script described under "Installing so as to restart at boot" -does this automatically. + $ git clone git://github.com/kanaka/websockify.git + $ git apply ~/flashproxy/patches/websockify-binary-default.patch +Install websockify as a daemon that will restart at boot. These +instructions are for CentOS 5. + $ cd websockify + $ git apply ~/flashproxy/patches/websockify-binary-default.patch + $ su + # cp websockify websocket.py /usr/local/bin + # useradd -d /dev/null -s /bin/false websockify + # mkdir /var/websockify + # chown -R websockify.websockify /var/websockify + # cp ~/flashproxy/init.d/websockify /etc/init.d/websockify + # chkconfig --add websockify + # service websockify start
Add this line to torrc to make the relay use the external proxy: ServerTransportPlugin websocket proxy 127.0.0.1:9901 @@ -115,40 +123,3 @@ Add this line to torrc to make the relay use the external proxy: Paste in this HTML where you want the badge to appear:
<iframe src="//crypto.stanford.edu/flashproxy/embed.html" width="80" height="15" frameborder="0" scrolling="no"></iframe> - - -== For developers - -See design.txt for some more technical information. - -=== Running a facilitator - -On the facilitator, run - $ facilitator -r <relay-ip> -You can use "tor1.bamsoftware.com" for <relay-ip>. The facilitator runs -on port 9002 by default. - -=== Installing so as to restart at boot - -The directory init.d contains scripts to start the facilitator on -CentOS. "make install" copies files to /usr/local/bin. - - # make install - # useradd -d /dev/null -s /bin/false flashproxy - # mkdir /var/flashproxy - # chown -R flashproxy.flashproxy /var/flashproxy/ - - # cp init.d/facilitator /etc/init.d/facilitator - -- Edit /etc/init.d/facilitator to set $RELAY. - # chkconfig --add facilitator - # service facilitator start - - # cd websockify - # git apply ~/flashproxy/patches/websockify-binary-default.patch - # cp websockify websocket.py /usr/local/bin - # useradd -d /dev/null -s /bin/false websockify - # mkdir /var/websockify - # chown -R websockify.websockify /var/websockify - # cp ~/flashproxy/init.d/websockify /etc/init.d/websockify - # chkconfig --add websockify - # service websockify start diff --git a/doc/facilitator-howto.txt b/doc/facilitator-howto.txt new file mode 100644 index 0000000..c46902b --- /dev/null +++ b/doc/facilitator-howto.txt 
@@ -0,0 +1,147 @@ +This document describes how to run a flash proxy facilitator on Debian 6. +We will use the domain name tor-facilitator.example.com. + +== Overview + +The facilitator consists of three parts: an HTTP server, a CGI program, +and a backend. The HTTP server is responsible for speaking TLS and +invoking the CGI program. The CGI program receives client registrations +and proxy requests for clients, parses them, and forwards them to the +backend. The backend is stateful and is responsible for assigning +clients to proxies and remembering client registrations. + +We use Apache 2 as the HTTP server. The CGI script is facilitator.cgi. +The backend is facilitator. fac.py is a Python module containing code +common to facilitator.cgi and facilitator. + +== Basic and security setup + +Install some essential packages and configure a firewall. + + # cat >/etc/apt/apt.conf.d/90suggests<<EOF +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; +EOF + # apt-get remove nfs-common portmap + # apt-get update + # apt-get upgrade + # apt-get install shorewall shorewall6 + +Away from the facilitator, generate an SSH key for authentication: + + $ ssh-keygen -f ~/.ssh/tor-facilitator + $ ssh-copy-id -i ~/.ssh/tor-facilitator.pub root@tor-facilitator.example.com + +Then log in and edit /etc/ssh/sshd_config to disable password +authentication: + + PasswordAuthentication no + +Configure the firewall to allow only SSH and HTTPS. + + # cd /etc/shorewall + # cp /usr/share/doc/shorewall/default-config/{interfaces,policy,rules,zones} . + Edit /etc/shorewall/interfaces: +net eth0 - tcpflags,norfc1918,routefilter,nosmurfs,logmartians + Edit /etc/shorewall/policy: +$FW all ACCEPT +net $FW DROP +all all DROP + Edit /etc/shorewall/rules: +SECTION NEW +SSH/ACCEPT all $FW +HTTPS/ACCEPT all $FW + Edit /etc/shorewall/zones: +fw firewall +net ipv4 + + # cd /etc/shorewall6 + # cp /usr/share/doc/shorewall6/default-config/{interfaces,policy,rules,zones} . 
+ Edit /etc/shorewall/interfaces: +net eth0 - tcpflags + Edit /etc/shorewall/policy: +$FW all ACCEPT +net $FW DROP +all all DROP + Edit /etc/shorewall/rules: +SECTION NEW +SSH/ACCEPT all $FW +HTTPS/ACCEPT all $FW + Edit /etc/shorewall/zones: +fw firewall +net ipv6 + +Edit /etc/default/shorewall and /etc/default/shorewall6 and set + + startup=1 + +Restart servers. + + # /etc/init.d/ssh restart + # /etc/init.d/shorewall start + # /etc/init.d/shorewall6 start + +== Facilitator program installation + + # apt-get install git + # git clone https://git.torproject.org/flashproxy.git + # cd flashproxy/facilitator + # make install + +This installs facilitator.cgi, facilitator, and fac.py to +/usr/local/bin. It also installs a System V init file to +/etc/init.d/facilitator. + + # update-rc.d facilitator defaults + # /etc/init.d/facilitator start + +== HTTP server setup + +Apache is the web server that runs the CGI program. + + # apt-get install apache2 + # a2enmod ssl + +Edit /etc/apache2/ports.conf and comment out the port 80 configuration. + + # NameVirtualHost *:80 + # Listen 80 + +Create a new file /etc/apache2/sites-available/tor-facilitator with +these contents: + <VirtualHost *:443> + ServerName tor-facilitator.bamsoftware.com + DocumentRoot /dev/null + ScriptAliasMatch ^(.*) /usr/local/bin/facilitator.cgi$1 + ErrorLog ${APACHE_LOG_DIR}/error.log + LogLevel warn + SSLEngine on + SSLCertificateFile /etc/apache2/tor-facilitator.pem + </VirtualHost> + +We purposely do not include a CustomLog directive so as to not to log +client and proxy IP addresses. + +=== HTTPS setup + +The HTTP server should serve only over HTTPS and not unencrypted HTTP. +You will need a certificate and private key from a certificate +authority. 
An article on making a certificate signing request and +getting it signed is here: + http://www.debian-administration.org/articles/284 +The instructions below assume you have an offline private key +in tor-facilitator.key and a certificate in tor-facilitator.crt. + +Remove any passphrase from the private key. + + $ openssl rsa -in tor-facilitator.key -out tor-facilitator.pem + +Make a file containing both the private key and a certificate. + + $ cat tor-facilitator.crt >> tor-facilitator.pem + $ chmod 400 tor-facilitator.pem + +Copy the new tor-facilitator.pem to the facilitator server as +/etc/apache2/tor-facilitator.pem. + + # /etc/init.d/apache2 restart diff --git a/facilitator/README b/facilitator/README new file mode 100644 index 0000000..d3c5593 --- /dev/null +++ b/facilitator/README @@ -0,0 +1,3 @@ +This directory contains files needed to run a flash proxy facilitator. +Normal users don't need any of these files. For instructions on setting +up a facilitator, see doc/faciliator.txt.
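Review bot: in the README hunk @@ -100,12 +100,20 @@, the websockify patch is applied twice: the kept `$ git apply ~/flashproxy/patches/websockify-binary-default.patch` runs straight after `git clone`, outside the websockify checkout, and the new `$ cd websockify` / `$ git apply ...` pair applies it again, so the second run fails with "patch does not apply" if the first one happened to succeed. Keep only the `git apply` that follows `cd websockify`. The removed sentence "This command proxies WebSocket on port 9901 to a local ORPort on 9001" and its `./websockify :9901 127.0.0.1:9001` line were the only place that explained which ports websockify uses, yet the unchanged torrc line `ServerTransportPlugin websocket proxy 127.0.0.1:9901` still depends on 9901; keep one sentence saying that the init.d script listens on 9901 and forwards to the ORPort on 9001, and that those values live in the init script if the ORPort differs. Finally, "These instructions are for CentOS 5" together with `chkconfig` and `service` sits oddly in a commit titled for Debian; either give the Debian equivalents (`update-rc.d`, `/etc/init.d/websockify start`, as the new howto does for the facilitator) or say plainly that relay setup is only documented for CentOS.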
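Review bot: in the README hunk @@ -115,40 +123,3 @@, deleting the whole "For developers" section removes the pointer to design.txt and the only instructions for telling the facilitator which relay to hand out (`$ facilitator -r <relay-ip>` and "Edit /etc/init.d/facilitator to set $RELAY"), and nothing in the new doc/facilitator-howto.txt replaces them. Leave a one-line pointer in place of the removed section ("See doc/facilitator-howto.txt for running a facilitator and design.txt for technical details") and carry the relay-address step over to the howto.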
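Review bot: in the new doc/facilitator-howto.txt (hunk @@ -0,0 +1,147 @@), the HTTP server setup creates /etc/apache2/sites-available/tor-facilitator but never enables it, so after `# /etc/init.d/apache2 restart` nothing is served on port 443; add `# a2ensite tor-facilitator` (and `# a2dissite default`, so the stock vhost with its CustomLog is not loaded at all) before the restart. Further points in the same file:
- `# /etc/init.d/facilitator start` is run without the facilitator ever being told the relay address; the README text this commit deletes did that via `facilitator -r <relay-ip>` and `$RELAY` in the init script, so add that step under "Facilitator program installation".
- Under `# cd /etc/shorewall6`, the labels "Edit /etc/shorewall/interfaces:", "Edit /etc/shorewall/policy:", "Edit /etc/shorewall/rules:" and "Edit /etc/shorewall/zones:" should name /etc/shorewall6/...; as written the reader edits the IPv4 files a second time and shorewall6 is started with the untouched default-config copies.
- The overview says "We will use the domain name tor-facilitator.example.com" but the vhost has `ServerName tor-facilitator.bamsoftware.com`; use the example name consistently.
- "so as to not to log client and proxy IP addresses" has a doubled "to", and the claim is only partly true: with `ErrorLog ${APACHE_LOG_DIR}/error.log` and `LogLevel warn`, Apache still writes the client address into request-level error entries (`[client a.b.c.d] ...`, for instance when the CGI fails), so either say so or direct ErrorLog somewhere that is not retained.
- `$ chmod 400 tor-facilitator.pem` is applied to the local copy only, and plain `scp` does not preserve mode; since the file now holds an unencrypted private key, state that /etc/apache2/tor-facilitator.pem on the server must be root-owned with mode 0400 (Apache reads it as root at startup). In the same spirit, the SSH hardening step sets `PasswordAuthentication no` for a root login set up with ssh-copy-id; `PermitRootLogin without-password` belongs beside it in the sshd_config edit.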
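Review bot: in facilitator/README (hunk @@ -0,0 +1,3 @@), "see doc/faciliator.txt" both misspells the name and points at a file that does not exist; the file this commit adds is doc/facilitator-howto.txt, so the line should read "see doc/facilitator-howto.txt".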