commit e59943493584cb0c704763eadffb8802c36aebdd Author: Ximin Luo infinity0@gmx.com Date: Wed Sep 11 17:21:09 2013 +0100
move appengine and facilitator docs to facilitator subtree --- appengine/README | 11 -- appengine/app.yaml | 9 -- appengine/fp-reg.go | 54 --------- doc/appengine-howto.txt | 56 ---------- doc/facilitator-howto.txt | 199 --------------------------------- doc/gmail-setup.txt | 61 ---------- facilitator/appengine/README | 11 ++ facilitator/appengine/app.yaml | 9 ++ facilitator/appengine/fp-reg.go | 54 +++++++++ facilitator/doc/appengine-howto.txt | 56 ++++++++++ facilitator/doc/facilitator-howto.txt | 199 +++++++++++++++++++++++++++++++++ facilitator/doc/gmail-setup.txt | 61 ++++++++++ 12 files changed, 390 insertions(+), 390 deletions(-)
diff --git a/appengine/README b/appengine/README
deleted file mode 100644
index 00d0611..0000000
--- a/appengine/README
+++ /dev/null
@@ -1,11 +0,0 @@
-This is the server-side code that runs on Google App Engine for the
-"appspot" registration method.
-
-See doc/appengine-howto.txt for information about setting up an
-application.
-
-To run with the development server:
-$ ~/google_appengine/dev_appserver.py appengine/
-
-To upload a new version:
-$ torify ~/google_appengine/appcfg.py update appengine/
diff --git a/appengine/app.yaml b/appengine/app.yaml
deleted file mode 100644
index 3b99ada..0000000
--- a/appengine/app.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-application: fp-reg-a
-version: 1
-runtime: go
-api_version: go1
-
-handlers:
-- url: /.*
- script: _go_app
- secure: always
diff --git a/appengine/fp-reg.go b/appengine/fp-reg.go
deleted file mode 100644
index d4f84c2..0000000
--- a/appengine/fp-reg.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package fp_reg
-
-import (
- "io"
- "net"
- "net/http"
- "path"
-
- "appengine"
- "appengine/urlfetch"
-)
-
-const BASE = "https://fp-facilitator.org/reg/"
-
-func robotsTxtHandler(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "text/plain; charset=utf-8")
- w.Write([]byte("User-agent: *\nDisallow:\n"))
-}
-
-func ipHandler(w http.ResponseWriter, r *http.Request) {
- remoteAddr := r.RemoteAddr
- if net.ParseIP(remoteAddr).To4() == nil {
- remoteAddr = "[" + remoteAddr + "]"
- }
- w.Header().Set("Content-Type", "text/plain; charset=utf-8")
- w.Write([]byte(remoteAddr))
-}
-
-func regHandler(w http.ResponseWriter, r *http.Request) {
- dir, blob := path.Split(path.Clean(r.URL.Path))
- if dir != "/reg/" {
- http.NotFound(w, r)
- return
- }
- client := urlfetch.Client(appengine.NewContext(r))
- resp, err := client.Get(BASE + blob)
- if err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
- for key, values := range resp.Header {
- for _, value := range values {
- w.Header().Add(key, value)
- }
- }
- w.WriteHeader(resp.StatusCode)
- io.Copy(w, resp.Body)
-}
-
-func init() {
- http.HandleFunc("/robots.txt", robotsTxtHandler)
- http.HandleFunc("/ip", ipHandler)
- http.HandleFunc("/reg/", regHandler)
-}
diff --git a/doc/appengine-howto.txt b/doc/appengine-howto.txt
deleted file mode 100644
index 44c5324..0000000
--- a/doc/appengine-howto.txt
+++ /dev/null
@@ -1,56 +0,0 @@ -These are instructions for how to set up a Google App Engine application -to run at appspot.com. - -General links: -https://developers.google.com/appengine/ -https://developers.google.com/appengine/docs/whatisgoogleappengine -https://developers.google.com/appengine/docs/go/gettingstarted/ - -You first need to create a Google account. See gmail-howto.txt for how -to do that. - -Download the SDK: -https://developers.google.com/appengine/docs/go/gettingstarted/devenvironmen... - -Write your program and app.yaml file: -https://developers.google.com/appengine/docs/go/gettingstarted/helloworld - -When you're ready to upload, log in with your Google account and follow -the directions: -https://appengine.google.com/ -https://developers.google.com/appengine/docs/go/gettingstarted/uploading - -Enter an application ID and create the application. - -Use the appcfg.py program to upload the program. It should look -something like this: - -$ torify ./google_appengine/appcfg.py update myapp/ -07:25 PM Host: appengine.google.com -07:25 PM Application: application-id; version: 1 -07:25 PM -Starting update of app: application-id, version: 1 -07:25 PM Getting current resource limits. -Email: xxx@gmail.com -Password for xxx@gmail.com: -07:26 PM Scanning files on local disk. -07:26 PM Cloning 2 application files. -07:26 PM Uploading 1 files and blobs. -07:26 PM Uploaded 1 files and blobs -07:26 PM Compilation starting. -07:26 PM Compilation: 1 files left. -07:26 PM Compilation completed. -07:26 PM Starting deployment. -07:26 PM Checking if deployment succeeded. -07:26 PM Deployment successful. -07:26 PM Checking if updated app version is serving. -07:26 PM Completed update of app: application-id, version: 1 - -Uploading the program in this way seems to create the files -~/.appcfg_nag and ~/.appcfg_cookies. Running the update command again -doesn't require you to enter your password again. - -Once logged in, you can disable logging for the application. 
Click -"Logs" on the left panel. Under "Total Logs Storage", click "Change -Settings". Enter "0" in the "days of logs" box and click "Save -Settings". diff --git a/doc/facilitator-howto.txt b/doc/facilitator-howto.txt deleted file mode 100644 index 8bafce9..0000000 --- a/doc/facilitator-howto.txt +++ /dev/null 
@@ -1,199 +0,0 @@ -This document describes how to run a flash proxy facilitator on Debian 7. -We will use the domain name fp-facilitator.example.com. - -== Overview - -The facilitator consists of a backend server that is essentially a -dynamic database of client addresses, as well as helper programs that -receive client registrations from the Internet over various means and -pass them to the backend. There are three supported helper rendezvous -methods: HTTP, URL, and email. - -The HTTP rendezvous uses an HTTP server and a CGI program. The HTTP -server is responsible for speaking TLS and invoking the CGI program. The -CGI program receives client registrations and proxy requests for -clients, parses them, and forwards them to the backend. We use Apache 2 -as the HTTP server. The CGI script is facilitator.cgi. The backend is -facilitator. - -The email rendezvous uses the helper program facilitator-email-poller. -Clients use the flashproxy-reg-email program to send an encrypted -message to a Gmail address. The poller constantly checks for new -messages and forwards them to facilitator-reg. - -facilitator-reg is a simple program that forwards its standard input to -a locally running facilitator-reg-daemon process. - -facilitator-reg-daemon accepts connections containing encrypted client -registrations and forwards them to the facilitator. It exists as a -process of its own so that only one program requires access to the -facilitator's private key. - -The URL rendezvous uses the helper program flashproxy-reg-email. The -helper program doesn't actually make a registration; rather, it prints -out a URL which, when retrieved, makes the registration. - -fac.py is a Python module containing code common to the various -facilitator programs. - -== Basic and security setup - -Install some essential packages and configure a firewall. 
- - # cat >/etc/apt/apt.conf.d/90suggests<<EOF -APT::Install-Recommends "0"; -APT::Install-Suggests "0"; -EOF - # apt-get remove portmap - # apt-get update - # apt-get upgrade - # apt-get install shorewall shorewall6 - -Away from the facilitator, generate an SSH key for authentication: - - $ ssh-keygen -f ~/.ssh/fp-facilitator - $ ssh-copy-id -i ~/.ssh/fp-facilitator.pub root@fp-facilitator.example.com - -Then log in and edit /etc/ssh/sshd_config to disable password -authentication: - - PasswordAuthentication no - -Configure the firewall to allow only SSH and HTTPS. - - # cd /etc/shorewall - # cp /usr/share/doc/shorewall/examples/Universal/{interfaces,policy,rules,zones} . - Edit /etc/shorewall/rules: -SECTION NEW -SSH(ACCEPT) net $FW -HTTPS(ACCEPT) net $FW - - # cd /etc/shorewall6 - # cp /usr/share/doc/shorewall6/examples/Universal/{interfaces,policy,rules,zones} . - Edit /etc/shorewall6/rules: -SECTION NEW -SSH(ACCEPT) all $FW -HTTPS(ACCEPT) all $FW - -Edit /etc/default/shorewall and /etc/default/shorewall6 and set - - startup=1 - -Restart servers. - - # /etc/init.d/ssh restart - # /etc/init.d/shorewall start - # /etc/init.d/shorewall6 start - -== Facilitator program installation - -Create the user the daemons will run as. - - # useradd --shell /usr/sbin/nologin --system --home /nonexistent -M facilitator-nobody - -Install the programs. - - # cd - # apt-get install git python-m2crypto make - # git clone https://git.torproject.org/flashproxy.git - # cd flashproxy/facilitator - # make install - -This installs facilitator.cgi, facilitator, facilitator-email-poller, -facilitator-reg-daemon, facilitator-reg, and fac.py to /usr/local/bin. -It also installs System V init files to /etc/init.d/. - -=== Registration daemon setup - -The facilitator-reg-daemon program requires a private RSA key (used to -decrypt encrypted client registrations). 
- - # mkdir /etc/flashproxy - # openssl genrsa -out /etc/flashproxy/reg-daemon.key 2048 - # chmod 600 /etc/flashproxy/reg-daemon.key - # openssl rsa -pubout < /etc/flashproxy/reg-daemon.key > reg-daemon.pub - -You will have to edit flashproxy-reg-email and copy the contents of -reg-daemon.pub into the appropriate place. - -Install reg-daemon.key /etc/flashproxy to match what the init script -expects. - -=== Init script setup - - # update-rc.d facilitator defaults - # /etc/init.d/facilitator start - # update-rc.d facilitator-reg-daemon defaults - # /etc/init.d/facilitator-reg-daemon start - -== HTTP server setup - -Apache is the web server that runs the CGI program. - - # apt-get install apache2 libapache2-mod-evasive - # a2enmod ssl headers - -Edit /etc/apache2/ports.conf and comment out the port 80 configuration. - - # NameVirtualHost *:80 - # Listen 80 - -Create a new file /etc/apache2/sites-available/fp-facilitator with -these contents: - MaxClients 256 - <VirtualHost *:443> - ServerName fp-facilitator.example.com - DocumentRoot /dev/null - ScriptAliasMatch ^(.*) /usr/local/bin/facilitator.cgi$1 - CustomLog /dev/null common - ErrorLog ${APACHE_LOG_DIR}/error.log - LogLevel warn - SSLEngine on - SSLCertificateFile /etc/apache2/fp-facilitator.pem - SSLCertificateChainFile /etc/apache2/intermediate.pem - Header add Strict-Transport-Security "max-age=15768000" - </VirtualHost> -intermediate.pem is a possible intermediate certificate file provided by -the CA; if you did not get one, then leave off the -SSLCertificateChainFile line. - -Link the configured site into sites-enabled. - # a2ensite fp-facilitator - -=== HTTPS setup - -The HTTP server should serve only over HTTPS and not unencrypted HTTP. -You will need a certificate and private key from a certificate -authority. An article on making a certificate signing request and -getting it signed is here: - http://www.debian-administration.org/articles/284 -This is the basic command to generate a CSR. 
- $ openssl req -new -nodes -out fp-facilitator.csr.pem -The instructions below assume you have an offline private key -in fp-facilitator.key.pem and a certificate in fp-facilitator.crt.pem. - -Make a file containing both the private key and a certificate. - - $ cat fp-facilitator.key.pem fp-facilitator.crt.pem > fp-facilitator.pem - $ chmod 400 fp-facilitator.pem - -Copy the new fp-facilitator.pem to the facilitator server as -/etc/apache2/fp-facilitator.pem. - - # /etc/init.d/apache2 restart - -=== Email poller setup - -The facilitator-email-poller program requires a password that is used to -log in to the designated Gmail account. See the file gmail-setup.txt for -instructions on setting up a Gmail account. After you've set up the -account and have the password, save it to a file reg-email.pass and make -it not readable or writable by anyone but its owner. - - # chmod 600 /etc/flashproxy/reg-email.pass - -Install reg-email.pass to /etc/flashproxy to match what the init script -expects. - - # update-rc.d facilitator-email-poller defaults - # /etc/init.d/facilitator-email-poller start diff --git a/doc/gmail-setup.txt b/doc/gmail-setup.txt deleted file mode 100644 index b51ce90..0000000 --- a/doc/gmail-setup.txt +++ /dev/null 
@@ -1,61 +0,0 @@ -These are instructions for setting up a Gmail account for use with the -email-based rendezvous and flashproxy-reg-email. These instructions were -current as of May 2013. - -You may have trouble if you are using Tor to create the account, for two -reasons. The first is that exit nodes are a source of abuse and Google -is more suspicious of them. The second is that Gmail is suspicious and -can lock you out of the account when your IP address is changing. While -setting up the account, use a single node in your torrc ExitNodes -configuration. Choose a U.S. exit node, one with low bandwidth. - -Go to https://mail.google.com/. Allow JavaScript to run (even from -youtube.com; it seems to be necessary). Click the "CREATE AN ACCOUNT" -button. - -Enter the account details. You don't need to fill in "Your current email -address". Enter a mobile phone number for later activation of two-factor -authentication. Solve the captcha. Click "Next Step". You may have to do -a phone SMS verification here. - -At this point the Gmail account is created. If you are pushed into -joining Google+, close everything out and go back to -https://mail.google.com/. - -Log out of the account and then back in again. There will be new text in -the lower right reading "Last account activity". Click "Details" and -turn off the unusual activity alerts. This will keep you from getting -locked out when you come from different IP addresses. At this point you -should remove the temporary ExitNodes configuration from torrc. - -Add a filter to prevent registrations from being marked as spam. Click -on the gear icon and select "Settings". Select "Filters" then "Create a -new filter". For "Has the words" type "in:spam", then "Create filter -with this search". There will be a warning that filters using "in:" will -never match incoming mail; this appears to be false and you can just -click OK. Check "Never send it to Spam" and click "Create filter". - -Enable IMAP. 
Click the gear icon, then "Settings", then "Forwarding and
+POP/IMAP".
+ * Disable POP
+ * Enable IMAP
+ * Auto-Expunge on
+Click "Save Changes".
+
+Enable two-factor authentication. We do this not so much for the
+two-factor, but because it allows creating an independent password that
+is used only for IMAP and does not have access to the web interface of
+Gmail. Click the email address in the upper right, then "Account". Click
+"Security". By "2-step verification" click "Edit". Click through until
+it lets you set up. The phone number you provided when the account was
+created will be automatically filled in. Choose "Text message (SMS)"
+then click "Send code". Get your text message, type it in, and hit
+"Verify". Uncheck "Trust this computer" on the next screen. Finally
+"Confirm". On the following summary page, click "Show backup codes" and
+save the codes to encrypted storage. Future codes can be generated at
+https://www.google.com/accounts/SmsAuthConfig.
+
+Still on the 2-step summary page, click "Manage application-specific
+passwords". Enter "IMAP" for the name and click "Generate password".
+Save the password to encrypted storage. This is the password that will
+be used with the --pass option of facilitator-email-poller.
diff --git a/facilitator/appengine/README b/facilitator/appengine/README
new file mode 100644
index 0000000..00d0611
--- /dev/null
+++ b/facilitator/appengine/README
@@ -0,0 +1,11 @@
+This is the server-side code that runs on Google App Engine for the
+"appspot" registration method.
+
+See doc/appengine-howto.txt for information about setting up an
+application.
+
+To run with the development server:
+$ ~/google_appengine/dev_appserver.py appengine/
+
+To upload a new version:
+$ torify ~/google_appengine/appcfg.py update appengine/
diff --git a/facilitator/appengine/app.yaml b/facilitator/appengine/app.yaml
new file mode 100644
index 0000000..3b99ada
--- /dev/null
+++ b/facilitator/appengine/app.yaml
@@ -0,0 +1,9 @@
+application: fp-reg-a
+version: 1
+runtime: go
+api_version: go1
+
+handlers:
+- url: /.*
+ script: _go_app
+ secure: always
diff --git a/facilitator/appengine/fp-reg.go b/facilitator/appengine/fp-reg.go
new file mode 100644
index 0000000..d4f84c2
--- /dev/null
+++ b/facilitator/appengine/fp-reg.go
@@ -0,0 +1,54 @@
+package fp_reg
+
+import (
+ "io"
+ "net"
+ "net/http"
+ "path"
+
+ "appengine"
+ "appengine/urlfetch"
+)
+
+const BASE = "https://fp-facilitator.org/reg/"
+
+func robotsTxtHandler(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+ w.Write([]byte("User-agent: *\nDisallow:\n"))
+}
+
+func ipHandler(w http.ResponseWriter, r *http.Request) {
+ remoteAddr := r.RemoteAddr
+ if net.ParseIP(remoteAddr).To4() == nil {
+ remoteAddr = "[" + remoteAddr + "]"
+ }
+ w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+ w.Write([]byte(remoteAddr))
+}
+
+func regHandler(w http.ResponseWriter, r *http.Request) {
+ dir, blob := path.Split(path.Clean(r.URL.Path))
+ if dir != "/reg/" {
+ http.NotFound(w, r)
+ return
+ }
+ client := urlfetch.Client(appengine.NewContext(r))
+ resp, err := client.Get(BASE + blob)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+ for key, values := range resp.Header {
+ for _, value := range values {
+ w.Header().Add(key, value)
+ }
+ }
+ w.WriteHeader(resp.StatusCode)
+ io.Copy(w, resp.Body)
+}
+
+func init() {
+ http.HandleFunc("/robots.txt", robotsTxtHandler)
+ http.HandleFunc("/ip", ipHandler)
+ http.HandleFunc("/reg/", regHandler)
+}
diff --git a/facilitator/doc/appengine-howto.txt b/facilitator/doc/appengine-howto.txt
new file mode 100644
index 0000000..44c5324
--- /dev/null
+++ b/facilitator/doc/appengine-howto.txt
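Review bot: regHandler never closes the body returned by `client.Get` — `resp.Body` is drained by `io.Copy` and then dropped, so add `defer resp.Body.Close()` directly after the `if err != nil` check to release the urlfetch connection on every path. The header loop then replays every upstream header verbatim via `w.Header().Add(key, value)`, so whatever fp-facilitator.org sends (Set-Cookie, Content-Length, Connection, HSTS) reaches the client unfiltered; copying only the headers the registration protocol actually needs, Content-Type at least, would make the proxy's contract explicit. The error branch also returns `err.Error()` to the caller, which can expose the upstream URL and transport detail; a fixed message such as `http.Error(w, "upstream request failed", http.StatusInternalServerError)` leaks less. This commit only moves the file, so none of this is new, but the new subtree is the place to fix it.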
@@ -0,0 +1,56 @@ +These are instructions for how to set up a Google App Engine application +to run at appspot.com. + +General links: +https://developers.google.com/appengine/ +https://developers.google.com/appengine/docs/whatisgoogleappengine +https://developers.google.com/appengine/docs/go/gettingstarted/ + +You first need to create a Google account. See gmail-howto.txt for how +to do that. + +Download the SDK: +https://developers.google.com/appengine/docs/go/gettingstarted/devenvironmen... + +Write your program and app.yaml file: +https://developers.google.com/appengine/docs/go/gettingstarted/helloworld + +When you're ready to upload, log in with your Google account and follow +the directions: +https://appengine.google.com/ +https://developers.google.com/appengine/docs/go/gettingstarted/uploading + +Enter an application ID and create the application. + +Use the appcfg.py program to upload the program. It should look +something like this: + +$ torify ./google_appengine/appcfg.py update myapp/ +07:25 PM Host: appengine.google.com +07:25 PM Application: application-id; version: 1 +07:25 PM +Starting update of app: application-id, version: 1 +07:25 PM Getting current resource limits. +Email: xxx@gmail.com +Password for xxx@gmail.com: +07:26 PM Scanning files on local disk. +07:26 PM Cloning 2 application files. +07:26 PM Uploading 1 files and blobs. +07:26 PM Uploaded 1 files and blobs +07:26 PM Compilation starting. +07:26 PM Compilation: 1 files left. +07:26 PM Compilation completed. +07:26 PM Starting deployment. +07:26 PM Checking if deployment succeeded. +07:26 PM Deployment successful. +07:26 PM Checking if updated app version is serving. +07:26 PM Completed update of app: application-id, version: 1 + +Uploading the program in this way seems to create the files +~/.appcfg_nag and ~/.appcfg_cookies. Running the update command again +doesn't require you to enter your password again. + +Once logged in, you can disable logging for the application. 
Click +"Logs" on the left panel. Under "Total Logs Storage", click "Change +Settings". Enter "0" in the "days of logs" box and click "Save +Settings". diff --git a/facilitator/doc/facilitator-howto.txt b/facilitator/doc/facilitator-howto.txt new file mode 100644 index 0000000..8bafce9 --- /dev/null +++ b/facilitator/doc/facilitator-howto.txt 
@@ -0,0 +1,199 @@ +This document describes how to run a flash proxy facilitator on Debian 7. +We will use the domain name fp-facilitator.example.com. + +== Overview + +The facilitator consists of a backend server that is essentially a +dynamic database of client addresses, as well as helper programs that +receive client registrations from the Internet over various means and +pass them to the backend. There are three supported helper rendezvous +methods: HTTP, URL, and email. + +The HTTP rendezvous uses an HTTP server and a CGI program. The HTTP +server is responsible for speaking TLS and invoking the CGI program. The +CGI program receives client registrations and proxy requests for +clients, parses them, and forwards them to the backend. We use Apache 2 +as the HTTP server. The CGI script is facilitator.cgi. The backend is +facilitator. + +The email rendezvous uses the helper program facilitator-email-poller. +Clients use the flashproxy-reg-email program to send an encrypted +message to a Gmail address. The poller constantly checks for new +messages and forwards them to facilitator-reg. + +facilitator-reg is a simple program that forwards its standard input to +a locally running facilitator-reg-daemon process. + +facilitator-reg-daemon accepts connections containing encrypted client +registrations and forwards them to the facilitator. It exists as a +process of its own so that only one program requires access to the +facilitator's private key. + +The URL rendezvous uses the helper program flashproxy-reg-email. The +helper program doesn't actually make a registration; rather, it prints +out a URL which, when retrieved, makes the registration. + +fac.py is a Python module containing code common to the various +facilitator programs. + +== Basic and security setup + +Install some essential packages and configure a firewall. 
+ + # cat >/etc/apt/apt.conf.d/90suggests<<EOF +APT::Install-Recommends "0"; +APT::Install-Suggests "0"; +EOF + # apt-get remove portmap + # apt-get update + # apt-get upgrade + # apt-get install shorewall shorewall6 + +Away from the facilitator, generate an SSH key for authentication: + + $ ssh-keygen -f ~/.ssh/fp-facilitator + $ ssh-copy-id -i ~/.ssh/fp-facilitator.pub root@fp-facilitator.example.com + +Then log in and edit /etc/ssh/sshd_config to disable password +authentication: + + PasswordAuthentication no + +Configure the firewall to allow only SSH and HTTPS. + + # cd /etc/shorewall + # cp /usr/share/doc/shorewall/examples/Universal/{interfaces,policy,rules,zones} . + Edit /etc/shorewall/rules: +SECTION NEW +SSH(ACCEPT) net $FW +HTTPS(ACCEPT) net $FW + + # cd /etc/shorewall6 + # cp /usr/share/doc/shorewall6/examples/Universal/{interfaces,policy,rules,zones} . + Edit /etc/shorewall6/rules: +SECTION NEW +SSH(ACCEPT) all $FW +HTTPS(ACCEPT) all $FW + +Edit /etc/default/shorewall and /etc/default/shorewall6 and set + + startup=1 + +Restart servers. + + # /etc/init.d/ssh restart + # /etc/init.d/shorewall start + # /etc/init.d/shorewall6 start + +== Facilitator program installation + +Create the user the daemons will run as. + + # useradd --shell /usr/sbin/nologin --system --home /nonexistent -M facilitator-nobody + +Install the programs. + + # cd + # apt-get install git python-m2crypto make + # git clone https://git.torproject.org/flashproxy.git + # cd flashproxy/facilitator + # make install + +This installs facilitator.cgi, facilitator, facilitator-email-poller, +facilitator-reg-daemon, facilitator-reg, and fac.py to /usr/local/bin. +It also installs System V init files to /etc/init.d/. + +=== Registration daemon setup + +The facilitator-reg-daemon program requires a private RSA key (used to +decrypt encrypted client registrations). 
+ + # mkdir /etc/flashproxy + # openssl genrsa -out /etc/flashproxy/reg-daemon.key 2048 + # chmod 600 /etc/flashproxy/reg-daemon.key + # openssl rsa -pubout < /etc/flashproxy/reg-daemon.key > reg-daemon.pub + +You will have to edit flashproxy-reg-email and copy the contents of +reg-daemon.pub into the appropriate place. + +Install reg-daemon.key /etc/flashproxy to match what the init script +expects. + +=== Init script setup + + # update-rc.d facilitator defaults + # /etc/init.d/facilitator start + # update-rc.d facilitator-reg-daemon defaults + # /etc/init.d/facilitator-reg-daemon start + +== HTTP server setup + +Apache is the web server that runs the CGI program. + + # apt-get install apache2 libapache2-mod-evasive + # a2enmod ssl headers + +Edit /etc/apache2/ports.conf and comment out the port 80 configuration. + + # NameVirtualHost *:80 + # Listen 80 + +Create a new file /etc/apache2/sites-available/fp-facilitator with +these contents: + MaxClients 256 + <VirtualHost *:443> + ServerName fp-facilitator.example.com + DocumentRoot /dev/null + ScriptAliasMatch ^(.*) /usr/local/bin/facilitator.cgi$1 + CustomLog /dev/null common + ErrorLog ${APACHE_LOG_DIR}/error.log + LogLevel warn + SSLEngine on + SSLCertificateFile /etc/apache2/fp-facilitator.pem + SSLCertificateChainFile /etc/apache2/intermediate.pem + Header add Strict-Transport-Security "max-age=15768000" + </VirtualHost> +intermediate.pem is a possible intermediate certificate file provided by +the CA; if you did not get one, then leave off the +SSLCertificateChainFile line. + +Link the configured site into sites-enabled. + # a2ensite fp-facilitator + +=== HTTPS setup + +The HTTP server should serve only over HTTPS and not unencrypted HTTP. +You will need a certificate and private key from a certificate +authority. An article on making a certificate signing request and +getting it signed is here: + http://www.debian-administration.org/articles/284 +This is the basic command to generate a CSR. 
+ $ openssl req -new -nodes -out fp-facilitator.csr.pem +The instructions below assume you have an offline private key +in fp-facilitator.key.pem and a certificate in fp-facilitator.crt.pem. + +Make a file containing both the private key and a certificate. + + $ cat fp-facilitator.key.pem fp-facilitator.crt.pem > fp-facilitator.pem + $ chmod 400 fp-facilitator.pem + +Copy the new fp-facilitator.pem to the facilitator server as +/etc/apache2/fp-facilitator.pem. + + # /etc/init.d/apache2 restart + +=== Email poller setup + +The facilitator-email-poller program requires a password that is used to +log in to the designated Gmail account. See the file gmail-setup.txt for +instructions on setting up a Gmail account. After you've set up the +account and have the password, save it to a file reg-email.pass and make +it not readable or writable by anyone but its owner. + + # chmod 600 /etc/flashproxy/reg-email.pass + +Install reg-email.pass to /etc/flashproxy to match what the init script +expects. + + # update-rc.d facilitator-email-poller defaults + # /etc/init.d/facilitator-email-poller start diff --git a/facilitator/doc/gmail-setup.txt b/facilitator/doc/gmail-setup.txt new file mode 100644 index 0000000..b51ce90 --- /dev/null +++ b/facilitator/doc/gmail-setup.txt 
@@ -0,0 +1,61 @@ +These are instructions for setting up a Gmail account for use with the +email-based rendezvous and flashproxy-reg-email. These instructions were +current as of May 2013. + +You may have trouble if you are using Tor to create the account, for two +reasons. The first is that exit nodes are a source of abuse and Google +is more suspicious of them. The second is that Gmail is suspicious and +can lock you out of the account when your IP address is changing. While +setting up the account, use a single node in your torrc ExitNodes +configuration. Choose a U.S. exit node, one with low bandwidth. + +Go to https://mail.google.com/. Allow JavaScript to run (even from +youtube.com; it seems to be necessary). Click the "CREATE AN ACCOUNT" +button. + +Enter the account details. You don't need to fill in "Your current email +address". Enter a mobile phone number for later activation of two-factor +authentication. Solve the captcha. Click "Next Step". You may have to do +a phone SMS verification here. + +At this point the Gmail account is created. If you are pushed into +joining Google+, close everything out and go back to +https://mail.google.com/. + +Log out of the account and then back in again. There will be new text in +the lower right reading "Last account activity". Click "Details" and +turn off the unusual activity alerts. This will keep you from getting +locked out when you come from different IP addresses. At this point you +should remove the temporary ExitNodes configuration from torrc. + +Add a filter to prevent registrations from being marked as spam. Click +on the gear icon and select "Settings". Select "Filters" then "Create a +new filter". For "Has the words" type "in:spam", then "Create filter +with this search". There will be a warning that filters using "in:" will +never match incoming mail; this appears to be false and you can just +click OK. Check "Never send it to Spam" and click "Create filter". + +Enable IMAP. 
Click the gear icon, then "Settings", then "Forwarding and +POP/IMAP". + * Disable POP + * Enable IMAP + * Auto-Expunge on +Click "Save Changes". + +Enable two-factor authentication. We do this not so much for the +two-factor, but because it allows creating an independent password that +is used only for IMAP and does not have access to the web interface of +Gmail. Click the email address in the upper right, then "Account". Click +"Security". By "2-step verification" click "Edit". Click through until +it lets you set up. The phone number you provided when the account was +created will be automatically filled in. Choose "Text message (SMS)" +then click "Send code". Get your text message, type it in, and hit +"Verify". Uncheck "Trust this computer" on the next screen. Finally +"Confirm". On the following summary page, click "Show backup codes" and +save the codes to encrypted storage. Future codes can be generated at +https://www.google.com/accounts/SmsAuthConfig. + +Still on the 2-step summary page, click "Manage application-specific +passwords". Enter "IMAP" for the name and click "Generate password". +Save the password to encrypted storage. This is the password that will +be used with the --pass option of facilitator-email-poller.