[tor-bugs] #32532 [Internal Services/Tor Sysadmin Team]: Install ZNC on Chives, make pastly admin it

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 19 02:17:12 UTC 2019


#32532: Install ZNC on Chives, make pastly admin it
-------------------------------------------------+-------------------------
 Reporter:  pastly                               |          Owner:  pastly
     Type:  defect                               |         Status:  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by pastly):

 - [x] systemd.service config (pastly)

 Extremely basic service file to run znc. Plus unfortunately fell back to
 copying the certs out of /etc and putting them in ~/.znc/znc.pem once a
 week with a cron job due to what seems like a systemd security thing
 preventing me from reading /etc/ssl/private/ files.

 - [x] znc configuration (pastly)
 - [x] web interface configuration (pastly)

 Uhh ... done I think. I have IRC and HTTP on 2000 as well as IRC-over-TLS
 and HTTPS on 2001. I have an account for myself and can make/migrate
 additional accounts later without help.

 Speaking of the nginx proxy and these ports ...

 We can probably skip nginx. Our users can be expected to use Tor Browser
 in the rare instance they want to access the web interface. Thus
 `HiddenServicePort 80 2000` gets them secure access to the web interface.

 For their IRC client, opening 2001 in the firewall gets them IRC over TLS.
 I guess for completeness we should open 2000 for plaintext IRC. Finally,
 for the cool kids `HiddenServicePort 2000` gets them IRC over Tor.

 PS: why not v3 onion service? :p

 If what I'm saying sounds reasonable, then in lieu of the "nginx proxy"
 step, I would request the following lines in the torrc:

 {{{
 HiddenServiceVersion 3
 HiddenServicePort 80 2000
 HiddenServicePort 2000
 }}}

 And the firewall to allow inbound 2000 and 2001.

 And to be notified about what the new onion service is if you actually
 bump to v3.

 Thanks!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32532#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

