--- /dev/null
+# examples
+
+these example service dirctories are intended for use with s6.
+copy the relevant `httpd.execline` folder into `/etc/service`, edit the
+ environment variables in `data/env` and `log/data/env`, and create a
+ symlink in your system procces supervision directory.
+(`https-with-redirect` is the recommended example configuartion.)
+
+you may need to edit the execlineb shebang for your system
--- /dev/null
+# hidden-service only
+
+Notes:
+
+* the only listening sockets created are in the unix domain
+* configure your Tor hidden service(s) appropriately
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+ variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+ to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+ * if installed normally instead, edit accordingly
+* the httpd user should not have write permissions on
+ any file or directory within the httpd.execline jail
--- /dev/null
+/srv/httpd.execline
\ No newline at end of file
--- /dev/null
+/run/httpd_execline/httpd.sock
\ No newline at end of file
--- /dev/null
+/var/log/httpd.execline
\ No newline at end of file
--- /dev/null
+log
\ No newline at end of file
--- /dev/null
+#!/command/execlineb -WP
+
+s6-env data/env
+multisubstitute {
+ importas -iu user httpd_execline_log_user
+ importas -iu logdir httpd_execline_log_directory
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
--- /dev/null
+#!/command/execlineb
+
+multisubstitute {
+ importas -iu socket httpd_execline_unix_domain_superserver_location
+ importas -iu httpd_execline_root
+ importas -iu user httpd_execline_user
+}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-ipcserver -Pv -- ${socket}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
--- /dev/null
+# https with redirect and with hidden service
+
+Notes:
+
+* **onion service access does not involve your TLS certificate in any way**
+ * while onion domains *can* be listed in TLS certificates, this is
+ uncommon; Let’s Encrypt does not support it at all
+ * if you *want* HTTPS over Tor, the https-with-redirect deployment is
+ already sufficient
+ * regardless, configure your Tor to point to the unix domain httpd
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+ variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+ to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+ * if installed normally instead, edit accordingly
+* the httpd and http-to-https users should not have write permissions on
+ any file or directory within the httpd.execline jail
+* create symlinks from the hidden service domain names to the clearnet
+ ones or vice versa, and consider configuring domain-wide Onion-Location
+ headers for the clearnet domains
--- /dev/null
+443
\ No newline at end of file
--- /dev/null
+80
\ No newline at end of file
--- /dev/null
+/srv/httpd.execline
\ No newline at end of file
--- /dev/null
+/run/httpd_execline/httpd.sock
\ No newline at end of file
--- /dev/null
+/var/log/httpd.execline
\ No newline at end of file
--- /dev/null
+log
\ No newline at end of file
--- /dev/null
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu user httpd_execline_log_user
+ importas -iu logdir httpd_execline_log_directory
+}
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
--- /dev/null
+#!/command/execlineb -WP
+# dynamically create and supervise services for https and http-to-https
+# redirects, both using both ipv4 and ipv6. the result will be four instances
+# of s6-tcpserver listening on the four ports
+#
+# on connection, the https services reverse proxy to a unix-domain superserver
+# for httpd.execline proper. hidden servces should target this socket;
+# configure your Tor config accordingly
+#
+# while https over tor is possible (if redundant), it would be desirable for
+# both simplifying deployment (the https-with-redirect script would be
+# perfectly usable) and for proving that the owner of the TLS certificate also
+# owns the onion service. unfortunately, Let's Encrypt does not provide certs
+# which list onion service domains, and probably do not ever plan to. Tor
+# browser's UI complains when TLS authentication fails over onion services, so
+# i prefer this setup
+#
+# if you do not want your website accessible over the clearnet, just use the
+# httpd-ipc service directory directly
+#
+# while the ip address environment variables are expected to be ipv4 and ipv6,
+# the script does not check, and will just try to use them as-is
+#
+# this script must as root; otherwise the subservices will fail
+
+s6-envdir data/env
+multisubstitute {
+ importas -i httpd_execline_ip4 httpd_execline_ip4
+ importas -i httpd_execline_ip6 httpd_execline_ip6
+ importas -i httpd_execline_port_https httpd_execline_port_https
+ importas -i httpd_execline_port_redirect httpd_execline_port_redirect
+
+}
+if {
+ forx -E ip { 4 6 }
+ forx -E service_type { https redirect }
+ define service_directory service/${service_type}-${ip}
+ if { mkdir -p ${service_directory}/data/env }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_ip
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_ip"${ip}"
+ s6-echo -n -- ${output}"
+ }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_port
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_port_"${service_type}"
+ s6-echo -n -- ${output}"
+ }
+ ln -sf templates/run.execline ${service_directory}/run
+}
+fdmove -c 2 1
+s6-svscan service
--- /dev/null
+#!/command/execlineb
+
+multisubstitute {
+ importas -iu socket httpd_execline_unix_domain_superserver_location
+ importas -iu httpd_execline_root
+ importas -iu user httpd_execline_unix_domain_superserver_user
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-ipcserver -Pv -- ${socket}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
--- /dev/null
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_https
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tlsserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
--- /dev/null
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_redirect
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tcpserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd-redirect.execline
--- /dev/null
+# https with redirect
+
+Notes:
+
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+ variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+ to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+ * if installed normally instead, edit accordingly
+* the httpd and http-to-https users should not have write permissions on
+ any file or directory within the httpd.execline jail
--- /dev/null
+443
\ No newline at end of file
--- /dev/null
+80
\ No newline at end of file
--- /dev/null
+/srv/httpd.execline
\ No newline at end of file
--- /dev/null
+/var/log/httpd.execline
\ No newline at end of file
--- /dev/null
+log
\ No newline at end of file
--- /dev/null
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu user httpd_execline_log_user
+ importas -iu logdir httpd_execline_log_directory
+}
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
--- /dev/null
+#!/command/execlineb -WP
+# dynamically create and supervise services for https and http-to-https
+# redirects, both using both ipv4 and ipv6. the result will be four instances
+# of s6-tcpserver listening on the four ports
+#
+# while the ip address environment variables are expected to be ipv4 and ipv6,
+# the script does not check, and will just try to use them as-is
+#
+# this script must as root; otherwise the subservices will fail
+
+s6-envdir data/env
+multisubstitute {
+ importas -i httpd_execline_ip4 httpd_execline_ip4
+ importas -i httpd_execline_ip6 httpd_execline_ip6
+ importas -i httpd_execline_port_https httpd_execline_port_https
+ importas -i httpd_execline_port_redirect httpd_execline_port_redirect
+}
+backtick -E -n pwd { pwd }
+
+if {
+ forx -E ip { 4 6 }
+ forx -E service_type { https redirect }
+ define service_directory service/${service_type}-${ip}
+ if { mkdir -p ${service_directory}/data/env }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_ip
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_ip"${ip}"
+ s6-echo -n -- ${output}"
+ }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_port
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_port_"${service_type}"
+ s6-echo -n -- ${output}"
+ }
+ ln -sf ${pwd}/templates/run-${service_type}.execline ${service_directory}/run
+}
+fdmove -c 2 1
+s6-svscan service
--- /dev/null
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_https
+ importas -iu CERTFILE CERTFILE
+ importas -iu KEYFILE KEYFILE
+}
+emptyenv -p
+export CERTFILE ${CERTFILE}
+export KEYFILE ${KEYFILE}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tlsserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
--- /dev/null
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_redirect
+}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tcpserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd-redirect.execline
+++ /dev/null
-#!/usr/local/bin/execlineb -WP
-
-s6-setuidgid log
-s6-log t /log/httpd-ipc
+++ /dev/null
-#!/bin/execlineb -WP
-#
-# example `run` script for daemontools-style process supervision
-# replace contents in `${}` and copy to `./run`
-
-# for logging: redirect standard error to standard output
-fdmove -c 2 1
-
-# clear the entire environment except for PATH
-emptyenv -p
-
-# required by `s6-tld`
-export CERTFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/fullchain.pem
-export KEYFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/privkey.pem
-
-# we run as root until very early in `./binaries/httpd.execline` and `s6-tlsd`; this sets up environment variables for dropping priveleges
-#
-# sample numerical user ID for user `s6-tlsd` runs as (after reading certificate)
-export TLS_UID ${YOUR_TLS_USER_USER_ID_HERE}
-export TLS_GID ${YOUR_TLS_USER_GROUP_ID_HERE}
-# user for ./binaries/httpd.execline (after `chroot(8)`)
-s6-envuidgid ${YOUR_HTTP_USER_NAME_HERE}
-
-cd visible-to-httpd
-
-# somewhat verbose command line to make the httpd able to log the PID reported by s6-tcpserver
-# (s6-tcpserver prints the pid of `s6-tlsd`, but `./httpd.execline` is a child of said PID)
-s6-tcpserver4
- # for logging: log beginning and end of every connection
- -v 2
- # allow 1000 simultaneous connections; allow them all to be from the same ip address
- -c 1000 -C 1000
- --
- ${YOUR_IP_ADDRESS_HERE}
- 443
- getpid process_id # for logging
- s6-tlsd
- --
- ./binaries/httpd.execline
#!/command/execlineb -WP
-importas -i httpd_execline_jail_directory httpd_execline_jail_directory
-
export PATH /binaries
-chroot ${httpd_execline_jail_directory}
+chroot .
s6-applyuidgid -U -z
export program_name redirect.execline
cat aescling's git repositories / httpd-execline.git / commitdiff