Add example advanced deployments
authorcat æscling <11325618-aescling@users.noreply.gitlab.com>
Wed, 2 Aug 2023 10:03:41 +0000 (06:03 -0400)
committercat æscling <11325618-aescling@users.noreply.gitlab.com>
Thu, 3 Aug 2023 01:11:19 +0000 (21:11 -0400)
I say "advanced", but the http-to-https redirect is so essential, an
example deployment needed to be provided

The dynamic service creation is certainly an eyebrow raiser.
s6-instance-maker was considered but it not seem to support enough of
the functionality the current run script has

The fact that both redirect deployments use the same run script is a
code smell

s6-ipcserver was not explicitly created for this purpose. it is actually
distributed with s6 instead of s6-networking. the privilege escalation
functionality of s6-ipcserver, while entirely reasonable for its
intended purpose, might raise an eyebrow, but you need to run it (and
httpd.execline) as root anyway, so it's not the obvious potential
exploit of this system

* Add hidden service--only deployment
* Implement suggestions from self-review
* /srv/httpd-execline -> /srv/httpd.execline
* Fix many mistakes

50 files changed:
examples/README.md [new file with mode: 0644]
examples/hidden-service-only/README.md [new file with mode: 0644]
examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root [new file with mode: 0644]
examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location [new file with mode: 0644]
examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory [new file with mode: 0644]
examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user [new file with mode: 0644]
examples/hidden-service-only/httpd.execline/log/run [new file with mode: 0644]
examples/hidden-service-only/httpd.execline/run [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/README.md [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/CERTFILE [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/KEYFILE [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_GID [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_UID [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip4 [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip6 [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_user [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_https [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_redirect [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/run [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline [new file with mode: 0644]
examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline [new file with mode: 0644]
examples/https-with-redirect/README.md [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/CERTFILE [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/KEYFILE [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/TLS_GID [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/TLS_UID [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip4 [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip6 [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_https [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_redirect [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/log/run [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/run [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/templates/run-https.execline [new file with mode: 0644]
examples/https-with-redirect/httpd.execline/templates/run-redirect.execline [new file with mode: 0644]
log/run.example [deleted file]
run.template [deleted file]
visible-to-httpd/binaries/httpd-redirect.execline [moved from visible-to-httpd/binaries/redirect.execline with 93% similarity]

diff --git a/examples/README.md b/examples/README.md
new file mode 100644 (file)
index 0000000..296c4dd
--- /dev/null
@@ -0,0 +1,9 @@
+# examples
+
+these example service dirctories are intended for use with s6.
+copy the relevant `httpd.execline` folder into `/etc/service`, edit the
+    environment variables in `data/env` and `log/data/env`, and create a
+    symlink in your system procces supervision directory.
+(`https-with-redirect` is the recommended example configuartion.)
+
+you may need to edit the execlineb shebang for your system
diff --git a/examples/hidden-service-only/README.md b/examples/hidden-service-only/README.md
new file mode 100644 (file)
index 0000000..e7e5cab
--- /dev/null
@@ -0,0 +1,14 @@
+# hidden-service only
+
+Notes:
+
+* the only listening sockets created are in the unix domain
+* configure your Tor hidden service(s) appropriately
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+    variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+    to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+    * if installed normally instead, edit accordingly
+* the httpd user should not have write permissions on
+    any file or directory within the httpd.execline jail
diff --git a/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root b/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root
new file mode 100644 (file)
index 0000000..1c8f062
--- /dev/null
@@ -0,0 +1 @@
+/srv/httpd.execline
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location b/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location
new file mode 100644 (file)
index 0000000..addb9b9
--- /dev/null
@@ -0,0 +1 @@
+/run/httpd_execline/httpd.sock
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory b/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory
new file mode 100644 (file)
index 0000000..741dbaf
--- /dev/null
@@ -0,0 +1 @@
+/var/log/httpd.execline
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user b/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user
new file mode 100644 (file)
index 0000000..fbf828d
--- /dev/null
@@ -0,0 +1 @@
+log
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/log/run b/examples/hidden-service-only/httpd.execline/log/run
new file mode 100644 (file)
index 0000000..59db39b
--- /dev/null
@@ -0,0 +1,10 @@
+#!/command/execlineb -WP
+
+s6-env data/env
+multisubstitute {
+    importas -iu user httpd_execline_log_user
+    importas -iu logdir httpd_execline_log_directory
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
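Review bot: The `multisubstitute {` block opened on the fourth line is never closed, so `emptyenv -p` and `s6-setuidgid ${user}` are parsed as directives inside the block and the script cannot start; add `}` after the `importas -iu logdir httpd_execline_log_directory` line, as the two sibling log/run scripts in this commit do. The first command is also `s6-env data/env`, where every other log/run here uses `s6-envdir data/env`; as written the env files are presumably never read and both `-i` imports fail, so change it to `s6-envdir data/env`.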
diff --git a/examples/hidden-service-only/httpd.execline/run b/examples/hidden-service-only/httpd.execline/run
new file mode 100644 (file)
index 0000000..5b02e87
--- /dev/null
@@ -0,0 +1,14 @@
+#!/command/execlineb
+
+multisubstitute {
+    importas -iu socket httpd_execline_unix_domain_superserver_location
+    importas -iu httpd_execline_root
+    importas -iu user httpd_execline_user
+}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-ipcserver -Pv -- ${socket}
+    toybox timeout -v -i --foreground --preserve-status 60
+        getpid process_id
+        ./binaries/httpd.execline
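Review bot: `importas -iu httpd_execline_root` in the multisubstitute block is missing its second (environment variable) argument, so the following token is presumably consumed as that name and the block fails to parse; the templates in this commit use the two-argument form `importas -iu httpd_execline_root httpd_execline_root`. The same one-argument line appears in service/httpd-ipc/run of the https-with-redirect-and-with-hidden-service example. Separately, this script never runs `s6-envdir data/env`, and the hidden-service-only data/env only ships httpd_execline_root and httpd_execline_unix_domain_superserver_location, so `importas -iu user httpd_execline_user` has nothing to import and `-i` aborts the run; add `s6-envdir data/env` before the block and a `data/env/httpd_execline_user` file.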
diff --git a/examples/https-with-redirect-and-with-hidden-service/README.md b/examples/https-with-redirect-and-with-hidden-service/README.md
new file mode 100644 (file)
index 0000000..4eaaeec
--- /dev/null
@@ -0,0 +1,21 @@
+# https with redirect and with hidden service
+
+Notes:
+
+* **onion service access does not involve your TLS certificate in any way**
+    * while onion domains *can* be listed in TLS certificates, this is
+        uncommon; Let&#x2019;s Encrypt does not support it at all
+    * if you *want* HTTPS over Tor, the https-with-redirect deployment is
+        already sufficient
+    * regardless, configure your Tor to point to the unix domain httpd
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+    variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+    to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+    * if installed normally instead, edit accordingly
+* the httpd and http-to-https users should not have write permissions on
+    any file or directory within the httpd.execline jail
+* create symlinks from the hidden service domain names to the clearnet
+    ones or vice versa, and consider configuring domain-wide Onion-Location
+    headers for the clearnet domains
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/CERTFILE b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/CERTFILE
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/KEYFILE b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/KEYFILE
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_GID b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_GID
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_UID b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_UID
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip4 b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip4
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip6 b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip6
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https
new file mode 100644 (file)
index 0000000..8f6e441
--- /dev/null
@@ -0,0 +1 @@
+443
\ No newline at end of file
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect
new file mode 100644 (file)
index 0000000..e3f1e9b
--- /dev/null
@@ -0,0 +1 @@
+80
\ No newline at end of file
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root
new file mode 100644 (file)
index 0000000..1c8f062
--- /dev/null
@@ -0,0 +1 @@
+/srv/httpd.execline
\ No newline at end of file
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location
new file mode 100644 (file)
index 0000000..addb9b9
--- /dev/null
@@ -0,0 +1 @@
+/run/httpd_execline/httpd.sock
\ No newline at end of file
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_user b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_user
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_https b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_https
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_redirect b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_redirect
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory
new file mode 100644 (file)
index 0000000..741dbaf
--- /dev/null
@@ -0,0 +1 @@
+/var/log/httpd.execline
\ No newline at end of file
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user
new file mode 100644 (file)
index 0000000..fbf828d
--- /dev/null
@@ -0,0 +1 @@
+log
\ No newline at end of file
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run
new file mode 100644 (file)
index 0000000..7042127
--- /dev/null
@@ -0,0 +1,11 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+    importas -iu user httpd_execline_log_user
+    importas -iu logdir httpd_execline_log_directory
+}
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/run b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/run
new file mode 100644 (file)
index 0000000..788297e
--- /dev/null
@@ -0,0 +1,54 @@
+#!/command/execlineb -WP
+# dynamically create and supervise services for https and http-to-https
+# redirects, both using both ipv4 and ipv6. the result will be four instances
+# of s6-tcpserver listening on the four ports
+#
+# on connection, the https services reverse proxy to a unix-domain superserver
+# for httpd.execline proper. hidden servces should target this socket;
+# configure your Tor config accordingly
+#
+# while https over tor is possible (if redundant), it would be desirable for
+# both simplifying deployment (the https-with-redirect script would be
+# perfectly usable) and for proving that the owner of the TLS certificate also
+# owns the onion service. unfortunately, Let's Encrypt does not provide certs
+# which list onion service domains, and probably do not ever plan to. Tor
+# browser's UI complains when TLS authentication fails over onion services, so
+# i prefer this setup
+#
+# if you do not want your website accessible over the clearnet, just use the
+# httpd-ipc service directory directly
+#
+# while the ip address environment variables are expected to be ipv4 and ipv6,
+# the script does not check, and will just try to use them as-is
+#
+# this script must as root; otherwise the subservices will fail
+
+s6-envdir data/env
+multisubstitute {
+    importas -i httpd_execline_ip4 httpd_execline_ip4
+    importas -i httpd_execline_ip6 httpd_execline_ip6
+    importas -i httpd_execline_port_https httpd_execline_port_https
+    importas -i httpd_execline_port_redirect httpd_execline_port_redirect
+
+}
+if {
+    forx -E ip { 4 6 }
+        forx -E service_type { https redirect }
+            define service_directory service/${service_type}-${ip}
+            if { mkdir -p ${service_directory}/data/env }
+            if {
+                redirfd -w 1 ${service_directory}/data/env/httpd_execline_ip
+                    execlineb -WP -c
+                        "importas -i -u output httpd_execline_ip"${ip}"
+                        s6-echo -n -- ${output}"
+            }
+            if {
+                redirfd -w 1 ${service_directory}/data/env/httpd_execline_port
+                    execlineb -WP -c
+                        "importas -i -u output httpd_execline_port_"${service_type}"
+                        s6-echo -n -- ${output}"
+            }
+            ln -sf templates/run.execline ${service_directory}/run
+}
+fdmove -c 2 1
+s6-svscan service
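Review bot: `ln -sf templates/run.execline ${service_directory}/run` points at a file that does not exist (the templates shipped here are run-https.execline and run-redirect.execline), and the relative target is resolved from service/<type>-<ip>/ rather than from the service directory, so every generated run is a dangling symlink and s6-svscan supervises nothing. The https-with-redirect example's run already handles both with `backtick -E -n pwd { pwd }` and `ln -sf ${pwd}/templates/run-${service_type}.execline ${service_directory}/run`. The header line `# this script must as root; otherwise the subservices will fail` is missing the word `run`.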
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run
new file mode 100644 (file)
index 0000000..2ce777a
--- /dev/null
@@ -0,0 +1,15 @@
+#!/command/execlineb
+
+multisubstitute {
+    importas -iu socket httpd_execline_unix_domain_superserver_location
+    importas -iu httpd_execline_root
+    importas -iu user httpd_execline_unix_domain_superserver_user
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-ipcserver -Pv -- ${socket}
+    toybox timeout -v -i --foreground --preserve-status 60
+        getpid process_id
+        ./binaries/httpd.execline
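Review bot: Nothing in this example creates the directory part of the socket path (data/env ships `/run/httpd_execline/httpd.sock`), so on a fresh boot `s6-ipcserver -Pv -- ${socket}` presumably fails to bind until someone makes `/run/httpd_execline` by hand; an `if { mkdir -p ... }` in the parent run script, or a comment stating the prerequisite, would avoid that. The READMEs also tell the reader to point Tor at this socket but do not say which local user must be able to connect to it; a comment above the `s6-ipcserver` line such as `# the socket's directory and mode must let the Tor daemon's user connect; nobody else needs to` would document the intended access boundary.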
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline
new file mode 100644 (file)
index 0000000..771f4a7
--- /dev/null
@@ -0,0 +1,17 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+    importas -iu ip httpd_execline_ip
+    importas -iu port httpd_execline_port
+    importas -iu httpd_execline_root httpd_execline_root
+    importas -iu user httpd_execline_user_https
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tlsserver -v -- ${ip} ${port}
+    toybox timeout -v -i --foreground --preserve-status 60
+        getpid process_id
+        ./binaries/httpd.execline
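Review bot: `emptyenv -p` clears CERTFILE, KEYFILE, TLS_UID and TLS_GID (inherited from the parent run's `s6-envdir data/env`) before `s6-tlsserver` is exec'd and nothing re-exports them, even though this example ships all four under data/env; the removed run.template documents CERTFILE/KEYFILE as required by the TLS daemon and TLS_UID/TLS_GID as what it uses to drop privileges after reading the key, so as written the TLS listener cannot find its certificate and, once that is fixed, would keep running as root. The https-with-redirect template re-exports CERTFILE and KEYFILE but has the same TLS_UID/TLS_GID omission, so the fix below applies to examples/https-with-redirect/httpd.execline/templates/run-https.execline as well.
```execline
multisubstitute {
    # … unchanged: ip, port, httpd_execline_root, user imports …
    importas -iu CERTFILE CERTFILE
    importas -iu KEYFILE KEYFILE
    importas -iu TLS_UID TLS_UID
    importas -iu TLS_GID TLS_GID
}
emptyenv -p
export CERTFILE ${CERTFILE}
export KEYFILE ${KEYFILE}
export TLS_UID ${TLS_UID}
export TLS_GID ${TLS_GID}
# … unchanged: s6-envuidgid, cd, s6-tlsserver chain …
```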
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline
new file mode 100644 (file)
index 0000000..653152b
--- /dev/null
@@ -0,0 +1,17 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+    importas -iu ip httpd_execline_ip
+    importas -iu port httpd_execline_port
+    importas -iu httpd_execline_root httpd_execline_root
+    importas -iu user httpd_execline_user_redirect
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tcpserver -v -- ${ip} ${port}
+    toybox timeout -v -i --foreground --preserve-status 60
+        getpid process_id
+        ./binaries/httpd-redirect.execline
diff --git a/examples/https-with-redirect/README.md b/examples/https-with-redirect/README.md
new file mode 100644 (file)
index 0000000..518c37c
--- /dev/null
@@ -0,0 +1,12 @@
+# https with redirect
+
+Notes:
+
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+    variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+    to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+    * if installed normally instead, edit accordingly
+* the httpd and http-to-https users should not have write permissions on
+    any file or directory within the httpd.execline jail
diff --git a/examples/https-with-redirect/httpd.execline/data/env/CERTFILE b/examples/https-with-redirect/httpd.execline/data/env/CERTFILE
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/KEYFILE b/examples/https-with-redirect/httpd.execline/data/env/KEYFILE
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/TLS_GID b/examples/https-with-redirect/httpd.execline/data/env/TLS_GID
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/TLS_UID b/examples/https-with-redirect/httpd.execline/data/env/TLS_UID
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip4 b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip4
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip6 b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip6
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https
new file mode 100644 (file)
index 0000000..8f6e441
--- /dev/null
@@ -0,0 +1 @@
+443
\ No newline at end of file
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect
new file mode 100644 (file)
index 0000000..e3f1e9b
--- /dev/null
@@ -0,0 +1 @@
+80
\ No newline at end of file
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root
new file mode 100644 (file)
index 0000000..1c8f062
--- /dev/null
@@ -0,0 +1 @@
+/srv/httpd.execline
\ No newline at end of file
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_https b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_https
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_redirect b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_redirect
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory b/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory
new file mode 100644 (file)
index 0000000..741dbaf
--- /dev/null
@@ -0,0 +1 @@
+/var/log/httpd.execline
\ No newline at end of file
diff --git a/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user b/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user
new file mode 100644 (file)
index 0000000..fbf828d
--- /dev/null
@@ -0,0 +1 @@
+log
\ No newline at end of file
diff --git a/examples/https-with-redirect/httpd.execline/log/run b/examples/https-with-redirect/httpd.execline/log/run
new file mode 100644 (file)
index 0000000..7042127
--- /dev/null
@@ -0,0 +1,11 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+    importas -iu user httpd_execline_log_user
+    importas -iu logdir httpd_execline_log_directory
+}
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
diff --git a/examples/https-with-redirect/httpd.execline/run b/examples/https-with-redirect/httpd.execline/run
new file mode 100644 (file)
index 0000000..9a5e52d
--- /dev/null
@@ -0,0 +1,40 @@
+#!/command/execlineb -WP
+# dynamically create and supervise services for https and http-to-https
+# redirects, both using both ipv4 and ipv6. the result will be four instances
+# of s6-tcpserver listening on the four ports
+#
+# while the ip address environment variables are expected to be ipv4 and ipv6,
+# the script does not check, and will just try to use them as-is
+#
+# this script must as root; otherwise the subservices will fail
+
+s6-envdir data/env
+multisubstitute {
+    importas -i httpd_execline_ip4 httpd_execline_ip4
+    importas -i httpd_execline_ip6 httpd_execline_ip6
+    importas -i httpd_execline_port_https httpd_execline_port_https
+    importas -i httpd_execline_port_redirect httpd_execline_port_redirect
+}
+backtick -E -n pwd { pwd }
+
+if {
+    forx -E ip { 4 6 }
+        forx -E service_type { https redirect }
+            define service_directory service/${service_type}-${ip}
+            if { mkdir -p ${service_directory}/data/env }
+            if {
+                redirfd -w 1 ${service_directory}/data/env/httpd_execline_ip
+                    execlineb -WP -c
+                        "importas -i -u output httpd_execline_ip"${ip}"
+                        s6-echo -n -- ${output}"
+            }
+            if {
+                redirfd -w 1 ${service_directory}/data/env/httpd_execline_port
+                    execlineb -WP -c
+                        "importas -i -u output httpd_execline_port_"${service_type}"
+                        s6-echo -n -- ${output}"
+            }
+            ln -sf ${pwd}/templates/run-${service_type}.execline ${service_directory}/run
+}
+fdmove -c 2 1
+s6-svscan service
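Review bot: The generated services' templates import httpd_execline_root, the user names and CERTFILE/KEYFILE, which are only present because this script runs `s6-envdir data/env` and never `emptyenv`s before `s6-svscan service`, while the per-service data/env written here holds only httpd_execline_ip and httpd_execline_port; that pass-through is load-bearing and undocumented, so add a comment above `s6-envdir data/env` such as `# the whole of data/env is deliberately left in the environment: s6-svscan passes it to the generated services, whose templates import the rest from there`. The header line `# this script must as root; otherwise the subservices will fail` is missing the word `run`.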
diff --git a/examples/https-with-redirect/httpd.execline/templates/run-https.execline b/examples/https-with-redirect/httpd.execline/templates/run-https.execline
new file mode 100644 (file)
index 0000000..19494c4
--- /dev/null
@@ -0,0 +1,21 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+    importas -iu ip httpd_execline_ip
+    importas -iu port httpd_execline_port
+    importas -iu httpd_execline_root httpd_execline_root
+    importas -iu user httpd_execline_user_https
+    importas -iu CERTFILE CERTFILE
+    importas -iu KEYFILE KEYFILE
+}
+emptyenv -p
+export CERTFILE ${CERTFILE}
+export KEYFILE ${KEYFILE}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tlsserver -v -- ${ip} ${port}
+    toybox timeout -v -i --foreground --preserve-status 60
+        getpid process_id
+        ./binaries/httpd.execline
diff --git a/examples/https-with-redirect/httpd.execline/templates/run-redirect.execline b/examples/https-with-redirect/httpd.execline/templates/run-redirect.execline
new file mode 100644 (file)
index 0000000..343bb4a
--- /dev/null
@@ -0,0 +1,16 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+    importas -iu ip httpd_execline_ip
+    importas -iu port httpd_execline_port
+    importas -iu httpd_execline_root httpd_execline_root
+    importas -iu user httpd_execline_user_redirect
+}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tcpserver -v -- ${ip} ${port}
+    toybox timeout -v -i --foreground --preserve-status 60
+        getpid process_id
+        ./binaries/httpd-redirect.execline
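Review bot: This template has no `emptyenv -p` between the multisubstitute block and `s6-envuidgid ${user}`, unlike run-https.execline beside it and the redirect template in the https-with-redirect-and-with-hidden-service example, so the redirect listener inherits the supervisor's full environment (including the CERTFILE/KEYFILE paths and TLS_UID/TLS_GID) and carries it through the chroot into httpd-redirect.execline, which needs none of it. Insert `emptyenv -p` after the closing `}` to match the other templates.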
diff --git a/log/run.example b/log/run.example
deleted file mode 100644 (file)
index 7b2f84f..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/local/bin/execlineb -WP
-
-s6-setuidgid log
-s6-log t /log/httpd-ipc
diff --git a/run.template b/run.template
deleted file mode 100755 (executable)
index b74022d..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/execlineb -WP
-#
-# example `run` script for daemontools-style process supervision
-# replace contents in `${}` and copy to `./run`
-
-# for logging: redirect standard error to standard output
-fdmove -c 2 1
-
-# clear the entire environment except for PATH
-emptyenv -p
-
-# required by `s6-tld`
-export CERTFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/fullchain.pem
-export KEYFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/privkey.pem
-
-# we run as root until very early in `./binaries/httpd.execline` and `s6-tlsd`; this sets up environment variables for dropping priveleges
-#
-# sample numerical user ID for user `s6-tlsd` runs as (after reading certificate)
-export TLS_UID ${YOUR_TLS_USER_USER_ID_HERE}
-export TLS_GID ${YOUR_TLS_USER_GROUP_ID_HERE}
-# user for ./binaries/httpd.execline (after `chroot(8)`)
-s6-envuidgid ${YOUR_HTTP_USER_NAME_HERE}
-
-cd visible-to-httpd
-
-# somewhat verbose command line to make the httpd able to log the PID reported by s6-tcpserver  
-# (s6-tcpserver prints the pid of `s6-tlsd`, but `./httpd.execline` is a child of said PID)
-s6-tcpserver4
-       # for logging: log beginning and end of every connection
-       -v 2
-       # allow 1000 simultaneous connections; allow them all to be from the same ip address
-       -c 1000 -C 1000
-       --
-       ${YOUR_IP_ADDRESS_HERE}
-       443
-               getpid process_id # for logging
-               s6-tlsd
-                       --
-                               ./binaries/httpd.execline
similarity index 93%
rename from visible-to-httpd/binaries/redirect.execline
rename to visible-to-httpd/binaries/httpd-redirect.execline
index dff964c3d2d15efaf2b78d68a9859eb5fd571f2d..394410a358ef5721f229266f5008cc303706c540 100644 (file)
@@ -1,9 +1,7 @@
 #!/command/execlineb -WP
 
-importas -i httpd_execline_jail_directory httpd_execline_jail_directory
-
 export PATH /binaries
-chroot ${httpd_execline_jail_directory}
+chroot .
 s6-applyuidgid -U -z
 
 export program_name redirect.execline
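Review bot: `chroot .` now makes whatever directory the caller left as cwd the jail, and nothing in this file says so; the run templates in this commit `cd ${httpd_execline_root}` before exec'ing the chain, so a caller that forgets the cd would chroot into its own service directory instead of the jail. Add a comment above the `chroot .` line such as `# the jail is the current directory: callers must cd into httpd_execline_root before exec'ing this script`. The script continues past the end of the hunk.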