From a23ae79561dcc17f96678619ccb2844259b3f3bf Mon Sep 17 00:00:00 2001 
From: =?utf8?q?cat=20=C3=A6scling?= <11325618-aescling@users.noreply.gitlab.com> Date: Wed, 2 Aug 2023 06:03:41 -0400 Subject: [PATCH] Add example advanced deployments I say "advanced", but the http-to-https redirect is so essential, an example deployment needed to be provided The dynamic service creation is certainly an eyebrow raiser. s6-instance-maker was considered but it not seem to support enough of the functionality the current run script has The fact that both redirect deployments use the same run script is a code smell s6-ipcserver was not explicitly created for this purpose. it is actually distributed with s6 instead of s6-networking. the privelege escalation functionality of s6-ipcserver, while entirely reasonable for its intended purpose, might raise an eyebrow, but you need to run it (and httpd.execline) as root anyway, so it's not the obvious potential exploit of this system * Add hidden service--only deployment * Implement suggestions from self-review * /srv/httpd-execline -> /srv/httpd.execline * Fix many mistakes --- examples/README.md | 9 ++++ examples/hidden-service-only/README.md | 14 +++++ .../data/env/httpd_execline_root | 1 + ..._execline_unix_domain_superserver_location | 1 + .../log/data/env/httpd_execline_log_directory | 1 + .../log/data/env/httpd_execline_log_user | 1 + .../httpd.execline/log/run | 10 ++++ .../hidden-service-only/httpd.execline/run | 14 +++++ .../README.md | 21 ++++++++ .../httpd.execline/data/env/CERTFILE | 0 .../httpd.execline/data/env/KEYFILE | 0 .../httpd.execline/data/env/TLS_GID | 0 .../httpd.execline/data/env/TLS_UID | 0 .../data/env/httpd_execline_ip4 | 0 .../data/env/httpd_execline_ip6 | 0 .../data/env/httpd_execline_port_https | 1 + .../data/env/httpd_execline_port_redirect | 1 + .../data/env/httpd_execline_root | 1 + ..._execline_unix_domain_superserver_location | 1 + ...ttpd_execline_unix_domain_superserver_user | 0 .../data/env/httpd_execline_user_https | 0 .../data/env/httpd_execline_user_redirect | 0 
.../log/data/env/httpd_execline_log_directory | 1 + .../log/data/env/httpd_execline_log_user | 1 + .../httpd.execline/log/run | 11 ++++ .../httpd.execline/run | 54 +++++++++++++++++++ .../httpd.execline/service/httpd-ipc/run | 15 ++++++ .../templates/run-https.execline | 17 ++++++ .../templates/run-redirect.execline | 17 ++++++ examples/https-with-redirect/README.md | 12 +++++ .../httpd.execline/data/env/CERTFILE | 0 .../httpd.execline/data/env/KEYFILE | 0 .../httpd.execline/data/env/TLS_GID | 0 .../httpd.execline/data/env/TLS_UID | 0 .../data/env/httpd_execline_ip4 | 0 .../data/env/httpd_execline_ip6 | 0 .../data/env/httpd_execline_port_https | 1 + .../data/env/httpd_execline_port_redirect | 1 + .../data/env/httpd_execline_root | 1 + .../data/env/httpd_execline_user_https | 0 .../data/env/httpd_execline_user_redirect | 0 .../log/data/env/httpd_execline_log_directory | 1 + .../log/data/env/httpd_execline_log_user | 1 + .../httpd.execline/log/run | 11 ++++ .../https-with-redirect/httpd.execline/run | 40 ++++++++++++++ .../templates/run-https.execline | 21 ++++++++ .../templates/run-redirect.execline | 16 ++++++ log/run.example | 4 -- run.template | 39 -------------- ...irect.execline => httpd-redirect.execline} | 4 +- 50 files changed, 298 insertions(+), 46 deletions(-) create mode 100644 examples/README.md create mode 100644 examples/hidden-service-only/README.md create mode 100644 examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root create mode 100644 examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location create mode 100644 examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory create mode 100644 examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user create mode 100644 examples/hidden-service-only/httpd.execline/log/run create mode 100644 examples/hidden-service-only/httpd.execline/run create mode 100644 
examples/https-with-redirect-and-with-hidden-service/README.md create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/CERTFILE create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/KEYFILE create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_GID create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_UID create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip4 create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip6 create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_user create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_https create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_redirect create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run create mode 100644 
examples/https-with-redirect-and-with-hidden-service/httpd.execline/run create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline create mode 100644 examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline create mode 100644 examples/https-with-redirect/README.md create mode 100644 examples/https-with-redirect/httpd.execline/data/env/CERTFILE create mode 100644 examples/https-with-redirect/httpd.execline/data/env/KEYFILE create mode 100644 examples/https-with-redirect/httpd.execline/data/env/TLS_GID create mode 100644 examples/https-with-redirect/httpd.execline/data/env/TLS_UID create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip4 create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip6 create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_https create mode 100644 examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_redirect create mode 100644 examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory create mode 100644 examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user create mode 100644 examples/https-with-redirect/httpd.execline/log/run create mode 100644 examples/https-with-redirect/httpd.execline/run create mode 100644 examples/https-with-redirect/httpd.execline/templates/run-https.execline create mode 100644 examples/https-with-redirect/httpd.execline/templates/run-redirect.execline 
delete mode 100644 log/run.example delete mode 100755 run.template rename visible-to-httpd/binaries/{redirect.execline => httpd-redirect.execline} (93%) diff --git a/examples/README.md b/examples/README.md new file mode 100644 index 0000000..296c4dd --- /dev/null +++ b/examples/README.md @@ -0,0 +1,9 @@ +# examples + +these example service dirctories are intended for use with s6. +copy the relevant `httpd.execline` folder into `/etc/service`, edit the + environment variables in `data/env` and `log/data/env`, and create a + symlink in your system procces supervision directory. +(`https-with-redirect` is the recommended example configuartion.) + +you may need to edit the execlineb shebang for your system diff --git a/examples/hidden-service-only/README.md b/examples/hidden-service-only/README.md new file mode 100644 index 0000000..e7e5cab --- /dev/null +++ b/examples/hidden-service-only/README.md @@ -0,0 +1,14 @@ +# hidden-service only + +Notes: + +* the only listening sockets created are in the unix domain +* configure your Tor hidden service(s) appropriately +* these are service directories intended for supervision with s6 +* if a file in `data/env` should be nonempty, the corresponding environment + variable will be unset, and the script will fail +* the shebangs expect the systemwide execline to have been installed according + to the [slashpackage](https://cr.yp.to/slashpackage.html) convention + * if installed normally instead, edit accordingly +* the httpd user should not have write permissions on + any file or directory within the httpd.execline jail diff --git a/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root b/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root new file mode 100644 index 0000000..1c8f062 --- /dev/null +++ b/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_root @@ -0,0 +1 @@ +/srv/httpd.execline \ No newline at end of file 
diff --git a/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location b/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location
new file mode 100644
index 0000000..addb9b9
--- /dev/null
+++ b/examples/hidden-service-only/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location
@@ -0,0 +1 @@
+/run/httpd_execline/httpd.sock
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory b/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory
new file mode 100644
index 0000000..741dbaf
--- /dev/null
+++ b/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_directory
@@ -0,0 +1 @@
+/var/log/httpd.execline
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user b/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user
new file mode 100644
index 0000000..fbf828d
--- /dev/null
+++ b/examples/hidden-service-only/httpd.execline/log/data/env/httpd_execline_log_user
@@ -0,0 +1 @@
+log
\ No newline at end of file
diff --git a/examples/hidden-service-only/httpd.execline/log/run b/examples/hidden-service-only/httpd.execline/log/run
new file mode 100644
index 0000000..59db39b
--- /dev/null
+++ b/examples/hidden-service-only/httpd.execline/log/run
@@ -0,0 +1,10 @@
+#!/command/execlineb -WP
+
+s6-env data/env
+multisubstitute {
+ importas -iu user httpd_execline_log_user
+ importas -iu logdir httpd_execline_log_directory
+emptyenv -p
+s6-setuidgid ${user}
+
+s6-log t ${logdir}
diff --git a/examples/hidden-service-only/httpd.execline/run b/examples/hidden-service-only/httpd.execline/run
new file mode 100644
index 0000000..5b02e87
--- /dev/null
+++ b/examples/hidden-service-only/httpd.execline/run
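Review bot: `s6-env data/env` on the third line of this log/run is not an s6 program — the two other log/run scripts in this commit use `s6-envdir data/env` — and the `multisubstitute {` block is never closed, so this logger never starts and the hidden-service httpd's output has nowhere to go. The hunk header says 10 lines where the sibling loggers have 11; the missing line is the `}` before `emptyenv -p`. Change the third line to `s6-envdir data/env` and add `}` after the `importas -iu logdir` line.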
@@ -0,0 +1,14 @@
+#!/command/execlineb
+
+multisubstitute {
+ importas -iu socket httpd_execline_unix_domain_superserver_location
+ importas -iu httpd_execline_root
+ importas -iu user httpd_execline_user
+}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-ipcserver -Pv -- ${socket}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
diff --git a/examples/https-with-redirect-and-with-hidden-service/README.md b/examples/https-with-redirect-and-with-hidden-service/README.md
new file mode 100644
index 0000000..4eaaeec
--- /dev/null
+++ b/examples/https-with-redirect-and-with-hidden-service/README.md
@@ -0,0 +1,21 @@
+# https with redirect and with hidden service
+
+Notes:
+
+* **onion service access does not involve your TLS certificate in any way**
+ * while onion domains *can* be listed in TLS certificates, this is
+ uncommon; Let’s Encrypt does not support it at all
+ * if you *want* HTTPS over Tor, the https-with-redirect deployment is
+ already sufficient
+ * regardless, configure your Tor to point to the unix domain httpd
+* these are service directories intended for supervision with s6
+* if a file in `data/env` should be nonempty, the corresponding environment
+ variable will be unset, and the script will fail
+* the shebangs expect the systemwide execline to have been installed according
+ to the [slashpackage](https://cr.yp.to/slashpackage.html) convention
+ * if installed normally instead, edit accordingly
+* the httpd and http-to-https users should not have write permissions on
+ any file or directory within the httpd.execline jail
+* create symlinks from the hidden service domain names to the clearnet
+ ones or vice versa, and consider configuring domain-wide Onion-Location
+ headers for the clearnet domains
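Review bot: Nothing loads `data/env` before the `-i` imports in this run script: unlike every other run script in the commit it has no `s6-envdir data/env`, so `httpd_execline_unix_domain_superserver_location` and `httpd_execline_root` are unset and `multisubstitute` fails on the first line that needs them. The line `importas -iu httpd_execline_root` is also missing its envvar operand (the templates spell it `importas -iu httpd_execline_root httpd_execline_root`), and `httpd_execline_user` has no file under this example's `data/env` — the diffstat adds only `httpd_execline_root` and `httpd_execline_unix_domain_superserver_location` there — so even with the envdir loaded the `-i` import of the unprivileged user fails. `service/httpd-ipc/run` in the https-with-redirect-and-with-hidden-service example carries the same one-operand importas. Adding `s6-envdir data/env` above `multisubstitute {`, completing the importas line, and shipping a `data/env/httpd_execline_user` file would let this example start.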
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/CERTFILE b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/CERTFILE new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/KEYFILE b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/KEYFILE new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_GID b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_GID new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_UID b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/TLS_UID new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip4 b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip4 new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip6 b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_ip6 new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https new file mode 100644 index 0000000..8f6e441 --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_https @@ -0,0 +1 @@ +443 \ No newline at end of file 
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect new file mode 100644 index 0000000..e3f1e9b --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_port_redirect @@ -0,0 +1 @@ +80 \ No newline at end of file diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root new file mode 100644 index 0000000..1c8f062 --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_root @@ -0,0 +1 @@ +/srv/httpd.execline \ No newline at end of file diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location new file mode 100644 index 0000000..addb9b9 --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_location @@ -0,0 +1 @@ +/run/httpd_execline/httpd.sock \ No newline at end of file diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_user b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_unix_domain_superserver_user new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_https b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_https new file mode 100644 index 0000000..e69de29 
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_redirect b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/data/env/httpd_execline_user_redirect new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory new file mode 100644 index 0000000..741dbaf --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_directory @@ -0,0 +1 @@ +/var/log/httpd.execline \ No newline at end of file diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user new file mode 100644 index 0000000..fbf828d --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/data/env/httpd_execline_log_user @@ -0,0 +1 @@ +log \ No newline at end of file diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run new file mode 100644 index 0000000..7042127 --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/log/run @@ -0,0 +1,11 @@ +#!/command/execlineb -WP + +s6-envdir data/env +multisubstitute { + importas -iu user httpd_execline_log_user + importas -iu logdir httpd_execline_log_directory +} +emptyenv -p +s6-setuidgid ${user} + +s6-log t ${logdir} diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/run b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/run new file mode 100644 index 0000000..788297e --- /dev/null 
+++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/run 
@@ -0,0 +1,54 @@
+#!/command/execlineb -WP
+# dynamically create and supervise services for https and http-to-https
+# redirects, both using both ipv4 and ipv6. the result will be four instances
+# of s6-tcpserver listening on the four ports
+#
+# on connection, the https services reverse proxy to a unix-domain superserver
+# for httpd.execline proper. hidden servces should target this socket;
+# configure your Tor config accordingly
+#
+# while https over tor is possible (if redundant), it would be desirable for
+# both simplifying deployment (the https-with-redirect script would be
+# perfectly usable) and for proving that the owner of the TLS certificate also
+# owns the onion service. unfortunately, Let's Encrypt does not provide certs
+# which list onion service domains, and probably do not ever plan to. Tor
+# browser's UI complains when TLS authentication fails over onion services, so
+# i prefer this setup
+#
+# if you do not want your website accessible over the clearnet, just use the
+# httpd-ipc service directory directly
+#
+# while the ip address environment variables are expected to be ipv4 and ipv6,
+# the script does not check, and will just try to use them as-is
+#
+# this script must as root; otherwise the subservices will fail
+
+s6-envdir data/env
+multisubstitute {
+ importas -i httpd_execline_ip4 httpd_execline_ip4
+ importas -i httpd_execline_ip6 httpd_execline_ip6
+ importas -i httpd_execline_port_https httpd_execline_port_https
+ importas -i httpd_execline_port_redirect httpd_execline_port_redirect
+
+}
+if {
+ forx -E ip { 4 6 }
+ forx -E service_type { https redirect }
+ define service_directory service/${service_type}-${ip}
+ if { mkdir -p ${service_directory}/data/env }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_ip
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_ip"${ip}"
+ s6-echo -n -- ${output}"
+ }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_port
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_port_"${service_type}"
+ s6-echo -n -- ${output}"
+ }
+ ln -sf templates/run.execline ${service_directory}/run
+}
+fdmove -c 2 1
+s6-svscan service
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run
new file mode 100644
index 0000000..2ce777a
--- /dev/null
+++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/service/httpd-ipc/run
@@ -0,0 +1,15 @@
+#!/command/execlineb
+
+multisubstitute {
+ importas -iu socket httpd_execline_unix_domain_superserver_location
+ importas -iu httpd_execline_root
+ importas -iu user httpd_execline_unix_domain_superserver_user
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-ipcserver -Pv -- ${socket}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline
new file mode 100644
index 0000000..771f4a7
--- /dev/null
+++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-https.execline
@@ -0,0 +1,17 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_https
+}
+emptyenv -p
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tlsserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
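Review bot: The loop's last step `ln -sf templates/run.execline ${service_directory}/run` points every generated service at a file this commit does not create — the templates it adds are `templates/run-https.execline` and `templates/run-redirect.execline` — and a relative symlink target is resolved from inside `${service_directory}`, so s6-svscan is handed four dangling `run` links. The sibling `examples/https-with-redirect/httpd.execline/run` in this commit already has the right shape: `backtick -E -n pwd { pwd }` after the multisubstitute block and `ln -sf ${pwd}/templates/run-${service_type}.execline ${service_directory}/run`. A second point shared by both run scripts: if I remember forx correctly, without `-o`/`-x` it exits 0 whatever the loop body returned, so the enclosing `if` never sees a failed `mkdir` or env-file write and `s6-svscan service` starts regardless; `forx -E -o 0 ip { 4 6 }` (and the same on the inner forx) would make a setup failure abort the run script instead. Also in both scripts the header comment `# this script must as root` should read `# this script must run as root`, and the two https instances are s6-tlsserver rather than s6-tcpserver as the comment says.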
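Review bot: `emptyenv -p` on the line before `s6-envuidgid ${user}` discards the inherited CERTFILE and KEYFILE — the parent run's `s6-envdir data/env` is the only place they are loaded and this template never imports them — so s6-tlsserver is started without its certificate and key; the https-with-redirect template in this commit imports and re-exports both after `emptyenv -p`. The same applies to TLS_UID and TLS_GID, which the removed `run.template` describes as the uid/gid s6-tlsd switches to after reading the key: if s6-tlsd honours them the way that comment says, dropping them here leaves the TLS engine running as root for the life of every connection, and the `TLS_UID`/`TLS_GID` files in this example's `data/env` are dead weight (the https-with-redirect template loses those two as well). Import all four in the multisubstitute block and export them after `emptyenv -p`:
```execline
multisubstitute {
  importas -iu ip httpd_execline_ip
  importas -iu port httpd_execline_port
  importas -iu httpd_execline_root httpd_execline_root
  importas -iu user httpd_execline_user_https
  importas -iu CERTFILE CERTFILE
  importas -iu KEYFILE KEYFILE
  importas -iu TLS_UID TLS_UID
  importas -iu TLS_GID TLS_GID
}
emptyenv -p
export CERTFILE ${CERTFILE}
export KEYFILE ${KEYFILE}
export TLS_UID ${TLS_UID}
export TLS_GID ${TLS_GID}
s6-envuidgid ${user}
# … unchanged: cd and the s6-tlsserver pipeline …
```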
diff --git a/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline new file mode 100644 index 0000000..653152b --- /dev/null +++ b/examples/https-with-redirect-and-with-hidden-service/httpd.execline/templates/run-redirect.execline @@ -0,0 +1,17 @@ +#!/command/execlineb -WP + +s6-envdir data/env +multisubstitute { + importas -iu ip httpd_execline_ip + importas -iu port httpd_execline_port + importas -iu httpd_execline_root httpd_execline_root + importas -iu user httpd_execline_user_redirect +} +emptyenv -p +s6-envuidgid ${user} + +cd ${httpd_execline_root} +s6-tcpserver -v -- ${ip} ${port} + toybox timeout -v -i --foreground --preserve-status 60 + getpid process_id + ./binaries/httpd-redirect.execline diff --git a/examples/https-with-redirect/README.md b/examples/https-with-redirect/README.md new file mode 100644 index 0000000..518c37c --- /dev/null +++ b/examples/https-with-redirect/README.md @@ -0,0 +1,12 @@ +# https with redirect + +Notes: + +* these are service directories intended for supervision with s6 +* if a file in `data/env` should be nonempty, the corresponding environment + variable will be unset, and the script will fail +* the shebangs expect the systemwide execline to have been installed according + to the [slashpackage](https://cr.yp.to/slashpackage.html) convention + * if installed normally instead, edit accordingly +* the httpd and http-to-https users should not have write permissions on + any file or directory within the httpd.execline jail diff --git a/examples/https-with-redirect/httpd.execline/data/env/CERTFILE b/examples/https-with-redirect/httpd.execline/data/env/CERTFILE new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/data/env/KEYFILE b/examples/https-with-redirect/httpd.execline/data/env/KEYFILE new file mode 100644 index 0000000..e69de29 
diff --git a/examples/https-with-redirect/httpd.execline/data/env/TLS_GID b/examples/https-with-redirect/httpd.execline/data/env/TLS_GID new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/data/env/TLS_UID b/examples/https-with-redirect/httpd.execline/data/env/TLS_UID new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip4 b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip4 new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip6 b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_ip6 new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https new file mode 100644 index 0000000..8f6e441 --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_https @@ -0,0 +1 @@ +443 \ No newline at end of file diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect new file mode 100644 index 0000000..e3f1e9b --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_port_redirect @@ -0,0 +1 @@ +80 \ No newline at end of file diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root new file mode 100644 index 0000000..1c8f062 --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_root @@ -0,0 +1 @@ +/srv/httpd.execline \ No newline at end of file 
diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_https b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_https new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_redirect b/examples/https-with-redirect/httpd.execline/data/env/httpd_execline_user_redirect new file mode 100644 index 0000000..e69de29 diff --git a/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory b/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory new file mode 100644 index 0000000..741dbaf --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_directory @@ -0,0 +1 @@ +/var/log/httpd.execline \ No newline at end of file diff --git a/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user b/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user new file mode 100644 index 0000000..fbf828d --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/log/data/env/httpd_execline_log_user @@ -0,0 +1 @@ +log \ No newline at end of file diff --git a/examples/https-with-redirect/httpd.execline/log/run b/examples/https-with-redirect/httpd.execline/log/run new file mode 100644 index 0000000..7042127 --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/log/run @@ -0,0 +1,11 @@ +#!/command/execlineb -WP + +s6-envdir data/env +multisubstitute { + importas -iu user httpd_execline_log_user + importas -iu logdir httpd_execline_log_directory +} +emptyenv -p +s6-setuidgid ${user} + +s6-log t ${logdir} diff --git a/examples/https-with-redirect/httpd.execline/run b/examples/https-with-redirect/httpd.execline/run new file mode 100644 index 0000000..9a5e52d --- /dev/null +++ b/examples/https-with-redirect/httpd.execline/run 
@@ -0,0 +1,40 @@
+#!/command/execlineb -WP
+# dynamically create and supervise services for https and http-to-https
+# redirects, both using both ipv4 and ipv6. the result will be four instances
+# of s6-tcpserver listening on the four ports
+#
+# while the ip address environment variables are expected to be ipv4 and ipv6,
+# the script does not check, and will just try to use them as-is
+#
+# this script must as root; otherwise the subservices will fail
+
+s6-envdir data/env
+multisubstitute {
+ importas -i httpd_execline_ip4 httpd_execline_ip4
+ importas -i httpd_execline_ip6 httpd_execline_ip6
+ importas -i httpd_execline_port_https httpd_execline_port_https
+ importas -i httpd_execline_port_redirect httpd_execline_port_redirect
+}
+backtick -E -n pwd { pwd }
+
+if {
+ forx -E ip { 4 6 }
+ forx -E service_type { https redirect }
+ define service_directory service/${service_type}-${ip}
+ if { mkdir -p ${service_directory}/data/env }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_ip
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_ip"${ip}"
+ s6-echo -n -- ${output}"
+ }
+ if {
+ redirfd -w 1 ${service_directory}/data/env/httpd_execline_port
+ execlineb -WP -c
+ "importas -i -u output httpd_execline_port_"${service_type}"
+ s6-echo -n -- ${output}"
+ }
+ ln -sf ${pwd}/templates/run-${service_type}.execline ${service_directory}/run
+}
+fdmove -c 2 1
+s6-svscan service
diff --git a/examples/https-with-redirect/httpd.execline/templates/run-https.execline b/examples/https-with-redirect/httpd.execline/templates/run-https.execline
new file mode 100644
index 0000000..19494c4
--- /dev/null
+++ b/examples/https-with-redirect/httpd.execline/templates/run-https.execline
@@ -0,0 +1,21 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_https
+ importas -iu CERTFILE CERTFILE
+ importas -iu KEYFILE KEYFILE
+}
+emptyenv -p
+export CERTFILE ${CERTFILE}
+export KEYFILE ${KEYFILE}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tlsserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd.execline
diff --git a/examples/https-with-redirect/httpd.execline/templates/run-redirect.execline b/examples/https-with-redirect/httpd.execline/templates/run-redirect.execline
new file mode 100644
index 0000000..343bb4a
--- /dev/null
+++ b/examples/https-with-redirect/httpd.execline/templates/run-redirect.execline
@@ -0,0 +1,16 @@
+#!/command/execlineb -WP
+
+s6-envdir data/env
+multisubstitute {
+ importas -iu ip httpd_execline_ip
+ importas -iu port httpd_execline_port
+ importas -iu httpd_execline_root httpd_execline_root
+ importas -iu user httpd_execline_user_redirect
+}
+s6-envuidgid ${user}
+
+cd ${httpd_execline_root}
+s6-tcpserver -v -- ${ip} ${port}
+ toybox timeout -v -i --foreground --preserve-status 60
+ getpid process_id
+ ./binaries/httpd-redirect.execline
diff --git a/log/run.example b/log/run.example
deleted file mode 100644
index 7b2f84f..0000000
--- a/log/run.example
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/usr/local/bin/execlineb -WP
-
-s6-setuidgid log
-s6-log t /log/httpd-ipc
diff --git a/run.template b/run.template
deleted file mode 100755
index b74022d..0000000
--- a/run.template
+++ /dev/null
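Review bot: The run-redirect.execline template hands the whole inherited environment to `s6-tcpserver`: there is no `emptyenv -p` between the `}` that closes multisubstitute and `s6-envuidgid ${user}`, unlike the https template above it and the redirect template in the https-with-redirect-and-with-hidden-service example, both of which have it. Everything the parent run loaded from `data/env` — CERTFILE, KEYFILE, TLS_UID, TLS_GID, the other addresses and ports — therefore reaches the plain-HTTP listener and the chrooted `httpd-redirect.execline`, none of which needs it. Add `emptyenv -p` directly after the closing `}` so the redirect service sees only PATH, UID and GID like its siblings.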
@@ -1,39 +0,0 @@ -#!/bin/execlineb -WP -# -# example `run` script for daemontools-style process supervision -# replace contents in `${}` and copy to `./run` - -# for logging: redirect standard error to standard output -fdmove -c 2 1 - -# clear the entire environment except for PATH -emptyenv -p - -# required by `s6-tld` -export CERTFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/fullchain.pem -export KEYFILE /etc/letsencrypt/live/${YOUR_SITE_HERE}/privkey.pem - -# we run as root until very early in `./binaries/httpd.execline` and `s6-tlsd`; this sets up environment variables for dropping priveleges -# -# sample numerical user ID for user `s6-tlsd` runs as (after reading certificate) -export TLS_UID ${YOUR_TLS_USER_USER_ID_HERE} -export TLS_GID ${YOUR_TLS_USER_GROUP_ID_HERE} -# user for ./binaries/httpd.execline (after `chroot(8)`) -s6-envuidgid ${YOUR_HTTP_USER_NAME_HERE} - -cd visible-to-httpd - -# somewhat verbose command line to make the httpd able to log the PID reported by s6-tcpserver -# (s6-tcpserver prints the pid of `s6-tlsd`, but `./httpd.execline` is a child of said PID) -s6-tcpserver4 - # for logging: log beginning and end of every connection - -v 2 - # allow 1000 simultaneous connections; allow them all to be from the same ip address - -c 1000 -C 1000 - -- - ${YOUR_IP_ADDRESS_HERE} - 443 - getpid process_id # for logging - s6-tlsd - -- - ./binaries/httpd.execline diff --git a/visible-to-httpd/binaries/redirect.execline b/visible-to-httpd/binaries/httpd-redirect.execline similarity index 93% rename from visible-to-httpd/binaries/redirect.execline rename to visible-to-httpd/binaries/httpd-redirect.execline index dff964c..394410a 100644 --- a/visible-to-httpd/binaries/redirect.execline +++ b/visible-to-httpd/binaries/httpd-redirect.execline 
@@ -1,9 +1,7 @@ #!/command/execlineb -WP -importas -i httpd_execline_jail_directory httpd_execline_jail_directory - export PATH /binaries -chroot ${httpd_execline_jail_directory} +chroot . s6-applyuidgid -U -z export program_name redirect.execline -- 2.47.3
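Review bot: `chroot .` makes the jail boundary depend entirely on the caller's working directory, which every run script in this commit sets with `cd ${httpd_execline_root}` but nothing in this file verifies; a one-line comment above it, `# the run scripts cd into the jail root before exec'ing this; chroot into the cwd`, would stop the next editor from invoking it from elsewhere. The unchanged context line `export program_name redirect.execline` still carries the pre-rename name, so if that value is what reaches the logs it will no longer match the file name `httpd-redirect.execline`. The script continues past the end of the hunk.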