add detailed install instructions
This commit is contained in:
parent
132b6d2e12
commit
de6a4524b4
|
@ -0,0 +1,73 @@
|
|||
# Setup
|
||||
|
||||
## Install
|
||||
|
||||
Start by installing Go, Git, GCC and glibc (the program is written in Go, but a tiny bit of C code is used to drop privileges when running as root). On Debian, run:
|
||||
|
||||
```
|
||||
apt install golang git gcc libc6-dev
|
||||
```
|
||||
|
||||
Then fetch and build the program:
|
||||
|
||||
```
|
||||
go get tildegit.org/nervuri/client-hello-mirror
|
||||
```
|
||||
|
||||
The resulting binary should now be at `~/go/bin/client-hello-mirror`. You can make it available to all users on the system:
|
||||
|
||||
```
|
||||
ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
|
||||
```
|
||||
|
||||
## Run
|
||||
|
||||
Generate TLS certificate:
|
||||
|
||||
```
|
||||
# CA-signed:
|
||||
certbot certonly --webroot -w /var/www/example.com -d example.com
|
||||
# or self-signed:
|
||||
openssl req -new -subj "/CN=example.com" -x509 -days 36500 -nodes -out cert.pem -keyout privkey.pem
|
||||
```
|
||||
|
||||
Run on port 1965:
|
||||
|
||||
```
|
||||
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :1965
|
||||
```
|
||||
|
||||
## Daemonize
|
||||
|
||||
In order to run the program as a daemon and auto-start it on boot, you need to manage it with your operating system's init system. Here you'll find instructions for systemd.
|
||||
|
||||
Sample systemd unit file:
|
||||
|
||||
```
|
||||
[Unit]
|
||||
Description=TLS Client Hello Mirror
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
Restart=always
|
||||
ExecStart=client-hello-mirror -u www-data -c /etc/letsencrypt/live/example.org/cert.pem -k /etc/letsencrypt/live/example.org/privkey.pem :443 2\>/var/log/client-hello-mirror-error.log
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
Modify as needed, save to `/etc/systemd/system/client-hello-mirror.service` and run:
|
||||
|
||||
```
|
||||
systemctl enable client-hello-mirror.service
|
||||
systemctl start client-hello-mirror.service
|
||||
```
|
||||
|
||||
## Drop root
|
||||
|
||||
A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443. For security reasons, the program will drop root privileges imediately after loading the certificate and binding to the specified port. Use the `-u` option to select a user to switch to; the default is `www-data`.
|
||||
|
||||
## Redirect http:// to https://
|
||||
|
||||
For this you'll need to use another web server, such as nginx.
|
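Review bot: In the sample unit under "Daemonize", the `ExecStart=` line ends with `2\>/var/log/client-hello-mirror-error.log`, but systemd does not run `ExecStart=` through a shell, so no redirection happens and that text is handed to the program as an extra argument. Suggest dropping it and either leaving stderr in the journal or setting `StandardError=append:/var/log/client-hello-mirror-error.log` (systemd 240 or later). The same line passes `/etc/letsencrypt/live/example.org/cert.pem` to `-c`; in certbot's layout that file holds only the leaf certificate, and `fullchain.pem` is the one that includes the intermediates, so clients that validate the chain will likely need the latter. The domain there is example.org while the "Run" section uses example.com; pick one. Minor: "imediately" in "Drop root" should be "immediately".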
13
README.md
|
@ -16,18 +16,7 @@ Note that these lists do not include draft extensions and [GREASE](https://datat
|
|||
|
||||
## Installation
|
||||
|
||||
Instructions for Debian:
|
||||
|
||||
```
|
||||
# install Go
|
||||
apt install golang
|
||||
# fetch and build the program
|
||||
go get tildegit.org/nervuri/client-hello-mirror
|
||||
# generate TLS certificate
|
||||
openssl req -new -subj "/CN=localhost" -x509 -newkey ED25519 -days 36500 -nodes -out cert.pem -keyout privkey.pem
|
||||
# run on port 4444
|
||||
~/go/bin/client-hello-mirror -c cert.pem -k privkey.pem :4444
|
||||
```
|
||||
See [INSTALL.md](INSTALL.md).
|
||||
|
||||
## Roadmap
|
||||
|
||||
|
|
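Review bot: The self-signed example taken out of the README here passed `-newkey ED25519`, while the replacement command in INSTALL.md has no `-newkey` option, so readers following the new link get OpenSSL's default key type instead. If the change is intentional (for example for compatibility with older clients), say so in INSTALL.md; otherwise carry the option over. The old snippet also showed a `CN=localhost` run on port 4444 as a quick local test, and INSTALL.md only shows the example.com variant, so a one-line localhost example would keep that path documented.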