# Gemini on Tor

Specifically, tilde.black is now running gemini over tor properly. Are you running your gemini client over tor already? Try this link to find this page on tor:

=> gemini://black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion/~tomasino/journal/20200706-gemini-on-tor.gmi This page on tor!

Want to see a picture?

=> gemini-on-tor.png Picture of Kristall running tilde.black over tor!

Here's what I did.

* Generated a new TLS cert (good for 5 years) with both tilde.black and the onion address as subjectAltNames
* Set up a wrapper for jetforce according to the vhost.py example to serve both versions of the site
* Fixed my rc.d service to run everything on OpenBSD
* Oh yeah... set up tor

Let's look at each in turn.

## Creating a new cert

The newest openssl can do "-addext" which makes adding subjectAltName really easy. OpenBSD doesn't do that though cause it hates me. So instead I had to do this monstrosity. Yes, I'm running -nodes multiple times. No, I have no idea why or what these things do. No, I have no idea if the order is important. This was trial and error and stitching things together.

``` openssl creation command
openssl req \
    -newkey rsa:2048 \
    -days 1825 \
    -nodes \
    -keyout tilde.black.key \
    -subj "/CN=tilde.black" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:tilde.black,DNS:black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion")) \
    -nodes -x509 \
    -out tilde.black.crt \
    -extensions SAN
```

Because I run gemini under a service user, I chowned the crt and key files to that user and socked them away in /etc/gemini/ for good luck.
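
As an added example (not the command from the post, and not anything its author wrote), here is the same certificate generation done from Python. It writes the SAN section to a config file on disk instead of relying on the shell's <(...) process substitution, runs openssl req -x509 (a self-signed certificate rather than a CSR) with -nodes (unencrypted private key, so the daemon can start unattended) and -days 1825, and then reads the subjectAltName entries back out of openssl x509 -text so you can confirm both names actually landed in the cert. The x509_extensions key in the [req] section does the job that -extensions SAN does on the command line. It assumes the openssl binary is on PATH; the two host names are the ones from the post, and the sample openssl dump used for the self-check is constructed here.

```python
"""Added example, not the command from the post: generate a self-signed
certificate with a CN plus two subjectAltName DNS entries from a config file
written to disk, then read the SAN list back out to confirm it.

Assumes the `openssl` binary is on PATH.  SAMPLE_DUMP is a constructed excerpt
of `openssl x509 -text` output used to exercise the parser offline.
"""
import os
import re
import shutil
import subprocess
import tempfile

CLEARNET = "tilde.black"
ONION = "black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion"

# Constructed sample of the relevant part of an `openssl x509 -text` dump.
SAMPLE_DUMP = (
    "        X509v3 extensions:\n"
    "            X509v3 Subject Alternative Name: \n"
    "                DNS:tilde.black, DNS:example.onion\n"
    "            X509v3 Subject Key Identifier: \n"
)


def san_config(common_name, *alt_names):
    """Build an openssl config whose [req] section points at a SAN extension.

    `x509_extensions` here plays the role of `-extensions SAN` on the
    command line, so `openssl req -x509` adds the names to the certificate.
    """
    names = ",".join(f"DNS:{n}" for n in (common_name, *alt_names))
    return (
        "[req]\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "x509_extensions = san_ext\n"
        "\n"
        "[dn]\n"
        f"CN = {common_name}\n"
        "\n"
        "[san_ext]\n"
        f"subjectAltName = {names}\n"
    )


def make_self_signed(common_name, alt_names, out_dir, days=1825):
    """Run `openssl req -x509` with the generated config; returns (crt, key)."""
    cfg = os.path.join(out_dir, "san.cnf")
    crt = os.path.join(out_dir, f"{common_name}.crt")
    key = os.path.join(out_dir, f"{common_name}.key")
    with open(cfg, "w") as fh:
        fh.write(san_config(common_name, *alt_names))
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-days", str(days), "-config", cfg, "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    os.chmod(key, 0o600)  # only the service user needs to read the key
    return crt, key


def parse_san(x509_text):
    """Extract the DNS names from an `openssl x509 -text` dump."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", x509_text)
    if not m:
        return []
    entries = (e.strip() for e in m.group(1).split(","))
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def san_names(crt_path):
    """Ask openssl to dump the certificate and return its SAN DNS names."""
    dump = subprocess.run(
        ["openssl", "x509", "-in", crt_path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_san(dump)


def roundtrip():
    """Generate a throwaway cert and return its SAN names (None if no openssl)."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        crt, _key = make_self_signed(CLEARNET, [ONION], tmp)
        return san_names(crt)


if __name__ == "__main__":
    print(roundtrip())
```

Running it prints the list of names read back from the freshly generated certificate, which should be exactly the clearnet name followed by the onion name. The same parse_san check works against the cert produced by the command above, if you want to confirm that the stitched-together invocation did what it was supposed to.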

## The jetforce wrapper

I stuck with the example code as much as possible here. I probably don't need app_a, app_b, and app_default at all and could have just used one. I'm not 100% sure though and once it worked I stopped messing with it. The idea is to serve up files for either tilde.black or the onion address and this does that. Note I needed to tell the server where my keys were and to run on 0.0.0.0. I'm not sure what I would need to do to get this to run on both ipv4 and ipv6 at the same time. Maybe one of you can chime in?

``` jetforce wrapper
from jetforce import GeminiServer, StaticDirectoryApplication
from jetforce.app.composite import CompositeApplication

app_a = StaticDirectoryApplication(root_directory="/var/gemini/")
app_b = StaticDirectoryApplication(root_directory="/var/gemini/")
app_default = StaticDirectoryApplication(root_directory="/var/gemini/")

app = CompositeApplication(
    {
        "tilde.black": app_a,
        "black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion": app_b,
        # Use a default static file server for all other domains
        None: app_default,
    }
)

if __name__ == "__main__":
    server = GeminiServer(
        app,
        certfile="/etc/gemini/tilde.black.crt",
        keyfile="/etc/gemini/tilde.black.key",
        host="0.0.0.0",
    )
    server.run()
```
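
The wrapper above is jetforce's vhost.py example with this site's names filled in. As an added illustration that is not part of the post and not jetforce code, here is a stand-alone Python model of the same host-based dispatch, so the routing can be read and tested without jetforce installed: a request line is parsed, the host picks an application from a table whose None key is the catch-all, and one shared static application serves every name (which is all you need when every name points at the same directory). It also carries the check a static file server has to make before touching disk: the resolved path must still be under the root directory, otherwise a request for /../etc/passwd would walk out of /var/gemini. The host names and root directory are the ones from the post; index.gmi as the directory index is an assumption, and the request lines in the demo are constructed. No sockets or TLS here, only the routing decision and the path mapping.

```python
"""Added example, not the post's wrapper or jetforce code: a self-contained
model of host-based dispatch for a Gemini server.

Host names and root directory come from the post; "index.gmi" as the
directory index is an assumption; the request lines below are constructed.
"""
import os
from urllib.parse import unquote, urlparse

MAX_REQUEST = 1024  # Gemini caps the request line (URL + CRLF) at 1024 bytes
CLEARNET = "tilde.black"
ONION = "black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion"


class StaticApp:
    """Maps URL paths onto files under one root, refusing anything outside it."""

    def __init__(self, root):
        self.root = os.path.normpath(root)

    def resolve(self, url_path):
        rel = unquote(url_path).lstrip("/") or "index.gmi"
        full = os.path.normpath(os.path.join(self.root, rel))
        # Traversal guard: after normalisation the path must still live
        # under root, so "/../etc/passwd" (or its %2e%2e form) is refused.
        if os.path.commonpath([self.root, full]) != self.root:
            return None
        return full


def parse_request(raw):
    """Return the parsed URL for a well-formed Gemini request line, else None."""
    if len(raw) > MAX_REQUEST or not raw.endswith(b"\r\n"):
        return None
    try:
        url = urlparse(raw[:-2].decode("utf-8"))
    except UnicodeDecodeError:
        return None
    if not url.hostname or url.username or url.password:
        return None
    return url


class VirtualHosts:
    """Dispatch by request host; the None key is the catch-all, as in the post."""

    def __init__(self, apps):
        self.apps = apps

    def route(self, raw):
        """Return (status, meta): 20 + file path, 53 refused, or 59 bad request."""
        url = parse_request(raw)
        if url is None:
            return 59, "Bad request"
        if url.scheme != "gemini":
            return 53, "Proxy request refused"
        # urlparse lower-cases .hostname, so the table lookup is case-insensitive.
        app = self.apps.get(url.hostname, self.apps.get(None))
        if app is None:
            return 53, "Proxy request refused"
        target = app.resolve(url.path)
        if target is None:
            return 59, "Bad request"
        return 20, target


def build_vhosts(root="/var/gemini/"):
    """One StaticApp shared by both names and the default: the three identical
    instances in the post collapse into a single object."""
    site = StaticApp(root)
    return VirtualHosts({CLEARNET: site, ONION: site, None: site})


if __name__ == "__main__":
    vh = build_vhosts()
    for line in (
        b"gemini://tilde.black/~tomasino/journal/20200706-gemini-on-tor.gmi\r\n",
        b"gemini://" + ONION.encode() + b"/\r\n",
        b"gemini://tilde.black/../etc/passwd\r\n",  # constructed: must be refused
        b"gemini://tilde.black/\n",                 # constructed: missing CR
    ):
        print(line, "->", vh.route(line))
```

The status codes are Gemini's own: 20 for success, 53 for a request the server does not proxy (wrong scheme, or a host it has no application for when there is no default), and 59 for a malformed request. With the catch-all in place, as in the post, an unknown host still gets the site; drop the None entry and the same request is refused instead.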

## The rc.d service

Running python scripts in rc.d is annoying because the check method doesn't find the running code properly and all sorts of problems happen. I separate the code for the daemon and the python3 instigator so I can get it all to play nice. I have no idea how I'd get virtualenv to work with this. This is why python gives me a headache.

``` jetforce rc.d service
#!/bin/ksh

# /etc/rc.d/jetforce

daemon="/opt/jetforce/vhost.py"
daemon_user="gemini"
. /etc/rc.d/rc.subr
pexp="/usr/local/bin/python3 ${daemon}"
rc_reload="NO"

rc_check() {
	pgrep -q -f "${daemon}"
}

rc_start() {
	${rcexec} "${pexp}" &
}

rc_cmd $1
```

## Set up tor

Honestly, this part is an afterthought because it was done so long ago that I'd forgotten about it. When gemini was brand new I added the one line to my torrc file that was needed to "make our ship go".

``` torrc line
HiddenServicePort 1965 tilde.black:1965
```

That's it. I already have tor set up from gopher & web stuff here. If you need to know how to do that, the basic tor instructions available online are plenty good enough to assist. There's nothing fancy here.

Originally Published 2020-07-06 at: gemini://tilde.team/~tomasino/journal/20200706-gemini-on-tor.gmi

If you have questions or thoughts to add please send me a link to your response.

=> /~tomasino/about.txt Contact Information