Page MenuHomePhabricator

offer rsync over SSH or TLS for download.whonix.org
Open, NormalPublic

Description

  1. rsync over SSH with a restricted shell:

https://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/

  1. rsync over TLS: Check out the "rsync over TLS" section on https://dotsrc.org/mirrors/

rsync does by itself not support TLS, but we can simply outsource TLS handling to the openssl s_client. The rsync authors have made a short script to do exactly that. This is how you use it to get a listing from our server:

wget https://download.samba.org/pub/rsync/openssl-rsync
chmod +x openssl-rsync
rsync --rsh=./openssl-rsync rsync://mirrors.dotsrc.org

You'll need to configure e.g. apache/nginx to act as a proxy.

This is how mirrors.dotsrc.org nginx is configured:

stream {
    server {
        listen        874 ssl;
        listen        [::]:874 ssl;

        # generated 2020-01-20, https://ssl-config.mozilla.org/#server=nginx&server-version=1.14.0&config=intermediate&openssl-version=1.1.1&hsts=false&ocsp=false

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/letsencrypt/live/mirrors.dotsrc.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mirrors.dotsrc.org/privkey.pem;
        ssl_session_timeout 5m;
        ssl_session_cache none;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # Documentation: http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html
        # Proxy to rsync
        proxy_pass    localhost:873;

        # "Sets the timeout between two successive read or write operationson client or proxied server connections.
        # If no data is transmitted within this time, the connection isclosed."
        # If a client asks for the entire directory listing to be sent inone go, I think it will take some time.
        proxy_timeout 10m;

        # "Defines a timeout for establishing a connection with a proxiedserver."
        # If rsyncd does not respond within 5 sec, close the connection.
        proxy_connect_timeout 5s;
    }
}

When done, ask https://dotsrc.org to mirror over SSH or TLS.

Details

Impact
Needs Triage

Event Timeline

Patrick triaged this task as Normal priority.Apr 23 2020, 2:42 PM
Patrick created this task.