
offer rsync over SSH or TLS for
Closed, Resolved, Public


  1. rsync over SSH with a restricted shell:

  2. rsync over TLS: Check out the "rsync over TLS" section on

rsync does not support TLS by itself, but we can simply outsource the TLS handling to openssl s_client. The rsync authors have made a short script to do exactly that. This is how you use it to get a listing from our server:

chmod +x openssl-rsync
rsync --rsh=./openssl-rsync rsync://
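The shape of such an --rsh helper, written here as an added example (this is not the rsync authors' openssl-rsync script): rsync invokes the helper as `<helper> <host> rsync --server --daemon .` and speaks the daemon protocol over its stdin/stdout, so the helper only has to open a verified TLS connection to the proxy port. The variable names RSYNC_TLS_PORT and RSYNC_TLS_CAFILE are this example's own assumptions.

```shell
#!/bin/sh
# Added example of an rsync --rsh helper that tunnels the rsync daemon
# protocol through `openssl s_client`, with certificate verification enforced.
# Assumed environment knobs (names chosen for this example):
RSYNC_TLS_PORT="${RSYNC_TLS_PORT:-874}"   # port the nginx stream block listens on
RSYNC_TLS_CAFILE="${RSYNC_TLS_CAFILE:-}"  # optional CA bundle; empty = system default

# Build the openssl command line as one string so it can be inspected or tested.
#   -quiet               : no handshake chatter on stdout, which would corrupt the rsync stream
#   -verify_return_error : fail the connection on a verification error instead of only warning
#   -servername          : send SNI so the proxy presents the certificate for this host
# Only hostnames / IPv4 literals are accepted; the check keeps shell metacharacters out
# of the command line that is word-split below.
build_tls_cmd() {
    host="$1"
    case "$host" in
        ""|*[!A-Za-z0-9.-]*) echo "openssl-rsync: invalid host '$host'" >&2; return 1 ;;
    esac
    cmd="openssl s_client -quiet -verify_return_error -servername $host -connect $host:$RSYNC_TLS_PORT"
    [ -n "$RSYNC_TLS_CAFILE" ] && cmd="$cmd -CAfile $RSYNC_TLS_CAFILE"
    printf '%s\n' "$cmd"
}

# When installed as "openssl-rsync" and started by rsync, open the tunnel.
# rsync's remaining arguments (rsync --server --daemon .) are not needed: the
# daemon behind the proxy already speaks the protocol.
case "${0##*/}" in
    openssl-rsync)
        cmd=$(build_tls_cmd "$1") || exit 1
        exec $cmd   # word-split on purpose; host was validated above
        ;;
esac
```

Save it as openssl-rsync next to the rsync invocation shown above; without -verify_return_error, s_client completes the handshake even when the server certificate fails verification, which is exactly what a mirror client must not accept.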

You'll need to configure e.g. apache/nginx to act as a proxy.

This is how nginx is configured:

stream {
    server {
        listen        874 ssl;
        listen        [::]:874 ssl;

        # generated 2020-01-20,

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        ssl_session_timeout 5m;
        ssl_session_cache none;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # Documentation:
        # Proxy to the local rsync daemon (plain rsync protocol on the loopback interface)
        proxy_pass    localhost:873;

        # "Sets the timeout between two successive read or write operations on client or proxied server connections.
        # If no data is transmitted within this time, the connection is closed."
        # If a client asks for the entire directory listing to be sent in one go, I think it will take some time.
        proxy_timeout 10m;

        # "Defines a timeout for establishing a connection with a proxied server."
        # If rsyncd does not respond within 5 sec, close the connection.
        proxy_connect_timeout 5s;
    }
}

When done, ask to mirror over SSH or TLS.



Event Timeline

Patrick triaged this task as Normal priority. Apr 23 2020, 12:42 PM
Patrick created this task.
Patrick claimed this task.

rsync over TLS or even onion is implemented for a long time already and documented here: