offer rsync over SSH or TLS for


ID: 987
PHID: PHID-TASK-xum5es6ihkhfq4bk5fft
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal


  1. rsync over SSH with a restricted shell:
  1. rsync over TLS: Check out the “rsync over TLS” section on Mirrors - dotsrc

rsync does by itself not support TLS, but we can simply outsource TLS handling to the openssl s_client. The rsync authors have made a short script to do exactly that. This is how you use it to get a listing from our server:

chmod +x openssl-rsync
rsync --rsh=./openssl-rsync rsync://

You’ll need to configure e.g. apache/nginx to act as a proxy.

This is how nginx is configured:

stream {
    server {
        listen        874 ssl;
        listen        [::]:874 ssl;

        # generated 2020-01-20,

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        ssl_session_timeout 5m;
        ssl_session_cache none;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # Documentation:
        # Proxy to rsync
        proxy_pass    localhost:873;

        # "Sets the timeout between two successive read or write operationson client or proxied server connections.
        # If no data is transmitted within this time, the connection isclosed."
        # If a client asks for the entire directory listing to be sent inone go, I think it will take some time.
        proxy_timeout 10m;

        # "Defines a timeout for establishing a connection with a proxiedserver."
        # If rsyncd does not respond within 5 sec, close the connection.
        proxy_connect_timeout 5s;

When done, ask to mirror over SSH or TLS.



2021-12-09 14:46:07 UTC