Information
ID: 987
PHID: PHID-TASK-xum5es6ihkhfq4bk5fft
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal
Description
- rsync over SSH with a restricted shell:
- rsync over TLS: Check out the “rsync over TLS” section on Mirrors - dotsrc
rsync itself does not support TLS, but TLS handling can simply be outsourced to openssl s_client. The rsync authors provide a short script that does exactly that. This is how you use it to get a listing from our server:
wget https://download.samba.org/pub/rsync/openssl-rsync
chmod +x openssl-rsync
rsync --rsh=./openssl-rsync rsync://mirrors.dotsrc.org
On the server side you'll need to configure a proxy such as Apache or nginx to terminate TLS and forward the plain connection to rsyncd.
This is how nginx on mirrors.dotsrc.org is configured:
stream {
    server {
        listen 874 ssl;
        listen [::]:874 ssl;

        # generated 2020-01-20, https://ssl-config.mozilla.org/#server=nginx&server-version=1.14.0&config=intermediate&openssl-version=1.1.1&hsts=false&ocsp=false
        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/letsencrypt/live/mirrors.dotsrc.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mirrors.dotsrc.org/privkey.pem;
        ssl_session_timeout 5m;
        ssl_session_cache none;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # Documentation: http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html
        # Proxy to rsync
        proxy_pass localhost:873;

        # "Sets the timeout between two successive read or write operations on client or proxied server connections.
        # If no data is transmitted within this time, the connection is closed."
        # If a client asks for the entire directory listing to be sent in one go, I think it will take some time.
        proxy_timeout 10m;

        # "Defines a timeout for establishing a connection with a proxied server."
        # If rsyncd does not respond within 5 sec, close the connection.
        proxy_connect_timeout 5s;
    }
}
When done, ask https://dotsrc.org to mirror over SSH or TLS.
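The following script is an added example written for this task; it is not the samba.org openssl-rsync script and not dotsrc's code. It shows the mechanism the task relies on (rsync runs the --rsh program as `<prog> [-l user] <host> rsync --server --daemon .` and expects the daemon on the program's stdin/stdout, while openssl s_client carries the bytes over TLS) and adds what a mirror operator wants on top: the server certificate and hostname are verified against a CA bundle, so a failed or spoofed handshake aborts the transfer instead of silently talking to whatever answers on the port. The port 874, the CA bundle path, the environment variable names and the `--check` subcommand are assumptions of this example, not settings from the task.

```shell
#!/bin/sh
# Hypothetical TLS transport for rsync (added example; not the samba.org
# openssl-rsync script and not dotsrc's code). Same idea as the task: openssl
# s_client does the TLS, rsync talks to the daemon through its stdin/stdout.
# On top of that the server certificate and hostname are verified, so the
# client cannot be silently redirected to another rsync daemon.
#
# rsync runs the --rsh program as:  <prog> [-l user] <host> rsync --server ...
# Assumed defaults: port 874 (the nginx stream listener) and a Debian-style
# CA bundle path; both can be overridden through the environment.
#
#   rsync --rsh=./tls-rsync rsync://mirrors.dotsrc.org     # listing over TLS
#   ./tls-rsync --check mirrors.dotsrc.org                  # listener check

: "${RSYNC_TLS_PORT:=874}"
: "${RSYNC_TLS_CAFILE:=/etc/ssl/certs/ca-certificates.crt}"

# rsh_host ARGS... : print the host rsync passed. A leading "-l user" pair is
# dropped; a TLS listener in front of rsyncd has no login user.
rsh_host() {
    if [ "$1" = "-l" ]; then
        shift 2
    fi
    printf '%s\n' "$1"
}

# openssl_args HOST PORT CAFILE : print the verification-related s_client
# arguments, one word per line.
#   -verify_return_error  fail the handshake instead of merely warning when
#                         the chain does not verify against CAFILE
#   -verify_hostname      reject a valid certificate issued for another name
#   -servername           send SNI so a name-based listener picks the right cert
openssl_args() {
    printf '%s\n' -verify_return_error \
        -servername "$1" -verify_hostname "$1" \
        -CAfile "$3" -connect "$1:$2"
}

# check_tls_listener HOST [PORT] : perform one verified handshake and report
# the result. Without -quiet, s_client closes the connection on stdin EOF, so
# the check returns immediately; the exit status follows s_client and can
# drive monitoring of the mirror's listener.
check_tls_listener() {
    set -f   # the args contain no globs, but never let the shell expand them
    set -- $(openssl_args "$1" "${2:-$RSYNC_TLS_PORT}" "$RSYNC_TLS_CAFILE")
    if openssl s_client "$@" </dev/null >/dev/null 2>&1; then
        echo "ok: verified TLS listener on $1"
    else
        echo "FAIL: handshake or certificate verification failed for $1" >&2
        return 1
    fi
}

# Dispatch. With no arguments (e.g. when sourced for its functions) do nothing.
# The remaining rsync arguments ("rsync --server --daemon .") are not needed:
# the daemon behind the TLS listener already speaks the daemon protocol.
case "${1:-}" in
    "")      ;;
    --check) check_tls_listener "$2" "${3:-}" ;;
    *)       host=$(rsh_host "$@")
             set -f
             set -- $(openssl_args "$host" "$RSYNC_TLS_PORT" "$RSYNC_TLS_CAFILE")
             # -quiet keeps handshake output off stdout, where it would be
             # read by rsync as part of the protocol stream.
             exec openssl s_client -quiet "$@" ;;
esac
```

The verification flags are the point of the wrapper: with only `-connect`, s_client prints a verify error and carries on, and rsync would happily sync from an impostor. Running the `--check` form from a cron job or a monitoring host is a cheap way to notice an expired Let's Encrypt certificate on the stream listener before mirror clients do.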
Comments
Patrick
2021-12-09 14:46:07 UTC