offer rsync over SSH or TLS for download.whonix.org

phabricator-migrator · February 19, 2024, 5:06pm

Information

ID: 987
PHID: PHID-TASK-xum5es6ihkhfq4bk5fft
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

rsync over SSH with a restricted shell:

rsync over TLS: Check out the “rsync over TLS” section on Mirrors - dotsrc

rsync does by itself not support TLS, but we can simply outsource TLS handling to the openssl s_client. The rsync authors have made a short script to do exactly that. This is how you use it to get a listing from our server:

wget https://download.samba.org/pub/rsync/openssl-rsync
chmod +x openssl-rsync
rsync --rsh=./openssl-rsync rsync://mirrors.dotsrc.org

You’ll need to configure e.g. apache/nginx to act as a proxy.

This is how mirrors.dotsrc.org nginx is configured:

stream {
    server {
        listen        874 ssl;
        listen        [::]:874 ssl;

        # generated 2020-01-20, https://ssl-config.mozilla.org/#server=nginx&server-version=1.14.0&config=intermediate&openssl-version=1.1.1&hsts=false&ocsp=false

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/letsencrypt/live/mirrors.dotsrc.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mirrors.dotsrc.org/privkey.pem;
        ssl_session_timeout 5m;
        ssl_session_cache none;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # Documentation: http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html
        # Proxy to rsync
        proxy_pass    localhost:873;

        # "Sets the timeout between two successive read or write operationson client or proxied server connections.
        # If no data is transmitted within this time, the connection isclosed."
        # If a client asks for the entire directory listing to be sent inone go, I think it will take some time.
        proxy_timeout 10m;

        # "Defines a timeout for establishing a connection with a proxiedserver."
        # If rsyncd does not respond within 5 sec, close the connection.
        proxy_connect_timeout 5s;
    }
}

When done, ask https://dotsrc.org to mirror over SSH or TLS.

Comments

Patrick

2021-12-09 14:46:07 UTC