Webserver

We use Lighttpd and DokuWiki for our website, and Git for backups and redundant hosting (see "Backup to GitHub" below). We plan to release a guide that explains this in detail; for now, here are some snippets from our configuration. They are excerpts rather than a complete, hardened configuration, so review them before reusing them. The base server setup is similar to our exit setup.

Lighttpd

/etc/lighttpd/conf.d/torservers.conf

# Canonicalise the bare domain: every request whose Host is exactly
# torservers.net is redirected to the HTTPS www host, whatever port or
# scheme it arrived on. Requests that already carry www.torservers.net,
# the .onion name or localhost fall through to the default vhost below.
$HTTP["host"] =~ "^torservers\.net$" {
        url.redirect = ( "^/(.*)" => "https://www.torservers.net/$1" )
}

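# HTTPS on IPv4. The IPv6 socket block below must carry identical settings.
$SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        # Intermediate chain sent with the certificate.
        ssl.ca-file = "/etc/lighttpd/ssl/ca-certs.crt"
        # Certificate + private key in one file: keep it readable by root only.
        ssl.pemfile = "/etc/lighttpd/ssl/torservers.pem"
        # Fixed cipher list. The previous one allowed RC4 (prohibited by
        # RFC 7465), excluded every AES-GCM (AEAD) suite via !AESGCM and
        # disabled DHE via !EDH, leaving only CBC suites. Prefer forward-secret
        # AEAD suites; identifiers the local OpenSSL does not know are
        # silently skipped, so this works on old and new builds alike.
        ssl.cipher-list = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"
        # Use the server's order above rather than the client's preference.
        ssl.honor-cipher-order = "enable"
        # NOTE(review): also pin the minimum protocol version (no SSLv2/SSLv3,
        # ideally TLS 1.2+); the option name depends on the lighttpd version
        # (ssl.use-sslv3 = "disable" on older 1.4.x, ssl.openssl.ssl-conf-cmd
        # = ("MinProtocol" => "TLSv1.2") on newer ones) — check yours.
}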

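# HTTPS on IPv6. Keep in sync with the IPv4 socket block above.
$SERVER["socket"] == "[::]:443" {
        ssl.engine = "enable"
        # Intermediate chain sent with the certificate.
        ssl.ca-file = "/etc/lighttpd/ssl/ca-certs.crt"
        # Certificate + private key in one file: keep it readable by root only.
        ssl.pemfile = "/etc/lighttpd/ssl/torservers.pem"
        # Fixed cipher list. The previous one allowed RC4 (prohibited by
        # RFC 7465), excluded every AES-GCM (AEAD) suite via !AESGCM and
        # disabled DHE via !EDH, leaving only CBC suites. Prefer forward-secret
        # AEAD suites; identifiers the local OpenSSL does not know are
        # silently skipped, so this works on old and new builds alike.
        ssl.cipher-list = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"
        # Use the server's order above rather than the client's preference.
        ssl.honor-cipher-order = "enable"
        # NOTE(review): also pin the minimum protocol version (no SSLv2/SSLv3,
        # ideally TLS 1.2+); the option name depends on the lighttpd version
        # (ssl.use-sslv3 = "disable" on older 1.4.x, ssl.openssl.ssl-conf-cmd
        # = ("MinProtocol" => "TLSv1.2") on newer ones) — check yours.
}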

# no check for host www.torservers.net
# because this is the default for .onion and localhost too

# Hand requests for *.html to the PHP backend as if they were *.php
# (presumably so the site's PHP pages can keep .html URLs). This is set at
# global scope, so it also covers the static trees under /mirrors and the
# Tails vhost unless a block resets it — the /munin/ block further down does
# exactly that with fastcgi.map-extensions = (); consider the same for the
# mirror blocks so upstream files are served as static content.
fastcgi.map-extensions = ( ".html" => ".php" )

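# https://developer.mozilla.org/en/Introducing_Content_Security_Policy
server.modules += ("mod_setenv")
# Security headers added to every response of every vhost (the .onion and
# localhost included, since they share the default vhost).
setenv.add-response-header = (
 # HSTS for one year. includeSubDomains covers every *.torservers.net name,
 # e.g. the relay hostnames listed in munin.conf, so each of them must be
 # reachable over HTTPS if anyone browses to it. Browsers ignore this header
 # on plain-HTTP responses such as the hidden service's, which is fine.
 "Strict-Transport-Security" => "max-age=31556926;includeSubDomains",
 # Standard CSP header with the same meaning as the legacy Firefox-only
 # "allow 'self'" below, which is kept for old clients. default-src 'self'
 # blocks inline scripts and styles; verify the wiki still renders before
 # relying on it.
 "Content-Security-Policy" => "default-src 'self'",
 "X-Content-Security-Policy" => "allow 'self'",
 # Fixed: the value was missing its opening quote, a config syntax error.
 "X-Frame-Options" => "deny",
 # Custom hint for the onion address. Tor Browser now understands the
 # standard Onion-Location header for this; either way the 16-character v2
 # address here is unreachable with current Tor releases and must be
 # replaced by the v3 address once one is generated.
 "X-Onion" => "http://hbpvnydyyjbmhx6b.onion/" )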

## dokuwiki
# Everything below assumes DokuWiki is installed at <document-root>/wiki.
var.dokudir = "/wiki"

# Deny .ht* / _ht* files (htaccess, htpasswd and DokuWiki's variants) at any depth.
$HTTP["url"] =~ "/(\.|_)ht" { url.access-deny = ( "" ) }
# Never serve DokuWiki's internals over HTTP: conf/ holds local.php and the
# users.auth.php password hashes, data/ the raw pages, attic, cache and media,
# inc/ and bin/ the PHP sources and CLI tools.
$HTTP["url"] =~ "^" + var.dokudir + "/(bin|data|inc|conf)/"  { url.access-deny = ( "" ) }
# rewrites for dokuwiki
# (the "nice URLs" rules DokuWiki ships in its .htaccess.dist; order matters:
# lib/, doku.php and feed.php pass through unchanged via "$0" before the
# catch-all at the end maps every other /wiki path to doku.php?id=...)
$HTTP["url"] =~ "^" + var.dokudir { index-file.names = ("doku.php") }
url.rewrite = (
      "^" + var.dokudir + "/lib/.*$"              => "$0",
      "^" + var.dokudir + "/_media/(.*)?\?(.*)$"  => var.dokudir + "/lib/exe/fetch.php?media=$1&$2",
      "^" + var.dokudir + "/_media/(.*)$"         => var.dokudir + "/lib/exe/fetch.php?media=$1",
      "^" + var.dokudir + "/_detail/(.*)?\?(.*)$" => var.dokudir + "/lib/exe/detail.php?media=$1&$2",
      "^" + var.dokudir + "/_detail/(.*)?$"       => var.dokudir + "/lib/exe/detail.php?media=$1",
      "^" + var.dokudir + "/_export/([^/]+)/(.*)\?(.*)$" => var.dokudir + "/doku.php?do=export_$1&id=$2&$3",
      "^" + var.dokudir + "/_export/([^/]+)/(.*)" => var.dokudir + "/doku.php?do=export_$1&id=$2",
      "^" + var.dokudir + "/doku.php.*"           => "$0",
      "^" + var.dokudir + "/feed.php.*"           => "$0",
      # catch-all: /wiki/<page>[?query] -> doku.php?id=<page>[&query]
      "^" + var.dokudir + "/(.*)\?(.*)"           => var.dokudir + "/doku.php?id=$1&$2",
      "^" + var.dokudir + "/(.*)"                 => var.dokudir + "/doku.php?id=$1"
)

/etc/lighttpd/conf.d/torproject-mirror.conf

# Public torproject.org mirror under /mirrors (filled by the rsync cron job
# at the bottom of this page).
$HTTP["url"] =~ "^/mirrors" {
        # document-root is /var/www, so /mirrors/... maps to /var/www/mirrors/...
        server.document-root = "/var/www/"
        # Listings are intentional: the mirror is meant to be browsed.
        server.dir-listing = "enable"
#torproject.org specific
        # Language-suffixed pages (index.html.en, ...) are plain text/html.
        mimetype.assign += (
         ".en" => "text/html",
         ".pl" => "text/html",
         ".it" => "text/html",
         ".fr" => "text/html",
         ".fa" => "text/html",
         ".ar" => "text/html",
         ".de" => "text/html"
        )

        # NOTE(review): the global fastcgi.map-extensions (".html" => ".php")
        # is not reset in this block, so mirrored *.html files presumably go
        # through the PHP backend instead of being served as static files;
        # the /munin/ block below resets it with fastcgi.map-extensions = ()
        # — consider doing the same here.
        index-file.names = ( "index.html.en", "index.php", "index.html",
                               "index.htm", "default.htm" )
}

/etc/lighttpd/conf.d/tails-mirror.conf

# Tails mirror on its own hostname (filled by the hourly rsync job below).
# Only the Host header is matched, so this block also applies on :443, where
# the torservers.net certificate is presented — presumably this name is only
# ever reached over plain HTTP; confirm, or add a certificate covering it.
$HTTP["host"] =~ "^dl\.amnesia\.boum\.org$" {
        server.document-root="/var/www/mirrors/tails/"
        # Listings are intentional: the mirror is meant to be browsed.
        server.dir-listing = "enable"
}

/etc/lighttpd/conf.d/munin.conf

# Munin graphs, served statically from munin's HTML output directory. No
# authentication is configured here and the page links to this URL publicly,
# so the host list, IPs and traffic figures of every node in munin.conf are
# world-readable — keep that in mind when adding nodes.
alias.url += (
          "/munin/" => "/var/cache/munin/www/",
)

$HTTP["url"] =~ "^/munin/" {
        # Undo the global ".html" => ".php" mapping so munin's static HTML
        # pages are served as files instead of going through PHP.
        fastcgi.map-extensions = ()
}

Hidden Service

Our website is also available as a Tor hidden service at http://hbpvnydyyjbmhx6b.onion/ — note that this is a 16-character v2 onion address; v2 onion services have been retired by the Tor Project and current Tor releases neither host nor reach them, so a fresh setup gets a 56-character v3 address that must then be updated here and in the X-Onion header above.

/etc/tor/torrc

# Onion service for the website. Tor stores the service keys and hostname in
# this directory; it has to be owned by the user tor runs as and must not be
# group- or world-accessible, or tor rejects it at startup.
HiddenServiceDir /var/lib/tor/hidden_web/
# Virtual port 80 is forwarded to the same lighttpd that serves the clearnet
# site (the host-less default vhost, see the lighttpd comment above). Only
# loopback is involved, so the onion side is plain HTTP end to end.
HiddenServicePort 80 127.0.0.1:80
# NOTE(review): the 16-character address on this page is a v2 onion service;
# current Tor releases only create v3 (56-character) services, so a fresh
# setup yields a new address that has to be updated in the X-Onion header
# and on this page.

# No local SOCKS listener: this tor instance only publishes the onion
# service and is not used as a client.
SocksPort 0
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor

Munin

https://www.torservers.net/munin/

 # munin = collector/grapher, munin-node = the local agent; the relays polled
 # in munin.conf below presumably only need munin-node.
 apt-get install munin munin-node

/etc/munin/munin.conf

# The web server itself, polled over loopback.
[www.torservers.net]
    address 127.0.0.1
    use_node_name yes

# One section per relay, polled by IP. use_node_name files the data under
# the name the node reports rather than under this heading. (The relay's
# munin-node must accept this server's address; that side is not shown here.)
[psilotorlu.torservers.net]
    address 212.117.180.65
    use_node_name yes
...

# Virtual host "aggregates" in group torservers.net: nothing is polled
# (update no); the graph is built by stacking the uplink interface counters
# already collected from the relays above. The interface name (eth0, eth1,
# venet0) is per host, so every new relay has to be added to this list too.
[torservers.net;aggregates]
    update no
    total_bandwidth.graph_args --base 1000 -l 0
    total_bandwidth.graph_category Network
    total_bandwidth.graph_title Aggregated bandwidth
    total_bandwidth.upload.label upload
    total_bandwidth.update no
    total_bandwidth.total.graph yes
    total_bandwidth.upload.stack \
    axigy1=axigy1.torservers.net:if_eth1.up \
    axigy2=axigy2.torservers.net:if_eth1.up \
    drtornyc1=drtornyc1.torservers.net:if_eth0.up \
    drtornyc2=drtornyc2.torservers.net:if_eth0.up \
    drtorsea1=drtorsea1.torservers.net:if_eth0.up \
    drtorsea2=drtorsea2.torservers.net:if_eth0.up \
    nforce1=nforce1.torservers.net:if_eth0.up \
    nforce2=nforce2.torservers.net:if_eth0.up \
    psilotorlu=psilotorlu.torservers.net:if_venet0.up \
    voxility1=voxility1.torservers.net:if_eth0.up
    total_bandwidth.upload.type COUNTER

Backup to GitHub

Create a dedicated GitHub user for the backup bot (or add a per-repository deploy key with write access). Do not reuse a personal account: cron uses the key generated below unattended, so it cannot have a passphrase, and it sits in www-data's home where anything running as the web server can read it.

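# Become the web server user. Debian gives www-data a nologin shell, so a
# shell has to be requested explicitly (plain "su www-data" just exits).
su -s /bin/bash www-data
# Key for the unattended cron push: leave the passphrase empty when asked.
# Because it lives in www-data's home and is usable by anything running as
# the web server (e.g. PHP), give it the least access possible — a deploy
# key limited to the backup repository, or the dedicated bot account.
# Use "-t rsa -b 4096" instead on OpenSSH older than 6.5 (no ed25519 support).
ssh-keygen -t ed25519 -C "your_email@youremail.com"
git config --global user.name "Your backup bot name"
git config --global user.email "your_email@youremail.com"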

# As root: edit www-data's crontab and add the line below.
crontab -e -u www-data

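# Every 30 minutes: stage everything (git add . picks up new files, commit -a
# the modified and deleted tracked ones), commit and push. When nothing has
# changed, git commit exits non-zero and the push is skipped; output is
# discarded so cron does not mail on every run (push failures are silent too).
# Fixed: the trailing ";fi" had no matching "if" and made the whole command
# a shell syntax error.
# NOTE(review): everything under /var/www/torservers/ ends up in the remote
# repository. If the DokuWiki install lives in this tree, exclude its secrets
# via .gitignore — conf/users.auth.php holds the password hashes, conf/local.php
# the site settings, data/ the pages and ACL-protected content — or make sure
# the repository is private.
*/30 * * * * cd /var/www/torservers/ && /usr/bin/git add . && /usr/bin/git commit -am 'Automatic backup' && /usr/bin/git push -u origin master >/dev/null 2>&1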

Mirrors

# Dedicated unprivileged user for the mirror jobs. It needs write access to
# /var/www/mirrors/ (rsync targets) and to the "innocent mirror" download
# tree rewritten by the script below, and nothing else.
adduser tormirror
crontab -e -u tormirror

/var/www/mirrors/createinnocentmirror.sh

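#!/bin/bash

## CREATE AN 'INNOCENT MIRROR' OF TOR BINARIES
##
## Builds trees of symbolic links to the files under dist/ with "tor",
## "tor-browser" and "vidalia" replaced by "setup" in the names, to stop
## simple url blacklisting of Tor downloads.
##
## this is something NOT encouraged by torproject.org
## because downloaders can easily be tricked in installing something
## shady. the official way to get tor if download is blocked
## is the "gettor" command using email
##
## make sure potential downloaders use signature verification!
## The detached .asc signatures are linked and renamed along with the
## binaries and still verify: an OpenPGP signature covers the file's
## content, not its name. Upstream checksum lists, if mirrored, still
## name the original files and will not match the renamed tree.
##
## Needs the perl "rename" (Debian's default), which takes s/// expressions.

set -euo pipefail

readonly DIST="/var/www/mirrors/torproject.org/dist"
readonly TARGET="/var/www/zwiebelfreunde/downloads"

#######################################
# Replace a target directory's contents with symlinks to everything under a
# source directory, then rewrite the names with perl-rename expressions.
# Arguments:
#   $1   - source directory; checked for existence and content *before* the
#          target is emptied, so a failed or empty upstream sync never wipes
#          the download tree
#   $2   - target directory (created if missing, contents removed)
#   $3.. - perl s/// expressions, applied in order to every entry below $2
# Returns:
#   1 (and, under set -e, aborts the script) if the source is unusable
#######################################
relink_tree() {
  local src="$1" dest="$2"
  shift 2

  if [[ ! -d "$src" ]] || [[ -z "$(find "$src" -mindepth 1 -print -quit)" ]]; then
    printf 'error: %s missing or empty, leaving %s untouched\n' "$src" "$dest" >&2
    return 1
  fi

  mkdir -p -- "$dest"
  # ${dest:?} aborts instead of expanding to nothing, so this can never
  # degrade into "rm -rf /*".
  rm -rf -- "${dest:?}"/*
  cp -rs -- "$src"/* "$dest"/

  local expr
  for expr in "$@"; do
    # -depth: entries are visited before their parent directory, so a
    #   renamed parent never invalidates a still-pending child path (the
    #   default pre-order walk would, and those renames silently failed).
    # -execdir: rename gets "./name", so the expression only ever touches
    #   the basename, never a directory component of the target path.
    # "{} +": one rename call per directory, and none when nothing matched.
    find "$dest" -mindepth 1 -depth -execdir rename "$expr" {} +
  done
}

relink_tree "$DIST/torbrowser"      "$TARGET/browser"    's/tor-browser/setup/gi;' 's/torbrowser/setup/gi;'
relink_tree "$DIST/vidalia-bundles" "$TARGET/gui"        's/vidalia/setup/gi;'
relink_tree "$DIST/win32"           "$TARGET/standalone" 's/tor/setup/gi;'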

crontab

# All four jobs run as the unprivileged tormirror user.
# Every 6 hours: full torproject.org mirror. rsync offers no integrity
# guarantee beyond what the upstream module serves; the detached signatures
# in dist/ come along with it and are what downloaders must verify.
45 */6 * * * nice -n 19 rsync -aq --delete rsync://rsync.torproject.org/tor/ /var/www/mirrors/torproject.org/
# Five minutes later, concurrently: build the torrents and the renamed
# "innocent" download tree from the fresh copy. Nothing enforces that the
# rsync above has finished by then; a slow sync means one stale run.
50 */6 * * * nice -n 19 /var/www/mirrors/createtorrents.sh
50 */6 * * * nice -n 19 /var/www/mirrors/createinnocentmirror.sh
# Hourly Tails archive. NOTE(review): -r without -t does not keep upstream
# mtimes, so rsync's quick check cannot recognise unchanged files on the next
# run; -rt (or -a) is the usual choice. There is no --delete, so files removed
# upstream stay here — fine for an archive, but confirm that is intended.
15 * * * * nice -n 19 rsync -r archive.torproject.org::amnesia-archive /var/www/mirrors/tails/