https://github.com/binki/anarchyirc-link-block-service
- Host: GitHub
- URL: https://github.com/binki/anarchyirc-link-block-service
- Owner: binki
- Created: 2017-04-20T07:29:43.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2017-05-13T04:56:45.000Z (about 9 years ago)
- Last Synced: 2025-01-11T02:19:15.754Z (over 1 year ago)
- Language: JavaScript
- Homepage: http://anarchyirc.com/
- Size: 23.4 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
Meant to serve `unrealircd.conf`-compatible `links.conf` for Remote
Includes and to enable servers to update their SSL certificates through a
[simple
client](https://github.com/binki/anarchyirc-link-block-client).
# Configuration
The `servers` directory contains all of the human-managed per-server
configuration. The `data` directory contains all state which is
automatically updated by servers.
## `servers`
Each server shall have two file entries here. `«name».json` (optional)
and `«name».crt`.
`«name»` is a friendly name for the server. This is used as the name
of the link block in the generated configs.
`«name».crt` is the PEM-encoded certificate authorizing updates
generated by running `client-gen-cert.sh` on the client. This is used
to authenticate any requests made by the client to this service and
determine which client is making the request. The idea is that these
certificates will only ever be created once per server. They are
self-signed and are just like an “API key” or “cookie” used by the
client to identify itself to this service.
`«name».json` is a JSON encoded configuration for the
server. Currently, the following keys are allowed:
* `hostname`: The hostname of the server (defaults to `«name»`).
## `data`
To populate this initially, run the client update script on each
client.
`updated` may be touched in the `data` directory to cause the process
to exit (in case you cannot run `kill(1)` yourself). In the future it
may do this in a more graceful way.
# Apache Configuration
For the directory where this is deployed, the following configuration
is required:
```apache
# Allow things to read client certs but do not rely on CAs for stuff.
SSLVerifyClient optional_no_ca
# Export the client certificate to the environment so that it can be verified by the CGI scripts.
SSLOptions +ExportCertData
# You must have FastCGI set up, e.g., mod_fcgid, to serve
# executables ending in .cgi. It is recommended to use either
# mod_suexec or an appliance VM (not shown):
# Do not use AddHandler because it matches files like
# blah.cgi.en (or blah.cgi.i_do_not_want_this_to_execute).
SetHandler fcgid-script
Options +ExecCGI
```
# API
With how things are now, you must access and include `index.cgi` in
your URI. I.e., this uses (and only knows how to use) `PATH_INFO`.
For example, getting the links config can be `«URI to directory where
index.cgi is»/index.cgi/links.conf`. `index.cgi` is considered part of
the `«endpoint»` as documented [in the
client](https://github.com/binki/anarchyirc-link-block-client). E.g.,
an `«endpoint»` might be `https://example.org/ri/index.cgi`.
`«endpoint»/update`: POST, HTTP client must present an SSL certificate
matching the certificate in `servers/«server me::name».crt`. The link
block service looks up `me::name` based on the presented
certificate’s fingerprint (no need to set the Common Name or Subject
Alternative Name or anything). The POSTed body should include an
entity named `cert` which is the PEM formatted public certificate that
the IRCd uses. The POSTed cert will be deposited to
`data/«me::name».crt` and the link service will start returning the
new fingerprint in its generated link blocks after success.
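A sketch of the fingerprint lookup described for `«endpoint»/update` and the `servers/«name».crt` files, added here as an illustration and not taken from this project's code. It assumes SHA-256 over the certificate's DER bytes and reads mod_ssl's `SSL_CLIENT_CERT` variable (exported by `SSLOptions +ExportCertData`); `pemFingerprint`, `identifyClient` and the sample entries are hypothetical names.

```javascript
const crypto = require('crypto');

// SHA-256 over the DER bytes inside a PEM certificate block,
// or null when the input is absent or malformed.
function pemFingerprint(pem) {
  const m = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----/
    .exec(pem || '');
  if (!m) return null;
  const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  return der.length ? crypto.createHash('sha256').update(der).digest() : null;
}

// env: the CGI environment. servers: { «name»: PEM text of servers/«name».crt }.
// Returns the «name» to use for data/«name».crt, or null to refuse the update.
function identifyClient(env, servers) {
  // `SSLVerifyClient optional_no_ca` lets requests without a certificate
  // reach the script, so a missing certificate must fail closed.
  const presented = pemFingerprint(env.SSL_CLIENT_CERT);
  if (!presented) return null;
  const matches = Object.keys(servers).filter((name) => {
    const known = pemFingerprint(servers[name]);
    return known !== null && crypto.timingSafeEqual(known, presented);
  });
  // The same certificate filed under two names is ambiguous: refuse.
  return matches.length === 1 ? matches[0] : null;
}

// Constructed stand-ins (not real X.509): only the hashed bytes matter here.
const fakePem = (text) =>
  '-----BEGIN CERTIFICATE-----\n' +
  Buffer.from(text).toString('base64') +
  '\n-----END CERTIFICATE-----\n';
const SERVERS = {
  irc1: fakePem('constructed cert irc1'),
  irc2: fakePem('constructed cert irc2'),
};

console.log(identifyClient({ SSL_CLIENT_CERT: SERVERS.irc2 }, SERVERS));
console.log(identifyClient({}, SERVERS));
```

Because no CA is consulted, the fingerprint match is the only authentication, and the name used for the `data` file comes from the matched `servers` entry, never from the request.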
`«endpoint»/links.conf`: GET, gets a configuration file meant to be
included into your IRCd’s configuration, e.g., using [UnrealIRCd’s
Remote Includes
feature](https://www.unrealircd.org/docs/Remote_includes). The
generated configuration is safe to share with the public as no private
data is stored in it (unless you consider your listing of servers
private data which you may if e.g. you disable `/MAP` or `/LINKS` in
an attempt to make DoS attacks more difficult). However, even so, you
should access this URI over HTTPS to guard against a MiTM attempting
to intercept and modify the generated configuration.
This endpoint has the following GET parameters:
* `syntax` (default: `unrealircd4`). You may specify syntaxes of
either `unrealircd3`, `unrealircd4`, or `json`. E.g.,
`«endpoint»/links.conf?syntax=unrealircd` will return the
configuration in `unrealircd3` style (but [you should not be using
UnrealIRCd-3.x
anymore](https://forums.unrealircd.org/viewtopic.php?f=1&t=8629)). The
`json` format may be useful for consuming and transforming. Other
syntaxes may be added by modifying
[`conf-generation.js`](conf-generation.js).