├── .editorconfig ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── config.yml │ ├── feature_request.md │ └── question.md ├── pull_request_template.md └── workflows │ └── main.yaml ├── .gitignore ├── .shellcheckrc ├── LICENSE ├── README.md ├── auto-generated-man-pages ├── onionjuggler-cli-auth-client.8 ├── onionjuggler-cli-auth-server.8 ├── onionjuggler-cli-web.8 ├── onionjuggler-cli.8 ├── onionjuggler-tui.8 └── onionjuggler.conf.5 ├── changelog.upstream ├── configure.sh ├── debian ├── changelog ├── control ├── copyright ├── onionjuggler-cli-auth.install ├── onionjuggler-cli-auth.lintian-overrides ├── onionjuggler-cli-auth.manpages ├── onionjuggler-cli-web.install ├── onionjuggler-cli-web.lintian-overrides ├── onionjuggler-cli-web.manpages ├── onionjuggler-cli.install ├── onionjuggler-cli.lintian-overrides ├── onionjuggler-cli.manpages ├── onionjuggler-lib.install ├── onionjuggler-lib.lintian-overrides ├── onionjuggler-lib.manpages ├── onionjuggler-tui.install ├── onionjuggler-tui.lintian-overrides ├── onionjuggler-tui.manpages ├── rules ├── source │ ├── format │ └── lintian-overrides └── watch ├── docs ├── best-practices.md ├── client-auth.md ├── code_of_conduct.md ├── contributing.md ├── dos-guidelines.md ├── onion-services.md └── security.md ├── etc └── onionjuggler │ ├── anon.conf │ ├── arch.conf │ ├── conf.d │ └── user-sample.conf │ ├── debian.conf │ ├── dialogrc │ ├── fedora.conf │ ├── freebsd.conf │ ├── netbsd.conf │ ├── openbsd.conf │ ├── sample.conf │ ├── tails.conf │ └── void.conf ├── images ├── cli.png ├── tui-dialog.png └── tui-whiptail.png ├── man ├── onionjuggler-cli-auth-client.8.md ├── onionjuggler-cli-auth-server.8.md ├── onionjuggler-cli-web.8.md ├── onionjuggler-cli.8.md ├── onionjuggler-tui.8.md └── onionjuggler.conf.5.md ├── usr ├── bin │ ├── onionjuggler-cli │ ├── onionjuggler-cli-auth-client │ ├── onionjuggler-cli-auth-server │ ├── onionjuggler-cli-web │ └── onionjuggler-tui └── share │ ├── bash-completion │ ├── .shellcheckrc │ └── 
completions │ │ ├── onionjuggler-cli │ │ ├── onionjuggler-cli-auth-client │ │ ├── onionjuggler-cli-auth-server │ │ ├── onionjuggler-cli-web │ │ └── onionjuggler-tui │ └── onionjuggler │ └── defaults.sh └── version.txt /.editorconfig: -------------------------------------------------------------------------------- 1 | root = true 2 | 3 | [*] 4 | indent_style = space 5 | indent_size = 2 6 | tab_width = 2 7 | end_of_line = lf 8 | insert_final_newline = true 9 | trim_trailing_whitespace = true 10 | charset = utf-8 11 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: "[BUG] " 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | 12 | 13 | 14 | **To Reproduce** 15 | 16 | 17 | 18 | **Expected behavior** 19 | 20 | 21 | 22 | **Terminal output** 23 | 24 | 25 | 26 | **Screenshots** 27 | 28 | 29 | 30 | **Please complete the following specifications:** 31 | 36 | 37 | 38 | **Additional context** 39 | 40 | 41 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: OnionJuggler Project Security 4 | url: nyxnor@protonmail.com 5 | about: Please report security vulnerabilities here. 6 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: "[FEATURE REQUEST] " 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? 
Please describe.** 11 | 12 | 13 | 14 | **Describe the solution you'd like** 15 | 16 | 17 | 18 | **Describe alternatives you've considered** 19 | 20 | 21 | 22 | **Additional context** 23 | 24 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: Ask your questions here 4 | title: "[QUESTION] " 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | 10 | **My doubt is / How can I:** 11 | 15 | -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | **Related issue.** 2 | 3 | 4 | 5 | **Describe the changes** 6 | 7 | 8 | 9 | **Additional context** 10 | 11 | -------------------------------------------------------------------------------- /.github/workflows/main.yaml: -------------------------------------------------------------------------------- 1 | name: shellcheck 2 | on: [push] 3 | jobs: 4 | build: 5 | runs-on: ubuntu-latest 6 | steps: 7 | - uses: actions/checkout@main 8 | - name: Run shellcheck. 
9 | shell: sh 10 | run: ./configure.sh -b && sudo ./configure.sh -b && ./configure.sh -k 11 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | build/ 2 | *-build-deps_*.buildinfo 3 | *-build-deps_*.changes 4 | debian/*.debhelper.log 5 | debian/*.substvars 6 | debian/.debhelper 7 | debian/files 8 | debian/debhelper-build-stamp 9 | debian/onionjuggler 10 | debian/onionjuggler-cli 11 | debian/onionjuggler-lib 12 | debian/onionjuggler-tui 13 | debian/onionjuggler-auth 14 | debian/onionjuggler-cli-auth 15 | debian/onionjuggler-auth-server 16 | debian/onionjuggler-cli-auth-server 17 | debian/onionjuggler-auth-client 18 | debian/onionjuggler-cli-auth-client 19 | debian/onionjuggler-web 20 | debian/onionjuggler-cli-web 21 | debian/tmp 22 | *.deb 23 | *.swp 24 | **/*.swp 25 | -------------------------------------------------------------------------------- /.shellcheckrc: -------------------------------------------------------------------------------- 1 | shell=sh 2 | source=/dev/null 3 | ## disabling 2154 is raw but the variables 4 | ## are sourced from a non constant source 5 | disable=SC2154 6 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2021 OnionJuggler developers 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this 
permission notice shall be included in 13 | all copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN 21 | THE SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # OnionJuggler 2 | [![shellcheck](https://github.com/nyxnor/onionjuggler/actions/workflows/main.yaml/badge.svg)](https://github.com/nyxnor/onionjuggler/actions/workflows/main.yaml) 3 | [![CodeFactor](https://www.codefactor.io/repository/github/nyxnor/onionjuggler/badge/main)](https://www.codefactor.io/repository/github/nyxnor/onionjuggler/overview/main) 4 | [![GitHub top language](https://img.shields.io/github/languages/top/nyxnor/onionjuggler.svg)](https://github.com/nyxnor/onionjuggler/search?l=Shell) 5 | [![License](https://img.shields.io/github/license/nyxnor/onionjuggler.svg)](https://github.com/nyxnor/onionjuggler/blob/main/LICENSE) 6 | [![Just works](https://img.shields.io/badge/works-on_my_machine-darkred.svg?style=flat)](https://en.wikipedia.org/wiki/Typewriter) 7 | 8 | 9 | ### Feature-rich onion service manager for UNIX-like operating systems written in POSIX compliant shellscript 10 | 11 | OnionJuggler is a minimal requirement, portable collection of scripts and documentation to help the service operator juggle (manage) his onion(s). 12 | 13 | **WARNING: `do not trust this repo yet`, backup your hs keys in another location. 
This project has not been released and should be considered for development only.** 14 | 15 | Quick link to this repository: [git.io/onionjuggler](https://git.io/onionjuggler) 16 | 17 | ## Table of Contents 18 | 19 | * [Introduction](#introduction) 20 | * [Images](#images) 21 | * [History](#history) 22 | * [Goal](#goal) 23 | * [Features](#features) 24 | * [Requirements](#requirements) 25 | * [Compatibility](#compatibility) 26 | * [Instructions](#instructions) 27 | * [Clone the repository](#clone-the-repository) 28 | * [Set custom variables](#set-custom-variables) 29 | * [Setup the environment](#setup-the-environment) 30 | * [Usage](#usage) 31 | * [Featured on](#featured-on) 32 | * [Contributors](#contributors) 33 | 34 | ## Introduction 35 | 36 | ### Images 37 | 38 | ![tui-dialog](images/tui-dialog.png) 39 | ![tui-whiptail](images/tui-whiptail.png) 40 | ![cli](images/cli.png) 41 | 42 | ### History 43 | 44 | This project was started after seeing the amazing [OnionShare CLI python scripts](https://github.com/onionshare/onionshare/tree/develop/cli), which make possible ephemeral onion services that never touch the disk and can be run on Tails or Whonix easily. Then, after seeing the [RaspiBlitz onion service bash script for the Raspberry Pi](https://github.com/rootzoll/raspiblitz/blob/v1.7/home.admin/config.scripts/internet.hiddenservice.sh), the idea to port it to any Debian distribution started. As the idea grew, depending on GNU Bash and Linux was a single point of failure [1](https://metrics.torproject.org/platforms.html) [2](https://metrics.torproject.org/webstats-tb-platform.html), so making the script POSIX compliant, to be compatible with any Unix-like system, became a definitive goal. 45 | 46 | ### Goal 47 | 48 | The goal of this project is: 49 | * facilitate onion service management, from activating a service to adding client authorization to it, giving the full capabilities that editing files manually would have, but with less typing. 
50 | * show that managing the onion service is much more than just using a webserver with your pages. 51 | * distribution, from the source code level (FOSS) to the effect it takes when it allows anyone to run the code on any operating system, shell or service manager. 52 | 53 | Mitigation from a single point of failure: 54 | * **Kernel** from predominant `Linux` to also `BSD` and any other Unix-like system. 55 | * **Shell** from predominant `Bash` to also any POSIX shell such as `ksh`, `(y,d)ash` and `Zsh` (emulating sh). 56 | * **Service manager** from predominant `Systemd` to also `RC`, `OpenRC`, `SysVinit`, `Runit`. 57 | 58 | Editing the tor configuration file (torrc) is not difficult, but automation solves the problem of misconfiguration and provides: 59 | * less time spent, by running a single line command 60 | * no downtime, by rejecting invalid configuration before applying it 61 | * complete uniformity 62 | * a graphical interface to help newbies 63 | 64 | ### Features 65 | 66 | * [**Enable service**](https://community.torproject.org/onion-services/setup/) - Create directory if not existent (HiddenServiceDir), select onion version (HiddenServiceVersion), custom socket type being unix or tcp, with as many virtual ports as you would like, as well as targets (HiddenServicePort). 67 | * **Disable service** - Remove service configuration from the torrc; the service will not be accessible anymore, but you can enable it again any time you want. Optionally purge the service, deleting its configuration and directory, which will delete its keys permanently. 68 | * **Renew service address** - Focused on private onion services: if you ever leak its address, you can change its hostname, but beware that all of your authorized clients will be disconnected and the service keys will be permanently deleted. 69 | * **Credentials** - Show hostname, clients, torrc block, qrencoded hostname. 
70 | * [**Onion authentication**](https://community.torproject.org/onion-services/advanced/client-auth/) - For v3 onion services only. This depends on client and server side configuration and works with a key pair: the client holds the private key part, either generated by the client (safer, as the private key never has to leave the client's machine) or given by the service operator, and the onion service operator holds the public part. 71 | * **Server** - Generate key pair or add public part, list client names and their public keys from `/authorized_clients/.auth`. If any client is configured, the service will not be accessible without authentication. 72 | * **Client** - Generate key pair or add public part, list your `/.auth_private`. 73 | * [**Onion-Location**](https://community.torproject.org/onion-services/advanced/onion-location/) - For public onion services. You can redirect your plainnet users to your onion service with this guide for nginx, apache2 and html header attributes. 74 | * [**OpSec**](https://community.torproject.org/onion-services/advanced/opsec/) - Operational Security 75 | * [**Unix socket**](https://riseup.net/en/security/network-security/tor/onionservices-best-practices) - Support for enabling an onion service over a unix socket to avoid localhost bypasses. 76 | * **Web server** - Serve files with your hidden service using the Nginx or Apache2 web server. 77 | * **Usability** - There are two dialog boxes compatible with the project, `dialog` and `whiptail`. 78 | * **Bulk** - Some commands can be bulked with the argument `@all` to include all services or clients depending on the option `--service` or `--client`; lists are also accepted as arguments, `[SERV1,SERV2,...]` and `[CLIENT1,CLIENT2,...]`, and the command will loop over the values and apply every combination. 79 | * **Fool-proof** - The script tries its best to filter invalid commands and incorrect syntax. The commands are not difficult but at first sight may scare you. 
Don't worry, if it is invalid, it won't run to avoid tor daemon failing to reload because of invalid configuration. If an invalid command runs, please open an issue. 80 | 81 | ## Requirements 82 | 83 | * General: 84 | * Unix-like system. 85 | * superuser privileges to call commands as root and the tor user 86 | 87 | * Required programs: 88 | * **sh** - any POSIX shell: `dash` 0.5.4+, `bash` 2.03+, `ksh` 88+, `mksh` R28+, `yash` 2.29+, busybox `ash` 1.1.3+, `zsh` 3.1.9+ (`zsh --emulate sh`) etc. 89 | * **tor** >= 0.3.5.7 90 | * **grep** >=0.9 91 | * **sed** 92 | * **openssl** >= 1.1 (Client Authorization - requires algorithm x25519, so it can't be LibreSSL) 93 | * **basez** >= 1.6.2 (Client Authorization) 94 | * **git** (Build) 95 | * **dialog**/**whiptail** (TUI) 96 | * **nginx**/**apache2** (Web server) 97 | 98 | * Optional programs: 99 | * **(lib)qrencode** >= 4.1.1 (List) 100 | 101 | * Development programs: 102 | * **pandoc** (Manual) 103 | * **shellcheck** (Review) 104 | 105 | ## Compatibility 106 | 107 | Mainly tested on Debian systems, including Whonix. 108 | 109 | It can work on OpenBSD - 110 | - auth -> if you build `basez` from source, as it is not in ports. 111 | - web -> nginx or apache, openbsd's httpd configuration was difficult to cleanly remove the server block 112 | 113 | Regarding other operating systems, please see [etc/onionjuggler](etc/onionjuggler) for pre-defined configuration for your operating system. 
Not all of them have been tested. 114 | 115 | ## Instructions 116 | 117 | ### Clone the repository 118 | 119 | ```sh 120 | git clone https://github.com/nyxnor/onionjuggler.git 121 | cd onionjuggler 122 | ``` 123 | 124 | ### Setup the environment 125 | 126 | Run from inside the cloned repository to create the tor directories, create the manual pages and copy the scripts to the PATH: 127 | ```sh 128 | ./configure.sh --install 129 | ``` 130 | 131 | ### Set custom variables 132 | 133 | You should not modify the default configuration on `/etc/onionjuggler/onionjuggler.conf`, as it will be overwritten on every update. Your local configurations should be on `/etc/onionjuggler/conf.d/*.conf`; the files in this folder will be parsed in lexical order, and the last value will supersede the defaults. 134 | 135 | 136 | ### Usage 137 | 138 | Each configuration and script has its own manual page and help message, which is the best way to learn onionjuggler entirely. 139 | 140 | Before executing any script to make changes, it is recommended to see what options are configured. 
Every script has a `--getconf` option that will print the current configuration read by onionjuggler: 141 | ```sh 142 | onionjuggler-cli --getconf 143 | ``` 144 | 145 | It is also possible to get command line options without making changes, useful to see if the assignment is correct: 146 | ```sh 147 | onionjuggler-cli --getopt --service=example --hs-version=3 148 | ``` 149 | 150 | **To use the TUI, just run:** 151 | ```sh 152 | onionjuggler-tui 153 | ``` 154 | 155 | **To create a service on the CLI:** 156 | ```sh 157 | onionjuggler-cli --on --service=terminator --socket=tcp --hs-version=3 --port="80:127.0.0.1:80" 158 | ``` 159 | 160 | Many more things are possible, read the man pages 161 | 162 | 163 | ## Featured on 164 | 165 | * [TorBox](https://github.com/radio24/TorBox) >= v.0.5.0 166 | 167 | ## Contributors 168 | 169 | [![Contributors graph](https://contrib.rocks/image?repo=nyxnor/onionjuggler)](https://github.com/nyxnor/onionjuggler/graphs/contributors) 170 | -------------------------------------------------------------------------------- /auto-generated-man-pages/onionjuggler-cli-auth-client.8: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.9.2.1 2 | .\" 3 | .TH "ONIONJUGGLER-CLI-AUTH-CLIENT" "8" "2022-08-29" "onionjuggler-cli-auth-client 0.0.1" "Tor's System Manager Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | onionjuggler-cli-auth-client - Manage onion service client side 8 | authorization 9 | .SH SYNOPSIS 10 | .PP 11 | \f[B]onionjuggler-cli-auth-client\f[R] 12 | [\f[B]--option\f[R]<=\f[I]ARGUMENT\f[R]>] 13 | .PD 0 14 | .P 15 | .PD 16 | \f[B]onionjuggler-cli-auth-client\f[R] [\f[B]--on\f[R]] 17 | [\f[B]--client-priv-file\f[R]=<\f[I]CLIENT_PRIV_FILE\f[R]>] 18 | [\f[B]--replace-file\f[R]] 19 | .PD 0 20 | .P 21 | .PD 22 | \f[B]onionjuggler-cli-auth-client\f[R] [\f[B]--on\f[R]] 23 | [\f[B]--client\f[R]=<\f[I]CLIENT\f[R]>] 24 | 
[\f[B]--client-priv-config\f[R]=<\f[I]CLIENT_PRIV_CONFIG\f[R]>] 25 | [\f[B]--replace-file\f[R]] 26 | .PD 0 27 | .P 28 | .PD 29 | \f[B]onionjuggler-cli-auth-client\f[R] [\f[B]--on\f[R]] 30 | [\f[B]--client\f[R]=<\f[I]CLIENT\f[R]>] 31 | [\f[B]--client-priv-key\f[R]=<\f[I]CLIENT_PRIV_KEY\f[R]>] 32 | [\f[B]--onion\f[R]=<\f[I]ONION\f[R]>] [\f[B]--replace-file\f[R]] 33 | .PD 0 34 | .P 35 | .PD 36 | \f[B]onionjuggler-cli-auth-client\f[R] [\f[B]--off\f[R]] 37 | [\f[B]--client\f[R]=<\f[I]CLIENT\f[R]>] 38 | .PD 0 39 | .P 40 | .PD 41 | \f[B]onionjuggler-cli-auth-client\f[R] [\f[B]--list\f[R]] 42 | .PD 0 43 | .P 44 | .PD 45 | \f[B]onionjuggler-cli-auth-client\f[R] 46 | [\f[B]--signal\f[R]=<\f[I]reload\f[R]|\f[I]restart\f[R]|\f[I]none\f[R]>] 47 | .PD 0 48 | .P 49 | .PD 50 | \f[B]onionjuggler-cli-auth-client [--getconf]\f[R] 51 | .PD 0 52 | .P 53 | .PD 54 | \f[B]onionjuggler-cli-auth-client [--getopt]\f[R] 55 | [\f[B]--client\f[R]=<\f[I]CLIENT\f[R]>] 56 | .PD 0 57 | .P 58 | .PD 59 | \f[B]onionjuggler-cli-auth-client\f[R] 60 | [\f[B]-V\f[R]|\f[B]--version\f[R]] 61 | .PD 0 62 | .P 63 | .PD 64 | \f[B]onionjuggler-cli-auth-client\f[R] [\f[B]-h\f[R]|\f[B]--help\f[R]] 65 | .SH DESCRIPTION 66 | .PP 67 | \f[B]onionjuggler-cli-auth-client\f[R] helps manage client side onion 68 | authorizations. 69 | .SH OPTIONS 70 | .PP 71 | \f[B]--on\f[R] \f[B]--client-priv-file\f[R]=<\f[I]CLIENT_PRIV_FILE\f[R]> 72 | \f[B]--replace-file\f[R] 73 | .PD 0 74 | .P 75 | .PD 76 | \f[B]--on\f[R] \f[B]--client\f[R]=<\f[I]CLIENT\f[R]> 77 | \f[B]--client-priv-config\f[R]=<\f[I]CLIENT_PRIV_CONFIG\f[R]> 78 | \f[B]--replace-file\f[R] 79 | .PD 0 80 | .P 81 | .PD 82 | .TP 83 | \f[B]--on\f[R] \f[B]--client\f[R]=<\f[I]CLIENT\f[R]> \f[B]--onion\f[R]=<\f[I]ONION\f[R]> \f[B]--client-priv-key\f[R]=<\f[I]CLIENT_PRIV_KEY\f[R]> \f[B]--replace-file\f[R] 84 | Authenticate as a client to an onion service. 
85 | If the client private key is not provided, a new key pair of public and 86 | private keys will be generated; the keys are sent to stdout and you should 87 | send the public key to the onion service operator. 88 | Add a $ONION.auth_private to ClientOnionAuthDir. 89 | File(s) modified: ClientOnionAuthDir. 90 | .RS 91 | .IP 92 | .nf 93 | \f[C] 94 | onionjuggler-cli-auth-client --on --client-priv-file=/home/user/alice.auth_private 95 | onionjuggler-cli-auth-client --on --client=alice --client-priv-config=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd:descriptor:x25519:UBVCL52FL6IRYIOLEAYUVTZY3AIOM 96 | onionjuggler-cli-auth-client --on --client=alice --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion --client-priv-key=UBVCL52FL6IRYIOLEAYUVTZY3AIOMDI3AIFBAALZ7HJOHIJFVBIQ 97 | onionjuggler-cli-auth-client --on --client=alice --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion 98 | \f[R] 99 | .fi 100 | .RE 101 | .TP 102 | \f[B]--off\f[R] \f[B]--client\f[R]=<\f[I]CLIENT1,CLIENT2,...\f[R]> 103 | Deauthenticate from a remote onion service. 104 | Remove the $ONION.auth_private file from ClientOnionAuthDir. 105 | File(s) modified: ClientOnionAuthDir/. 106 | .RS 107 | .IP 108 | .nf 109 | \f[C] 110 | onionjuggler-cli-auth-client --off --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion 111 | onionjuggler-cli-auth-client --off --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion,yyyzxhjk6psc6ul5jnfwloamhtyh7si74b47a3k2q3pskwwxrzhsxmad.onion 112 | \f[R] 113 | .fi 114 | .RE 115 | .TP 116 | \f[B]--list\f[R] 117 | List authentication files and the respective private keys from 118 | ClientOnionAuthDir. Useful when removing files and you want to see which 119 | onions you are already authenticated with. 120 | File(s) modified: none. 
121 | .RS 122 | .IP 123 | .nf 124 | \f[C] 125 | onionjuggler-cli-auth-client --list 126 | \f[R] 127 | .fi 128 | .RE 129 | .TP 130 | \f[B]-V\f[R], \f[B]--version\f[R] 131 | Print version information. 132 | .TP 133 | \f[B]--getconf\f[R] 134 | Print configuration in the format \f[B]key\f[R]=\[dq]\f[I]val\f[R]\[dq]. 135 | .TP 136 | \f[B]--getopt\f[R] 137 | Print option parsing results. 138 | .TP 139 | \f[B]--signal\f[R]=<\f[I]reload\f[R]|\f[I]hup\f[R]|\f[I]restart\f[R]|\f[I]int\f[R]|\f[I]no\f[R]|\f[I]none\f[R]> 140 | Send specific signal commands to the tor daemon. 141 | Sending the \f[I]restart|int\f[R] signal is useful for correcting a 142 | previously broken tor configuration. 143 | Sending the \f[I]no|none\f[R] signal is useful when running consecutive 144 | commands, to avoid tor signaling newnym every time tor is hupped; then, as the 145 | last command, signal hup so tor reloads its configuration and applies the changes. 146 | (Default: reload|hup). 147 | .TP 148 | \f[B]-h\f[R], \f[B]--help\f[R] 149 | Display the script help message. 150 | Absence of any parameter will also have the same effect. 151 | .RS 152 | .IP 153 | .nf 154 | \f[C] 155 | onionjuggler-cli-auth-client -h 156 | onionjuggler-cli-auth-client --help 157 | \f[R] 158 | .fi 159 | .RE 160 | .SH ENVIRONMENT 161 | .TP 162 | \f[B]ONIONJUGGLER_SKIP_PRE_TOR_CHECK\f[R] 163 | If set to 1, skip the pre-run tor check to allow the script to start running 164 | if tor is failing to parse its configuration. 165 | Note that it does not disable the last tor check before applying configuration 166 | changes, that is, if the configuration is still invalid, nothing will be 167 | changed. 168 | This option is useful if you are certain the configuration check will be 169 | fixed by the command. 
170 | As the script requires root and you are probably calling the script 171 | from an unprivileged user, preserve the variable value through 172 | environment changes by assigning it after the command to run the 173 | onionjuggler script as another user and before the script name: 174 | .RS 175 | .IP 176 | .nf 177 | \f[C] 178 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-client 179 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-client 180 | \f[R] 181 | .fi 182 | .RE 183 | .SH FILES 184 | .TP 185 | \f[B]/usr/share/onionjuggler/defaults.sh\f[R] 186 | Default library 187 | .TP 188 | \f[B]/etc/onionjuggler/onionjuggler.conf\f[R] 189 | Default system configuration file. 190 | .TP 191 | \f[B]/etc/onionjuggler/conf.d/*.conf\f[R] 192 | Local configuration files that override the default one. 193 | .SH EXIT VALUE 194 | .TP 195 | \f[B]0\f[R] 196 | Success 197 | .TP 198 | \f[B]>0\f[R] 199 | Fail 200 | .SH BUGS 201 | .PP 202 | For bugs you may find, 203 | first search for related issues on 204 | https://github.com/nyxnor/onionjuggler/issues; if not solved, open a new 205 | one. 206 | .SH SEE ALSO 207 | .PP 208 | onionjuggler.conf(5), onionjuggler-tui(8), 209 | onionjuggler-cli-auth-server(8), onionjuggler-cli-web(8), 210 | onionjuggler-cli(8), tor(1) 211 | .SH COPYRIGHT 212 | .PP 213 | Copyright \[co] 2021 OnionJuggler developers (MIT) This is free 214 | software: you are free to change and redistribute it. 215 | There is NO WARRANTY, to the extent permitted by law. 216 | .SH AUTHORS 217 | Written by nyxnor (nyxnor\[at]protonmail.com). 
218 | -------------------------------------------------------------------------------- /auto-generated-man-pages/onionjuggler-cli-auth-server.8: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.9.2.1 2 | .\" 3 | .TH "ONIONJUGGLER-CLI-AUTH-SERVER" "8" "2022-08-29" "onionjuggler-cli-auth-server 0.0.1" "Tor's System Manager Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | onionjuggler-cli-auth-server - Manage onion service server side 8 | authorization 9 | .SH SYNOPSIS 10 | .PP 11 | \f[B]onionjuggler-cli-auth-server\f[R] 12 | [\f[B]--option\f[R]<=\f[I]ARGUMENT\f[R]>] 13 | .PD 0 14 | .P 15 | .PD 16 | \f[B]onionjuggler-cli-auth-server\f[R] [\f[B]--on\f[R]] 17 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 18 | [\f[B]--client-pub-file\f[R]=<\f[I]CLIENT_PUB_FILE\f[R]>] 19 | .PD 0 20 | .P 21 | .PD 22 | \f[B]onionjuggler-cli-auth-server\f[R] [\f[B]--on\f[R]] 23 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 24 | [\f[B]--client\f[R]=<\f[I]CLIENT\f[R]>] 25 | [\f[B]--client-pub-config\f[R]=<\f[I]CLIENT_PUB_CONFIG\f[R]>] 26 | .PD 0 27 | .P 28 | .PD 29 | \f[B]onionjuggler-cli-auth-server\f[R] [\f[B]--on\f[R]] 30 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 31 | [\f[B]--client\f[R]=<\f[I]CLIENT\f[R]>] 32 | [\f[B]--client-pub-key\f[R]=<\f[I]CLIENT_PUB_KEY\f[R]>] 33 | .PD 0 34 | .P 35 | .PD 36 | \f[B]onionjuggler-cli-auth-server\f[R] [\f[B]--off\f[R]] 37 | [\f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]>] 38 | [\f[B]--client\f[R]=<\f[I]\[at]all\f[R]|\f[I]CLIENT1\f[R],\f[I]CLIENT2\f[R],\f[I]...\f[R]>] 39 | .PD 0 40 | .P 41 | .PD 42 | \f[B]onionjuggler-cli-auth-server\f[R] [\f[B]--list\f[R]] 43 | [\f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]>] 44 | .PD 0 45 | .P 46 | .PD 47 | \f[B]onionjuggler-cli-auth-server\f[R] 48 | [\f[B]--signal\f[R]=<\f[I]reload\f[R]|\f[I]restart\f[R]|\f[I]none\f[R]>] 49 | .PD 0 50 | .P 51 | .PD 52 | 
\f[B]onionjuggler-cli-auth-server [--getconf]\f[R] 53 | .PD 0 54 | .P 55 | .PD 56 | \f[B]onionjuggler-cli-auth-server [--getopt]\f[R] 57 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 58 | .PD 0 59 | .P 60 | .PD 61 | \f[B]onionjuggler-cli-auth-server\f[R] 62 | [\f[B]-V\f[R]|\f[B]--version\f[R]] 63 | .PD 0 64 | .P 65 | .PD 66 | \f[B]onionjuggler-cli-auth-server\f[R] [\f[B]-h\f[R]|\f[B]--help\f[R]] 67 | .SH DESCRIPTION 68 | .PP 69 | \f[B]onionjuggler-cli-auth-server\f[R] helps manage server side onion 70 | authorization. 71 | .SH OPTIONS 72 | .PP 73 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERVICE\f[R]> 74 | \f[B]--client-pub-file\f[R]=<\f[I]CLIENT_PUB_FILE\f[R]> 75 | \f[B]--replace-file\f[R] 76 | .PD 0 77 | .P 78 | .PD 79 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERVICE\f[R]> 80 | \f[B]--client-pub-config\f[R]=<\f[I]CLIENT_PUB_CONFIG\f[R]> 81 | \f[B]--client\f[R] \f[B]--replace-file\f[R] 82 | .PD 0 83 | .P 84 | .PD 85 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERVICE\f[R]> 86 | \f[B]--client\f[R]=<\f[I]CLIENT\f[R]> 87 | \f[B]--client-pub-key\f[R]=<\f[I]CLIENT_PUB_KEY\f[R]> 88 | \f[B]--replace-file\f[R] 89 | .PD 0 90 | .P 91 | .PD 92 | .TP 93 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERVICE\f[R]> \f[B]--client\f[R]=<\f[I]CLIENT\f[R]> 94 | Authorize a client to your service. 95 | A key pair of public and private keys will be generated; the keys are sent 96 | to stdout and you should send the private key to the client. 97 | A CLIENT.auth file will be created on 98 | HiddenServiceDir/authorized_clients folder. 
99 | If no key is specified, then a key pair will be generated. File(s) 100 | modified: HiddenServiceDir/authorized_clients/ 101 | .RS 102 | .IP 103 | .nf 104 | \f[C] 105 | onionjuggler-cli-auth-server --on --service=ssh --client-pub-file=/home/user/bob.auth 106 | onionjuggler-cli-auth-server --on --service=ssh --client=bob --client-pub-config=descriptor:x25519:UQYM2MJ4CKZU25JABR3Z5L2QP3552EH2BUOIZC2XVULY2QRGXUVQ 107 | onionjuggler-cli-auth-server --on --service=ssh --client=bob --client-pub-key=UQYM2MJ4CKZU25JABR3Z5L2QP3552EH2BUOIZC2XVULY2QRGXUVQ 108 | onionjuggler-cli-auth-server --on --service=ssh --client=bob 109 | \f[R] 110 | .fi 111 | .RE 112 | .TP 113 | \f[B]--off\f[R] \f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]> \f[B]--client\f[R]=<\f[I]\[at]all\f[R]|\f[I]CLIENT1\f[R],\f[I]CLIENT2\f[R],\f[I]...\f[R]> 114 | Deauthorize from your service a client that is inside the 115 | HiddenServiceDir/authorized_clients folder. 116 | File(s) modified: HiddenServiceDir/authorized_clients/ 117 | .RS 118 | .IP 119 | .nf 120 | \f[C] 121 | onionjuggler-cli-auth-server --off --service=ssh --client=alice 122 | onionjuggler-cli-auth-server --off --service=ssh --client=alice,bob 123 | onionjuggler-cli-auth-server --off --service=ssh,xmpp --client=alice 124 | onionjuggler-cli-auth-server --off --service=ssh,xmpp --client=alice,bob 125 | onionjuggler-cli-auth-server --off --service=\[at]all --client=alice,bob 126 | onionjuggler-cli-auth-server --off --service=\[at]all --client=\[at]all 127 | \f[R] 128 | .fi 129 | .RE 130 | .TP 131 | \f[B]--list\f[R] \f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]> 132 | List authorized clients and the respective public keys that are inside the 133 | HiddenServiceDir/authorized_clients folder. 
134 | File(s) modified: none 135 | .RS 136 | .IP 137 | .nf 138 | \f[C] 139 | onionjuggler-cli-auth-server --list --service=ssh 140 | onionjuggler-cli-auth-server --list --service=ssh,xmpp 141 | onionjuggler-cli-auth-server --list --service=\[at]all 142 | \f[R] 143 | .fi 144 | .RE 145 | .TP 146 | \f[B]-V\f[R], \f[B]--version\f[R] 147 | Print version information. 148 | .TP 149 | \f[B]--getconf\f[R] 150 | Print configuration in the format \f[B]key\f[R]=\[dq]\f[I]val\f[R]\[dq]. 151 | .TP 152 | \f[B]--getopt\f[R] 153 | Print option parsing results. 154 | .TP 155 | \f[B]--signal\f[R]=<\f[I]reload\f[R]|\f[I]hup\f[R]|\f[I]restart\f[R]|\f[I]int\f[R]|\f[I]no\f[R]|\f[I]none\f[R]> 156 | Send specific signal commands to the tor daemon. 157 | Sending the \f[I]restart|int\f[R] signal is useful for correcting a 158 | previously broken tor configuration. 159 | Sending the \f[I]no|none\f[R] signal is useful when running consecutive 160 | commands, to avoid tor signaling newnym every time tor is hupped; then, as the 161 | last command, signal hup so tor reloads its configuration and applies the changes. 162 | (Default: reload|hup). 163 | .TP 164 | \f[B]-h\f[R], \f[B]--help\f[R] 165 | Display the script help message. 166 | Absence of any parameter will also have the same effect. 167 | .RS 168 | .IP 169 | .nf 170 | \f[C] 171 | onionjuggler-cli-auth-server -h 172 | onionjuggler-cli-auth-server --help 173 | \f[R] 174 | .fi 175 | .RE 176 | .SH ENVIRONMENT 177 | .TP 178 | \f[B]ONIONJUGGLER_SKIP_PRE_TOR_CHECK\f[R] 179 | If set to 1, skip the pre-run tor check to allow the script to start running 180 | if tor is failing to parse its configuration. 181 | Note that it does not disable the last tor check before applying configuration 182 | changes, that is, if the configuration is still invalid, nothing will be 183 | changed. 184 | This option is useful if you are certain the configuration check will be 185 | fixed by the command. 
186 | As the script requires root and you are probably calling it 187 | from an unprivileged user, preserve the variable value through 188 | environment changes by assigning it after the command that runs the 189 | onionjuggler script as another user and before the script name: 190 | .RS 191 | .IP 192 | .nf 193 | \f[C] 194 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-server 195 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-server 196 | \f[R] 197 | .fi 198 | .RE 199 | .SH FILES 200 | .TP 201 | \f[B]/usr/share/onionjuggler/defaults.sh\f[R] 202 | Default library 203 | .TP 204 | \f[B]/etc/onionjuggler/onionjuggler.conf\f[R] 205 | Default system configuration file. 206 | .TP 207 | \f[B]/etc/onionjuggler/conf.d/*.conf\f[R] 208 | Local configuration files that override the default one. 209 | .SH EXIT VALUE 210 | .TP 211 | \f[B]0\f[R] 212 | Success 213 | .TP 214 | \f[B]>0\f[R] 215 | Fail 216 | .SH BUGS 217 | .PP 218 | If you find a bug, 219 | first search for related issues on 220 | https://github.com/nyxnor/onionjuggler/issues, and if not solved, open a new 221 | one. 222 | .SH SEE ALSO 223 | .PP 224 | onionjuggler.conf(5), onionjuggler-tui(8), 225 | onionjuggler-cli-auth-client(8), onionjuggler-cli-web(8), 226 | onionjuggler-cli(8), tor(1) 227 | .SH COPYRIGHT 228 | .PP 229 | Copyright \[co] 2021 OnionJuggler developers (MIT) This is free 230 | software: you are free to change and redistribute it. 231 | There is NO WARRANTY, to the extent permitted by law. 232 | .SH AUTHORS 233 | Written by nyxnor (nyxnor\[at]protonmail.com). 
234 | -------------------------------------------------------------------------------- /auto-generated-man-pages/onionjuggler-cli-web.8: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.9.2.1 2 | .\" 3 | .TH "ONIONJUGGLER-CLI-WEB" "8" "2022-08-29" "onionjuggler-cli-web 0.0.1" "Tor's System Manager Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | onionjuggler-cli-web - Manage webserver for onion services 8 | .SH SYNOPSIS 9 | .PP 10 | \f[B]onionjuggler-cli-web\f[R] [\f[B]--option\f[R]<=\f[I]ARGUMENT\f[R]>] 11 | .PD 0 12 | .P 13 | .PD 14 | \f[B]onionjuggler-cli-web\f[R] [\f[B]--on\f[R]] 15 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 16 | [\f[B]--folder\f[R]=<\f[I]FOLDER\f[R]>] 17 | .PD 0 18 | .P 19 | .PD 20 | \f[B]onionjuggler-cli-web\f[R] [\f[B]--on\f[R]] 21 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 22 | [\f[B]--folder\f[R]=<\f[I]FOLDER\f[R]>] [\f[B]--no-check-service\f[R]] 23 | [\f[B]--port\f[R]=<\f[I]VIRTPORT[:TARGET]\f[R]>] 24 | .PD 0 25 | .P 26 | .PD 27 | \f[B]onionjuggler-cli-web\f[R] [\f[B]--off\f[R]] 28 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 29 | .PD 0 30 | .P 31 | .PD 32 | \f[B]onionjuggler-cli-web\f[R] [\f[B]--list\f[R]] 33 | .PD 0 34 | .P 35 | .PD 36 | \f[B]onionjuggler-cli-web [--getconf]\f[R] 37 | .PD 0 38 | .P 39 | .PD 40 | \f[B]onionjuggler-cli-web [--getopt]\f[R] 41 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 42 | .PD 0 43 | .P 44 | .PD 45 | \f[B]onionjuggler-cli-web [-V|--version]\f[R] 46 | .PD 0 47 | .P 48 | .PD 49 | \f[B]onionjuggler-cli-web\f[R] [\f[B]-h\f[R]|\f[B]--help\f[R]] 50 | .SH DESCRIPTION 51 | .PP 52 | \f[B]onionjuggler-cli-web\f[R] helps manage webserver configuration for 53 | onion services. 
54 | .SH OPTIONS 55 | .TP 56 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERV\f[R]> \f[B]--folder\f[R]=<\f[I]FOLDER\f[R]> 57 | Enable a website using a specific onion service by creating a 58 | configuration file inside the web server folder. By default, the folder 59 | name is taken to be the wanted folder inside the website_dir variable 60 | defined in /etc/onionjuggler. 61 | If the path starts with a forward slash \[dq]/\[dq] or tilde and slash 62 | \[dq]\[ti]/\[dq], that path will be used instead. 63 | File(s) modified: $webserver_conf_dir. 64 | .RS 65 | .IP 66 | .nf 67 | \f[C] 68 | onionjuggler-cli-web --on --service=nextcloud --folder=nextcloud-local-site 69 | \f[R] 70 | .fi 71 | .RE 72 | .TP 73 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERV\f[R]> \f[B]--folder\f[R]=<\f[I]FOLDER\f[R]> \f[B]--no-check-service\f[R] \f[B]--port\f[R]=<\f[I]VIRTPORT[:TARGET]\f[R]> 74 | Enable a website on Workstations when there is no service being hosted 75 | in the same environment, so a port must be manually specified. 76 | File(s) modified: $webserver_conf_dir. 77 | .RS 78 | .IP 79 | .nf 80 | \f[C] 81 | onionjuggler-cli-web --on --service=nextcloud --folder=nextcloud-local-site --no-check-service --port=80 82 | \f[R] 83 | .fi 84 | .RE 85 | .TP 86 | \f[B]--off\f[R] \f[B]--service\f[R]=<\f[I]SERV\f[R]> 87 | Disable a website for a specific onion service by removing its 88 | configuration file from the webserver folder. 89 | File(s) modified: $webserver_conf_dir 90 | .RS 91 | .IP 92 | .nf 93 | \f[C] 94 | onionjuggler-cli-web --off --service=nextcloud 95 | \f[R] 96 | .fi 97 | .RE 98 | .TP 99 | \f[B]--list\f[R] 100 | List enabled websites, meaning the configuration files inside the 101 | webserver folder /etc/${webserver}/sites-enabled/. 102 | File(s) modified: none. 103 | .RS 104 | .IP 105 | .nf 106 | \f[C] 107 | onionjuggler-cli-web --list 108 | \f[R] 109 | .fi 110 | .RE 111 | .TP 112 | \f[B]-V\f[R], \f[B]--version\f[R] 113 | Print version information. 
114 | .TP 115 | \f[B]--getconf\f[R] 116 | Print configuration in the format \f[B]key\f[R]=\[dq]\f[I]val\f[R]\[dq]. 117 | .TP 118 | \f[B]--getopt\f[R] 119 | Print option parsing results. 120 | .TP 121 | \f[B]-h\f[R], \f[B]--help\f[R] 122 | Display the script help message. 123 | Absence of any parameter will also have the same effect. 124 | .RS 125 | .IP 126 | .nf 127 | \f[C] 128 | onionjuggler-cli-web -h 129 | onionjuggler-cli-web --help 130 | \f[R] 131 | .fi 132 | .RE 133 | .SH ENVIRONMENT 134 | .TP 135 | \f[B]ONIONJUGGLER_SKIP_PRE_TOR_CHECK\f[R] 136 | If set to 1, skip the pre-run tor check to allow the script to start running 137 | if tor is failing to parse its configuration. 138 | Note that it does not disable the last tor check before applying configuration 139 | changes, that is, if the configuration is still invalid, nothing will be 140 | changed. 141 | This option is useful if you are certain the configuration check will be 142 | fixed by the command. 143 | As the script requires root and you are probably calling it 144 | from an unprivileged user, preserve the variable value through 145 | environment changes by assigning it after the command that runs the 146 | onionjuggler script as another user and before the script name: 147 | .RS 148 | .IP 149 | .nf 150 | \f[C] 151 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-web 152 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-web 153 | \f[R] 154 | .fi 155 | .RE 156 | .SH FILES 157 | .TP 158 | \f[B]/usr/share/onionjuggler/defaults.sh\f[R] 159 | Default library 160 | .TP 161 | \f[B]/etc/onionjuggler/onionjuggler.conf\f[R] 162 | Default system configuration file. 163 | .TP 164 | \f[B]/etc/onionjuggler/conf.d/*.conf\f[R] 165 | Local configuration files that override the default one. 166 | .SH EXIT VALUE 167 | .TP 168 | \f[B]0\f[R] 169 | Success 170 | .TP 171 | \f[B]>0\f[R] 172 | Fail 173 | .SH BUGS 174 | .PP 175 | If you find a bug, 
176 | first search for related issues on 177 | https://github.com/nyxnor/onionjuggler/issues, and if not solved, open a new 178 | one. 179 | .SH SEE ALSO 180 | .PP 181 | onionjuggler.conf(5), onionjuggler-tui(8), 182 | onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), 183 | onionjuggler-cli(8), tor(1) 184 | .SH COPYRIGHT 185 | .PP 186 | Copyright \[co] 2021 OnionJuggler developers (MIT) This is free 187 | software: you are free to change and redistribute it. 188 | There is NO WARRANTY, to the extent permitted by law. 189 | .SH AUTHORS 190 | Written by nyxnor (nyxnor\[at]protonmail.com). 191 | -------------------------------------------------------------------------------- /auto-generated-man-pages/onionjuggler-cli.8: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.9.2.1 2 | .\" 3 | .TH "ONIONJUGGLER-CLI" "8" "2022-08-29" "onionjuggler-cli 0.0.1" "Tor's System Manager Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | onionjuggler-cli - Dynamically juggle with onion services with a POSIX 8 | compliant shell 9 | .SH SYNOPSIS 10 | .PP 11 | \f[B]onionjuggler-cli\f[R] [\f[B]--option\f[R]<=\f[I]ARGUMENT\f[R]>] 12 | .PD 0 13 | .P 14 | .PD 15 | \f[B]onionjuggler-cli --on\f[R] 16 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 17 | [\f[B]--hs-version\f[R]=<\f[I]VERSION\f[R]>] 18 | [\f[B]--socket\f[R]=<\f[I]tcp\f[R]>] 19 | [\f[B]--port\f[R]=<\f[I]VIRTPORT\f[R][:\f[I]TARGET\f[R]],[\f[I]VIRTPORTn\f[R]][:\f[I]TARGETn\f[R]]>] 20 | [\f[B]--gateway\f[R]] 21 | .PD 0 22 | .P 23 | .PD 24 | \f[B]onionjuggler-cli --on\f[R] 25 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 26 | [\f[B]--version\f[R]=<\f[I]VERSION\f[R]>] 27 | [\f[B]--socket\f[R]=<\f[I]unix\f[R]>] 28 | [\f[B]--port\f[R]=[\f[I]VIRTPORT\f[R],[\f[I]VIRTPORT2\f[R]]>] 29 | .PD 0 30 | .P 31 | .PD 32 | \f[B]onionjuggler-cli --off\f[R] 33 | [\f[B]--service\f[R]=<\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]>] 34 | [\f[B]--purge\f[R]] 35 | .PD 0 36 | .P 37 | 
.PD 38 | \f[B]onionjuggler-cli --list\f[R] 39 | [\f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]>] 40 | [\f[B]--quiet\f[R]] 41 | .PD 0 42 | .P 43 | .PD 44 | \f[B]onionjuggler-cli --renew\f[R] 45 | [\f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]>] 46 | .PD 0 47 | .P 48 | .PD 49 | \f[B]onionjuggler-cli\f[R] 50 | [\f[B]--signal\f[R]=<\f[I]reload\f[R]|\f[I]restart\f[R]|\f[I]none\f[R]>] 51 | .PD 0 52 | .P 53 | .PD 54 | \f[B]onionjuggler-cli [--getconf]\f[R] 55 | .PD 0 56 | .P 57 | .PD 58 | \f[B]onionjuggler-cli [--getopt]\f[R] 59 | [\f[B]--service\f[R]=<\f[I]SERVICE\f[R]>] 60 | .PD 0 61 | .P 62 | .PD 63 | \f[B]onionjuggler-cli [-V|--version]\f[R] 64 | .PD 0 65 | .P 66 | .PD 67 | \f[B]onionjuggler-cli\f[R] [\f[B]-h\f[R]|\f[B]--help\f[R]] 68 | .SH DESCRIPTION 69 | .PP 70 | \f[B]onionjuggler-cli\f[R] helps with onion service creation, deletion 71 | and listing. 72 | .SH OPTIONS 73 | .TP 74 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERV\f[R]> \f[B]--version\f[R]=\f[I]3\f[R] \f[B]--socket\f[R]=\f[I]tcp\f[R] \f[B]--port\f[R]=<\f[I]VIRTPORT\f[R]:<\f[I]TARGET\f[R]>,<\f[I]VIRTPORTn\f[R]>:<\f[I]TARGETn\f[R]>> \f[B]--gateway\f[R] 75 | Enable an onion service using a TCP socket (addr:port) as target. 76 | If the TARGET is only a port, or if TARGET was not provided, the same 77 | port as VIRTPORT will be used, bound to 127.0.0.1. 78 | TARGET examples: 127.0.0.1:80, 192.168.1.100:80. 79 | File(s) modified: torrc. 
80 | .RS 81 | .IP 82 | .nf 83 | \f[C] 84 | onionjuggler-cli --on --service=ssh --version=3 --socket=tcp --port=22 85 | onionjuggler-cli --on --service=ssh --port=22:127.0.1:22 86 | onionjuggler-cli --on --service=ssh --port=\[dq]80:127.0.0.1:80 443:127.0.0.1:443\[dq] 87 | onionjuggler-cli --on --service=ssh --port=\[dq]80:127.0.0.1:80,443:127.0.0.1:443\[dq] 88 | onionjuggler-cli --on --service=ssh --port=\[dq]80,443\[dq] 89 | \f[R] 90 | .fi 91 | .PP 92 | By default, services created on a Qubes-Whonix Gateway use the Whonix 93 | Workstation qube IP address, and services created on a Non-Qubes-Whonix use 94 | the IP address 10.152.152.11. 95 | If you are on the Whonix Gateway and want to enforce that the service is 96 | created for the Whonix-Gateway itself, for example an onion 97 | service to ssh into the Gateway, and you haven\[aq]t set the target, just 98 | the virtual port, use the option \f[I]--gateway\f[R]: 99 | .IP 100 | .nf 101 | \f[C] 102 | onionjuggler-cli --on --service=ssh --socket=tcp --port=22 --gateway 103 | \f[R] 104 | .fi 105 | .RE 106 | .TP 107 | \f[B]--on\f[R] \f[B]--service\f[R]=<\f[I]SERV\f[R]> \f[B]--version\f[R]=\f[I]3\f[R] \f[B]--socket\f[R]=\f[I]unix\f[R] \f[B]--port\f[R]=<\f[I]VIRTPORT\f[R],<\f[I]VIRTPORT2\f[R]>> 108 | Enable an onion service using a UNIX socket (unix:path) as target. 109 | The TARGET is handled automatically by the script. 110 | This method avoids leaking the onion service address to the local 111 | network. 112 | File(s) modified: torrc. 113 | .RS 114 | .IP 115 | .nf 116 | \f[C] 117 | onionjuggler-cli --on --service=ssh --version=3 --socket=unix --port=22 118 | onionjuggler-cli --on --service=ssh --version=3 --socket=unix --port=22,80 119 | \f[R] 120 | .fi 121 | .RE 122 | .TP 123 | \f[B]--off\f[R] \f[B]--service\f[R]=<\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]> <\f[I]--purge\f[R]> 124 | Disable an onion service by removing its configuration lines 125 | (HiddenService) from the torrc. 
126 | Optionally purge its data directory, which will permanently delete the 127 | onion service folder (HiddenServiceDir). 128 | File(s) modified: torrc and optionally HiddenServiceDir. 129 | .RS 130 | .IP 131 | .nf 132 | \f[C] 133 | onionjuggler-cli --off --service=ssh 134 | onionjuggler-cli --off --service=ssh,xmpp 135 | onionjuggler-cli --off --service=ssh,xmpp --purge 136 | \f[R] 137 | .fi 138 | .RE 139 | .TP 140 | \f[B]--list\f[R] \f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]> <\f[I]--quiet\f[R]> 141 | List onion service information: hostname (address), also in QR encoded 142 | format, client names and quantity, status (active or 143 | inactive) according to whether the torrc lines are present and the HiddenServiceDir 144 | exists, and the torrc block. 145 | File(s) modified: none. 146 | .RS 147 | .IP 148 | .nf 149 | \f[C] 150 | onionjuggler-cli --list --service=ssh 151 | onionjuggler-cli --list --service=ssh,xmpp 152 | onionjuggler-cli --list --service=\[at]all 153 | onionjuggler-cli --list --service=\[at]all --quiet 154 | \f[R] 155 | .fi 156 | .RE 157 | .TP 158 | \f[B]--renew\f[R] \f[B]--service\f[R]=<\f[I]\[at]all\f[R]|\f[I]SERV1\f[R],\f[I]SERV2\f[R],\f[I]...\f[R]> 159 | Renew the onion service hostname (.onion domain) and clients (inside 160 | HiddenServiceDir/authorized_clients/). 161 | The onion service keys (hs_ed25519_public_key and 162 | hs_ed25519_private_key) will be removed so that the hostname file is regenerated. 163 | File(s) modified: HiddenServiceDir. 164 | .RS 165 | .IP 166 | .nf 167 | \f[C] 168 | onionjuggler-cli --renew --service=ssh 169 | onionjuggler-cli --renew --service=ssh,xmpp 170 | onionjuggler-cli --renew --service=\[at]all 171 | \f[R] 172 | .fi 173 | .RE 174 | .TP 175 | \f[B]-V\f[R], \f[B]--version\f[R] 176 | Print version information. 177 | .TP 178 | \f[B]--getconf\f[R] 179 | Print configuration in the format \f[B]key\f[R]=\[dq]\f[I]val\f[R]\[dq]. 
180 | .TP 181 | \f[B]--getopt\f[R] 182 | Print option parsing results. 183 | .TP 184 | \f[B]--signal\f[R]=<\f[I]reload\f[R]|\f[I]hup\f[R]|\f[I]restart\f[R]|\f[I]int\f[R]|\f[I]no\f[R]|\f[I]none\f[R]> 185 | Send specific signal commands to the tor daemon. 186 | Sending the \f[I]restart|int\f[R] signal is useful for correcting a 187 | previously broken tor configuration. 188 | Sending the \f[I]no|none\f[R] signal is useful when running consecutive 189 | commands, to avoid tor signaling newnym every time tor is hupped; then, with 190 | the last command, signal tor hup so it reloads its configuration and applies the changes. 191 | (Default: reload|hup). 192 | .TP 193 | \f[B]-h\f[R], \f[B]--help\f[R] 194 | Display the script help message. 195 | Absence of any parameter will also have the same effect. 196 | .RS 197 | .IP 198 | .nf 199 | \f[C] 200 | onionjuggler-cli -h 201 | onionjuggler-cli --help 202 | \f[R] 203 | .fi 204 | .RE 205 | .SH ENVIRONMENT 206 | .TP 207 | \f[B]ONIONJUGGLER_SKIP_PRE_TOR_CHECK\f[R] 208 | If set to 1, skip the pre-run tor check to allow the script to start running 209 | if tor is failing to parse its configuration. 210 | Note that it does not disable the last tor check before applying configuration 211 | changes, that is, if the configuration is still invalid, nothing will be 212 | changed. 213 | This option is useful if you are certain the configuration check will be 214 | fixed by the command. 
215 | As the script requires root and you are probably calling it 216 | from an unprivileged user, preserve the variable value through 217 | environment changes by assigning it after the command that runs the 218 | onionjuggler script as another user and before the script name: 219 | .RS 220 | .IP 221 | .nf 222 | \f[C] 223 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli 224 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli 225 | \f[R] 226 | .fi 227 | .RE 228 | .SH FILES 229 | .TP 230 | \f[B]/usr/share/onionjuggler/defaults.sh\f[R] 231 | Default library 232 | .TP 233 | \f[B]/etc/onionjuggler/onionjuggler.conf\f[R] 234 | Default system configuration file. 235 | .TP 236 | \f[B]/etc/onionjuggler/conf.d/*.conf\f[R] 237 | Local configuration files that override the default one. 238 | .SH EXIT VALUE 239 | .TP 240 | \f[B]0\f[R] 241 | Success 242 | .TP 243 | \f[B]>0\f[R] 244 | Fail 245 | .SH BUGS 246 | .PP 247 | If you find a bug, 248 | first search for related issues on 249 | https://github.com/nyxnor/onionjuggler/issues, and if not solved, open a new 250 | one. 251 | .SH SEE ALSO 252 | .PP 253 | onionjuggler.conf(5), onionjuggler-tui(8), 254 | onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), 255 | onionjuggler-cli-web(8), tor(1) 256 | .SH COPYRIGHT 257 | .PP 258 | Copyright \[co] 2021 OnionJuggler developers (MIT) This is free 259 | software: you are free to change and redistribute it. 260 | There is NO WARRANTY, to the extent permitted by law. 261 | .SH AUTHORS 262 | Written by nyxnor (nyxnor\[at]protonmail.com). 
263 | -------------------------------------------------------------------------------- /auto-generated-man-pages/onionjuggler-tui.8: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.9.2.1 2 | .\" 3 | .TH "ONIONJUGGLER-TUI" "8" "2022-08-29" "onionjuggler-tui 0.0.1" "Tor's System Manager Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | onionjuggler-tui - OnionJuggler Terminal User Interface, also known as 8 | the \f[I]onionjuggler-cli wrapper menu\f[R]. 9 | Dynamically juggle with onion services with a POSIX compliant shell 10 | .SH SYNOPSIS 11 | .PP 12 | \f[B]onionjuggler-tui\f[R] \f[B]command\f[R] 13 | [\f[B]--option\f[R]<=\f[I]ARGUMENT\f[R]>] 14 | .PD 0 15 | .P 16 | .PD 17 | \f[B]onionjuggler-tui\f[R] \f[B][-V|--version]\f[R] 18 | \f[B]onionjuggler-tui\f[R] \f[B]--help\f[R] 19 | .SH DESCRIPTION 20 | .PP 21 | \f[B]onionjuggler-tui\f[R] is a part of OnionJuggler, a combination of 22 | POSIX compliant scripts that help with interacting with onion service 23 | configuration and files, to speed up usage and avoid misconfiguration. 24 | The \f[I]onionjuggler-tui\f[R] wraps the \f[I]onionjuggler-cli\f[R] into 25 | a terminal dialog box. 26 | .SH OPTIONS 27 | .TP 28 | \f[B]-V\f[R], \f[B]--version\f[R] 29 | Print version information. 30 | .TP 31 | \f[B]-h\f[R], \f[B]--help\f[R] 32 | Display a short help message and exit. 33 | .SH FILES 34 | .TP 35 | \f[B]/etc/onionjuggler/dialogrc\f[R] 36 | Default dialog run commands file. 37 | .SH ENVIRONMENT 38 | .TP 39 | \f[B]SUDO_EDITOR\f[R], \f[B]DOAS_EDITOR\f[R], \f[B]VISUAL\f[R], \f[B]EDITOR\f[R] 40 | The environment variables above are used, in that order, to define the editor; in 41 | case any is empty, fall back to the next. 42 | If every variable is empty, fall back to vi(1). 43 | .TP 44 | \f[B]ONIONJUGGLER_SKIP_PRE_TOR_CHECK\f[R] 45 | If set to 1, skip the pre-run tor check to allow the script to start running 46 | if tor is failing to parse its configuration. 
47 | Note that it does not disable the last tor check before applying configuration 48 | changes, that is, if the configuration is still invalid, nothing will be 49 | changed. 50 | This option is useful if you are certain the configuration check will be 51 | fixed by the command. 52 | As the script requires root and you are probably calling it 53 | from an unprivileged user, preserve the variable value through 54 | environment changes by assigning it after the command that runs the 55 | onionjuggler script as another user and before the script name: 56 | .RS 57 | .IP 58 | .nf 59 | \f[C] 60 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-tui 61 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-tui 62 | \f[R] 63 | .fi 64 | .RE 65 | .SH EXIT VALUE 66 | .TP 67 | \f[B]0\f[R] 68 | Success 69 | .TP 70 | \f[B]1\f[R] 71 | Fail 72 | .SH BUGS 73 | .PP 74 | If you find a bug, 75 | first search for related issues on 76 | https://github.com/nyxnor/onionjuggler/issues, and if not solved, open a new 77 | one. 78 | .SH SEE ALSO 79 | .PP 80 | onionjuggler.conf(5), onionjuggler-cli(8), 81 | onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), 82 | onionjuggler-cli-web(8), tor(1) 83 | .SH COPYRIGHT 84 | .PP 85 | Copyright \[co] 2021 OnionJuggler developers (MIT) This is free 86 | software: you are free to change and redistribute it. 87 | There is NO WARRANTY, to the extent permitted by law. 88 | .SH AUTHORS 89 | Written by nyxnor (nyxnor\[at]protonmail.com). 
90 | -------------------------------------------------------------------------------- /auto-generated-man-pages/onionjuggler.conf.5: -------------------------------------------------------------------------------- 1 | .\" Automatically generated by Pandoc 2.9.2.1 2 | .\" 3 | .TH "ONIONJUGGLER.CONF" "5" "2022-09-15" "onionjuggler.conf 0.0.1" "Tor's System Manager Manual" 4 | .hy 5 | .SH NAME 6 | .PP 7 | onionjuggler.conf - Configuration file for OnionJuggler 8 | .SH DESCRIPTION 9 | .PP 10 | The \f[B]onionjuggler\f[R] environment is easily customizable to any 11 | Unix-like operating system because it is written in POSIX compliant 12 | shell script and every tor directory can be chosen via variables. 13 | .PP 14 | The default configuration file 15 | \f[I]/etc/onionjuggler/onionjuggler.conf\f[R] is replaced on every 16 | upgrade, so changes to this file are not persisted. 17 | Because of this, it is advised not to edit this file. 18 | This is the first configuration file to be read and has the lowest 19 | priority. 20 | .PP 21 | Files in \f[I]/etc/onionjuggler/conf.d/*.conf\f[R] are reserved for 22 | packages that want to customize onionjuggler without overwriting the 23 | main configuration file, to avoid conflicts. 24 | Users should avoid customizing files in this directory because they may 25 | conflict with, or take lower precedence than, files shipped by a package. 26 | .PP 27 | The file \f[I]/usr/local/etc/onionjuggler/onionjuggler.conf\f[R] and 28 | files in \f[I]/usr/local/etc/onionjuggler/conf.d/*.conf\f[R] are 29 | reserved exclusively for the local administrator. 30 | Any other entity must not write files to this directory. 31 | These are the last files to be read and have the highest priority. 
32 | .PP 33 | It is recommended to prefix all filenames in the \f[I]conf.d\f[R] 34 | directory with a two-digit number and a dash, to simplify ordering of 35 | the files and to override default files with user defined settings by using a 36 | higher prefix number than the one shipped by the system. 37 | .PP 38 | Variables set to an empty string, either \f[I]var=\f[R] or 39 | \f[I]var=\[dq]\[dq]\f[R], will run with default values, which may not be 40 | suitable for every system, so enforce the desired values by assigning 41 | every configuration option. 42 | .PP 43 | Before running any script for the first time after changing a 44 | configuration option, it is recommended to run the onionjuggler script 45 | with the option \f[I]--getconf\f[R], as it will print what the 46 | onionjuggler program read as options. 47 | .SS Order in which configuration files are sourced: 48 | .IP \[bu] 2 49 | /etc/onionjuggler/onionjuggler.conf 50 | .PD 0 51 | .P 52 | .PD 53 | .IP \[bu] 2 54 | /etc/onionjuggler/conf.d/*.conf 55 | .PD 0 56 | .P 57 | .PD 58 | .IP \[bu] 2 59 | /usr/local/etc/onionjuggler/onionjuggler.conf 60 | .PD 0 61 | .P 62 | .PD 63 | .IP \[bu] 2 64 | /usr/local/etc/onionjuggler/conf.d/*.conf 65 | .SS Rules for sourcing files: 66 | .IP \[bu] 2 67 | when inside the \f[I]conf.d\f[R] directories, source files in lexical 68 | order 69 | .PD 0 70 | .P 71 | .PD 72 | .IP \[bu] 2 73 | file names must end with the \[aq].conf\[aq] extension 74 | .SS Rules for writing the configuration files: 75 | .IP \[bu] 2 76 | must be POSIX compliant shell script, else sourcing will fail 77 | .PD 0 78 | .P 79 | .PD 80 | .IP \[bu] 2 81 | assign all variables to the desired values, else default values will be 82 | used 83 | .PD 0 84 | .P 85 | .PD 86 | .IP \[bu] 2 87 | variables should use double quotes to avoid unwanted expansions 88 | .SH OPTIONS 89 | .SS SYSTEM 90 | .TP 91 | \f[B]operating_system\f[R] 92 | Set the operating system. 
93 | Recognized values: \f[I]debian\f[R], \f[I]tails\f[R], 94 | \f[I]anon-gateway\f[R], \f[I]anon-workstation\f[R], \f[I]fedora\f[R], 95 | \f[I]arch\f[R], \f[I]openbsd\f[R]. 96 | .TP 97 | \f[B]onionjuggler_plugin\f[R] 98 | Only allow the specified plugins to run; if empty, allow every plugin. 99 | (Default: \f[B]all plugins\f[R]). 100 | .TP 101 | \f[B]openssl_cmd\f[R] 102 | The OpenSSL command to create the certificate and private keys for 103 | Client Authorization using the x25519 algorithm. 104 | It must be the original OpenSSL v1.1 or later, not LibreSSL, as the 105 | latter does not support the aforementioned algorithm. 106 | (Default: \f[B]openssl\f[R]). 107 | .TP 108 | \f[B]webserver\f[R] 109 | Webserver to serve a website. 110 | Compatible with \f[I]nginx\f[R] and \f[I]apache2\f[R]. 111 | (Default: \f[B]nginx\f[R]). 112 | .TP 113 | \f[B]webserver_conf_dir\f[R] 114 | Webserver configuration directory of the virtual hosts. 115 | (Default: \f[B]/etc/${webserver}\f[R]). 116 | .TP 117 | \f[B]website_dir\f[R] 118 | Specify the directory to check for website folders. 119 | (Default: \f[B]/var/www\f[R]). 120 | .TP 121 | \f[B]dialog_box\f[R] 122 | Terminal User Interface dialog box. 123 | Compatible with \f[I]dialog\f[R] and \f[I]whiptail\f[R]. 124 | (Default: \f[B]dialog\f[R]). 125 | .SS TOR DAEMON 126 | .TP 127 | \f[B]daemon_control\f[R] 128 | The service manager control command. 129 | Compatible with \f[I]systemctl\f[R] (Systemd), \f[I]service\f[R] (SysV 130 | init), \f[I]rcctl\f[R] or \f[I]/etc/rc.d\f[R] (OpenRC), \f[I]sv\f[R] 131 | (Runit). 132 | (Default: systemctl). 133 | .TP 134 | \f[B]tor_daemon\f[R] 135 | The tor service name. 136 | Common names are \f[I]tor\[at]default\f[R] and \f[I]tor\f[R]. 137 | (Default: \f[B]tor\[at]default\f[R]) 138 | .TP 139 | \f[B]tor_user\f[R] 140 | The tor user that runs the tor process. 141 | Common usernames are \f[I]debian-tor\f[R], \f[I]tor\f[R], *_tor* 142 | (Default: \f[B]debian-tor\f[R]). 
143 | .TP 144 | \f[B]tor_conf_user_group\f[R] 145 | The /etc directory group owner. 146 | Normally \f[I]root\f[R] or \f[I]wheel\f[R]. 147 | (Default: \f[B]root:root\f[R]) 148 | .TP 149 | \f[B]tor_conf_dir\f[R] 150 | Base folder of the torrc configuration. 151 | (Default: \f[B]/etc/tor\f[R]). 152 | .TP 153 | \f[B]tor_conf\f[R] 154 | The tor configuration file that will be modified. 155 | It is recommended to set a separate configuration file to be managed 156 | by onionjuggler, one that is included by tor, as there could be some 157 | unpredictable issues if the file is modified manually. 158 | Read about \f[I]%include\f[R] in the \f[I]torrc(1)\f[R] man page. 159 | (Default: \f[B]${tor_conf_dir}/torrc\f[R]). 160 | .TP 161 | \f[B]tor_main_torrc_conf\f[R] 162 | The main tor configuration file that tor reads. 163 | It is the file specified to the tor daemon with the option \f[I]-f 164 | FILE\f[R] or \f[I]--torrc-file FILE\f[R]. 165 | This file won\[aq]t be modified unless it is set as the value of the 166 | \f[B]tor_conf\f[R] option; its purpose is to fully verify the tor 167 | configuration. 168 | (Default: \f[B]${tor_conf_dir}/torrc\f[R]). 169 | .TP 170 | \f[B]tor_defaults_torrc_conf\f[R] 171 | The tor defaults configuration file that tor reads. 172 | It is the file specified to the tor daemon with the option 173 | \f[I]--defaults-torrc FILE\f[R]. 174 | This file won\[aq]t be modified unless it is set as the value of the 175 | \f[B]tor_conf\f[R] option; its purpose is to fully verify the tor 176 | configuration. 177 | (Default: \f[B]${tor_conf}-defaults\f[R]). 178 | .TP 179 | \f[B]tor_data_dir\f[R] 180 | Specify the DataDirectory for tor. 181 | (Default: /var/lib/tor). 182 | .TP 183 | \f[B]tor_data_dir_services\f[R] 184 | Specify the HiddenServiceDir base directory; onion services data will be 185 | created inside this directory. 186 | (Default: \f[B]${tor_data_dir}/services\f[R]). 187 | .TP 188 | \f[B]tor_data_dir_auth\f[R] 189 | Specify the ClientOnionAuthDir. 
190 | (Default: \f[B]${tor_data_dir}/onion_auth\f[R]). 191 | .SH FILES 192 | .TP 193 | \f[B]/etc/onionjuggler/onionjuggler.conf\f[R] 194 | Default configuration file. 195 | .TP 196 | \f[B]/etc/onionjuggler/conf.d/*.conf\f[R] 197 | Packagers configuration directory. 198 | .TP 199 | \f[B]/usr/local/etc/onionjuggler/onionjuggler.conf\f[R] 200 | Local administrator default configuration file. 201 | .TP 202 | \f[B]/usr/local/etc/onionjuggler/conf.d/*.conf\f[R] 203 | Local administrator configuration directory. 204 | .SH EXAMPLES 205 | .IP \[bu] 2 206 | \f[B]tor_user\f[R]=tor 207 | .IP \[bu] 2 208 | \f[B]tor_conf\f[R]=/usr/local/etc/tor/torrc 209 | .IP \[bu] 2 210 | \f[B]tor_data_dir\f[R]=/usr/local/var/lib/tor 211 | .IP \[bu] 2 212 | \f[B]tor_data_dir_services\f[R]=\[dq]${tor_data_dir}/services\[dq] 213 | .SH BUGS 214 | .PP 215 | If you find a bug, 216 | first search for related issues on 217 | https://github.com/nyxnor/onionjuggler/issues, and if not solved, open a new 218 | one. 219 | .SH SEE ALSO 220 | .PP 221 | onionjuggler-tui(8), onionjuggler-cli(8), 222 | onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), 223 | onionjuggler-cli-web(8), tor(1) 224 | .SH COPYRIGHT 225 | .PP 226 | Copyright \[co] 2021 OnionJuggler developers (MIT) This is free 227 | software: you are free to change and redistribute it. 228 | There is NO WARRANTY, to the extent permitted by law. 229 | .SH AUTHORS 230 | Written by nyxnor (nyxnor\[at]protonmail.com). 231 | -------------------------------------------------------------------------------- /configure.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | ## This file should be run from inside the cloned repository 4 | ## Setup tor directories, user, packages needed for OnionJuggler. 
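## git is needed to locate the repository root and, through it, version.txt.
command -v git >/dev/null || { printf '%s\n' "Missing dependency, please install git"; exit 1; }
## An `exit 1` inside a command substitution only ends the subshell, so the
## failure has to be checked on the assignment itself or the script carries
## on with an empty git_top_dir.
git_top_dir="$(git rev-parse --show-toplevel)" || { printf '%s\n' "Not inside a git repository"; exit 1; }
me="${0##*/}"
version="$(cat "${git_top_dir}"/version.txt)"

## Print the help text and exit with status 1.
## The text is passed as an argument rather than as the printf format so
## that a '%' in the script name cannot be interpreted as a conversion.
usage(){
  printf '%s' "Configure the environment for OnionJuggler
Usage: ${me} [--option ]
Options:
  -b, --build                     build onionjuggler
  -i, --instal                    copy build to path
  -d, --uninstall [-P, --purge]   remove onionjuggler scripts and manual pages from path
  -V, --version
  -h, --help                      show this help message

Dev options:
  -k, --check                     run pre-defined shellcheck
  -m, --man                       build manual pages
  -S, --clean                     remove temporary files
  -r, --release                   prepare for commiting
"
  exit 1
}
[ -z "${1}" ] && usage


###################
#### FUNCTIONS ####

## Abort unless the current directory is the repository root, since every
## path below is built relative to git_top_dir.
check_repo(){
  if [ "${PWD}" != "${git_top_dir}" ]; then
    error_msg "This script must be run from the root of the onionjuggler repository!"
  fi
}

## Abort (via error_msg) unless the effective user id is 0.
requires_root(){ [ "$(id -u)" -ne 0 ] && error_msg "run as root"; }

## Abort (via error_msg) when the effective user id is 0.
not_as_root(){ [ "$(id -u)" -eq 0 ] && error_msg "do not run this option as root"; }

## For each package name given, test whether its command is available and
## collect the missing ones; then print a hint with the install command.
## Expects openssl_cmd and pkg_mngr_install to be set by the caller.
install_package(){
  install_pkg=""
  for package in "${@}"; do
    case "${package}" in
      ## the OpenSSL binary name is configurable, so test that name and report it
      openssl) ! command -v "${openssl_cmd}" >/dev/null && package="${openssl_cmd}" && install_pkg="${install_pkg} ${package}";;
      ## when the server is not in PATH, try to execute it with -v before
      ## declaring it missing (presumably for servers installed under sbin)
      nginx|apache2) if ! command -v "${package}" >/dev/null; then ! "${package}" -v >/dev/null 2>&1 && install_pkg="${install_pkg} ${package}"; fi;;
      ## nothing to check for openbsd-httpd
      openbsd-httpd) :;;
      ## the package may be named after the library, but the command is qrencode
      libqrencode|qrencode) ! command -v qrencode >/dev/null && install_pkg="${install_pkg} ${package}";;
      *) ! command -v "${package}" >/dev/null && install_pkg="${install_pkg} ${package}";;
    esac
  done

  if test -n "${install_pkg}" && [ "${install_pkg}" != " " ]; then
    notice "Missing requirements, maybe try: ${pkg_mngr_install} ${install_pkg}"
  fi
}

## Run shellcheck over the POSIX sh sources and then over the bash
## completions; fail with error_msg if either run reports warnings.
make_shellcheck(){
  command -v shellcheck >/dev/null || error_msg "Install shellcheck to review syntax"
  notice "${yellow}Checking shell syntax${nocolor}"
  ## Customize severity with -S [error|warning|info|style]
  if
    ! shellcheck -s sh "${git_top_dir}"/configure.sh "${git_top_dir}"/etc/onionjuggler/*.conf \
      "${git_top_dir}"/etc/onionjuggler/conf.d/*.conf "${git_top_dir}"/usr/bin/* \
      "${git_top_dir}"/usr/share/onionjuggler/* || \
    ! shellcheck -s bash "${git_top_dir}"/usr/share/bash-completion/completions/onionjuggler-*
  then
    error_msg "Please fix the shellcheck warnings above before pushing!"
  fi
}

## Stamp the current version into defaults.sh, then render every man/*.md
## page with pandoc into auto-generated-man-pages/ and fill in today's date.
make_man(){
  command -v pandoc >/dev/null || error_msg "Install pandoc to create manuals"
  notice "${yellow}Setting version ${version}${nocolor}"
  ## NOTE(review): `sed -i''` is the GNU form; BSD sed takes the next
  ## argument as the backup suffix, so this step is not portable as written.
  sed -i'' "s/^version=.*/version=\"${version}\"/" "${git_top_dir}/usr/share/onionjuggler/defaults.sh"
  notice "${magenta}Creating manual pages${nocolor}"
  for man in "${git_top_dir}"/man/*; do
    man="${man##*/}"
    ## remove man number (5,8) and file ending (.md)
    man_ref="${man%.*}"; man_ref="${man_ref%.*}"
    pandoc -s -f markdown-smart -V header="Tor's System Manager Manual" -V footer="${man_ref} ${version}" -t man "${git_top_dir}/man/${man}" -o "${git_top_dir}/auto-generated-man-pages/${man%*.md}"
    sed -i'' "s/default_date/$(date +%Y-%m-%d)/" "${git_top_dir}/auto-generated-man-pages/${man%*.md}"
  done
}

## Check that the variable named by $1 holds one of the remaining arguments.
## An empty or unset variable passes without being checked.
## The name is expanded with eval, so only call this with literal variable
## names, never with user-supplied input.
range_variable(){
  name="${1}"
  eval var='$'"${1}"
  shift
  if [ -n "${var:-}" ]; then
    success=0
    for tests in "${@}"; do
      [ "${var}" = "${tests}" ] && success=1
    done
    [ ${success} -ne 1 ] &&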
error_msg "${name} has an incorrect value of : ${var}! Check onionjuggler.conf for more details." 99 | fi 100 | } 101 | 102 | get_os(){ 103 | ## Source: pfetch -> https://github.com/dylanaraps/pfetch/blob/master/pfetch 104 | os="$(uname -s)" 105 | kernel="$(uname -r)" 106 | 107 | case ${os} in 108 | Linux*) 109 | if test -f /usr/share/anon-dist/marker; then 110 | test -f /usr/share/anon-gw-base-files/gateway && distro="Anon Gateway" 111 | test -f /usr/share/anon-ws-base-files/workstation && distro="Anon Workstation" 112 | elif command -v lsb_release >/dev/null; then 113 | distro=$(lsb_release -sd) 114 | elif test -f /etc/os-release; then 115 | while IFS='=' read -r key val; do 116 | case "${key}" in (PRETTY_NAME) distro=${val};; esac 117 | done < /etc/os-release 118 | else 119 | command -v crux >/dev/null && distro=$(crux) 120 | command -v guix >/dev/null && distro='Guix System' 121 | fi 122 | distro=${distro##[\"\']} 123 | distro=${distro%%[\"\']} 124 | case ${PATH} in (*/bedrock/cross/*) distro='Bedrock Linux' ;; esac 125 | if [ "${WSLENV}" ]; then 126 | distro="${distro}${WSLENV+ on Windows 10 [WSL2]}" 127 | elif [ -z "${kernel%%*-Microsoft}" ]; then 128 | distro="${distro} on Windows 10 [WSL1]" 129 | fi 130 | ;; 131 | Haiku) distro=$(uname -sv);; 132 | Minix|DragonFly) distro="${os} ${kernel}";; 133 | SunOS) IFS='(' read -r distro _ < /etc/release;; 134 | OpenBSD*) distro="$(uname -sr)";; 135 | FreeBSD) distro="${os} $(freebsd-version)";; 136 | *) distro="${os} ${kernel}";; 137 | esac 138 | 139 | case "${os}" in 140 | Linux*) 141 | case "${distro}" in 142 | "Debian"*|*"buntu"*|"Armbian"*|"Rasp"*|"Linux Mint"*|"LinuxMint"*|"mint"*|"Tails"*) 143 | pkg_mngr_install="apt install -y" 144 | requirements="tor grep sed openssl basez qrencode whiptail nginx bash-completion" 145 | ;; 146 | "Anon Gateway") 147 | pkg_mngr_install="apt install -y" 148 | requirements="tor grep sed openssl basez qrencode dialog bash-completion" 149 | ;; 150 | "Anon Workstation") 151 | 
pkg_mngr_install="apt install -y" 152 | requirements="grep sed qrencode dialog nginx bash-completion" 153 | ;; 154 | "Arch"*|"Artix"*|"ArcoLinux"*) 155 | pkg_mngr_install="pacman -Syu" 156 | requirements="tor grep sed openssl basez qrencode dialog nginx bash-completion" 157 | ;; 158 | "Fedora"*|"CentOS"*|"rhel"*|"Redhat"*|"Red hat") 159 | pkg_mngr_install="dnf install -y" 160 | requirements="tor grep sed openssl basez qrencode dialog nginx bash-completion" 161 | ;; 162 | esac 163 | ;; 164 | "OpenBSD"*) 165 | pkg_mngr_install="pkg_add" 166 | requirements="tor grep sed eopenssl30 basez libqrencode dialog nginx shells/bash-completion" 167 | ;; 168 | "NetBSD"*) 169 | pkg_mngr_install="pkg_add" 170 | requirements="tor grep sed openssl basez libqrencode dialog nginx shells/bash-completion" 171 | ;; 172 | "FreeBSD"*|"HardenedBSD"*|"DragonFly"*) 173 | pkg_mngr_install="pkg install" 174 | requirements="tor grep sed openssl basez libqrencode dialog nginx shells/bash-completion" 175 | ;; 176 | *) error_msg "Unsupported system: ${os} ${kernel} ${distro}" 177 | esac 178 | 179 | 180 | } 181 | 182 | get_vars(){ 183 | ## get default values and functions 184 | onionjuggler_defaults="${git_top_dir}/usr/share/onionjuggler/defaults.sh" 185 | if ! test -f "${onionjuggler_defaults}" || ! test -r "${onionjuggler_defaults}"; then 186 | printf '%s\n' "${onionjuggler_defaults} does not exist, or is not a regular file or can not be read" 187 | exit 1 188 | fi 189 | . 
"${onionjuggler_defaults}" 190 | } 191 | 192 | 193 | ################### 194 | ###### MAIN ####### 195 | 196 | get_vars 197 | get_os 198 | build_dir="${git_top_dir}/build" 199 | 200 | while :; do 201 | shift_n="" 202 | # shellcheck disable=SC2034 203 | opt_orig="${1}" ## save opt orig for error message to understand which opt failed 204 | # shellcheck disable=SC2034 205 | arg_possible="${2}" ## need to pass the second positional parameter because maybe it is an argument 206 | clean_opt "${1}" || break 207 | # shellcheck disable=SC2034 208 | case "${opt}" in 209 | i|install|b|build|d|uninstall|r|release|k|check|m|man|S|clean) command="${opt}";; 210 | P|purge) action="${opt}";; 211 | V|version) printf '%s\n' "${me} ${version}"; exit 0;; 212 | h|help) usage;; 213 | "") break;; 214 | *) error_msg "Invalid option: '${opt_orig}'";; 215 | esac 216 | shift "${shift_n:-1}" 217 | [ -z "${1}" ] && break 218 | done 219 | 220 | case "${command}" in 221 | 222 | b|build) 223 | lib_dir="/usr/share" 224 | man_dir="/usr/share" 225 | bin_dir="/usr" 226 | conf_dir="/etc" 227 | 228 | check_repo 229 | rm -rf "${build_dir}" 230 | notice "${cyan}Build targeting ${os} ${distro} to ${build_dir}${nocolor}" 231 | 232 | mkdir "${build_dir}" 233 | for man in "${git_top_dir}/auto-generated-man-pages"/*; do 234 | man_extension="${man##*.}" 235 | mkdir -p "${build_dir}${man_dir}/man${man_extension}" 236 | cp "${man}" "${build_dir}${man_dir}/man${man_extension}" 237 | done 238 | 239 | ## make helper dirs 240 | mkdir -p "${build_dir}${lib_dir}/onionjuggler" 241 | cp "${git_top_dir}/usr/share/onionjuggler"/* "${build_dir}${lib_dir}/onionjuggler" 242 | mkdir -p "${build_dir}${conf_dir}/onionjuggler/conf.d" 243 | cp "${git_top_dir}/etc/onionjuggler/dialogrc" "${build_dir}${conf_dir}/onionjuggler" 244 | mkdir -p "${build_dir}${bin_dir}/bin" 245 | cp "${git_top_dir}/usr/bin"/* "${build_dir}${bin_dir}/bin" 246 | 247 | ## configuration 248 | case "${os}" in 249 | Linux*) 250 | case "${distro}" in 251 | 
"Debian"*|*"buntu"*|"Armbian"*|"Rasp"*|"Linux Mint"*|"LinuxMint"*|"mint"*) os_conf="${git_top_dir}/etc/onionjuggler/debian.conf";; 252 | "Tails"*) os_conf="${git_top_dir}/etc/onionjuggler/tails.conf";; 253 | "Anon"*) os_conf="${git_top_dir}/etc/onionjuggler/anon.conf";; 254 | "Arch"*|"Artix"*|"ArcoLinux"*) os_conf="${git_top_dir}/etc/onionjuggler/arch.conf";; 255 | "Fedora"*|"CentOS"*|"rhel"*|"Redhat"*|"Red hat") os_conf="${git_top_dir}/etc/onionjuggler/fedora.conf";; 256 | esac 257 | ;; 258 | "OpenBSD"*) os_conf="${git_top_dir}/etc/onionjuggler/openbsd.conf";; 259 | "NetBSD"*) os_conf="${git_top_dir}/etc/onionjuggler/netbsd.conf";; 260 | "FreeBSD"*|"HardenedBSD"*|"DragonFly"*) os_conf="${git_top_dir}/etc/onionjuggler/freebsd.conf";; 261 | esac 262 | cp "${os_conf}" "${build_dir}${conf_dir}/onionjuggler/onionjuggler.conf" 263 | notice %s"${blue}OnionJuggler built${nocolor}" 264 | ;; 265 | 266 | i|install) 267 | check_repo 268 | requires_root 269 | test -d "${build_dir}" || error_msg "${build_dir} does not exist" 270 | is_dir_empty "${build_dir}" && error_msg "${build_dir} does not have build files, use the option '--build'" 271 | notice "${magenta}Checking requirements${nocolor}" 272 | # shellcheck disable=SC2086 273 | install_package ${requirements} 274 | notice "${green}Copying files to path${nocolor}" 275 | cp -r "${build_dir}"/* / 276 | notice %s"${blue}OnionJuggler enviroment is ready${nocolor}" 277 | ;; 278 | 279 | d|uninstall) 280 | requires_root 281 | notice "${red}Removing OnionJuggler scripts from your system.${nocolor}" 282 | rm -f "${man_dir}/man1/onionjuggler-cli.1" "${man_dir}/man1/onionjuggler-tui.1" "${man_dir}/man5/onionjuggler.conf.5" 283 | #find "${man_dir}" -name "onionjuggler*" -delete 284 | rm -f "${bin_dir}/onionjuggler-cli"* "${bin_dir}/onionjuggler-tui" 285 | if [ "${action}" = "-P" ] || [ "${action}" = "--purge" ]; then 286 | notice "${red}Purging OnionJuggler configuration from your system.${nocolor}" 287 | rm -f 
"${conf_dir}/onionjuggler" 288 | fi 289 | notice "${green}Done!${nocolor}" 290 | ;; 291 | 292 | r|release) 293 | check_repo 294 | not_as_root 295 | notice "${blue}Preparing release${nocolor}" 296 | install_package shellcheck pandoc git 297 | make_man 298 | make_shellcheck 299 | notice "${cyan}Checking git status${nocolor}" 300 | ## should not delete, could destroy lines, just leave empty lines 301 | find "${git_top_dir}/usr" -type f -exec sed -i'' "s/set \-\x//g;s/set \-\v//g;s/set \+\x//g;s/set \+\v//g" {} \; 302 | if [ -n "$(git status -s)" ]; then 303 | git status 304 | error_msg "Please record the changes to the file(s) above with a commit before pushing!" 305 | fi 306 | notice "${green}Done!${nocolor}" 307 | ;; 308 | 309 | k|check) check_repo; make_shellcheck;; 310 | 311 | m|man) check_repo; not_as_root; make_man;; 312 | 313 | S|clean) 314 | requires_root 315 | notice "Cleaning directory..." 316 | rm -rf "${build_dir}" 317 | cd "${git_top_dir}" || error_msg "Failed to change directory to ${git_top_dir}" 318 | rm -rf -- *-build-deps_*.buildinfo *-build-deps_*.changes \ 319 | debian/*.debhelper.log debian/*.substvars \ 320 | debian/.debhelper debian/files \ 321 | debian/debhelper-build-stamp debian/tmp 322 | find debian/ -type d -name "onionjuggler*" -exec rm -r {} + 2>/dev/null 323 | rm -f -- ../onionjuggler_*.deb ../onionjuggler_*.buildinfo ../onionjuggler_*.changes 324 | ;; 325 | 326 | *) usage;; 327 | 328 | esac 329 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | onionjuggler (3:0.0.1-1) unstable; urgency=medium 2 | 3 | * New upstream version (local package). 
4 | 5 | -- nyxnor Sat, 22 Jan 2022 12:10:00 +0000 6 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: onionjuggler 2 | Section: misc 3 | Priority: optional 4 | Maintainer: nyxnpor 5 | Build-Depends: debhelper (>= 13), debhelper-compat (= 13), dh-exec, 6 | Homepage: https://github.com/nyxnor/onionjuggler 7 | Vcs-Browser: https://github.com/nyxnor/onionjuggler 8 | Vcs-Git: https://github.com/nyxnor/onionjuggler.git 9 | Standards-Version: 4.5.1 10 | Rules-Requires-Root: no 11 | 12 | #Package: onionjuggler 13 | #Architecture: all 14 | #Depends: onionjuggler-lib, 15 | # onionjuggler-cli, 16 | # onionjuggler-cli-auth, 17 | # onionjuggler-cli-web, 18 | # onionjuggler-tui 19 | #Description: Bundle all OnionJuggler scripts 20 | # into one package. 21 | 22 | Package: onionjuggler-lib 23 | Architecture: all 24 | Depends: tor, 25 | grep (>= 1.0), 26 | sed (>= 1.0), 27 | bash-completion 28 | Description: Library for OnionJuggler 29 | Helper functions to avoid cluttering scripts. 30 | 31 | Package: onionjuggler-cli 32 | Architecture: all 33 | Depends: onionjuggler-lib, 34 | tor, 35 | qrencode 36 | Suggests: onionjuggler-cli-auth, 37 | onionjuggler-cli-web, 38 | onionjuggler-tui 39 | Description: Onion service management 40 | for Unix like operating systems. 41 | 42 | Package: onionjuggler-tui 43 | Architecture: all 44 | Depends: onionjuggler-lib, 45 | whiptail 46 | Recommends: onionjuggler-cli, 47 | onionjuggler-cli-auth, 48 | onionjuggler-cli-web 49 | Description: Dialog boxes for OnionJuggler 50 | As beautiful as it can be. 
51 | 52 | Package: onionjuggler-cli-auth 53 | Architecture: all 54 | Depends: onionjuggler-lib, 55 | openssl, 56 | basez 57 | Description: Authentication scripts for OnionJuggler 58 | Help importing keys or generating a new key pair, 59 | to authenticate a client or be authenticated as 60 | a client to an onion service. 61 | 62 | Package: onionjuggler-cli-web 63 | Architecture: all 64 | Depends: onionjuggler-lib, 65 | nginx 66 | Description: Webserver management by OnionJuggler 67 | Helper for managing nginx webserver and configuring 68 | it easily for onion services. 69 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | 3 | Files: * 4 | Copyright: 2021 - 2022 nyxnor 5 | License: GPL-3+-with-additional-terms-1 6 | This program is free software: you can redistribute it and/or modify 7 | it under the terms of the GNU General Public License as published by 8 | the Free Software Foundation, either version 3 of the License, or 9 | (at your option) any later version. 10 | . 11 | This program is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | . 16 | You should have received a copy of the GNU General Public License 17 | along with this program. If not, see . 18 | . 19 | On Debian systems, the full text of the GNU General Public 20 | License version 3 can be found in the file 21 | `/usr/share/common-licenses/GPL-3'. 22 | . 23 | ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 24 | . 25 | 1. Replacement of Section 15. Section 15 of the GPL shall be deleted in its 26 | entirety and replaced with the following: 27 | . 28 | 15. Disclaimer of Warranty. 29 | . 
30 | THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, 31 | INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR 32 | PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING 33 | DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR 34 | REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 35 | PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 36 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 37 | . 38 | 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its 39 | entirety and replaced with the following: 40 | . 41 | 16. LIMITATION OF LIABILITY. 42 | . 43 | UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY 44 | OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE 45 | LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY 46 | DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, 47 | INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN 48 | CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH 49 | THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED 50 | INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE 51 | PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER 52 | OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH 53 | DAMAGES COULD HAVE BEEN FORESEEN. 54 | . 55 | 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully 56 | all trademark, copyright and other proprietary and legal notices on any copies 57 | of the Program or any other required author attributions. This license does not 58 | grant you rights to use any copyright holder or any other party's name, logo, or 59 | trademarks. 
Neither the name of the copyright holder or its affiliates, or any 60 | other party who modifies and/or conveys the Program may be used to endorse or 61 | promote products derived from this software without specific prior written 62 | permission. The origin of the Program must not be misrepresented; you must not 63 | claim that you wrote the original Program. Altered source versions must be 64 | plainly marked as such, and must not be misrepresented as being the original 65 | Program. 66 | . 67 | 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT 68 | OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, 69 | YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND 70 | AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF 71 | ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE 72 | ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR 73 | IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. 
74 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli-auth.install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/dh-exec 2 | 3 | usr/bin/onionjuggler-cli-auth-server 4 | usr/bin/onionjuggler-cli-auth-client 5 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli-auth.lintian-overrides: -------------------------------------------------------------------------------- 1 | onionjuggler-cli-auth: initial-upload-closes-no-bugs 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli-auth.manpages: -------------------------------------------------------------------------------- 1 | auto-generated-man-pages/onionjuggler-cli-auth-server.8 2 | auto-generated-man-pages/onionjuggler-cli-auth-client.8 3 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli-web.install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/dh-exec 2 | 3 | usr/bin/onionjuggler-cli-web 4 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli-web.lintian-overrides: -------------------------------------------------------------------------------- 1 | onionjuggler-cli-web: initial-upload-closes-no-bugs 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli-web.manpages: -------------------------------------------------------------------------------- 1 | auto-generated-man-pages/onionjuggler-cli-web.8 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli.install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/dh-exec 2 | 3 | #etc/onionjuggler/conf.d/* 4 | #etc/onionjuggler/debian.conf => 
etc/onionjuggler/onionjuggler.conf 5 | #etc/onionjuggler/dialogrc 6 | #usr/* 7 | 8 | #etc/onionjuggler/conf.d/* 9 | #etc/onionjuggler/debian.conf => etc/onionjuggler/onionjuggler.conf 10 | #etc/onionjuggler/dialogrc 11 | usr/bin/onionjuggler-cli 12 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli.lintian-overrides: -------------------------------------------------------------------------------- 1 | onionjuggler-cli: initial-upload-closes-no-bugs 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-cli.manpages: -------------------------------------------------------------------------------- 1 | auto-generated-man-pages/onionjuggler-cli.8 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-lib.install: -------------------------------------------------------------------------------- 1 | #!/usr/bin/dh-exec 2 | 3 | etc/onionjuggler/conf.d/ 4 | etc/onionjuggler/debian.conf => etc/onionjuggler/onionjuggler.conf 5 | etc/onionjuggler/dialogrc 6 | usr/share/onionjuggler/* 7 | usr/share/bash-completion/completions/* 8 | -------------------------------------------------------------------------------- /debian/onionjuggler-lib.lintian-overrides: -------------------------------------------------------------------------------- 1 | onionjuggler-lib: initial-upload-closes-no-bugs 2 | onionjuggler-lib: script-not-executable etc/onionjuggler/onionjuggler.conf 3 | -------------------------------------------------------------------------------- /debian/onionjuggler-lib.manpages: -------------------------------------------------------------------------------- 1 | auto-generated-man-pages/onionjuggler.conf.5 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-tui.install: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/dh-exec 2 | 3 | usr/bin/onionjuggler-tui 4 | -------------------------------------------------------------------------------- /debian/onionjuggler-tui.lintian-overrides: -------------------------------------------------------------------------------- 1 | onionjuggler-tui: initial-upload-closes-no-bugs 2 | -------------------------------------------------------------------------------- /debian/onionjuggler-tui.manpages: -------------------------------------------------------------------------------- 1 | auto-generated-man-pages/onionjuggler-tui.8 2 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | ## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP 4 | ## See the file COPYING for copying conditions. 5 | 6 | #export DH_VERBOSE=1 7 | 8 | %: 9 | dh $@ 10 | 11 | #override_dh_installman: 12 | # dh_installman $(CURDIR)/auto-generated-man-pages/* 13 | 14 | override_dh_installchangelogs: 15 | dh_installchangelogs changelog.upstream upstream 16 | -------------------------------------------------------------------------------- /debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /debian/source/lintian-overrides: -------------------------------------------------------------------------------- 1 | ## https://phabricator.whonix.org/T277 2 | debian-watch-does-not-check-gpg-signature 3 | -------------------------------------------------------------------------------- /debian/watch: -------------------------------------------------------------------------------- 1 | ## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP 2 | ## See the file COPYING for copying conditions. 
3 | 4 | version=4 5 | opts=filenamemangle=s/.+\/v?(\d\S+)\.tar\.gz/onionjuggler-$1\.tar\.gz/ \ 6 | https://github.com/nyxnor/onionjuggler/tags .*/v?(\d\S+)\.tar\.gz 7 | -------------------------------------------------------------------------------- /docs/best-practices.md: -------------------------------------------------------------------------------- 1 | ## Security Advice 2 | 3 | The default version of onion services is version 3 and it has 56 characters long. Onion services version 2 is being deprecated and will be retired soon from the Tor network, after 0.4.6.x Tor release, in July 2021. Please read the blog post Onion Service version deprecation timeline for more information. 4 | 5 | Some onion site operators may not want to disclose their onion service location. Therefore, you need to configure your web server so it doesn't give away any information about you, your computer, or your location. 6 | 7 | OnionScan is a tool to check if your onion site is leaking information that could compromise your anonymity like your server IP address. 8 | Finally, if you plan to keep your service available for a long time, you might want to make a backup copy of the private_key file somewhere. 9 | 10 | Now that you have an onion site working, you may want to deploy Onion-Location, or use tools like Docker, Heroku, Terraform, Ansible or stem to automate the management of your onion services. If you have a static website, but never installed Nginx or Apache, another project to try is OnionShare, where running an onion site will be easier: guided with a graphic interface and with minimal configuration. 11 | 12 | ### Source 13 | 14 | https://community.torproject.org/onion-services/setup/#security-advice-and-more-tips 15 | 16 | 17 | ## Onion Services Best Practices 18 | 19 | ### How to use this guide. 20 | 21 | Here you can find information about running Onion Services based on our experiences running them and helpful tips from people like you. 
If you have a helpful tip, or can translate this into another language, please contribute! 22 | 23 | “Onion Services” were previously known as “Tor Hidden Services”, but have been renamed since “Hidden Service” didn’t accurately describe what was possible. This guide uses the new name. 24 | 25 | ### Installing and configuring Onion Services 26 | For information on configuring onion services, please read the Tor Project’s guide 27 | 28 | #### Make sure your Tor software is updated 29 | It is not enough to simply install Tor and configure your onion service and then forget about it. You must keep it up to date so that critical security flaws are fixed. All software has bugs, and Tor is no exception. Make sure you are keeping your software up-to-date. 30 | 31 | #### Many things can be made into onion services 32 | You can do a lot of things over onion services, not just make a website available! You can also provide IMAP, or SMTP, or deliver mail between MTAs, among many other possibilities. Spread the onions far and wide! But be careful, if the service makes DNS requests for whatever reason (like resolving where that SMTP server is to send the email), then you leak information. One way to work around this is to have the machine running your service fully iptabled to go through Tor all the time. 33 | 34 | #### Don’t run a relay at the same time 35 | Do not run a relay and an onion service on the same instance. Having a relay and an onion service on the same IP and/or machine helps traffic correlation and fingerprinting. However, Tor is smart enough to not choose itself as a node for the circuit so it’s not a disaster but ideally you want to avoid it. 36 | 37 | #### Monitor your onion service(s) availability 38 | Although their stability has improved greatly, onion services can still fail for a number of reasons. Set up some monitoring to regularly connect to your onion service(s) to make sure that they are still functioning. 
39 | 40 | #### Multiple ports for one onion service 41 | You don’t need to create a different onion service for every service you want to make available, just add more HiddenServicePort lines, for example: 42 | 43 | ``` 44 | HiddenServiceDir /usr/local/etc/tor/other_hidden_service/ 45 | HiddenServicePort 6667 127.0.0.1:6667 46 | HiddenServicePort 22 127.0.0.1:22 47 | ``` 48 | 49 | If you want to run multiple onion services from the same Tor client, just add another `HiddenServiceDir` line to the config file. 50 | 51 | #### SSL/TLS isn’t necessary 52 | You don’t really need SSL/TLS in an onion address (ie. https) since it’s a complete encrypted tunnel + PFS (perfect forward secrecy), but it does not hurt having extra layers in that onion! 53 | 54 | Although it is true that extra layers are good beware that usually redirecting to SSL/TLS will mean that the certificate will not validate (because the hostname will be *.onion, instead of the certificate that you have for your public service). If you can get a .onion certificate, that works! 55 | 56 | If your onion service does use TLS, make sure that it does not send a certificate for an external website. 57 | 58 | #### Onion services and Rails 4 59 | In order to get a .onion site to play nice with rails, and have the site also work over HTTPS when not using the .onion, you need change a few defaults. 60 | 61 | The first thing that must be changed is to not use the config.force_ssl = true option. This option is the default for rails apps in production. This setting forces secure cookies and forces HSTS. Change my_rails_app/config/environments/production.rb to be: 62 | 63 | config.force_ssl = false 64 | Once we set force_ssl = false, we want to add back the ability to enforce secure cookies and HSTS when using normal HTTPS. So, to do this, we make sure the web server is setting the HSTS headers for the HTTPS virtualhost, and we add the secureheaders gem to enforce secure cookies. 
The secureheaders gem will set the Secure cookie flag only for HTTPS connections, unlike the rails force_ssl flag. This allows us to have secure cookies for the regular HTTPS site and insecure cookies for the .onion site, which is what we want. 65 | 66 | Install the secureheaders gem for your application, in my_rails_app/Gemfile: 67 | 68 | gem 'secure_headers', '~> 3.5' 69 | (replace 3.5 with whatever version of secureheaders is currently available) 70 | 71 | Add a secureheaders configuration, in config/initializers/secureheaders.rb: 72 | 73 | ``` 74 | SecureHeaders::Configuration.default do |config| 75 | config.cookies = { 76 | secure: true, 77 | httponly: true, 78 | samesite: { 79 | strict: true 80 | } 81 | } 82 | end 83 | ``` 84 | 85 | NOTE: When configuring apache or nginx in this setup, do not set the X_FORWARDED_PROTO environment variable to be https on the port 80 onion virtual host. You should set it on the port :443 non-onion virtual hosts. 86 | 87 | ### Onion services can be found 88 | If you are not very careful to keep your server from revealing identifying information about you, your computer, or your location, then the onion service will no longer be hidden! 89 | 90 | #### Leaking the real server 91 | A common misstep here is server signatures, for example it is easy to determine if a webserver is thttpd or Apache, or learn about your operating system because the banner tells the version of the running service and operating system. 92 | 93 | Another way that your onion address will get out is via the referrer header in browsers when a client browses a hidden service website and then clicks on a clearnet/hidden service link. The Tor browser has taken care of many of these tiny leaks, so be sure to encourage your users to use an up-to-date tor browser instead of using their own browser with Tor. 
94 | 95 | If the server running the onion service is also exposed to the clearnet, make sure that when you connect to either the clearnet service or the onion service, you cannot specify in the host header the other service and get a response. You should ensure the onion service is only listening on the internal IP and your external service is only listening on the external IP address. The easiest way to ensure there are no failures here is to run your service on a machine that has no external IP address. 96 | 97 | Make sure the time on your server is correct, and is corrected automatically by NTP, so that time skews do not help identify your server. 98 | 99 | Make sure you are not inadvertently exposing information, for example with PHP you may disclose the server’s real name/address if you leak phpinfo() or $_SERVER, or expose error messages! 100 | 101 | Look into protecting yourself against Server Side Request Forgery (SSRF). This attack works by getting the server to perform an external connection (DNS lookup, etc.) which can expose your machine’s real location. Strict egress firewalling is one way to mitigate this problem. 102 | 103 | The longer an onion service is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the onion service’s availability and matching induced traffic patterns. 104 | 105 | There are currently ways in the protocol that a bad relay can learn about your onion address, even if you don’t tell anybody. Follow the discussion on the subject if you want to stay on top of how the Tor project is working on fixing these issues. 106 | 107 | #### OnionScan 108 | Use the [OnionScan→onionscan.org] tool to scan HTTP onion services to look for leaks. It will look for IP addresses, EXIF metadata in images, and things like enabled mod_status that can leak the real IP address of the server. 109 | 110 | #### Onion services don’t need to be hidden! 
111 | You can provide an onion service for a service that you offer publicly on a server that is not intended to be hidden. Onion services are useful to protect users from passive network surveillance: they keep the snoopers from knowing where users are connecting from and to. 112 | 113 | #### Make your onion services easy to find 114 | If you provide onion services, make them known to your users by advertising their existence, their onion hostnames and the ports that they provide, in a way that authenticates that they are the legitimate ones (for example, you could digitally sign the list of onion addresses like Riseup does, put them in DNS TXT records, or have the clearnet site announce its onion counterpart with the Onion-Location header). 115 | 116 | #### Ask your favorite online service to provide an onion service! 117 | Advocate for more onion services by asking those who provide the services that you use to make them available. They are easy to set up and maintain, and there is no reason not to provide them! 118 | 119 | #### Moving onion services 120 | You can move onion services between systems: just copy the /var/lib/tor/ directory (or at least the HiddenServiceDir of each service) to the new system, preserving ownership and permissions, and make sure the torrc on the new system has the same configuration as the old one. Be sure to disable and stop the old one before starting the new one. The onion service directory contains the hostname of the onion service and the private key (for v3 services also the `authorized_clients/` directory, if client authorization is used). 121 | 122 | ### Protecting your services 123 | #### Protect your private keys 124 | Keep the onion service private key private! That key should not be available to the public, it should not be shared and it should have proper permissions set so it is not readable by anyone on your system, except for the Tor process. 125 | 126 | #### Backup your private keys 127 | If you plan to keep your service available for a long time, you might want to make a backup copy of the private key file (`hs_ed25519_secret_key` for v3 services) somewhere safe, protected with the same restrictive permissions as the original. 128 | 129 | #### Be careful of localhost bypasses!
130 | You should take great care not to accidentally expose things on your server that are restricted to the local machine. When HiddenServicePort points at localhost, Tor connects to your service from 127.0.0.1, so every onion visitor appears to come from localhost and any "localhost only" restriction is bypassed. For example, if you provide /server-status in apache (from mod_status, which is enabled by default in debian’s apache) to monitor the health of your apache webserver, that will typically be restricted to only allow access from 127.0.0.1, or you may have .htaccess rules that only allow localhost, etc. 131 | 132 | There are a few ways you can solve this problem: 133 | 134 | * **different machine**: consider running the onion service on a different machine (real or virtual) than the actual service. This has the advantage that you can isolate the service from the onion service (a compromise of one doesn’t compromise the other) and helps with isolating potential information leaks 135 | * **isolation**: similarly to the above, you can also isolate Tor and the service so it will run in a different network namespace than the service. Tails uses a Tor-or-fail packet filter. 136 | * **public ip**: configure the onion service to connect to the non-loopback IP address of the service instead of localhost/127.0.0.1; this should make Tor not pick 127.0.0.1 as the source address and avoid most misconfigurations. For example like this (the example uses a LAN address; the point is that it is not a loopback address): 137 | 138 | ``` 139 | HiddenServiceDir /var/lib/tor/hidden/ftp/ 140 | HiddenServicePort 80 192.168.1.1:81 141 | ``` 142 | 143 | Note: This makes your server and vhost potentially reachable by an external entity. There has been a growing number of attempts to discover the true location of sites behind cloudflare that are badly configured because they still expose their true httpd on a public IP address. People regularly use masscan and zmap to scan the entire ipv4 address space, connect to every publicly exposed httpd and request “high-value” onion addresses in the Host header to see if the httpd serves the probed vhost's content.
144 | 145 | Binding to a port that is different from the “true” port is a source of a potential leak on Apache. If there is a directory, e.g. foo.onion/css/, then a request to foo.onion/css will cause apache to emit a 301 redirect, but when it issues it, it will include the port that it thinks the service is listening on. Instead of sending a 301 to foo.onion/css/ it would send a 301 for foo.onion:81/css/; this both breaks the website and reveals the port the httpd is really running on. 146 | 147 | * **unix socket**: consider using unix socket support instead of a TCP socket (requires Tor 0.2.6 or later) – if you do this, then the onion service will be running on the same server as the service itself. With a socket approach, you should be able to run with `PrivateNetwork=yes` in the systemd unit, which gets you some really great isolation, for example: 148 | HiddenServicePort 80 unix:/etc/lighttpd/unix.sock 149 | But then the service itself needs to support unix sockets, otherwise you have to set up some socat redirection from tcp <→ unix (nginx, twisted, lighttpd all support this). 150 | 151 | * **audit carefully**: carefully audit, and regularly re-audit, your system for configurations that allow localhost/127.0.0.1 but prohibit everywhere else, and configure those to work around the problem (for example make /server-status operate on a different IP; make the webserver listen on a different port for /server-status; make it password protected, etc.). 152 | 153 | #### You can make onion services require authentication to use. 154 | If you enable client authorization, the service is only available to authorized clients. This means that nobody can even attack the service unless they break Tor (or hold an authorized key). Note that the HiddenServiceAuthorizeClient torrc option (see man page) applies only to the deprecated v2 onion services; for v3 services, client authorization is configured through the `authorized_clients/` directory inside the HiddenServiceDir, as described in client-auth.md.
155 | 156 | #### Protect your onion services from advanced attacks 157 | If you run a high-security onion service which is under attack by sophisticated adversaries, you should install the Vanguards addon which defends against various advanced attacks. Please read Tor project’s blog post on how to install and use this tool. 158 | 159 | In addition, you can also enable Sandbox 1 in your torrc to enable the built in sandboxing. 160 | 161 | ## Source 162 | 163 | https://riseup.net/en/security/network-security/tor/onionservices-best-practices 164 | -------------------------------------------------------------------------------- /docs/client-auth.md: -------------------------------------------------------------------------------- 1 | ## What's a client or onion authentication? 2 | 3 | An authenticated onion service is an onion service that requires the client to provide an authentication credential to connect to the onion service. For v3 onion services, this method works with a pair of keys (a public and a private). The service side is configured with a public key and the client can only access it with a private key. The client private key is not transmitted to the service, and it's only used to decrypt its descriptor locally. 4 | 5 | Onion services authentication is only possible for private onion services with a limited number of visitors. This is impossible for a public onion service. For a public onion service this step should be skipped. Each visitor needs to be provided with a key file. 6 | 7 | With v3 onions addresses it is no longer possible for adversaries to learn about their existence if they are not published -- this was not the case previously with v2 onion addresses. Therefore, some readers might wonder what is the purpose of onion services authentication for v3 onions. 8 | 9 | Authentication for v3 onions exists to eliminate the side risks of the onion address accidentally being leaked. 
This is feasible due to human error, a bug in the software using the onion address, or other yet unknown possibilities. By using onion services authentication, the onion service could not be accessed even if the onion address was leaked. 10 | 11 | [Quote](https://lists.torproject.org/pipermail/tor-dev/2019-December/014106.html): 12 | 13 |
14 | Also, if you have multiple users, having one v3 address with authentication is much better than multiple addresses, for the following reasons: 15 | 16 | * easier management 17 | 18 | * easier to configure and easier to maintain the application behind it (web server or whatever it is) 19 | 20 | * less resources needed by the Tor daemon 21 | 22 | * less load on your guard(s) / bridge(s), thus more capacity and better experience for your clients / visitors (if you have multiple addresses you need to maintain active introduction point circuits for all of them, publish descriptors, etc.) 23 |
24 | 25 | 26 | ### Onion Service Operator 27 | 28 | Once you have configured client authorization, knowing the onion address alone is no longer enough to reach the service: only clients holding an authorized private key can connect from this point on. If no authorization is configured, the service will be accessible to anyone with the onion address. 29 | 30 | To configure client authorization on the service side, the <*HiddenServiceDir*>/authorized_clients/ directory needs to exist. Creating an onion service using the HiddenServiceDir and HiddenServicePort on torrc and reloading or restarting tor will automatically create this directory. Client authorization will only be enabled for the service if tor successfully loads at least one authorization file; an empty directory, or one containing only malformed files, leaves the service open to anyone with the address. 31 | 32 | For now, you need to create the keys yourself with a script (like these written in Bash, Rust or Python) or manually. 33 | 34 | To manually generate the keys, you need to install openssl version 1.1+ and basez. 35 | 36 | 1. Generate a key using the algorithm x25519: 37 | ```sh 38 | openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem 39 | ``` 40 | 41 | If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. Keep in mind that /tmp is shared with every user on the system: create these files with a restrictive umask (e.g. run `umask 077` first) and delete them once the keys have been installed. 42 | 43 | 2. Format the keys into base32: 44 | 45 | Private key 46 | ```sh 47 | cat /tmp/k1.prv.pem | grep -v " PRIVATE KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key 48 | ``` 49 | 50 | Public key 51 | ```sh 52 | openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key 53 | ``` 54 | 55 | 3. Copy the public key: 56 | ```sh 57 | cat /tmp/k1.pub.key 58 | ``` 59 | 60 | 4. Create an authorized client file: 61 | 62 | Format the client authentication and create a new file in the <*HiddenServiceDir*>/authorized_clients/ directory. Each file in that directory should be suffixed with ".auth" (e.g.
"alice.auth"; the file name is irrelevant) and its content format must be: 63 | `<auth-type>:<key-type>:<base32-encoded-public-key>` 64 | 65 | The supported values for <*auth-type*> are: "descriptor". 66 | 67 | The supported values for <*key-type*> are: "x25519". 68 | 69 | The <*base32-encoded-public-key*> is the base32 representation of the raw key bytes only (32 bytes for x25519). 70 | 71 | For example, the file `/var/lib/tor/services/hidden_service/authorized_clients/alice.auth` should look like: 72 | `descriptor:x25519:N2NU7BSRL6YODZCYPN4CREB54TYLKGIE2KYOQWLFYC23ZJVCE5DQ` 73 | 74 | If you are planning to have more authenticated clients, create one file per client; each file must contain one line only. Any malformed file will be silently ignored, so verify (for example in tor's log) that the client was actually loaded rather than assuming it. 75 | 76 | 5. Reload the tor service: 77 | ``` 78 | systemctl reload tor 79 | ``` 80 | 81 | If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work. 82 | 83 | Important: Revoking a client can be done by removing their ".auth" file, however the revocation will be in effect only after the tor process gets restarted; a reload such as `systemctl reload tor` is not sufficient, and the removed client keeps access until the restart. 84 | 85 | 86 | ### Onion Service Client 87 | 88 | You can get the access credentials from the onion service operator. Reach out to the operator and request access. You may authenticate yourself directly in the Tor Browser. When accessing an authenticated onion service, Tor Browser will show in the URL bar an icon of a little gray key, accompanied by a tooltip. Enter your valid client private key into the input field. 89 | 90 | To access a version 3 onion service with client authorization as a client, make sure you have ClientOnionAuthDir set in your torrc. For example, add this line to /etc/tor/torrc: 91 | ``` 92 | ClientOnionAuthDir /var/lib/tor/onion_auth 93 | ``` 94 | Then, in the <*ClientOnionAuthDir*> directory, create an .auth_private file for the onion service corresponding to this key (e.g. 'bob_onion.auth_private').
The content of the <*ClientOnionAuthDir*>/<*user*>.auth_private file should look like this: 95 | 96 | `<56-char-onion-addr-without-.onion-part>:descriptor:x25519:<*x25519 private key in base32*>` 97 | 98 | For example: 99 | `rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd:descriptor:x25519:ZDUVQQ7IKBXSGR2WWOBNM3VP5ELNOYSSINDK7CAUN2WD7A3EKZWQ` 100 | 101 | If you manually generated the key pair following the instructions in this page, you can copy and use the private key created in Step 2. Then restart tor and you should be able to connect to the onion service address. 102 | 103 | If you are generating a private key for an onion site, the user does not necessarily need to edit Tor Browser's torrc. It is possible to enter the private key directly in the Tor Browser interface. 104 | 105 | For more information about client authentication, please see Tor manual. 106 | 107 | ## Source 108 | 109 | Synopsis - https://support.torproject.org/onionservices/client-auth/ 110 | 111 | Setup client auth - https://community.torproject.org/onion-services/advanced/client-auth/ 112 | 113 | Use keys on Tor Browser - https://tb-manual.torproject.org/onion-services/#onion-service-authentication 114 | -------------------------------------------------------------------------------- /docs/code_of_conduct.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | ## Standards 4 | 5 | * The code applies to everyone, indistictively of hierarchy (user, contributor, collaborator, maintainer). 6 | * The universal language is English, use it. If there is a lack of understanding using the aforementioned language, ask if it is possible to be helped in another language. 7 | * Stay on topic. Narrow it down to the core of the issue been dealt with for faster resolution of the matter. 8 | * If a request is not approved, don't take it personal. 9 | * Criticize code, not people. 10 | * Constructive criticism always. 
Explain what is wrong and what could have been done better if applied to the case. 11 | * Satire/Irony/Sarcasm mode is enabled, have some sense of humour, although derogatory/insulting/personal attacks and intimidation/threats are forbidden, such as doxing private information of someone else's identity, or attempting to do so by any means and then claiming it was "just a joke". 12 | * Humans evolved to use the brain beyond their animal instincts of fighting for food, water and copulation, so harassing the offender as was done to you also makes you an offender. 13 | 14 | ## Enforcement 15 | 16 | A code only works if it is enforced. 17 | 18 | Steps: 19 | 1. Warn the other party of misconduct and refer to this Code of Conduct. 20 | 1. If the actions persist, warn the maintainers and a public warning will be made on the same issue or pull request where it happened. Contact nyxnor@protonmail.com. 21 | 1. If after the warning the violation continues to happen, the maintainer will ban the violator from the repository. 22 | -------------------------------------------------------------------------------- /docs/contributing.md: -------------------------------------------------------------------------------- 1 | # Contribute 2 | 3 | This project is not perfect and never will be; contributions are welcome. Don't be afraid to correct anyone if you spot something wrong or something that can be improved. 4 | 5 | See the open issues and find one to contribute to if possible. 6 | 7 | First, read the [docs](https://github.com/nyxnor/onionjuggler/tree/main/docs). 8 | 9 | ## License 10 | 11 | Every contribution will be licensed according to the [LICENSE](LICENSE), which currently is MIT. 12 | 13 | ## Shell 14 | 15 | ### Commands 16 | 17 | Currently many commands are used and there is a constant effort to use fewer commands, focusing on installing fewer packages.
18 | 19 | All POSIX shell commands are allowed - [Shell and Utilities volume of POSIX.1-2017 - IEEE Std 1003.1-2017 - ISO/IEC/IEEE 9945:2009](https://pubs.opengroup.org/onlinepubs/9699919799/utilities/contents.html): 20 | 21 | New requirements will be evaluated regarding their need and value. 22 | 23 | ### Builtins 24 | 25 | The project will never be a pure POSIX alternative to external processes such as git, grep, openssl, but it aims to use more of the shell's capabilities rather than depending on more packages. Read the [pure-sh-bible](https://github.com/dylanaraps/pure-sh-bible), a POSIX compliance and efficiency guide: the fewer commands to install, the more portable it becomes. Prefer builtin alternatives to external processes, then shell builtins, and after that commands/packages available on *nix systems that have similar options. 26 | 27 | Shell builtins are preferred. To find all builtins: 28 | * Download the shellspec builtins script (it is fetched from an unpinned branch and then executed, so review the downloaded file before running it): 29 | ```sh 30 | curl --tlsv1.3 --proto =https --location -o /tmp/builtins.sh https://raw.githubusercontent.com/shellspec/shellspec/master/contrib/builtins.sh 31 | #wget --https-only -P /tmp/ https://raw.githubusercontent.com/shellspec/shellspec/master/contrib/builtins.sh 32 | sh /tmp/builtins.sh 33 | ``` 34 | 35 | ### External commands limitations 36 | 37 | Operating system extensions (GNU extensions on commands such as grep) and commands unique to some unix operating systems but not present on others need to be avoided. If you still need to use external commands, check their POSIX manual, mentioned under [commands](#commands). 38 | 39 | ### Syntax 40 | 41 | * Indentation is made by 2 spaces. 42 | * Lines that begin with `## ` try to explain what's going on. Lines that begin with just `#` are disabled commands. 43 | * Sacrificing some code legibility for speed is acceptable, but if the maintainer considers it messy because it does not help performance, it won't be approved. This is the only subjective requirement.
44 | * Fewer commands invoked, and the lighter they are the better (following their use case for performance) -> Inefficient: `cat file | grep pattern`, Efficient: `grep pattern file`. 45 | * `printf` instead of `echo` for portability reasons. 46 | * the exit code is `0` if no error occurs, else `1`. 47 | * tests managed with `&&` for true and `||` for false. 48 | * `case` instead of `if-then-else` when possible. 49 | * variables should be referenced with braces `{}` and double quotes `""`, resulting in `"${var}"`. 50 | * unquoted variables are only for values under the script's control that need to expand into several words (never for user-supplied input, where word splitting and globbing become an injection vector); disable SC2086 as a directive in this case one line before the occurrence -> `# shellcheck disable=SC2086`. 51 | * variables must be lower case and if there are two or more words, separated by `_` (underscore) -> `"${tor_data_dir}"`. 52 | * only environment variables can be uppercase. 53 | * for the rest, follow the same pattern predominant in the scripts. 54 | 55 | ### Check 56 | 57 | Run [shellcheck](https://github.com/koalaman/shellcheck) before committing your changes; it should have no output. 58 | 59 | Some checks are not needed for certain files and are cherry-picked to be disabled. It is recommended to check before every commit: 60 | 61 | ```sh 62 | ./configure.sh -r 63 | ``` 64 | 65 | **Shellcheck Codes**: 66 | * Global: specify in [.shellcheckrc](https://github.com/koalaman/shellcheck/wiki/Ignore#ignoring-one-or-more-type-of-error-forever).
67 | * Applicable to the entire file: [specify on the line after the shebang](https://github.com/koalaman/shellcheck/wiki/Ignore#ignoring-all-instances-in-a-file-044) 68 | * Applicable to certain lines: [specify on the line above the occurrence](https://github.com/koalaman/shellcheck/wiki/Ignore#ignoring-one-specific-instance-in-a-file) 69 | 70 | Some pitfalls can occur when writing that shellcheck won't recognize, as it doesn't warn about [SC2045](https://github.com/koalaman/shellcheck/wiki/SC2045), even though it should (we need to find a way to circumvent that, as `DataDir` is owned by the tor user, not by your normal login user. This is why checking with `-d DIR` or ` -f FILE` doesn't work. A possible solution is `# find ${tor_data_dir_services} -maxdepth 1 -type d | tail -n +2`) 71 | 72 | Read [Bash Pitfalls](http://mywiki.wooledge.org/BashPitfalls) (some rules are applicable to POSIX shells). 73 | 74 | ## Documentation 75 | 76 | Not only code is important; making it understandable by anyone who reads the documentation is relevant, so improve the docs: spelling mistakes, better wording. 77 | 78 | ## Issues 79 | 80 | Help with open issues by responding in detail to the author. 81 | 82 | Maintainers/Collaborators: 83 | * Before closing any issue, explain the reason for that action, which can be: 84 | * lack of response to the latest comment after 7 (seven) days. 85 | * no longer relevant to the current code base. 86 | * the issue won't be fixed. 87 | 88 | ## Commits 89 | 90 | Fork the repository [here](https://github.com/nyxnor/onionjuggler/fork) 91 | 92 | Clone: 93 | ```sh 94 | git clone https://github.com/<your-username>/onionjuggler.git 95 | cd onionjuggler 96 | ``` 97 | 98 | Create a feature or fix branch using the upstream project development branch as base: 99 | ```sh 100 | git remote add upstream https://github.com/nyxnor/onionjuggler.git 101 | git checkout -b <your-branch> upstream/<development-branch> 102 | ``` 103 | 104 | After changes are finished, test thoroughly to see if it works.
105 | If it does and is valuable to the upstream project, first open an issue to have it discussed; after it is evaluated, create a pull request. 106 | 107 | Before committing, run shellcheck with: 108 | ```sh 109 | ./configure.sh -r 110 | ``` 111 | 112 | Commit to your branch: 113 | ```sh 114 | git add <changed-files> 115 | git rm <removed-files> 116 | git commit -m "Title with short description" -m "Detailed description of the changes" 117 | git push -u origin <your-branch> 118 | ``` 119 | 120 | Open a pull request on GitHub and compare it against `upstream/<development-branch>`. 121 | 122 | ## Pull Requests 123 | 124 | Help with pull requests by reviewing them. 125 | -------------------------------------------------------------------------------- /docs/dos-guidelines.md: -------------------------------------------------------------------------------- 1 | ## Onionbalance 2 | 3 | [Onionbalance](https://onionbalance-v3.readthedocs.io/en/latest/v3/tutorial-v3.html) allows onion service operators to achieve the property of high availability by allowing multiple machines to handle requests for an onion service. 4 | You can use Onionbalance to scale horizontally. 5 | The more you scale, the harder it is for attackers to overwhelm you. 6 | Onionbalance is available for [v3 onion services](https://blog.torproject.org/cooking-onions-reclaiming-onionbalance). 7 | 8 | ## Client authorization or multiple onion addresses to compartmentalize your users 9 | 10 | If you have users you trust, give them a dedicated onion service and client authorization credentials so that it can always be available to them. 11 | For users you don't trust, split them across multiple addresses. 12 | That said, having too many onion addresses is actually bad for your security (because of the use of many guard nodes), so try to use [client authorization](https://community.torproject.org/onion-services/advanced/client-auth) when possible.
13 | 14 | ## Webserver rate limiting 15 | 16 | If attackers are overwhelming you with aggressive circuits that perform too many queries, try to detect that overuse and kill them using the `HiddenServiceExportCircuitID` torrc option. 17 | You can use your own heuristics or use your web server's [rate limiting module](https://www.nginx.com/blog/rate-limiting-nginx/). 18 | 19 | The above tips should help you keep afloat in turbulent times. 20 | At the same time [we are working on more advanced defenses](https://blog.torproject.org/stop-the-onion-denial), so that less manual configuration and tinkering is needed by onion operators. 21 | 22 | 23 | ## Source 24 | 25 | https://community.torproject.org/onion-services/advanced/dos/ 26 | -------------------------------------------------------------------------------- /docs/onion-services.md: -------------------------------------------------------------------------------- 1 | ## Onion Services 2 | 3 | Onion services (formerly known as "hidden services") are services (like websites) that are only accessible through the Tor network. 4 | 5 | Onion services offer several advantages over ordinary services on the non-private web: 6 | 7 | * Onion services’ location and IP address are hidden, making it difficult for adversaries to censor them or identify their operators. 8 | * All traffic between Tor users and onion services is end-to-end encrypted, so you do not need to worry about connecting over HTTPS. 9 | * The address of an onion service is automatically generated, so the operators do not need to purchase a domain name; the .onion URL also helps Tor ensure that it is connecting to the right location and that the connection is not being tampered with. 10 | 11 | ### How to access an Onion Service 12 | 13 | Just like any other website, you will need to know the address of an onion service in order to connect to it. An onion address is a string of 56 mostly random letters and numbers, followed by ".onion". 
14 | 15 | When accessing a website that uses an onion service, Tor Browser will show in the URL bar an icon of an onion displaying the state of your connection: secure and using an onion service. 16 | You can learn more about the onion site that you are visiting by looking at the Circuit Display. 17 | 18 | Another way to learn about an onion site is if the website administrator has implemented a feature called Onion-Location. 19 | Onion-Location is a non-standard HTTP header that websites can use to advertise their onion counterpart. 20 | If the website that you are visiting has an onion site available, a purple suggestion pill will prompt at the URL bar in Tor Browser displaying ".onion available". 21 | When you click on ".onion available", the website will be reloaded and redirected to its onion counterpart. 22 | 23 | To prioritize an onion site version of a website, you can enable automatic Onion-Location redirects. 24 | Click on hamburger menu (≡), go to Preferences (or Options on Windows), click on Privacy & Security, and in the Onion Services section look for the entry "Prioritize .onion sites when known." and check the option "Always". 25 | Or, if you're already running Tor Browser, you can copy and paste this string in a new tab: `about:preferences#privacy` and change this setting. 26 | 27 | ## Onion Service Authentication 28 | 29 | An authenticated onion service is a service like an onion site that requires the client to provide an authentication token before accessing the service. 30 | As a Tor user, you may authenticate yourself directly in the Tor Browser. 31 | In order to access this service, you will need access credentials from the onion service operator. 32 | When accessing an authenticated onion service, Tor Browser will show in the URL bar an icon of a little gray key, accompanied by a tooltip. 33 | Enter your valid private key into the input field. 
34 | 35 | ### Onion Services Errors 36 | 37 | If you can't connect to an onion site, Tor Browser will provide a specific error message informing why the website is unavailable. 38 | Errors can happen in different layers: client errors, network errors or service errors. 39 | Some of these errors can be fixed by following the Troubleshooting section. 40 | The table below shows all the possible errors and which action you should take to solve the issue. 41 | 42 | | **Code** | **Error Title** | **Short Description** | 43 | |----------|-----------------|-----------------------| 44 | | XF0 | Onion site Not Found | The most likely cause is that the onion site is offline or disabled. Contact the onion site administrator. | 45 | | XF1 | Onion site Cannot Be Reached | The onion site is unreachable due to an internal error. | 46 | | XF2 | Onion site Has Disconnected | The most likely cause is that the onion site is offline or disabled. Contact the onion site administrator. | 47 | | XF3 | Unable to Connect to Onion site | The onion site is busy or the Tor network is overloaded. Try again later. | 48 | | XF4 | Onion site Requires Authentication | Access to the onion site requires a key but none was provided. | 49 | | XF5 | Onion site Authentication Failed | The provided key is incorrect or has been revoked. Contact the onion site administrator. | 50 | | XF6 | Invalid Onion site Address | The provided onion site address is invalid. Please check that you entered it correctly. | 51 | | XF7 | Onion site Circuit Creation Timed Out | Failed to connect to the onion site, possibly due to a poor network connection. | 52 | 53 | ### Troubleshooting 54 | 55 | If you cannot reach the onion service you requested, make sure that you have entered the onion address correctly: even a small mistake will stop Tor Browser from being able to reach the site. 56 | 57 | If you are still unable to connect to the onion service after verifying the address, please try again later. 
There may be a temporary connection issue, or the site operators may have allowed it to go offline without warning. 58 | 59 | If the onion service you are trying to access consists of a string of 16 characters (V2 format), this type of address is [deprecated](https://support.torproject.org/onionservices/v2-deprecation/). 60 | 61 | You can also test if you are able to access other onion services by connecting to [DuckDuckGo's Onion Service](https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/). 62 | 63 | ## Source 64 | 65 | https://tb-manual.torproject.org/onion-services/ 66 | -------------------------------------------------------------------------------- /docs/security.md: -------------------------------------------------------------------------------- 1 | # Security Policy 2 | 3 | ## Liability 4 | 5 | The developers are exempt from any liability according to the license. 6 | 7 | No upgrade is enforced and never will be. If there is a security update, upgrading will be recommended to avoid greater risks. The code should be reviewed before being added to your system. 8 | 9 | ## What is considered a vulnerability? 10 | 11 | * Unwanted deletion of the onion service `hs_ed25519_secret_key`. 12 | * Overly permissive modes (`high permissions`) on files and folders that are modified by this project and differ from tor's defaults. Defaults: 13 | * 600 - `HiddenServiceDir/hostname`, `HiddenServiceDir/hs_ed25519_public_key`, `HiddenServiceDir/hs_ed25519_secret_key` (HiddenService files) 14 | * 644 - `torrc` (Configuration file) 15 | * 700 - `/var/lib/tor|DataDirectory`, `DataDirectory/services/*`, `DataDirectory/onion_auth` (DataDirectory, HiddenServiceDir and ClientOnionAuthDir) 16 | * 755 - `/etc/tor/` (Configuration directory) 17 | 18 | ## Reporting a Vulnerability 19 | 20 | A vulnerability must be reported immediately. If there is no reply after 7 (seven) days, please follow up. If after 14 (fourteen) days no change is made, public disclosure is the recommended course.
21 | 22 | ## Changelog 23 | 24 | If there was a security vulnerability, the next release changelog must contain a changelog referencing the commit that fixed it. 25 | 26 | ## Contact 27 | 28 | Please, communicate using cryptography. 29 | 30 | * Email: nyxnor@protonmail.com 31 | * PGP fingerprint: `A5FF74AB7F092BABB55DF1A96B6586CDC9BC8836` 32 | * PGP public key: 33 | ``` 34 | -----BEGIN PGP PUBLIC KEY BLOCK----- 35 | 36 | mQINBGCGB6YBEACy2SDTVDxNBtkynYYkrba9l5+/LpbAOeoZ/OYPze8GOLwvxop4 37 | 0mnvo7itN+l5w6/ufaZVYbAJuL08ipHAvhESKZx2dpX/Qtt6YxhLwlGEE0CO4K+I 38 | 2WSfi3RKJyJJwI2JLglDW6cR9RYoCHwe/dtsVl7Qb/AsX1x92JbNHrkSqiGOdpCy 39 | m4JaaXtyNfwEMYSosW57lL/PYlIZ04PIWDpQUHRofxtnmHxAPihti0qJpEuUp4cx 40 | /9GjaYnDCucVh2fnKuN8dyJeZxpl+JQKR2CcYDjRCH88qMiM17azGS8+Q+8cdfUU 41 | FV5dyRkVWOxbflHjet77NKlpj9kQKRm2wSutsLVxH+Ylu0OtP7LfvpmSv0H0r0OW 42 | DCXM9Zvqm5z6aaYYH8ueTOnkRO4GPPfhVJKvdc1VAH7wBTjAH4b/cBNghZQ3GiHM 43 | UhqSQD9ehen+NcZNEd1JHeZaFB0qlS2RJT/EGsbP7PUoxYzbVi2Uj9LUPdABOCky 44 | l/MGD1KFhyJZemrCKips/0WL2O0Fpo8pYEIz3YcivCrW+OP/Qb28+zmBd0nsknBZ 45 | rNuIYgMHIGj65WDMXDTtbkBuLR6WdAc0HRQOR6PQ+j2c1t45Ww/f1oKsnnJeb0JG 46 | xVJNSwIhsTwPt21vFYLglD00qhJWbwnC/U/7y8liA8Y/0yaC/nglWM8GQQARAQAB 47 | tB5ueXhub3IgPG55eG5vckBwcm90b25tYWlsLmNvbT6JAk4EEwEKADgWIQSl/3Sr 48 | fwkrq7Vd8alrZYbNybyINgUCYIYHpgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX 49 | gAAKCRBrZYbNybyINoqeD/4jgA4yKgIVAZ+iigDypq+P6LZJGnwGqHEvFpiZUTus 50 | /6nHGVhSs2hioxHThYp0p2VhHceoiEezJ0PAd6E78emN1nXCtQvldTQCBJ5N1WYy 51 | SA08mZhsikJ9G8vrbZpZ4FiTwt3UzZXw5Yw33AKEkzcSwVHcM3Ew4JZPBV7eW6kh 52 | HmcCQ83aLre74LV77WN/VB/n9yqQhmCegiVijcxvEZ2DkyLbak/eNXVGW0ece1IC 53 | mQD8xKQpkWDG6bnrnXtvlyLAI67JMDsVJlnARVbitAg1BDaKtQeLuG3IDQxIEdee 54 | tPWiQz/4mzXGob9PNMdUW3u18bf2g1BAaNv2LmFoCm/bbU/++HvzSPgv9b4Vnzxd 55 | QzkwsBcXkx76RCg6GozEb/Hznze/klQ/wokepqQ8mpq3uMQ7QsA6wJvV6JommQok 56 | KK9rPEB77XI8TOyvq/sXiiLMhocYb+2cdUxtWPgA+JY+14IvznpaMySubUMm54ea 57 | m2unkPKRAArvK1L1wVSKWuo6+vYawmnHugg3UzQu0xeYFSwquZpL42VwShwGhdRE 58 | 
90r4XgrrjQBr6h82vLxlayPN8pWUCeCZaQUOgteQR9/Wchdr11U9M/0dhouh58Hs 59 | e5vnhvNWmEC6QH9yRjE8xIfP6h71oldjWOrmQeq+Bljwn1D8bsDZbVjBymZZDJVc 60 | N7kCDQRghgemARAAyhuPJgGrxBTo6hXjUgqnvuShBttrnpiAzPl6yxTcKuw9bN9i 61 | ZicNCWU/G9+Oo4M00YhL7/UXq+yKF5ysqvItPJB64RfRBtNHSwvOBzkS9OYDTrQE 62 | V0R+c525giz1RKWLejlYdFmfabQJEL6ouezhP4/eoOuNneRs1mwNFY6qt7hF18cQ 63 | nU0zfkh+MOWJcnv1Grhm2skYhdCwoeTOrAgFaaZaMR4TX7PPMZhtYTiFRjmqdbeU 64 | x2pZxg/OupQ92muGv6ejBETPFAnhe1R4mB8h9B0y9Gl1Fz5S7AcOsRhZ/cqtodi3 65 | fnMy/4Hp2SBwBn752KKCX0sjZC2EWd51T2NUvUoyF3IIqkVhvs2wWJxr5DWL9F32 66 | r0qCGB7ItIenK6+9QfylbAdwEdvg0OAYZmSHhDz5EakBoCp6da2i9yihoPA8uP7C 67 | YQeHotTKcDWD/rkmdIX40uiUCaSi6Fnd3cZ8saWNSU23mK+UrjzBbJhDMhONOqEO 68 | q1WmoP/1aO65au5fmJ/4uUrVHXbNPhccbPIOWk11EeuKaXz9V8E895Cnw16srVWk 69 | PXQNvi/aj7Sc+pxpXdQlGKxfSxS6FnewFZmIiJ2+MGRCqke0DFP9XvU9lYH13eH2 70 | Gl2XJ5aP5eTcGYjLtFVeQkj5eF/JRi2QGNy9/oOvWKUogcRyt5d63yf1OtsAEQEA 71 | AYkCNgQYAQoAIBYhBKX/dKt/CSurtV3xqWtlhs3JvIg2BQJghgemAhsMAAoJEGtl 72 | hs3JvIg2CM8P/A/tzNN6M/h6mms0lC5LD4ca+hDlaH82B2MmO5EwZjKuOkzmx2tj 73 | 4YJ2zDEhYnRpvvC05XvEBqf5hgCb2zbE5q9Mv1keBHhP2uEo0oQMerAqkbuxz1rS 74 | HP3srrkl2Eo3hW0bi69sd7VGhz7x0SVLFMHKKVb7f7AMM9fCohW6WzO19XkdKFhY 75 | F5icbKT8JtH8Qd9WVaFb1dw6ejx8MrwgfjA+uIDoi1MI1saNj1tEXQYuqJMzmV2C 76 | ZrbufH1I/qb66r7ZxeS3plBy/PK+ZFlnZcJ6golWRDy0QMNeCtRO6CJ9I8zOgNWB 77 | Hnpy9Nkic2SQoFqoYKUjRwy4NnT1t0Q/aAS+Q/7bmjJICDfwE49Xxmv/h/WF6VsF 78 | Y4kyJz1dYl1C8OvBEtZWSHQuJEgKHy0wceVS6E/DiRV40Z549JNlrcaBkK9ADh5/ 79 | 9BxLpI9BWX4DIR2zJAmx3XDyJiETbrzjims/SiU/cBlRQwLD57cqqueEeqviRINh 80 | S0a9w+LnrNDRSvOVhZUXefJFnCssTh4dhXpjBEJ8mu8x8ja78a7mWA3750fSeW9D 81 | XTA9OC+yQqJLaqHUmN3lzQm81J9iUZNrkCnvzuCAF++ZGUhaC6WX3xM3M30TZ4uI 82 | EdqcAux2aIKpo+jrk41J6FuPEw9ILNgBTAye3jB9TFTHF0eOuk+l5qc5 83 | =ZJiS 84 | -----END PGP PUBLIC KEY BLOCK----- 85 | ``` 86 | -------------------------------------------------------------------------------- /etc/onionjuggler/anon.conf: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | if test -f /usr/share/anon-gw-base-files/gateway; then 25 | ## Gateway 26 | ########## System ########## 27 | operating_system="anon-gateway" 28 | ## web: should be on the workstation 29 | onionjuggler_plugin="auth-server,auth-client" 30 | openssl_cmd="openssl" 31 | dialog_box="whiptail" 32 | 33 | ########## tor daemon ########## 34 | daemon_control="systemctl" 35 | tor_daemon="tor@default" 36 | tor_user="debian-tor" 37 | tor_conf_user_group="root:root" 38 | ## included tor configuration folder, specifically files matching '*.conf' 39 | tor_conf_dir="/usr/local/etc/torrc.d" 40 | ## manage its own unique torrc to avoid user manual modification 41 | tor_conf="${tor_conf_dir}/40_onionjuggler.conf" 42 | ## just to set defaults conf, they won't be modified 43 | tor_main_torrc_conf="/etc/tor/torrc" 44 | tor_defaults_torrc_conf="/usr/share/tor/tor-service-defaults-torrc" 45 | tor_data_dir="/var/lib/tor" 46 | ## pre-confiured ClientOnionAuthDir 47 | tor_data_dir_auth="${tor_data_dir}/authdir" 48 | 49 | elif test -f /usr/share/anon-ws-base-files/workstation; then 50 | ## Workstation 51 | ########## System ########## 52 | operating_system="anon-workstation" 53 
| ## web is the only usable plugin for Workstations 54 | onionjuggler_plugin="web" 55 | webserver="nginx" 56 | dialog_box="whiptail" 57 | 58 | elif ! test -f /usr/share/anon-dist/marker; then 59 | error_msg "wrong configuration chosen, this is not an anon dist" 60 | exit 1 61 | fi 62 | -------------------------------------------------------------------------------- /etc/onionjuggler/arch.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | ## Unsteted (TODO) 25 | printf "Untested system. 
Report interest by opening an issue on the repository and help testing.\n" && exit 1 26 | 27 | ########## System ########## 28 | operating_system="arch" 29 | openssl_cmd="openssl" 30 | webserver="nginx" 31 | dialog_box="dialog" 32 | 33 | ########## tor daemon ########## 34 | daemon_control="systemctl" 35 | tor_daemon="tor" 36 | tor_user="tor" 37 | tor_conf_user_group="root:root" 38 | tor_conf_dir="/etc/tor" 39 | tor_data_dir="/var/lib/tor" 40 | -------------------------------------------------------------------------------- /etc/onionjuggler/conf.d/user-sample.conf: -------------------------------------------------------------------------------- 1 | ## User Configuration file for OnionJuggler 2 | ## 3 | ## Options defined on this file override the default configuration file 4 | ## set on /etc/onionjuggler/onionjuggler.conf 5 | ## 6 | ## Files on /etc/onionjuggler/conf.d are parsed in lexical order. 7 | ## 8 | #tor_conf=/etc/tor/torrc -------------------------------------------------------------------------------- /etc/onionjuggler/debian.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 
20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | ########## System ########## 25 | operating_system="debian" 26 | openssl_cmd="openssl" 27 | webserver="nginx" 28 | dialog_box="whiptail" 29 | 30 | ########## tor daemon ########## 31 | daemon_control="systemctl" 32 | tor_daemon="tor@default" 33 | tor_user="debian-tor" 34 | tor_conf_user_group="root:root" 35 | tor_conf_dir="/etc/tor" 36 | tor_defaults_torrc_conf="/usr/share/tor/tor-service-defaults-torrc" 37 | tor_data_dir="/var/lib/tor" 38 | -------------------------------------------------------------------------------- /etc/onionjuggler/dialogrc: -------------------------------------------------------------------------------- 1 | # Run-time configuration file for dialog 2 | # 3 | # Types of values: 4 | # 5 | # Number - 6 | # String - "string" 7 | # Boolean - 8 | # Attribute - (foreground,background,highlight?,underline?,reverse?) 9 | # 10 | # 11 | # Colors: 12 | # 13 | # Interpret embedded "\Z" sequences in the dialog text by the following character, 14 | # which tells dialog to set colors or video attributes: 0 through 7 are the ANSI 15 | # used in curses: black, red, green, yellow, blue, magenta, cyan and white 16 | # respectively. Bold is set by 'b', reset by 'B'. Reverse is set by 'r', reset by 'R'. 17 | # Underline is set by 'u', reset by 'U'. The settings are cumulative, e.g., "\Zb\Z1" 18 | # makes the following text bold (perhaps bright) red. Restore normal settings with "\Zn". 19 | # 20 | # 0 = black 21 | # 1 = red 22 | # 2 = green 23 | # 3 = yellow 24 | # 4 = blue 25 | # 5 = magenta 26 | # 6 = cyan 27 | # 7 = white 28 | # 29 | # b = bold (set) 30 | # B = bold (unset) 31 | # r = reverse (set) 32 | # R = reverse (unset) 33 | # u = underline (set) 34 | # U = underline (unset) 35 | # n = default (restore) 36 | # 37 | # Source: https://github.com/openoms/joininbox/blob/v0.6.0/scripts/.dialogrc 38 | 39 | # Set aspect-ration. 
40 | aspect = 0 41 | 42 | # Set separator (for multiple widgets output). 43 | separate_widget = "" 44 | 45 | # Set tab-length (for textbox tab-conversion). 46 | tab_len = 0 47 | 48 | # Make tab-traversal for checklist, etc., include the list. 49 | visit_items = OFF 50 | 51 | # Shadow dialog boxes? This also turns on color. 52 | use_shadow = OFF 53 | 54 | # Turn color support ON or OFF 55 | use_colors = ON 56 | 57 | # Screen color 58 | screen_color = (CYAN,BLACK,ON) 59 | 60 | # Shadow color 61 | shadow_color = (BLACK,BLACK,ON) 62 | 63 | # Dialog box color 64 | dialog_color = (CYAN,BLACK,ON) 65 | 66 | # Dialog box title color 67 | title_color = (CYAN,BLACK,ON) 68 | 69 | # Dialog box border color 70 | border_color = (BLACK,BLACK,ON) 71 | 72 | # Active button color 73 | button_active_color = (WHITE,CYAN,ON) 74 | 75 | # Inactive button color 76 | button_inactive_color = dialog_color 77 | 78 | # Active button key color 79 | button_key_active_color = button_active_color 80 | 81 | # Inactive button key color 82 | button_key_inactive_color = (RED,BLACK,OFF) 83 | 84 | # Active button label color 85 | button_label_active_color = (WHITE,CYAN,ON) 86 | 87 | # Inactive button label color 88 | button_label_inactive_color = (CYAN,BLACK,ON) 89 | 90 | # Input box color 91 | inputbox_color = dialog_color 92 | 93 | # Input box border color 94 | inputbox_border_color = dialog_color 95 | 96 | # Search box color 97 | searchbox_color = dialog_color 98 | 99 | # Search box title color 100 | searchbox_title_color = title_color 101 | 102 | # Search box border color 103 | searchbox_border_color = border_color 104 | 105 | # File position indicator color 106 | position_indicator_color = title_color 107 | 108 | # Menu box color 109 | menubox_color = dialog_color 110 | 111 | # Menu box border color 112 | menubox_border_color = border_color 113 | 114 | # Item color 115 | item_color = dialog_color 116 | 117 | # Selected item color 118 | item_selected_color = button_active_color 119 | 120 | # Tag 
color 121 | tag_color = title_color 122 | 123 | # Selected tag color 124 | tag_selected_color = button_label_active_color 125 | 126 | # Tag key color 127 | tag_key_color = button_key_inactive_color 128 | 129 | # Selected tag key color 130 | tag_key_selected_color = (RED,CYAN,ON) 131 | 132 | # Check box color 133 | check_color = dialog_color 134 | 135 | # Selected check box color 136 | check_selected_color = button_active_color 137 | 138 | # Up arrow color 139 | uarrow_color = (CYAN,BLACK,ON) 140 | 141 | # Down arrow color 142 | darrow_color = uarrow_color 143 | 144 | # Item help-text color 145 | itemhelp_color = (BLACK,WHITE,OFF) 146 | 147 | # Active form text color 148 | form_active_text_color = button_active_color 149 | 150 | # Form text color 151 | form_text_color = (BLACK,WHITE,ON) 152 | 153 | # Readonly form item color 154 | form_item_readonly_color = (CYAN,BLACK,ON) 155 | 156 | # Dialog box gauge color 157 | gauge_color = title_color 158 | 159 | # Dialog box border2 color 160 | border2_color = dialog_color 161 | 162 | # Input box border2 color 163 | inputbox_border2_color = dialog_color 164 | 165 | # Search box border2 color 166 | searchbox_border2_color = dialog_color 167 | 168 | # Menu box border2 color 169 | menubox_border2_color = dialog_color 170 | -------------------------------------------------------------------------------- /etc/onionjuggler/fedora.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. 
Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | ## Unsteted (TODO) 25 | printf "Untested system. Report interest by opening an issue on the repository and help testing.\n" && exit 1 26 | 27 | ########## System ########## 28 | operating_system="fedora" 29 | openssl_cmd="openssl" 30 | webserver="nginx" 31 | dialog_box="dialog" 32 | 33 | ########## tor daemon ########## 34 | daemon_control="systemctl" 35 | tor_daemon="tor" 36 | tor_user="tor" 37 | tor_conf_user_group="root:root" 38 | tor_conf_dir="/etc/tor" 39 | tor_data_dir="/var/lib/tor" 40 | -------------------------------------------------------------------------------- /etc/onionjuggler/freebsd.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | 25 | ## Unsteted (TODO) 26 | printf "Untested system. 
Report interest by opening an issue on the repository and help testing.\n" && exit 1 27 | 28 | ########## System ########## 29 | operating_system="freebsd" 30 | openssl_cmd="openssl" 31 | webserver="nginx" 32 | dialog_box="dialog" 33 | 34 | ########## tor daemon ########## 35 | daemon_control="service" 36 | tor_daemon="tor" 37 | tor_user="_tor" 38 | tor_conf_user_group="root:wheel" 39 | tor_conf_dir="/usr/local/etc/tor" 40 | tor_data_dir="/var/tor" 41 | -------------------------------------------------------------------------------- /etc/onionjuggler/netbsd.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | ## Unsteted (TODO) 25 | printf "Untested system. 
Report interest by opening an issue on the repository and help testing.\n" && exit 1 26 | 27 | ########## System ########## 28 | operating_system="netbsd" 29 | openssl_cmd="openssl" 30 | webserver="nginx" 31 | dialog_box="dialog" 32 | 33 | ########## tor daemon ########## 34 | daemon_control="/etc/rc.d" 35 | tor_daemon="tor" 36 | tor_user="_tor" 37 | tor_conf_user_group="root:wheel" 38 | tor_conf_dir="/usr/pkg/etc/tor" 39 | tor_data_dir="/usr/pkg/var/tor" 40 | -------------------------------------------------------------------------------- /etc/onionjuggler/openbsd.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | ## TODO: basez does not exist on OpenBSD, a port is being made. 25 | ## TODO: WebServer is also not working, fix with obsd httpd. 26 | ## Unsteted (TODO) 27 | printf "Untested system. 
Report interest by opening an issue on the repository and help testing.\n" && exit 1 28 | 29 | ########## System ########## 30 | operating_system="openbsd" 31 | openssl_cmd="eopenssl30" 32 | webserver="nginx" 33 | dialog_box="dialog" 34 | 35 | ########## tor daemon ########## 36 | daemon_control="rcctl" 37 | tor_daemon="tor" 38 | tor_user="_tor" 39 | tor_conf_user_group="root:wheel" 40 | tor_conf_dir="/etc/tor" 41 | tor_data_dir="/var/tor" 42 | -------------------------------------------------------------------------------- /etc/onionjuggler/sample.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | 25 | ########## System ########## 26 | ## Set default operating system. 27 | operating_system="debian" 28 | ## 29 | ## Only install specified plugins, if empty, install everything. 30 | ## (Default: all plugins). 31 | onionjuggler_plugin="" 32 | ## 33 | ## The OpenSSL command to create the certificate and private keys for Client 34 | ## Authorization using the x25519 algorithm. It must be the orignal OpenSSL 35 | ## v1.1 or later, not LibreSSL, as the latter does not support the 36 | ## aforementioned algorithm. 
On OpenBSD, use *eopenssl30* or *eopenssl11*. 37 | ## (Default: openssl). 38 | openssl_cmd="openssl" 39 | ## 40 | ## Web server to serve a website. Compatible with *nginx* and *apache2*. 41 | ## (Default: nginx). 42 | webserver="nginx" 43 | ## 44 | ## Web server configuration of the virtual hosts. 45 | ## With nginx and apache2 it must be a directory (/etc/${webserver}) 46 | webserver_conf_dir="/etc/${webserver}" 47 | ## 48 | ## Specify the directory to check for website folders. 49 | ## On OpenBSD, it is the chroot directory (Default: /var/www). 50 | website_dir="/var/www" 51 | ## 52 | ## Terminal User Interface dialog box. Compatible with *dialog* and *whiptail*. 53 | ## (default: dialog). 54 | dialog_box="dialog" 55 | 56 | 57 | ########## tor daemon ########## 58 | ## 59 | ## The service manager control command: 60 | ## systemctl, service, rcctl, /etc/rc.d, sv (Default: systemctl) 61 | daemon_control="systemctl" 62 | ## 63 | ## The tor service name: *tor@default*, *tor* (Default: tor@default). 64 | tor_daemon="tor@default" 65 | ## 66 | ## The tor user that runs the tor process: *debian-tor*, *tor*, *_tor* 67 | ## (Default: debian-tor). 68 | tor_user="debian-tor" 69 | ## 70 | ## The /etc directory user and group owner. Normally *root:root* or 71 | ## *root:wheel*. (Default: root:root) 72 | tor_conf_user_group="root:root" 73 | ## 74 | ## Base folder of torrc configuration. (Default: /etc/tor). 75 | tor_conf_dir="/etc/tor" 76 | ## 77 | ## The torrc that will be modified. (Default: ${tor_conf_dir}/torrc). 78 | tor_conf="${tor_conf_dir}/torrc" 79 | ## 80 | ## The main torrc tor will read. 81 | ## The defaults torrc. Useful to fully read all configuration optons and fully 82 | ## verify tor configuration. This file won't be modified unless it is set 83 | ## to the variable tor_conf. 84 | ## (Default: ${tor_conf_dir}/torrc). 85 | tor_main_torrc_conf="${tor_conf_dir}/torrc" 86 | ## 87 | ## The defaults torrc. 
Useful to fully read all configuration options
20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | ########## System ########## 25 | operating_system="tails" 26 | openssl_cmd="openssl" 27 | webserver="nginx" 28 | dialog_box="whiptail" 29 | 30 | ########## tor daemon ########## 31 | daemon_control="systemctl" 32 | tor_daemon="tor@default" 33 | tor_user="debian-tor" 34 | tor_conf_user_group="${tor_user}:${tor_user}" 35 | tor_conf_dir="/etc/tor" 36 | tor_data_dir="/var/lib/tor" 37 | -------------------------------------------------------------------------------- /etc/onionjuggler/void.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | ## Configuration file for OnionJuggler on VoidLinux systems 3 | ## 4 | ## DO NOT EDIT THIS FILE!! 5 | ## 6 | ## This file defines the default service selection as shipped in a 7 | ## release. Upgrades of OnionJuggler will modify this file. 8 | ## 9 | ## To select the service options you desire, please override these 10 | ## options in the file /etc/onionjuggler/conf.d/*.conf 11 | ## 12 | ## DO NOT EDIT THIS FILE!! 13 | ## 14 | ## Lines that begin with "## " try to explain what's going on. Lines 15 | ## that begin with just "#" are disabled commands: you can enable them 16 | ## by removing the "#" symbol. 17 | ## 18 | ## If the variable is empty (var=""), will use the default option. 19 | ## Double quote to prevent globbing and word splitting. 20 | ## variable="value" 21 | ## 22 | # shellcheck disable=SC2034 23 | 24 | 25 | ## Unsteted (TODO) 26 | printf "Untested system. 
Report interest by opening an issue on the repository and help testing.\n" && exit 1 27 | 28 | ########## System ########## 29 | operating_system="void" 30 | openssl_cmd="openssl" 31 | webserver="nginx" 32 | dialog_box="dialog" 33 | 34 | ########## tor daemon ########## 35 | daemon_control="sv" 36 | tor_daemon="tor" 37 | tor_user="tor" 38 | tor_conf_user_group="root:root" 39 | tor_conf_dir="/etc/tor" 40 | tor_data_dir="/var/lib/tor" 41 | -------------------------------------------------------------------------------- /images/cli.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nyxnor/onionjuggler/cc2380c06b7ff958b21073f4b2cc6767304afa5f/images/cli.png -------------------------------------------------------------------------------- /images/tui-dialog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nyxnor/onionjuggler/cc2380c06b7ff958b21073f4b2cc6767304afa5f/images/tui-dialog.png -------------------------------------------------------------------------------- /images/tui-whiptail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nyxnor/onionjuggler/cc2380c06b7ff958b21073f4b2cc6767304afa5f/images/tui-whiptail.png -------------------------------------------------------------------------------- /man/onionjuggler-cli-auth-client.8.md: -------------------------------------------------------------------------------- 1 | % ONIONJUGGLER-CLI-AUTH-CLIENT(8) Manage onion service client side authorization 2 | % Written by nyxnor (nyxnor@protonmail.com) 3 | % default_date 4 | 5 | # NAME 6 | 7 | onionjuggler-cli-auth-client - Manage onion service client side authorization 8 | 9 | 10 | # SYNOPSIS 11 | 12 | **onionjuggler-cli-auth-client** [**--option**<=*ARGUMENT*>]\ 13 | **onionjuggler-cli-auth-client** [**--on**] [**--client-priv-file**=<*CLIENT_PRIV_FILE*>] 
[**--replace-file**]\ 14 | **onionjuggler-cli-auth-client** [**--on**] [**--client**=<*CLIENT*>] [**--client-priv-config**=<*CLIENT_PRIV_CONFIG*>] [**--replace-file**]\ 15 | **onionjuggler-cli-auth-client** [**--on**] [**--client**=<*CLIENT*>] [**--client-priv-key**=<*CLIENT_PRIV_KEY*>] [**--onion**=<*ONION*>] [**--replace-file**]\ 16 | **onionjuggler-cli-auth-client** [**--off**] [**--client**=<*CLIENT*>]\ 17 | **onionjuggler-cli-auth-client** [**--list**]\ 18 | **onionjuggler-cli-auth-client** [**--signal**=<*reload*|*restart*|*none*>]\ 19 | **onionjuggler-cli-auth-client [--getconf]**\ 20 | **onionjuggler-cli-auth-client [--getopt]** [**--client**=<*CLIENT*>]\ 21 | **onionjuggler-cli-auth-client** [**-V**|**--version**]\ 22 | **onionjuggler-cli-auth-client** [**-h**|**--help**] 23 | 24 | 25 | # DESCRIPTION 26 | 27 | **onionjuggler-cli-atuh-client** helps manage client side onion authorizations. 28 | 29 | 30 | # OPTIONS 31 | 32 | **--on** **--client-priv-file**=<*CLIENT_PRIV_FILE*> **--replace-file**\ 33 | **--on** **--client**=<*CLIENT*> **--client-priv-config**=<*CLIENT_PRIV_CONFIG*> **--replace-file**\ 34 | 35 | **--on** **--client**=<*CLIENT*> **--onion**=<*ONION*> **--client-priv-key**=<*CLIENT_PRIV_KEY*> **--replace-file** 36 | 37 | : Authenticate as a client to an onion serivce. If the client private keys is not provided, a new key pair of public and private keys will be generated, keys are sent to stdout and you should send to the onion service operator. Add a $ONION.auth_private to ClientOnionAuthDir. File(s) modified: ClientOnionAuthDir. 
38 | ``` 39 | onionjuggler-cli-auth-client --on --client-priv-file=/home/user/alice.auth_private 40 | onionjuggler-cli-auth-client --on --client=alice --client-priv-config=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd:descriptor:x25519:UBVCL52FL6IRYIOLEAYUVTZY3AIOM 41 | onionjuggler-cli-auth-client --on --client=alice --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion --client-priv-key=UBVCL52FL6IRYIOLEAYUVTZY3AIOMDI3AIFBAALZ7HJOHIJFVBIQ 42 | onionjuggler-cli-auth-client --on --client=alice --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion 43 | ``` 44 | 45 | **--off** **--client**=<*CLIENT1,CLIENT2,...*> 46 | 47 | : Deauthenticate from a remote onion serivce. Remove the $ONION.auth_private file from ClientOnionAuthDir. File(s) modified: ClientOnionAuthDir/. 48 | ``` 49 | onionjuggler-cli-auth-client --off --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion 50 | onionjuggler-cli-auth-client --off --onion=fe4avn4qtxht5wighyii62n2nw72spfabzv6dyqilokzltet4b2r4wqd.onion,yyyzxhjk6psc6ul5jnfwloamhtyh7si74b47a3k2q3pskwwxrzhsxmad.onion 51 | ``` 52 | 53 | **--list** 54 | 55 | : List authentication files and the respective private keys from ClientOnionAuthDir.Useful when removing files and you want to see which onions you are already authenticated with. File(s) modified: none. 56 | ``` 57 | onionjuggler-cli-auth-client --list 58 | ``` 59 | 60 | **-V**, **--version** 61 | 62 | : Print version information. 63 | 64 | **--getconf** 65 | 66 | : Print configuration in the format **key**="*val*". 67 | 68 | **--getopt** 69 | 70 | : Print option parsing results. 71 | 72 | **--signal**=<*reload*|*hup*|*restart*|*int*|*no*|*none*> 73 | 74 | : Send specific signal commands to the tor daemon. Sending the _restart|int_ signal is useful for correcting a previously broken tor configuration. 
Sending _no|none_ signal is useful when running consecutive commands to avoid tor signaling newnym everytime tor is hupped, then at last signal tor hup to tor reload its configuration and apply changes. (Default: reload|hup). 75 | 76 | **-h**, **--help** 77 | : Display the script help message. Abscense of any parameter will also have the same effect. 78 | ``` 79 | onionjuggler-cli-auth-client -h 80 | onionjuggler-cli-auth-client --help 81 | ``` 82 | 83 | 84 | # ENVIRONMENT 85 | 86 | **ONIONJUGGLER_SKIP_PRE_TOR_CHECK** 87 | 88 | : If set to 1, skip pre run tor check to allow the script to start running if the tor is failing to parse its configuration. Note it does not disable the last tor check to apply configuration changes, that is, if the configuration is still invalid, nothing will be changed. This option is useful if you are certain the configuration check will be fixed by the command. As the scripts requires root and you are probably calling the script from an unpriviliged user, preserve the variable value through environment changes by assigning it after the command to run the onionjuggler script as another user and before the script name: 89 | ``` 90 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-client 91 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-client 92 | ``` 93 | 94 | 95 | # FILES 96 | 97 | **/usr/share/onionjuggler/defaults.sh** 98 | 99 | : Default library 100 | 101 | **/etc/onionjuggler/onionjuggler.conf** 102 | 103 | : Default system configuration file. 104 | 105 | **/etc/onionjuggler/conf.d/\*.conf** 106 | 107 | : Local configuration files that overrrite the default one. 108 | 109 | 110 | # EXIT VALUE 111 | 112 | **0** 113 | : Success 114 | 115 | **>0** 116 | : Fail 117 | 118 | 119 | # BUGS 120 | 121 | Bugs you may find. First search for related issues on https://github.com/nyxnor/onionjuggler/issues, if not solved, open a new one. 
122 | 123 | 124 | # SEE ALSO 125 | 126 | onionjuggler.conf(5), onionjuggler-tui(8), onionjuggler-cli-auth-server(8), onionjuggler-cli-web(8), onionjuggler-cli(8), tor(1) 127 | 128 | 129 | # COPYRIGHT 130 | 131 | Copyright © 2021 OnionJuggler developers (MIT) 132 | This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 133 | -------------------------------------------------------------------------------- /man/onionjuggler-cli-auth-server.8.md: -------------------------------------------------------------------------------- 1 | % ONIONJUGGLER-CLI-AUTH-SERVER(8) Manage onion service server side authorization 2 | % Written by nyxnor (nyxnor@protonmail.com) 3 | % default_date 4 | 5 | # NAME 6 | 7 | onionjuggler-cli-auth-server - Manage onion service server side authorization 8 | 9 | 10 | # SYNOPSIS 11 | 12 | **onionjuggler-cli-auth-server** [**--option**<=*ARGUMENT*>]\ 13 | **onionjuggler-cli-auth-server** [**--on**] [**--service**=<*SERVICE*>] [**--client-pub-file**=<*CLIENT_PUB_FILE*>]\ 14 | **onionjuggler-cli-auth-server** [**--on**] [**--service**=<*SERVICE*>] [**--client**=<*CLIENT*>] [**--client-pub-config**=<*CLIENT_PUB_CONFIG*>]\ 15 | **onionjuggler-cli-auth-server** [**--on**] [**--service**=<*SERVICE*>] [**--client**=<*CLIENT*>] [**--client-pub-key**=<*CLIENT_PUB_KEY*>]\ 16 | **onionjuggler-cli-auth-server** [**--off**] [**--service**=<*@all*|*SERV1*,*SERV2*,*...*>] [**--client**=<*@all*|*CLIENT1*,*CLIENT2*,*...*>]\ 17 | **onionjuggler-cli-auth-server** [**--list**] [**--service**=<*@all*|*SERV1*,*SERV2*,*...*>]\ 18 | **onionjuggler-cli-auth-server** [**--signal**=<*reload*|*restart*|*none*>]\ 19 | **onionjuggler-cli-auth-server [--getconf]**\ 20 | **onionjuggler-cli-auth-server [--getopt]** [**--service**=<*SERVICE*>]\ 21 | **onionjuggler-cli-auth-server** [**-V**|**--version**]\ 22 | **onionjuggler-cli-auth-server** [**-h**|**--help**] 23 | 24 | 25 | # DESCRIPTION 26 | 27 | 
**onionjuggler-cli-auth-server** helps manage server side onion authorization. 28 | 29 | 30 | # OPTIONS 31 | 32 | **--on** **--service**=<*SERVICE*> **--client-pub-file**=<*CLIENT_PUB_FILE*> **--replace-file**\ 33 | **--on** **--service**=<*SERVICE*> **--client-pub-config**=<*CLIENT_PUB_CONFIG*> **--client** **--replace-file**\ 34 | **--on** **--service**=<*SERVICE*> **--client**=<*CLIENT*> **--client-pub-key**=<*CLIENT_PUB_KEY*> **--replace-file**\ 35 | 36 | **--on** **--service**=<*SERVICE*> **--client**=<*CLIENT*> 37 | 38 | : Authorize a client to your service. A key pair of public and private keys will be generated, keys are sent to stdout and you should send to the client. A CLIENT.auth file will be created on HiddenServiceDir/authorized_clients folder. If no key is specified, then a key pair will be generated.File(s) modified: HiddenServiceDir/authorized_clients/ 39 | ``` 40 | onionjuggler-cli-auth-server --on --service=ssh --client-pub-file=/home/user/bob.auth 41 | onionjuggler-cli-auth-server --on --service=ssh --client=bob --client-pub-config=descriptor:x25519:UQYM2MJ4CKZU25JABR3Z5L2QP3552EH2BUOIZC2XVULY2QRGXUVQ 42 | onionjuggler-cli-auth-server --on --service=ssh --client=bob --client-pub-key=UQYM2MJ4CKZU25JABR3Z5L2QP3552EH2BUOIZC2XVULY2QRGXUVQ 43 | onionjuggler-cli-auth-server --on --service=ssh --client=bob 44 | ``` 45 | 46 | **--off** **--service**=<*@all*|*SERV1*,*SERV2*,*...*> **--client**=<*@all*|*CLIENT1*,*CLIENT2*,*...*> 47 | 48 | : Deauthorize from your service a client that is inside HiddenServiceDir/authorized_clients folder. 
File(s) modified: HiddenServiceDir/authorized_clients/ 49 | ``` 50 | onionjuggler-cli-auth-server --off --service=ssh --client=alice 51 | onionjuggler-cli-auth-server --off --service=ssh --client=alice,bob 52 | onionjuggler-cli-auth-server --off --service=ssh,xmpp --client=alice 53 | onionjuggler-cli-auth-server --off --service=ssh,xmpp --client=alice,bob 54 | onionjuggler-cli-auth-server --off --service=@all --client=alice,bob 55 | onionjuggler-cli-auth-server --off --service=@all --client=@all 56 | ``` 57 | 58 | **--list** **--service**=<*@all*|*SERV1*,*SERV2*,*...*> 59 | 60 | : List authorized clients and the respective public keys that are inside the HiddenServiceDir/authorized_clients folder. File(s) modified: none. 61 | ``` 62 | onionjuggler-cli-auth-server --list --service=ssh 63 | onionjuggler-cli-auth-server --list --service=ssh,xmpp 64 | onionjuggler-cli-auth-server --list --service=@all 65 | ``` 66 | 67 | **-V**, **--version** 68 | 69 | : Print version information. 70 | 71 | **--getconf** 72 | 73 | : Print configuration in the format **key**="*val*". 74 | 75 | **--getopt** 76 | 77 | : Print option parsing results. 78 | 79 | **--signal**=<*reload*|*hup*|*restart*|*int*|*no*|*none*> 80 | 81 | : Send specific signal commands to the tor daemon. Sending the _restart|int_ signal is useful for correcting a previously broken tor configuration. Sending the _no|none_ signal is useful when running consecutive commands, to avoid tor signaling NEWNYM every time it is hupped; then, as the last step, signal tor with hup so it reloads its configuration and applies the changes. (Default: reload|hup). 82 | 83 | **-h**, **--help** 84 | : Display the script help message. Absence of any parameter will also have the same effect. 
85 | ``` 86 | onionjuggler-cli-auth-server -h 87 | onionjuggler-cli-auth-server --help 88 | ``` 89 | 90 | 91 | # ENVIRONMENT 92 | 93 | **ONIONJUGGLER_SKIP_PRE_TOR_CHECK** 94 | 95 | : If set to 1, skip pre run tor check to allow the script to start running if the tor is failing to parse its configuration. Note it does not disable the last tor check to apply configuration changes, that is, if the configuration is still invalid, nothing will be changed. This option is useful if you are certain the configuration check will be fixed by the command. As the scripts requires root and you are probably calling the script from an unpriviliged user, preserve the variable value through environment changes by assigning it after the command to run the onionjuggler script as another user and before the script name: 96 | ``` 97 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-server 98 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-auth-server 99 | ``` 100 | 101 | 102 | # FILES 103 | 104 | **/usr/share/onionjuggler/defaults.sh** 105 | 106 | : Default library 107 | 108 | **/etc/onionjuggler/onionjuggler.conf** 109 | 110 | : Default system configuration file. 111 | 112 | **/etc/onionjuggler/conf.d/\*.conf** 113 | 114 | : Local configuration files that overrrite the default one. 115 | 116 | 117 | # EXIT VALUE 118 | 119 | **0** 120 | : Success 121 | 122 | **>0** 123 | : Fail 124 | 125 | 126 | # BUGS 127 | 128 | Bugs you may find. First search for related issues on https://github.com/nyxnor/onionjuggler/issues, if not solved, open a new one. 129 | 130 | 131 | # SEE ALSO 132 | 133 | onionjuggler.conf(5), onionjuggler-tui(8), onionjuggler-cli-auth-client(8), onionjuggler-cli-web(8), onionjuggler-cli(8), tor(1) 134 | 135 | 136 | # COPYRIGHT 137 | 138 | Copyright © 2021 OnionJuggler developers (MIT) 139 | This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 
140 | -------------------------------------------------------------------------------- /man/onionjuggler-cli-web.8.md: -------------------------------------------------------------------------------- 1 | % ONIONJUGGLER-CLI-WEB(8) Manage webserver for onion services 2 | % Written by nyxnor (nyxnor@protonmail.com) 3 | % default_date 4 | 5 | # NAME 6 | 7 | onionjuggler-cli-web - Manage webserver for onion services 8 | 9 | 10 | # SYNOPSIS 11 | 12 | **onionjuggler-cli-web** [**--option**<=*ARGUMENT*>]\ 13 | **onionjuggler-cli-web** [**--on**] [**--service**=<*SERVICE*>] [**--folder**=<*FOLDER*>]\ 14 | **onionjuggler-cli-web** [**--on**] [**--service**=<*SERVICE*>] [**--folder**=<*FOLDER*>] [**--no-check-service**] [**--port**=<*VIRTPORT[:TARGET]*>]\ 15 | **onionjuggler-cli-web** [**--off**] [**--service**=<*SERVICE*>]\ 16 | **onionjuggler-cli-web** [**--list**]\ 17 | **onionjuggler-cli-web [--getconf]**\ 18 | **onionjuggler-cli-web [--getopt]** [**--service**=<*SERVICE*>]\ 19 | **onionjuggler-cli-web [-V|--version]**\ 20 | **onionjuggler-cli-web** [**-h**|**--help**] 21 | 22 | 23 | # DESCRIPTION 24 | 25 | **onionjuggler-cli-web** helps manage webserver configuration for onion services. 26 | 27 | 28 | # OPTIONS 29 | 30 | **--on** **--service**=<*SERV*> **--folder**=<*FOLDER*> 31 | 32 | : Enable a website using a specific onion service by creating a configuration file inside the web server folder by default, the folder name is to be considered the wanted folder inside website_dir variable defined on /etc/onionjuggler. If the path starts with forward slash "/" or tilde and slash "~/", that path will be considered instead. File(s) modified: $webserver_conf_dir. 
33 | ``` 34 | onionjuggler-cli-web --on --service=nextcloud --folder=nextcloud-local-site 35 | ``` 36 | 37 | **--on** **--service**=<*SERV*> **--folder**=<*FOLDER*> **--no-check-service** **--port**=<*VIRTPORT[:TARGET]*> 38 | 39 | : Enable a website on Workstations when there is no service being hosted on the same environment, so a port must be manually specified. File(s) modified: $webserver_conf_dir. 40 | ``` 41 | onionjuggler-cli-web --on --service=nextcloud --folder=nextcloud-local-site --no-check-service --port=80 42 | ``` 43 | 44 | **--off** **--service**=<*SERV*> 45 | 46 | : Disable a website from a specific onion service by removing its configuration file from the webserver folder. File(s) modified: $webserver_conf_dir. 47 | ``` 48 | onionjuggler-cli-web --off --service=nextcloud 49 | ``` 50 | 51 | **--list** 52 | 53 | : List enabled websites, meaning the configuration files inside the webserver folder /etc/${webserver}/sites-enabled/. File(s) modified: none. 54 | ``` 55 | onionjuggler-cli-web --list 56 | ``` 57 | 58 | **-V**, **--version** 59 | 60 | : Print version information. 61 | 62 | **--getconf** 63 | 64 | : Print configuration in the format **key**="*val*". 65 | 66 | **--getopt** 67 | 68 | : Print option parsing results. 69 | 70 | **-h**, **--help** 71 | : Display the script help message. Absence of any parameter will also have the same effect. 72 | ``` 73 | onionjuggler-cli-web -h 74 | onionjuggler-cli-web --help 75 | ``` 76 | 77 | 78 | # ENVIRONMENT 79 | 80 | **ONIONJUGGLER_SKIP_PRE_TOR_CHECK** 81 | 82 | : If set to 1, skip the pre-run tor check to allow the script to start running even if tor is failing to parse its configuration. Note it does not disable the last tor check to apply configuration changes, that is, if the configuration is still invalid, nothing will be changed. This option is useful if you are certain the configuration check will be fixed by the command. 
As the scripts requires root and you are probably calling the script from an unpriviliged user, preserve the variable value through environment changes by assigning it after the command to run the onionjuggler script as another user and before the script name: 83 | ``` 84 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-web 85 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli-web 86 | ``` 87 | 88 | 89 | # FILES 90 | 91 | **/usr/share/onionjuggler/defaults.sh** 92 | 93 | : Default library 94 | 95 | **/etc/onionjuggler/onionjuggler.conf** 96 | 97 | : Default system configuration file. 98 | 99 | **/etc/onionjuggler/conf.d/\*.conf** 100 | 101 | : Local configuration files that overrrite the default one. 102 | 103 | 104 | # EXIT VALUE 105 | 106 | **0** 107 | : Success 108 | 109 | **>0** 110 | : Fail 111 | 112 | 113 | # BUGS 114 | 115 | Bugs you may find. First search for related issues on https://github.com/nyxnor/onionjuggler/issues, if not solved, open a new one. 116 | 117 | 118 | # SEE ALSO 119 | 120 | onionjuggler.conf(5), onionjuggler-tui(8), onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), onionjuggler-cli(8), tor(1) 121 | 122 | 123 | # COPYRIGHT 124 | 125 | Copyright © 2021 OnionJuggler developers (MIT) 126 | This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 
127 | -------------------------------------------------------------------------------- /man/onionjuggler-cli.8.md: -------------------------------------------------------------------------------- 1 | % ONIONJUGGLER-CLI(8) Dynamically juggle with onion services with a POSIX compliant shell 2 | % Written by nyxnor (nyxnor@protonmail.com) 3 | % default_date 4 | 5 | # NAME 6 | 7 | onionjuggler-cli - Dynamically juggle with onion services with a POSIX compliant shell 8 | 9 | 10 | # SYNOPSIS 11 | 12 | **onionjuggler-cli** [**--option**<=*ARGUMENT*>]\ 13 | **onionjuggler-cli --on** [**--service**=<*SERVICE*>] [**--hs-version**=<*VERSION*>] [**--socket**=<*tcp*>] [**--port**=<*VIRTPORT*[:*TARGET*],[*VIRTPORTn*][:*TARGETn*]>] [**--gateway**]\ 14 | **onionjuggler-cli --on** [**--service**=<*SERVICE*>] [**--version**=<*VERSION*>] [**--socket**=<*unix*>] [**--port**=<*VIRTPORT*,[*VIRTPORT2*]>]\ 15 | **onionjuggler-cli --off** [**--service**=<*SERV1*,*SERV2*,*...*>] [**--purge**]\ 16 | **onionjuggler-cli --list** [**--service**=<*@all*|*SERV1*,*SERV2*,*...*>] [**--quiet**]\ 17 | **onionjuggler-cli --renew** [**--service**=<*@all*|*SERV1*,*SERV2*,*...*>]\ 18 | **onionjuggler-cli** [**--signal**=<*reload*|*restart*|*none*>]\ 19 | **onionjuggler-cli [--getconf]**\ 20 | **onionjuggler-cli [--getopt]** [**--service**=<*SERVICE*>]\ 21 | **onionjuggler-cli [-V|--version]**\ 22 | **onionjuggler-cli** [**-h**|**--help**] 23 | 24 | 25 | # DESCRIPTION 26 | 27 | **onionjuggler-cli** helps with onion service creation, deletion and listing. 28 | 29 | 30 | # OPTIONS 31 | 32 | **--on** **--service**=<*SERV*> **--version**=*3* **--socket**=*tcp* **--port**=<*VIRTPORT*:<*TARGET*>,<*VIRTPORTn*>:<*TARGETn*>> **--gateway** 33 | 34 | : Enable an onion service using a TCP socket (addr:port) as target. If TARGET is only a port, or if TARGET was not provided, the same port as VIRTPORT will be used, bound to 127.0.0.1. TARGET examples: 127.0.0.1:80, 192.168.1.100:80. File(s) modified: torrc. 
35 | ``` 36 | onionjuggler-cli --on --service=ssh --version=3 --socket=tcp --port=22 37 | onionjuggler-cli --on --service=ssh --port=22:127.0.1:22 38 | onionjuggler-cli --on --service=ssh --port="80:127.0.0.1:80 443:127.0.0.1:443" 39 | onionjuggler-cli --on --service=ssh --port="80:127.0.0.1:80,443:127.0.0.1:443" 40 | onionjuggler-cli --on --service=ssh --port="80,443" 41 | ``` 42 | By default, services created on a Qubes-Whonix Gateway uses the Whonix Workstation qube IP address, services created on a Non-Qubes-Whonix uses the IP address 10.152.152.11. If you are on Whonix Gateway want to enforce the creation of a service to be running on the Whonix-Gateway (for itself), for example and onion service to ssh to the Gateway, and you haven't set the target, just the virtual port, use the option *--gateway*: 43 | ``` 44 | onionjuggler-cli --on --service=ssh --socket=tcp --port=22 --gateway 45 | ``` 46 | 47 | **--on** **--service**=<*SERV*> **--version**=*3* **--socket**=*unix* **--port**=<*VIRTPORT*,<*VIRTPORT2*>> 48 | 49 | : Enable an onion service using UNIX socket (unix:path) as target. The TARGET is handled automatically by the script. This method avoids leaking the onion service address to the local network. File(s) modified: torrc. 50 | ``` 51 | onionjuggler-cli --on --service=ssh --version=3 --socket=unix --port=22 52 | onionjuggler-cli --on --service=ssh --version=3 --socket=unix --port=22,80 53 | ``` 54 | 55 | **--off** **--service**=<*SERV1*,*SERV2*,*...*> <*--purge*> 56 | 57 | : Disable an onion service by removing it configuration lines (HiddenService) from the torrc. Optionally purge its data directory, which will delete permanently the onion service folder (HiddenServiceDir). File(s) modified: torrc and optionally HiddenServiceDir. 
58 | ``` 59 | onionjuggler-cli --off --service=ssh 60 | onionjuggler-cli --off --service=ssh,xmpp 61 | onionjuggler-cli --off --service=ssh,xmpp --purge 62 | ``` 63 | 64 | **--list** **--service**=<*@all*|*SERV1*,*SERV2*,*...*> <*--quiet*> 65 | 66 | : List onion service information: hostname (address) and in QR encoded format, clients names and quantity, status if service is active or inactive regarding the torrc lines (un)present and the HiddenServiceDir presence, the torrc block. File(s) modified: none. 67 | ``` 68 | onionjuggler-cli --list --service=ssh 69 | onionjuggler-cli --list --service=ssh,xmpp 70 | onionjuggler-cli --list --service=@all 71 | onionjuggler-cli --list --service=@all --quiet 72 | ``` 73 | 74 | **--renew** **--service**=<*@all*|*SERV1*,*SERV2*,*...*> 75 | 76 | : Renew onion service hostname (.onion domain) and clients (inside HiddenServiceDir/authorized_clients/). The onion service keys (hs_ed25519_public_key and hs_ed25519_private_key) will be removed to override the hostname file. File(s) modified: HiddenServiceDir. 77 | ``` 78 | onionjuggler-cli --renew --service=ssh 79 | onionjuggler-cli --renew --service=ssh,xmpp 80 | onionjuggler-cli --renew --service=@all 81 | ``` 82 | 83 | **-V**, **--version** 84 | 85 | : Print version information. 86 | 87 | **--getconf** 88 | 89 | : Print configuration in the format **key**="*val*". 90 | 91 | **--getopt** 92 | 93 | : Print option parsing results. 94 | 95 | **--signal**=<*reload*|*hup*|*restart*|*int*|*no*|*none*> 96 | 97 | : Send specific signal commands to the tor daemon. Sending the _restart|int_ signal is useful for correcting a previously broken tor configuration. Sending _no|none_ signal is useful when running consecutive commands to avoid tor signaling newnym everytime tor is hupped, then at last signal tor hup to tor reload its configuration and apply changes. (Default: reload|hup). 98 | 99 | **-h**, **--help** 100 | : Display the script help message. 
Abscense of any parameter will also have the same effect. 101 | ``` 102 | onionjuggler-cli -h 103 | onionjuggler-cli --help 104 | ``` 105 | 106 | # ENVIRONMENT 107 | 108 | **ONIONJUGGLER_SKIP_PRE_TOR_CHECK** 109 | 110 | : If set to 1, skip pre run tor check to allow the script to start running if the tor is failing to parse its configuration. Note it does not disable the last tor check to apply configuration changes, that is, if the configuration is still invalid, nothing will be changed. This option is useful if you are certain the configuration check will be fixed by the command. As the scripts requires root and you are probably calling the script from an unpriviliged user, preserve the variable value through environment changes by assigning it after the command to run the onionjuggler script as another user and before the script name: 111 | ``` 112 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli 113 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-cli 114 | ``` 115 | 116 | # FILES 117 | 118 | **/usr/share/onionjuggler/defaults.sh** 119 | 120 | : Default library 121 | 122 | **/etc/onionjuggler/onionjuggler.conf** 123 | 124 | : Default system configuration file. 125 | 126 | **/etc/onionjuggler/conf.d/\*.conf** 127 | 128 | : Local configuration files that overrrite the default one. 129 | 130 | 131 | # EXIT VALUE 132 | 133 | **0** 134 | : Success 135 | 136 | **>0** 137 | : Fail 138 | 139 | 140 | # BUGS 141 | 142 | Bugs you may find. First search for related issues on https://github.com/nyxnor/onionjuggler/issues, if not solved, open a new one. 143 | 144 | 145 | # SEE ALSO 146 | 147 | onionjuggler.conf(5), onionjuggler-TUI(8), onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), onionjuggler-cli-web(8), tor(1) 148 | 149 | 150 | # COPYRIGHT 151 | 152 | Copyright © 2021 OnionJuggler developers (MIT) 153 | This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 
154 | -------------------------------------------------------------------------------- /man/onionjuggler-tui.8.md: -------------------------------------------------------------------------------- 1 | % ONIONJUGGLER-TUI(8) Dynamically juggle with onion services with a POSIX compliant shell 2 | % Written by nyxnor (nyxnor@protonmail.com) 3 | % default_date 4 | 5 | # NAME 6 | 7 | onionjuggler-tui - OnionJuggler Terminal User Interface, also known as the *onionjuggler-cli wrapper menu*. Dynamically juggle with onion services with a POSIX compliant shell 8 | 9 | 10 | # SYNOPSIS 11 | 12 | **onionjuggler-tui** **command** [**--option**<=*ARGUMENT*>]\ 13 | **onionjuggler-tui** **[-V|--version]**\ 14 | **onionjuggler-tui** **--help** 15 | 16 | # DESCRIPTION 17 | 18 | **onionjuggler-tui** is a part of OnionJuggler, a combination of POSIX compliant scripts that helps the interaction with onion service configuration and files to speed up usage and avoid misconfiguration. The *onionjuggler-tui* wraps the *onionjuggler-cli* into a terminal dialog box. 19 | 20 | 21 | # OPTIONS 22 | 23 | **-V**, **--version** 24 | 25 | : Print version information. 26 | 27 | **-h**, **--help** 28 | 29 | : Display a short help message and exit. 30 | 31 | # FILES 32 | 33 | **/etc/onionjuggler/dialogrc** 34 | 35 | : Default dialog run commands file. 36 | 37 | 38 | # ENVIRONMENT 39 | 40 | **SUDO_EDITOR**, **DOAS_EDITOR**, **VISUAL**, **EDITOR** 41 | 42 | : Use the environment variables in the above order to define the editor; if any is empty, fall back to the next. If every variable is empty, fall back to Vi(1). 43 | 44 | **ONIONJUGGLER_SKIP_PRE_TOR_CHECK** 45 | 46 | : If set to 1, skip the pre-run tor check to allow the script to start running even if tor is failing to parse its configuration. Note it does not disable the last tor check to apply configuration changes, that is, if the configuration is still invalid, nothing will be changed. 
This option is useful if you are certain the configuration check will be fixed by the command. As the scripts requires root and you are probably calling the script from an unpriviliged user, preserve the variable value through environment changes by assigning it after the command to run the onionjuggler script as another user and before the script name: 47 | ``` 48 | sudo ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-tui 49 | doas ONIONJUGGLER_SKIP_PRE_TOR_CHECK=1 onionjuggler-tui 50 | ``` 51 | 52 | # EXIT VALUE 53 | 54 | **0** 55 | : Success 56 | 57 | **1** 58 | : Fail 59 | 60 | 61 | # BUGS 62 | 63 | Bugs you may find. First search for related issues on https://github.com/nyxnor/onionjuggler/issues, if not solved, open a new one. 64 | 65 | 66 | # SEE ALSO 67 | 68 | onionjuggler.conf(5), onionjuggler-cli(8), onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), onionjuggler-cli-web(8), tor(1) 69 | 70 | 71 | # COPYRIGHT 72 | 73 | Copyright © 2021 OnionJuggler developers (MIT) 74 | This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 75 | -------------------------------------------------------------------------------- /man/onionjuggler.conf.5.md: -------------------------------------------------------------------------------- 1 | % ONIONJUGGLER.CONF(5) Configuration file for OnionJuggler 2 | % Written by nyxnor (nyxnor@protonmail.com) 3 | % default_date 4 | 5 | # NAME 6 | 7 | onionjuggler.conf - Configuration file for OnionJuggler 8 | 9 | 10 | # DESCRIPTION 11 | 12 | **onionjuggler** environment is easily customizable to any Unix-like operating 13 | system due to be written in POSIX compliant Shellscript and every tor 14 | directory can be chosen via variables. 15 | 16 | The default configuration file _/etc/onionjuggler/onionjuggler.conf_ is 17 | replaced on every upgrade, so changes to this file are not persisted. 18 | Because of this, it is advised not to edit this file. 
This is the first 19 | configuration file to be read and has the lowest priority. 20 | 21 | Files in _/etc/onionjuggler/conf.d/\*.conf_ are reserved to packages that 22 | want to customize onionjuggler without overwriting the main configuration file 23 | to avoid conflicts. Users should avoid customizing files in this directory 24 | because it may conflict or take lower precedence than files shipped by a 25 | package. 26 | 27 | The file _/usr/local/etc/onionjuggler/onionjuggler.conf_ and files in 28 | _/usr/local/etc/onionjuggler/conf.d/\*.conf_ are reserved exclusively to the 29 | local administrator. Any other entity must not write files to this directory. 30 | These are the last files to be read and have the highest priority. 31 | 32 | It is recommended to prefix all filenames in the _conf.d_ 33 | directory with a two-digit number and a dash, to simplify ordering of the files 34 | and to override default files with user-defined settings by using a higher prefix 35 | number than the one shipped by the system. 36 | 37 | Variables set to an empty string, either *var=* or *var=""*, will run with 38 | default values, which may not be suitable for every system, so enforce the 39 | desired values by assigning every configuration option. 40 | 41 | Before running any script for the first time after changing a configuration 42 | option, it is recommended to run the onionjuggler script with the option 43 | _--getconf_, as it will print what the onionjuggler program read as options. 
44 | 45 | ### Order configuration files are sourced: 46 | 47 | - /etc/onionjuggler/onionjuggler.conf\ 48 | - /etc/onionjuggler/conf.d/\*.conf\ 49 | - /usr/local/etc/onionjuggler/onionjuggler.conf\ 50 | - /usr/local/etc/onionjuggler/conf.d/\*.conf 51 | 52 | ### Rules for sourcing files: 53 | 54 | - when inside the _conf.d_ directories, source files in lexical order\ 55 | - file names must end with the '.conf' extension 56 | 57 | ### Rules for writing the configuration files: 58 | 59 | - must be POSIX compliant Shellscript, else the source will fail\ 60 | - assign all variables to the desired values, else default values will be used\ 61 | - variables should use double quotes to avoid unwanted expansions 62 | 63 | 64 | # OPTIONS 65 | 66 | ## SYSTEM 67 | 68 | **operating_system** 69 | 70 | : Set operating system. Recognized values: *debian*, *tails*, *anon-gateway*, *anon-workstation*, *fedora*, *arch*, *openbsd*. 71 | 72 | **onionjuggler_plugin** 73 | 74 | : Only allow specified plugins to run, if empty, allow every plugin. (Default: **all plugins**). 75 | 76 | **openssl_cmd** 77 | 78 | : The OpenSSL command to create the certificate and private keys for Client Authorization using the x25519 algorithm. It must be the orignal OpenSSL v1.1 or later, not LibreSSL, as the latter does not support the aforementioned algorithm. (Default: **openssl**). 79 | 80 | **webserver** 81 | 82 | : Webserver to serve a website. Compatible with *nginx* and *apache2*. (Default: **nginx**). 83 | 84 | **webserver_conf_dir** 85 | 86 | : Webserver configuration directory of the virtual hosts. (Default: **/etc/${webserver}**). 87 | 88 | **website_dir** 89 | 90 | : Specify the directory to check for website folders. (Default: **/var/www**). 91 | 92 | **dialog_box** 93 | 94 | : Terminal User Interface dialog box. Compatible with *dialog* and *whiptail*. (Default: **dialog**). 95 | 96 | 97 | ## TOR DAEMON 98 | 99 | **daemon_control** 100 | 101 | : The service manager control command. 
Compatible with *systemctl* (Systemd), *service* (SysV init), *rcctl* or */etc/rc.d* (OpenRC), *sv* (Runit). (Default: **systemctl**). 102 | 103 | **tor_daemon** 104 | 105 | : The tor service name. Common names are *tor@default* and *tor*. (Default: **tor@default**). 106 | 107 | **tor_user** 108 | 109 | : The tor user that runs the tor process. Common usernames are *debian-tor*, *tor*, *_tor*. (Default: **debian-tor**). 110 | 111 | **tor_conf_user_group** 112 | 113 | : The /etc directory group owner. Normally *root* or *wheel*. (Default: **root:root**). 114 | 115 | **tor_conf_dir** 116 | 117 | : Base folder of the torrc configuration. (Default: **/etc/tor**). 118 | 119 | **tor_conf** 120 | 121 | : The tor configuration file that will be modified. It is recommended to set a separate configuration file to be managed by onionjuggler, one that is included by tor, as there could be unpredictable issues if the file is modified manually. Read about _%include_ in the _torrc(1)_ manual. (Default: **${tor_conf_dir}/torrc**). 122 | 123 | **tor_main_torrc_conf** 124 | 125 | : The main tor configuration file that tor reads. It is the file specified to the tor daemon with the option _-f FILE_ or _--torrc-file FILE_. This file won't be modified unless it is set as the value of the **tor_conf** option; its purpose is to fully verify the tor configuration. (Default: **${tor_conf_dir}/torrc**). 126 | 127 | **tor_defaults_torrc_conf** 128 | 129 | : The tor defaults configuration file that tor reads. It is the file specified to the tor daemon with the option _--defaults-torrc FILE_. This file won't be modified unless it is set as the value of the **tor_conf** option; its purpose is to fully verify the tor configuration. (Default: **${tor_conf}-defaults**). 130 | 131 | **tor_data_dir** 132 | 133 | : Specify the DataDirectory for tor. (Default: **/var/lib/tor**). 
134 | 135 | **tor_data_dir_services** 136 | 137 | : Specify the HiddenServiceDir base directory; onion services data will be created inside this directory. (Default: **${tor_data_dir}/services**). 138 | 139 | **tor_data_dir_auth** 140 | 141 | : Specify the ClientOnionAuthDir. (Default: **${tor_data_dir}/onion_auth**). 142 | 143 | 144 | # FILES 145 | 146 | **/etc/onionjuggler/onionjuggler.conf** 147 | 148 | : Default configuration file. 149 | 150 | **/etc/onionjuggler/conf.d/\*.conf** 151 | 152 | : Packagers' configuration directory. 153 | 154 | **/usr/local/etc/onionjuggler/onionjuggler.conf** 155 | 156 | : Local administrator default configuration file. 157 | 158 | **/usr/local/etc/onionjuggler/conf.d/\*.conf** 159 | 160 | : Local administrator configuration directory. 161 | 162 | 163 | # EXAMPLES 164 | 165 | * **tor_user**=tor 166 | 167 | * **tor_conf**=/usr/local/etc/tor/torrc 168 | 169 | * **tor_data_dir**=/usr/local/var/lib/tor 170 | 171 | * **tor_data_dir_services**="\$\{tor_data_dir\}/services" 172 | 173 | # BUGS 174 | 175 | Bugs you may find. First search for related issues on https://github.com/nyxnor/onionjuggler/issues, if not solved, open a new one. 176 | 177 | 178 | # SEE ALSO 179 | 180 | onionjuggler-tui(8), onionjuggler-cli(8), onionjuggler-cli-auth-client(8), onionjuggler-cli-auth-server(8), onionjuggler-cli-web(8), tor(1) 181 | 182 | 183 | # COPYRIGHT 184 | 185 | Copyright © 2021 OnionJuggler developers (MIT) 186 | This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 
187 | -------------------------------------------------------------------------------- /usr/bin/onionjuggler-cli-auth-client: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | ## manage client authorization client side (ClientOnionAuthDir) 4 | 5 | onionjuggler_defaults="/usr/share/onionjuggler/defaults.sh" 6 | [ -e "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} does not exist"; exit 1; } 7 | [ -f "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} is not a regular file"; exit 1; } 8 | [ -r "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} can not be read"; exit 1; } 9 | . "${onionjuggler_defaults}" 10 | source_conf 11 | 12 | me="${0##*/}" 13 | check_plugin_enabled "${me}" || error_msg "Plugin '${me}' is disabled by configuration" 14 | 15 | usage(){ 16 | printf %s"Usage: ${me} [--option ] 17 | Description: client side onion authorization on ClientOnionAuthDir 18 | Complete options: 19 | --on [--client-priv-file=] [--replace-file] 20 | import '.auth_private' contents 21 | --on [--client=] [--client-priv-config=] [--replace-file] 22 | import client private configuration 23 | --on [--client=] [--onion ] [--client-priv-key=] [--replace-file] 24 | generate client keys and import priv key, else use existent client's priv key 25 | --off [--client=] 26 | remove client side credential based on client name 27 | --list [--client=<@all|CLIENT1,CLIENT2,...>] 28 | list client side credentials, optionally specify client names 29 | 30 | Options: 31 | --on add client private keys to ClientOninAuthDir 32 | --client= client name 33 | --client-priv-file= 34 | client private file 35 | --client-priv-config= 36 | client private configuration 37 | --client-priv-key= 38 | client private key 39 | --onion= onion hostname 40 | --replace-file replace file if it exists under the same name 41 | --off remove clients in ClientOnionAuthDir 42 | 
--client= 43 | client names 44 | --list list clients in ClientOnionAuthDir 45 | --client=<@all|CLIENT1,CLIENT2> 46 | client names 47 | --version print version 48 | --getopt print options parsed 49 | --getconf print configuration values 50 | --signal= signal tor reload, restart, none 51 | -h, --help print this help message 52 | " 53 | exit 1 54 | } 55 | 56 | ######################## 57 | #### OPTION PARSING #### 58 | 59 | ## hacky getopts 60 | ## accepts long (--option) and short (-o) options 61 | ## accept argument assignment with space (--option arg | -o arg) or equal sign (--option=arg | -o=arg) 62 | [ -z "${1}" ] && usage 63 | while :; do 64 | shift_n="" 65 | opt_orig="${1}" ## save opt orig for error message to understand which opt failed 66 | # shellcheck disable=SC2034 67 | arg_possible="${2}" ## need to pass the second positional parameter because maybe it is an argument 68 | clean_opt "${1}" || break 69 | case "${opt}" in 70 | on|off|list|n|f|l) set_arg status "${opt}";; 71 | signal) get_arg signal;; 72 | client-priv-file) get_arg client_priv_file;; 73 | client-priv-config) get_arg client_priv_config;; 74 | client-priv-key) get_arg client_priv_key;; 75 | o|onion) get_arg onion_hostname;; 76 | client) get_arg client;; 77 | replace-file) set_arg replace_file "1";; 78 | getopt|getconf|V|version) set_arg dev "${opt}";; 79 | h|help) usage;; 80 | *) error_msg "Invalid option: '${opt_orig}'";; 81 | esac 82 | ## shift as many times as demanded 83 | ## if empty, shift at least once to pass to next option 84 | shift "${shift_n:-1}" 85 | [ -z "${1}" ] && break 86 | done 87 | 88 | case "${dev}" in 89 | getconf) get_conf_values; exit 0;; 90 | getopt) printf %s"${arg_saved}\n"; exit 0;; 91 | V|version) printf '%s\n' "${me} ${version}"; exit 0;; 92 | esac 93 | 94 | 95 | pre_run_check 96 | case "${status}" in 97 | 98 | 99 | ## as the onion service client, add a key given by the onion service operator to authenticate yourself inside ClientOnionAuthDir 100 | ## The suffix 
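## '.auth_private' should not be mentioned, it will be automatically inserted when mentioning the name of the file.
## private key format must be: ONION:descriptor:x25519:PRIVKEY, the four colon separated fields that auth_client_check_content() validates
## use the onion hostname as the file name, this avoid overriding the file by mistake and it indicates outside of the file for which service it refers to (of course it is written inside also)
## adding to Tor Browser automatically not supported yet
n|on)

## Validate the file named by the global ${client_priv_file} before it is read:
## readable regular file, base name made of [a-zA-Z0-9_.-] only, not starting with a dot
## and ending with '.auth_private'. Sets the global ${client_priv_file_name}.
## Aborts through error_msg at the first failing check.
auth_client_check_file(){
  test -f "${client_priv_file}" || error_msg "file ${client_priv_file} does not exist or is not a regular file"
  test -r "${client_priv_file}" || error_msg "file ${client_priv_file} cannot be read"
  client_priv_file_name="${client_priv_file##*/}"
  ## '%%*[^...]*' strips the whole name when it holds a disallowed character, leaving an empty string
  [ "${client_priv_file_name%%*[^a-zA-Z0-9_.-]*}" ] || error_msg "file name can only contain letters, numbers, hifen, underscore and dot"
  ## shell patterns instead of 'echo | grep': no external process and no unescaped '.' in a regex,
  ## so a name such as 'fooXauth_private' is rejected as well
  case "${client_priv_file_name}" in
    .*) error_msg "file name can not start with dot";;
  esac
  ## avoid copying wrong file to the auth dir
  case "${client_priv_file_name}" in
    *.auth_private) :;;
    *) error_msg "file name does not end with '.auth_private'";;
  esac
}

## Refuse to overwrite an existing '.auth_private' file unless --replace-file was given, and refuse
## a second file for the same onion address (tor errors on duplicates).
## $1: path or base name of the file about to be written.
## Reads the global ${client_priv_key_config} (the validated 'ONION:descriptor:x25519:KEY' line)
## and sets the globals ${client_priv_file} and ${client_priv_file_name}.
auth_client_check_replace(){
  client_priv_file="${1}"
  client_priv_file_name="${client_priv_file##*/}"
  if test -f "${tor_data_dir_auth}/${client_priv_file_name}"; then
    test -n "${replace_file}" || error_msg "file named ${client_priv_file_name} already exist on ${tor_data_dir_auth}, to replace it, use the option '--replace-file'"
  fi
  ## multiple files with the same onion address leads to a tor error
  for auth in "${tor_data_dir_auth}"/*; do
    ## an unmatched glob is returned literally: the directory is empty
    [ "${auth##*/}" = "*" ] && break
    if [ "${auth##*/}" != "${client_priv_file_name}" ]; then
      ## compare onion address, the first field
      [ "${client_priv_key_config%%:*}" = "$(cut -d ":" -f1 "${auth}")" ] && error_msg "file with the same onion address already present on ${auth}"
    fi
  done
}

## Validate one client private key line ($1) against the format tor expects:
##   field 1: onion address without '.onion', 56 chars of lower-case base32 [a-z2-7]
##   field 2: literal 'descriptor'
##   field 3: literal 'x25519'
##   field 4: private key, 52 chars of upper-case base32 [A-Z2-7]
## Only [a-zA-Z0-9:] may appear and the whole line must be 127 chars (56+10+6+52 plus 3 colons).
## Aborts through error_msg at the first failing check.
auth_client_check_content(){
  client_priv_file_content="${1}"
  ## printf instead of echo: the line comes from a user supplied file, and echo interprets a leading
  ## '-n'/'-e' or backslash sequences in some shells
  printf '%s\n' "${client_priv_file_content}" | grep -q ":descriptor:x25519:" || error_msg "configuration does not contain pattern ':descriptor:x25519:'"
  [ "${client_priv_file_content%%*[^a-zA-Z0-9:]*}" ] || error_msg "configuration has special characters, perhaps extra spaces?"
  client_priv_file_onion_found="$(printf '%s\n' "${client_priv_file_content}" | cut -d ":" -f1)"
  [ "${client_priv_file_onion_found%%*[^a-z2-7]*}" ] || error_msg "onion '${client_priv_file_onion_found}' is not within base32 alphabet lower-case encoding [a-z][2-7]"
  [ "${#client_priv_file_onion_found}" = "56" ] || error_msg "onion '${client_priv_file_onion_found}' has size '${#client_priv_file_onion_found}', but expected 56 chars"
  printf '%s\n' "${client_priv_file_content}" | cut -d ":" -f2 | grep -q "descriptor" || error_msg "descriptor reference not found in the 2nd field"
  printf '%s\n' "${client_priv_file_content}" | cut -d ":" -f3 | grep -q "x25519" || error_msg "descriptor type not found in the 3rd field"
  client_priv_file_priv_found="$(printf '%s\n' "${client_priv_file_content}" | cut -d ":" -f4)"
  [ "${client_priv_file_priv_found%%*[^A-Z2-7]*}" ] || error_msg "client private key '${client_priv_file_priv_found}' is not within base32 alphabet upper-case encoding [A-Z][2-7]"
  [ "${#client_priv_file_priv_found}" = "52" ] || error_msg "client private key '${client_priv_file_priv_found}' has size of '${#client_priv_file_priv_found}', but expected 52 chars"
  ## this check is last in the list because it doesn't indicate where the problem is, just that the size doesn't match
  [ "${#client_priv_file_content}" = "127" ] || error_msg "config '${client_priv_file_content}' has size '${#client_priv_file_content}', but expected 127 chars"
}

## Make sure tor is configured with ClientOnionAuthDir pointing at ${tor_data_dir_auth} and that the
## directory exists. When the dumped tor configuration already names a ClientOnionAuthDir it has to be
## exactly ${tor_data_dir_auth}; otherwise the directive is appended to the tor configuration via safe_edit.
create_clientonionauthdir(){
  # shellcheck disable=SC2086
  if grep -q "ClientOnionAuthDir" ${tor_dump_config_file}; then
    ## the value is anchored at the end of the line: an unanchored match accepted '/a/b-other' for '/a/b'
    # shellcheck disable=SC2086
    if ! grep -q "ClientOnionAuthDir ${tor_data_dir_auth}$" ${tor_dump_config_file}; then
      # shellcheck disable=SC2086
      client_onion_auth_dir_found="$(grep "ClientOnionAuthDir" ${tor_dump_config_file} | cut -d " " -f2)"
      error_msg "ClientOnionAuthDir found is ${client_onion_auth_dir_found}, not ${tor_data_dir_auth} as specified on onionjuggler configuration"
    fi
  else
    safe_edit tmp tor_conf
    ## the path is a printf argument, not part of the format string
    printf '\nClientOnionAuthDir %s\n\n' "${tor_data_dir_auth}" | tee -a "${tor_conf_tmp}"
  fi

  test -d "${tor_data_dir_auth}" || mkdir -p "${tor_data_dir_auth}"
}

## Reduce the global ${onion_hostname} to a bare hostname: strip the scheme (http(s)://), the page
## (/index.html) and, by keeping only the last 63 bytes (56-char address + '.onion' + newline), any
## subdomain. Also sets ${onion_hostname_without_onion}.
## example of URL it is able to clean:
## http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Remote_Administration
clean_onion(){
  check_opt_filled onion_hostname
  ## user input is passed through '%s', never as the format string, so '%' or '\' in the URL is not interpreted
  onion_hostname="$(printf '%s\n' "${onion_hostname}" | sed "s|.*://||;s|/.*||" | tail -c 63)"
  onion_hostname_without_onion="${onion_hostname%.onion}"
}

## Write the validated ${client_priv_key_config} to ${tor_data_dir_auth}/${client}.auth_private
## through safe_edit and tell the user what was stored.
auth_client_finish(){
  # shellcheck disable=SC2034
  auth_client_conf="${tor_data_dir_auth}/${client}.auth_private"
  safe_edit tmp auth_client_conf
  printf '%s\n' "${client_priv_key_config}" | tee "${auth_client_conf_tmp}" >/dev/null
  notice "Client side authorization configured"
  notice "\nClient private key config saved to ${tor_data_dir_auth}/${client}.auth_private"
  notice "${bold}- Client priv conf:${nocolor} ${client_priv_key_config}"
  notice "\nNow it depends on the service operator to authorize your client public key"
}


## main
create_clientonionauthdir
if test -n "${client_priv_file}"; then
  ## the client name is the base name of the given file without its '.auth_private' suffix
  client="${client_priv_file##*/}"
  client="${client%.auth_private}"
  auth_client_check_file
  client_priv_key_config="$(cat "${client_priv_file}")"
  auth_client_check_content "${client_priv_key_config}"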
auth_client_check_replace "${client_priv_file}" 193 | auth_client_finish 194 | 195 | elif test -n "${client_priv_config}"; then 196 | check_opt_filled client 197 | client="${client##*/}" 198 | check_name client 199 | client_priv_key_config="${client_priv_config}" 200 | auth_client_check_content "${client_priv_key_config}" 201 | auth_client_check_replace "${client}.auth_private" 202 | auth_client_finish 203 | 204 | elif test -n "${client_priv_key}"; then 205 | check_opt_filled client 206 | client="${client##*/}" 207 | check_name client 208 | clean_onion 209 | client_priv_key_config="${onion_hostname_without_onion}:descriptor:x25519:${client_priv_key}" 210 | auth_client_check_content "${client_priv_key_config}" 211 | auth_client_check_replace "${client}.auth_private" 212 | auth_client_finish 213 | 214 | else 215 | check_opt_filled client 216 | client="${client##*/}" 217 | check_name client 218 | clean_onion 219 | gen_auth_key_pair 220 | auth_client_check_replace "${client}.auth_private" 221 | auth_client_finish 222 | notice "Send the public key config to the onion service operator of ${onion_hostname}.onion" 223 | notice "${bold}- Client pub conf:${nocolor} ${client_pub_key_config}" 224 | fi 225 | 226 | printf '\n' 227 | signal_tor 228 | ;; 229 | 230 | 231 | ## as the onion service client, delete '.auth_private' files from ClientOnionAuthDir that are not valid or has no use anymore 232 | f|off) 233 | is_dir_empty "${tor_data_dir_auth}" && error_msg "ClientOnionAuthDir ${tor_data_dir_auth} is empty" 234 | check_opt_filled client 235 | 236 | auth_client_remove(){ 237 | client="${1}" 238 | client="${client##*/}" 239 | client_clean="${client%.auth_private}" 240 | if test -f "${tor_data_dir_auth}/${client_clean}".auth_private; then 241 | notice "${red}Removing ${tor_data_dir_auth}/${client_clean}.auth_private${nocolor}" 242 | rm -fv "${tor_data_dir_auth}/${client_clean}".auth_private 243 | else 244 | error_msg "File ${tor_data_dir_auth}/${client_clean}.auth_private does 
not exist" 245 | fi 246 | } 247 | 248 | loop_list auth_client_remove "${client}" 249 | printf '\n' 250 | signal_tor 251 | ;; 252 | 253 | 254 | l|list) 255 | auth_client_list(){ 256 | auth="${1}" 257 | auth="${auth##*/}" 258 | notice "\n${bold}File name:${nocolor} ${auth}.auth_private" 259 | notice "${bold}Content:${nocolor} $(grep "descriptor:x25519:" "${tor_data_dir_auth}/${auth}.auth_private")" 260 | } 261 | 262 | is_dir_empty "${tor_data_dir_auth}" && error_msg "ClientOnionAuthDir ${tor_data_dir_auth} is empty" 263 | notice "${bold}ClientOnionAuthDir ${tor_data_dir_auth}${nocolor}" 264 | if [ -z "${client}" ] || [ "${client}" = "@all" ]; then 265 | create_client_priv_list; client="${client_name_priv_list}" 266 | fi 267 | loop_list auth_client_list "${client}" 268 | ;; 269 | 270 | 271 | *) usage;; 272 | 273 | esac 274 | -------------------------------------------------------------------------------- /usr/bin/onionjuggler-cli-auth-server: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | ## manage client authorization server side (HiddenServiceDir/authorized_clients/) 4 | 5 | onionjuggler_defaults="/usr/share/onionjuggler/defaults.sh" 6 | [ -e "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} does not exist"; exit 1; } 7 | [ -f "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} is not a regular file"; exit 1; } 8 | [ -r "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} can not be read"; exit 1; } 9 | . 
"${onionjuggler_defaults}" 10 | source_conf 11 | 12 | me="${0##*/}" 13 | check_plugin_enabled "${me}" || error_msg "Plugin '${me}' is disabled by configuration" 14 | 15 | usage(){ 16 | printf %s"Usage: ${me} [--option ] 17 | Description: server side onion authorization on HiddenServiceDir/authorized_clients 18 | Complete options: 19 | --on [--service=] [--client-pub-file=] [--replace-file] 20 | import '.auth' file 21 | --on [--service=] [--client=] [--client-pub-config=] [--replace-file] 22 | import client public configuration 23 | --on [--service=] [--client=] [--client-pub-key=] [--replace-file] 24 | generate client keys and import pub key, else use existent client's pub key 25 | --off [--service=<@all|SERV1,SERV2,...>] [--client=<@all|CLIENT1,CLIENT2,...>] 26 | remove client authorization 27 | --list [--service=<@all|SERV1,SERV2,...>] 28 | list authorized clients for indicated service 29 | 30 | Options: 31 | --on 32 | --service= service that will hold client keys 33 | --client-pub-file= 34 | client public file 35 | --client-pub-config= 36 | client private configuration 37 | --client-pub-key 38 | client private key 39 | --replace-file replace file if it exists under the same name 40 | --off del client from HiddenServiceDir/authorized_clients 41 | --service=<@all|SERV1,SERV2,...>] 42 | service that client will be removed from 43 | --client=<@all|CLIENT1,CLIENT2,...> 44 | client that will be removed 45 | --list list authorized clients for indicated service 46 | --service=<@all|SERV1,SERV2,...>] 47 | service that clients will be listed from 48 | --version print version 49 | --getopt print options parsed 50 | --getconf print configuration values 51 | --signal= signal tor reload, restart, none 52 | -h, --help print this help message 53 | " 54 | exit 1 55 | } 56 | 57 | 58 | ######################## 59 | #### OPTION PARSING #### 60 | 61 | ## hacky getopts 62 | ## accepts long (--option) and short (-o) options 63 | ## accept argument assignment with space (--option arg | 
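## -o arg) or equal sign (--option=arg | -o=arg)
[ -z "${1}" ] && usage
while :; do
  shift_n=""
  opt_orig="${1}" ## save opt orig for error message to understand which opt failed
  # shellcheck disable=SC2034
  arg_possible="${2}" ## need to pass the second positional parameter because maybe it is an argument
  clean_opt "${1}" || break
  case "${opt}" in
    signal) get_arg signal;;
    on|off|list|n|f|l) set_arg status "${opt}";;
    s|service) get_arg service;;
    c|client) get_arg client;;
    client-pub-file) get_arg client_pub_file;;
    client-pub-config) get_arg client_pub_config;;
    client-pub-key) get_arg client_pub_key;;
    replace-file) set_arg replace_file "1";;
    getopt|getconf|V|version) set_arg dev "${opt}";;
    h|help) usage;;
    *) error_msg "Invalid option: '${opt_orig}'";;
  esac
  ## shift as many times as demanded
  ## if empty, shift at least once to pass to next option
  shift "${shift_n:-1}"
  [ -z "${1}" ] && break
done

case "${dev}" in
  getconf) get_conf_values; exit 0;;
  ## the saved options are a printf argument, never part of the format string
  getopt) printf '%s\n' "${arg_saved}"; exit 0;;
  V|version) printf '%s\n' "${me} ${version}"; exit 0;;
esac


pre_run_check
is_service_dir_empty
case "${status}" in

## as the onion service operator, make your onion authenticated by generating a pair or public and private keys,
## the client pub key is automatically saved inside HiddenServiceDir/authorized_clients/alice.auth
## the client private key is shown in the screen and the key file deleted
## the onion service operator should send the private key for the desired client
n|on)

## Validate the file named by the global ${client_pub_file} before it is read: readable regular file,
## base name made of [a-zA-Z0-9_.-] only, not starting with a dot and ending with '.auth'.
## Sets the global ${client_pub_file_name}. Aborts through error_msg at the first failing check.
auth_server_check_file(){
  test -f "${client_pub_file}" || error_msg "file ${client_pub_file} does not exist or is not a regular file"
  test -r "${client_pub_file}" || error_msg "file ${client_pub_file} cannot be read"
  client_pub_file_name="${client_pub_file##*/}"
  ## '%%*[^...]*' strips the whole name when it holds a disallowed character, leaving an empty string
  [ "${client_pub_file_name%%*[^a-zA-Z0-9_.-]*}" ] || error_msg "file name can only contain letters, numbers, hifen, underscore and dot"
  ## shell patterns instead of 'echo | grep': no external process and no unescaped '.' in a regex,
  ## so a name such as 'fooXauth' is rejected as well
  case "${client_pub_file_name}" in
    .*) error_msg "file name can not start with dot";;
  esac
  ## avoid copying wrong file to the auth dir
  case "${client_pub_file_name}" in
    *.auth) :;;
    *) error_msg "file name does not end with '.auth'";;
  esac
}

## Refuse to overwrite an existing '.auth' file unless --replace-file was given, and refuse a second
## file carrying the same public key (tor errors on duplicates).
## $1: path or base name of the file about to be written.
## Reads the globals ${service} and ${client_pub_key_config} (the validated 'descriptor:x25519:KEY'
## line) and sets ${client_pub_file} and ${client_pub_file_name}.
auth_server_check_replace(){
  client_pub_file="${1}"
  client_pub_file_name="${client_pub_file##*/}"
  if test -f "${tor_data_dir_services}/${service}/authorized_clients/${client_pub_file_name}"; then
    test -n "${replace_file}" || error_msg "file named ${client_pub_file_name} already exist on ${tor_data_dir_services}/${service}/authorized_clients, to replace it, use the option '--replace-file'"
  fi
  ## multiple files with the same pub key leads to a tor error
  for auth in "${tor_data_dir_services}/${service}/authorized_clients"/*; do
    ## an unmatched glob is returned literally: the directory is empty
    [ "${auth##*/}" = "*" ] && break
    if [ "${auth##*/}" != "${client_pub_file_name}" ]; then
      ## compare the public key, the third field. The previous comparison used '${client_pub_key_config%%:*}',
      ## which is the literal 'descriptor' and never equals a key, so the duplicate check never fired.
      [ "${client_pub_key_config##*:}" = "$(cut -d ":" -f3 "${auth}")" ] && error_msg "file with the same public key already present on ${auth}"
    fi
  done
}

## Validate one client public key line ($1) against the format tor expects:
##   'descriptor:x25519:' followed by a 52-char upper-case base32 [A-Z2-7] public key.
## Only [a-zA-Z0-9:] may appear and the whole line must be 70 chars (10+6+52 plus 2 colons).
## Aborts through error_msg at the first failing check.
auth_server_check_content(){
  client_pub_file_content="${1}"
  ## printf instead of echo: the line comes from user input, and echo interprets a leading '-n'/'-e'
  ## or backslash sequences in some shells
  printf '%s\n' "${client_pub_file_content}" | grep -q "^descriptor:x25519:" || error_msg "configuration does not start with pattern 'descriptor:x25519:'"
  [ "${client_pub_file_content%%*[^a-zA-Z0-9:]*}" ] || error_msg "configuration has special characters"
  client_pub_file_pub_found="$(printf '%s\n' "${client_pub_file_content}" | cut -d ":" -f3)"
  [ "${client_pub_file_pub_found%%*[^A-Z2-7]*}" ] || error_msg "client public key '${client_pub_file_pub_found}' is not within base32 alphabet upper-case encoding [A-Z][2-7]"
  [ "${#client_pub_file_pub_found}" = "52" ] || error_msg "client public key '${client_pub_file_pub_found}' has size of '${#client_pub_file_pub_found}', but expected 52 chars"
  ## this check is last in the list because it doesn't indicate where the problem is, just that the size doesn't match
  [ "${#client_pub_file_content}" = "70" ] || error_msg "config '${client_pub_file_content}' has size '${#client_pub_file_content}', but expected 70 chars"
}

## Write the validated ${client_pub_key_config} to
## ${tor_data_dir_services}/${service}/authorized_clients/${client}.auth through safe_edit and report it.
## Colour variables go through '%b' so that they are interpreted exactly as they were inside the
## old format string; the key line is plain '%s'.
auth_server_finish(){
  # shellcheck disable=SC2034
  auth_server_conf="${tor_data_dir_services}/${service}/authorized_clients/${client}.auth"
  safe_edit tmp auth_server_conf
  printf '%s\n' "${client_pub_key_config}" | tee "${auth_server_conf_tmp}" >/dev/null
  printf '%bServer side authorization configured%b\n' "${bold}" "${nocolor}"
  printf '\nClient public key config saved to %s/%s/authorized_clients/%s.auth\n' "${tor_data_dir_services}" "${service}" "${client}"
  printf '%b- Client pub conf:%b %s\n' "${bold}" "${nocolor}" "${client_pub_key_config}"
  printf '\n'
}

check_opt_filled service
[ "${service}" != "@all" ] && check_name service
[ "${service}" = "@all" ] && { create_service_list ; service="${service_name_list}" ; }
[ "${client}" = "@all" ] && error_msg "Client name cannot be @all, it is a restricted wildcard referring to all clients"

## NOTE(review): with --service=@all ${service} holds whatever create_service_list produced, yet the calls
## below build a single authorized_clients path from it — confirm how the list is meant to be expanded here
test_service_exists "${service}"
if test -n "${client_pub_file}"; then
  ## the client name is the base name of the given file without its '.auth' suffix
  client="${client_pub_file##*/}"
  client="${client%.auth}"
  auth_server_check_file
  client_pub_key_config="$(cat "${client_pub_file}")"
  auth_server_check_content "${client_pub_key_config}"
  auth_server_check_replace "${client}.auth"
  auth_server_finish

elif test -n "${client_pub_config}"; then
  check_opt_filled client
  check_name client
  client_pub_key_config="${client_pub_config}"
  auth_server_check_content "${client_pub_key_config}"
  auth_server_check_replace "${client}.auth"
  auth_server_finish

elif test -n "${client_pub_key}"; then
  check_opt_filled client
  check_name client
  client_pub_key_config="descriptor:x25519:${client_pub_key}"
  auth_server_check_content "${client_pub_key_config}"
  auth_server_check_replace "${client}.auth"
  auth_server_finish

else
  check_opt_filled client
  check_name client
  gen_auth_key_pair
  auth_server_check_replace "${client}.auth"
  auth_server_finish
  printf 'Send the private key to the client of %s\n' "${onion_hostname}"
  printf '%b- Client priv conf:%b %s\n\n' "${bold}" "${nocolor}" "${client_priv_key_config}"
fi

signal_tor
;;


## as the onion service operator, after making your onion service authenticated, you can also remove a specific client authorization
## if no clients are present, the service will be available to anyone that has the onion service address
f|off)
## Remove the '.auth' file of client $2 (or every '.auth' file when $2 is '@all') from the
## authorized_clients directory of service $1, then say so when no client remains.
## Sets the globals ${service} and ${client}.
auth_server_remove_clients(){
  service="${1}"
  client="${2}"
  ## keep only the base name, as onionjuggler-cli-auth-client does, so a client name holding '/' cannot
  ## address a file outside authorized_clients/
  client="${client##*/}"
  test_service_exists "${service}"
  if [ "${client}" = "@all" ]; then
    rm -fv "${tor_data_dir_services}/${service}/authorized_clients"/*.auth
  else
    rm -fv "${tor_data_dir_services}/${service}/authorized_clients/${client}.auth"
  fi
  ## stdout of ls is not silenced, so the '.auth' files that remain are printed
  if ! ls "${tor_data_dir_services}/${service}/authorized_clients"/*.auth 2>/dev/null; then
    notice "Service '${service}' does not have clients, it is accessible by anyone with the onion address"
  fi
}

check_opt_filled service
[ "${service}" != "@all" ] && check_name service
check_opt_filled client

if [ "${service}" = "@all" ]; then
  notice "${bold}Removing client authorization for:${nocolor}"
  notice "${bold}Service:${nocolor} @all - ALL SERVICES"
  create_service_list; service="${service_name_list}"
  if [ "${client}" = "@all" ]; then
    notice "${bold}Clients:${nocolor} @all - ALL CLIENTS\n"
  else
    notice "If any client remains, the service will still be authenticated."
  fi
else
  notice "${bold}Removing client authorization for:${nocolor}"
  notice "${bold}Service:${nocolor} ${service}"
  if [ "${client}" = "@all" ]; then
    notice "${bold}Clients: @all${nocolor}\nThe service is now accessible for anyone with the onion address.\n"
  else
    notice "If any client remains, the service will still be authenticated."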
239 | fi 240 | fi 241 | 242 | loop_list auth_server_remove_clients "${service}" "${client}" 243 | printf "\n" 244 | signal_tor 245 | ;; 246 | 247 | 248 | l|list) 249 | auth_server_list(){ 250 | service="${1}" 251 | test_service_exists "${service}" 252 | create_client_list "${service}" 253 | notice "\n${bold}Service:${nocolor} ${service}" 254 | if [ -n "${client_count}" ]; then 255 | [ -n "${client_name_list}" ] && printf %s"${bold}Clients:${nocolor} ${client_name_list} (${client_count})\n" 256 | for auth in "${tor_data_dir_services}/${service}/authorized_clients"/*; do 257 | auth="${auth##*/}" 258 | notice "${bold}- ${auth}:${nocolor} $(grep "descriptor:x25519:" "${tor_data_dir_services}/${service}/authorized_clients/${auth}")${nocolor}" 259 | done 260 | else 261 | notice "${bold}Clients:${nocolor} NONE (0)" 262 | fi 263 | } 264 | 265 | notice "${bold}Authorized clients for Onion Services in ${tor_data_dir_services}${nocolor}" 266 | if [ -z "${service}" ] || [ "${service}" = "@all" ]; then 267 | create_service_list; service="${service_name_list}" 268 | fi 269 | loop_list auth_server_list "${service}" 270 | ;; 271 | 272 | 273 | *) usage 274 | esac 275 | -------------------------------------------------------------------------------- /usr/bin/onionjuggler-cli-web: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | 3 | ## Webserver management 4 | 5 | onionjuggler_defaults="/usr/share/onionjuggler/defaults.sh" 6 | [ -e "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} does not exist"; exit 1; } 7 | [ -f "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} is not a regular file"; exit 1; } 8 | [ -r "${onionjuggler_defaults}" ] || { printf '%s\n' "library ${onionjuggler_defaults} can not be read"; exit 1; } 9 | . 
"${onionjuggler_defaults}" 10 | source_conf 11 | 12 | me="${0##*/}" 13 | check_plugin_enabled "${me}" || error_msg "Plugin '${me}' is disabled by configuration" 14 | 15 | usage(){ 16 | printf %s"Usage: ${me} [--option ] 17 | Complete options: 18 | --on [--service=] [--folder=] 19 | start serving a website for certain service and its folder 20 | --on [--service=] [--folder=] [--no-check-service] [--port=] 21 | useful for workstations when the tor process is running on the gateway 22 | --off [--service=] 23 | stop serving a website for certain service and its folder 24 | --list list enabled websites 25 | 26 | Options: 27 | --on activate website 28 | --service= service that will host the website 29 | --folder= path to directory holding the html 30 | --no-check-service for workstations, don't check service existence 31 | --port= 32 | for workstation, indicate port listening port 33 | --off stop website 34 | --service= stop website for service 35 | --list list enabled websites 36 | --service= list from services 37 | --version print version 38 | --getopt print options parsed 39 | --getconf print configuration values 40 | -h, --help print this help message 41 | " 42 | exit 1 43 | } 44 | 45 | ######################## 46 | #### OPTION PARSING #### 47 | 48 | ## hacky getopts 49 | ## accepts long (--option) and short (-o) options 50 | ## accept argument assignment with space (--option arg | -o arg) or equal sign (--option=arg | -o=arg) 51 | [ -z "${1}" ] && usage 52 | while :; do 53 | shift_n="" 54 | opt_orig="${1}" ## save opt orig for error message to understand which opt failed 55 | # shellcheck disable=SC2034 56 | arg_possible="${2}" ## need to pass the second positional parameter because maybe it is an argument 57 | clean_opt "${1}" || break 58 | case "${opt}" in 59 | on|off|list|n|f|l) set_arg status "${opt}";; 60 | s|service) get_arg service;; 61 | o|onion) get_arg onion;; 62 | p|port) get_arg port;; 63 | w|folder) get_arg folder;; 64 | no-check-service) set_arg 
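no_check_service 1;;
    getopt|getconf|V|version) set_arg dev "${opt}";;
    h|help) usage;;
    *) error_msg "Invalid option: '${opt_orig}'";;
  esac
  ## shift as many times as demanded
  ## if empty, shift at least once to pass to next option
  shift "${shift_n:-1}"
  [ -z "${1}" ] && break
done

########################
######### MAIN #########

case "${dev}" in
  getconf) get_conf_values; exit 0;;
  ## the saved options are a printf argument, never part of the format string
  getopt) printf '%s\n' "${arg_saved}"; exit 0;;
  V|version) printf '%s\n' "${me} ${version}"; exit 0;;
esac

pre_run_check
[ -z "${status}" ] && usage
if [ "${webserver}" != "nginx" ] && [ "${webserver}" != "apache2" ]; then
  error_msg "webserver can be either 'nginx' or 'apache2', not '${webserver}'"
fi

## Test the web server configuration and reload it.
## When the configuration test fails, the site files written for ${service} are removed again and the
## script aborts through error_msg. A reload that exits non-zero aborts as well: the previous
## '[ "${?}" -eq 1 ]' only caught exit status 1, so any other failure was silently ignored.
## Uses the globals ${webserver}, ${webserver_conf_dir} and ${service}.
reload_webserver(){
  notice "\nReloading web server to apply new configuration"
  reload_status=0
  case "${webserver}" in
    nginx)
      if nginx -t; then
        nginx -s reload || reload_status="${?}"
      else
        rm -f "${webserver_conf_dir}/sites-available/${service}-onion.conf"
        rm -f "${webserver_conf_dir}/sites-enabled/${service}-onion.conf"
        error_msg "Webserver configuration failed, aborting"
      fi
      ;;
    apache2)
      if apache2 -t; then
        apache2 -k graceful || reload_status="${?}"
      else
        rm -f "${webserver_conf_dir}/sites-available/${service}-onion.conf"
        rm -f "${webserver_conf_dir}/sites-enabled/${service}-onion.conf"
        error_msg "Webserver configuration failed, aborting"
      fi
      ;;
  esac
  if [ "${reload_status}" -ne 0 ]; then
    error_msg "Failed to reload ${webserver}, you must restart it manually before running this script again."
  fi
}


case "${status}" in

n|on)
  { [ -z "${service}" ] || [ -z "${folder}" ]; } && usage

  ## Don't check if service exists.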
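## Useful for Workstations
  if [ "${no_check_service}" = "1" ]; then
    check_opt_filled port
    ## 'VIRTPORT:ADDR:PORT' (or 'VIRTPORT:PORT', or several of them separated by comma) is turned into
    ## one 'VIRTPORT TARGET' pair per line; the user value is a printf argument, not the format string
    port="$(printf '%s' "${port}" | tr "," " " | tr -s " " | tr " " "\n" | sed "s|:| |")"
    virtport="${port% *}"
    target="${port#* }"
    target_addr="${target%%:*}"
    target_port="${target##*:}"
    ## happens when user specified only the port without addr
    [ "${target_addr}" = "${target_port}" ] && target="127.0.0.1:${target_port}"
    is_addr_port "${target}"
  else
    is_service_dir_empty
    test_service_exists "${service}"
    ## the last HiddenServicePort line of the service block: 'HiddenServicePort VIRTPORT TARGET'
    port=$(service_block print "${service}" "${tor_conf}" | grep "HiddenServicePort" | tail -n 1)
    only_ports=${port#* }
    virtport=${only_ports% *}
    target=${only_ports##* }
    target_addr="${target%%:*}"
    target_port="${target##*:}"
  fi

  case "${webserver}" in
    apache2) printf '%s' "${target}" | grep -q "unix" && error_msg "Web server '${webserver}' does not accept listening on a unix domain socket." ;;
  esac
  notice "${cyan}Activating web server for the service: ${service}${nocolor}\n"
  case "${webserver}" in
    nginx|apache2)
      test -d "${webserver_conf_dir}/sites-available" || error_msg "${webserver_conf_dir}/sites-available directory does not exist"
      test -d "${webserver_conf_dir}/sites-enabled" || error_msg "${webserver_conf_dir}/sites-enabled directory does not exist"
      ## If $folder starts with '~/' or '/', user specified the path, if started with anything else expect a folder inside ${website_dir}
      case "${folder}" in
        ~/*|/*) :;;
        *) folder="${website_dir}/${folder}";;
      esac
      [ ! -d "${folder}" ] && error_msg "Website folder '${folder}' does not exist."
      ;;
  esac

  ## The site files are written from here-documents: the variables are still expanded, but unlike
  ## 'printf %s"..."' a '%' or backslash in ${folder} or ${service} is not treated as a printf directive.
  case "${webserver}" in
    nginx)
      tee "${webserver_conf_dir}/sites-available/${service}-onion.conf" <<EOF

server {
  listen ${target} default_server;

  server_tokens off;
  access_log /var/log/nginx/access_${service}.log;
  error_log /var/log/nginx/error_${service}.log;

  root ${folder};
  index index.html index.htm index.nginx-debian.html index.php;
}
EOF
      ln -sf "${webserver_conf_dir}/sites-available/${service}-onion.conf" "${webserver_conf_dir}/sites-enabled/${service}-onion.conf"
      ;;
    apache2)
      ## NOTE(review): this listing shows no VirtualHost open/close lines around the directives below;
      ## they may have been lost when the source was rendered — confirm against the repository
      tee "${webserver_conf_dir}/sites-available/${service}-onion.conf" <<EOF


ServerName ${onion_hostname:-_}
DocumentRoot ${folder}
ErrorLog /var/log/${webserver}/${service}.log
ServerTokens Prod
ServerSignature Off

EOF
      ln -sf "${webserver_conf_dir}/sites-available/${service}-onion.conf" "${webserver_conf_dir}/sites-enabled/${service}-onion.conf"
      ;;
  esac
  reload_webserver
  #rm -f /tmp/"${service}"-onion.conf
  if [ -n "${onion_hostname}" ]; then
    notice "\n# Address: ${magenta}${onion_hostname}:${virtport}${nocolor}"
    has qrencode && qrencode -m 2 -t ANSIUTF8 "${onion_hostname}:${virtport}"
  fi

  if [ "${operating_system}" = "anon-workstation" ]; then
    printf '\n'
    ## create whonix firewall folder, allow port via config file, reload firewall
    notice "Allow port ${target_port} on firewall /usr/local/etc/whonix_firewall.d/40_onionjuggler.conf"
    ## NOTE(review): mkdir runs without sudo while tee runs with it — confirm which privilege this script expects
    mkdir -p /usr/local/etc/whonix_firewall.d/
    ## append the rule only once; every '--on' used to add another copy of the same line
    grep -qF "EXTERNAL_OPEN_PORTS+=\" ${target_port} \"" /usr/local/etc/whonix_firewall.d/40_onionjuggler.conf 2>/dev/null \
      || printf '%s\n' "EXTERNAL_OPEN_PORTS+=\" ${target_port} \"" | sudo tee -a /usr/local/etc/whonix_firewall.d/40_onionjuggler.conf
    whonix_firewall
    ## information to activate the service
    printf '\n'
    notice "${magenta}Activate the onion service on the Gateway with the following options:${nocolor}"
    has qubesdb-read && target_addr_remote="$(qubesdb-read /qubes-ip)"
    printf '%s\n' " -s ${service} -p ${virtport} ${target_addr_remote:-${target_addr}}:${target_port}"
  fi
  ;;

f|off)
  [ -z "${service}" ] && usage
  if [ "${operating_system}" = "anon-workstation" ]; then
    ## block WS firewall based on webserver listening port
    ## only the nginx site file written above carries a 'listen' line, so for apache2 ${target_port}
    ## is expected to stay empty (NOTE(review): confirm)
    target="$(grep "listen " "${webserver_conf_dir}/sites-enabled/${service}-onion.conf" | sed "s/.*listen //;s/\;//")"
    target_addr="${target%%:*}"
    target_port="${target##*:}"
    if [ -n "${target_port}" ]; then
      printf '\n'
      notice "Closing port ${target_port} on firewall /usr/local/etc/whonix_firewall.d/40_onionjuggler.conf"
      sed -i'' "/EXTERNAL_OPEN_PORTS+=\" ${target_port} \"/d" /usr/local/etc/whonix_firewall.d/40_onionjuggler.conf
      whonix_firewall
    else
      ## without a port the sed pattern would match nothing; say so instead of editing the firewall blindly
      notice "No listening port found in ${webserver_conf_dir}/sites-enabled/${service}-onion.conf, firewall left unchanged"
    fi
  fi
  ## Remove the site files of service $1 from sites-available and sites-enabled. Sets the global ${service}.
  disable_site(){
    service="${1}"
    ## base name only, so a service name holding '/' cannot address files outside the sites directories
    service="${service##*/}"
    notice "\nStopping website of the service: ${service}"
    case "${webserver}" in
      nginx|apache2) rm -fv "${webserver_conf_dir}/sites-available/${service}-onion.conf" "${webserver_conf_dir}/sites-enabled/${service}-onion.conf";;
    esac
  }
  loop_list disable_site "${service}" 0
  reload_webserver
  ;;

l|list)
  notice "${bold}Web server: ${webserver}${nocolor}\n"
  notice "${bold}# Enabled websites:${nocolor}"
  case "${webserver}" in
    nginx|apache2)
      ## only the '*-onion.conf' files this script writes count as onion websites; the previous '*' glob
      ## also listed every other enabled site, and the literal '*' when the directory was empty
      for site in "${webserver_conf_dir}/sites-enabled"/*-onion.conf; do
        [ -e "${site}" ] || [ -L "${site}" ] || continue
        site="${site##*/}"
        site="${site%-onion.conf}"
        sites_enabled="$(printf '%s\n%s\n' "${sites_enabled}" "${site}")"
      done
      ;;
  esac
  if [ -n "${sites_enabled}" ]; then
    notice "\n${sites_enabled}"
  else
    error_msg "No website enabled"
  fi
  ;;

*) usage;;
esac
--------------------------------------------------------------------------------
/usr/share/bash-completion/.shellcheckrc:
--------------------------------------------------------------------------------
## This rc is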
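a copy of
## https://github.com/scop/bash-completion/blob/master/.shellcheckrc
## but the commented lines are OnionJuggler choices
shell=bash
disable=SC1090 # not really fixable usually (ever?)
disable=SC2034 # for localizing variables set in called functions
#disable=SC2128 # intentional style choice
disable=SC2206 # suggested alternatives fail in posix mode or use temp files
disable=SC2207 # suggested alternatives fail in posix mode or use temp files

# These disables are to be investigated and decided
#disable=SC2016
#disable=SC2086
#disable=SC2155


## This is onionjuggler rc
source=/dev/null
## disabling 2154 is raw but the variables
## are sourced from a non constant source
disable=SC2154
--------------------------------------------------------------------------------
/usr/share/bash-completion/completions/onionjuggler-cli:
--------------------------------------------------------------------------------
# onionjuggler-cli(8) completion -*- shell-script -*-

## Exported helper (bash-completion "xfunc"): prints the base names of the
## HiddenServiceDir entries under ${tor_data_dir_services} found in ${tor_conf},
## one per line, as a word list for completing --service.  Other completions
## reach it through bash-completion's _comp_xfunc, e.g.
#COMPREPLY=($(_comp_xfunc onionjuggler-cli services $cur))
##
## Security/hygiene note: this sources /usr/share/onionjuggler/defaults.sh and
## then runs source_conf (defined there, not visible in this file - presumably
## it sources the onionjuggler configuration files) inside the shell that is
## completing, on every <Tab>.  Whatever those files contain executes with the
## user's privileges, so they must not be writable by other users.  The known
## callers wrap this in $(...), so the sourced variables stay in a subshell;
## the loop variables are declared local so nothing leaks into the interactive
## shell if the function is ever called directly.
_comp_xfunc_onionjuggler_cli_services()
{
  ## these were implicit globals; "service_store" was reset to "" precisely
  ## because it persisted between calls.
  local hs service_store service_clean service_base nl

  . /usr/share/onionjuggler/defaults.sh || return
  source_conf || return
  test -f "${tor_conf}" || return

  service_store=""
  nl=$'\n'

  ## TODO: improve loop to catch active services, inactive services, all managed services

  ## ${tor_data_dir_services} is interpolated into a basic regex unescaped, so
  ## regex metacharacters in the path ('.' in particular) over-match; harmless
  ## for a completion word list.  'grep -v -F "#"' drops every line containing
  ## a '#' anywhere: commented-out entries, but also any active line carrying a
  ## trailing comment.  The unquoted $(...) word-splits, so a HiddenServiceDir
  ## path containing whitespace would come out in pieces.
  # shellcheck disable=SC2013
  for hs in $(grep -e "HiddenServiceDir ${tor_data_dir_services}/" "${tor_conf}" \
              | grep -v -F "#" | sed "s/HiddenServiceDir //"); do
    service_clean="${hs%/}"              # drop one trailing slash
    service_base="${service_clean##*/}"  # last path component is the service name
    ## newline-separated accumulation (same result as the former printf chain)
    service_store="${service_store:+${service_store}${nl}}${service_base}"
  done

  printf '%s\n' "${service_store}"
}

## Completion for onionjuggler-cli(8).  Option values are completed from fixed
## word lists or from the helper above; options taking free-form values
## (--port, --gateway, ...) and bare flags (--on, --off, ...) return with no
## suggestions.  Option names come from _parse_help "$1", a bash-completion
## helper that presumably runs "onionjuggler-cli --help" as resolved from PATH
## to harvest them.
_onionjuggler_cli()
{
  local cur prev words cword
  _init_completion -s || return

  case $prev in
    --port | --gateway | --purge | --renew | --quiet )
      return
      ;;
    --service )
      COMPREPLY=($(compgen -W "$(_comp_xfunc_onionjuggler_cli_services)" -- "$cur"))
      return
      ;;
    --hs-version )
      ## only v3 onion services are offered
      COMPREPLY=($(compgen -W "3" -- "$cur"))
      return
      ;;
    --socket )
      COMPREPLY=($(compgen -W "tcp unix" -- "$cur"))
      return
      ;;
    --signal )
      COMPREPLY=($(compgen -W "reload restart none" -- "$cur"))
      return
      ;;
    --on | --off | --list | --getopt )
      return
      ;;
    --help | --version | --getconf )
      return
      ;;
  esac

  if [[ $cur == -* ]]; then
    COMPREPLY=($(compgen -W "$(_parse_help "$1")" -- "$cur"))
    ## options of the form --opt= get no trailing space so the value can follow
    [[ ${COMPREPLY-} == *= ]] && compopt -o nospace
    return
  fi

} &&
complete -F _onionjuggler_cli onionjuggler-cli

# ex: filetype=sh
--------------------------------------------------------------------------------
/usr/share/bash-completion/completions/onionjuggler-cli-auth-client:
--------------------------------------------------------------------------------
# onionjuggler-cli-auth-client(8) completion -*- shell-script -*-

## Completion for onionjuggler-cli-auth-client(8).  Same shape as the
## onionjuggler-cli completion: fixed word lists for option values, no
## suggestions for free-form values and flags, option names via _parse_help.
_onionjuggler_cli_auth_client()
{
  local cur prev words cword
  _init_completion -s || return

  case $prev in
    --client | --replace-file | \
    --client-priv-config | --client-priv-key )
      return
      ;;
    --client-priv-file )
      ## *.auth_private files (client private keys, judging by the option name);
      ## only file names are listed, the files themselves are not read
      _filedir auth_private
      return
      ;;
    --signal )
      COMPREPLY=($(compgen -W "reload restart none" -- "$cur"))
      return
      ;;
    --on | --off | --list | --getopt )
      return
      ;;
    --help | --version | --getconf )
      return
      ;;
  esac

  if [[ $cur == -* ]]; then
    COMPREPLY=($(compgen -W "$(_parse_help "$1")" -- "$cur"))
    [[ ${COMPREPLY-} == *= ]] && compopt -o nospace
    return
  fi

} &&
complete -F _onionjuggler_cli_auth_client onionjuggler-cli-auth-client

# ex: filetype=sh
--------------------------------------------------------------------------------
/usr/share/bash-completion/completions/onionjuggler-cli-auth-server:
--------------------------------------------------------------------------------
# onionjuggler-cli-auth-server(8) completion -*- shell-script -*-

## Completion for onionjuggler-cli-auth-server(8).  --service reuses the
## service list of the onionjuggler-cli completion through bash-completion's
## _comp_xfunc, which loads that file and calls
## _comp_xfunc_onionjuggler_cli_services (see its note on sourcing
## configuration from the completing shell).
_onionjuggler_cli_auth_server()
{
  local cur prev words cword
  _init_completion -s || return

  case $prev in
    --client | --replace-file | \
    --client-pub-config | --client-pub-key )
      return
      ;;
    --service )
      COMPREPLY=($(compgen -W "$(_comp_xfunc onionjuggler-cli services)" -- "$cur"))
      return
      ;;
    --client-pub-file )
      ## *.auth files (client public keys, judging by the option name)
      _filedir auth
      return
      ;;
    --signal )
      COMPREPLY=($(compgen -W "reload restart none" -- "$cur"))
      return
      ;;
    --on | --off | --list | --getopt )
      return
      ;;
    --help | --version | --getconf )
      return
      ;;
  esac

  if [[ $cur == -* ]]; then
    COMPREPLY=($(compgen -W "$(_parse_help "$1")" -- "$cur"))
    [[ ${COMPREPLY-} == *= ]] && compopt -o nospace
    return
  fi

} &&
complete -F _onionjuggler_cli_auth_server onionjuggler-cli-auth-server

# ex: filetype=sh
--------------------------------------------------------------------------------
/usr/share/bash-completion/completions/onionjuggler-cli-web:
--------------------------------------------------------------------------------
# onionjuggler-cli-web(8) completion -*- shell-script -*-

## Completion for onionjuggler-cli-web(8).  --service reuses the onionjuggler-cli
## service list via _comp_xfunc; --folder completes directories only.
_onionjuggler_cli_web()
{
  local cur prev words cword
  _init_completion -s || return

  case $prev in
    ## NOTE(review): "-no-check-service" has a single dash while every other
    ## option here is double-dashed; confirm against onionjuggler-cli-web(8)
    ## whether "--no-check-service" was intended.
    --port | -no-check-service )
      return
      ;;
    --service )
      COMPREPLY=($(compgen -W "$(_comp_xfunc onionjuggler-cli services)" -- "$cur"))
      return
      ;;
    --folder )
      _filedir -d
      return
      ;;
    --on | --off | --list | --getopt )
      return
      ;;
    --help | --version | --getconf )
      return
      ;;
  esac

  if [[ $cur == -* ]]; then
    COMPREPLY=($(compgen -W "$(_parse_help "$1")" -- "$cur"))
    [[ ${COMPREPLY-} == *= ]] && compopt -o nospace
    return
  fi

} &&
complete -F _onionjuggler_cli_web onionjuggler-cli-web

# ex: filetype=sh
--------------------------------------------------------------------------------
/usr/share/bash-completion/completions/onionjuggler-tui:
--------------------------------------------------------------------------------
# onionjuggler-tui(8) completion -*- shell-script -*-

## Completion for onionjuggler-tui(8): only option names, harvested with
## _parse_help; no option here takes a completable value.
_onionjuggler_tui()
{
  local cur prev words cword
  _init_completion -s || return

  case $prev in
    --help | --version )
      return
      ;;
  esac

  if [[ $cur == -* ]]; then
    COMPREPLY=($(compgen -W "$(_parse_help "$1")" -- "$cur"))
    [[ ${COMPREPLY-} == *= ]] && compopt -o nospace
    return
  fi

} &&
complete -F _onionjuggler_tui onionjuggler-tui

# ex: filetype=sh
--------------------------------------------------------------------------------
/version.txt:
--------------------------------------------------------------------------------
0.0.1
--------------------------------------------------------------------------------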