-- Leo's gemini proxy

-- Connecting to tilde.team:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini; lang=en

Gemini on Tor


Specifically, tilde.black is now running gemini over tor properly. Are you running your gemini client over tor already? Try this link to find this page on tor:


This page on tor!


Want to see a picture?


Picture of Kristall running tilde.black over tor!


Here's what I did.


Generated a new TLS cert (good for 5 years) with both tilde.black and the onion address as subjectAltNames

Set up a wrapper for jetforce according to the vhost.py example to serve both versions of the site

fixed my rc.d service to run everything on openbsd

oh yeah... set up tor


Lets look at each in turn.


Creating a new cert


The newest openssl can do "-addext" which makes adding subjectAltName really easy. OpenBSD doesn't do that though cause it hates me. So instead I had to do this monstrosity. Yes, I'm running -nodes multiple times. No, I have no idea why or what these things do. No, I have no idea if the order is important. This was trial and error and stitching things together.


openssl req \
  -newkey rsa:2048 \
  -days 1825 \
  -nodes \
  -keyout tilde.black.key \
  -subj "/CN=tilde.black" \
  -reqexts SAN \
  -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:tilde.black,DNS:black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion")) \
  -nodes -x509 \
  -out tilde.black.crt \
  -extensions SAN

Because I run gemini under a service user, I chowned the crt and key files to that user and socked them away in /etc/gemini/ for good luck.



The jetforce wrapper


I stuck with the example code as much as possible here. I probably don't need app_a, app_b, and app_default at all and could have just used one. I'm not 100% sure though and once it worked I stopped messing with it. The idea is to serve up files for either tilde.black or the onion address and this does that. Note I needed to tell the server where my keys were and to run on 0.0.0.0. I'm not sure what I would need to do to get this to run on both ipv4 and ipv6 at the same time. Maybe one of you can chime in?


from jetforce import GeminiServer, StaticDirectoryApplication
from jetforce.app.composite import CompositeApplication

app_a = StaticDirectoryApplication(root_directory="/var/gemini/")
app_b = StaticDirectoryApplication(root_directory="/var/gemini/")
app_default = StaticDirectoryApplication(root_directory="/var/gemini/")

app = CompositeApplication(
    {
        "tilde.black": app_a,
        "black6kfjetfuzaeozz7fs53whh7xtd4e27telrf5fg5kgdt5ah5plad.onion": app_b,
        # Use a default static file server for all other domains
        None: app_default,
    }
)

if __name__ == "__main__":
    server = GeminiServer(app, certfile="/etc/gemini/tilde.black.crt", keyfile="/etc/gemini/tilde.black.key", host="0.0.0.0")
    server.run()

The rc.d service


Running python scripts in rc.d is annoying because the check method doesn't find the running code properly and all sorts of problems happen. I separate the code for the daemon and the python3 instigator so I can get it all to play nice. I have no idea how I'd get virtualenv to work with this. This is why python gives me a headache.


#!/bin/ksh

# /etc/rc.d/jetforce

daemon="/opt/jetforce/vhost.py"
daemon_user="gemini"
. /etc/rc.d/rc.subr
pexp="/usr/local/bin/python3 ${daemon}"
rc_reload="NO"

rc_check() {
  pgrep -q -f "${daemon}"
}

rc_start() {
  ${rcexec} "${pexp}" &
}

rc_cmd $1

Set up tor


Honestly, this part is an addition because it's been done so long I forgot about it. When gemini was brand new I added the one line to my torrc file that was needed to "make our ship go".


HiddenServicePort 1965 tilde.black:1965

That's it. I already have tor set up from gopher & web stuff here already. If you need to know how to do that, the basic tor instructions available online are plenty good enough to assist. There's nothing fancy here.



Originally Published 2020-07-06 at: gemini://tilde.team/~tomasino/journal/20200706-gemini-on-tor.gmi


If you have questions or thoughts to add please send me a link to your response.

Contact Information

-- Response ended

-- Page fetched on Thu Mar 28 14:30:15 2024