diff --git a/i2p2www/pages/site/get-involved/guides/reseed-old.html b/i2p2www/pages/site/get-involved/guides/reseed-old.html new file mode 100644 index 00000000..8ab7e242 --- /dev/null +++ b/i2p2www/pages/site/get-involved/guides/reseed-old.html @@ -0,0 +1,954 @@ +{% extends "global/layout.html" %} +{% block title %}{{ _('How to Set up a Reseed Server') }}{% endblock %} +{% block lastupdated %}2021-12{% endblock %} +{% block content %} + +

{% trans %}Overview{% endtrans %}

+ +

{% trans -%} +Thank you for volunteering to run an I2P reseed server. +"Reseeding" is our term for bootstrapping new routers into the network. +New routers fetch a bundle of peer references, or "router infos", from one or more of a hardcoded list of HTTPS URLs. +{%- endtrans %}

+ +

{% trans %}Requirements{% endtrans %}

+ +

{% trans -%} +At its simplest, a reseed server consists of a Java I2P router, an HTTPS web server, +and some scripts that periodically gather router infos from the router, +bundle and sign them into a custom file format, and deliver these files over HTTPS. +In practice, it's a bit more complex, and a reseed operator must be fairly competent and attentive. +A reseed server is not appropriate for a residential internet connection. The complexities include: +{%- endtrans %}

+ + + +

{% trans %}Information Required{% endtrans %}

+ +

{% trans -%} +When your setup is complete and ready for testing, we will need the HTTPS URL, +the SSL public key certificate (only if selfsigned), and the su3 public key certificate. +After testing is complete, these will be added to the hardcoded entries in the Java and C++ routers in the next release, +and you will start seeing traffic. +We also will need your email address so we may continue to contact you about reseed administration issues. +The email will not be made public but will be known to the other reseed operators. +You should expect that your nick or name and its association with that URL or IP will become public. +{%- endtrans %}

+ +

{% trans %}Privacy Policy{% endtrans %}

+ +

{% trans -%} +A reseed operator is a trusted role in the network. +While we do not yet have a formal privacy policy, you must ensure the privacy of our users +by not publicizing logs or IPs found in those logs, except as necessary to discuss administration issues with the I2P reseed team. +{%- endtrans %}

+ +

{% trans %}Financial Support{% endtrans %}

+ +

{% trans -%} +Modest financial support may be available to those running reseed servers. +This support would be in partial reimbursement for your server costs. +Support will not be paid in advance and will probably not cover all your expenses. +Support is only available to those who have been running reseed servers in good standing for several months, and is based on actual need. +{%- endtrans %}

+ +

{% trans -%} +If you would like to discuss support, please contact echelon and CC: zzz +{%- endtrans %}

+ + +

{% trans %}Getting Started{% endtrans %}

+ +

{% trans -%} +Our reseed coordinator is "zzz" and he may be contacted at zzz at mail.i2p or zzz at i2pmail.org. +Unfortunately, he is not generally on IRC. The reseed setup is somewhat specialized, and you should direct most questions to him. +{%- endtrans %}

+ +

{% trans -%} +For actual implementation, details below. We have one recommended reseed solution: +{%- endtrans %}

+ + + +

{% trans -%} +For further information, read the information at the following links, and then contact zzz. +Thank you! +{%- endtrans %}

+ + + +

{% trans %}Detailed Instructions{% endtrans %}

+ +

How-to Public reseed servers - su3

+ + + +

Table of contents

+ +
    +
  1. Introduction +
  2. Requirements +
  3. Go Solution - Quick Guide +
      +
    1. Start Web Server +
    2. Install git and golang +
    3. Build and Test +
    4. Run Reseed +
    5. Backup Certificates and Keys +
    6. Enable Autostart +
    7. Connect Web Server to Reseed +
    8. Test From Another Computer +
    9. Send Us Your Certificates +
    +
  4. Go Solution -Detailed Guide +
      +
    1. Overview +
    2. Building From Source +
    3. Run The Reseed Server +
    4. Draft For Startup Script +
    5. Reverse-Proxy Setup +
    6. Convert Existing Java Keystore to crt- and pem-file +
    +
  5. Seamless SSL-Certificate Exchange +
  6. Reseed Server Domain/URL/Port Exchange +
  7. Tests +
  8. Contact Reseed Maintainer +
+ +

1. Introduction

+

+Public reseed servers are necessary to bootstrap into the I2P net. +New installed I2P routers needs one-time about one hundred RouterInfo's (RI) as jump start. +

+

+RI contains IP and Port from other I2P routers and are stored in dat-files in the netDB folder. +

+

+A random bunch of dat-files from the netDB are zipped, then signed to a su3-file +and finally offered to I2P routers seeking reseed service. +

+

+To secure bootstrap and enable a trusted start, HTTPS/TLS and signed su3-files are mandatory. +

+

+It is essential not to publish all RI from netDB, or all RI to one client. +

+ + +

2. Requirements

+ +

+Requirements for running a public reseed server: +

+Optional: + + +

+This How-to is tested with Ubuntu/Debian as well as FreeBSD. +The web server has to be public reachable from all over the world, an I2P Site inside I2P can be setup in addition. +Also frequent or infrequent attempts to scrape all your reseed files, and of course attacks on your server. +The web server doesn't need to listen at default SSL/TLS port 443 - any other port can be used for obfuscation. +

+ + +

3. Go Solution - Quick Guide

+ +

1. Fire Up Your Favorite Webserver

+
  1. + Connect a domain, sub-domain or (anonymous) third-level-domain +
  2. + Setup a state-of-the-art TLS(SSL) certificate +
  3. + Allow access only via HTTPS/TLS, no unencrypted HTTP +
  4. + Allow only very good ciphers, compatible to Java 7/8/9. See Cipherli.st +
+

+Note: A non default port other than 443 can be used; TLS certificate can be self signed; configure fail2ban as bot-net protection +

+ + +

2. Install git and golang-go (1.4.2 or higher)

+
+	Debian/Ubuntu:    sudo apt install git golang-go
+        Arch:             sudo pacman -s git go
+
+ + +

3. Switch To User Running I2P, Fetch the i2p-tool Source Code, Build and Test it

+

+Note: Visit http://reseed.i2p and download a pre-build x86_64 binary, so you can skip step 2+3. +

+
+	export GOPATH=$HOME/go; mkdir $GOPATH; cd $GOPATH
+	go get github.com/martin61/i2p-tools
+	bin/i2p-tools -h
+
+ + +

4. Run i2p-tools locally,

+

+Replace 'yourname@mail.i2p' with your email address +Replace '/home/i/.i2p/netDb' with the path to the I2P 'netDb' in the home folder of the user running I2P +

+
+	GOPATH=$HOME/go;
+        cd $GOPATH;
+        bin/i2p-tools reseed --signer=yourname@mail.i2p \
+                             --netdb=/home/i/.i2p/netDb \
+                             --port=8443 \
+                             --ip=127.0.0.1 \
+                             --trustProxy
+
+ + +

5. Back Up New Certificates

+

+Make a backup from the newly created su3-signing key and certificate found in $GOPATH (.crt/.pem/.crl) and keep it in a safe, password protected location +

+ + +

6. Enable Autostart (+restart) for i2p-tools in Your crontab

+

+Replace '...' with the appropriate command-line arguments as in step 4 +

+
+	@reboot   GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed ... >/dev/null 2>&1
+	9 * * * * GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed ... >/dev/null 2>&1
+
+ +

7. Connect Your Webserver via Reverse-Proxy setup to the i2p-tool, Examples

+

+lighttpd is no longer supported due to a limitation with the 'X-Forwarded-For' HTTP Header. Please use Apache or nginx. +

+

+ nginx configuration example: +

+
+		location / {
+			proxy_pass http://127.0.0.1:8443;
+                        proxy_set_header X-Real-IP  $remote_addr;
+                        proxy_set_header X-Forwarded-For $remote_addr;
+		}
+
+

+ Apache (untested - feedback would be appreciated) +

+
+		ProxyRequests Off
+		<Proxy *>
+			Order deny,allow
+			Allow from all
+		</Proxy>
+		ProxyPass / http://127.0.0.1:8443/
+		ProxyPassReverse / http://127.0.0.1:8443/
+
+

+Additionally, ensure that your webserver uses these suggested settings for Strong SSL Security (visit CipherLi.st for the latest settings). Sample SSL settings are provided in section 4.5 Reverse-Proxy Setup. +

+ +

+Note: i2p-tool has also an build-in standalone webserver with TLS support which can be used without a webserver. Please contact (zzz at mail.i2p.de) if you need help, or stop by #i2p-dev on IRC2P and talk to other reseed operators. +

+ + +

8. Final Test From Another Computer With I2P Running

+
  1. + Place your su3-certificate (*.crt) in i2p/certificates/reseed/ +
  2. + Place your TLS-certificate (*.crt) in i2p/certificates/ssl/ +
  3. + Visit with your web browser http://localhost:7657/configreseed +
  4. + Enter your new reseed-url and delete all others, hit "Save changes and reseed now" +
  5. + Check the I2P logs for "Reseed got 77 router infos from ... with 0 errors, Reseed complete, 77 received" +
+ + +

9. Send Us Your Information

+
  1. + Domain/URL/Port +
  2. + su3-signing certificate +
  3. + TLS certificate (if self signed) +
+

+Send an email: zzz at mail.i2p, PGP signed welcome :-) + + +

4. Go Solution - Detailed Instructions

+ +

1. Overview

+ +

+The previous steps for reseeding involves many steps, scripts and programs. +Most of them are easy and plain straight forward, but overall you can call it a little confusing. + +

+Here comes now an all-in-one solution from matt (Big Thanks!) for providing +a reseed server which merges the following functions into one binary: + +

+ +

+Almost all previous used scripts and described steps are not needed with this solution, +but to understand the overall reseed process it is recommended to read them too :-) + +

+ +

+Of course you need an up-to-date netDB folder with routerinfos from a running I2P router. +I2P does not have to be running on the same machine as this reseed binary. +In this case you can setup a cronjob to transfer the netDB from the I2P machine to the reseed machine. + +

+Matt's go solution can be used in parallel next to an already running http-server. +For this leave the http-server running at normal port 80 and 443, +and configure Go solution too use another port, e.g. port 8443. + +

+More: at github, README.md, https://github.com/martin61/i2p-tools + + +

2. Building From Source

+ +

+Requirements: +

+ +

+Install go from https://golang.org/doc/install, example for 64 bit Ubuntu/Debian: +

+ +

+Verify go: +

+$ go version
+
+which should state something like: "go version go1.4.2" + +

+Install Go solution from https://github.com/martin61/i2p-tools into $HOME/go: +

+$ go get github.com/martin61/i2p-tools
+
+ +

+This will install a binary to $GOPATH/bin/i2p-tools + +

+Run the go solution, the usage/help should be displayed, nothing more: +

+$ i2p-tools
+
+ +

3. Run the Reseed Server

+ +
+$ i2p-tools reseed --tlsHost=myserver.com --signer=myemail@mail.i2p --netdb=$HOME/.i2p/netDb
+
+ + + +

+Output: +

+2015/03/15 12:28:25 Rebuilding su3 cache...
+2015/03/15 12:28:25 Building 200 su3 files each containing 75 out of 3180 routerInfos.
+2015/03/15 12:28:35 Done rebuilding.
+2015/03/15 12:28:35 HTTPS server started on 0.0.0.0:8443
+
+ +

+So you can now test to reach the server at port 8443, see a previous chapter about proper testing. + +

+Some remarks: +

+ + +

4. Draft for Startup Script "seedserver"

+ +

+The reseed server should be started automatically, so you need a init.d or some sort of +startscript, here named as "seedserver". +This is only a very first draft for a simple startscript (it could be done better :-)) +

+Login as I2P user: +

+Update the header "# Your settings" with your individual settings. + +

+Now you can use the shell-script: +

+seedserver start
+
+

+And then (give it some seconds) take a look at the status: +

+seedserver status
+seedserver showlog
+
+ +

+Some short explanation about seedserver: +

+ +

+If this is working fine, you can put the script in your personal crontab, to run it by auto-start +and to do logrotes simply by restarting it regularly once a week to avoid too big logfiles. +If you already reboot your server regularly, you can skip of course the "restart" command line. + +

+Login as I2P user, edit your crontab: +

+crontab -e
+
+

+and add these 3 lines at the end: +

+@reboot /home/i2p/bin/seedserver startdelayed
+04 14 * * 2 /home/i2p/bin/seedserver restart
+#end
+
+ +

+Save and close the editor. It would be good to check if this is properly working when you reboot your machine. + +

+"seedserver" shell script: + +

+######################################################################################################
+#!/bin/sh
+
+# Your settings
+toolpath=/home/i2p/bin
+tlsHost=myserver.com
+signer=myemail@mail.i2p
+netdb="/home/i2p/.i2p/netDb"
+
+
+tool=i2p-tools
+logpath="$toolpath/${tool}.log"
+logfile="$logpath/reseed.log"
+errfile="$logpath/reseed.error"
+
+cd "$toolpath"
+mkdir --parents "$logpath"
+
+
+do_status() {
+/bin/sleep 1
+if [ -n "$(pgrep -x "$tool")" ]; then
+echo "$tool running, pid $(pgrep "$tool")"
+else
+echo "$tool not running."
+fi;
+}
+
+do_start() {
+if [ -z "$(pgrep -x "$tool")" ]; then
+do_logrotate
+nohup "$toolpath/$tool" reseed -tlsHost="$tlsHost" --signer="$signer" --netdb="$netdb" > "$logfile" 2> "$errfile" &
+fi;
+do_status
+}
+
+do_stop() {
+if [ -n "$(pgrep -x "$tool")" ]; then
+pkill "$tool"
+fi;
+do_status
+}
+
+do_startdelayed() {
+echo "waiting 20s..."
+/bin/sleep 20
+do_start
+}
+
+do_restart() {
+do_status
+do_stop
+do_start
+}
+
+do_logrotate() {
+do_status
+if [ -z "$(pgrep -x "$tool")" ]; then
+mv --force "${logfile}.6" "${logfile}.7" 2>/dev/null
+mv --force "${logfile}.5" "${logfile}.6" 2>/dev/null
+mv --force "${logfile}.4" "${logfile}.5" 2>/dev/null
+mv --force "${logfile}.3" "${logfile}.4" 2>/dev/null
+mv --force "${logfile}.2" "${logfile}.3" 2>/dev/null
+mv --force "${logfile}.1" "${logfile}.2" 2>/dev/null
+mv --force "${logfile}" "${logfile}.1" 2>/dev/null
+mv --force "${errfile}.6" "${errfile}.7" 2>/dev/null
+mv --force "${errfile}.5" "${errfile}.6" 2>/dev/null
+mv --force "${errfile}.4" "${errfile}.5" 2>/dev/null
+mv --force "${errfile}.3" "${errfile}.4" 2>/dev/null
+mv --force "${errfile}.2" "${errfile}.3" 2>/dev/null
+mv --force "${errfile}.1" "${errfile}.2" 2>/dev/null
+mv --force "${errfile}" "${errfile}.1" 2>/dev/null
+echo "log-rotate done."
+else
+echo "log-rotate not possible."
+fi;
+}
+
+do_showlog() {
+echo "-------------------------------------------------------------------------------"
+tail "$errfile"
+echo "-------------------------------------------------------------------------------"
+tail "$logfile"
+echo "-------------------------------------------------------------------------------"
+}
+
+
+do_usage() {
+echo "Usage: {start|stop|status|restart|logrotate|startdelayed|showlog}"
+}
+
+case "$1" in
+start)
+do_start
+;;
+stop)
+do_stop
+;;
+status)
+do_status
+;;
+restart)
+do_restart
+;;
+startdelayed)
+do_startdelayed
+;;
+logrotate)
+do_logrotate
+;;
+showlog)
+do_showlog
+;;
+*)
+do_usage
+;;
+esac
+
+exit 0
+######################################################################################################
+
+ + +

5. Reverse-Proxy Setup

+ +

+You can run i2p-tools also behind your normal web-server (reverse-proxy). + +

+The web-server handles the TLS handshake, encryption, SSL Certificate and the logfiles. +But you don't need the scripts su3.php and the shell cronjob for creating su3-files. +i2p-tools is running "behind" the web-server, without TLS management, only bind to +local interface 127.0.0.1 and is handling complete building and handling of su3-files. + + +

+Run i2p-tools with this command: + +

+i2p-tools reseed --signer test@test.de \
+                 --key /path_to/test_at_test.de.pem \
+                 --netdb /path_to/netDb \
+                 --port=8443 \
+                 --ip 127.0.0.1 \
+                 --trustProxy
+
+ + +Important notes for this special setup: + + +"trustProxy" uses the "X-Forwarded-For" to get the real client IP +

+ nginx configuration example: +

+
+		location / {
+			proxy_pass http://127.0.0.1:8443;
+                        proxy_set_header X-Real-IP  $remote_addr;
+                        proxy_set_header X-Forwarded-For $remote_addr;
+		}
+
+

+ Apache (untested - feedback would be appreciated) +

+
+		ProxyRequests Off
+		<Proxy *>
+			Order deny,allow
+			Allow from all
+		</Proxy>
+		ProxyPass / http://127.0.0.1:8443/
+		ProxyPassReverse / http://127.0.0.1:8443/
+
+

+ +

+and for X-Forwarded-For: +

+     proxy_set_header        X-Real-IP       $remote_addr;
+     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ +

+Additionally, ensure that your webserver uses these suggested settings for Strong SSL Security (visit CipherLi.st for the latest settings). A sample configuration is provided below. +

+

+Apache +

+
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+SSLProtocol All -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+Header always set X-Frame-Options DENY
+Header always set X-Content-Type-Options nosniff
+# Requires Apache >= 2.4
+SSLCompression off 
+SSLUseStapling on 
+SSLStaplingCache "shmcb:logs/stapling-cache(150000)" 
+# Requires Apache >= 2.4.11
+SSLSessionTickets Off
+
+

+nginx (remember to replace '$DNS-IP-1' & '$DNS-IP-2' with 2 trusted DNS servers) +

+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
+resolver_timeout 5s;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+

+Complete nginx configuration (sample) +

+

+user nobody;
+worker_processes 1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+    sendfile        on;
+    keepalive_timeout  65;
+
+    server {
+        listen $IP_ADDRESS:443 ssl;
+        server_name $DOMAIN;
+
+        ssl_certificate keys/fullchain.pem;
+        ssl_certificate_key keys/privkey.pem;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off; # Requires nginx >= 1.5.9
+        ssl_stapling on; # Requires nginx >= 1.3.7
+        ssl_stapling_verify on; # Requires nginx => 1.3.7
+        resolver $DNS_IP_1 $DNS_IP_2 valid=300s;
+        resolver_timeout 5s;
+        ssl_prefer_server_ciphers on;
+        ssl_dhparam keys/dh.pem;
+        server_tokens off;
+
+        charset utf8;
+
+        location /i2pseeds.su3 {
+                proxy_pass http://127.0.0.1:8443;
+                proxy_set_header X-Real-IP  $remote_addr;
+                proxy_set_header X-Forwarded-For $remote_addr;
+	  }
+	}
+}
+
+ + +

6. Convert Existing Java Keystore to crt- and pem-file

+ +

+This describes how to convert your existing Java keystore with your su3 signing key to a plain crt- and pem-file. +This is only needed, when you already have a Java keystore and want to use Go solution. +If you create new keys+certs with matt's solution you can skip this chapter! + +

+Requirements: +

+ +

+Keep in mind: the Java keystore has two passwords: +

+ +

+This works in a Ubuntu/Debian shell: + +

+######################################################################################################
+file="keystore.ks"
+pass_jks=changeit
+
+# List the keystore content, show the included (email) alias
+keytool -list -storepass $pass_jks -keystore $file
+
+# Convert jks --> pkcs12, specify the correct email alias (xxxxx@mail.i2p):
+keytool -importkeystore \
+        -srcalias xxxxx@mail.i2p \
+        -srckeystore $file \
+        -srcstoretype jks \
+        -srcstorepass $pass_jks \
+        -destkeystore ${file}.p12 \
+        -deststoretype pkcs12 \
+        -deststorepass $pass_jks \
+        -destkeypass $pass_jks
+
+# Show the pkcs12 content:
+openssl pkcs12 -passin pass:$pass_jks -in ${file}.p12 -nodes -info
+
+# Convert pkcs12 --> pem
+openssl pkcs12 -passin pass:$pass_jks -in ${file}.p12 -nodes -out ${file}.pem
+
+# Decrypt the pem
+openssl rsa  -in ${file}.pem -out xxxxx_at_mail.i2p.pem
+
+# Extract the certificate
+openssl x509 -in ${file}.pem -out xxxxx_at_mail.i2p.crt
+######################################################################################################
+
+ + +

5. Seamless SSL-Certificate Exchange

+ +

+The update/exchange of an already existing self-signed certificates has to be correct timed +on server *and* client side. Considering thousands of clients (many with older I2P version) the exchange +will not be seamless possible and will have very bad impact on many clients: reseed won't work for them. + +

+To avoid this issue and make the exchange as smooth as possible follow these simple steps: + +

    +
  1. Generate a new SSL-certificate NOW, but do NOT implement it on server +
  2. Send the new SSL-certificate to us to perform a roll-out towards clients NOW +
  3. WAIT some month, e.g. 3-4 i2p-releases +
  4. New SSL-certificate is now hopefully present on many clients (in parallel to the current/old one) +
  5. THEN exchange the SSL-certificate on server +
+ +

+This idea based on the fact, that you can provide in i2p/certificates/ssl more than one crt-file for a server, e.g. +server.com.crt and server.com2.crt + + +

6. Reseed Server Domain/URL/Port Exchange

+ + +

+You are already operating a reseed server but want to change your Domain/URL/Port? +To make the exchange as smooth as possible for many clients please follow these steps if possible: + +

    +
  1. Setup an additional reseed instance at the new Domain/URL/Port +
  2. We include the new URL into I2P source NOW and delete the old URL NOW +
  3. Both of your reseed instances have to run some time in parallel +
  4. WAIT some month, e.g. 3-4 i2p-releases +
  5. New URL is now hopefully present on many clients +
  6. THEN shutdown the old reseed instance +
+ + +

7. Tests

+ +

+Some simple pre-test: test the website and fetch +

+	wget --user-agent="Wget/1.11.4" \
+             -O /tmp/test.su3 \
+             --no-check-certificate https://your-server.com:PORT/i2pseeds.su3
+
+Replace "PORT" with default 443 or your chosen server setting. +Inspect the fetched file.: +Some simple pre-test: test the website and fetch +
+	zipinfo -z /tmp/test.su3
+
+ +

+Replace "--no-check-certificate" with "--ca-certificate=~/i2p/certificates/ssl/your-server.com.crt" +which contains the path to your local public SSL-certificate to check also your ssl-certificate chain. + +

+Confirm the following: +

+ +

+Do a real reseed test on *another* I2P router machine: +

+ +

8. Contact Reseed Maintainer

+ +

+Contact us via email zzz at mail.i2p (alternatively, post in the reseed section on the zzz.i2p forum) +Provide us with details about your new reseed server: +

+

+Feel free to contact zzz at mail.i2p in case of questions or problems or post your question at zzz's forum in the reseed section. + +{% endblock %} diff --git a/i2p2www/pages/site/get-involved/guides/reseed.html b/i2p2www/pages/site/get-involved/guides/reseed.html index 8ab7e242..cbb45242 100644 --- a/i2p2www/pages/site/get-involved/guides/reseed.html +++ b/i2p2www/pages/site/get-involved/guides/reseed.html @@ -3,952 +3,8 @@ {% block lastupdated %}2021-12{% endblock %} {% block content %} -

{% trans %}Overview{% endtrans %}

+

{% trans %}General Information{% endtrans %}

-

{% trans -%} -Thank you for volunteering to run an I2P reseed server. -"Reseeding" is our term for bootstrapping new routers into the network. -New routers fetch a bundle of peer references, or "router infos", from one or more of a hardcoded list of HTTPS URLs. -{%- endtrans %}

- -

{% trans %}Requirements{% endtrans %}

- -

{% trans -%} -At its simplest, a reseed server consists of a Java I2P router, an HTTPS web server, -and some scripts that periodically gather router infos from the router, -bundle and sign them into a custom file format, and deliver these files over HTTPS. -In practice, it's a bit more complex, and a reseed operator must be fairly competent and attentive. -A reseed server is not appropriate for a residential internet connection. The complexities include: -{%- endtrans %}

- - - -

{% trans %}Information Required{% endtrans %}

- -

{% trans -%} -When your setup is complete and ready for testing, we will need the HTTPS URL, -the SSL public key certificate (only if selfsigned), and the su3 public key certificate. -After testing is complete, these will be added to the hardcoded entries in the Java and C++ routers in the next release, -and you will start seeing traffic. -We also will need your email address so we may continue to contact you about reseed administration issues. -The email will not be made public but will be known to the other reseed operators. -You should expect that your nick or name and its association with that URL or IP will become public. -{%- endtrans %}

- -

{% trans %}Privacy Policy{% endtrans %}

- -

{% trans -%} -A reseed operator is a trusted role in the network. -While we do not yet have a formal privacy policy, you must ensure the privacy of our users -by not publicizing logs or IPs found in those logs, except as necessary to discuss administration issues with the I2P reseed team. -{%- endtrans %}

- -

{% trans %}Financial Support{% endtrans %}

- -

{% trans -%} -Modest financial support may be available to those running reseed servers. -This support would be in partial reimbursement for your server costs. -Support will not be paid in advance and will probably not cover all your expenses. -Support is only available to those who have been running reseed servers in good standing for several months, and is based on actual need. -{%- endtrans %}

- -

{% trans -%} -If you would like to discuss support, please contact echelon and CC: zzz -{%- endtrans %}

- - -

{% trans %}Getting Started{% endtrans %}

- -

{% trans -%} -Our reseed coordinator is "zzz" and he may be contacted at zzz at mail.i2p or zzz at i2pmail.org. -Unfortunately, he is not generally on IRC. The reseed setup is somewhat specialized, and you should direct most questions to him. -{%- endtrans %}

- -

{% trans -%} -For actual implementation, details below. We have one recommended reseed solution: -{%- endtrans %}

- - - -

{% trans -%} -For further information, read the information at the following links, and then contact zzz. -Thank you! -{%- endtrans %}

- - - -

{% trans %}Detailed Instructions{% endtrans %}

- -

How-to Public reseed servers - su3

- - - -

Table of contents

- -
    -
  1. Introduction -
  2. Requirements -
  3. Go Solution - Quick Guide -
      -
    1. Start Web Server -
    2. Install git and golang -
    3. Build and Test -
    4. Run Reseed -
    5. Backup Certificates and Keys -
    6. Enable Autostart -
    7. Connect Web Server to Reseed -
    8. Test From Another Computer -
    9. Send Us Your Certificates -
    -
  4. Go Solution -Detailed Guide -
      -
    1. Overview -
    2. Building From Source -
    3. Run The Reseed Server -
    4. Draft For Startup Script -
    5. Reverse-Proxy Setup -
    6. Convert Existing Java Keystore to crt- and pem-file -
    -
  5. Seamless SSL-Certificate Exchange -
  6. Reseed Server Domain/URL/Port Exchange -
  7. Tests -
  8. Contact Reseed Maintainer -
- -

1. Introduction

-

-Public reseed servers are necessary to bootstrap into the I2P net. -New installed I2P routers needs one-time about one hundred RouterInfo's (RI) as jump start. -

-

-RI contains IP and Port from other I2P routers and are stored in dat-files in the netDB folder. -

-

-A random bunch of dat-files from the netDB are zipped, then signed to a su3-file -and finally offered to I2P routers seeking reseed service. -

-

-To secure bootstrap and enable a trusted start, HTTPS/TLS and signed su3-files are mandatory. -

-

-It is essential not to publish all RI from netDB, or all RI to one client. -

- - -

2. Requirements

- -

-Requirements for running a public reseed server: -

-Optional: - - -

-This How-to is tested with Ubuntu/Debian as well as FreeBSD. -The web server has to be public reachable from all over the world, an I2P Site inside I2P can be setup in addition. -Also frequent or infrequent attempts to scrape all your reseed files, and of course attacks on your server. -The web server doesn't need to listen at default SSL/TLS port 443 - any other port can be used for obfuscation. -

- - -

3. Go Solution - Quick Guide

- -

1. Fire Up Your Favorite Webserver

-
  1. - Connect a domain, sub-domain or (anonymous) third-level-domain -
  2. - Setup a state-of-the-art TLS(SSL) certificate -
  3. - Allow access only via HTTPS/TLS, no unencrypted HTTP -
  4. - Allow only very good ciphers, compatible to Java 7/8/9. See Cipherli.st -
-

-Note: A non default port other than 443 can be used; TLS certificate can be self signed; configure fail2ban as bot-net protection -

- - -

2. Install git and golang-go (1.4.2 or higher)

-
-	Debian/Ubuntu:    sudo apt install git golang-go
-        Arch:             sudo pacman -s git go
-
- - -

3. Switch To User Running I2P, Fetch the i2p-tool Source Code, Build and Test it

-

-Note: Visit http://reseed.i2p and download a pre-build x86_64 binary, so you can skip step 2+3. -

-
-	export GOPATH=$HOME/go; mkdir $GOPATH; cd $GOPATH
-	go get github.com/martin61/i2p-tools
-	bin/i2p-tools -h
-
- - -

4. Run i2p-tools locally,

-

-Replace 'yourname@mail.i2p' with your email address -Replace '/home/i/.i2p/netDb' with the path to the I2P 'netDb' in the home folder of the user running I2P -

-
-	GOPATH=$HOME/go;
-        cd $GOPATH;
-        bin/i2p-tools reseed --signer=yourname@mail.i2p \
-                             --netdb=/home/i/.i2p/netDb \
-                             --port=8443 \
-                             --ip=127.0.0.1 \
-                             --trustProxy
-
- - -

5. Back Up New Certificates

-

-Make a backup from the newly created su3-signing key and certificate found in $GOPATH (.crt/.pem/.crl) and keep it in a safe, password protected location -

- - -

6. Enable Autostart (+restart) for i2p-tools in Your crontab

-

-Replace '...' with the appropriate command-line arguments as in step 4 -

-
-	@reboot   GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed ... >/dev/null 2>&1
-	9 * * * * GOPATH=$HOME/go; cd $GOPATH; bin/i2p-tools reseed ... >/dev/null 2>&1
-
- -

7. Connect Your Webserver via Reverse-Proxy setup to the i2p-tool, Examples

-

-lighttpd is no longer supported due to a limitation with the 'X-Forwarded-For' HTTP Header. Please use Apache or nginx. -

-

- nginx configuration example: -

-
-		location / {
-			proxy_pass http://127.0.0.1:8443;
-                        proxy_set_header X-Real-IP  $remote_addr;
-                        proxy_set_header X-Forwarded-For $remote_addr;
-		}
-
-

- Apache (untested - feedback would be appreciated) -

-
-		ProxyRequests Off
-		<Proxy *>
-			Order deny,allow
-			Allow from all
-		</Proxy>
-		ProxyPass / http://127.0.0.1:8443/
-		ProxyPassReverse / http://127.0.0.1:8443/
-
-

-Additionally, ensure that your webserver uses these suggested settings for Strong SSL Security (visit CipherLi.st for the latest settings). Sample SSL settings are provided in section 4.5 Reverse-Proxy Setup. -

- -

-Note: i2p-tool has also an build-in standalone webserver with TLS support which can be used without a webserver. Please contact (zzz at mail.i2p.de) if you need help, or stop by #i2p-dev on IRC2P and talk to other reseed operators. -

- - -

8. Final Test From Another Computer With I2P Running

-
  1. - Place your su3-certificate (*.crt) in i2p/certificates/reseed/ -
  2. - Place your TLS-certificate (*.crt) in i2p/certificates/ssl/ -
  3. - Visit with your web browser http://localhost:7657/configreseed -
  4. - Enter your new reseed-url and delete all others, hit "Save changes and reseed now" -
  5. - Check the I2P logs for "Reseed got 77 router infos from ... with 0 errors, Reseed complete, 77 received" -
- - -

9. Send Us Your Information

-
  1. - Domain/URL/Port -
  2. - su3-signing certificate -
  3. - TLS certificate (if self signed) -
-

-Send an email: zzz at mail.i2p, PGP signed welcome :-) - - -

4. Go Solution - Detailed Instructions

- -

1. Overview

- -

-The previous steps for reseeding involves many steps, scripts and programs. -Most of them are easy and plain straight forward, but overall you can call it a little confusing. - -

-Here comes now an all-in-one solution from matt (Big Thanks!) for providing -a reseed server which merges the following functions into one binary: - -

- -

-Almost all previous used scripts and described steps are not needed with this solution, -but to understand the overall reseed process it is recommended to read them too :-) - -

- -

-Of course you need an up-to-date netDB folder with routerinfos from a running I2P router. -I2P does not have to be running on the same machine as this reseed binary. -In this case you can setup a cronjob to transfer the netDB from the I2P machine to the reseed machine. - -

-Matt's go solution can be used in parallel next to an already running http-server. -For this leave the http-server running at normal port 80 and 443, -and configure Go solution too use another port, e.g. port 8443. - -

-More: at github, README.md, https://github.com/martin61/i2p-tools - - -

2. Building From Source

- -

-Requirements: -

- -

-Install go from https://golang.org/doc/install, example for 64 bit Ubuntu/Debian: -

- -

-Verify go: -

-$ go version
-
-which should state something like: "go version go1.4.2" - -

-Install Go solution from https://github.com/martin61/i2p-tools into $HOME/go: -

-$ go get github.com/martin61/i2p-tools
-
- -

-This will install a binary to $GOPATH/bin/i2p-tools - -

-Run the go solution, the usage/help should be displayed, nothing more: -

-$ i2p-tools
-
- -

3. Run the Reseed Server

- -
-$ i2p-tools reseed --tlsHost=myserver.com --signer=myemail@mail.i2p --netdb=$HOME/.i2p/netDb
-
- - - -

-Output: -

-2015/03/15 12:28:25 Rebuilding su3 cache...
-2015/03/15 12:28:25 Building 200 su3 files each containing 75 out of 3180 routerInfos.
-2015/03/15 12:28:35 Done rebuilding.
-2015/03/15 12:28:35 HTTPS server started on 0.0.0.0:8443
-
- -

-So you can now test to reach the server at port 8443, see a previous chapter about proper testing. - -

-Some remarks: -

- - -

4. Draft for Startup Script "seedserver"

- -

-The reseed server should be started automatically, so you need a init.d or some sort of -startscript, here named as "seedserver". -This is only a very first draft for a simple startscript (it could be done better :-)) -

-Login as I2P user: -

-Update the header "# Your settings" with your individual settings. - -

-Now you can use the shell-script: -

-seedserver start
-
-

-And then (give it some seconds) take a look at the status: -

-seedserver status
-seedserver showlog
-
- -

-Some short explanation about seedserver: -

- -

-If this is working fine, you can put the script in your personal crontab, to run it by auto-start -and to do logrotes simply by restarting it regularly once a week to avoid too big logfiles. -If you already reboot your server regularly, you can skip of course the "restart" command line. - -

-Login as I2P user, edit your crontab: -

-crontab -e
-
-

-and add these 3 lines at the end: -

-@reboot /home/i2p/bin/seedserver startdelayed
-04 14 * * 2 /home/i2p/bin/seedserver restart
-#end
-
- -

-Save and close the editor. It would be good to check if this is properly working when you reboot your machine. - -

-"seedserver" shell script: - -

-######################################################################################################
-#!/bin/sh
-
-# Your settings
-toolpath=/home/i2p/bin
-tlsHost=myserver.com
-signer=myemail@mail.i2p
-netdb="/home/i2p/.i2p/netDb"
-
-
-tool=i2p-tools
-logpath="$toolpath/${tool}.log"
-logfile="$logpath/reseed.log"
-errfile="$logpath/reseed.error"
-
-cd "$toolpath"
-mkdir --parents "$logpath"
-
-
-do_status() {
-/bin/sleep 1
-if [ -n "$(pgrep -x "$tool")" ]; then
-echo "$tool running, pid $(pgrep "$tool")"
-else
-echo "$tool not running."
-fi;
-}
-
-do_start() {
-if [ -z "$(pgrep -x "$tool")" ]; then
-do_logrotate
-nohup "$toolpath/$tool" reseed -tlsHost="$tlsHost" --signer="$signer" --netdb="$netdb" > "$logfile" 2> "$errfile" &
-fi;
-do_status
-}
-
-do_stop() {
-if [ -n "$(pgrep -x "$tool")" ]; then
-pkill "$tool"
-fi;
-do_status
-}
-
-do_startdelayed() {
-echo "waiting 20s..."
-/bin/sleep 20
-do_start
-}
-
-do_restart() {
-do_status
-do_stop
-do_start
-}
-
-do_logrotate() {
-do_status
-if [ -z "$(pgrep -x "$tool")" ]; then
-mv --force "${logfile}.6" "${logfile}.7" 2>/dev/null
-mv --force "${logfile}.5" "${logfile}.6" 2>/dev/null
-mv --force "${logfile}.4" "${logfile}.5" 2>/dev/null
-mv --force "${logfile}.3" "${logfile}.4" 2>/dev/null
-mv --force "${logfile}.2" "${logfile}.3" 2>/dev/null
-mv --force "${logfile}.1" "${logfile}.2" 2>/dev/null
-mv --force "${logfile}" "${logfile}.1" 2>/dev/null
-mv --force "${errfile}.6" "${errfile}.7" 2>/dev/null
-mv --force "${errfile}.5" "${errfile}.6" 2>/dev/null
-mv --force "${errfile}.4" "${errfile}.5" 2>/dev/null
-mv --force "${errfile}.3" "${errfile}.4" 2>/dev/null
-mv --force "${errfile}.2" "${errfile}.3" 2>/dev/null
-mv --force "${errfile}.1" "${errfile}.2" 2>/dev/null
-mv --force "${errfile}" "${errfile}.1" 2>/dev/null
-echo "log-rotate done."
-else
-echo "log-rotate not possible."
-fi;
-}
-
-do_showlog() {
-echo "-------------------------------------------------------------------------------"
-tail "$errfile"
-echo "-------------------------------------------------------------------------------"
-tail "$logfile"
-echo "-------------------------------------------------------------------------------"
-}
-
-
-do_usage() {
-echo "Usage: {start|stop|status|restart|logrotate|startdelayed|showlog}"
-}
-
-case "$1" in
-start)
-do_start
-;;
-stop)
-do_stop
-;;
-status)
-do_status
-;;
-restart)
-do_restart
-;;
-startdelayed)
-do_startdelayed
-;;
-logrotate)
-do_logrotate
-;;
-showlog)
-do_showlog
-;;
-*)
-do_usage
-;;
-esac
-
-exit 0
-######################################################################################################
-
- - -

5. Reverse-Proxy Setup

- -

-You can run i2p-tools also behind your normal web-server (reverse-proxy). - -

-The web-server handles the TLS handshake, encryption, SSL Certificate and the logfiles. -But you don't need the scripts su3.php and the shell cronjob for creating su3-files. -i2p-tools is running "behind" the web-server, without TLS management, only bind to -local interface 127.0.0.1 and is handling complete building and handling of su3-files. - - -

-Run i2p-tools with this command: - -

-i2p-tools reseed --signer test@test.de \
-                 --key /path_to/test_at_test.de.pem \
-                 --netdb /path_to/netDb \
-                 --port=8443 \
-                 --ip 127.0.0.1 \
-                 --trustProxy
-
- - -Important notes for this special setup: - - -"trustProxy" uses the "X-Forwarded-For" to get the real client IP -

- nginx configuration example: -

-
-		location / {
-			proxy_pass http://127.0.0.1:8443;
-                        proxy_set_header X-Real-IP  $remote_addr;
-                        proxy_set_header X-Forwarded-For $remote_addr;
-		}
-
-

- Apache (untested - feedback would be appreciated) -

-
-		ProxyRequests Off
-		<Proxy *>
-			Order deny,allow
-			Allow from all
-		</Proxy>
-		ProxyPass / http://127.0.0.1:8443/
-		ProxyPassReverse / http://127.0.0.1:8443/
-
-

- -

-and for X-Forwarded-For: -

-     proxy_set_header        X-Real-IP       $remote_addr;
-     proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-
- -
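Review bot: the two nginx snippets removed in this section set X-Forwarded-For differently, and only the first one is safe to pair with `--trustProxy`. The `location /` block uses `proxy_set_header X-Forwarded-For $remote_addr;`, which overwrites anything the client sent, while the follow-up "and for X-Forwarded-For:" snippet uses `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to a header value the client controls. The text states that "trustProxy" takes the real client IP from X-Forwarded-For, so any wording carried into the replacement guide or an archived copy should keep the `$remote_addr` form and drop the second snippet. The Apache sample, marked untested, has no header directive at all and should say how the header is set before it is recommended next to `--trustProxy`.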

-Additionally, ensure that your webserver uses these suggested settings for Strong SSL Security (visit CipherLi.st for the latest settings). A sample configuration is provided below. -

-

-Apache -

-
-SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-SSLProtocol All -SSLv2 -SSLv3
-SSLHonorCipherOrder On
-Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
-Header always set X-Frame-Options DENY
-Header always set X-Content-Type-Options nosniff
-# Requires Apache >= 2.4
-SSLCompression off 
-SSLUseStapling on 
-SSLStaplingCache "shmcb:logs/stapling-cache(150000)" 
-# Requires Apache >= 2.4.11
-SSLSessionTickets Off
-
-

-nginx (remember to replace '$DNS-IP-1' & '$DNS-IP-2' with 2 trusted DNS servers) -

-
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-ssl_prefer_server_ciphers on;
-ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off; # Requires nginx >= 1.5.9
-ssl_stapling on; # Requires nginx >= 1.3.7
-ssl_stapling_verify on; # Requires nginx => 1.3.7
-resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
-resolver_timeout 5s;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
-
-

-Complete nginx configuration (sample) -

-

-user nobody;
-worker_processes 1;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    include       mime.types;
-    default_type  application/octet-stream;
-    sendfile        on;
-    keepalive_timeout  65;
-
-    server {
-        listen $IP_ADDRESS:443 ssl;
-        server_name $DOMAIN;
-
-        ssl_certificate keys/fullchain.pem;
-        ssl_certificate_key keys/privkey.pem;
-
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_tickets off; # Requires nginx >= 1.5.9
-        ssl_stapling on; # Requires nginx >= 1.3.7
-        ssl_stapling_verify on; # Requires nginx => 1.3.7
-        resolver $DNS_IP_1 $DNS_IP_2 valid=300s;
-        resolver_timeout 5s;
-        ssl_prefer_server_ciphers on;
-        ssl_dhparam keys/dh.pem;
-        server_tokens off;
-
-        charset utf8;
-
-        location /i2pseeds.su3 {
-                proxy_pass http://127.0.0.1:8443;
-                proxy_set_header X-Real-IP  $remote_addr;
-                proxy_set_header X-Forwarded-For $remote_addr;
-	  }
-	}
-}
-
- - -
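Review bot: both nginx samples removed here enable `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and the Apache sample uses `SSLProtocol All -SSLv2 -SSLv3`, which permits TLS 1.0 and 1.1. Both versions were deprecated by RFC 8996, so if these samples survive in an archived copy or become the basis for the new instructions, they should be limited to TLS 1.2 and later, or the text should state which old router versions still need the older protocols. Two smaller inconsistencies in the same blocks: the resolver placeholders are written `$DNS-IP-1 $DNS-IP-2` in the short sample and `$DNS_IP_1 $DNS_IP_2` in the complete one, and `ssl_dhparam keys/dh.pem;` appears only in the complete sample although both list EDH cipher suites.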

6. Convert Existing Java Keystore to crt- and pem-file

- -

-This describes how to convert your existing Java keystore with your su3 signing key to a plain crt- and pem-file. -This is only needed, when you already have a Java keystore and want to use Go solution. -If you create new keys+certs with matt's solution you can skip this chapter! - -

-Requirements: -

- -

-Keep in mind: the Java keystore has two passwords: -

- -

-This works in a Ubuntu/Debian shell: - -

-######################################################################################################
-file="keystore.ks"
-pass_jks=changeit
-
-# List the keystore content, show the included (email) alias
-keytool -list -storepass $pass_jks -keystore $file
-
-# Convert jks --> pkcs12, specify the correct email alias (xxxxx@mail.i2p):
-keytool -importkeystore \
-        -srcalias xxxxx@mail.i2p \
-        -srckeystore $file \
-        -srcstoretype jks \
-        -srcstorepass $pass_jks \
-        -destkeystore ${file}.p12 \
-        -deststoretype pkcs12 \
-        -deststorepass $pass_jks \
-        -destkeypass $pass_jks
-
-# Show the pkcs12 content:
-openssl pkcs12 -passin pass:$pass_jks -in ${file}.p12 -nodes -info
-
-# Convert pkcs12 --> pem
-openssl pkcs12 -passin pass:$pass_jks -in ${file}.p12 -nodes -out ${file}.pem
-
-# Decrypt the pem
-openssl rsa  -in ${file}.pem -out xxxxx_at_mail.i2p.pem
-
-# Extract the certificate
-openssl x509 -in ${file}.pem -out xxxxx_at_mail.i2p.crt
-######################################################################################################
-
- - -
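Review bot: the keystore conversion script removed here writes the su3 signing key unencrypted with default file permissions and passes the keystore password as a command-line argument. `openssl pkcs12 ... -nodes -out ${file}.pem` and `openssl rsa -in ${file}.pem -out xxxxx_at_mail.i2p.pem` both emit the private key in the clear under the shell's current umask, the intermediate `${file}.p12` and `${file}.pem` are never deleted, and `-storepass $pass_jks` and `-passin pass:$pass_jks` are visible in the process list while the commands run. If this procedure is kept anywhere, it should start with `umask 077`, remove the two intermediate files at the end, and take the password from a prompt or a file rather than from an argument.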

5. Seamless SSL-Certificate Exchange

- -

-The update/exchange of an already existing self-signed certificates has to be correct timed -on server *and* client side. Considering thousands of clients (many with older I2P version) the exchange -will not be seamless possible and will have very bad impact on many clients: reseed won't work for them. - -

-To avoid this issue and make the exchange as smooth as possible follow these simple steps: - -

    -
  1. Generate a new SSL-certificate NOW, but do NOT implement it on server -
  2. Send the new SSL-certificate to us to perform a roll-out towards clients NOW -
  3. WAIT some month, e.g. 3-4 i2p-releases -
  4. New SSL-certificate is now hopefully present on many clients (in parallel to the current/old one) -
  5. THEN exchange the SSL-certificate on server -
- -

-This idea based on the fact, that you can provide in i2p/certificates/ssl more than one crt-file for a server, e.g. -server.com.crt and server.com2.crt - - -

6. Reseed Server Domain/URL/Port Exchange

- - -

-You are already operating a reseed server but want to change your Domain/URL/Port? -To make the exchange as smooth as possible for many clients please follow these steps if possible: - -

    -
  1. Setup an additional reseed instance at the new Domain/URL/Port -
  2. We include the new URL into I2P source NOW and delete the old URL NOW -
  3. Both of your reseed instances have to run some time in parallel -
  4. WAIT some month, e.g. 3-4 i2p-releases -
  5. New URL is now hopefully present on many clients -
  6. THEN shutdown the old reseed instance -
- - -

7. Tests

- -

-Some simple pre-test: test the website and fetch -

-	wget --user-agent="Wget/1.11.4" \
-             -O /tmp/test.su3 \
-             --no-check-certificate https://your-server.com:PORT/i2pseeds.su3
-
-Replace "PORT" with default 443 or your chosen server setting. -Inspect the fetched file.: -Some simple pre-test: test the website and fetch -
-	zipinfo -z /tmp/test.su3
-
- -

-Replace "--no-check-certificate" with "--ca-certificate=~/i2p/certificates/ssl/your-server.com.crt" -which contains the path to your local public SSL-certificate to check also your ssl-certificate chain. - -

-Confirm the following: -

- -

-Do a real reseed test on *another* I2P router machine: -

- -
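Review bot: the pre-test removed here fetches the bundle with `--no-check-certificate`, and the verifying alternative it suggests, `--ca-certificate=~/i2p/certificates/ssl/your-server.com.crt`, fails as written because sh and bash do not expand `~` when it follows `=` inside an option word. If the test instructions are retained, lead with the verifying form and spell the path with `$HOME/i2p/...`, so that operators check the certificate the way clients will. The sentence "Some simple pre-test: test the website and fetch" is also repeated in front of the `zipinfo` command, where it does not belong.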

8. Contact Reseed Maintainer

- -

-Contact us via email zzz at mail.i2p (alternatively, post in the reseed section on the zzz.i2p forum) -Provide us with details about your new reseed server: -

-

-Feel free to contact zzz at mail.i2p in case of questions or problems or post your question at zzz's forum in the reseed section. +

{% trans %}Installation from Source Code{% endtrans %}

{% endblock %}
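Review bot: the `Installation from Source Code` heading added at the end of this hunk is followed directly by `{% endblock %}` in the lines shown, so the section has no body. Either add the build instructions under it or drop the heading. With the `go get github.com/martin61/i2p-tools` steps deleted above, the page would otherwise end on an empty title and give operators no source-install path.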