.PHONY: start-vms
start-vms:
vagrant up
install-central: start-vms
@test $(CENTRAL_SRC)
@mkdir -p build
@vagrant ssh-config boundery.me | grep -v User > build/boundery.sshconf
vagrant ssh boundery.me -c '[ -f /usr/local/share/ca-certificates/pebble.minica.crt ]'
vagrant upload $(CENTRAL_SRC)/setupserver /tmp/setupserver boundery.me
vagrant ssh boundery.me -c 'echo fakepasswd | sudo /tmp/setupserver'
vagrant ssh boundery.me -c 'sudo cp -r .ssh /root/'
SERVER=boundery.me SSH_CONF=`readlink -f build/boundery.sshconf` make -C $(CENTRAL_SRC) deploy
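Review bot: `@test $(CENTRAL_SRC)` only yields an unexplained non-zero exit when CENTRAL_SRC is unset, and a value containing spaces makes `test` misparse; a parse-time guard gives a usable message instead: `$(if $(strip $(CENTRAL_SRC)),,$(error CENTRAL_SRC must point to the central source checkout))`. The recursive invocation on the last line should be `$(MAKE) -C $(CENTRAL_SRC) deploy` so that `-n` and the jobserver propagate. `echo fakepasswd | sudo /tmp/setupserver` bakes a literal credential into the recipe; it is presumably a throwaway lab value, but the line should say so, e.g. `# lab-only credential for the disposable VM; setupserver reads it from stdin`, so nobody later mistakes it for a real secret or reuses it.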
......@@ -21,17 +21,27 @@ Vagrant.configure("2") do |config|
virtualbox__intnet: "boundery_inet"
inet.vm.provision "shell", inline: <<-SHELL
sudo apt-get update
sudo apt-get install -y --no-install-recommends unbound python3-dnslib dnsutils
sudo apt-get install -y --no-install-recommends python3-dnslib dnsutils socat netsed
sudo cp /vagrant/inet/test-recursor.conf /etc/unbound/unbound.conf.d/
sudo cp /vagrant/inet/fakeroot.hints /etc/unbound/
sudo /etc/init.d/unbound restart
sudo cp /vagrant/boundery/nodnsupdate /etc/dhcp/dhclient-enter-hooks.d/
sudo chmod a+x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
sudo cp /vagrant/inet/fakerootdns.py /usr/local/sbin/
sudo cp /vagrant/inet/intercept.py /usr/local/sbin/
#https://github.com/hal/testsuite.next/blob/master/how-run-pebble.md
sudo wget https://github.com/letsencrypt/pebble/releases/download/v2.3.0/pebble_linux-amd64 -O /usr/local/sbin/pebble
sudo chmod a+x /usr/local/sbin/pebble
#docker run --rm -it -v `pwd`:/output modedemploi/minica \
# -ca-cert pebble.minica.pem -ca-key pebble.minica.key.pem \
# -domains acme-v02.api.letsencrypt.org,acme-staging-v02.api.letsencrypt.org,localhost \
# -ip-addresses 30.0.0.1,30.0.1.1,127.0.0.1
#sudo chown -R ...
if ! [ -x /usr/local/sbin/pebble ]; then
sudo wget https://github.com/letsencrypt/pebble/releases/download/v2.3.0/pebble_linux-amd64 -O /usr/local/sbin/pebble
sudo chmod a+x /usr/local/sbin/pebble
fi
mkdir -p /etc/pebble/
sudo cp -r /vagrant/inet/pebble/* /etc/pebble/
sudo cp /vagrant/inet/rewrite_pebble.sh /usr/local/sbin/
sudo chmod a+x /usr/local/sbin/rewrite_pebble.sh
sudo cp /vagrant/inet/rc.local /etc/
sudo chmod a+x /etc/rc.local
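Review bot: The pebble binary fetched in the guarded `if ! [ -x /usr/local/sbin/pebble ]` block is written straight into /usr/local/sbin and marked executable with no integrity check, so a tampered download becomes a root-run ACME server for the whole lab network. Pin the release digest and verify before the chmod: `echo "<PEBBLE_SHA256>  /usr/local/sbin/pebble" | sha256sum -c -` (placeholder digest; take it from the v2.3.0 release). The unguarded `wget`/`chmod` pair above the minica comment looks like the superseded version of the same lines; if it survives on the new side the download runs twice. `mkdir -p /etc/pebble/` is the only line without `sudo`, harmless when the provisioner is privileged (Vagrant's default) but inconsistent with the rest. The provisioner heredoc continues past the end of the hunk.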
......@@ -40,20 +50,21 @@ Vagrant.configure("2") do |config|
end
################# BOUNDERY SERVER #################
config.vm.define "boundery" do |boundery|
config.vm.define "boundery.me" do |boundery|
boundery.vm.hostname = "boundery"
boundery.vm.network "private_network", ip: "30.0.1.9",
virtualbox__intnet: "boundery_inet"
boundery.vm.provision "shell", inline: <<-SHELL
sudo cp /vagrant/boundery/nodnsupdate /etc/dhcp/dhclient-enter-hooks.d/
sudo chmod a+x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
sudo cp /vagrant/inet/pebble/pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
sudo update-ca-certificates
sudo cp /vagrant/boundery/rc.local /etc/
sudo chmod a+x /etc/rc.local
sudo /etc/rc.local
#XXX Get /etc/resolv.conf pointed at unbound on inet.
#XXX Install docker and any other deps. Basically run setup_server
SHELL
#XXX Provisioner to install containers, os images, client installers, etc.
end
################# HOME ROUTER #################
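Review bot: The `update-ca-certificates` step installs pebble.minica.pem as a system-wide trust root, and the matching private key is committed in this same change (the `BEGIN RSA PRIVATE KEY` blocks further down), so anyone holding the repo can mint certificates this VM trusts; the client provisioner in the next hunk does the same. That is acceptable for a disposable lab VM but should be stated where the trust root is installed: `# Test-only CA whose key lives in the repo: this box must stay unreachable from outside the lab intnet`. Generating the minica at provision time (the commented-out docker minica command in the inet provisioner) would keep the key out of the tree entirely. `sudo /etc/rc.local` at the end of the provisioner runs the script once at provision time; whether it also runs at boot depends on the guest's init, so a comment stating the intended behaviour would help.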
......@@ -88,10 +99,16 @@ Vagrant.configure("2") do |config|
# .vmdk can wrap a raw image, so no need to copy to .vdi:
# VBoxManage internalcommands createrawvmdk -filename test.vmdk -rawdisk raw.img
client.vm.provision "shell", inline: <<-SHELL
sudo cp /vagrant/inet/pebble/pebble.minica.pem /usr/local/share/ca-certificates/pebble.minica.crt
sudo update-ca-certificates
#XXX Install selenium/chromedriver/any other deps.
#XXX Because we short circuit the dyndns NS forward to the pi, need to explicitly
# check that username.boundery.me gets the right NS destination (30.0.0.150).
SHELL
#XXX Provisioner to copy in tests, install client and run tests
#XXX Provisioner to install client from boundery.me
#XXX Provisioner to copy in (or rely on /vagrant?) and run tests
end
################# HOME SERVER #################
......@@ -122,6 +139,7 @@ Vagrant.configure("2") do |config|
server.vm.synced_folder ".", "/vagrant", disabled: true
#XXX Attach (and boot off of) USB stick that client wrote the image to.
#XXX Need to figure out how to get pebble's root cert into the os...
#XXX Attach USB stick for RW storage.
end
end
#!/bin/sh
make_resolv_conf() {
:
}
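Review bot: The hook has no comment explaining why a no-op `make_resolv_conf` exists; the only statement of intent is the `nodnsupdate protects this from eth0 dhcp renew` remark in rc.local. Add a header after the shebang: `# dhclient-enter-hook: redefine make_resolv_conf as a no-op so a DHCP renew on eth0 does not overwrite the /etc/resolv.conf written by rc.local`. An identical four-line copy appears again further down; the Vagrantfile copies /vagrant/boundery/nodnsupdate for both the inet and boundery VMs, so if the second copy is the inet/ one it appears unused and could be dropped.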
#!/bin/bash
ip route add 30.0.0.0/16 via 30.0.1.1
#/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate protects this from eth0 dhcp renew.
echo "nameserver 30.0.1.1" > /etc/resolv.conf
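Review bot: `ip route add 30.0.0.0/16 via 30.0.1.1` is not idempotent: once the route exists (the provisioner's explicit `sudo /etc/rc.local` followed by a boot-time run, or any re-run) it fails with RTNETLINK "File exists", and with no `set -e` the failure is silently ignored. Use `ip route replace 30.0.0.0/16 via 30.0.1.1`, which succeeds in both cases. The inet rc.local guards its `ip addr add` with a grep test; this script could follow the same pattern if `replace` is undesirable.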
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 30.0.255.1
import sys, time
from dnslib import RR, RCODE, QTYPE
from dnslib.server import DNSServer,DNSHandler,BaseResolver,DNSLogger
class OURIP:
pass
#XXX I think all this could be replaced with dnslib's zoneresolver.py,
# by giving it fakeroot.hints with our extra records appended.
zone = {
('NS', '.'): 'a.root-servers.net.',
('A', 'net.'): OURIP(),
('A', 'root-servers.net.'): OURIP(),
('A', 'a.root-servers.net.'): OURIP(),
('A', 'acme-v02.api.letsencrypt.org'): OURIP(),
('A', 'acme-staging-v02.api.letsencrypt.org'): OURIP(),
('NS', 'boundery.me.'): [ 'ns1.boundery.me.', 'ns1.boundery.me.' ]
('A', 'ns1.boundery.me.'): '30.0.1.9',
('A', 'ns2.boundery.me.'): '30.0.1.9',
}
class DumbResolver(BaseResolver):
def resolve(self, request, handler):
reply = request.reply()
qname = str(request.q.qname).lower()
qtype = QTYPE[request.q.qtype]
print('REQUEST "%s" "%s"' % (qtype, qname))
recs = zone.get((qtype, qname))
if recs:
if type(recs) != list:
recs = [ recs, ]
for rec in recs:
data = sys.argv[1] if type(rec) == OURIP else rec
for rr in RR.fromZone('%s 60 IN %s %s' % (qname, qtype, data)):
print('REPLY WITH: %s' % rr)
reply.add_answer(rr)
else:
reply.header.rcode = RCODE.NXDOMAIN
return reply
if __name__ == '__main__':
if len(sys.argv) != 2:
raise Exception("Requires one argument: address to listen on")
print("DumbResolver started.")
resolver = DumbResolver()
udp_server = DNSServer(resolver, address=sys.argv[1])
tcp_server = DNSServer(resolver, address=sys.argv[1], tcp=True)
udp_server.start_thread()
tcp_server.start_thread()
while udp_server.isAlive() and tcp_server.isAlive():
time.sleep(1)
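Review bot: The zone dict does not parse: the `('NS', 'boundery.me.')` entry has no trailing comma before `('A', 'ns1.boundery.me.')`, so the script raises SyntaxError before DumbResolver is even defined, and the NS list names ns1 twice although an A record for ns2 is present. Replace the line with `('NS', 'boundery.me.'): [ 'ns1.boundery.me.', 'ns2.boundery.me.' ],`. The two letsencrypt keys lack the trailing dot every other key carries; `str(request.q.qname)` appears to yield a fully-qualified name with the dot, so those two entries would likely never match and fall through to NXDOMAIN — `'acme-v02.api.letsencrypt.org.'` and `'acme-staging-v02.api.letsencrypt.org.'` would be consistent with the rest.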
# -*- coding: utf-8 -*-
"""
InterceptResolver - proxy requests to upstream server
(optionally intercepting)
"""
from __future__ import print_function
import binascii,copy,socket,struct,sys
from dnslib import DNSRecord,RR,QTYPE,RCODE,parse_time
from dnslib.server import DNSServer,DNSHandler,BaseResolver,DNSLogger
from dnslib.label import DNSLabel
class InterceptResolver(BaseResolver):
"""
Intercepting resolver
Proxy requests to upstream server optionally intercepting requests
matching local records
"""
def __init__(self,address,port,ttl,intercept,skip,nxdomain,forward,all_qtypes,timeout=0):
"""
address/port - upstream server
ttl - default ttl for intercept records
intercept - list of wildcard RRs to respond to (zone format)
skip - list of wildcard labels to skip
nxdomain - list of wildcard labels to return NXDOMAIN
forward - list of wildcard labels to forward
all_qtypes - intercept all qtypes if qname matches.
timeout - timeout for upstream server(s)
"""
self.address = address
self.port = port
self.ttl = parse_time(ttl)
self.skip = skip
self.nxdomain = nxdomain
self.forward = []
for i in forward:
qname, _, upstream = i.partition(':')
upstream_ip, _, upstream_port = upstream.partition(':')
self.forward.append((qname, upstream_ip, int(upstream_port or '53')))
self.all_qtypes = all_qtypes
self.timeout = timeout
self.zone = []
for i in intercept:
if i == '-':
i = sys.stdin.read()
for rr in RR.fromZone(i,ttl=self.ttl):
self.zone.append((rr.rname,QTYPE[rr.rtype],rr))
def resolve(self,request,handler):
matched = False
reply = request.reply()
qname = request.q.qname
qtype = QTYPE[request.q.qtype]
# Try to resolve locally unless on skip list
if not any([qname.matchGlob(s) for s in self.skip]):
for name,rtype,rr in self.zone:
if qname.matchGlob(name):
if qtype in (rtype,'ANY','CNAME'):
a = copy.copy(rr)
a.rname = qname
reply.add_answer(a)
matched = True
# Check for NXDOMAIN
if any([qname.matchGlob(s) for s in self.nxdomain]):
reply.header.rcode = getattr(RCODE,'NXDOMAIN')
return reply
if matched and self.all_qtypes:
return reply
# Otherwise proxy, first checking forwards, then to upstream.
upstream, upstream_port = self.address,self.port
if not any([qname.matchGlob(s) for s in self.skip]):
for name, ip, port in self.forward:
if qname.matchGlob(name):
upstream, upstream_port = ip, port
if not reply.rr:
try:
if handler.protocol == 'udp':
proxy_r = request.send(upstream,upstream_port,
timeout=self.timeout)
else:
proxy_r = request.send(upstream,upstream_port,
tcp=True,timeout=self.timeout)
reply = DNSRecord.parse(proxy_r)
except socket.timeout:
reply.header.rcode = getattr(RCODE,'SERVFAIL')
return reply
if __name__ == '__main__':
import argparse,sys,time
p = argparse.ArgumentParser(description="DNS Intercept Proxy")
p.add_argument("--port","-p",type=int,default=53,
metavar="<port>",
help="Local proxy port (default:53)")
p.add_argument("--address","-a",default="",
metavar="<address>",
help="Local proxy listen address (default:all)")
p.add_argument("--upstream","-u",default="8.8.8.8:53",
metavar="<dns server:port>",
help="Upstream DNS server:port (default:8.8.8.8:53)")
p.add_argument("--tcp",action='store_true',default=False,
help="TCP proxy (default: UDP only)")
p.add_argument("--intercept","-i",action="append",
metavar="<zone record>",
help="Intercept requests matching zone record (glob) ('-' for stdin)")
p.add_argument("--skip","-s",action="append",
metavar="<label>",
help="Don't intercept matching label (glob)")
p.add_argument("--nxdomain","-x",action="append",
metavar="<label>",
help="Return NXDOMAIN (glob)")
p.add_argument("--forward","-f",action="append",
metavar="<label:dns server:port>",
help="forward requests matching label (glob) to dns server")
p.add_argument("--ttl","-t",default="60s",
metavar="<ttl>",
help="Intercept TTL (default: 60s)")
p.add_argument("--timeout","-o",type=float,default=5,
metavar="<timeout>",
help="Upstream timeout (default: 5s)")
p.add_argument("--all-qtypes",action='store_true',default=False,
help="Return an empty response if qname matches, but qtype doesn't")
p.add_argument("--log",default="request,reply,truncated,error",
help="Log hooks to enable (default: +request,+reply,+truncated,+error,-recv,-send,-data)")
p.add_argument("--log-prefix",action='store_true',default=False,
help="Log prefix (timestamp/handler/resolver) (default: False)")
args = p.parse_args()
args.dns,_,args.dns_port = args.upstream.partition(':')
args.dns_port = int(args.dns_port or 53)
resolver = InterceptResolver(args.dns,
args.dns_port,
args.ttl,
args.intercept or [],
args.skip or [],
args.nxdomain or [],
args.forward or [],
args.all_qtypes,
args.timeout)
logger = DNSLogger(args.log,args.log_prefix)
print("Starting Intercept Proxy (%s:%d -> %s:%d) [%s]" % (
args.address or "*",args.port,
args.dns,args.dns_port,
"UDP/TCP" if args.tcp else "UDP"))
for rr in resolver.zone:
print(" | ",rr[2].toZone(),sep="")
if resolver.nxdomain:
print(" NXDOMAIN:",", ".join(resolver.nxdomain))
if resolver.skip:
print(" Skipping:",", ".join(resolver.skip))
if resolver.forward:
print(" Forwarding:")
for i in resolver.forward:
print(" | ","%s:%s:%s" % i,sep="")
print()
DNSHandler.log = {
'log_request', # DNS Request
'log_reply', # DNS Response
'log_truncated', # Truncated
'log_error', # Decoding error
}
udp_server = DNSServer(resolver,
port=args.port,
address=args.address,
logger=logger)
udp_server.start_thread()
if args.tcp:
tcp_server = DNSServer(resolver,
port=args.port,
address=args.address,
tcp=True,
logger=logger)
tcp_server.start_thread()
while udp_server.isAlive():
time.sleep(1)
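Review bot: In resolve(), the forward loop overwrites `upstream, upstream_port` for every matching entry, so the last matching `--forward` wins and nothing documents that ordering contract; a caller listing `'boundery.me.:…'` before `'*.boundery.me:…'` silently gets the broader rule. Either `break` on the first match or state the rule next to the loop: `# last matching forward rule wins: pass the most specific glob last`. The forward parser in __init__ accepts an entry with no host part (`label:`), leaving an empty upstream address that only fails at query time; `if not upstream_ip: raise ValueError('forward %r needs label:host[:port]' % i)` would reject it at startup. The skip-list test is evaluated twice (before the zone lookup and again before the forward lookup); computing it once keeps the two paths from drifting.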
#!/bin/sh
make_resolv_conf() {
:
}
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
<!doctype html public "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Nolan Leake</title>
</head>
<body bgcolor="#ffffff">
<br>
<a href="http://www.linkedin.com/in/nolan">Nolan's resume</a>
<br><br>
<a href="http://cumulusnetworks.com">Work: Cumulus Networks</a>
<br><br>
<a href="/breakout/">-- Play Breakout --</a>
<br><br>
<a href="/underwater_rockets/">-- Underwater Rocket Project --</a>
<br><br>
<a href="gpg.pub">Nolan's GPG public key</a>
</body>
</html>
{
"pebble": {
"listenAddress": "0.0.0.0:4443",
"managementListenAddress": "0.0.0.0:15000",
"certificate": "/etc/pebble/acme-v02.api.letsencrypt.org/cert.pem",
"privateKey": "/etc/pebble/acme-v02.api.letsencrypt.org/key.pem",
"httpPort": 80,
"tlsPort": 443,
"ocspResponderURL": "",
"externalAccountBindingRequired": false
}
}
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
......@@ -2,13 +2,39 @@
echo 1 > /proc/sys/net/ipv4/ip_forward
if ! ip addr show dev lo | grep -q 30[.]0[.]255[.]1; then
ip addr add 30.0.255.1/24 dev lo
#/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate protects this from eth0 dhcp renew.
echo "nameserver 30.0.1.1" > /etc/resolv.conf
if [ -f /run/intercept.pid ]; then
kill -9 `cat /run/intercept.pid`
rm /run/intercept.pid
fi
python3 /usr/local/sbin/intercept.py --all-qtypes --tcp -u 10.0.2.3 \
-f '*.boundery.me:30.0.0.150' \
-f 'boundery.me.:30.0.1.9' -f 'www.boundery.me.:30.0.1.9' \
-i 'acme-v02.api.letsencrypt.org. 60 IN A 30.0.0.1' \
-i 'acme-staging-v02.api.letsencrypt.org. 60 IN A 30.0.0.1' \
-i 'checkip.amazonaws.com. 60 IN A 30.0.0.1' \
>/var/log/intercept.log 2>&1 &
echo $! > /run/intercept.pid
if [ -f /run/checkip_aws_com.pid ]; then
kill -9 `cat /run/checkip_aws_com.pid`
rm /run/checkip_aws_com.pid
fi
socat tcp-listen:80,reuseaddr,fork exec:'echo -e HTTP/1.1 200 OK\n\n30.0.1.9' > /var/log/checkip.log 2>&1 &
echo $! > /run/checkip_aws_com.pid
if [ -f /run/rewrite_pebble.pid ]; then
kill -9 `cat /run/rewrite_pebble.pid`
rm /run/rewrite_pebble.pid
fi
/usr/local/sbin/rewrite_pebble.sh -l >/var/log/rewrite_pebble.log 2>&1 &
echo $! > /run/rewrite_pebble.pid
if [ -f /run/fakerootdns.pid ]; then
kill -9 `cat /run/fakerootdns.pid`
rm /run/fakerootdns.pid
if [ -f /run/pebble.pid ]; then
kill -9 `cat /run/pebble.pid`
rm /run/pebble.pid
fi
python3 /usr/local/sbin/fakerootdns.py 30.0.255.1 >/var/log/fakedns.log 2>&1 &
echo $! > /run/fakerootdns.pid
PEBBLE_VA_NOSLEEP=1 /usr/local/sbin/pebble -config /etc/pebble/pebble-config.json >/var/log/pebble.log 2>&1 &
echo $! > /run/pebble.pid
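Review bot: As rendered, the `if [ -f /run/fakerootdns.pid ]` block has no closing `fi` before the `if [ -f /run/pebble.pid ]` block; only one `fi` follows the two `if`s, so unless this is a rendering artifact the script fails to parse and none of the services start at boot. If the nesting is real, the fix is a `fi` after `rm /run/fakerootdns.pid`. Every stop-by-pidfile block uses `kill -9` against whatever PID the file holds; a plain `kill` (SIGTERM) first, or a `kill -0`/process-name check before killing, avoids terminating an unrelated process should a pidfile go stale within a boot. The `if ! ip addr show dev lo …` opened at the top of the hunk closes outside it.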
#!/bin/sh
socat openssl-listen:443,reuseaddr,fork,cert=/etc/pebble/acme-v02.api.letsencrypt.org/cert.pem,key=/etc/pebble/acme-v02.api.letsencrypt.org/key.pem,verify=0 tcp:localhost:4441 &
netsed tcp 4441 127.0.0.1 4442 's/GET %2fdirectory HTTP/GET %2fdir HTTP/1o' &
socat -v tcp-listen:4442,reuseaddr,fork ssl:localhost:4443,verify=0 &
wait
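Review bot: The script ignores its arguments, yet rc.local invokes it as `rewrite_pebble.sh -l`; none of the three socat/netsed lines reads `$1` or `$@`, so the `-l` is dead and misleading — drop it from the caller or document what it was meant to select. The netsed rewrite of `%2fdirectory` to `%2fdir` is the whole reason this proxy chain exists and deserves a comment above it, e.g. `# pebble's ACME directory is served at /dir; rewrite clients' /directory requests so the public letsencrypt URL works unchanged`. Both TLS legs use `verify=0`; for the localhost hop into pebble that is expected, and a one-line comment saying so keeps it from being re-flagged later.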
server:
verbosity: 10
root-hints: fakeroot.hints
interface: 30.0.0.1
interface: 30.0.1.1
access-control: 30.0.0.0/24 allow
access-control: 30.0.1.0/24 allow
module-config: "iterator" #Disable dnssec.