~ancarda/tls-redirector


[PATCH] Tweak SystemD files

somini
Message-ID: <20201222190731.118101-1-dev@somini.xyz>
DKIM signature: missing
Patch: +17 -7
- Default to using systemd socket activation
- Improve security for service
- Automatically create the folder for ACME usage

This is implemented here:
https://aur.archlinux.org/packages/tls-redirector/
---
 systemd/tls-redirector.service       | 18 ++++++++++++------
 systemd/tls-redirector.socket        |  2 +-
 systemd/tls-redirector.tmpfiles.conf |  4 ++++
 3 files changed, 17 insertions(+), 7 deletions(-)
 create mode 100644 systemd/tls-redirector.tmpfiles.conf

diff --git a/systemd/tls-redirector.service b/systemd/tls-redirector.service
index 34f09f1..29a037c 100644
--- a/systemd/tls-redirector.service
+++ b/systemd/tls-redirector.service
@@ -1,10 +1,16 @@
[Unit]
Description=TLS Redirector (http to https)
After=tls-redirector.socket
Description=TLS Redirector

[Service]
#Environment=ACME_CHALLENGE_DIR=/tmp
Type=simple
ExecStart=/usr/bin/tls-redirector
Restart=on-failure
User=nobody
# Use SystemD activation
Environment=PORT=systemd
Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
# Security
DynamicUser=yes
ProtectHome=tmpfs
PrivateDevices=yes
ProtectHostname=yes
## No need to be able to bind to sockets
CapabilityBoundingSet=
RestrictNamespaces=
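Review bot: `RestrictNamespaces=` with an empty value restricts nothing: per systemd.exec(5), assigning the empty string resets the setting to its default, which is equivalent to `RestrictNamespaces=no`, so under the `# Security` heading this should read `RestrictNamespaces=yes`. The empty `CapabilityBoundingSet=` is correct for the reason the comment gives, because the listening socket is inherited from systemd and `CAP_NET_BIND_SERVICE` is never needed; `DynamicUser=yes` additionally implies `ProtectSystem=strict`, `PrivateTmp=yes` and `NoNewPrivileges=yes`, which is fine here since the service only reads `%C/acme-challenge` (`/var/cache/acme-challenge` for a system unit) and the ACME client, not this service, writes the challenge files. Two smaller points worth a comment in the unit: `Restart=on-failure` can be dropped only because the socket unit re-spawns the service on the next connection, and `After=tls-redirector.socket` is redundant because socket units gain an implicit `Before=` on the service they activate.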
diff --git a/systemd/tls-redirector.socket b/systemd/tls-redirector.socket
index ffc8c67..0c4d70c 100644
--- a/systemd/tls-redirector.socket
+++ b/systemd/tls-redirector.socket
@@ -1,5 +1,5 @@
[Unit]
Description=TLS Redirector Port 80 (socket)
Description=TLS Redirector Socket
After=network.target

[Socket]
diff --git a/systemd/tls-redirector.tmpfiles.conf b/systemd/tls-redirector.tmpfiles.conf
new file mode 100644
index 0000000..af19de3
--- /dev/null
+++ b/systemd/tls-redirector.tmpfiles.conf
@@ -0,0 +1,4 @@
#Type	Path	Mode	User	Group	Age	Argument
d	%C/acme-challenge	0755	-	-	-	-
d	%C/acme-challenge/.well-known	0755	-	-	-	-
d	%C/acme-challenge/.well-known/acme-challenge	0755	-	-	-	-
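Review bot: the User and Group columns are `-`, so all three directories are root-owned with mode 0755 and only root can write into `%C/acme-challenge/.well-known/acme-challenge`; either document that the ACME client runs as root or set those columns to the client's account. The file should also say that the service's `ACME_CHALLENGE_DIR` points at the leaf directory while an ACME client's webroot must be the top directory `%C/acme-challenge`, since the client appends `/.well-known/acme-challenge` itself (the AUR install message states this, the shipped files do not). Finally, `%C` expands to `/var/cache` for system units, a location administrators routinely purge; tmpfiles recreates the tree at boot so this is survivable, but `%S` (`/var/lib`) is the conventional home for data a service must be able to find.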
-- 
2.29.2
Message-ID: <d00bbefe311559f811df680c7b734c11@markdain.net>
In-Reply-To: <20201222190731.118101-1-dev@somini.xyz>
DKIM signature: pass
Hi,

Sorry for the delay in getting back to you.

This patch looks good - thank you for sending it. I'd like to merge
most of the changes like DynamicUser but I have a few questions about
how HTTP ACME challenges are done now.



December 22, 2020 7:07 PM, "somini" <dev@somini.xyz> wrote:

> - Default to using systemd socket activation
> - Improve security for service
> - Automatically create the folder for ACME usage
> 
> This is implemented here:
> https://aur.archlinux.org/packages/tls-redirector
> ---
> systemd/tls-redirector.service | 18 ++++++++++++------
> systemd/tls-redirector.socket | 2 +-
> systemd/tls-redirector.tmpfiles.conf | 4 ++++
> 3 files changed, 17 insertions(+), 7 deletions(-)
> create mode 100644 systemd/tls-redirector.tmpfiles.conf
> 
> diff --git a/systemd/tls-redirector.service b/systemd/tls-redirector.service
> index 34f09f1..29a037c 100644
> --- a/systemd/tls-redirector.service
> +++ b/systemd/tls-redirector.service
> @@ -1,10 +1,16 @@
> [Unit]
> -Description=TLS Redirector (http to https)
> -After=tls-redirector.socket
> +Description=TLS Redirector
> 
> [Service]
> -#Environment=ACME_CHALLENGE_DIR=/tmp
> -Type=simple
> ExecStart=/usr/bin/tls-redirector
> -Restart=on-failure
> -User=nobody
> +# Use SystemD activation
> +Environment=PORT=systemd

Did you need to add these two lines in? Socket activation should be
detected automatically - "PORT=systemd" is more for backwards
compatibility or debugging these days.

> +Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge

Is this directory meant to be created by systemd? I don't understand
how the tmpfiles.conf file is supposed to work. The stock configuration
in git has this line commented out so out-of-the-box it will just
launch, and this can be enabled if people want it.

I generally encourage people to use the DNS based ACME challenge.

> +# Security
> +DynamicUser=yes
> +ProtectHome=tmpfs
> +PrivateDevices=yes
> +ProtectHostname=yes
> +## No need to be able to bind to sockets
> +CapabilityBoundingSet=
> +RestrictNamespaces=

> diff --git a/systemd/tls-redirector.socket b/systemd/tls-redirector.socket
> index ffc8c67..0c4d70c 100644
> --- a/systemd/tls-redirector.socket
> +++ b/systemd/tls-redirector.socket
> @@ -1,5 +1,5 @@
> [Unit]
> -Description=TLS Redirector Port 80 (socket)
> +Description=TLS Redirector Socket
> After=network.target
> 
> [Socket]

> diff --git a/systemd/tls-redirector.tmpfiles.conf b/systemd/tls-redirector.tmpfiles.conf
> new file mode 100644
> index 0000000..af19de3
> --- /dev/null
> +++ b/systemd/tls-redirector.tmpfiles.conf
> @@ -0,0 +1,4 @@
> +#Type Path Mode User Group Age Argument
> +d %C/acme-challenge 0755 - - - -
> +d %C/acme-challenge/.well-known 0755 - - - -
> +d %C/acme-challenge/.well-known/acme-challenge 0755 - - - -
> -- 
> 2.29.2
Message-ID: <bea413116b7d4593a3e7373228272f00@somini.xyz>
In-Reply-To: <d00bbefe311559f811df680c7b734c11@markdain.net>
DKIM signature: missing
On 2021-01-09 10:47, Mark Dain wrote:
> Hi,
> 
> Sorry for the delay in getting back to you.
> 
> This patch looks good - thank you for sending it. I'd like to merge
> most of the changes like DynamicUser but I have a few questions about
> how HTTP ACME challenges are done now.

No problem, I'll reply to this inline.

>> +# Use SystemD activation
>> +Environment=PORT=systemd
> 
> Did you need to add these two lines in? Socket activation should be
> detected automatically - "PORT=systemd" is more for backwards
> compatibility or debugging these days.

I was just following the docs, I was not aware this was auto-detected.

I did test this now without this environment variable, so you can drop 
it.

>> +Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
> 
> Is this directory meant to be created by systemd? I don't understand
> how the tmpfiles.conf file is supposed to work. The stock configuration
> in git has this line commented out so out-of-the-box it will just
> launch, and this can be enabled if people want it.

The tmpfiles format is documented in tmpfiles.d(5). Basically, it will 
guarantee that the directory tree is created on boot (and when installing 
the package). This is so that HTTP validation works out of the box. If 
the user configures certbot to use DNS validation, those three 
directories have been created in vain, but that's fine.

For the AUR package, I print a message to the user to configure certbot 
HTTP validation to point to that top directory.
https://aur.archlinux.org/cgit/aur.git/tree/tls-redirector.install?h=tls-redirector
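As an added example (not code from the tls-redirector project or from either poster), the following script checks the two files from the patch against each other the way a reviewer would: it expands the `%C` specifier as systemd does for a system unit (assumed to be `/var/cache`), confirms that the `ACME_CHALLENGE_DIR` the service reads is one of the directories the tmpfiles.d fragment creates, and flags hardening directives whose empty value means "no restriction" rather than "restrict everything" (the `EMPTY_MEANS_OFF` set is my reading of systemd.exec(5), not something the thread states). The two file bodies are constructed copies of the patch content so the script runs offline.

```python
"""Cross-check a systemd service unit against a tmpfiles.d fragment.

Added example, not part of the tls-redirector project. Assumes the
specifier values of a *system* unit (%C -> /var/cache); user units
resolve them differently.
"""

# Specifier values for a system unit (assumption: see lead-in).
SPECIFIERS = {"%C": "/var/cache", "%S": "/var/lib", "%t": "/run", "%T": "/tmp"}

# Constructed copy of the service unit from the patch.
SERVICE_UNIT = """\
[Unit]
Description=TLS Redirector

[Service]
ExecStart=/usr/bin/tls-redirector
# Use SystemD activation
Environment=PORT=systemd
Environment=ACME_CHALLENGE_DIR=%C/acme-challenge/.well-known/acme-challenge
# Security
DynamicUser=yes
ProtectHome=tmpfs
PrivateDevices=yes
ProtectHostname=yes
## No need to be able to bind to sockets
CapabilityBoundingSet=
RestrictNamespaces=
"""

# Constructed copy of the tmpfiles.d fragment from the patch.
TMPFILES_CONF = """\
#Type\tPath\tMode\tUser\tGroup\tAge\tArgument
d\t%C/acme-challenge\t0755\t-\t-\t-\t-
d\t%C/acme-challenge/.well-known\t0755\t-\t-\t-\t-
d\t%C/acme-challenge/.well-known/acme-challenge\t0755\t-\t-\t-\t-
"""

# Directives for which an empty value resets/disables the restriction
# instead of tightening it (CapabilityBoundingSet= is the opposite case).
EMPTY_MEANS_OFF = {"RestrictNamespaces", "SystemCallFilter", "RestrictAddressFamilies"}


def expand(path):
    """Replace systemd specifiers with their system-unit values."""
    for spec, value in SPECIFIERS.items():
        path = path.replace(spec, value)
    return path


def parse_unit(text):
    """Return {section: [(key, value), ...]}.

    Unit files may repeat a key (Environment= here), so each section is a
    list of pairs rather than a dict; '#' and ';' lines are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def environment(unit):
    """Collect Environment=NAME=value entries of [Service], specifiers expanded."""
    env = {}
    for key, value in unit.get("Service", []):
        if key == "Environment":
            name, _, val = value.partition("=")
            env[name] = expand(val)
    return env


def tmpfiles_dirs(text):
    """Directories created by 'd'/'D' lines, specifiers expanded."""
    dirs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] in ("d", "D") and len(fields) >= 2:
            dirs.add(expand(fields[1]))
    return dirs


def challenge_dir_is_created(service_text, tmpfiles_text):
    """True if ACME_CHALLENGE_DIR is guaranteed to exist by tmpfiles."""
    env = environment(parse_unit(service_text))
    return env.get("ACME_CHALLENGE_DIR") in tmpfiles_dirs(tmpfiles_text)


def empty_hardening_directives(service_text):
    """Names of [Service] directives set to '' where '' means 'off'."""
    unit = parse_unit(service_text)
    return sorted(k for k, v in unit.get("Service", []) if k in EMPTY_MEANS_OFF and v == "")


if __name__ == "__main__":
    print("challenge dir created by tmpfiles:",
          challenge_dir_is_created(SERVICE_UNIT, TMPFILES_CONF))
    print("directives that are effectively off:",
          empty_hardening_directives(SERVICE_UNIT))
```

Run as a script, it reports that the challenge directory is covered by the tmpfiles fragment and that `RestrictNamespaces=` is the one directive that is present but effectively disabled; the same functions can be pointed at the installed files by reading them instead of the constructed strings.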