Alexandre Kalatzis alpha14

Usage

# Setup the service
curl -sSL https://gist.githubusercontent.com/VibroAxe/80d55cc32b5c3290d7ee8b44b9d9a8cd/raw/autossh@.service | \
  sudo tee /etc/systemd/system/autossh@.service

sudo useradd -g nogroup -s /bin/false -m autossh
sudo -u autossh mkdir -p /home/autossh/.ssh  # and copy your private key here
sudo -u autossh ssh-keygen -t ed25519 # Generate a new private key

Platform server side static redirects comparison

Feature	Gitlab	Cloudflare	Netlify	Example
Redirects	✔️ Yes `200`, `301`, `302`	✔️ Yes `301`, `302`, `303`, `307`, `308`	✔️ Yes	`/wardrobe.html /narnia.html 302`
Rewrites	✔️ Yes	✔️ Yes	✔️ Yes	`/* / 200`
Rewrites (other than `200`)	❌ No	❌ No	✔️ Yes	`/en/* /en/404.html 404`
Splats	✔️ Yes	✔️ Yes	✔️ Yes	`/news/* /blog/:splat`
Placeholders	✔️ Yes	✔️ Yes	✔️ Yes	`/news/:year/:month/:date /blog-:year-:month-:date.html`
Query parameters	❌ No	❌ No	✔️ Yes	`/store id=:id /blog/:id 301`

OpenSSL 🔐

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Generating Authy passwords on other authenticators

*update: TBC, but this new might affect how easy it is to use this technique past August 2024: Authy is shutting down its desktop app | The 2FA app Authy will only be available on Android and iOS starting in August

This gist, based in part on a gist by Brian Hartvigsen, allows you to export from Authy your TOTP tokens you have stored there.
Those can be "standard" 6-digits / 30 secs tokens, or Authy's own version, the 7-digits / 10 secs tokens.

Setting up an autossh reverse tunnel

1. Set up sshtunnel user

Follow this tutorial until step five-ish

If the test does not work because of "public key" issues, run sudo passwd sshtunnel on the server to change the password of the user. (If sudo tail -f /var/log/auth.log says the account is locked, this will be the issue.)

authorized_keys should look a little like:

Note (December 16, 2021): These example files haven't been updated since 2016. In either 2019 or 2020, our onion domain was changed to a longer v3 onion address (p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion). The examples below don't reflect this, but the configuration portions remain accurate regarding how we currently serve the onion site. (Tor Browser dropped support for v2 addresses, such as propub3r6espa33w.onion, in the second half of 2021.)

These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.

UFW

I use Ubuntu’s Uncomplicated firewall because it is available on Ubuntu and it's very simple.

Install UFW

if ufw is not installed by default be sure to install it first.

	#!/boot/bzImage

	# Linux kernel userspace initialization code, translated to bash
	# (Minus floppy disk handling, because seriously, it's 2017.)
	# Not 100% accurate, but gives you a good idea of how kernel init works
	# GPLv2, Copyright 2017 Hector Martin <marcan@marcan.st>
	# Based on Linux 4.10-rc2.

	# Note: pretend chroot is a builtin and affects the current process
	# Note: kernel actually uses major/minor device numbers instead of device name

	import time

	import psycopg2

	from iter_file import IteratorFile

	conn = psycopg2.connect(host="localhost", database="test")

	# args = [(1,2), (3,4), (5,6)]
	args = [(i,i+1) for i in range(1,110*4,2)]

	openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
	chmod 600 id_rsa.pem