Allow multiple projects on the same Onionspray instance
Description
The variable onionspray_project_settings now contains all values used to customize a project and is a list of dicts. To handle more than one project on the same Onionspray deployment, we can now add a new dict to this list.
Key handling is improved to also allow more than one key to be defined. A new variable onionspray_keys is added for this.
An additional check and additional variables for the CA certificate file used are added: these allow skipping the upstream TLS certificate check, and defining a custom path for the CA cert file to use, as well as a protection to warn the user if the CA certificate file used is not present (and abort).
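One consistency check worth running over these two variables before a deploy, as an added example that is not part of this merge request or of the role itself: derive each v3 onion address from its public key and confirm it matches the tor_address given next to it, verify the address checksum, and confirm that every address pinned in a hardmap or softmap has a matching entry in onionspray_keys (without the secret key for a pinned address the role cannot produce a working service for it). The script assumes public_key_base64 holds either the raw 32-byte ed25519 key or Tor's 64-byte hs_ed25519_public_key file; that encoding is an assumption, the role's actual encoding may differ. The sample key and config are constructed, with the address derived from a throwaway key, and mirror the structure of the test values further down.

```python
import base64
import hashlib

# Tor's on-disk hs_ed25519_public_key: 32-byte header followed by the 32-byte key.
TOR_PUBKEY_HEADER = b"== ed25519v1-public: type0 ==\x00\x00\x00"
ONION_V3_VERSION = 3

# Address taken from the merge request's test config (used only for structural checks).
PAGE_ADDRESS = "yetkvkuqlr23sdzkf2mynt7aixfjzq6pjys2ffurr3hzpyfxrc7swpqd"


def onion_address_from_pubkey(pubkey: bytes) -> str:
    """v3 address per rend-spec-v3: base32(PUBKEY || CHECKSUM || VERSION), lowercase,
    where CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = bytes([ONION_V3_VERSION])
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()


def check_onion_address(address: str) -> dict:
    """Structural checks on a v3 address: length, version byte and checksum."""
    result = {"length_ok": len(address) == 56, "version_ok": False, "checksum_ok": False}
    if not result["length_ok"]:
        return result
    try:
        raw = base64.b32decode(address, casefold=True)
    except Exception:
        return result
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    result["version_ok"] = version == ONION_V3_VERSION
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    result["checksum_ok"] = checksum == expected
    return result


def decode_pubkey(public_key_base64: str) -> bytes:
    """Assumption: the value is base64 of the raw 32-byte key or of Tor's 64-byte key file."""
    raw = base64.b64decode(public_key_base64)
    if len(raw) == 64 and raw.startswith(TOR_PUBKEY_HEADER):
        raw = raw[32:]
    if len(raw) != 32:
        raise ValueError(f"unexpected public key length {len(raw)}")
    return raw


def validate_config(project_settings: list, keys: list) -> list:
    """Return human-readable problems; an empty list means the two variables are consistent."""
    problems, keyed = [], {}
    for entry in keys:
        addr = entry["tor_address"]
        chk = check_onion_address(addr)
        if not all(chk.values()):
            problems.append(f"key entry {addr}: malformed v3 address {chk}")
            continue
        try:
            derived = onion_address_from_pubkey(decode_pubkey(entry["public_key_base64"]))
        except ValueError as exc:
            problems.append(f"key entry {addr}: {exc}")
            continue
        if derived != addr:
            problems.append(f"key entry {addr}: public key derives to {derived}")
        if addr in keyed:
            problems.append(f"key entry {addr}: duplicated")
        keyed[addr] = entry
    names = [p["project_name"] for p in project_settings]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"project {name}: duplicated project_name")
    for project in project_settings:
        for kind in ("hardmaps", "softmaps"):
            for m in project.get(kind, []):
                addr = m.get("tor_address")
                if addr is None:
                    continue  # no pinned address: the role generates a fresh key pair
                if addr not in keyed:
                    problems.append(f"project {project['project_name']}: {addr} pinned for "
                                    f"{m['proxied_domain']} but has no entry in onionspray_keys")
    return problems


# Constructed sample: a throwaway key, not a real service key, and its derived address.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ADDRESS = onion_address_from_pubkey(SAMPLE_PUBKEY)
SAMPLE_PROJECTS = [
    {"project_name": "example1", "hardmaps": [{"proxied_domain": "example.org"}]},
    {"project_name": "example2", "softmaps": [
        {"tor_address": SAMPLE_ADDRESS, "proxied_domain": "wikipedia.org"},
        {"proxied_domain": "wikimedia.org"},
    ]},
]
SAMPLE_KEYS = [{
    "public_key_base64": base64.b64encode(SAMPLE_PUBKEY).decode(),
    "secret_key_base64": "REDACTED",
    "tor_address": SAMPLE_ADDRESS,
}]

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_PROJECTS, SAMPLE_KEYS) or ["config is consistent"]:
        print(problem)
```

Run it with python3 after loading the two variables from the inventory (PyYAML would replace the inline dicts); a non-empty list is a reason to stop before ansible-playbook touches the host, since a key/address mismatch only shows up later as a service that never becomes reachable.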
Tests
Tested with the following values for my custom host:

```yaml
onionspray_project_settings:
  - project_name: example1
    hardmaps:
      - proxied_domain: example.org
  - project_name: example2
    project_custom_settings: |
      # block access to "forbidden" subdomain
      set block_err This subdomain is forbidden.
      set block_host_re ^forbidden\.
      ## rate-limiting
      ## c.f. https://onionservices.torproject.org/apps/web/onionspray/guides/dos/
      # max number of connections through this proxy
      set tor_max_streams 1000
      # setting these two options expose a header named "X-Onion-CircuitID" with a unique ID per Tor user
      # that header can be used for rate-limiting
      set tor_export_circuit_id haproxy
      set nginx_x_onion_circuit_id 1
    softmaps:
      - tor_address: yetkvkuqlr23sdzkf2mynt7aixfjzq6pjys2ffurr3hzpyfxrc7swpqd
        proxied_domain: wikipedia.org
      - proxied_domain: wikimedia.org
onionspray_keys:
  - public_key_base64: REDACTED
    secret_key_base64: REDACTED
    tor_address: yetkvkuqlr23sdzkf2mynt7aixfjzq6pjys2ffurr3hzpyfxrc7swpqd
  - public_key_base64: REDACTED
    secret_key_base64: REDACTED
    tor_address: 2k7kfvpa53a4exfkluhg5y33jtvrq3cgsn53ali7cltdlg3iadh6j4id
```
Then on my Ansible controller:

```shell
ansible-playbook --diff playbook.yml -i hosts -b -l vps
```
The settings for these two websites are generated, and they are both accessible through the Tor Browser. I can verify this on the machine with my Onionspray user:
```console
$ sudo su onionspray -s /bin/bash
$ ls ~/onionspray/secrets/
[...]
yetkvkuqlr23sdzkf2mynt7aixfjzq6pjys2ffurr3hzpyfxrc7swpqd.v3pub.key
yetkvkuqlr23sdzkf2mynt7aixfjzq6pjys2ffurr3hzpyfxrc7swpqd.v3sec.key
[...]
# the two keys I specified for one of the two projects are here, and two random ones were generated for the other one
$ ~/onionspray/onionspray status -a
:::: status mediaparttest ::::
    PID TTY      STAT   TIME COMMAND
 964151 ?        Sl     0:09 tor -f /home/onionspray/onionspray/projects/mediaparttest/tor.conf
 964156 ?        Ss     0:00 nginx: master process nginx -c /home/onionspray/onionspray/projects/mediaparttest/nginx.conf
:::: status myproject ::::
    PID TTY      STAT   TIME COMMAND
 964161 ?        Sl     0:09 tor -f /home/onionspray/onionspray/projects/myproject/tor.conf
 964166 ?        Ss     0:00 nginx: master process nginx -c /home/onionspray/onionspray/projects/myproject/nginx.conf
$ ~/onionspray/onionspray maps -a
:::: maps mediaparttest ::::
yoj4wwe6vqywpise2cddhoied76ujmbpxilg3qevzjichdsijstt24qd.onion mediapart.fr mediaparttest hardmap
:::: maps myproject ::::
yetkvkuqlr23sdzkf2mynt7aixfjzq6pjys2ffurr3hzpyfxrc7swpqd.onion wikipedia.org myproject hardmap
```
Blocking
The molecule tests need to be adapted: I will try to do this when time allows. I have no Internet access during all of next week, so the beginning of March at the earliest. If another project member wants to handle that part, this PR can be used (I won't mind! :)). Thanks!