On 2018-07-07 19:15:05, Guillem Jover wrote:
> Package: kgb-bot
> Version: 1.51-1
> Severity: wishlist
>
> Hi!
>
> At least when using the kgb-client to talk to a kgb-bot, any passwords
> or tokens are sent in the clear. It would be nice if https was
> supported when talking to the server.
This is probably not the answer you're looking for, but I suspect it might be preferable, if not easier, to delegate this to a proxy. It's fairly trivial to implement one with Nginx or Apache and it might avoid the complication of setting up TLS and certs management and all that stuff inside this poor little bot.

I have used this configuration fairly successfully here:

server {
    listen 0.0.0.0:80;
    listen [::]:80;
    server_name kgb-bot.torproject.org;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    return 301 https://$http_host$request_uri;
}

server {
    listen 0.0.0.0:443 ssl;
    listen [::]:443 ssl;
    server_name kgb-bot.torproject.org;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    ssl on; ## redundant with "listen ... ssl" above; deprecated since nginx 1.15.0
    ssl_certificate /etc/ssl/torproject/certs/kgb-bot.torproject.org.crt-chained;
    ssl_certificate_key /etc/ssl/private/kgb-bot.torproject.org.key;
    ## "privacy" is a custom log_format defined elsewhere in the nginx config
    access_log /var/log/nginx/kgb-bot_access.log privacy;
    error_log /var/log/nginx/kgb-bot_error.log;
    client_max_body_size 0;
    gzip off;
    proxy_redirect off;
    ## The bot only ever sees 127.0.0.1 as its TCP peer; the original client
    ## address and scheme travel in these headers.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;

    location / {
        proxy_pass http://localhost:5391;
    }

    # webhooks are unauthenticated in KGB, enforce that only the GitLab
    # host can write here.
    location /webhook {
        proxy_pass http://localhost:5391;
        # The proper way of doing this would be for KGB to implement
        # support for GitLab's secret tokens:
        #
        #   https://bugs.debian.org/927342
        #
        # For now we'll just hardcode the IP address here.
        #
        # XXX: MAGIC-IP-ADDRESS: gitlab-02
        allow 116.202.120.180;
        allow 2a01:4f8:fff0:4f:266:37ff:feb8:3489;
        deny all;
    }
}

Note how we make an exception out of `webhook` because of #927342: this is important as the proxy will bypass the webhook `allow_networks` restriction...

I hope that helps!

a.
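The bypass mentioned above (every proxied request reaching the bot from 127.0.0.1, so a peer-address allow-list either rejects everything or, once loopback is allowed, admits everyone) is easy to see with a small model. The following is an added illustration, not kgb-bot's code nor part of the nginx configuration in the reply; it assumes the proxy sits on the same host and reaches the bot over loopback, and uses documentation addresses (192.0.2.x, 198.51.100.x, 2001:db8::) in place of the real GitLab host. It contrasts a peer-only check with one that trusts X-Forwarded-For only when the TCP peer is the proxy, and adds a constant-time shared-secret check of the X-Gitlab-Token kind that #927342 asks for.

```python
"""Added illustration (not kgb-bot's or the nginx config's own code) of why a
backend-only ``allow_networks`` check is bypassed once nginx terminates TLS,
and what a proxy-aware check and a shared-secret check look like.
All addresses, header values and the token below are constructed."""
import hmac
import ipaddress

# Assumption: nginx runs on the same host and reaches the bot over loopback,
# so loopback is the only peer whose X-Forwarded-For we may believe.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]

# Placeholder allow-list for the webhook (documentation ranges, not gitlab-02).
ALLOW_NETWORKS = [ipaddress.ip_network("192.0.2.10/32"),
                  ipaddress.ip_network("2001:db8::10/128")]

# What an operator is forced into when the backend checks only the TCP peer:
# loopback has to be allowed or no proxied delivery ever gets through.
NAIVE_ALLOW = ALLOW_NETWORKS + TRUSTED_PROXIES


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def client_ip(peer, xff):
    """Address an access check should evaluate.

    peer -- the TCP peer the bot accepted (what $remote_addr is to nginx)
    xff  -- the X-Forwarded-For header value, or None

    Only when the peer is a trusted proxy is X-Forwarded-For believed, and
    then only the right-most hop that is not itself a trusted proxy: nginx's
    $proxy_add_x_forwarded_for appends the real client at the end, so any
    hops an attacker pre-loaded sit to the left and are ignored.
    """
    peer_addr = ipaddress.ip_address(peer)
    if xff is None or not _in_any(peer_addr, TRUSTED_PROXIES):
        return peer_addr
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr          # malformed header: trust nothing in it
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer_addr                  # every hop was a proxy of ours


def naive_allowed(peer):
    """Backend-only check: looks at the TCP peer and nothing else."""
    return _in_any(ipaddress.ip_address(peer), NAIVE_ALLOW)


def proxy_aware_allowed(peer, xff):
    """Same allow-list, evaluated against the proxy-derived client address."""
    return _in_any(client_ip(peer, xff), ALLOW_NETWORKS)


def token_ok(presented, expected):
    """Shared-secret check in the style of GitLab's X-Gitlab-Token header,
    compared in constant time so the token cannot be guessed byte by byte."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def demo():
    """Run both checks over constructed deliveries; returns
    {case: (naive_allowed, proxy_aware_allowed)}."""
    gitlab, attacker, proxy = "192.0.2.10", "198.51.100.7", "127.0.0.1"
    cases = {
        "direct_gitlab":    (gitlab,   None),                     # no proxy in path
        "proxied_gitlab":   (proxy,    gitlab),                   # nginx appended the client
        "proxied_attacker": (proxy,    attacker),                 # anyone on the internet
        "proxied_spoof":    (proxy,    f"{gitlab}, {attacker}"),  # forged XFF through nginx
        "direct_spoof":     (attacker, gitlab),                   # bot port hit directly
    }
    return {name: (naive_allowed(peer), proxy_aware_allowed(peer, xff))
            for name, (peer, xff) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} naive={verdict[0]!s:5} proxy_aware={verdict[1]}")
```

The "proxied_attacker" and "proxied_spoof" rows are the bypass: the peer-only check admits them because loopback had to be allowed, which is exactly why the nginx `allow`/`deny` on `/webhook` is doing the real work in the configuration above. A proxy-aware check, or a shared secret verified with `token_ok`, would let the bot enforce the restriction itself regardless of what sits in front of it.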