On 2018-07-07 19:15:05, Guillem Jover wrote:
> Package: kgb-bot
> Version: 1.51-1
> Severity: wishlist
>
> Hi!
>
> At least when using the kgb-client to talk to a kgb-bot, any passwords
> or tokens are sent in the clear. It would be nice if https was
> supported when talking to the server.

This is probably not the answer you're looking for, but I suspect it
might be preferable, if not easier, to delegate this to a proxy. It's
fairly trivial to implement one with Nginx or Apache and it might avoid
the complication of setting up TLS and certs management and all that
stuff inside this poor little bot.

I have used this configuration fairly successfully here:

server {
  listen 0.0.0.0:80;
  listen [::]:80;
  server_name kgb-bot.torproject.org;
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
}

server {
  listen 0.0.0.0:443 ssl;
  listen [::]:443 ssl;
  server_name kgb-bot.torproject.org;
  server_tokens off; ## Don't show the nginx version number, a security best practice

  # Redundant with the "ssl" parameter on the listen lines above; the
  # directive is deprecated and newer nginx releases reject it.
  ssl on;
  ssl_certificate           /etc/ssl/torproject/certs/kgb-bot.torproject.org.crt-chained;
  ssl_certificate_key       /etc/ssl/private/kgb-bot.torproject.org.key;

  # "privacy" is a custom log_format that must be defined in the http block.
  access_log  /var/log/nginx/kgb-bot_access.log privacy;
  error_log   /var/log/nginx/kgb-bot_error.log;

  client_max_body_size 0;
  gzip off;

  proxy_redirect          off;

  proxy_set_header    Host                $http_host;
  proxy_set_header    X-Real-IP           $remote_addr;
  proxy_set_header    X-Forwarded-Ssl     on;
  proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
  proxy_set_header    X-Forwarded-Proto   $scheme;
  proxy_set_header    Upgrade             $http_upgrade;

  location / {
    proxy_pass http://localhost:5391;
  }

  # webhooks are unauthenticated in KGB, enforce that only the GitLab
  # host can write here.
  location /webhook {
    proxy_pass http://localhost:5391;

    # The proper way of doing this would be for KGB to implement
    # support for GitLab's secret tokens:
    #
    # https://bugs.debian.org/927342
    #
    # For now we'll just hardcode the IP address here.
    #
    # XXX: MAGIC-IP-ADDRESS: gitlab-02
    allow 116.202.120.180;
    allow 2a01:4f8:fff0:4f:266:37ff:feb8:3489;
    deny all;
  }
}

Note how we make an exception out of `webhook` because of #927342: this
is important as the proxy will bypass the webhook `allow_networks`
restriction...

I hope that helps!

a.
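Added example (not KGB's code nor part of the bug thread) showing why the proxy defeats a peer-address allow list and how an application behind such a proxy can still honour one: once nginx sits in front, the bot's TCP peer is always the loopback address, so a check against the connecting address can no longer tell GitLab from anyone else. The only usable client address is the one nginx puts in X-Forwarded-For, and that header may be trusted only when the connection really comes from the proxy, walking the chain from the right. The loopback-only trusted proxy set and the two GitLab addresses reused from the allow/deny lines above are constructed assumptions for this example.

```python
import ipaddress

# Assumed: nginx runs on the same host and reaches the bot over loopback,
# so those are the only peers whose X-Forwarded-For we believe.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("::1/128"),
]

# Constructed allow list, mirroring the allow/deny lines in /webhook above.
ALLOW_NETWORKS = [
    ipaddress.ip_network("116.202.120.180/32"),
    ipaddress.ip_network("2a01:4f8:fff0:4f:266:37ff:feb8:3489/128"),
]


def _in_any(addr, networks):
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so IPv4 and IPv6 entries can live in the same list.
    return any(addr in net for net in networks)


def peer_only_allowed(remote_addr, allow_networks=ALLOW_NETWORKS):
    """The naive check: compare the TCP peer with the allow list.

    Behind the proxy the peer is always 127.0.0.1 / ::1, so this either
    rejects every request or, if loopback were allowed, accepts every
    request: the restriction no longer distinguishes clients.
    """
    return _in_any(ipaddress.ip_address(remote_addr), allow_networks)


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address an allow list should be checked against.

    If the peer is not a trusted proxy the header is ignored entirely:
    anyone connecting directly could have written it.  Otherwise walk the
    X-Forwarded-For chain from the right (the hop nearest to us), peel off
    trusted proxies, and take the first untrusted address as the client.
    Malformed header values yield None so the caller fails closed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    while hops:
        try:
            candidate = ipaddress.ip_address(hops.pop())
        except ValueError:
            return None
        if not _in_any(candidate, trusted_proxies):
            return candidate
    # Empty header or only our own proxies in it: fall back to the peer,
    # which is not on the allow list, so the request is rejected.
    return peer


def webhook_allowed(remote_addr, x_forwarded_for, allow_networks=ALLOW_NETWORKS):
    """Allow-list check that survives being put behind the nginx proxy."""
    ip = effective_client_ip(remote_addr, x_forwarded_for)
    return ip is not None and _in_any(ip, allow_networks)


if __name__ == "__main__":
    # Constructed requests: GitLab via the proxy, a stranger via the proxy,
    # and a direct connection that forges the header.
    print(peer_only_allowed("127.0.0.1"))                           # False
    print(webhook_allowed("127.0.0.1", "116.202.120.180"))          # True
    print(webhook_allowed("127.0.0.1", "203.0.113.5"))              # False
    print(webhook_allowed("203.0.113.5", "116.202.120.180"))        # False
```

The nginx allow/deny block in the reply does the same filtering one hop earlier, which is why it matters that the exception is made at the proxy; the application-side check above is only as trustworthy as the proxy list it is given, so keep that list to the addresses nginx actually connects from.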
