This builds a statically linked Tor on CentOS 7.
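#!/bin/bash
#
# Build a statically linked Tor on CentOS 7.
#
# zlib, libevent and OpenSSL are built from source as static libraries under
# ${PREFIX}, Tor is linked against them and installed under /usr, and a
# hardened systemd unit is written. The three helper library trees and the
# yum packages pulled in for the build can be removed again at the end.
#
# Run as an unprivileged user that can sudo. Optional environment variables:
#   ZLIB_SHA256, LIBEVENT_SHA256, OPENSSL_SHA256, TOR_SHA256
#     expected SHA-256 of the matching tarball; when set, the download is
#     verified before it is unpacked, when unset a warning is printed and
#     TLS is the only integrity check on the download.
set -euo pipefail
umask 0022

readonly PREFIX="/opt"
readonly BUILD_DIR="${HOME}/build"
readonly OPENSSL_VERSION="1.1.1c"
readonly OPENSSL_DIR="openssl-${OPENSSL_VERSION}"
readonly TOR_VERSION="0.4.1.5"
readonly TOR_DIR="tor-${TOR_VERSION}"
readonly TOR_USERGROUP="toranon"
readonly LIBEVENT_VERSION="2.1.11-stable"
readonly LIBEVENT_DIR="libevent-${LIBEVENT_VERSION}"
readonly ZLIB_VERSION="1.2.11"
readonly ZLIB_DIR="zlib-${ZLIB_VERSION}"

# Optional expected checksums (see header); empty means "not verified".
readonly ZLIB_SHA256="${ZLIB_SHA256:-}"
readonly LIBEVENT_SHA256="${LIBEVENT_SHA256:-}"
readonly OPENSSL_SHA256="${OPENSSL_SHA256:-}"
readonly TOR_SHA256="${TOR_SHA256:-}"

# yum transaction to roll back to at the end; 0 means "nothing to roll back".
rollback_id=0

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download a tarball into the current directory and unpack it.
# Arguments: $1 - URL of the .tar.gz
#            $2 - expected SHA-256 of the archive, or empty to skip the check
# Returns:   exits via die on download failure or checksum mismatch
#######################################
fetch_and_unpack() {
  local url=$1
  local expected=$2
  local archive=${url##*/}
  wget "${url}" || die "download failed: ${url}"
  if [[ -n "${expected}" ]]; then
    # sha256sum -c reads "<hash>  <file>" lines from stdin.
    printf '%s  %s\n' "${expected}" "${archive}" | sha256sum -c - \
      || die "SHA-256 mismatch for ${archive}"
  else
    printf 'warning: no expected SHA-256 for %s; archive is NOT verified\n' \
      "${archive}" >&2
  fi
  tar xvzf "${archive}"
}

#######################################
# Install build prerequisites and record the yum transaction id of the
# second install so those packages can be rolled back at the end.
# Globals:   BUILD_DIR (read), rollback_id (written)
# Outputs:   yum-history.before / yum-history.after in BUILD_DIR
#######################################
install_build_deps() {
  cd "${BUILD_DIR}"
  sudo yum -y install wget screen mlocate htop yum-utils epel-release policycoreutils-python
  sudo yum -y update
  sudo yum history > yum-history.before
  sudo yum -y install gcc gcc-c++ libevent kernel-devel zlib-devel libevent-devel perl-Module-Load-Conditional perl-core perl-Test-Harness systemd-devel zlib-static glibc-static openssl-devel
  sudo yum history > yum-history.after
  # diff exits 1 when the files differ, which is the normal case here; the
  # `|| true` keeps pipefail from treating that as an error. The last new
  # line of the history listing is taken to be the install transaction.
  local transaction_id
  transaction_id=$( { diff yum-history.before yum-history.after || true; } \
    | tail -n 1 | sed -n -E 's/^[^\|0-9]*([0-9]+).*/\1/p')
  if [[ "${transaction_id}" =~ ^[0-9]+$ ]]; then
    rollback_id=$(( transaction_id - 1 ))
  else
    rollback_id=0   # no transaction id recognised; skip the rollback later
  fi
}

#######################################
# Build and install static zlib under ${PREFIX}/${ZLIB_DIR}.
#######################################
build_zlib() {
  cd "${BUILD_DIR}/${ZLIB_DIR}"
  CFLAGS='-mstackrealign -fPIC' ./configure --static --prefix="${PREFIX}/${ZLIB_DIR}"
  make
  make test
  sudo make install
}

#######################################
# Build and install static libevent under ${PREFIX}/${LIBEVENT_DIR}.
#######################################
build_libevent() {
  cd "${BUILD_DIR}/${LIBEVENT_DIR}"
  ./configure --disable-shared --enable-function-sections --enable-static \
    --with-pic --prefix="${PREFIX}/${LIBEVENT_DIR}"
  make
  make verify
  sudo make install
}

#######################################
# Build and install OpenSSL under ${PREFIX}/${OPENSSL_DIR}, pointing it at
# the zlib built above.
#######################################
build_openssl() {
  cd "${BUILD_DIR}/${OPENSSL_DIR}"
  ./config zlib-dynamic \
    --with-zlib-include="${PREFIX}/${ZLIB_DIR}/include" \
    --with-zlib-lib="${PREFIX}/${ZLIB_DIR}/lib" \
    --prefix="${PREFIX}/${OPENSSL_DIR}" \
    --openssldir="${PREFIX}/${OPENSSL_DIR}" \
    -fPIC enable-ec_nistp_64_gcc_128 enable-tls1_3
  make
  make test
  sudo make install
}

#######################################
# Create the unprivileged Tor service account if it does not exist yet
# (useradd fails on an existing user, which would abort the script).
#######################################
create_tor_user() {
  if id -u "${TOR_USERGROUP}" >/dev/null 2>&1; then
    printf 'user %s already exists; not recreating\n' "${TOR_USERGROUP}" >&2
    return 0
  fi
  sudo useradd --system -c "Tor anonymizing user" -d /var/lib/tor -M -U \
    -s /sbin/nologin "${TOR_USERGROUP}"
}

#######################################
# Configure, build and install Tor under /usr, statically linked against
# the three libraries built above.
#######################################
build_tor() {
  cd "${BUILD_DIR}/${TOR_DIR}"
  ./configure --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin \
    --libexecdir=/var/lib/tor --sysconfdir=/etc --localstatedir=/var/lib \
    --enable-static-openssl --enable-static-libevent --enable-static-zlib \
    --enable-systemd \
    --with-libevent-dir="${PREFIX}/${LIBEVENT_DIR}" \
    --with-zlib-dir="${PREFIX}/${ZLIB_DIR}" \
    --with-openssl-dir="${PREFIX}/${OPENSSL_DIR}" \
    --with-tor-user="${TOR_USERGROUP}" --with-tor-group="${TOR_USERGROUP}"
  make
  make test
  sudo make install
}

#######################################
# Create the data and log directories, relabel them for SELinux and hand
# them to the service account. Everything here needs root, so every step
# goes through sudo (the original chown did not and failed silently).
#######################################
prepare_directories() {
  sudo mkdir -p /var/lib/tor /var/log/tor
  sudo restorecon -v -R /var/lib/tor /var/log/tor
  sudo chown -R "${TOR_USERGROUP}:${TOR_USERGROUP}" /var/lib/tor /var/log/tor
  # The data directory holds Tor's identity keys; keep it private to the
  # service account.
  sudo chmod 0700 /var/lib/tor
}

#######################################
# Write the hardened systemd unit and reload systemd.
# Outputs: /usr/lib/systemd/system/tor.service
#######################################
install_service() {
  local unit=/usr/lib/systemd/system/tor.service
  sudo rm -f "${unit}"
  # Quoted delimiter: ${MAINPID} must reach systemd literally instead of
  # being expanded (to an empty string) by this shell.
  sudo tee "${unit}" > /dev/null <<'EOT'
[Unit]
Description=Anonymizing overlay network for TCP
After=syslog.target network.target nss-lookup.target

[Service]
Type=simple
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=30
Restart=on-failure
RestartSec=1
LimitNOFILE=32768

# Hardening
# No User= here: CAP_SETUID/CAP_SETGID are kept so that tor can drop
# privileges itself; confirm /etc/tor/torrc sets "User" to the service
# account, otherwise the daemon stays root.
PrivateTmp=yes
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
InaccessibleDirectories=/home
InaccessibleDirectories=/root
InaccessibleDirectories=/run/user
ReadOnlyDirectories=/boot
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadOnlyDirectories=/run
ReadOnlyDirectories=/var
# /run/tor is not created anywhere else; let systemd create it at start so
# the ReadWriteDirectories entry below refers to an existing path.
RuntimeDirectory=tor
ReadWriteDirectories=/run/tor
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
PermissionsStartOnly=yes

[Install]
WantedBy=multi-user.target
EOT
  sudo systemctl daemon-reload
}

#######################################
# Uninstall one of the helper libraries and delete its prefix tree.
# Arguments: $1 - directory name under BUILD_DIR and PREFIX
#######################################
remove_helper_library() {
  local name=$1
  cd "${BUILD_DIR}/${name}"
  sudo make uninstall
  make clean
  # ${var:?} guards against an empty variable turning this into rm -Rf /.
  sudo rm -Rf "${PREFIX:?}/${name:?}"
}

#######################################
# Remove the helper library trees and roll back the build-dependency
# yum transaction recorded by install_build_deps.
# Globals: rollback_id (read)
#######################################
cleanup_build_artifacts() {
  remove_helper_library "${OPENSSL_DIR}"
  remove_helper_library "${LIBEVENT_DIR}"
  remove_helper_library "${ZLIB_DIR}"
  if (( rollback_id > 0 )); then
    sudo yum -y history rollback "${rollback_id}"
  fi
}

main() {
  mkdir -p "${BUILD_DIR}"
  # wget is installed by install_build_deps, so it must run before any fetch.
  install_build_deps

  cd "${BUILD_DIR}"
  fetch_and_unpack "https://www.zlib.net/${ZLIB_DIR}.tar.gz" "${ZLIB_SHA256}"
  fetch_and_unpack "https://github.com/libevent/libevent/releases/download/release-${LIBEVENT_VERSION}/${LIBEVENT_DIR}.tar.gz" "${LIBEVENT_SHA256}"
  fetch_and_unpack "https://www.openssl.org/source/${OPENSSL_DIR}.tar.gz" "${OPENSSL_SHA256}"
  fetch_and_unpack "https://dist.torproject.org/${TOR_DIR}.tar.gz" "${TOR_SHA256}"

  build_zlib
  build_libevent
  build_openssl
  create_tor_user
  build_tor
  prepare_directories
  install_service
  # NOTE: /etc/tor/torrc is not written by this script; the unit's
  # --verify-config step will fail until one is put in place.

  printf '%s\n' \
    "Installation script has completed. If you wish to remove the extra build tools committed at the beginning, press ENTER." \
    "Otherwise, press CTRL+C to exit."
  # EOF on stdin (non-interactive run) leaves the build tools in place.
  read -r -p "Press enter to continue . . ." _ || exit 0
  cleanup_build_artifacts
}

main "$@"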