@mtigas
mtigas / onion-svc-v3-client-auth.sh
Last active April 22, 2024 07:31
experiments with using v3 onions with client auth (as of tor 0.3.5.X)
#!/bin/bash
# needs openssl 1.1+
# needs `basez` https://manpages.debian.org/testing/basez/base32hex.1.en.html
# (but something else that decodes the base64 and re-encodes the raw key bytes
# to base32 is probably fine too)
##### generate a key
openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
@mtigas
mtigas / gist:952344
Last active April 3, 2024 07:57
Mini tutorial for configuring client-side SSL certificates.

Client-side SSL

For excessively paranoid client authentication.


Updated Apr 5 2019:

because this is a gist from 2011 that people stumble into, and maybe you should use AES instead of 3DES in the year of our lord 2019.

some other notes:

@mtigas
mtigas / LICENSE.txt
Created February 9, 2011 20:07
Script that allows batch-downloading a person's full Facebook photo collection.
Copyright 2011 Mike Tigas. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list
of conditions and the following disclaimer in the documentation and/or other materials
@mtigas
mtigas / 01.md
Last active November 5, 2023 03:45
HTTPS / SSL certificate config stuff

Normal SSL cert

export DATE=`date +"%Y%m"`
export SITENAME="mike_tig_as"
export KEYNAME="$DATE-$SITENAME"

# Generate private key, make it have no password.
# change to 2048 if you want compatibility with CDNs / aws cloudfront / load balancers, etc
openssl genrsa -aes256 -passout pass:xxxx -out "${KEYNAME}.pass.key" 4096
openssl rsa -passin pass:xxxx -in ${KEYNAME}.pass.key -out ${KEYNAME}.key
@mtigas
mtigas / nginx.conf
Last active July 11, 2023 11:14
Nginx configuration for securedrop.propublica.org. (Based on Ubuntu 13.10 / Nginx 1.4.1 default config.)
# This configuration file is provided on an "as is" basis,
# with no warranties or representations, and any use of it
# is at the user's own risk.
#
# You will need to edit domain name information, IP addresses for
# redirection (at the bottom), SSL certificate and key paths, and
# the "Public-Key-Pins" header. Search for any instance of "TODO".
user www-data;
worker_processes 4;
@mtigas
mtigas / 0-hidden-service-subdomains.md
Last active April 14, 2023 02:06
Example code for running a (HTTP/HTTPS) Tor hidden service supporting subdomains.

The following files show an example of how to create subdomains for onion site hidden services. (This hasn't been tested for hidden services for anything other than HTTP/HTTPS.)

(You might also want to read our blog post about ProPublica’s Tor hidden service, including a tutorial and notes on running a hidden service: https://www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services )

In general, this works (maybe just in recent Tor clients) because Tor will handle the connection to www.xxxxxxxxxxxxxxxx.onion as a connection to xxxxxxxxxxxxxxxx.onion. The encapsulated HTTP/HTTPS connection contains the subdomain in the Host: header (and in the case of HTTPS, the SNI

@mtigas
mtigas / 0 ProPublica Tor hidden service config.md
Last active April 10, 2023 16:31
Configuration for ProPublica’s Tor hidden service proxy.

Note (December 16, 2021): These example files haven't been updated since 2016. In either 2019 or 2020, our onion domain was changed to a longer v3 onion address (p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion). The examples below don't reflect this, but the configuration portions remain accurate regarding how we currently serve the onion site. (Tor Browser dropped support for v2 addresses, such as propub3r6espa33w.onion, in the second half of 2021.)


These files contain the base configuration for ProPublica’s Tor hidden service mirror.

Of note:

  • We're using the nginx "subs_filter" and "headers more" modules to allow us to rewrite content and update headers, so that we can convert clearnet links into onion links, where possible.
#!/bin/bash
#
# sniff.sh
# A simple script that allows your Mac to perform packet sniffing on
# unencrypted WiFi networks.
# ----------
# Usage:
# ./sniff.sh (keyword)
#
# `keyword` is optional and is simply appended to the resulting
@mtigas
mtigas / README.md
Last active December 16, 2022 02:12
this is the nginx config for https://mike.tig.as/, with config to avoid the BEAST exploit (by using TLS 1.2+ ciphers or RC4) and enable SSL perfect forward secrecy (by preferring ECDHE ciphers)

[mike.tig.as][mta] server configuration

This gist contains the nginx and tor configurations for the [mike.tig.as][mta] servers, mainly to show:

  • Use of the chris-lea/nginx-devel PPA to allow use of SPDY.
  • ssl_ciphers selection to mitigate BEAST attack, enable [perfect forward secrecy][pfs] if possible and select the strongest possible ciphers within those bounds. (Exception is made for several ciphers at the end of list, for compatibility reasons.)
@mtigas
mtigas / signal_cli_mac.sh
Last active April 10, 2021 08:38
[macos] homebrew-installed signal w/v2 group support (fixes libzkgroup warning)
#!/usr/bin/env bash
set -e
set -x
brew install signal-cli || brew upgrade signal-cli
SIGNAL_LIBEXEC_LIBDIR="`brew --prefix signal-cli`/libexec/lib"
# zkgroup-java*.jar --- remove the linux x86_64 bundled lib