Skip to content

Instantly share code, notes, and snippets.

View stokito's full-sized avatar
🚀
Working on safe web

Sergey Ponomarev stokito

🚀
Working on safe web
View GitHub Profile
@stokito
stokito / onion-gen.js
Created June 28, 2022 17:21 — forked from ttaubert/onion-gen.js
Generating custom .onion names with the WebCrypto API
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
/*
* thirty-two
* https://github.com/chrisumbel/thirty-two
*
@stokito
stokito / somehost.conf
Last active July 7, 2022 09:39 — forked from tomkersten/somehost.conf
Nginx config with CORS headers added and Basic Auth
server {
server_name example.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
root /var/www/html;
access_log off;
location / {
if ($request_method = 'OPTIONS') {
@stokito
stokito / OpenWrt_Virtualbox.md
Last active August 13, 2022 10:11 — forked from jayluxferro/OpenWrt_Virtualbox.md
How to run OpenWrt in VirtualBox

The official doc seems too complicated OpenWrt on VirtualBox HowTo

  1. Download and install VirtualBox. On Windows add to PATH envs C:\Program Files\Oracle\VirtualBox
  2. Get an OpenWrt image openwrt-x86-64-combined-ext4.img.gz from targets/x86/64/ folder. Direct snapshot download
  3. Uncompress the image: gunzip openwrt.img.gz
  4. Convert it to native VirtualBox format:
VBoxManage convertfromraw --format VDI openwrt.img openwrt.vdi
@stokito
stokito / jwt-decode.sh
Last active June 16, 2023 10:17 — forked from KevCui/jwtDecoder.sh
A shell (ash, dash, Bash) script to decode JWT token. Version ported to OpenWrt here https://gist.github.com/stokito/43afca84fc34d1d362bf210cd941a366
#!/bin/sh
# Decode a JWT from stdin and verify it's signature with the JWT issuer public key
# Only RS256 keys are supported for signature check
#
# Put OAuth server public key in PEM format to /var/cache/oauth/$JWT_KID.key.pub.pem
# You must create the folder first
# $ sudo mkdir -p /var/cache/oauth/
# To converted key from JWK to PEM use https://8gwifi.org/jwkconvertfunctions.jsp or https://keytool.online/
# NOTE: For Google you can get the keys in PEM format via https://www.googleapis.com/oauth2/v1/certs
# Decode the keys with decodeURIComponent()
@stokito
stokito / onion-svc-v3-client-auth.sh
Last active July 24, 2023 02:53 — forked from mtigas/onion-svc-v3-client-auth.sh
experiments with using v3 onions with client auth (as of tor 0.3.5.X)
#!/bin/sh
# needs openssl 1.1+
# needs base64 and base32 utilities.
# On OpenWrt you may install coreutils-base64 and coreutils-base32.
# BusyBox can be compiled with them.
# On other systems try basenc or basez https://manpages.debian.org/testing/basez/base32hex.1.en.html
##### generate a key
@stokito
stokito / install-openjdk8-musl.sh
Last active August 21, 2023 06:43 — forked from simonswine/install-openjdk8-musl.sh
Install Java openjdk8 compiled for musl from Alpine onto OpenWRT (armv7). Tested on Turris Omnia (TurrisOS 6.4.1)
#!/bin/sh
# aarch64, armhf, armv7, ppc64le, s390x, x86, x86_64
ARCH="armv7" # Turris Omnia
REVISION="8.275.01-r0"
DESTDIR="" # empty for root, you can set to /opt
# Alpine v3.13 switched to musl v1.2.0 while TurrisOS 6.4.1 uses older musl v1.1.24
# Use ldd command to see a musl version.
# If it's newer then change the URL to https://dl-cdn.alpinelinux.org/alpine/edge/
# You will also need to change the REVISION for the latest
@stokito
stokito / generate-dropbear-key
Last active December 14, 2023 21:34 — forked from hongkongkiwi/generate-dropbear-key
Generate SSH Key in Dropbear with some options (by default it uses default id_dropbear as the name and ed25519 as the type)
#!/bin/sh +ux
# We set the sh +ux flags so that we error on undefined variables and error on bad commands
help() {
echo >&2 "$0 [-f] [-p] [-q] [<priv_key_file>] [<key_type>] [<key_comment>]"
echo >&2
echo >&2 "-q / --quiet to silent all output (except -p if passed)"
echo >&2 "-p / --pubkey to output public key after generation"
echo >&2 "-f / --force to force replacing existing key"
echo >&2
@stokito
stokito / firewall.user
Last active January 7, 2024 22:06 — forked from Manouchehri/cloudflare.sh
OpenWrt: Allow only CloudFlare to access HTTP 80 and HTTPS 443 ports. Use if your uhttpd is hidden behind CF. Put this file to /etc/firewall.user. NOTE: It uses HTTP to get the list of IPs because to wget via https we need to install ca-certs. This makes you vulnerable to MiTM attacks but that's ok to be protected from internet's hackers
# https://www.cloudflare.com/ips replace the ips-v4 with ips-v6 if needed
# https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/
for ip in `wget -qO- http://www.cloudflare.com/ips-v4`; do
iptables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s $ip -j ACCEPT
done
@stokito
stokito / DNSSEC-Signing.md
Created February 5, 2024 22:51 — forked from sandeeprenjith/DNSSEC-Signing.md
DNSSEC Keys and Signing Process Simplified

cyber-security-2296269_1920

DNSSEC Keys and Signing Process Simplified

This article describes what happens when a zone is signed with DNSSEC. This document helps to understand the concept of zone signing and does not detail the actual steps for signing a zone.