def test_setFQDN_http(self): """Calling ``server.setFQDN([…], https=False)`` should not prepend anything at all to the module :data:`server.SERVER_PUBLIC_FQDN` variable. """ server.setFQDN('example.com', https=False) self.assertEqual(server.SERVER_PUBLIC_FQDN, "example.com")
def test_setFQDN_https(self): """Calling ``server.setFQDN([…], https=True)`` should prepend ``"https://"`` to the module :data:`server.SERVER_PUBLIC_FQDN` variable. """ server.setFQDN('example.com', https=True) self.assertEqual(server.SERVER_PUBLIC_FQDN, "https://example.com")
def addWebServer(config, distributor): """Set up a web server for HTTP(S)-based bridge distribution. :type config: :class:`bridgedb.persistent.Conf` :param config: A configuration object from :mod:`bridgedb.main`. Currently, we use these options:: HTTP_UNENCRYPTED_PORT HTTP_UNENCRYPTED_BIND_IP HTTP_USE_IP_FROM_FORWARDED_HEADER HTTPS_N_BRIDGES_PER_ANSWER HTTPS_INCLUDE_FINGERPRINTS HTTPS_KEY_FILE HTTPS_CERT_FILE HTTPS_PORT HTTPS_BIND_IP HTTPS_USE_IP_FROM_FORWARDED_HEADER HTTPS_ROTATION_PERIOD RECAPTCHA_ENABLED RECAPTCHA_PUB_KEY RECAPTCHA_SEC_KEY RECAPTCHA_REMOTEIP GIMP_CAPTCHA_ENABLED GIMP_CAPTCHA_DIR GIMP_CAPTCHA_HMAC_KEYFILE GIMP_CAPTCHA_RSA_KEYFILE SERVER_PUBLIC_FQDN CSP_ENABLED CSP_REPORT_ONLY CSP_INCLUDE_SELF :type distributor: :class:`bridgedb.distributors.https.distributor.HTTPSDistributor` :param distributor: A bridge distributor. :raises SystemExit: if the servers cannot be started. :rtype: :api:`twisted.web.server.Site` :returns: A webserver. """ captcha = None fwdHeaders = config.HTTP_USE_IP_FROM_FORWARDED_HEADER numBridges = config.HTTPS_N_BRIDGES_PER_ANSWER fprInclude = config.HTTPS_INCLUDE_FINGERPRINTS logging.info("Starting web servers...") setFQDN(config.SERVER_PUBLIC_FQDN) index = IndexResource() options = OptionsResource() howto = HowtoResource() robots = static.File(os.path.join(TEMPLATE_DIR, 'robots.txt')) assets = static.File(os.path.join(TEMPLATE_DIR, 'assets/')) keys = static.Data(bytes(strings.BRIDGEDB_OPENPGP_KEY), 'text/plain') csp = CSPResource(enabled=config.CSP_ENABLED, includeSelf=config.CSP_INCLUDE_SELF, reportViolations=config.CSP_REPORT_ONLY, useForwardedHeader=fwdHeaders) root = CustomErrorHandlingResource() root.putChild('', index) root.putChild('robots.txt', robots) root.putChild('keys', keys) root.putChild('assets', assets) root.putChild('options', options) root.putChild('howto', howto) root.putChild('maintenance', maintenance) root.putChild('error', resource500) root.putChild(CSPResource.reportURI, csp) if config.RECAPTCHA_ENABLED: publicKey = config.RECAPTCHA_PUB_KEY secretKey = config.RECAPTCHA_SEC_KEY captcha = partial(ReCaptchaProtectedResource, remoteIP=config.RECAPTCHA_REMOTEIP) elif config.GIMP_CAPTCHA_ENABLED: # Get the master HMAC secret key for CAPTCHA challenges, and then # create a new HMAC key from it for use on the server. captchaKey = crypto.getKey(config.GIMP_CAPTCHA_HMAC_KEYFILE) hmacKey = crypto.getHMAC(captchaKey, "Captcha-Key") # Load or create our encryption keys: secretKey, publicKey = crypto.getRSAKey(config.GIMP_CAPTCHA_RSA_KEYFILE) captcha = partial(GimpCaptchaProtectedResource, hmacKey=hmacKey, captchaDir=config.GIMP_CAPTCHA_DIR) if config.HTTPS_ROTATION_PERIOD: count, period = config.HTTPS_ROTATION_PERIOD.split() sched = ScheduledInterval(count, period) else: sched = Unscheduled() bridges = BridgesResource(distributor, sched, numBridges, fwdHeaders, includeFingerprints=fprInclude) if captcha: # Protect the 'bridges' page with a CAPTCHA, if configured to do so: protected = captcha(publicKey=publicKey, secretKey=secretKey, useForwardedHeader=fwdHeaders, protectedResource=bridges) root.putChild('bridges', protected) logging.info("Protecting resources with %s." % captcha.func.__name__) else: root.putChild('bridges', bridges) site = Site(root) site.displayTracebacks = False if config.HTTP_UNENCRYPTED_PORT: # pragma: no cover ip = config.HTTP_UNENCRYPTED_BIND_IP or "" port = config.HTTP_UNENCRYPTED_PORT or 80 try: reactor.listenTCP(port, site, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started HTTP server on %s:%d" % (str(ip), int(port))) if config.HTTPS_PORT: # pragma: no cover ip = config.HTTPS_BIND_IP or "" port = config.HTTPS_PORT or 443 try: from twisted.internet.ssl import DefaultOpenSSLContextFactory factory = DefaultOpenSSLContextFactory(config.HTTPS_KEY_FILE, config.HTTPS_CERT_FILE) reactor.listenSSL(port, site, factory, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started HTTPS server on %s:%d" % (str(ip), int(port))) return site
def addMoatServer(config, distributor): """Set up a web server for moat bridge distribution. :type config: :class:`bridgedb.persistent.Conf` :param config: A configuration object from :mod:`bridgedb.main`. Currently, we use these options:: GIMP_CAPTCHA_DIR SERVER_PUBLIC_FQDN SUPPORTED_TRANSPORTS MOAT_DIST MOAT_DIST_VIA_MEEK_ONLY MOAT_TLS_CERT_FILE MOAT_TLS_KEY_FILE MOAT_SERVER_PUBLIC_ROOT MOAT_HTTPS_IP MOAT_HTTPS_PORT MOAT_HTTP_IP MOAT_HTTP_PORT MOAT_BRIDGES_PER_ANSWER MOAT_TRANSPORT_PREFERENCE_LIST MOAT_USE_IP_FROM_FORWARDED_HEADER MOAT_SKIP_LOOPBACK_ADDRESSES MOAT_ROTATION_PERIOD MOAT_GIMP_CAPTCHA_HMAC_KEYFILE MOAT_GIMP_CAPTCHA_RSA_KEYFILE :type distributor: :class:`bridgedb.distributors.moat.distributor.MoatDistributor` :param distributor: A bridge distributor. :raises SystemExit: if the servers cannot be started. :rtype: :api:`twisted.web.server.Site` :returns: A webserver. """ captcha = None fwdHeaders = config.MOAT_USE_IP_FROM_FORWARDED_HEADER numBridges = config.MOAT_BRIDGES_PER_ANSWER skipLoopback = config.MOAT_SKIP_LOOPBACK_ADDRESSES logging.info("Starting moat servers...") setFQDN(config.SERVER_PUBLIC_FQDN) setRoot(config.MOAT_SERVER_PUBLIC_ROOT) setSupportedTransports(config.SUPPORTED_TRANSPORTS) setPreferredTransports(config.MOAT_TRANSPORT_PREFERENCE_LIST) # Get the master HMAC secret key for CAPTCHA challenges, and then # create a new HMAC key from it for use on the server. captchaKey = crypto.getKey(config.MOAT_GIMP_CAPTCHA_HMAC_KEYFILE) hmacKey = crypto.getHMAC(captchaKey, "Moat-Captcha-Key") # Load or create our encryption keys: secretKey, publicKey = crypto.getRSAKey( config.MOAT_GIMP_CAPTCHA_RSA_KEYFILE) sched = Unscheduled() if config.MOAT_ROTATION_PERIOD: count, period = config.MOAT_ROTATION_PERIOD.split() sched = ScheduledInterval(count, period) sitePublicDir = getRoot() meek = CustomErrorHandlingResource() moat = CustomErrorHandlingResource() fetch = CaptchaFetchResource(hmacKey, publicKey, secretKey, config.GIMP_CAPTCHA_DIR, fwdHeaders, skipLoopback) check = CaptchaCheckResource(distributor, sched, numBridges, hmacKey, publicKey, secretKey, fwdHeaders, skipLoopback) moat.putChild(b"fetch", fetch) moat.putChild(b"check", check) meek.putChild(b"moat", moat) root = CustomErrorHandlingResource() root.putChild(b"meek", meek) root.putChild(b"moat", moat) site = Site(root) site.displayTracebacks = False if config.MOAT_HTTP_PORT: # pragma: no cover ip = config.MOAT_HTTP_IP or "" port = config.MOAT_HTTP_PORT or 80 try: reactor.listenTCP(port, site, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started Moat HTTP server on %s:%d" % (str(ip), int(port))) if config.MOAT_HTTPS_PORT: # pragma: no cover ip = config.MOAT_HTTPS_IP or "" port = config.MOAT_HTTPS_PORT or 443 try: from twisted.internet.ssl import DefaultOpenSSLContextFactory factory = DefaultOpenSSLContextFactory(config.MOAT_TLS_KEY_FILE, config.MOAT_TLS_CERT_FILE) reactor.listenSSL(port, site, factory, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started Moat TLS server on %s:%d" % (str(ip), int(port))) return site
def addWebServer(config, distributor): """Set up a web server for HTTP(S)-based bridge distribution. :type config: :class:`bridgedb.persistent.Conf` :param config: A configuration object from :mod:`bridgedb.main`. Currently, we use these options:: HTTP_UNENCRYPTED_PORT HTTP_UNENCRYPTED_BIND_IP HTTP_USE_IP_FROM_FORWARDED_HEADER HTTPS_N_BRIDGES_PER_ANSWER HTTPS_INCLUDE_FINGERPRINTS HTTPS_KEY_FILE HTTPS_CERT_FILE HTTPS_PORT HTTPS_BIND_IP HTTPS_USE_IP_FROM_FORWARDED_HEADER HTTPS_ROTATION_PERIOD RECAPTCHA_ENABLED RECAPTCHA_PUB_KEY RECAPTCHA_SEC_KEY RECAPTCHA_REMOTEIP GIMP_CAPTCHA_ENABLED GIMP_CAPTCHA_DIR GIMP_CAPTCHA_HMAC_KEYFILE GIMP_CAPTCHA_RSA_KEYFILE SERVER_PUBLIC_FQDN CSP_ENABLED CSP_REPORT_ONLY CSP_INCLUDE_SELF :type distributor: :class:`bridgedb.distributors.https.distributor.HTTPSDistributor` :param distributor: A bridge distributor. :raises SystemExit: if the servers cannot be started. :rtype: :api:`twisted.web.server.Site` :returns: A webserver. """ captcha = None fwdHeaders = config.HTTP_USE_IP_FROM_FORWARDED_HEADER numBridges = config.HTTPS_N_BRIDGES_PER_ANSWER fprInclude = config.HTTPS_INCLUDE_FINGERPRINTS logging.info("Starting web servers...") setFQDN(config.SERVER_PUBLIC_FQDN) index = IndexResource() options = OptionsResource() howto = HowtoResource() robots = static.File(os.path.join(TEMPLATE_DIR, 'robots.txt')) assets = static.File(os.path.join(TEMPLATE_DIR, 'assets/')) keys = static.Data(bytes(strings.BRIDGEDB_OPENPGP_KEY), 'text/plain') csp = CSPResource(enabled=config.CSP_ENABLED, includeSelf=config.CSP_INCLUDE_SELF, reportViolations=config.CSP_REPORT_ONLY, useForwardedHeader=fwdHeaders) root = CustomErrorHandlingResource() root.putChild('', index) root.putChild('robots.txt', robots) root.putChild('keys', keys) root.putChild('assets', assets) root.putChild('options', options) root.putChild('howto', howto) root.putChild('maintenance', maintenance) root.putChild('error', resource500) root.putChild(CSPResource.reportURI, csp) if config.RECAPTCHA_ENABLED: publicKey = config.RECAPTCHA_PUB_KEY secretKey = config.RECAPTCHA_SEC_KEY captcha = partial(ReCaptchaProtectedResource, remoteIP=config.RECAPTCHA_REMOTEIP) elif config.GIMP_CAPTCHA_ENABLED: # Get the master HMAC secret key for CAPTCHA challenges, and then # create a new HMAC key from it for use on the server. captchaKey = crypto.getKey(config.GIMP_CAPTCHA_HMAC_KEYFILE) hmacKey = crypto.getHMAC(captchaKey, "Captcha-Key") # Load or create our encryption keys: secretKey, publicKey = crypto.getRSAKey( config.GIMP_CAPTCHA_RSA_KEYFILE) captcha = partial(GimpCaptchaProtectedResource, hmacKey=hmacKey, captchaDir=config.GIMP_CAPTCHA_DIR) if config.HTTPS_ROTATION_PERIOD: count, period = config.HTTPS_ROTATION_PERIOD.split() sched = ScheduledInterval(count, period) else: sched = Unscheduled() bridges = BridgesResource(distributor, sched, numBridges, fwdHeaders, includeFingerprints=fprInclude) if captcha: # Protect the 'bridges' page with a CAPTCHA, if configured to do so: protected = captcha(publicKey=publicKey, secretKey=secretKey, useForwardedHeader=fwdHeaders, protectedResource=bridges) root.putChild('bridges', protected) logging.info("Protecting resources with %s." % captcha.func.__name__) else: root.putChild('bridges', bridges) site = Site(root) site.displayTracebacks = False if config.HTTP_UNENCRYPTED_PORT: # pragma: no cover ip = config.HTTP_UNENCRYPTED_BIND_IP or "" port = config.HTTP_UNENCRYPTED_PORT or 80 try: reactor.listenTCP(port, site, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started HTTP server on %s:%d" % (str(ip), int(port))) if config.HTTPS_PORT: # pragma: no cover ip = config.HTTPS_BIND_IP or "" port = config.HTTPS_PORT or 443 try: from twisted.internet.ssl import DefaultOpenSSLContextFactory factory = DefaultOpenSSLContextFactory(config.HTTPS_KEY_FILE, config.HTTPS_CERT_FILE) reactor.listenSSL(port, site, factory, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started HTTPS server on %s:%d" % (str(ip), int(port))) return site
def addMoatServer(config, distributor): """Set up a web server for moat bridge distribution. :type config: :class:`bridgedb.persistent.Conf` :param config: A configuration object from :mod:`bridgedb.main`. Currently, we use these options:: GIMP_CAPTCHA_DIR SERVER_PUBLIC_FQDN SUPPORTED_TRANSPORTS MOAT_DIST MOAT_DIST_VIA_MEEK_ONLY MOAT_TLS_CERT_FILE MOAT_TLS_KEY_FILE MOAT_SERVER_PUBLIC_ROOT MOAT_HTTPS_IP MOAT_HTTPS_PORT MOAT_HTTP_IP MOAT_HTTP_PORT MOAT_BRIDGES_PER_ANSWER MOAT_TRANSPORT_PREFERENCE_LIST MOAT_USE_IP_FROM_FORWARDED_HEADER MOAT_SKIP_LOOPBACK_ADDRESSES MOAT_ROTATION_PERIOD MOAT_GIMP_CAPTCHA_HMAC_KEYFILE MOAT_GIMP_CAPTCHA_RSA_KEYFILE :type distributor: :class:`bridgedb.distributors.moat.distributor.MoatDistributor` :param distributor: A bridge distributor. :raises SystemExit: if the servers cannot be started. :rtype: :api:`twisted.web.server.Site` :returns: A webserver. """ captcha = None fwdHeaders = config.MOAT_USE_IP_FROM_FORWARDED_HEADER numBridges = config.MOAT_BRIDGES_PER_ANSWER skipLoopback = config.MOAT_SKIP_LOOPBACK_ADDRESSES logging.info("Starting moat servers...") setFQDN(config.SERVER_PUBLIC_FQDN) setRoot(config.MOAT_SERVER_PUBLIC_ROOT) setSupportedTransports(config.SUPPORTED_TRANSPORTS) setPreferredTransports(config.MOAT_TRANSPORT_PREFERENCE_LIST) # Get the master HMAC secret key for CAPTCHA challenges, and then # create a new HMAC key from it for use on the server. captchaKey = crypto.getKey(config.MOAT_GIMP_CAPTCHA_HMAC_KEYFILE) hmacKey = crypto.getHMAC(captchaKey, "Moat-Captcha-Key") # Load or create our encryption keys: secretKey, publicKey = crypto.getRSAKey(config.MOAT_GIMP_CAPTCHA_RSA_KEYFILE) sched = Unscheduled() if config.MOAT_ROTATION_PERIOD: count, period = config.MOAT_ROTATION_PERIOD.split() sched = ScheduledInterval(count, period) sitePublicDir = getRoot() meek = CustomErrorHandlingResource() moat = CustomErrorHandlingResource() fetch = CaptchaFetchResource(hmacKey, publicKey, secretKey, config.GIMP_CAPTCHA_DIR, fwdHeaders, skipLoopback) check = CaptchaCheckResource(distributor, sched, numBridges, hmacKey, publicKey, secretKey, fwdHeaders, skipLoopback) moat.putChild("fetch", fetch) moat.putChild("check", check) meek.putChild("moat", moat) root = CustomErrorHandlingResource() root.putChild("meek", meek) root.putChild("moat", moat) site = Site(root) site.displayTracebacks = False if config.MOAT_HTTP_PORT: # pragma: no cover ip = config.MOAT_HTTP_IP or "" port = config.MOAT_HTTP_PORT or 80 try: reactor.listenTCP(port, site, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started Moat HTTP server on %s:%d" % (str(ip), int(port))) if config.MOAT_HTTPS_PORT: # pragma: no cover ip = config.MOAT_HTTPS_IP or "" port = config.MOAT_HTTPS_PORT or 443 try: from twisted.internet.ssl import DefaultOpenSSLContextFactory factory = DefaultOpenSSLContextFactory(config.MOAT_TLS_KEY_FILE, config.MOAT_TLS_CERT_FILE) reactor.listenSSL(port, site, factory, interface=ip) except CannotListenError as error: raise SystemExit(error) logging.info("Started Moat TLS server on %s:%d" % (str(ip), int(port))) return site