diff --git a/scripts/bisq-monitor-13002.conf b/scripts/bisq-monitor-13002.conf
new file mode 100644
index 0000000..073b2e8
--- /dev/null
+++ b/scripts/bisq-monitor-13002.conf
@@ -0,0 +1,5 @@
+PROXY_HOST=127.0.0.1
+PROXY_PORT=9050
+LOCAL_PORT=9082
+REMOTE_HOST=bisqmonorsysbgqnma5ghacqgc2pyobk5gezlfo4q5wkemq66r47vmqd.onion
+REMOTE_PORT=13002
\ No newline at end of file
diff --git a/scripts/bisq-monitor-2002.conf b/scripts/bisq-monitor-2002.conf
new file mode 100644
index 0000000..b0e5e65
--- /dev/null
+++ b/scripts/bisq-monitor-2002.conf
@@ -0,0 +1,5 @@
+PROXY_HOST=127.0.0.1
+PROXY_PORT=9050
+LOCAL_PORT=9081
+REMOTE_HOST=bisqmonorsysbgqnma5ghacqgc2pyobk5gezlfo4q5wkemq66r47vmqd.onion
+REMOTE_PORT=2002
\ No newline at end of file
diff --git a/scripts/http-to-socks-proxy@.service b/scripts/http-to-socks-proxy@.service
new file mode 100644
index 0000000..a4a9190
--- /dev/null
+++ b/scripts/http-to-socks-proxy@.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=HTTP-to-SOCKS proxy
+After=network.target
+
+[Service]
+EnvironmentFile=/etc/http-to-socks-proxy/%i.conf
+ExecStart=/usr/bin/socat tcp4-LISTEN:${LOCAL_PORT},reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:${PROXY_HOST}:${REMOTE_HOST}:${REMOTE_PORT},socksport=${PROXY_PORT}
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/install_collectd_debian.sh b/scripts/install_collectd_debian.sh
index fac32c5..2786eb4 100755
--- a/scripts/install_collectd_debian.sh
+++ b/scripts/install_collectd_debian.sh
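Review bot: The `[Service]` section of `http-to-socks-proxy@.service` sets no `User=`, so socat runs as root although it only listens on an unprivileged loopback port and connects out to the local SOCKS port. Adding `DynamicUser=yes` under `[Service]` drops it to a throwaway account with a read-only view of the system, which limits what a socat bug or a misbehaving peer can reach. The unit is also ordered only after `network.target`; since every connection depends on the local Tor SOCKS listener, `After=network.target tor.service` and `Restart=on-failure` would make start-up order and recovery explicit.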
@@ -3,22 +3,22 @@ set -e # Usage: `$ sudo ./install_collectd_debian.sh` -echo "[*] Bisq Server Monitoring installation script" +echo "[*] Bisq server monitoring installation script" -##### change paths if necessary for your system +##### Change parameters if necessary for your system BISQ_MONITOR_REPO_URL=https://raw.githubusercontent.com/bisq-network/bisq-monitor BISQ_MONITOR_REPO_TAG=main ROOT_USER=root ROOT_GROUP=root ROOT_HOME=~root -ROOT_PKG=(curl patch nginx collectd openssl) +ROOT_PKG=(curl patch nginx libnginx-mod-stream collectd openssl socat tor basez) SYSTEMD_ENV_HOME=/etc/default ##### echo "[*] Gathering information" -read -p "Please provide the onion address of your service (eg. 3f3cu2yw7u457ztq): " onionaddress +read -p "Please provide the onion address of your service, without \".onion\" (eg. runbtcsd42pwlfna32ibcrrykrcmozgv6x73sxjrdohkm55v5f6nh6ad): " onionaddress echo "[*] Updating apt repo sources" DEBIAN_FRONTEND=noninteractive apt-get update -q @@ -29,8 +29,7 @@ DEBIAN_FRONTEND=noninteractive apt-get upgrade -qq -y echo "[*] Installing base packages" DEBIAN_FRONTEND=noninteractive apt-get install -qq -y ${ROOT_PKG[@]} -echo "[*] Preparing Bisq init script for monitoring" -# remove stuff it it is there already +echo "[*] Configuring JVM options to allow for monitoring" for file in "${SYSTEMD_ENV_HOME}/bisq.env" "${SYSTEMD_ENV_HOME}/bisq-pricenode.env" do if [ -f "$file" ];then @@ -41,8 +40,8 @@ done echo "[*] Seeding entropy from /dev/urandom" /bin/sh -c "head -1500 /dev/urandom > ${ROOT_HOME}/.rnd" + echo "[*] Installing Nginx config" -openssl req -x509 -nodes -newkey rsa:2048 -days 3000 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt -subj="/O=Bisq/OU=Bisq Infrastructure/CN=$onionaddress" curl -s "${BISQ_MONITOR_REPO_URL}/${BISQ_MONITOR_REPO_TAG}/scripts/nginx.conf" > /tmp/nginx.conf install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 /tmp/nginx.conf /etc/nginx/nginx.conf 
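Review bot: The value read by the new `read -p` prompt is never validated, yet the prompt now expects a 56-character v3 address without the suffix, and a context line in a later hunk interpolates it as root into `sed -i -e "s/__ONION_ADDRESS__/$onionaddress/"`. A pasted `.onion` suffix, a stray `/` or `&`, or an old v2 address would silently produce a broken or altered collectd.conf. Reading with `read -r -p` and adding `[[ "$onionaddress" =~ ^[a-z2-7]{56}$ ]] || { echo "invalid onion address" >&2; exit 1; }` directly after the prompt rejects such input before it is used.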
@@ -51,10 +50,33 @@ curl -s "${BISQ_MONITOR_REPO_URL}/${BISQ_MONITOR_REPO_TAG}/scripts/collectd.conf install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 /tmp/collectd.conf /etc/collectd/collectd.conf sed -i -e "s/__ONION_ADDRESS__/$onionaddress/" /etc/collectd/collectd.conf +echo "[*] Installing http-to-socks-proxy config" +curl -s "${BISQ_MONITOR_REPO_URL}/${BISQ_MONITOR_REPO_TAG}/scripts/http-to-socks-proxy@.service" > /tmp/http-to-socks-proxy@.service +install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 /tmp/http-to-socks-proxy@.service /etc/systemd/system/http-to-socks-proxy@.service +curl -s "${BISQ_MONITOR_REPO_URL}/${BISQ_MONITOR_REPO_TAG}/scripts/bisq-monitor-2002.conf" > /tmp/bisq-monitor-2002.conf +curl -s "${BISQ_MONITOR_REPO_URL}/${BISQ_MONITOR_REPO_TAG}/scripts/bisq-monitor-13002.conf" > /tmp/bisq-monitor-13002.conf +mkdir -p /etc/http-to-socks-proxy/ +install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 /tmp/bisq-monitor-2002.conf /etc/http-to-socks-proxy/bisq-monitor-2002.conf +install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 /tmp/bisq-monitor-13002.conf /etc/http-to-socks-proxy/bisq-monitor-13002.conf + +echo "[*] Generating Tor client authorization key" +openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem +private_key=$(cat /tmp/k1.prv.pem | grep -v " PRIVATE KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g') +public_key=$(openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g') +rm /tmp/k1.prv.pem + +echo "[*] Configuring ClientOnionAuth" +grep -qxF 'ClientOnionAuthDir /var/lib/tor/onion_auth' /etc/tor/torrc || echo 'ClientOnionAuthDir /var/lib/tor/onion_auth' >> /etc/tor/torrc +mkdir /var/lib/tor/onion_auth +echo "bisqmonorsysbgqnma5ghacqgc2pyobk5gezlfo4q5wkemq66r47vmqd:descriptor:x25519:$private_key" > /var/lib/tor/onion_auth/bisqmonorsysbgqnma5ghacqgc2pyobk5gezlfo4q5wkemq66r47vmqd.auth_private +chown -R debian-tor:debian-tor /var/lib/tor/onion_auth + 
echo "[*] Updating systemd daemon configuration" systemctl daemon-reload systemctl enable nginx.service systemctl enable collectd.service +systemctl enable http-to-socks-proxy@bisq-monitor-2002 +systemctl enable http-to-socks-proxy@bisq-monitor-13002 echo "[*] Symlink libjvm.so for collectd to work" ln -s /usr/lib/jvm/openjdk-11.0.2/lib/server/libjvm.so /lib/x86_64-linux-gnu/libjvm.so || true @@ -63,8 +85,7 @@ echo "[*] Add monitor parameter to bisq seednode service" ( patch -u /etc/default/bisq.env || true ) </dev/null 2>&1 @@ -96,14 +114,16 @@ service bisq-pricenode status >/dev/null 2>&1 [ $? != 4 ] && systemctl restart bisq-pricenode.service systemctl restart nginx.service systemctl restart collectd.service +systemctl restart http-to-socks-proxy@bisq-monitor-2002 +systemctl restart http-to-socks-proxy@bisq-monitor-13002 echo '[*] Done!' echo ' ' -echo '[*] Report this certificate to the monitoring team!' +echo '[*] Provide the following to the monitoring team!' echo '----------------------------------------------------------------' echo "Server: $onionaddress" echo ' ' -cat /etc/nginx/cert.crt +echo "Public key: $public_key" echo '----------------------------------------------------------------' echo ' ' diff --git a/scripts/nginx.conf b/scripts/nginx.conf index d498e73..b157d7d 100644 --- a/scripts/nginx.conf +++ b/scripts/nginx.conf 
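Review bot: The Tor client-authorization private key is generated at the fixed path `/tmp/k1.prv.pem` by a root-run script and removed only on the success path, so a predictable name in a world-writable directory is written as root, and an abort under `set -e` between `openssl genpkey` and `rm` leaves the key behind. Generating it inside a `mktemp -d` directory with an EXIT trap (assuming the script sets no other EXIT trap) avoids both, as in the fence below. The plain `mkdir /var/lib/tor/onion_auth` fails on a second run and stops the script, and the `.auth_private` file is created with the default umask before the `chown`; `install -d -m 700` and a `umask 077` subshell cover those. Separately, the new `curl -s … > /tmp/…` lines install whatever the `main` branch returns, an HTTP error body included, as a systemd unit run by root; `curl -fsS` and pinning `BISQ_MONITOR_REPO_TAG` to a release tag or commit would narrow that.

```shell
# … unchanged: http-to-socks-proxy unit and conf download/install …

echo "[*] Generating Tor client authorization key"
key_dir=$(mktemp -d)                       # 0700 directory, unpredictable name
trap 'rm -rf -- "${key_dir:?}"' EXIT       # key is removed on every exit path
openssl genpkey -algorithm x25519 -out "${key_dir}/k1.prv.pem"
private_key=$(grep -v " PRIVATE KEY" "${key_dir}/k1.prv.pem" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g')
public_key=$(openssl pkey -in "${key_dir}/k1.prv.pem" -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g')

echo "[*] Configuring ClientOnionAuth"
# … unchanged: ClientOnionAuthDir line appended to /etc/tor/torrc …
install -d -o debian-tor -g debian-tor -m 700 /var/lib/tor/onion_auth
(
  umask 077                                # key file is never group/world readable
  echo "bisqmonorsysbgqnma5ghacqgc2pyobk5gezlfo4q5wkemq66r47vmqd:descriptor:x25519:$private_key" > /var/lib/tor/onion_auth/bisqmonorsysbgqnma5ghacqgc2pyobk5gezlfo4q5wkemq66r47vmqd.auth_private
)
# … unchanged: chown -R debian-tor:debian-tor /var/lib/tor/onion_auth …
```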
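Review bot: Tor itself is not restarted or reloaded in the restart block of the last hunk, so the `ClientOnionAuthDir` line appended to `/etc/tor/torrc` and the new `.auth_private` file are not picked up by the tor daemon that the apt install already started. The two `http-to-socks-proxy@…` services would then come up but tunnel to an onion service the client cannot yet authenticate to, and metrics would be dropped without an obvious error. Unless a restart happens in a part of the script outside these hunks, add `systemctl restart tor.service` before the two `systemctl restart http-to-socks-proxy@…` lines.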
@@ -8,31 +8,20 @@ events { stream { - log_format basic '$remote_addr [$time_local] ' - '$protocol Status $status Sent $bytes_sent Received $bytes_received ' - 'Time $session_time'; - - error_log syslog:server=unix:/dev/log; - access_log syslog:server=unix:/dev/log basic; - - server { - listen 127.0.0.1:2003; - proxy_pass monitor.bisq.network:2002; - proxy_ssl on; - - proxy_ssl_certificate /etc/nginx/cert.crt; - proxy_ssl_certificate_key /etc/nginx/cert.key; - - proxy_ssl_session_reuse on; - } - server { - listen 127.0.0.1:13003; - proxy_pass monitor.bisq.network:13002; - proxy_ssl on; - - proxy_ssl_certificate /etc/nginx/cert.crt; - proxy_ssl_certificate_key /etc/nginx/cert.key; - - proxy_ssl_session_reuse on; - } + log_format basic '$remote_addr [$time_local] ' + '$protocol Status $status Sent $bytes_sent Received $bytes_received ' + 'Time $session_time'; + + error_log syslog:server=unix:/dev/log; + access_log syslog:server=unix:/dev/log basic; + + server { + listen 127.0.0.1:2003; + proxy_pass 127.0.0.1:9081; + } + + server { + listen 127.0.0.1:13003; + proxy_pass 127.0.0.1:9082; + } }
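Review bot: Nothing in the new `stream` block records that transport protection moved from `proxy_ssl` to Tor: both `server` blocks now forward plaintext to `127.0.0.1:9081` and `127.0.0.1:9082`. A comment above them, such as `# Upstreams are the local socat bridges (http-to-socks-proxy@bisq-monitor-*); encryption and node authentication come from the Tor onion service and its client authorization, not TLS`, would keep a later editor from pointing `proxy_pass` at a clearnet host without re-adding TLS. It would also help to note that any local process able to reach these loopback ports can submit data under this node's authorization. Only part of the file is visible in this hunk.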