Add README.md

9 months ago · 595232f9e3
3 changed files with 155 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,151 @@
+# Meta
+
+*Meta* is a small Nginx/PHP tool displaying some informations in order to debug or satisfy your curiosity.
+
+## Use
+
+### Paths
+
+`/me` will redirect to `/<your-ip-address>`
+`/<any-ip-address>` will print informations obtained from databases located in the `geolite2` directory
+`/emoji` will print an emoji list
+`/<anything-else>` will print *IP*, *TCP*, *TLS* and *HTTP* metadata
+
+### Domains
+
+`meta.4.niv.re` have working A (IPv4) and AAAA (IPv6) records
+You can test IP version connectivity by forcing it throught
+* `ipv4.meta.4.niv.re` only have the A record
+* `ipv6.meta.4.niv.re` only have the AAAA record
+
+### Ports
+
+You can try to connect to a few other TCP ports than 443, using IPv6.
+
+## Installation
+
+### Nginx configuration
+
+```
+server {
+    listen 443 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:1 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:2 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:20 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:21 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:22 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:25 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:53 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:80 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:123 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:143 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:443 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:587 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:853 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:993 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:1194 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:1312 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:3478 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:5349 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:8448 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:9001 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:9030 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:16384 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:25565 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:32768 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:49152 ssl http2;
+    listen [2a01:e0a:15c:2e40::65:535]:65535 ssl http2;
+
+    server_name meta.4.niv.re *.meta.4.niv.re;
+
+    root /var/www/meta;
+    index index.php;
+    try_files $uri/ /;
+
+    more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none'; form-action 'none';";
+    more_set_headers "X-Content-Type-Options : nosniff";
+    more_set_headers "X-XSS-Protection : 1; mode=block";
+    more_set_headers "X-Download-Options : noopen";
+    more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+    more_set_headers "X-Frame-Options : DENY";
+    more_set_headers "Referrer-Policy : no-referrer";
+    more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
+    more_clear_headers Server;
+
+    ssl_prefer_server_ciphers off;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    ssl_early_data off;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
+
+    ssl_ecdh_curve X25519:X448;
+
+    ssl_certificate /etc/letsencrypt/live/meta.4.niv.re/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/meta.4.niv.re/privkey.pem;
+
+    error_log /var/log/nginx/meta.4.niv.re-error.log info;
+    access_log off;
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/var/run/php/meta.sock;
+        include inc/fastcgi.conf;
+        fastcgi_param SSL_CURVES $ssl_curves;
+        fastcgi_param SSL_CIPHERS $ssl_ciphers;
+        fastcgi_param SSL_CIPHER $ssl_cipher;
+        fastcgi_param SSL_PROTOCOL $ssl_protocol;
+        fastcgi_param SSL_SESSION_ID $ssl_session_id;
+        fastcgi_param NGINX_VERSION $nginx_version;
+        fastcgi_param TCPINFO_RTT $tcpinfo_rtt;
+        fastcgi_param TCPINFO_RTTVAR $tcpinfo_rttvar;
+        fastcgi_param TCPINFO_SND_CWND $tcpinfo_snd_cwnd;
+        fastcgi_param TCPINFO_RCV_SPACE $tcpinfo_rcv_space;
+        fastcgi_param CONNECTION $connection;
+        fastcgi_param CONNECTION_REQUESTS $connection_requests;
+        fastcgi_param REQUEST $request;
+    }
+
+    location ~ emojis.txt {
+        charset utf-8;
+    }
+}
+```
+
+### Might be useful
+
+```
+ip addr add 2a01:e0a:15c:2e40::65:535 dev eno1
+ufw allow in proto tcp to 2a01:e0a:15c:2e40::65:535 port 1:65535
+certbot certonly --nginx --key-type rsa --rsa-key-size 3072 -d *.meta.4.niv.re -d meta.4.niv.re
+```
+
+`/etc/network/interfaces`:
+
+```
+iface eno1 inet6 static
+address 2a01:e0a:15c:2e40::65:535
+```
+
+## Ressources
+
+Nginx variable list: <https://nginx.org/docs/varindex.html>
+
+PHP $_SERVER list: <https://www.php.net/manual/reserved.variables.server.php>
+
+### HTTP headers
+
+https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
+https://developer.mozilla.org/docs/Web/HTTP/Headers
+https://datatracker.ietf.org/doc/html/rfc7231
+
+## Free software
+
+*Meta* is published under **AGPLv3+** (see `LICENSE`), it's source code is available at <https://code.antopie.org/miraty/meta>. `db-reader` and `geolite2` directories contents have their own license.
--- a/index.php
+++ b/index.php
@ -1,8 +1,8 @@
 <?php
-if ($_SERVER['REQUEST_URI'] === "/me")
-  header("Location: /" . htmlspecialchars($_SERVER['REMOTE_ADDR']));
-else if ($_SERVER['REQUEST_URI'] === "/emoji")
+if ($_SERVER['REQUEST_URI'] === "/emoji")
  echo file_get_contents("emoji.html");
+else if ($_SERVER['REQUEST_URI'] === "/me")
+  header("Location: /" . htmlspecialchars($_SERVER['REMOTE_ADDR']));
 else if (filter_var(substr($_SERVER['REQUEST_URI'], 1), FILTER_VALIDATE_IP))
  require "geolite2.php";
 else
--- a/meta.php
+++ b/meta.php
@ -34,7 +34,7 @@
        <details>
          <summary>Test outgoing destination ports (IPv6 only)</summary>
          <?php
-          $reachablePorts = Array(1,2,20,21,22,23,25,53,80,123,143,443,587,853,993,1312,3478,5349,8448,16384,25535,32768,49152,65535);
+          $reachablePorts = Array(1,2,20,21,22,23,25,53,80,123,143,443,587,853,993,1312,3478,5349,8448,9001,9030,16384,25535,32768,49152,65535);
          foreach ($reachablePorts as $port) { ?>
            <a href="https://ports.meta.4.niv.re:<?= $port ?>/">https://ports.meta.4.niv.re:<strong><?= $port ?></strong>/</a><br>
          <?php }
@ -64,15 +64,6 @@
          if ($name !== "Content-Length" AND $name !== "Content-Type")
            echo htmlspecialchars($name) . ": " . htmlspecialchars($value) . "\n";
        } ?></pre>
-
-        <details>
-          <summary>Headers definition lists</summary>
-          <a href="https://en.wikipedia.org/wiki/List_of_HTTP_header_fields">https://en.wikipedia.org/wiki/List_of_HTTP_header_fields</a><br>
-          <a href="https://developer.mozilla.org/docs/Web/HTTP/Headers">https://developer.mozilla.org/docs/Web/HTTP/Headers</a><br>
-          <a href="https://datatracker.ietf.org/doc/html/rfc2616">https://datatracker.ietf.org/doc/html/rfc2616</a><br>
-          <a href="https://datatracker.ietf.org/doc/html/rfc7231#section-5">RFC 7231 <em>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</em> > <em>5. Request Header Fields</em></a><br>
-          <a href="https://datatracker.ietf.org/doc/html/rfc7231#section-7">RFC 7231 <em>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</em> > <em>7. Response Header Fields</em></a><br>
-        </details>
      </section>
    </section>