From 595232f9e39ff17cf756dfe1060b74bd8d90e785 Mon Sep 17 00:00:00 2001
From: Miraty
Date: Wed, 29 Sep 2021 17:23:17 +0200
Subject: [PATCH] Add README.md
---
 README.md | 151 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 index.php | 6 +--
 meta.php | 11 +--
 3 files changed, 155 insertions(+), 13 deletions(-)
 create mode 100644 README.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0b87f7b
--- /dev/null
+++ b/README.md
@@ -0,0 +1,151 @@
+# Meta
+
+*Meta* is a small Nginx/PHP tool displaying some informations in order to debug or satisfy your curiosity.
+
+## Use
+
+### Paths
+
+`/me` will redirect to `/`
+`/` will print informations obtained from databases located in the `geolite2` directory
+`/emoji` will print an emoji list
+`/` will print *IP*, *TCP*, *TLS* and *HTTP* metadata
+
+### Domains
+
+`meta.4.niv.re` have working A (IPv4) and AAAA (IPv6) records
+You can test IP version connectivity by forcing it throught
+* `ipv4.meta.4.niv.re` only have the A record
+* `ipv6.meta.4.niv.re` only have the AAAA record
+
+### Ports
+
+You can try to connect to a few other TCP ports than 443, using IPv6.
+
+## Installation
+
+### Nginx configuration
+
+```
+server {
+ listen 443 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:1 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:2 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:20 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:21 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:22 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:25 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:53 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:80 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:123 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:143 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:443 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:587 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:853 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:993 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:1194 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:1312 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:3478 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:5349 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:8448 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:9001 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:9030 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:16384 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:25565 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:32768 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:49152 ssl http2;
+ listen [2a01:e0a:15c:2e40::65:535]:65535 ssl http2;
+
+ server_name meta.4.niv.re *.meta.4.niv.re;
+
+ root /var/www/meta;
+ index index.php;
+ try_files $uri/ /;
+
+ more_set_headers "Content-Security-Policy : default-src 'none'; frame-ancestors 'none'; form-action 'none';";
+ more_set_headers "X-Content-Type-Options : nosniff";
+ more_set_headers "X-XSS-Protection : 1; mode=block";
+ more_set_headers "X-Download-Options : noopen";
+ more_set_headers "X-Permitted-Cross-Domain-Policies : none";
+ more_set_headers "X-Frame-Options : DENY";
+ more_set_headers "Referrer-Policy : no-referrer";
+ more_set_headers "Strict-Transport-Security : max-age=94608000; includeSubDomains; preload";
+ more_clear_headers Server;
+
+ ssl_prefer_server_ciphers off;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ ssl_early_data off;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
+
+ ssl_ecdh_curve X25519:X448;
+
+ ssl_certificate /etc/letsencrypt/live/meta.4.niv.re/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/meta.4.niv.re/privkey.pem;
+
+ error_log /var/log/nginx/meta.4.niv.re-error.log info;
+ access_log off;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/meta.sock;
+ include inc/fastcgi.conf;
+ fastcgi_param SSL_CURVES $ssl_curves;
+ fastcgi_param SSL_CIPHERS $ssl_ciphers;
+ fastcgi_param SSL_CIPHER $ssl_cipher;
+ fastcgi_param SSL_PROTOCOL $ssl_protocol;
+ fastcgi_param SSL_SESSION_ID $ssl_session_id;
+ fastcgi_param NGINX_VERSION $nginx_version;
+ fastcgi_param TCPINFO_RTT $tcpinfo_rtt;
+ fastcgi_param TCPINFO_RTTVAR $tcpinfo_rttvar;
+ fastcgi_param TCPINFO_SND_CWND $tcpinfo_snd_cwnd;
+ fastcgi_param TCPINFO_RCV_SPACE $tcpinfo_rcv_space;
+ fastcgi_param CONNECTION $connection;
+ fastcgi_param CONNECTION_REQUESTS $connection_requests;
+ fastcgi_param REQUEST $request;
+ }
+
+ location ~ emojis.txt {
+ charset utf-8;
+ }
+}
+```
+
+### Might be useful
+
+```
+ip addr add 2a01:e0a:15c:2e40::65:535 dev eno1
+ufw allow in proto tcp to 2a01:e0a:15c:2e40::65:535 port 1:65535
+certbot certonly --nginx --key-type rsa --rsa-key-size 3072 -d *.meta.4.niv.re -d meta.4.niv.re
+```
+
+`/etc/network/interfaces`:
+
+```
+iface eno1 inet6 static
+address 2a01:e0a:15c:2e40::65:535
+```
+
+## Ressources
+
+Nginx variable list:
+
+PHP $_SERVER list:
+
+### HTTP headers
+
+https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
+https://developer.mozilla.org/docs/Web/HTTP/Headers
+https://datatracker.ietf.org/doc/html/rfc7231
+
+## Free software
+
+*Meta* is published under **AGPLv3+** (see `LICENSE`), it's source code is available at . `db-reader` and `geolite2` directories contents have their own license.
diff --git a/index.php b/index.php
index a10a912..dda41f9 100644
--- a/index.php
+++ b/index.php
@@ -1,8 +1,8 @@ Test outgoing destination ports (IPv6 only) https://ports.meta.4.niv.re:/
- -
- Headers definition lists - https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
- https://developer.mozilla.org/docs/Web/HTTP/Headers
- https://datatracker.ietf.org/doc/html/rfc2616
- RFC 7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content > 5. Request Header Fields
- RFC 7231 Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content > 7. Response Header Fields
-