• binkps

    From Al@21:4/106 to Avon on Tue Dec 24 19:49:42 2019
    Hello Avon,

    I have 153/757 and 21:4/106 listening over TLS for binkps. :)

    I have successfully polled 153/757 from 153/757.2. I haven't yet managed a successful outbound poll, but I have more nodes to test against, so I think I'll
    just move on to some of that and get back to 153/757.2.

    All the node and nodelist details are the same, just the port is 24553. See Oli's post to me earlier today in the BINKD area to see how he's done it.

    Anyone interested feel free to poll against my node if you'd like to test.

    The Rusty MailBox
    1:153/757 and 21:4/106
    trmb.ca binkp on port 24554 and binkps on port 24553

    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Avon@21:1/101 to Al on Thu Dec 26 10:07:09 2019
    On 24 Dec 2019 at 07:49p, Al pondered and said...

    Hello Avon,

    I have 153/757 and 21:4/106 listening over TLS for binkps. :)

    well done you :)

    I have successfully polled 153/757 from 153/757.2. I haven't yet managed
    a successful outbound poll, but I have more nodes to test against, so I think I'll just move on to some of that and get back to 153/757.2.

    All the node and nodelist details are the same, just the port is 24553. See Oli's post to me earlier today in the BINKD area to see how he's
    done it.

    Can you forward that here so we have a record.

    I'm debating on what to put my focus on next playing with all of this, of
    which I am very interested in getting working... or doing some work on NET 2
    to move it along from its current setup..

    You're running a Linux system right? Might I need to move to that OS first before I can really play with all of this?

    --- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From Al@21:4/106 to Avon on Wed Dec 25 16:28:24 2019
    All the node and nodelist details are the same, just the port
    is 24553. See Oli's post to me earlier today in the BINKD area
    to see how he's done it.

    Can you forward that here so we have a record.

    Yep, I'll extract it and post it here in a few minutes.

    I'm debating on what to put my focus on next playing with all of
    this, of which I am very interested in getting working... or doing
    some work on NET 2 to move it along from its current setup..

    That will need focus if you do that, I'd just do that if that's what you want/need to do. I am only getting started and we can get to this when
    time is available.

    You're running a Linux system right? Might I need to move to that
    OS first before I can really play with all of this?

    Yes, I already had all the stuff I needed installed so it was simple for
    me to do. I'd imagine it's just as easy to do on Windows but the commands
    and what not might be different. It would be a good thing if we could
    figure out how to do that on Windows or Linux.

    Ttyl :-),
    Al

    --- MagickaBBS v0.13alpha (Linux/x86_64)
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Al@21:4/106 to Avon on Wed Dec 25 17:28:28 2019
    Hello Avon,

    All the node and nodelist details are the same, just the port is
    24553. See Oli's post to me earlier today in the BINKD area to
    see how he's done it.

    Can you forward that here so we have a record.

    This is Oli's post..


    === Cut ===
    = BINKD (1:153/757) ===========================================================
    Msg : 211 of 215 Rcv
    From : Oli 2:280/464.47 Tue 24 Dec 19 16:21
    To : Alan Ianson
    Subj : BINKP over TLS
    ===============================================================================
    I posted several messages with different options how to do it (in
    fidonet and fsxnet). If you have some specific questions, I'm
    happy to help.

    I saw some posts by you and others but I got lost in the ports,
    stunnels and proxies.

    Can you give me an example to..

    A. Have binkd listen on port 24553 for binkps/TLS?

    e.g. with nginx (change the path to a valid cert / key pair)

    nginx.conf:

    # nginx terminates TLS on 24553 and forwards the plaintext binkp
    # stream to binkd, which keeps listening on the standard port.
    stream {
        server {
            listen 24553 ssl;
            ssl_certificate     /etc/haproxy/ssl/ssl-cert-snakeoil.pem;
            ssl_certificate_key /etc/haproxy/ssl/ssl-cert-key-snakeoil.pem;
            proxy_pass 127.0.0.1:24554;
        }
    }

    B. Poll a binkps node listening for binkps/TLS polls?

    binkd.cfg:

    node 1:153/757.2 -pipe "openssl s_client -quiet -alpn binkp -connect *H:*I" equinoxbbs.ddns.net:24555


    + Origin: kakistocracy (2:280/464.47)

    === Cut ===


    Ttyl :-),
    Al

    --- GoldED+/LNX 1.1.5-b20180707
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
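    Oli's configuration puts plain binkp behind nginx's TLS termination, so the byte stream binkd sees on 24554 is ordinary binkp framing, the same as on a cleartext 24554 call. As an added example (not code from Oli's or Al's posts, nor from binkd), here is a small Python codec for that framing as laid out in FTS-1026: a 2-byte big-endian header whose top bit marks a command frame and whose low 15 bits give the payload length, with a command frame's first payload byte being the command id. It decodes a constructed server greeting and builds the client's opening frames; the system name, version string, challenge and password are made up for the example.

    ```python
    """binkp frame codec (FTS-1026 framing) for what travels inside the TLS
    tunnel once the proxy has terminated it. Added example; the greeting
    and client frames below are constructed, not captured from any node."""
    import struct

    # command ids in FTS-1026 order
    M_NUL, M_ADR, M_PWD, M_FILE, M_OK, M_EOB, M_GOT, M_ERR, M_BSY, M_GET, M_SKIP = range(11)
    CMD_NAMES = {M_NUL: "M_NUL", M_ADR: "M_ADR", M_PWD: "M_PWD", M_FILE: "M_FILE",
                 M_OK: "M_OK", M_EOB: "M_EOB", M_GOT: "M_GOT", M_ERR: "M_ERR",
                 M_BSY: "M_BSY", M_GET: "M_GET", M_SKIP: "M_SKIP"}
    MAX_PAYLOAD = 0x7FFF  # 15-bit length field


    def encode_command(cmd: int, arg: str) -> bytes:
        """Build one command frame: header with the command bit set, then id + text."""
        payload = bytes([cmd]) + arg.encode("latin-1")
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("binkp payload exceeds the 15-bit length field")
        return struct.pack(">H", 0x8000 | len(payload)) + payload


    def decode_frames(data: bytes):
        """Split a byte stream into (is_command, cmd_or_None, payload) tuples.
        Returns the complete frames and any trailing partial bytes, so a
        caller reading from a socket can keep the remainder for the next read."""
        frames, pos = [], 0
        while pos + 2 <= len(data):
            hdr, = struct.unpack_from(">H", data, pos)
            is_cmd, length = bool(hdr & 0x8000), hdr & MAX_PAYLOAD
            if pos + 2 + length > len(data):
                break  # incomplete frame; wait for more bytes
            payload = data[pos + 2 : pos + 2 + length]
            pos += 2 + length
            if is_cmd:
                if not payload:
                    raise ValueError("command frame without a command byte")
                frames.append((True, payload[0], payload[1:]))
            else:
                frames.append((False, None, payload))
        return frames, data[pos:]


    def summarize_greeting(data: bytes) -> dict:
        """Reduce a server greeting to what a poller cares about: the M_NUL
        options (SYS/ZYZ/VER/OPT), the advertised addresses, and whether the
        node answered busy."""
        frames, rest = decode_frames(data)
        info = {"nul": {}, "addresses": [], "busy": False,
                "sequence": [], "trailing": len(rest)}
        for is_cmd, cmd, payload in frames:
            if not is_cmd:
                continue
            info["sequence"].append(CMD_NAMES.get(cmd, f"cmd{cmd}"))
            text = payload.decode("latin-1")
            if cmd == M_NUL:
                key, _, value = text.partition(" ")
                info["nul"][key] = value
            elif cmd == M_ADR:
                info["addresses"].extend(text.split())
            elif cmd == M_BSY:
                info["busy"] = True
        return info


    # Constructed server greeting, in the shape a binkd answering node sends.
    SAMPLE_GREETING = b"".join([
        encode_command(M_NUL, "SYS The Rusty MailBox"),
        encode_command(M_NUL, "ZYZ Al"),
        encode_command(M_NUL, "VER binkd/1.1a-99 binkp/1.1"),   # made-up version
        encode_command(M_NUL, "OPT CRAM-MD5-0123456789abcdef"),  # made-up challenge
        encode_command(M_ADR, "1:153/757@fidonet 21:4/106@fsxnet"),
    ])

    # Client side of the opening exchange: identify, then authenticate.
    CLIENT_HELLO = b"".join([
        encode_command(M_NUL, "SYS Polling node"),
        encode_command(M_ADR, "1:153/757.2@fidonet"),
        encode_command(M_PWD, "secret"),  # made-up session password
    ])

    if __name__ == "__main__":
        print(summarize_greeting(SAMPLE_GREETING))
    ```

    Pointing a `socket` read loop at `decode_frames` and keeping the returned remainder between reads is enough to watch the greeting either on the plaintext side (24554) or after `openssl s_client` has unwrapped the TLS side, which is a quick way to confirm the proxy is really handing binkp through.
    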
  • From Alterego@21:2/116 to Al on Thu Dec 26 18:08:09 2019
    Re: binkps
    By: Al to Avon on Tue Dec 24 2019 07:49 pm

    I have 153/757 and 21:4/106 listening over TLS for binkps. :)

    Me too - 24553 for 21:2/116 and the other nets I'm in...
    ...deon


    ... After two days in hospital, I took a turn for the nurse.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From shinobi@21:1/153 to Al on Fri Apr 10 11:15:53 2020
    Hello Al,

    nginx.conf:

    From that setup where you use nginx as the stream proxy for SSL binkps I
    would have a small comment. That's the trouble when you connect with more
    than one node concurrently. The IP address is not forwarded through the proxy and you basically connect from localhost. That means when you connect with
    more than one node you get the Duplicate I.P. message. I'm uncertain if this cannot be configured otherwise. But there is a solution for how to connect with more than one node at once.

    The Mystic BBS can be configured to listen on multiple ports with the BINKP server. That means what could be done is to set up several BINKP servers listening on localhost, e.g. 24554, 24555, 24556, 24557, 24558. Then you can have 5 concurrent connections from the proxy server. nginx can
    load-balance, and this is how it could be done:

    stream {
        # one backend per Mystic BINKP listener on localhost; max_conns=1 keeps
        # nginx from sending a second caller to a listener that is already busy
        upstream binkps {
            server 127.0.0.1:24554 max_conns=1;
            server 127.0.0.1:24555 max_conns=1;
            server 127.0.0.1:24556 max_conns=1;
            server 127.0.0.1:24557 max_conns=1;
            server 127.0.0.1:24558 max_conns=1;
        }
        server {
            listen 29543 ssl;
            proxy_pass binkps;
            ssl_certificate     /etc/nginx/ssl/snake-oil.crt;
            ssl_certificate_key /etc/nginx/ssl/snake-oil.key;
            # passphrase(s) for the private key, one per line
            ssl_password_file   /etc/nginx/ssl/password-file.txt;
            # ssl_preread inspects the ClientHello on listeners that pass TLS
            # through untouched; with "listen ... ssl" above it is not needed
            ssl_preread on;
        }
    }

    That will actually provide the possibility of 5 concurrent connections from the nodes. The ssl_password_file parameter gives the file where the password for the certificate is stored.

    In the upstream list of servers, max_conns prevents load-balancing more than one client at once to a given BINKP server.

    Probably there is an easier solution. But this is what worked for me.

    BTW: The solution can be to use stunnel, as you wrote. In that case the
    following configuration can be used:

    /etc/stunnel/stunnel.conf
    ; one service: terminate TLS on 29543, forward plaintext to the BINKP port
    [binkps]
    accept = 29543
    connect = 24554
    cert = /etc/stunnel/stunnel.pem
    ; "proxy" makes stunnel prepend a HAProxy PROXY-protocol header carrying the
    ; caller's real address; the service on 24554 must understand that header
    protocol = proxy

    However, it still retains the shortcoming of only one concurrent session from the nodes. The other is rejected with the BUSY message.

    What I would really like to explore is HAPROXY. However, most of the solutions are made for the http and https protocols. Therefore, if you would like
    to forward the real IP address, it can be achieved only in those protocols.

    I tried the configuration of nginx with the proxy option as follows:

    listen 29543 ssl proxy_protocol;

    and then

    proxy_protocol on;

    This works just for a moment when the client connects via the proxy to the BINKP server. Just when the real IP address is forwarded then... what I guess is that the BINKP server responds to the real IP... but that's not accessible because
    the connection is established from within nginx... and then the response goes elsewhere. If one were to use http, then the directives

    proxy_set_header X-Real-IP $proxy_protocol_addr;
    proxy_set_header X-Forwarded-For $proxy_protocol_addr;

    could be used. But that's not the case here because the headers cannot be
    modified in the stream (TCP) nginx proxy mode.

    That's about it. Correct me if I'm wrong.

    Best regards

    Shinobi <.Phenom.>

    BBS Toolbox https://bbst.neocities.org

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Infoline BBS (21:1/153)
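    shinobi's observation above is that every caller arriving through the nginx stream proxy shows up at the BINKP server as 127.0.0.1, and that switching on `proxy_protocol` broke the session instead of fixing that. The following Python is an added example, not code from the thread or from any BBS package: it shows what the PROXY protocol v1 header looks like on the wire in front of the first binkp frame, how a PROXY-aware backend strips it to recover the caller's real address and port, and what a PROXY-unaware binkp implementation makes of the same first two bytes. The connection bytes, the 203.0.113.5 caller and the 10.0.0.1 proxy address are constructed for the example.

    ```python
    """PROXY protocol v1 in front of binkp: what the backend receives when the
    proxy is told to forward the real client address. Added example; the
    sample connection bytes are constructed, not captured."""
    import ipaddress
    import struct

    PROXY_V1_MAX = 107  # longest legal v1 line, CRLF included


    def strip_proxy_v1(data: bytes):
        """Parse and remove a PROXY v1 header from the start of a connection.
        Returns (src_ip, src_port, rest). With no header present it returns
        (None, None, data) so the caller decides whether that is acceptable;
        with the UNKNOWN form (proxy could not determine addresses) the header
        is consumed but no address is returned."""
        if not data.startswith(b"PROXY "):
            return None, None, data
        end = data.find(b"\r\n", 0, PROXY_V1_MAX)
        if end == -1:
            raise ValueError("PROXY header missing CRLF within 107 bytes")
        fields = data[:end].decode("ascii").split(" ")
        rest = data[end + 2:]
        if fields[1] == "UNKNOWN":
            return None, None, rest
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError(f"malformed PROXY header: {fields}")
        _, proto, src, dst, sport, dport = fields
        src_ip = ipaddress.ip_address(src)
        ipaddress.ip_address(dst)  # validated; destination not needed here
        if (proto == "TCP4") != (src_ip.version == 4):
            raise ValueError("address family does not match the PROXY tag")
        sport_i, dport_i = int(sport), int(dport)
        for p in (sport_i, dport_i):
            if not 0 < p < 65536:
                raise ValueError("port out of range in PROXY header")
        return str(src_ip), sport_i, rest


    def naive_binkp_header(data: bytes):
        """How a PROXY-unaware binkp implementation reads the first two bytes:
        (is_command_frame, payload_length)."""
        hdr, = struct.unpack(">H", data[:2])
        return bool(hdr & 0x8000), hdr & 0x7FFF


    # Constructed: the caller's first binkp frame, M_NUL "SYS Test"
    # (header 0x8009 = command bit + 9 payload bytes, then command id 0).
    FIRST_FRAME = b"\x80\x09\x00SYS Test"
    # The same frame as it arrives after a proxy with PROXY protocol enabled.
    WITH_HEADER = b"PROXY TCP4 203.0.113.5 10.0.0.1 51234 24554\r\n" + FIRST_FRAME

    if __name__ == "__main__":
        print(strip_proxy_v1(WITH_HEADER))      # real caller recovered
        print(naive_binkp_header(WITH_HEADER))  # 'P','R' read as a frame header
    ```

    A binkp server that does not speak PROXY protocol sees the bytes `P` `R` as a data-frame header announcing a 20562-byte payload and never gets a valid command frame, so the session dies before any M_ADR is exchanged; this is why the directive has to be paired with a backend that knows the header, which none of the BINKP servers named in this thread claim to.
    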
  • From Al@21:4/106 to shinobi on Fri Apr 10 12:39:56 2020
    Hello shinobi,

    Long time no hear, I hope all is well with you.

    The Mystic BBS can be configured to listen on multiple ports with the BINKP server. That means what could be done is to set up several BINKP servers listening on localhost, e.g. 24554, 24555, 24556, 24557, 24558. Then you can have 5 concurrent connections from the proxy server. nginx can load-balance, and this is how it could be done:

    In my case I am using binkd. nginx is listening on port 24553 and if the tls handshake is successful it passes the connection to my running binkd on the standard port.

    That's not what I would call the right way to do it.

    That's about it. Correct me if I'm wrong.

    I think that's all right. All this network stuff is way above my pay grade quite frankly. ;)

    If it wasn't for Oli's help I wouldn't have been able to connect the dots.

    It is my hope that the binkd developers will sit around a table at some point and discuss what is needed to make this happen in binkd itself in a similar way
    to how Mystic and Synchronet (BinkIT) handle these tls connections themselves.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From alterego@21:2/116 to shinobi on Sat Apr 11 08:10:45 2020
    Re: Re: binkps
    By: shinobi to Al on Fri Apr 10 2020 11:15 am

    than one node concurrently. The ip address is not forwarded through the proxy and You basically connect from localhost. That means when You

    Can you put localhost in a whitelist of some sort?
    ...deon


    ... Professionals build the Titanic, amateurs built the Ark.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to Al on Sat Apr 11 10:50:40 2020
    Al wrote (2020-04-10):

    The Mystic BBS can be configured to listen on multiple ports with
    the BINKP server. That means what could be done is to setup several
    BINKP server listening on localhost. E.g. 24554, 24555, 24556,
    24557, 24558. Then You can have 5 concurrent connections from the
    proxy server. The nginx can load-balance and this is how it could
    be done:

    In my case I am using binkd. nginx is listening on port 24553 and if the tls handshake is successful it passes the connection to my running binkd
    on the standard port.

    That's not what I would call the right way to do it.

    It's also not the wrong way to do it and it has some advantages (and a few disadvantages). I'm doing this with https and xmpps as well, even if the servers support TLS by themselves.

    TLS support in binkd would be nice, but for incoming connections I would still use nginx or haproxy for TLS termination.

    ---
    * Origin: (21:3/102)
  • From alterego@21:2/116 to Oli on Sat Apr 11 19:18:02 2020
    Re: binkps
    By: Oli to Al on Sat Apr 11 2020 10:50 am

    That's not what I would call the right way to do it.
    It's also not the wrong way to do it and it has some advantages (and a few
    disadvantages). I'm doing this with https and xmpps as
    well, even if the servers support TLS by themselves.

    I think Al was referring to getting around a Mystic loophole, where multiple connections from the same IP address are problematic (since all connections via
    nginx are via the nginx host's IP address).

    I wonder if setting 127.0.0.1 (or the nginx host's ip address) in a whitelist of some sort would get around this issue?
    ...deon


    ... There are always alternatives. Spock, The Galileo Seven, stardate 2822.3.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to shinobi on Sat Apr 11 11:46:56 2020
    shinobi wrote (2020-04-10):

    Hello Al,

    nginx.conf:

    From that setup where you use nginx as the stream proxy for SSL binkps I would have a small comment. That's the trouble when you connect with more than one node concurrently. The IP address is not forwarded through the proxy and you basically connect from localhost. That means when you
    connect with more than one node you get the Duplicate I.P. message. I'm uncertain if this cannot be configured otherwise. But there is a solution for how to connect with more than one node at once.

    The Mystic BBS can be configured to listen on multiple ports with the
    BINKP server. That means what could be done is to set up several BINKP servers listening on localhost, e.g. 24554, 24555, 24556, 24557, 24558.
    Then you can have 5 concurrent connections from the proxy server.
    nginx can load-balance, and this is how it could be done:

    you could also tell nginx to use different IPs for the connection. I haven't tried it and I cannot provide a configuration example, but I think it's doable

    proxy_bind 127.0.0.2;
    ....
    proxy_bind 127.0.0.3;
    ....
    proxy_bind 127.0.0.4;


    You can also try to running it as a transparent proxy.

    https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#ip-transparency

    ---
    * Origin: (21:3/102)
  • From NuSkooler@21:1/121 to Oli on Sat Apr 11 12:56:48 2020

    On Saturday, April 11th Oli muttered...
    TLS support in binkd would be nice, but for incoming connections I would still use nginx or haproxy for TLS termination.

    +1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer reviewed in terms of security. Various BBS packages are not. I had to enable some older cipher suites and lessen security just to allow some particular BBS terminals to connect to my b
    ...just kind of jumping in here. What did the "binkps" proto end up looking like? Just bink proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)
    --
    NuSkooler
    Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
    ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
    --- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Oli@21:3/102 to NuSkooler on Sat Apr 11 21:49:19 2020
    NuSkooler wrote (2020-04-11):

    On Saturday, April 11th Oli muttered...
    TLS support in binkd would be nice, but for incoming connections I
    would still use nginx or haproxy for TLS termination.

    +1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer reviewed in terms of security. Various BBS packages are not. I had to enable some older cipher suites and lessen security just to allow some particular BBS terminals to connect to my b

    A Mystic hub truncated the line again ...

    ..just kind of jumping in
    here. What did the "binkps" proto end up looking like? Just bink proxied over TLS?

    Yes, but besides that we haven't agreed on anything. If I had to define it, it would most likely look like this:

    - must support TLS 1.3
    - client must not send an unencrypted hostname (SNI) without prior agreement
    - it shouldn't rely on CAs. Pinned certs with TOFU, DANE or nodelist flag


    I'd like to get this set up (I'll be TLS terminating with Caddy
    personally)

    I haven't used Caddy as a TCP proxy, only nginx, haproxy and stunnel. Would be nice, if you could try it with binkp.

    ---
    * Origin: (21:3/102)
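    Oli's three points above (TLS 1.3, no SNI without prior agreement, pinned certificates learned trust-on-first-use rather than a CA chain) map directly onto a client's TLS settings. The following Python is an added example, not part of the thread, of binkd or of any agreed binkps specification: it builds a TLS 1.3-only context that sends no SNI and no longer consults a CA, fetches the peer's certificate and applies TOFU pinning by SHA-256 of the DER encoding. The pin-store format (one "address sha256hex" line per node), the helper names and the stand-in certificate bytes used to exercise the store are this example's own assumptions.

    ```python
    """TOFU-pinned, TLS 1.3-only, SNI-less client side for binkp over TLS.
    Added example; pin-store format and helper names are assumptions, and
    the DER stand-ins used when run stand-alone are not real certificates."""
    import hashlib
    import socket
    import ssl
    from pathlib import Path


    def cert_pin(der: bytes) -> str:
        """Pin = SHA-256 over the whole DER certificate, hex encoded."""
        return hashlib.sha256(der).hexdigest()


    def check_pin(store: dict, node: str, der: bytes) -> str:
        """Trust-on-first-use decision for the certificate a node presents:
        'learned' on first contact (pin recorded), 'match', or 'MISMATCH'.
        A mismatch must abort the session: either the sysop rotated the cert
        and announced it out of band, or something is in the path."""
        pin = cert_pin(der)
        known = store.get(node)
        if known is None:
            store[node] = pin
            return "learned"
        return "match" if known == pin else "MISMATCH"


    def load_store(path: Path) -> dict:
        """Read 'node pin' lines; a missing file is an empty store."""
        if not path.exists():
            return {}
        return dict(line.split() for line in path.read_text().splitlines() if line.strip())


    def save_store(path: Path, store: dict) -> None:
        path.write_text("".join(f"{n} {p}\n" for n, p in sorted(store.items())))


    def binkps_context() -> ssl.SSLContext:
        """TLS 1.3 minimum, ALPN 'binkp' as in Oli's s_client line, and CA
        validation off because identity comes from the pin, not a chain."""
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
        ctx.check_hostname = False       # must precede CERT_NONE; we pin instead
        ctx.verify_mode = ssl.CERT_NONE  # chain not consulted; the pin is authoritative
        ctx.set_alpn_protocols(["binkp"])
        return ctx


    def connect_pinned(host: str, port: int, node: str, store_path: Path, timeout=20):
        """Open the TLS session without SNI (server_hostname=None keeps the
        hostname out of the ClientHello), fetch the peer's DER certificate,
        apply TOFU, and hand back the socket only if the pin check passed.
        The binkp greeting is then read from the returned socket as usual."""
        store = load_store(store_path)
        raw = socket.create_connection((host, port), timeout=timeout)
        tls = binkps_context().wrap_socket(raw, server_hostname=None)
        try:
            der = tls.getpeercert(binary_form=True)
            if der is None:
                raise ssl.SSLError("peer presented no certificate")
            verdict = check_pin(store, node, der)
            if verdict == "MISMATCH":
                raise ssl.SSLError(f"certificate pin mismatch for {node}")
            save_store(store_path, store)
            return tls
        except Exception:
            tls.close()
            raise


    if __name__ == "__main__":
        # Offline walk-through of the pin store with constructed DER stand-ins.
        store = {}
        der_a = b"\x30\x82constructed-cert-A"
        der_b = b"\x30\x82constructed-cert-B"
        print(check_pin(store, "21:4/106", der_a))  # learned
        print(check_pin(store, "21:4/106", der_a))  # match
        print(check_pin(store, "21:4/106", der_b))  # MISMATCH
    ```

    With `verify_mode` at `CERT_NONE` the pin is the only identity check, so the first contact is the moment of trust: a pin learned through an interposed proxy stays wrong until someone notices. Seeding the store from a pin the sysop publishes out of band (which is where Oli's DANE or nodelist-flag ideas would come in) removes that window.
    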
  • From Al@21:4/106 to NuSkooler on Sat Apr 11 13:11:18 2020
    Hello NuSkooler,

    What did the "binkps" proto end up looking like? Just bink
    proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)

    There is no binkps proto, at least such a thing hasn't happened yet.

    In my own pondering I think CRAM-MD5 and crypt could be removed if a binkps proto ever did come to be but that is for binkps developers to look at and decide on.

    I have not heard anything from the binkd developers about any of this. Maybe they are not interested or maybe there is no one on the binkd team to bring this forward.

    It would be a good thing if they were part of all this but I am not seeing them.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Havok@21:4/10 to alterego on Sat Apr 11 16:52:26 2020
    Re: Re: binkps
    By: alterego to shinobi on Sat Apr 11 2020 08:10 am


    Can you put localhost in a whitelist of some sort?

    I guess why not
    127.0.0.1
    192.168.0.65 (so to speak)

    How about anyone else?

    Just a thought...

    Havok

    ... Not one hundred percent efficient, of course.but nothing ever is.

    ---
    ■ Synchronet ■ Gray Matter BBS | graymatterbbs.com:2332
    * Origin: fsxNet FTN<>QWK Gateway (21:4/10)
  • From alterego@21:2/116 to NuSkooler on Sun Apr 12 10:33:33 2020
    Re: RE: binkps
    By: NuSkooler to Oli on Sat Apr 11 2020 12:56 pm

    here. What did the "binkps" proto end up looking like? Just bink proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)

    Yup, my implementation on Hub 3 is via nginx - so caddy should be OK to do the same thing.

    On my node 2/116, its with binkit, and I think DM just put in a TLS call before
    running the main binkit code.

    If you need help, yell out. You can poll Hub 3 or me if need to test :)
    ...deon


    ... There are always alternatives. Spock, The Galileo Seven, stardate 2822.3.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)