[SCM] The rsync repository. - branch master updated

Rsync CVS commit messages rsync-cvs at lists.samba.org
Mon Jun 15 18:36:43 UTC 2020


The branch, master has been updated
       via  1fa38546 Document how to setup rsyncd behind a TLS proxy.
       via  249e28c7 Rename "haproxy header" to "proxy protocol".
       via  6273153c Add preliminary gnutls support.
       via  628dcceb Choose openssl before stunnel.
      from  00ec415a Tweak the stunnel4 Verify config; tweak the rsync-ssl docs/usage.

https://git.samba.org/?p=rsync.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1fa38546a093075c1829291c43ccead14734d4af
Author: Wayne Davison <wayne at opencoder.net>
Date:   Mon Jun 15 11:31:01 2020 -0700

    Document how to setup rsyncd behind a TLS proxy.

commit 249e28c75a7b4c192e6228f68cd45416d07a5ebb
Author: Wayne Davison <wayne at opencoder.net>
Date:   Mon Jun 15 11:23:27 2020 -0700

    Rename "haproxy header" to "proxy protocol".

commit 6273153c5f7aa615c69f20c25708390ca1048d3a
Author: Wayne Davison <wayne at opencoder.net>
Date:   Mon Jun 15 10:27:05 2020 -0700

    Add preliminary gnutls support.

commit 628dcceb8daf6aa2cf79bb03dfd22d36f97561e2
Author: Wayne Davison <wayne at opencoder.net>
Date:   Mon Jun 15 09:51:20 2020 -0700

    Choose openssl before stunnel.

-----------------------------------------------------------------------

Summary of changes:
 NEWS.md          | 17 +++++++++------
 clientname.c     |  4 ++--
 clientserver.c   |  2 +-
 loadparm.c       |  8 +++----
 rsync-ssl        | 28 +++++++++++++++++++++---
 rsync-ssl.1.md   | 29 +++++++++++++++++--------
 rsyncd.conf.5.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++---------
 7 files changed, 118 insertions(+), 36 deletions(-)


Changeset truncated at 500 lines:

diff --git a/NEWS.md b/NEWS.md
index 32163f8a..aa5b979c 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -88,15 +88,18 @@ Protocol: 31 (unchanged)
 
  - Added the `--write-devices` option based on the long-standing patch.
 
- - Added openssl support to the rsync-ssl script, which is now installed by
-   default.  This script was unified with the stunnel-rsync helper script to
-   simplify packaging.
+ - Added openssl & preliminary gnutls support to the rsync-ssl script, which is
+   now installed by default.  This was unified with the old stunnel-rsync
+   helper script to simplify packaging.  Note that the script accepts the use
+   of --type=gnutls for gnutls testing, but does not look for gnutls-cli on the
+   path yet.  The use of type=gnutls will not work right until gnutls-cli no
+   longer drops data.
 
  - Rsync was enhanced to set the `RSYNC_PORT` environment variable when running
    a daemon-over-rsh script. Its value is the user-specified port number (set
    via `--port` or an rsync:// URL) or 0 if the user didn't override the port.
 
- - Added the `haproxy header` daemon parameter that allows your rsyncd to know
+ - Added the `proxy protocol` daemon parameter that allows your rsyncd to know
    the real remote IP when it is setup behind a proxy.
 
  - Added negated matching to the daemon's `refuse options` setting by using
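Review bot: the NEWS entry mixes two spellings of the same thing, "--type=gnutls" in one sentence and "type=gnutls" in the next; use the option form consistently. It would also help packagers to say here that gnutls-cli is not auto-detected on purpose (the path search in rsync-ssl only looks for openssl and stunnel) and that gnutls is reachable only by asking for it explicitly, so nobody files a bug for the unreachable detection branch.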
@@ -145,9 +148,9 @@ Protocol: 31 (unchanged)
  - Tweak auxilliary doc file names, such as: README.md, INSTALL.md, NEWS.md, &
    OLDNEWS.md.
 
- - The rsync-ssl script wants to run either openssl or stunnel4, so consider
-   adding a dependency for openssl (though it's probably fine to just let it
-   complain about being unable to find either program and let the user decide
+ - The rsync-ssl script wants to run openssl or stunnel4, so consider adding a
+   dependency for one of those options (though it's probably fine to just let
+   it complain about being unable to find the program and let the user decide
    if they want to install one or the other).
 
  - If you packaged rsync + rsync-ssl + rsync-ssl-daemon as separate packages,
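Review bot: nit in the unchanged context line above this paragraph, "auxilliary" should be "auxiliary"; worth fixing while this part of NEWS.md is being edited anyway.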
diff --git a/clientname.c b/clientname.c
index b73d11c6..05f14ed7 100644
--- a/clientname.c
+++ b/clientname.c
@@ -156,8 +156,8 @@ char *client_name(const char *ipaddr)
 }
 
 
-/* Try to read an haproxy header (V1 or V2). Returns 1 on success or 0 on failure. */
-int read_haproxy_header(int fd)
+/* Try to read an proxy protocol header (V1 or V2). Returns 1 on success or 0 on failure. */
+int read_proxy_protocol_header(int fd)
 {
 	union {
 		struct {
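Review bot: the renamed comment reads "Try to read an proxy protocol header"; with the noun changed from "haproxy" to "proxy" the article should be "a". Suggested line: `/* Try to read a proxy protocol header (V1 or V2). Returns 1 on success or 0 on failure. */`.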
diff --git a/clientserver.c b/clientserver.c
index d4304ae6..fa7d47aa 100644
--- a/clientserver.c
+++ b/clientserver.c
@@ -1130,7 +1130,7 @@ int start_daemon(int f_in, int f_out)
 	if (!load_config(0))
 		exit_cleanup(RERR_SYNTAX);
 
-	if (lp_haproxy_header() && !read_haproxy_header(f_in))
+	if (lp_proxy_protocol() && !read_proxy_protocol_header(f_in))
 		return -1;
 
 	p = lp_daemon_chroot();
diff --git a/loadparm.c b/loadparm.c
index f84af532..58c898e8 100644
--- a/loadparm.c
+++ b/loadparm.c
@@ -112,7 +112,7 @@ typedef struct {
 	int listen_backlog;
 	int rsync_port;
 
-	BOOL haproxy_header;
+	BOOL proxy_protocol;
 } global_vars;
 
 /* This structure describes a single section.  Their order must match the
@@ -233,7 +233,7 @@ static const all_vars Defaults = {
  /* listen_backlog; */		5,
  /* rsync_port; */		0,
 
- /* haproxy_header; */		False,
+ /* proxy_protocol; */		False,
  },
 
  /* ==== local_vars ==== */
@@ -406,8 +406,8 @@ static struct parm_struct parm_table[] =
  {"motd file",         P_STRING, P_GLOBAL,&Vars.g.motd_file,           NULL,0},
  {"pid file",          P_STRING, P_GLOBAL,&Vars.g.pid_file,            NULL,0},
  {"port",              P_INTEGER,P_GLOBAL,&Vars.g.rsync_port,          NULL,0},
+ {"proxy protocol",    P_BOOL,   P_LOCAL, &Vars.g.proxy_protocol,      NULL,0},
  {"socket options",    P_STRING, P_GLOBAL,&Vars.g.socket_options,      NULL,0},
- {"haproxy header",    P_BOOL,   P_LOCAL, &Vars.g.haproxy_header,      NULL,0},
 
  {"auth users",        P_STRING, P_LOCAL, &Vars.l.auth_users,          NULL,0},
  {"charset",           P_STRING, P_LOCAL, &Vars.l.charset,             NULL,0},
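Review bot: the new `proxy protocol` entry is registered as P_LOCAL, yet its storage is `Vars.g.proxy_protocol` in `global_vars` and the accessor below is `FN_GLOBAL_BOOL(lp_proxy_protocol, ...)`; the neighbouring global entries (`port`, `socket options`) use P_GLOBAL. This mismatch was carried over from the old `haproxy header` line, and the rename is a good moment to fix it: `{"proxy protocol",    P_BOOL,   P_GLOBAL,&Vars.g.proxy_protocol,      NULL,0},`. Moving the entry into alphabetical order between `port` and `socket options` is a good tidy-up.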
@@ -549,7 +549,7 @@ FN_GLOBAL_STRING(lp_socket_options, socket_options)
 FN_GLOBAL_INTEGER(lp_listen_backlog, listen_backlog)
 FN_GLOBAL_INTEGER(lp_rsync_port, rsync_port)
 
-FN_GLOBAL_BOOL(lp_haproxy_header, haproxy_header)
+FN_GLOBAL_BOOL(lp_proxy_protocol, proxy_protocol)
 
 FN_LOCAL_STRING(lp_auth_users, auth_users)
 FN_LOCAL_STRING(lp_charset, charset)
diff --git a/rsync-ssl b/rsync-ssl
index 4f0e86ba..4e066ade 100755
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.
 
 # By default this script takes rsync args and hands them off to the actual
 # rsync command with an --rsh option that makes it open an SSL connection to an
@@ -31,10 +31,13 @@ function rsync_ssl_run {
 
 function rsync_ssl_helper {
     if [[ -z "$RSYNC_SSL_TYPE" ]]; then
-	found=`path_search stunnel4 stunnel openssl` || exit 1
+	found=`path_search openssl stunnel4 stunnel` || exit 1
 	if [[ "$found" == */openssl ]]; then
 	    RSYNC_SSL_TYPE=openssl
 	    RSYNC_SSL_OPENSSL="$found"
+	elif [[ "$found" == */gnutls-cli ]]; then
+	    RSYNC_SSL_TYPE=gnutls
+	    RSYNC_SSL_GNUTLS="$found"
 	else
 	    RSYNC_SSL_TYPE=stunnel
 	    RSYNC_SSL_STUNNEL="$found"
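Review bot: the new `elif [[ "$found" == */gnutls-cli ]]` branch is unreachable, because `path_search openssl stunnel4 stunnel` never looks for gnutls-cli. NEWS says this is deliberate until gnutls-cli stops dropping data, so a one-line comment above the branch saying that gnutls is opt-in via `--type=gnutls` or `RSYNC_SSL_TYPE=gnutls` for now would stop a later reader from "fixing" the path search and silently making a broken backend the default.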
@@ -48,6 +51,12 @@ function rsync_ssl_helper {
 	    fi
 	    optsep=' '
 	    ;;
+	gnutls)
+	    if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
+		RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
+	    fi
+	    optsep=' '
+	    ;;
 	stunnel)
 	    if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
 		RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
@@ -62,21 +71,30 @@ function rsync_ssl_helper {
 
     if [[ -z "$RSYNC_SSL_CERT" ]]; then
 	certopt=""
+	gnutls_cert_opt=""
     else
 	certopt="cert$optsep$RSYNC_SSL_CERT"
+	gnutls_cert_opt="--x509keyfile=$RSYNC_SSL_CERT"
     fi
 
     if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
 	# RSYNC_SSL_CA_CERT unset - default CA set AND verify:
 	# openssl:
 	caopt="-verify_return_error -verify 4"
+	# gnutls:
+	gnutls_opts=""
 	# stunnel:
+	# Since there is no way of using the default CA certificate collection,
+	# we cannot do any verification. Thus, stunnel should really only be
+	# used if nothing else is available.
 	cafile=""
 	verify=""
     elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
 	# RSYNC_SSL_CA_CERT set but empty -do NO verifications:
 	# openssl:
 	caopt="-verify 1"
+	# gnutls:
+	gnutls_opts="--insecure"
 	# stunnel:
 	cafile=""
 	verify="verifyChain = no"
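Review bot: in the RSYNC_SSL_CA_CERT-unset branch the header comment says "default CA set AND verify", but the stunnel settings (`cafile=""`, `verify=""`) do no verification at all, as the added comment below it admits. With openssl now searched first, stunnel is only reached when openssl is absent, but in that case the script quietly degrades to an encrypted yet unauthenticated connection. Consider printing a warning to stderr when the stunnel backend is selected without RSYNC_SSL_CA_CERT, so the user knows the peer was not validated.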
@@ -84,6 +102,8 @@ function rsync_ssl_helper {
 	# RSYNC_SSL_CA_CERT set - use CA AND verify:
 	# openssl:
 	caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+	# gnutls:
+	gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
 	# stunnel:
 	cafile="CAfile = $RSYNC_SSL_CA_CERT"
 	verify="verifyChain = yes"
@@ -110,6 +130,8 @@ function rsync_ssl_helper {
 
     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
 	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+    elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
     else
 	# devzero at web.de came up with this no-tmpfile calling syntax:
 	exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
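Review bot: the gnutls exec line expands `$gnutls_cert_opt` and `$gnutls_opts` unquoted, like the openssl line above it, so a RSYNC_SSL_CERT or RSYNC_SSL_CA_CERT path containing whitespace is split into separate arguments. The script relies on word splitting for multi-word option strings such as `$caopt`, so the cleanest fix for both backends is to build the options in bash arrays and expand them as `"${opts[@]}"`.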
@@ -147,7 +169,7 @@ function path_search {
 
 if [[ "$#" == 0 ]]; then
     echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
-    echo "The SSL_TYPE can be stunnel or openssl"
+    echo "The SSL_TYPE can be openssl or stunnel"
     exit 1
 fi
 
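Review bot: the usage line now says the SSL_TYPE can be "openssl or stunnel", but the case statement earlier in this script also accepts `gnutls`. Either list it here with a "(preliminary)" marker or point the user at the man page's CAVEATS section, so the usage text and the accepted values stay in sync.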
diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md
index c16b9657..c2903425 100644
--- a/rsync-ssl.1.md
+++ b/rsync-ssl.1.md
@@ -17,7 +17,7 @@ that requires ssl connections.
 
 If the **first** arg is a `--type=SSL_TYPE` option, the script will only use
 that particular program to open an ssl connection instead of trying to find an
-stunnel or openssl executable via a simple heuristic (assuming that the
+openssl or stunnel executable via a simple heuristic (assuming that the
 `RSYNC_SSL_TYPE` environment variable is not set as well -- see below).  This
 option must specify one of `openssl` or `stunnel`.  The equal sign is
 required for this particular option.
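Review bot: this paragraph still says the option "must specify one of `openssl` or `stunnel`", while the CAVEATS section added later in this same file says `--type=gnutls` is supported. Suggest "one of `openssl`, `gnutls`, or `stunnel`" with a pointer to CAVEATS for the gnutls status, so the man page does not contradict itself.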
@@ -41,17 +41,15 @@ The ssl helper scripts are affected by the following environment variables:
     certificate to use for the connection.
 0.  `RSYNC_SSL_CA_CERT` If specified, the value is a filename that contains a
     certificate authority certificate that is used to validate the connection.
-0.  `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
-    connection type is set to stunnel.  If unspecified, the $PATH is searched
-    first for "stunnel4" and then for "stunnel".
 0.  `RSYNC_SSL_OPENSSL` Specifies the openssl executable to run when the
     connection type is set to openssl.  If unspecified, the $PATH is searched
     for "openssl".
-
-# CAVEATS
-
-Note that using an stunnel connection requires at least version 4 of stunnel,
-which should be the case on modern systems.
+0.  `RSYNC_SSL_GNUTLS` Specifies the gnutls-cli executable to run when the
+    connection type is set to gnutls.  If unspecified, the $PATH is searched
+    for "gnutls-cli".
+0.  `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
+    connection type is set to stunnel.  If unspecified, the $PATH is searched
+    first for "stunnel4" and then for "stunnel".
 
 # EXAMPLES
 
@@ -63,6 +61,19 @@ which should be the case on modern systems.
 
 **rsync**(1), **rsyncd.conf**(5)
 
+# CAVEATS
+
+Note that using an stunnel connection requires at least version 4 of stunnel,
+which should be the case on modern systems.  Also, it does not verify a
+connection against the CA certificate collection, so it only encrypts the
+connection without any cert validation unless you have specified the
+certificate environment options.
+
+This script also supports a `--type=gnutls` option, but at the time of this
+release the gnutls-cli command was dropping output, making it unusable.  If
+that bug has been fixed in your version, feel free to put gnutls into an
+exported RSYNC_SSL_TYPE environment variable to make its use the default.
+
 # BUGS
 
 Please report bugs! See the web site at <http://rsync.samba.org/>.
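Review bot: "using an stunnel connection" should be "using a stunnel connection"; the wording was copied from the removed CAVEATS text, so this is the moment to fix it. The new sentence about stunnel not validating against the CA collection is the important part of this section; since the helper now prefers openssl and only falls back to stunnel when openssl is missing, it is worth stating plainly that such a fallback yields an encrypted but unverified connection unless RSYNC_SSL_CA_CERT is set.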
diff --git a/rsyncd.conf.5.md b/rsyncd.conf.5.md
index df19ecb1..a9193453 100644
--- a/rsyncd.conf.5.md
+++ b/rsyncd.conf.5.md
@@ -234,11 +234,11 @@ the values of parameters.  See the GLOBAL PARAMETERS section for more details.
     allow the daemon to function.  By default the daemon runs without any
     chrooting.
 
-0.  `haproxy header`
+0.  `proxy protocol`
 
     When this parameter is enabled, all incoming connections must start with a
-    V1 or V2 haproxy header.  If the header is not found, the connection is
-    closed.
+    V1 or V2 proxy protocol header.  If the header is not found, the connection
+    is closed.
 
     Setting this to `true` requires a proxy server to forward source IP
     information to rsync, allowing you to log proper IP/host info and make use
@@ -1065,8 +1065,54 @@ Also note that the rsync daemon protocol does not currently provide any
 encryption of the data that is transferred over the connection. Only
 authentication is provided. Use ssh as the transport if you want encryption.
 
-Future versions of rsync may support SSL for better authentication and
-encryption, but that is still being investigated.
+You can also make use of SSL/TLS encryption if you put rsync behind an
+SSL proxy.
+
+# SSL/TLS Daemon Setup
+
+When setting up an rsync daemon for access via SSL/TLS, you will need to
+configure a proxy (such as haproxy or nginx) as the front-end that handles the
+encryption.
+
+- You should limit the access to the backend-rsyncd port to only allow the
+  proxy to connect.  If it is on the same host as the proxy, then configuring
+  it to only listen on localhost is a good idea.
+
+- You should consider turning on the `proxy protocol` parameter if your proxy
+  supports sending that information.  The examples below assume that this is
+  enabled.
+
+An example haproxy setup is as follows:
+
+> ```
+> frontend fe_rsync-ssl
+>    bind :::874 ssl crt /etc/letsencrypt/example.com/combined.pem
+>    mode tcp
+>    use_backend be_rsync
+>
+> backend be_rsync
+>    mode tcp
+>    server local-rsync 127.0.0.1:873 check send-proxy
+> ```
+
+An example nginx proxy setup is as follows:
+
+> ```
+> stream {
+>    server {
+>        listen 874 ssl;
+>        listen [::]:874 ssl;
+>
+>        ssl_certificate /etc/letsencrypt/example.com/fullchain.pem;
+>        ssl_certificate_key /etc/letsencrypt/example.com/privkey.pem
+>
+>        proxy_pass localhost:873;
+>        proxy_protocol on; # Requires "proxy protocol = true"
+>        proxy_timeout 1m;
+>        proxy_connect_timeout 5s;
+>    }
+> }
+> ```
 
 # EXAMPLES
 
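Review bot: the nginx example will not load as written, because `ssl_certificate_key /etc/letsencrypt/example.com/privkey.pem` is missing its terminating semicolon while every other directive in the block has one. Suggested line: `ssl_certificate_key /etc/letsencrypt/example.com/privkey.pem;`. Also, the bullet about restricting access to the backend port deserves a reason next to the examples: with `proxy protocol = true`, any client that can reach port 873 directly can supply its own proxy protocol header and thereby choose the source address rsyncd logs and uses for access decisions, so binding the daemon to 127.0.0.1 (or firewalling it to the proxy) is what makes the forwarded IP trustworthy.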
@@ -1088,23 +1134,23 @@ A more sophisticated example would be:
 > max connections = 4
 > syslog facility = local5
 > pid file = /var/run/rsyncd.pid
-> 
+>
 > [ftp]
 >         path = /var/ftp/./pub
 >         comment = whole ftp area (approx 6.1 GB)
-> 
+>
 > [sambaftp]
 >         path = /var/ftp/./pub/samba
 >         comment = Samba ftp area (approx 300 MB)
-> 
+>
 > [rsyncftp]
 >         path = /var/ftp/./pub/rsync
 >         comment = rsync ftp area (approx 6 MB)
-> 
+>
 > [sambawww]
 >         path = /public_html/samba
 >         comment = Samba WWW pages (approx 240 MB)
-> 
+>
 > [cvs]
 >         path = /data/cvs
 >         comment = CVS repository (requires authentication)


-- 
The rsync repository.


