Re: [Tails-dev] FWD: Re: Tails for arm64 (with support for A…

このメッセージを削除

このメッセージに返信
著者: noisycoil
日付:  
To: N9iu7pk, The Tails public development discussion list
CC: Tails Dev
題目: Re: [Tails-dev] FWD: Re: Tails for arm64 (with support for Apple Silicon)
Hi there,

I went for a DNS hack precisely so I could keep the patches to a minimum. All the relevant downloads are done via plain HTTP+signature verification, so in the end it was enough to disable a couple of points in the code where the signatures are actually checked.

Note that simply pointing your DNS resolver to Debian's servers is not enough. Tails's repository (at least for branches based on devel) is also queried to fetch the timestamp of the most recent snapshot to be used, so you must redirect both to Debian AND to Tails depending on the URL. To do so, you must:

1. configure your DNS resolver so that the Tails domain resolves to a webserver you control
2. use that webserver to redirect some URLs to Debian, and some others to Tails


*** DNS hijacking ***

There are many ways to hijack your DNS resolution. The simplest to set up probably (and the one I'm using) is to use systemd-resolved with the stub resolver turned on, adding the following line to /etc/hosts in your build machine:

x.x.x.x time-based.snapshots.deb.tails.boum.org

where x.x.x.x is the IP address of the webserver you control. This can be running on the build machine itself, but if you decide to go this way make sure that x.x.x.x is not in 127.0.0.0/8, otherwise the VM that builds the image will be redirected to its own localhost!

Some of the options you have here are: using an address (not in 127.0.0.0/8) bound to one of your network interfaces, creating a dummy network interface and assigning it a new address, or using the address of a remote host you control. One special case of the first option is using the address of the gateway for the local network that Vagrant will create for the VM (if you know that in advance). Personally, I'm using a remote host, because it was simpler to set up for me. In any case, make sure that the VM is able to connect to that IP address (and that the webserver is listening on port 80 of that address, of course).

*** Webserver configuration ***

I'm using an nginx webserver with the following configuration:

server {
    server_name time-based.snapshots.deb.tails.boum.org;
    listen *:80;
    rewrite ^/(debian|debian-security)/[0-9]+(/?.*) http://deb.debian.org/$1$2;
    rewrite ^/[0-9.]+(/?.*) http://deb.debian.org$1;

    location ~ ^/(debian|debian-security|tails)/project/trace/(debian|debian-security|tails) {
        proxy_pass http://204.13.164.63:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }

    location ~ ^/(tails|torproject) {
        proxy_pass http://204.13.164.63:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}

204.13.164.63 <http://204.13.164.63:80> is the real IP address of time-based.snapshots.deb.tails.boum.org. URLs that match the regex ^/(debian|debian-security|tails)/project/trace/(debian|debian-security|tails) must be redirected back to Tails to get the timestamp of the most recent snapshot. This timestamp however is never actually used: the redirections

http://time-based.snapshots.deb.tails.boum.org/(debian|debian-security)/[0-9]+(/?.*)    ---->    http://deb.debian.org/$1$2 <http://deb.debian.org/$1$2>
http://time-based.snapshots.deb.tails.boum.org/[0-9.]+(/?.*)    ---->    http://deb.debian.org$1 <http://deb.debian.org$1>

will point the VM to the live Debian archive rather than to a Tails snapshot (in practice they will remove the timestamp from the URL and replace the Tails domain with the Debian domain). As for ^/(tails|torproject), I'm not sure these need to be redirected too, but hey, this way it works so let's keep them. Also, it's unlikely that anything is reading the X-Headers, but let's keep those configs too.

A corresponding configuration could be written for Apache, but I don't know how to do that.


Keep in mind that if you hijack your DNS like above you won't be able to build Tails on branches other than my own: the hijacked packages are signed with Debian's keys, but the regular branches expect Tails's! So after you are finished delete the entry from /etc/hosts and restart systemd-resolved.

If you need more help feel free to write me!

NC