----------------------------------------
gophernicus TLS howto
January 20th, 2019
----------------------------------------

A few people on mastodon requested a little guide on how to set up
stunnel4 with gophernicus to offer TLS. As you might know from my
earlier posts on gopher.black, I prefer to run this gopher server
as a tor service instead of using the TLS approach alone since it
does all the same things plus some extra goodies and doesn't
require modification to your gopher clients. Regardless, gopher
over TLS is cool in its own right (and I use it on cosmic.voyage).

Here's how:

1) Make sure you're using gophernicus and it's Kim's Prison
   Edition, not one of the ancient ones that shows up when you
   google gophernicus, like prologic's

2) Have an SSL cert. I use letsencrypt because why pay for
   something that's free?

3) Have stunnel4. I think it was an apt install for me.

Actually configuring everything is just a matter of tweaking
2 files:

1) /etc/default/gophernicus

OPTIONS="-o UTF-8 -nt -nh -nf -T 7070"

The important part for TLS is the last bit (-T PORT). The other
switches hide the /stats page, which is a security issue, and get
rid of titles, footers and the like, which makes for a cleaner
rendered gophermap. They're cool settings, but not necessary for
TLS.

2) /etc/stunnel/gophernicus.conf

;
; Gophernicus behind Stunnel4 for gopher over TLS
;

; User/group for stunnel daemon
setuid = stunnel4
setgid = stunnel4

; PID file location
pid = /var/run/stunnel4/gophernicus.pid

; Log to file, not syslog
output = /var/log/stunnel4/gophernicus.log
syslog = no

; Certificate in pem format is needed for TLS
cert = /etc/letsencrypt/live/cosmic.voyage/fullchain.pem
key = /etc/letsencrypt/live/cosmic.voyage/privkey.pem

; Enable TCP wrappers
libwrap = yes
service = in.gophernicus-tls

; Gopher over TLS service
[gophernicus]
accept  = :::7070
connect = 127.0.0.1:70
protocol = proxy


So I'm pointing at my letsencrypt cert for cosmic in this file,
and I've chosen to use port 7070 for TLS. Kensanata says there's
an argument for port 7443 that was given on the gopher mailing
list, but I never read it. Use what makes sense to you, but make
sure it matches what you have in /etc/default/gophernicus.
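As an added check (not part of the original post, and not something
gophernicus or stunnel ship), the script below confirms that the -T
port in /etc/default/gophernicus and the accept port in
/etc/stunnel/gophernicus.conf agree; file paths are passed in, and
the sample files it writes are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): check that the -T PORT
# given to gophernicus matches the port stunnel accepts on. Both file
# paths are arguments, so it works on the real files or on the
# constructed samples written below.

# Print the -T port from an /etc/default/gophernicus style file.
gophernicus_tls_port() {
    sed -n 's/^OPTIONS=.*-T[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Print the port of the first "accept = [host:]port" line in an
# stunnel config.
stunnel_accept_port() {
    sed -n 's/^accept[[:space:]]*=[[:space:]]*\(.*:\)\{0,1\}\([0-9][0-9]*\)[[:space:]]*$/\2/p' "$1" |
        head -n 1
}

# Succeed (exit 0) only when both ports are present and equal.
ports_match() {
    g=$(gophernicus_tls_port "$1")
    s=$(stunnel_accept_port "$2")
    [ -n "$g" ] && [ -n "$s" ] && [ "$g" = "$s" ]
}

# Constructed sample files: the OPTIONS line from the post, one
# stunnel config that matches it and one that does not.
tmp=$(mktemp -d)
printf '%s\n' 'OPTIONS="-o UTF-8 -nt -nh -nf -T 7070"' > "$tmp/gophernicus"
printf '%s\n' '[gophernicus]' 'accept  = :::7070' \
    'connect = 127.0.0.1:70' 'protocol = proxy' > "$tmp/good.conf"
printf '%s\n' '[gophernicus]' 'accept  = :::7443' \
    'connect = 127.0.0.1:70' 'protocol = proxy' > "$tmp/bad.conf"

if ports_match "$tmp/gophernicus" "$tmp/good.conf"; then
    echo "good.conf: stunnel and gophernicus agree on the TLS port"
fi
if ! ports_match "$tmp/gophernicus" "$tmp/bad.conf"; then
    echo "bad.conf: port mismatch, fix one of the two files"
fi
```

Run it against the real files by calling ports_match with
/etc/default/gophernicus and /etc/stunnel/gophernicus.conf.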

And that's it. Oh, I guess you'll need to open up your port with
your firewall, but everything else should just work(TM).

Good luck!