authorPeter Palfrader <peter@palfrader.org>2016-02-03 13:16:02 +0000
committerPeter Palfrader <peter@palfrader.org>2016-02-03 13:16:02 +0000
commit17828dfb598b927752a75ff1f56c7fed863d194e (patch)
tree177f75204032390a228ce567a5107251e3f70d77
parentf79e3a2077f60fb979d62299351187a6a91ca92a (diff)
Also support socat, and document that both stunnel4 and socat in their current versions are horrible
-rwxr-xr-xbin/ftpsync60
-rwxr-xr-xbin/rsync-ssl-tunnel88
-rw-r--r--etc/ftpsync.conf.sample22
3 files changed, 123 insertions, 47 deletions
diff --git a/bin/ftpsync b/bin/ftpsync
index 0088619..c96f8f5 100755
--- a/bin/ftpsync
+++ b/bin/ftpsync
@@ -256,38 +256,6 @@ tracefile() {
esac
}
-setup_stunnel_config() {
- if [[ "$(declare -p RSYNC)" =~ "declare -a" ]]; then
- : # RSYNC already is an array
- else
- RSYNC=($RSYNC)
- fi
-
- if [[ true != ${RSYNC_SSL} ]]; then
- return
- fi
- STUNNEL_CONFIG="${BASEDIR}/etc/stunnel-${NAME}.conf"
- cat << EOF > "$STUNNEL_CONFIG"
-# This file has been automatically created by ftpsync for syncing
-# from ${RSYNC_HOST}.
-#
-# Do not edit it, it will be overwritten next time ftpsync runs.
-#
-# To test if things works, try the following:
-# rsync -e 'stunnel4 ${STUNNEL_CONFIG}' ${RSYNC_USER}@dummy::
-#
-client = yes
-verify = 2
-CApath = ${RSYNC_SSL_CAPATH}
-
-syslog = no
-debug = 4
-output = /dev/stderr
-
-connect = ${RSYNC_HOST}:${RSYNC_SSL_PORT}
-EOF
- RSYNC+=('-e' "stunnel4 ${STUNNEL_CONFIG}")
-}
########################################################################
########################################################################
@@ -474,10 +442,6 @@ RSYNC_PASSWORD=${RSYNC_PASSWORD:-""}
# a possible proxy
RSYNC_PROXY=${RSYNC_PROXY:-""}
-RSYNC_SSL=${RSYNC_SSL:-"false"}
-RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
-RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
-
# Do we sync stage1?
SYNCSTAGE1=${SYNCSTAGE1:-"false"}
# Do we sync stage2?
@@ -520,6 +484,20 @@ for ARCH in ${ARCH_EXCLUDE}; do
fi
done
+RSYNC_SSL=${RSYNC_SSL:-"false"}
+RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
+RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
+RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"socat"}
+
+if [[ true != ${RSYNC_SSL} ]]; then
+ RSYNC_SSL_OPTIONS=""
+else
+ export RSYNC_SSL_PORT
+ export RSYNC_SSL_CAPATH
+ export RSYNC_SSL_METHOD
+ RSYNC_SSL_OPTIONS="-e ${BASEDIR}/bin/rsync-ssl-tunnel"
+fi
+
# Hooks
HOOK1=${HOOK1:-""}
HOOK2=${HOOK2:-""}
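Review bot: `RSYNC_SSL_OPTIONS="-e ${BASEDIR}/bin/rsync-ssl-tunnel"` is a flat string that the stage1/stage2 call sites expand unquoted, so a BASEDIR containing whitespace or glob characters splits the tunnel path into several rsync arguments; the deleted setup_stunnel_config avoided exactly this by appending to an array. Keeping an array here, `RSYNC_SSL_OPTIONS=(-e "${BASEDIR}/bin/rsync-ssl-tunnel")` with `RSYNC_SSL_OPTIONS=()` in the non-SSL branch, and expanding it as `"${RSYNC_SSL_OPTIONS[@]}"` at the call sites keeps the path intact. The three exports are only reached when RSYNC_SSL is true, which is correct, but a one-line comment such as `# Exported so bin/rsync-ssl-tunnel inherits them when rsync runs it via -e` would tell the next reader why plain assignments are not enough.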
@@ -530,8 +508,6 @@ HOOK5=${HOOK5:-""}
# Are we a hub?
HUB=${HUB:-"false"}
-setup_stunnel_config
-
DATE_STARTED=$(LC_ALL=POSIX LANG=POSIX date -u -R)
########################################################################
# Really nothing to see below here. Only code follows. #
@@ -635,12 +611,12 @@ while [[ -e ${UPDATEREQUIRED} ]]; do
if [[ true = ${SYNCSTAGE1} ]] || [[ true = ${SYNCALL} ]]; then
while [[ -e ${UPDATEREQUIRED} ]]; do
rm -f "${UPDATEREQUIRED}"
- log "Running stage1: ${RSYNC[@]} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
+ log "Running stage1: ${RSYNC} ${RSYNC_SSL_OPTIONS} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
set +e
# Step one, sync everything except Packages/Releases
rsync_started=$(date +%s)
- "${RSYNC[@]}" ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} \
+ ${RSYNC} ${RSYNC_SSL_OPTIONS} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS1} ${EXCLUDE} ${SOURCE_EXCLUDE} \
${RSYNCPTH}::${RSYNC_PATH} "${TO}" >>"${LOGDIR}/rsync-${NAME}.log" 2>>"${LOGDIR}/rsync-${NAME}.error"
result=$?
rsync_ended=$(date +%s)
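Review bot: Replacing `"${RSYNC[@]}"` with an unquoted `${RSYNC}` silently drops the array support the deleted setup_stunnel_config provided: if a site config sets RSYNC as an array, only its first element is now used, and no error is raised; whether any config does so is not visible in this hunk. The same substitution is made for the stage2 invocation further down. If RSYNC is intended to always be a single command word, a comment to that effect at its default assignment (outside this hunk) would make the change deliberate; otherwise keep the array form and add the tunnel with `RSYNC+=(-e "${BASEDIR}/bin/rsync-ssl-tunnel")` as before. The enclosing while loop starts and ends outside the hunk.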
@@ -709,13 +685,13 @@ while [[ -e ${UPDATEREQUIRED} ]]; do
result=1
fi
else
- log "Running stage2: ${RSYNC[@]} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
+ log "Running stage2: ${RSYNC} ${RSYNC_SSL_OPTIONS} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} ${RSYNCPTH}::${RSYNC_PATH} ${TO}"
set +e
# We are lucky, it worked. Now do step 2 and sync again, this time including
# the packages/releases files
rsync_started=$(date +%s)
- "${RSYNC[@]}" ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} \
+ ${RSYNC} ${RSYNC_SSL_OPTIONS} ${RSYNC_OPTIONS} ${RSYNC_OPTIONS2} ${EXCLUDE} ${SOURCE_EXCLUDE} \
${RSYNCPTH}::${RSYNC_PATH} "${TO}" >>"${LOGDIR}/rsync-${NAME}.log" 2>>"${LOGDIR}/rsync-${NAME}.error"
result=$?
rsync_ended=$(date +%s)
diff --git a/bin/rsync-ssl-tunnel b/bin/rsync-ssl-tunnel
new file mode 100755
index 0000000..e6f2fa9
--- /dev/null
+++ b/bin/rsync-ssl-tunnel
@@ -0,0 +1,88 @@
+#! /bin/bash
+
+set -e
+set -u
+
+usage() {
+ echo "Usage: [RSYNC_SSL_CAPATH=<capath>] [RSYNC_SSL_CAPATH=<port>] $0 <RSYNC_HOST>"
+}
+
+while [[ "$#" -gt 0 ]]; do
+ case "$1" in
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ -l)
+ shift
+ shift
+ continue
+ ;;
+ --)
+ shift
+ continue
+ ;;
+ -*)
+ usage >&2
+ exit 1
+ ;;
+ *)
+ RSYNC_HOST="$1"; shift
+ break
+ esac
+done
+
+if [[ "$#" = 0 ]]; then
+ usage >&2
+ echo >&2 "No arguments given."
+ exit 1
+fi
+RSYNC_SSL_PORT=${RSYNC_SSL_PORT:-"1873"}
+RSYNC_SSL_CAPATH=${RSYNC_SSL_CAPATH:-"/etc/ssl/certs"}
+RSYNC_SSL_METHOD=${RSYNC_SSL_METHOD:-"socat"}
+
+method_stunnel() {
+ tmp="`tempfile`"
+ trap "rm -f '$tmp'" EXIT
+
+ cat << EOF > "$tmp"
+# This file has been automatically created by ftpsync for syncing
+# from ${RSYNC_HOST}.
+#
+# To test if things works, try the following:
+# rsync -e 'stunnel4 <this config file>' \$RSYNC_USER@dummy::
+#
+client = yes
+verify = 2
+CApath = ${RSYNC_SSL_CAPATH}
+
+syslog = no
+debug = 4
+output = /dev/stderr
+
+connect = ${RSYNC_HOST}:${RSYNC_SSL_PORT}
+EOF
+
+ exec stunnel4 "$tmp"
+ echo >&2 "Failed to exec stunnel4"
+ exit 1
+}
+
+method_socat() {
+ exec socat - "openssl-connect:${RSYNC_HOST}:${RSYNC_SSL_PORT},capath=${RSYNC_SSL_CAPATH}"
+ echo >&2 "Failed to exec socat."
+ exit 1
+}
+
+case ${RSYNC_SSL_METHOD:-} in
+ stunnel4)
+ method_stunnel
+ ;;
+ socat)
+ method_socat
+ ;;
+ *)
+ echo >&2 "Unknown method $RSYNC_SSL_METHOD."
+ exit 1
+ ;;
+esac
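Review bot: The generated stunnel config (`verify = 2` with only `CApath = ${RSYNC_SSL_CAPATH}`) accepts any certificate chaining to a CA in that directory regardless of which host it names, so the tunnel to ${RSYNC_HOST} can be terminated by anyone holding any CA-issued certificate; on stunnel versions that support it, adding `checkHost = ${RSYNC_HOST}` to the heredoc binds the check to the peer, and the socat address would be clearer with an explicit `,verify=1` instead of relying on socat's default. The usage text has a copy/paste error, `[RSYNC_SSL_CAPATH=<port>]` should read `[RSYNC_SSL_PORT=<port>]`, and it omits RSYNC_SSL_METHOD even though the script dispatches on it. `tempfile` is a deprecated Debian-specific utility; `tmp="$(mktemp)"` is the portable form. Once `exec stunnel4` replaces the shell the EXIT trap presumably never fires, so the config file is likely left behind in the temp directory for the life of the sync (worth confirming); it carries no secrets, but a comment stating that it is intentionally not cleaned up would avoid the question.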
diff --git a/etc/ftpsync.conf.sample b/etc/ftpsync.conf.sample
index d58fbaf..7b8c81c 100644
--- a/etc/ftpsync.conf.sample
+++ b/etc/ftpsync.conf.sample
@@ -31,14 +31,26 @@
## If we need a user we also need a password
#RSYNC_PASSWORD=
-## Set to "true" to tunnel your rsync through stunnel. Requires that stunnel4 be
-## available in PATH. ftpsync will then create an stunnel config file and use
-## rsync's -e to connect to RSYNC_SSL_PORT on the remote site. (This requires
-## server support, obviously.) The presented certificate is checked by stunnel
-## against the certificate authorities in RSYNC_SSL_CAPATH.
+## Set to "true" to tunnel your rsync through stunnel.
+##
+## ftpsync will then use rsync's -e option to wrap the connection
+## with bin/rsync-ssl-tunnel which sets up an stunnel to connect to
+## RSYNC_SSL_PORT on the remote site. (This requires server
+## support, obviously.)
+##
+## ftpsync can use either socat or stunnel4 to set up the encrypted
+## tunnel.
+## o Note that stunnel will not verify the peer certificate's name
+## (It will check that it's a valid certificate signed by a CA, but not
+## if it is actually for the host you want to connect to.)
+## o socat will verify the peer certificate name only starting with version
+## 1.7.3 (Debian 9.0).
+## To test if things work, you can run
+## RSYNC_SSL_PORT=1873 RSYNC_SSL_CAPATH=/etc/ssl/certs RSYNC_SSL_METHOD=socat rsync -e 'bin/rsync-ssl-tunnel' <server>::
#RSYNC_SSL=false
#RSYNC_SSL_PORT=1873
#RSYNC_SSL_CAPATH=/etc/ssl/certs
+#RSYNC_SSL_METHOD=socat
## In which directory should logfiles end up
## Note that BASEDIR defaults to $HOME, but can be set before calling the