Moxie Marlinspike 4 years ago
commit
c3ef184c81
9 changed files with 260 additions and 0 deletions
  1. 1 0
      .gitignore
  2. 22 0
      LICENSE
  3. 10 0
      README.md
  4. 77 0
      data/nginx-relay/nginx.conf
  5. 37 0
      data/nginx-terminate/nginx.conf
  6. 26 0
      docker-compose.yml
  7. 43 0
      init-certificate.sh
  8. 22 0
      nginx-relay/Dockerfile
  9. 22 0
      nginx-terminate/Dockerfile

+ 1 - 0
.gitignore

@@ -0,0 +1 @@
+/data/certbot

+ 22 - 0
LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2018 Philipp Schmieder
+Copyright (c) 2021 Signal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

+ 10 - 0
README.md

@@ -0,0 +1,10 @@
+# Signal TLS Proxy
+
+To run a Signal TLS proxy, you will need a host with a domain name that has ports 80 and 443 available.
+
+1. Install docker and docker-compose (`apt update && apt install docker docker-compose`)
+1. Clone this repository
+1. `./init-certificate.sh`
+1. `docker-compose up --detach`
+
+Your proxy is now running! You can share this with the URL `https://signal.tube/#<your_host_name>` 

+ 77 - 0
data/nginx-relay/nginx.conf

@@ -0,0 +1,77 @@
+
+user  nginx;
+worker_processes  auto;
+
+
+events {
+    worker_connections  1024;
+}
+
+stream {
+    map $ssl_preread_server_name $name {
+        textsecure-service.whispersystems.org	signal-service;
+	storage.signal.org			storage-service;
+	cdn.signal.org				signal-cdn;
+	cdn2.signal.org				signal-cdn2;
+	api.directory.signal.org		directory;
+	contentproxy.signal.org			content-proxy;
+	uptime.signal.org			uptime;
+	api.backup.signal.org                   backup;
+        sfu.voip.signal.org                     sfu;
+        updates.signal.org                      updates;
+        updates2.signal.org                     updates2;
+        default					deny;
+    }
+
+    upstream signal-service {
+         server textsecure-service.whispersystems.org:443;
+    }
+
+    upstream storage-service {
+        server storage.signal.org:443;
+    }
+
+    upstream signal-cdn {
+        server cdn.signal.org:443;
+    }
+
+    upstream signal-cdn2 {
+        server cdn2.signal.org:443;
+    }
+
+    upstream directory {
+        server api.directory.signal.org:443;
+    }
+
+    upstream content-proxy {
+        server contentproxy.signal.org:443;
+    }
+
+    upstream backup {
+	server api.backup.signal.org:443;
+    }
+
+    upstream sfu {
+        server sfu.voip.signal.org:443;
+    }
+
+    upstream updates {
+        server updates.signal.org:443;
+    }
+
+    upstream updates2 {
+        server updates2.signal.org:443;
+    }
+
+    upstream deny {
+        server 127.0.0.1:9;
+    }
+
+    server {
+        listen                4433;
+        proxy_pass            $name;
+        ssl_preread	      on;
+        error_log             /dev/null;
+        access_log            off;
+     }
+}
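Review bot: `error_log /dev/null;` on L149 silences every severity for this stream server, so upstream connect failures are lost together with the per-connection noise it is meant to hide; `error_log stderr crit;` would keep only critical failures visible in `docker logs` while `access_log off;` still suppresses per-client records. The `map` block on L87–L98 mixes tabs and spaces for alignment, which makes future host additions hard to diff cleanly; one indentation style throughout would help. The upstream hostnames on L101–L139 are resolved when the configuration is loaded, so the six-hourly `nginx -s reload` in docker-compose.yml appears to be the only thing that refreshes them; a comment such as `# upstream addresses are refreshed only on reload (see docker-compose.yml)` would keep that coupling from being lost.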

+ 37 - 0
data/nginx-terminate/nginx.conf

@@ -0,0 +1,37 @@
+user  nginx;
+worker_processes  auto;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    server {
+        listen 80;
+
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+    }
+}
+
+stream {
+
+    upstream relay {
+         server nginx-relay:4433;
+    }
+
+    server {
+        listen                443 ssl;
+        proxy_pass            relay;
+
+        access_log            off;
+        error_log             /dev/null;
+
+        ssl_certificate /etc/letsencrypt/active/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/active/privkey.pem;
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+     }
+
+}
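Review bot: The `listen 80` server on L167–L172 (the ACME webroot for certbot) looks unreachable as committed: docker-compose.yml publishes only `443:443` for nginx-terminate, and the certbot service publishes no ports at all. Because init-certificate.sh issues the certificate with `--standalone`, the unattended `certbot renew` in the certbot container will reuse the standalone authenticator and need port 80 on that container, which is also not published, so renewals appear set to fail once the initial certificate expires (inferred from the three files; confirm with a dry-run renewal). Either publish `"80:80"` on nginx-terminate and issue with `--webroot -w /var/www/certbot` so this block is actually used, or publish 80 on the certbot service and drop this http block. Separately, `error_log /dev/null` on L186 also discards TLS handshake and certificate-load failures; `error_log stderr crit;` would keep those visible in `docker logs`.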

+ 26 - 0
docker-compose.yml

@@ -0,0 +1,26 @@
+version: '3'
+
+services:
+  nginx-terminate:
+    build: ./nginx-terminate/
+    restart: unless-stopped
+    volumes:
+      - ./data/nginx-terminate:/etc/nginx/conf.d
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    ports:
+      - "443:443"
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
+  nginx-relay:
+    build: ./nginx-relay/
+    restart: unless-stopped
+    volumes:
+      - ./data/nginx-relay:/etc/nginx/conf.d
+    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
+  certbot:
+    image: certbot/certbot
+    restart: unless-stopped
+    volumes:
+      - ./data/certbot/conf:/etc/letsencrypt
+      - ./data/certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
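Review bot: `image: certbot/certbot` on L220 carries no tag, so every pull tracks whatever `latest` resolves to at that moment, and the renewal container that runs unattended every 12 hours can change behaviour without any change to this repository; pin it (`image: certbot/certbot:<pinned-version>`, placeholder). The `command:` lines on L212 and L218 start nginx as a child of `/bin/sh -c`, so `docker stop` delivers SIGTERM to the shell, which typically does not forward it, and nginx is only killed after the stop timeout. Prefixing the final invocation with `exec` (`… done & exec /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'`) makes nginx PID 1 so the stop signal reaches it directly, while the backgrounded reload loop keeps running as its child. The same wrapper is duplicated verbatim for both services and overrides the `CMD` in both Dockerfiles; a single shared entrypoint script would keep the copies from drifting.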

+ 43 - 0
init-certificate.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+data_path="./data/certbot"
+
+read -p "Enter domain name (eg. www.example.com): " domains
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+docker-compose run -p 80:80 --rm --entrypoint "\
+  sh -c \"certbot certonly --standalone \
+    --register-unsafely-without-email \
+    $domain_args \
+    --agree-tos \
+    --force-renewal && \
+    ln -fs /etc/letsencrypt/live/$domains/ /etc/letsencrypt/active\"" certbot
+echo
+echo "After running 'docker-compose up --detach' you can share your proxy as: https://signal.tube/#$domains"
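Review bot: The two `curl -s` downloads on L253–L254 fetch the TLS parameters from the moving `master` branch with no `-f`, so a 404 or a changed upstream layout writes an HTML error page into `options-ssl-nginx.conf` and nginx-terminate then fails to load its configuration, and the cipher/protocol policy the proxy ships with can change between two runs of this script; use `curl -fsS` and pin the URL to a certbot release tag (`https://raw.githubusercontent.com/certbot/certbot/<certbot-release-tag>/…`, placeholder) so a failed fetch aborts and the policy is reproducible. `domains` on L240 is read as a single string, so the `"${domains[@]}"` loop on L261 iterates exactly once and a space-separated multi-domain answer is not split into separate `-d` arguments; `read -r -a domains` would make the loop do what it is written for while `$domains` on L271 and L273 still yields the first name. The script has no `set -euo pipefail`, so a failure in the `mkdir`/`curl` block on L252–L254 is not fatal and the `docker-compose run` on L265 still proceeds with broken parameter files.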

+ 22 - 0
nginx-relay/Dockerfile

@@ -0,0 +1,22 @@
+FROM ubuntu:20.04
+
+RUN apt-get update && apt-get -y upgrade && \
+    apt-get install -y wget libpcre3-dev build-essential libssl-dev zlib1g-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt
+
+RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz && \
+    tar -zxvf nginx-1.*.tar.gz && \
+    cd nginx-1.* && \
+    ./configure --prefix=/opt/nginx --user=nginx --group=nginx --with-http_ssl_module --with-ipv6 --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module && \
+    make && make install && \
+    cd .. && rm -rf nginx-1.*
+
+RUN adduser --system --no-create-home --disabled-login --disabled-password --group nginx
+
+WORKDIR /
+
+EXPOSE 443
+
+CMD ["/opt/nginx/sbin/nginx", "-c", "/etc/nginx/conf.d/nginx.conf", "-g", "daemon off;"]
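Review bot: The nginx tarball on L287 is fetched over plain `http://` and extracted and compiled without any integrity check, so a tampered or truncated archive becomes the binary that terminates and relays all proxied traffic; switch to `https://nginx.org/download/nginx-1.18.0.tar.gz` and verify a pinned digest before `tar`, e.g. `echo "<sha256-of-nginx-1.18.0.tar.gz>  nginx-1.18.0.tar.gz" | sha256sum -c -` (placeholder digest; nginx.org also publishes a detached PGP signature that could be checked against the project key instead). The identical `RUN` appears in nginx-terminate/Dockerfile and needs the same change. `EXPOSE 443` on L298 does not match this image's configuration: data/nginx-relay/nginx.conf listens on 4433 and data/nginx-terminate/nginx.conf targets `nginx-relay:4433`, so `EXPOSE 4433` would document the real contract. `--with-ipv6` on L290 appears to be a deprecated no-op in nginx's configure since the 1.11 series and can be dropped.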

+ 22 - 0
nginx-terminate/Dockerfile

@@ -0,0 +1,22 @@
+FROM ubuntu:20.04
+
+RUN apt-get update && apt-get -y upgrade && \
+    apt-get install -y wget libpcre3-dev build-essential libssl-dev zlib1g-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt
+
+RUN wget http://nginx.org/download/nginx-1.18.0.tar.gz && \
+    tar -zxvf nginx-1.*.tar.gz && \
+    cd nginx-1.* && \
+    ./configure --prefix=/opt/nginx --user=nginx --group=nginx --with-http_ssl_module --with-ipv6 --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module && \
+    make && make install && \
+    cd .. && rm -rf nginx-1.*
+
+RUN adduser --system --no-create-home --disabled-login --disabled-password --group nginx
+
+WORKDIR /
+
+EXPOSE 443
+
+CMD ["/opt/nginx/sbin/nginx", "-c", "/etc/nginx/conf.d/nginx.conf", "-g", "daemon off;"]
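Review bot: The final image keeps `build-essential`, `wget` and the `-dev` headers installed on L308–L310 plus whatever `apt-get -y upgrade` pulled in on build day, so the container that exposes port 443 ships a full compiler toolchain and its base is not reproducible between builds. A two-stage build keeps only `/opt/nginx` and the runtime libraries the configure flags imply (`libpcre3`, `libssl1.1`, `zlib1g` on focal — confirm with `ldd /opt/nginx/sbin/nginx`), and dropping the blanket `upgrade` in favour of bumping the base tag keeps builds reproducible. nginx-relay/Dockerfile is byte-identical to this one, so the same rewrite applies there; since both compose services already run the same `CMD`, a single shared image would remove the duplication entirely. `WORKDIR /` on L323 resets the working directory to the root, which is conventionally avoided; with the build moved to its own stage it can simply be omitted.
```dockerfile
FROM ubuntu:20.04 AS build
# … unchanged: apt-get install of the build toolchain, wget/verify/configure/make of nginx-1.18.0 into /opt/nginx …

FROM ubuntu:20.04
RUN apt-get update && \
    apt-get install -y --no-install-recommends libpcre3 libssl1.1 zlib1g && \
    rm -rf /var/lib/apt/lists/*
COPY --from=build /opt/nginx /opt/nginx
RUN adduser --system --no-create-home --disabled-login --disabled-password --group nginx
# … unchanged: EXPOSE 443 and CMD …
```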