• Re: binkps

    From shinobi@21:1/153 to Al on Fri Apr 10 11:15:52 2020
    Hello Al,

    nginx.conf:

From that setup where you use nginx for the stream proxy of SSL binkps I would have a small comment. There is trouble when you connect with more than one node concurrently. The IP address is not forwarded through the proxy and you basically connect from localhost. That means when you connect with more than one node you get the Duplicate I.P. message. I'm uncertain whether this can be configured otherwise. But there is a solution for how to connect with more than one node at once.

The Mystic BBS can be configured to listen on multiple ports with the BINKP server. That means what could be done is to set up several BINKP servers listening on localhost, e.g. 24554, 24555, 24556, 24557, 24558. Then you can have 5 concurrent connections from the proxy server. nginx can load-balance, and this is how it could be done:

    stream {
        upstream binkps {
            # one Mystic BINKP listener per port; max_conns=1 stops nginx from
            # sending a second concurrent session to the same listener
            server 127.0.0.1:24554 max_conns=1;
            server 127.0.0.1:24555 max_conns=1;
            server 127.0.0.1:24556 max_conns=1;
            server 127.0.0.1:24557 max_conns=1;
            server 127.0.0.1:24558 max_conns=1;
        }
        server {
            listen 29543 ssl;                  # TLS is terminated here
            proxy_pass binkps;
            ssl_certificate /etc/nginx/ssl/snake-oil.crt;
            ssl_certificate_key /etc/nginx/ssl/snake-oil.key;
            ssl_password_file /etc/nginx/ssl/password-file.txt;   # passphrase for the key
            # ssl_preread extracts the SNI from a ClientHello without terminating
            # TLS; it is not needed on a listener that terminates TLS itself
            ssl_preread on;
        }
    }

That will actually provide the possibility of 5 concurrent connections from the nodes. The ssl_password_file parameter gives the file where the password for the certificate is stored.

In the upstream list of servers, max_conns prevents load balancing of more than one client at once to the given binkp server.

    Probably there is an easier solution. But this is what worked for me.

BTW: the solution can be to use stunnel as you wrote; in that case the following configuration can be used:

    /etc/stunnel/stunnel.conf:

    [binkps]
    accept = 29543                   ; TLS listener for the nodes
    connect = 24554                  ; plain BINKP on localhost
    cert = /etc/stunnel/stunnel.pem
    protocol = proxy                 ; HAProxy PROXY protocol header to the backend

However it still retains the shortcoming of only one concurrent session from the node. The other is rejected with the BUSY message.

What I would really like to explore is HAProxy. However most of the solutions are made for the http and https protocols. Therefore if you would like to forward the real IP address it can be achieved only with those protocols.

    I tried the configuration of nginx with the proxy option as follows:

    listen 29543 ssl proxy_protocol;

    and then

    proxy_protocol on;

This works just for a moment when the client connects via the proxy to the BINKP. Just when the real IP address is forwarded then ... what I guess is that the BINKP server responds to the real IP ... but that's not accessible because the connection is established from within nginx... and then the response goes elsewhere. If one used http then the directives

    proxy_set_header X-Real-IP $proxy_protocol_addr;
    proxy_set_header X-Forwarded-For $proxy_protocol_addr;

could be used. But that's not the case here because the headers cannot be modified in the stream (TCP) nginx proxy mode.

    That's about it. Correct me if I'm wrong.

    Best regards

    Shinobi <.Phenom.>

    BBS Toolbox https://bbst.neocities.org

    --- Mystic BBS v1.12 A45 2020/02/18 (Linux/64)
    * Origin: Infoline BBS (21:1/153)
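As an added example (my code, not part of shinobi's post nor of Mystic or nginx), the Python below shows what the BINKP backend actually receives once `proxy_protocol on;` is set on the stream listener: nginx prepends one HAProxy PROXY protocol v1 line to the TCP stream, and a backend that does not parse that line reads it as its first BinkP frame. The addresses, ports and the M_NUL frame are constructed sample data; the PROXY v1 line format and the BinkP frame layout (bit 15 command flag, 15-bit length, then the command byte) are as published.

```python
"""Added example (not from the thread): what a BinkP backend sees on a
connection from an nginx stream listener with `proxy_protocol on;`.

nginx prepends one HAProxy PROXY protocol v1 line to the TCP stream; a
backend that does not parse it reads that line as BinkP frame data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_V1_HEADER = 107  # PROXY v1 spec: longest valid header, CRLF included

# BinkP command ids (first data byte of a command frame)
BINKP_COMMANDS = {0: "M_NUL", 1: "M_ADR", 2: "M_PWD", 3: "M_FILE", 4: "M_OK",
                  5: "M_EOB", 6: "M_GOT", 7: "M_ERR", 8: "M_BSY", 9: "M_GET",
                  10: "M_SKIP"}


@dataclass
class ProxyHeader:
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    payload: bytes  # everything after the header: the real BinkP stream


class ProxyHeaderError(ValueError):
    pass


def parse_proxy_v1(data: bytes) -> ProxyHeader:
    """Strip and validate a PROXY v1 line; the bytes after CRLF are payload."""
    if not data.startswith(b"PROXY "):
        raise ProxyHeaderError("stream does not start with a PROXY v1 line")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ProxyHeaderError("no CRLF within 107 bytes: not a valid v1 header")
    fields = data[:end].split(b" ")
    payload = data[end + 2:]
    if fields[1] == b"UNKNOWN":  # proxy could not determine the original addresses
        return ProxyHeader(None, None, None, None, payload)
    if fields[1] not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ProxyHeaderError(f"malformed header: {data[:end]!r}")
    want = 4 if fields[1] == b"TCP4" else 6
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
        sport, dport = int(fields[4]), int(fields[5])
    except ValueError as e:
        raise ProxyHeaderError(f"bad address or port: {e}") from e
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match TCP4/TCP6 token")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return ProxyHeader(str(src), sport, str(dst), dport, payload)


def peek_binkp_frame(stream: bytes):
    """Decode the first BinkP frame header: bit 15 = command, low 15 bits = length."""
    if len(stream) < 2:
        return None
    hdr = int.from_bytes(stream[:2], "big")
    is_command = bool(hdr & 0x8000)
    length = hdr & 0x7FFF
    name = (BINKP_COMMANDS.get(stream[2])
            if is_command and length >= 1 and len(stream) > 2 else None)
    return {"command": is_command, "length": length, "name": name}


# Constructed sample: PROXY line for a node at 203.0.113.5 (documentation
# range), followed by a BinkP M_NUL command frame carrying "SYS Test".
BINKP_M_NUL = bytes([0x80, 0x09, 0x00]) + b"SYS Test"   # 0x8009: command, length 9
SAMPLE = b"PROXY TCP4 203.0.113.5 192.0.2.10 51234 24553\r\n" + BINKP_M_NUL

if __name__ == "__main__":
    info = parse_proxy_v1(SAMPLE)
    print("real peer:", info.src_ip, info.src_port)
    print("first frame after the header:", peek_binkp_frame(info.payload))
    print("same bytes read by a PROXY-unaware server:", peek_binkp_frame(SAMPLE))
```

Run stand-alone, the three printed lines show the real peer address recovered from the header, a well-formed M_NUL frame right behind it, and the nonsense 20562-byte data frame that a server without PROXY protocol support would try to read from the very same bytes ("PR" decodes as a data-frame length). The proxy's reply path is unaffected by the header; the backend simply has to understand it, or the listener must not send it. For the Duplicate I.P. check this also means the only ways the BINKP server can learn the real address are a header it parses or a proxy that preserves the source address on the wire.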
  • From Al@21:4/106 to shinobi on Fri Apr 10 12:39:56 2020
    Hello shinobi,

    Long time no hear, I hope all is well with you.

The Mystic BBS can be configured to listen on multiple ports with the BINKP server. That means what could be done is to set up several BINKP servers listening on localhost, e.g. 24554, 24555, 24556, 24557, 24558. Then you can have 5 concurrent connections from the proxy server. nginx can load-balance, and this is how it could be done:

    In my case I am using binkd. nginx is listening on port 24553 and if the tls handshake is successful it passes the connection to my running binkd on the standard port.

    That's not what I would call the right way to do it.

    That's about it. Correct me if I'm wrong.

    I think that's all right. All this network stuff is way above my pay grade quite frankly. ;)

    If it wasn't for Oli's help I wouldn't have been able to connect the dots.

    It is my hope that the binkd developers will sit around a table at some point and discuss what is needed to make this happen in binkd itself in a similar way to how Mystic and Synchronet (BinkIT) handle these tls connections themselves.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From alterego@21:2/116 to shinobi on Sat Apr 11 08:10:44 2020
    Re: Re: binkps
    By: shinobi to Al on Fri Apr 10 2020 11:15 am

than one node concurrently. The IP address is not forwarded through the proxy and you basically connect from localhost. That means when you

    Can you put localhost in a whitelist of some sort?
    ...deon


    ... Professionals build the Titanic, amateurs built the Ark.
    --- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to Al on Sat Apr 11 10:50:40 2020
    Al wrote (2020-04-10):

The Mystic BBS can be configured to listen on multiple ports with
the BINKP server. That means what could be done is to set up several
BINKP servers listening on localhost, e.g. 24554, 24555, 24556,
24557, 24558. Then you can have 5 concurrent connections from the
proxy server. nginx can load-balance, and this is how it could
be done:

    In my case I am using binkd. nginx is listening on port 24553 and if the tls handshake is successful it passes the connection to my running binkd
    on the standard port.

    That's not what I would call the right way to do it.

    It's also not the wrong way to do it and it has some advantages (and a few disadvantages). I'm doing this with https and xmpps as well, even if the servers support TLS by themselves.

    TLS support in binkd would be nice, but for incoming connections I would still use nginx or haproxy for TLS termination.

    ---
    * Origin: (21:3/102)
  • From alterego@21:2/116 to Oli on Sat Apr 11 19:18:02 2020
    Re: binkps
    By: Oli to Al on Sat Apr 11 2020 10:50 am

    That's not what I would call the right way to do it.
    It's also not the wrong way to do it and it has some advantages (and a few disadvantages). I'm doing this with https and xmpps as
    well, even if the servers support TLS by themselves.

I think Al was referring to getting around a Mystic loophole, where multiple connections from the same IP address are problematic (since all connections via nginx are via the nginx host's IP address).

    I wonder if setting 127.0.0.1 (or the nginx host's ip address) in a whitelist of some sort would get around this issue?
    ...deon


... There are always alternatives. Spock, The Galileo Seven, stardate 2822.3.
--- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)
  • From Oli@21:3/102 to shinobi on Sat Apr 11 11:46:56 2020
    shinobi wrote (2020-04-10):

    Hello Al,

    nginx.conf:

From that setup where you use nginx for the stream proxy of SSL binkps I would have a small comment. There is trouble when you connect with more than one node concurrently. The IP address is not forwarded through the proxy and you basically connect from localhost. That means when you
connect with more than one node you get the Duplicate I.P. message. I'm uncertain whether this can be configured otherwise. But there is a solution for how to connect with more than one node at once.

The Mystic BBS can be configured to listen on multiple ports with the
BINKP server. That means what could be done is to set up several BINKP servers listening on localhost, e.g. 24554, 24555, 24556, 24557, 24558.
Then you can have 5 concurrent connections from the proxy server.
nginx can load-balance, and this is how it could be done:

You could also tell nginx to use different IPs for the connection. I haven't tried it and I cannot provide a configuration example, but I think it's doable:

    proxy_bind 127.0.0.2;
    ....
    proxy_bind 127.0.0.3;
    ....
    proxy_bind 127.0.0.4;


You can also try running it as a transparent proxy.

    https://www.nginx.com/blog/ip-transparency-direct-server-return-nginx-plus-transparent-proxy/#ip-transparency

    ---
    * Origin: (21:3/102)
  • From NuSkooler@21:1/121 to Oli on Sat Apr 11 12:56:48 2020

    On Saturday, April 11th Oli muttered...
    TLS support in binkd would be nice, but for incoming connections I would still use nginx or haproxy for TLS termination.

+1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer reviewed in terms of security. Various BBS packages are not. I had to enable some older cipher suites and lessen security just to allow some particular BBS terminals to connect to my b
    ...just kind of jumping in here. What did the "binkps" proto end up looking like? Just bink proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)





    --
    NuSkooler
    Xibalba BBS @ xibalba.l33t.codes / 44510(telnet) 44511(ssh)
    ENiGMA 1/2 BBS WHQ | Phenom | 67 | iMPURE | ACiDic
    --- ENiGMA 1/2 v0.0.11-beta (linux; x64; 12.13.1)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Oli@21:3/102 to NuSkooler on Sat Apr 11 21:49:18 2020
    NuSkooler wrote (2020-04-11):

    On Saturday, April 11th Oli muttered...
    TLS support in binkd would be nice, but for incoming connections I
    would still use nginx or haproxy for TLS termination.

+1 for TLS termination. nginx/HAProxy/Caddy/etc. are all heavily peer reviewed in terms of security. Various BBS packages are not. I had to enable some older cipher suites and lessen security just to allow some particular BBS terminals to connect to my b

    A Mystic hub truncated the line again ...

    ..just kind of jumping in
    here. What did the "binkps" proto end up looking like? Just bink proxied over TLS?

Yes, but besides that we haven't agreed on anything. If I had to define it, it would most likely look like this:

    - must support TLS 1.3
    - client must not send an unencrypted hostname (SNI) without prior agreement
    - it shouldn't rely on CAs. Pinned certs with TOFU, DANE or nodelist flag


    I'd like to get this set up (I'll be TLS terminating with Caddy
    personally)

    I haven't used Caddy as a TCP proxy, only nginx, haproxy and stunnel. Would be nice, if you could try it with binkp.

    ---
    * Origin: (21:3/102)
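As an added example (my code, not from Oli's post nor from any BinkP implementation), here is what the three points above look like on the client side with Python's ssl module: a context that refuses anything below TLS 1.3, a handshake that sends no SNI extension, and peer authentication by a pinned SHA-256 certificate fingerprint recorded on first contact (TOFU) instead of CA validation. The pin store, its JSON file and the keying by FTN address are assumptions of this example; DANE and nodelist-flag pinning are not covered.

```python
"""Added example (not from the thread): a client-side TLS policy for BinkP
along the lines sketched above. TLS 1.3 minimum, no SNI in the ClientHello,
and the peer authenticated by a pinned certificate fingerprint learned on
first use (TOFU) instead of a CA chain. Store format and file are assumptions.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path
from typing import Optional


class PinMismatch(Exception):
    """The peer presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate: the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps an FTN address such as '21:1/153' to a certificate fingerprint.

    Persisted as JSON when a path is given (assumed layout); path=None keeps
    the pins in memory only.
    """

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=1))

    def check(self, ftn_address: str, der_cert: bytes) -> str:
        """'pinned' on first contact, 'ok' on a match, PinMismatch otherwise."""
        seen = fingerprint(der_cert)
        pinned = self.pins.get(ftn_address)
        if pinned is None:            # first contact: trust on first use
            self.pins[ftn_address] = seen
            self._save()
            return "pinned"
        if pinned != seen:            # every later contact must match exactly
            raise PinMismatch(
                f"{ftn_address}: pinned {pinned[:16]}..., got {seen[:16]}...")
        return "ok"


def make_client_context() -> ssl.SSLContext:
    """TLS 1.3 only; no hostname or CA validation because the pin decides."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # the pin check below replaces the CA chain
    return ctx


def connect_pinned(host: str, port: int, ftn_address: str,
                   store: PinStore) -> ssl.SSLSocket:
    """Open the TLS session and enforce the pin before any BinkP frame is sent."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=30)
    # server_hostname=None: the ClientHello carries no SNI extension
    tls = ctx.wrap_socket(raw, server_hostname=None)
    try:
        store.check(ftn_address, tls.getpeercert(binary_form=True))
    except PinMismatch:
        tls.close()               # abort before M_PWD or anything else goes out
        raise
    return tls                    # hand this socket to the BinkP session code
```

With CERT_NONE the TLS library verifies nothing, so the pin check is the only authentication: the very first contact with a node is unauthenticated by construction, and a later mismatch must abort the session before the password exchange, which is why connect_pinned closes the socket and re-raises. Rotating a node's certificate therefore needs an out-of-band pin update, the usual TOFU trade-off.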
  • From Al@21:4/106 to NuSkooler on Sat Apr 11 13:11:18 2020
    Hello NuSkooler,

    What did the "binkps" proto end up looking like? Just bink
    proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)

    There is no binkps proto, at least such a thing hasn't happened yet.

    In my own pondering I think CRAM-MD5 and crypt could be removed if a binkps proto ever did come to be but that is for binkps developers to look at and decide on.

    I have not heard anything from the binkd developers about any of this. Maybe they are not interested or maybe there is no one on the binkd team to bring this forward.

    It would be a good thing if they were part of all this but I am not seeing them.

    Ttyl :-),
    Al

    --- GoldED+/LNX
    * Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)
  • From Havok@21:4/10 to alterego on Sat Apr 11 16:52:26 2020
    Re: Re: binkps
    By: alterego to shinobi on Sat Apr 11 2020 08:10 am


    Can you put localhost in a whitelist of some sort?

I guess, why not:
127.0.0.1
192.168.0.65 (so to speak)

    How about anyone else?

    Just a thought...





    Havok

... Not one hundred percent efficient, of course, but nothing ever is.

    ---
    ■ Synchronet ■ Gray Matter BBS | graymatterbbs.com:2332
    * Origin: fsxNet FTN<>QWK Gateway (21:4/10)
  • From alterego@21:2/116 to NuSkooler on Sun Apr 12 10:33:32 2020
    Re: RE: binkps
    By: NuSkooler to Oli on Sat Apr 11 2020 12:56 pm

    here. What did the "binkps" proto end up looking like? Just bink proxied over TLS? I'd like to get this set up (I'll be TLS terminating with Caddy personally)

    Yup, my implementation on Hub 3 is via nginx - so caddy should be OK to do the same thing.

On my node 2/116, it's with BinkIT, and I think DM just put in a TLS call before running the main BinkIT code.

If you need help, yell out. You can poll Hub 3 or me if you need to test :)
    ...deon


... There are always alternatives. Spock, The Galileo Seven, stardate 2822.3.
--- SBBSecho 3.10-Linux
    * Origin: I'm playing with ANSI+videotex - wanna play too? (21:2/116)