An example passthru service
- Creating your VPS (ScreenCast)
- Securing Access to VPS (ScreenCast) • Securing Access to VPS (Article))
In practice this requires 3 computers, but for the sake of simplicity in the screencast only two are used (initializer and client will be on the same laptop).
- initializer https://github.com/LDSorg/passthru-initializer-example
- server https://github.com/LDSorg/passthru-server-example
- client https://github.com/LDSorg/passthru-client-example
The server must have a domain name.
You can use DynDNS or whatever, it just has to have something real.
If you want to test on localhost only you can use local.ldsconnect.org
.
Also, you may be able to use the ip address returned by node ./ifcheck.js
First you're going to create a secret on the initializer.
# Initializer
git clone https://github.com/LDSorg/passthru-initializer-example.git passthru-initializer
pushd passthru-initializer/
npm install
node bin/gen-secret.js
> 35acc236-50ea-42c2-b47b-3682419b9b86
vim config.js # store the secret
node bin/gen-shadow.js 35acc236-50ea-42c2-b47b-3682419b9b86
> GnSh3sEolPnhh0qkLxFMyBaFY5M1fGyGgk5KDpVOsHESdHK5SOOd2G3xf9SymsAS
Now you're going to save the shadow on the server (never put the initializer's secret on the server!!!) and create a secret for the server (never put the server secret on the initializer!!!).
# Server
curl -fsSL bit.ly/easy-install-node | bash
git clone https://github.com/LDSorg/passthru-server-example.git passthru-server
pushd passthru-server/
npm install
node ./ifcheck.js
> 127.0.0.1
node bin/gen-salt.js
> eaf089fe-b875-4274-9e50-6adcf618b30a
# update the salt
vim config.js
config.js
'use strict';
module.exports = {
// server-generated salt goes here
"salt": "eaf089fe-b875-4274-9e50-6adcf618b30a"
// initializer-generated shadow goes here
, "shadow": "GnSh3sEolPnhh0qkLxFMyBaFY5M1fGyGgk5KDpVOsHESdHK5SOOd2G3xf9SymsAS"
};
NOTE: You must use a real domain name or the ip address.
# Initializer
git submodule init
git submodule update
bash ssl-cert-gen/make-root-ca-and-certificates.sh local.ldsconnect.org
# put client keys on client
rsync -avhHPz ./certs/client/ client.example.com:~/passthru-client/certs/client/
rsync -avhHPz ./certs/ca/*.crt.pem client.example.com:~/passthru-client/certs/ca/
# put server keys on server
rsync -avhHPz ./certs/server/ local.ldsconnect.org:~/passthru-server/certs/server/
rsync -avhHPz ./certs/ca/*.crt.pem local.ldsconnect.org:~/passthru-server/certs/ca/
# Server
sudo ufw allow 8043/tcp
node bin/serve.js 8043
# rsync -a passthru.conf /etc/init
# sudo service passthru start
# Initializer
node init.js
> { success: true }
# test that this kills the server (and then manually restart it)
node tests/restart.js
> {"success":true}
# Client
# add username and password for lds.org
vim real-secret.js
curl https://local.ldsconnect.org:8043 --cert certs/client/my-app-client.p12:secret --cacert certs/client/my-root-ca.crt.pem
> Cannot GET /
node tests/fails-without-cert.js 2>/dev/null
> SUCCESS: Could not connect without valid certificate
node token-exchange.js
> {"individualId":1000000001,"newOption2Member":false}