💾 Archived View for tilde.pink › ~maria › log › 2021-08-20_sad_panda.gmi captured on 2022-06-11 at 20:52:15. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-03)
-=-=-=-=-=-=-
Anyone that has never heard of this phenomenon, it's a website that shows a sad panda unless you have a certain cookie set. The panda site will usually feature content that is arguably interesting for a certain crowd.
The last sad panda I found was related to a bunch of japanese adult comics. Not something "critical" to state security. Just a place where people could share them and comment and rate them.
In geminispace this is a lot easier to achieve than doing cookie-magic. You can just create your own root cert authority and distribute the client certificates. I did this whole think out of curiosity. And so I thought I'd document this here, maybe someone feels inspired to build something from it. Who knows.
Regarding authorization: when you terminate ssl within your load balancer, you have no way to get the certificate into your application. Maybe this doesn't matter, maybe it does. I'll be suggesting something later.
Assume your door is hosted here:
gemini://panda.example.com
Proxying I did with haproxy
frontend main
bind :1965 ssl verify optional crt /my/path/cert/haproxy/panda.pem ca-file /my/path/cert/haproxy/capanda.pem
mode tcp
log global
option dontlognull
maxconn 80
timeout client 30s
use_backend panda if { ssl_fc_sni -i panda.example.com } { ssl_fc_has_crt } { ssl_c_verify 0 }
use_backend sadpanda if { ssl_fc_sni -i panda.example.com } !{ ssl_fc_has_crt } || !{ ssl_c_verify 0 }
backend panda
mode tcp
balance roundrobin
timeout connect 5s
timeout server 5s
server panda1 127.0.0.1:9002 check
backend sadpanda
mode tcp
balance roundrobin
timeout connect 5s
timeout server 5s
server sadpanda1 127.0.0.1:9003 check
This uses verification on client certificates when they are presented. The ca-file is the self-signed ca authority. And it only lets those certificates in that verify against the ca. There is also a deny-list for certificates that have no longer access, which I didn't implement here, but it's in the haproxy documentation.
When a client certificate is verified the request will route to the panda backend, otherwise it will route to the sadpanda backend.
To build your own certication authority, well. There's tutorials on that. Or send me mail, I can provide a script.
Finally, regarding authentication. There is such a thing called wildcard DNS record. It takes a DNS and every subdomain get relayed to the parent. Basically a catch-all. Together with SNI you can do something like this:
gemini://<client cert sha1>.panda.example.com
And haproxy can check via SNI whether the client cert verifies and its sha1 matches the wildcard. In your application you then access the request and know from which "user" this is. This way every certificate has its own door through the gate.
While this is pretty neat, I am not sure if geminispace needs a walled off, secret community. We're pretty small and have discovery issues as it is. Small communities generally have less need to shard into smaller, exclusive communities. Any how, if you have an idea, how to use this, let me know.