💾 Archived View for bbs.geminispace.org › s › misfin › 19194 captured on 2024-08-31 at 15:42:26. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
A mere year and three months later...
I've gone and implemented a Misfin extension for GmCapsule. It's available in v0.9.
I made it as simple as possible: it does basic certificate checking/TOFU but then just forwards the message to an email address. The assumption here is that the destination is reachable without transmitting the message as clear text. This could be for example a local account or, in my case, Proton email that is sent encrypted to the server.
The nice thing about using email as the backend is of course that all the existing infrastructure and software exists, so I can receive these messages on, say, my phone.
Next I'll be looking at adding support for sending Misfin messages through Lagrange's upload UI. @satch, I believe you had some thoughts regarding this?
Aug 24 · 7 days ago · 👍 gritty, gemalaya, johano, istvan
If you are adding features, could we get support for proxying a subdomain to a Gemini server on a local port?
I run tootik for Fediverse Gemini and it has to be accessed on a weird port since gmcapsule is already occupying gemini port.
It would be really cool if gmcapsule could proxy “fedi.mydomain.xyz” to another gemini server running on port 2345 or whatever.
🕹️ skyjake [OP/mod...] · Aug 25 at 05:21:
Proxying is on my todo list if I can figure out how to make it work properly. The problem is with TLS client certificates. The way I've understood it, you'd have to set up the proxy connection before the TLS handshake occurs, and I'm not sure if that's possible using the pyOpenSSL APIs.
I think it might be worth looking at how Nginx handles proxy an internal https server to outside.
Looks like what it’s actually doing is reencrypting, so the internal server has to resolve the first certificate, decrypt it, and then reencypt the data with the new cert on its way out the proxy.
https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html