[tor-commits] [flashproxy/master] move appengine and facilitator docs to facilitator subtree

dcf at torproject.org
Mon Oct 14 02:15:31 UTC 2013


commit e59943493584cb0c704763eadffb8802c36aebdd
Author: Ximin Luo <infinity0 at gmx.com>
Date:   Wed Sep 11 17:21:09 2013 +0100

    move appengine and facilitator docs to facilitator subtree
---
 appengine/README                      |   11 --
 appengine/app.yaml                    |    9 --
 appengine/fp-reg.go                   |   54 ---------
 doc/appengine-howto.txt               |   56 ----------
 doc/facilitator-howto.txt             |  199 ---------------------------------
 doc/gmail-setup.txt                   |   61 ----------
 facilitator/appengine/README          |   11 ++
 facilitator/appengine/app.yaml        |    9 ++
 facilitator/appengine/fp-reg.go       |   54 +++++++++
 facilitator/doc/appengine-howto.txt   |   56 ++++++++++
 facilitator/doc/facilitator-howto.txt |  199 +++++++++++++++++++++++++++++++++
 facilitator/doc/gmail-setup.txt       |   61 ++++++++++
 12 files changed, 390 insertions(+), 390 deletions(-)

diff --git a/appengine/README b/appengine/README
deleted file mode 100644
index 00d0611..0000000
--- a/appengine/README
+++ /dev/null
@@ -1,11 +0,0 @@
-This is the server-side code that runs on Google App Engine for the
-"appspot" registration method.
-
-See doc/appengine-howto.txt for information about setting up an
-application.
-
-To run with the development server:
-$ ~/google_appengine/dev_appserver.py appengine/
-
-To upload a new version:
-$ torify ~/google_appengine/appcfg.py update appengine/
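Review bot: the index line for this hunk (00d0611..0000000) and the one for the new file under facilitator/appengine/ (0000000..00d0611) carry the same blob id, so every deletion in this patch is a byte-for-byte rename rather than a delete-and-recreate; generating the patch with rename detection (git diff -M, git format-patch -M) would present the six file pairs as renames and cut the review to the path changes alone.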
diff --git a/appengine/app.yaml b/appengine/app.yaml
deleted file mode 100644
index 3b99ada..0000000
--- a/appengine/app.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-application: fp-reg-a
-version: 1
-runtime: go
-api_version: go1
-
-handlers:
-- url: /.*
-  script: _go_app
-  secure: always
diff --git a/appengine/fp-reg.go b/appengine/fp-reg.go
deleted file mode 100644
index d4f84c2..0000000
--- a/appengine/fp-reg.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package fp_reg
-
-import (
-	"io"
-	"net"
-	"net/http"
-	"path"
-
-	"appengine"
-	"appengine/urlfetch"
-)
-
-const BASE = "https://fp-facilitator.org/reg/"
-
-func robotsTxtHandler(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	w.Write([]byte("User-agent: *\nDisallow:\n"))
-}
-
-func ipHandler(w http.ResponseWriter, r *http.Request) {
-	remoteAddr := r.RemoteAddr
-	if net.ParseIP(remoteAddr).To4() == nil {
-		remoteAddr = "[" + remoteAddr + "]"
-	}
-	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	w.Write([]byte(remoteAddr))
-}
-
-func regHandler(w http.ResponseWriter, r *http.Request) {
-	dir, blob := path.Split(path.Clean(r.URL.Path))
-	if dir != "/reg/" {
-		http.NotFound(w, r)
-		return
-	}
-	client := urlfetch.Client(appengine.NewContext(r))
-	resp, err := client.Get(BASE + blob)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	for key, values := range resp.Header {
-		for _, value := range values {
-			w.Header().Add(key, value)
-		}
-	}
-	w.WriteHeader(resp.StatusCode)
-	io.Copy(w, resp.Body)
-}
-
-func init() {
-	http.HandleFunc("/robots.txt", robotsTxtHandler)
-	http.HandleFunc("/ip", ipHandler)
-	http.HandleFunc("/reg/", regHandler)
-}
diff --git a/doc/appengine-howto.txt b/doc/appengine-howto.txt
deleted file mode 100644
index 44c5324..0000000
--- a/doc/appengine-howto.txt
+++ /dev/null
@@ -1,56 +0,0 @@
-These are instructions for how to set up a Google App Engine application
-to run at appspot.com.
-
-General links:
-https://developers.google.com/appengine/
-https://developers.google.com/appengine/docs/whatisgoogleappengine
-https://developers.google.com/appengine/docs/go/gettingstarted/
-
-You first need to create a Google account. See gmail-howto.txt for how
-to do that.
-
-Download the SDK:
-https://developers.google.com/appengine/docs/go/gettingstarted/devenvironment
-
-Write your program and app.yaml file:
-https://developers.google.com/appengine/docs/go/gettingstarted/helloworld
-
-When you're ready to upload, log in with your Google account and follow
-the directions:
-https://appengine.google.com/
-https://developers.google.com/appengine/docs/go/gettingstarted/uploading
-
-Enter an application ID and create the application.
-
-Use the appcfg.py program to upload the program. It should look
-something like this:
-
-$ torify ./google_appengine/appcfg.py update myapp/
-07:25 PM Host: appengine.google.com
-07:25 PM Application: application-id; version: 1
-07:25 PM
-Starting update of app: application-id, version: 1
-07:25 PM Getting current resource limits.
-Email: xxx at gmail.com
-Password for xxx at gmail.com:
-07:26 PM Scanning files on local disk.
-07:26 PM Cloning 2 application files.
-07:26 PM Uploading 1 files and blobs.
-07:26 PM Uploaded 1 files and blobs
-07:26 PM Compilation starting.
-07:26 PM Compilation: 1 files left.
-07:26 PM Compilation completed.
-07:26 PM Starting deployment.
-07:26 PM Checking if deployment succeeded.
-07:26 PM Deployment successful.
-07:26 PM Checking if updated app version is serving.
-07:26 PM Completed update of app: application-id, version: 1
-
-Uploading the program in this way seems to create the files
-~/.appcfg_nag and ~/.appcfg_cookies. Running the update command again
-doesn't require you to enter your password again.
-
-Once logged in, you can disable logging for the application. Click
-"Logs" on the left panel. Under "Total Logs Storage", click "Change
-Settings". Enter "0" in the "days of logs" box and click "Save
-Settings".
diff --git a/doc/facilitator-howto.txt b/doc/facilitator-howto.txt
deleted file mode 100644
index 8bafce9..0000000
--- a/doc/facilitator-howto.txt
+++ /dev/null
@@ -1,199 +0,0 @@
-This document describes how to run a flash proxy facilitator on Debian 7.
-We will use the domain name fp-facilitator.example.com.
-
-== Overview
-
-The facilitator consists of a backend server that is essentially a
-dynamic database of client addresses, as well as helper programs that
-receive client registrations from the Internet over various means and
-pass them to the backend. There are three supported helper rendezvous
-methods: HTTP, URL, and email.
-
-The HTTP rendezvous uses an HTTP server and a CGI program. The HTTP
-server is responsible for speaking TLS and invoking the CGI program. The
-CGI program receives client registrations and proxy requests for
-clients, parses them, and forwards them to the backend. We use Apache 2
-as the HTTP server. The CGI script is facilitator.cgi. The backend is
-facilitator.
-
-The email rendezvous uses the helper program facilitator-email-poller.
-Clients use the flashproxy-reg-email program to send an encrypted
-message to a Gmail address. The poller constantly checks for new
-messages and forwards them to facilitator-reg.
-
-facilitator-reg is a simple program that forwards its standard input to
-a locally running facilitator-reg-daemon process.
-
-facilitator-reg-daemon accepts connections containing encrypted client
-registrations and forwards them to the facilitator. It exists as a
-process of its own so that only one program requires access to the
-facilitator's private key.
-
-The URL rendezvous uses the helper program flashproxy-reg-email. The
-helper program doesn't actually make a registration; rather, it prints
-out a URL which, when retrieved, makes the registration.
-
-fac.py is a Python module containing code common to the various
-facilitator programs.
-
-== Basic and security setup
-
-Install some essential packages and configure a firewall.
-
-	# cat >/etc/apt/apt.conf.d/90suggests<<EOF
-APT::Install-Recommends "0";
-APT::Install-Suggests "0";
-EOF
-	# apt-get remove portmap
-	# apt-get update
-	# apt-get upgrade
-	# apt-get install shorewall shorewall6
-
-Away from the facilitator, generate an SSH key for authentication:
-
-	$ ssh-keygen -f ~/.ssh/fp-facilitator
-	$ ssh-copy-id -i ~/.ssh/fp-facilitator.pub root at fp-facilitator.example.com
-
-Then log in and edit /etc/ssh/sshd_config to disable password
-authentication:
-
-	PasswordAuthentication no
-
-Configure the firewall to allow only SSH and HTTPS.
-
-	# cd /etc/shorewall
-	# cp /usr/share/doc/shorewall/examples/Universal/{interfaces,policy,rules,zones} .
-	Edit /etc/shorewall/rules:
-SECTION NEW
-SSH(ACCEPT)	net	$FW
-HTTPS(ACCEPT)	net	$FW
-
-	# cd /etc/shorewall6
-	# cp /usr/share/doc/shorewall6/examples/Universal/{interfaces,policy,rules,zones} .
-	Edit /etc/shorewall6/rules:
-SECTION NEW
-SSH(ACCEPT)	all	$FW
-HTTPS(ACCEPT)	all	$FW
-
-Edit /etc/default/shorewall and /etc/default/shorewall6 and set
-
-	startup=1
-
-Restart servers.
-
-	# /etc/init.d/ssh restart
-	# /etc/init.d/shorewall start
-	# /etc/init.d/shorewall6 start
-
-== Facilitator program installation
-
-Create the user the daemons will run as.
-
-	# useradd --shell /usr/sbin/nologin --system --home /nonexistent -M facilitator-nobody
-
-Install the programs.
-
-	# cd
-	# apt-get install git python-m2crypto make
-	# git clone https://git.torproject.org/flashproxy.git
-	# cd flashproxy/facilitator
-	# make install
-
-This installs facilitator.cgi, facilitator, facilitator-email-poller,
-facilitator-reg-daemon, facilitator-reg, and fac.py to /usr/local/bin.
-It also installs System V init files to /etc/init.d/.
-
-=== Registration daemon setup
-
-The facilitator-reg-daemon program requires a private RSA key (used to
-decrypt encrypted client registrations).
-
-	# mkdir /etc/flashproxy
-	# openssl genrsa -out /etc/flashproxy/reg-daemon.key 2048
-	# chmod 600 /etc/flashproxy/reg-daemon.key
-	# openssl rsa -pubout < /etc/flashproxy/reg-daemon.key > reg-daemon.pub
-
-You will have to edit flashproxy-reg-email and copy the contents of
-reg-daemon.pub into the appropriate place.
-
-Install reg-daemon.key /etc/flashproxy to match what the init script
-expects.
-
-=== Init script setup
-
-	# update-rc.d facilitator defaults
-	# /etc/init.d/facilitator start
-	# update-rc.d facilitator-reg-daemon defaults
-	# /etc/init.d/facilitator-reg-daemon start
-
-== HTTP server setup
-
-Apache is the web server that runs the CGI program.
-
-	# apt-get install apache2 libapache2-mod-evasive
-	# a2enmod ssl headers
-
-Edit /etc/apache2/ports.conf and comment out the port 80 configuration.
-
-	# NameVirtualHost *:80
-	# Listen 80
-
-Create a new file /etc/apache2/sites-available/fp-facilitator with
-these contents:
-	MaxClients 256
-	<VirtualHost *:443>
-		ServerName fp-facilitator.example.com
-		DocumentRoot /dev/null
-		ScriptAliasMatch ^(.*) /usr/local/bin/facilitator.cgi$1
-		CustomLog /dev/null common
-		ErrorLog ${APACHE_LOG_DIR}/error.log
-		LogLevel warn
-		SSLEngine on
-		SSLCertificateFile /etc/apache2/fp-facilitator.pem
-		SSLCertificateChainFile /etc/apache2/intermediate.pem
-		Header add Strict-Transport-Security "max-age=15768000"
-	</VirtualHost>
-intermediate.pem is a possible intermediate certificate file provided by
-the CA; if you did not get one, then leave off the
-SSLCertificateChainFile line.
-
-Link the configured site into sites-enabled.
-	# a2ensite fp-facilitator
-
-=== HTTPS setup
-
-The HTTP server should serve only over HTTPS and not unencrypted HTTP.
-You will need a certificate and private key from a certificate
-authority. An article on making a certificate signing request and
-getting it signed is here:
-	http://www.debian-administration.org/articles/284
-This is the basic command to generate a CSR.
-	$ openssl req -new -nodes -out fp-facilitator.csr.pem
-The instructions below assume you have an offline private key
-in fp-facilitator.key.pem and a certificate in fp-facilitator.crt.pem.
-
-Make a file containing both the private key and a certificate.
-
-	$ cat fp-facilitator.key.pem fp-facilitator.crt.pem > fp-facilitator.pem
-	$ chmod 400 fp-facilitator.pem
-
-Copy the new fp-facilitator.pem to the facilitator server as
-/etc/apache2/fp-facilitator.pem.
-
-	# /etc/init.d/apache2 restart
-
-=== Email poller setup
-
-The facilitator-email-poller program requires a password that is used to
-log in to the designated Gmail account. See the file gmail-setup.txt for
-instructions on setting up a Gmail account. After you've set up the
-account and have the password, save it to a file reg-email.pass and make
-it not readable or writable by anyone but its owner.
-
-	# chmod 600 /etc/flashproxy/reg-email.pass
-
-Install reg-email.pass to /etc/flashproxy to match what the init script
-expects.
-
-	# update-rc.d facilitator-email-poller defaults
-	# /etc/init.d/facilitator-email-poller start
diff --git a/doc/gmail-setup.txt b/doc/gmail-setup.txt
deleted file mode 100644
index b51ce90..0000000
--- a/doc/gmail-setup.txt
+++ /dev/null
@@ -1,61 +0,0 @@
-These are instructions for setting up a Gmail account for use with the
-email-based rendezvous and flashproxy-reg-email. These instructions were
-current as of May 2013.
-
-You may have trouble if you are using Tor to create the account, for two
-reasons. The first is that exit nodes are a source of abuse and Google
-is more suspicious of them. The second is that Gmail is suspicious and
-can lock you out of the account when your IP address is changing. While
-setting up the account, use a single node in your torrc ExitNodes
-configuration. Choose a U.S. exit node, one with low bandwidth.
-
-Go to https://mail.google.com/. Allow JavaScript to run (even from
-youtube.com; it seems to be necessary). Click the "CREATE AN ACCOUNT"
-button.
-
-Enter the account details. You don't need to fill in "Your current email
-address". Enter a mobile phone number for later activation of two-factor
-authentication. Solve the captcha. Click "Next Step". You may have to do
-a phone SMS verification here.
-
-At this point the Gmail account is created. If you are pushed into
-joining Google+, close everything out and go back to
-https://mail.google.com/.
-
-Log out of the account and then back in again. There will be new text in
-the lower right reading "Last account activity". Click "Details" and
-turn off the unusual activity alerts. This will keep you from getting
-locked out when you come from different IP addresses. At this point you
-should remove the temporary ExitNodes configuration from torrc.
-
-Add a filter to prevent registrations from being marked as spam. Click
-on the gear icon and select "Settings". Select "Filters" then "Create a
-new filter". For "Has the words" type "in:spam", then "Create filter
-with this search". There will be a warning that filters using "in:" will
-never match incoming mail; this appears to be false and you can just
-click OK. Check "Never send it to Spam" and click "Create filter".
-
-Enable IMAP. Click the gear icon, then "Settings", then "Forwarding and
-POP/IMAP".
-	* Disable POP
-	* Enable IMAP
-	* Auto-Expunge on
-Click "Save Changes".
-
-Enable two-factor authentication. We do this not so much for the
-two-factor, but because it allows creating an independent password that
-is used only for IMAP and does not have access to the web interface of
-Gmail. Click the email address in the upper right, then "Account". Click
-"Security". By "2-step verification" click "Edit". Click through until
-it lets you set up. The phone number you provided when the account was
-created will be automatically filled in. Choose "Text message (SMS)"
-then click "Send code". Get your text message, type it in, and hit
-"Verify". Uncheck "Trust this computer" on the next screen. Finally
-"Confirm". On the following summary page, click "Show backup codes" and
-save the codes to encrypted storage. Future codes can be generated at
-https://www.google.com/accounts/SmsAuthConfig.
-
-Still on the 2-step summary page, click "Manage application-specific
-passwords". Enter "IMAP" for the name and click "Generate password".
-Save the password to encrypted storage. This is the password that will
-be used with the --pass option of facilitator-email-poller.
diff --git a/facilitator/appengine/README b/facilitator/appengine/README
new file mode 100644
index 0000000..00d0611
--- /dev/null
+++ b/facilitator/appengine/README
@@ -0,0 +1,11 @@
+This is the server-side code that runs on Google App Engine for the
+"appspot" registration method.
+
+See doc/appengine-howto.txt for information about setting up an
+application.
+
+To run with the development server:
+$ ~/google_appengine/dev_appserver.py appengine/
+
+To upload a new version:
+$ torify ~/google_appengine/appcfg.py update appengine/
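Review bot: the relative paths in this README silently change meaning with the move and should be stated explicitly: "See doc/appengine-howto.txt" and the two commands that pass "appengine/" as the application directory only resolve when the working directory is facilitator/, whereas before the move they resolved from the repository root. Suggest either saying "run from the facilitator/ directory" once at the top, or writing the paths relative to the repository root, e.g. "$ ~/google_appengine/dev_appserver.py facilitator/appengine/".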
diff --git a/facilitator/appengine/app.yaml b/facilitator/appengine/app.yaml
new file mode 100644
index 0000000..3b99ada
--- /dev/null
+++ b/facilitator/appengine/app.yaml
@@ -0,0 +1,9 @@
+application: fp-reg-a
+version: 1
+runtime: go
+api_version: go1
+
+handlers:
+- url: /.*
+  script: _go_app
+  secure: always
diff --git a/facilitator/appengine/fp-reg.go b/facilitator/appengine/fp-reg.go
new file mode 100644
index 0000000..d4f84c2
--- /dev/null
+++ b/facilitator/appengine/fp-reg.go
@@ -0,0 +1,54 @@
+package fp_reg
+
+import (
+	"io"
+	"net"
+	"net/http"
+	"path"
+
+	"appengine"
+	"appengine/urlfetch"
+)
+
+const BASE = "https://fp-facilitator.org/reg/"
+
+func robotsTxtHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Write([]byte("User-agent: *\nDisallow:\n"))
+}
+
+func ipHandler(w http.ResponseWriter, r *http.Request) {
+	remoteAddr := r.RemoteAddr
+	if net.ParseIP(remoteAddr).To4() == nil {
+		remoteAddr = "[" + remoteAddr + "]"
+	}
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.Write([]byte(remoteAddr))
+}
+
+func regHandler(w http.ResponseWriter, r *http.Request) {
+	dir, blob := path.Split(path.Clean(r.URL.Path))
+	if dir != "/reg/" {
+		http.NotFound(w, r)
+		return
+	}
+	client := urlfetch.Client(appengine.NewContext(r))
+	resp, err := client.Get(BASE + blob)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	for key, values := range resp.Header {
+		for _, value := range values {
+			w.Header().Add(key, value)
+		}
+	}
+	w.WriteHeader(resp.StatusCode)
+	io.Copy(w, resp.Body)
+}
+
+func init() {
+	http.HandleFunc("/robots.txt", robotsTxtHandler)
+	http.HandleFunc("/ip", ipHandler)
+	http.HandleFunc("/reg/", regHandler)
+}
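Review bot: regHandler never closes the upstream response body; after "resp, err := client.Get(BASE + blob)" add "defer resp.Body.Close()" so the urlfetch connection is released even when the copy fails, and check (or at least log) the error returned by "io.Copy(w, resp.Body)", which is currently discarded. The header loop also forwards every upstream header to the client verbatim, including hop-by-hop and framing headers (Connection, Transfer-Encoding, Set-Cookie); an allowlist of the headers a registration response actually needs, or at minimum skipping the hop-by-hop set, is the usual proxy practice. Minor: the bracket logic in ipHandler depends on App Engine populating r.RemoteAddr with a bare address; under stock net/http RemoteAddr is host:port and net.ParseIP returns nil for every request, so a comment noting the App Engine assumption would help anyone reusing this code. These issues are carried over unchanged from the deleted copy (same blob d4f84c2), but a move is a cheap moment to fix them.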
diff --git a/facilitator/doc/appengine-howto.txt b/facilitator/doc/appengine-howto.txt
new file mode 100644
index 0000000..44c5324
--- /dev/null
+++ b/facilitator/doc/appengine-howto.txt
@@ -0,0 +1,56 @@
+These are instructions for how to set up a Google App Engine application
+to run at appspot.com.
+
+General links:
+https://developers.google.com/appengine/
+https://developers.google.com/appengine/docs/whatisgoogleappengine
+https://developers.google.com/appengine/docs/go/gettingstarted/
+
+You first need to create a Google account. See gmail-howto.txt for how
+to do that.
+
+Download the SDK:
+https://developers.google.com/appengine/docs/go/gettingstarted/devenvironment
+
+Write your program and app.yaml file:
+https://developers.google.com/appengine/docs/go/gettingstarted/helloworld
+
+When you're ready to upload, log in with your Google account and follow
+the directions:
+https://appengine.google.com/
+https://developers.google.com/appengine/docs/go/gettingstarted/uploading
+
+Enter an application ID and create the application.
+
+Use the appcfg.py program to upload the program. It should look
+something like this:
+
+$ torify ./google_appengine/appcfg.py update myapp/
+07:25 PM Host: appengine.google.com
+07:25 PM Application: application-id; version: 1
+07:25 PM
+Starting update of app: application-id, version: 1
+07:25 PM Getting current resource limits.
+Email: xxx at gmail.com
+Password for xxx at gmail.com:
+07:26 PM Scanning files on local disk.
+07:26 PM Cloning 2 application files.
+07:26 PM Uploading 1 files and blobs.
+07:26 PM Uploaded 1 files and blobs
+07:26 PM Compilation starting.
+07:26 PM Compilation: 1 files left.
+07:26 PM Compilation completed.
+07:26 PM Starting deployment.
+07:26 PM Checking if deployment succeeded.
+07:26 PM Deployment successful.
+07:26 PM Checking if updated app version is serving.
+07:26 PM Completed update of app: application-id, version: 1
+
+Uploading the program in this way seems to create the files
+~/.appcfg_nag and ~/.appcfg_cookies. Running the update command again
+doesn't require you to enter your password again.
+
+Once logged in, you can disable logging for the application. Click
+"Logs" on the left panel. Under "Total Logs Storage", click "Change
+Settings". Enter "0" in the "days of logs" box and click "Save
+Settings".
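Review bot: the cross-reference "See gmail-howto.txt for how to do that" points at a file that does not exist in either the old or the new tree; the file moved alongside this one in the same commit is doc/gmail-setup.txt, and facilitator-howto.txt refers to it by that name, so this should read gmail-setup.txt rather than carrying the stale name to the new path.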
diff --git a/facilitator/doc/facilitator-howto.txt b/facilitator/doc/facilitator-howto.txt
new file mode 100644
index 0000000..8bafce9
--- /dev/null
+++ b/facilitator/doc/facilitator-howto.txt
@@ -0,0 +1,199 @@
+This document describes how to run a flash proxy facilitator on Debian 7.
+We will use the domain name fp-facilitator.example.com.
+
+== Overview
+
+The facilitator consists of a backend server that is essentially a
+dynamic database of client addresses, as well as helper programs that
+receive client registrations from the Internet over various means and
+pass them to the backend. There are three supported helper rendezvous
+methods: HTTP, URL, and email.
+
+The HTTP rendezvous uses an HTTP server and a CGI program. The HTTP
+server is responsible for speaking TLS and invoking the CGI program. The
+CGI program receives client registrations and proxy requests for
+clients, parses them, and forwards them to the backend. We use Apache 2
+as the HTTP server. The CGI script is facilitator.cgi. The backend is
+facilitator.
+
+The email rendezvous uses the helper program facilitator-email-poller.
+Clients use the flashproxy-reg-email program to send an encrypted
+message to a Gmail address. The poller constantly checks for new
+messages and forwards them to facilitator-reg.
+
+facilitator-reg is a simple program that forwards its standard input to
+a locally running facilitator-reg-daemon process.
+
+facilitator-reg-daemon accepts connections containing encrypted client
+registrations and forwards them to the facilitator. It exists as a
+process of its own so that only one program requires access to the
+facilitator's private key.
+
+The URL rendezvous uses the helper program flashproxy-reg-email. The
+helper program doesn't actually make a registration; rather, it prints
+out a URL which, when retrieved, makes the registration.
+
+fac.py is a Python module containing code common to the various
+facilitator programs.
+
+== Basic and security setup
+
+Install some essential packages and configure a firewall.
+
+	# cat >/etc/apt/apt.conf.d/90suggests<<EOF
+APT::Install-Recommends "0";
+APT::Install-Suggests "0";
+EOF
+	# apt-get remove portmap
+	# apt-get update
+	# apt-get upgrade
+	# apt-get install shorewall shorewall6
+
+Away from the facilitator, generate an SSH key for authentication:
+
+	$ ssh-keygen -f ~/.ssh/fp-facilitator
+	$ ssh-copy-id -i ~/.ssh/fp-facilitator.pub root at fp-facilitator.example.com
+
+Then log in and edit /etc/ssh/sshd_config to disable password
+authentication:
+
+	PasswordAuthentication no
+
+Configure the firewall to allow only SSH and HTTPS.
+
+	# cd /etc/shorewall
+	# cp /usr/share/doc/shorewall/examples/Universal/{interfaces,policy,rules,zones} .
+	Edit /etc/shorewall/rules:
+SECTION NEW
+SSH(ACCEPT)	net	$FW
+HTTPS(ACCEPT)	net	$FW
+
+	# cd /etc/shorewall6
+	# cp /usr/share/doc/shorewall6/examples/Universal/{interfaces,policy,rules,zones} .
+	Edit /etc/shorewall6/rules:
+SECTION NEW
+SSH(ACCEPT)	all	$FW
+HTTPS(ACCEPT)	all	$FW
+
+Edit /etc/default/shorewall and /etc/default/shorewall6 and set
+
+	startup=1
+
+Restart servers.
+
+	# /etc/init.d/ssh restart
+	# /etc/init.d/shorewall start
+	# /etc/init.d/shorewall6 start
+
+== Facilitator program installation
+
+Create the user the daemons will run as.
+
+	# useradd --shell /usr/sbin/nologin --system --home /nonexistent -M facilitator-nobody
+
+Install the programs.
+
+	# cd
+	# apt-get install git python-m2crypto make
+	# git clone https://git.torproject.org/flashproxy.git
+	# cd flashproxy/facilitator
+	# make install
+
+This installs facilitator.cgi, facilitator, facilitator-email-poller,
+facilitator-reg-daemon, facilitator-reg, and fac.py to /usr/local/bin.
+It also installs System V init files to /etc/init.d/.
+
+=== Registration daemon setup
+
+The facilitator-reg-daemon program requires a private RSA key (used to
+decrypt encrypted client registrations).
+
+	# mkdir /etc/flashproxy
+	# openssl genrsa -out /etc/flashproxy/reg-daemon.key 2048
+	# chmod 600 /etc/flashproxy/reg-daemon.key
+	# openssl rsa -pubout < /etc/flashproxy/reg-daemon.key > reg-daemon.pub
+
+You will have to edit flashproxy-reg-email and copy the contents of
+reg-daemon.pub into the appropriate place.
+
+Install reg-daemon.key /etc/flashproxy to match what the init script
+expects.
+
+=== Init script setup
+
+	# update-rc.d facilitator defaults
+	# /etc/init.d/facilitator start
+	# update-rc.d facilitator-reg-daemon defaults
+	# /etc/init.d/facilitator-reg-daemon start
+
+== HTTP server setup
+
+Apache is the web server that runs the CGI program.
+
+	# apt-get install apache2 libapache2-mod-evasive
+	# a2enmod ssl headers
+
+Edit /etc/apache2/ports.conf and comment out the port 80 configuration.
+
+	# NameVirtualHost *:80
+	# Listen 80
+
+Create a new file /etc/apache2/sites-available/fp-facilitator with
+these contents:
+	MaxClients 256
+	<VirtualHost *:443>
+		ServerName fp-facilitator.example.com
+		DocumentRoot /dev/null
+		ScriptAliasMatch ^(.*) /usr/local/bin/facilitator.cgi$1
+		CustomLog /dev/null common
+		ErrorLog ${APACHE_LOG_DIR}/error.log
+		LogLevel warn
+		SSLEngine on
+		SSLCertificateFile /etc/apache2/fp-facilitator.pem
+		SSLCertificateChainFile /etc/apache2/intermediate.pem
+		Header add Strict-Transport-Security "max-age=15768000"
+	</VirtualHost>
+intermediate.pem is a possible intermediate certificate file provided by
+the CA; if you did not get one, then leave off the
+SSLCertificateChainFile line.
+
+Link the configured site into sites-enabled.
+	# a2ensite fp-facilitator
+
+=== HTTPS setup
+
+The HTTP server should serve only over HTTPS and not unencrypted HTTP.
+You will need a certificate and private key from a certificate
+authority. An article on making a certificate signing request and
+getting it signed is here:
+	http://www.debian-administration.org/articles/284
+This is the basic command to generate a CSR.
+	$ openssl req -new -nodes -out fp-facilitator.csr.pem
+The instructions below assume you have an offline private key
+in fp-facilitator.key.pem and a certificate in fp-facilitator.crt.pem.
+
+Make a file containing both the private key and a certificate.
+
+	$ cat fp-facilitator.key.pem fp-facilitator.crt.pem > fp-facilitator.pem
+	$ chmod 400 fp-facilitator.pem
+
+Copy the new fp-facilitator.pem to the facilitator server as
+/etc/apache2/fp-facilitator.pem.
+
+	# /etc/init.d/apache2 restart
+
+=== Email poller setup
+
+The facilitator-email-poller program requires a password that is used to
+log in to the designated Gmail account. See the file gmail-setup.txt for
+instructions on setting up a Gmail account. After you've set up the
+account and have the password, save it to a file reg-email.pass and make
+it not readable or writable by anyone but its owner.
+
+	# chmod 600 /etc/flashproxy/reg-email.pass
+
+Install reg-email.pass to /etc/flashproxy to match what the init script
+expects.
+
+	# update-rc.d facilitator-email-poller defaults
+	# /etc/init.d/facilitator-email-poller start
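Review bot: the Overview names flashproxy-reg-email as the helper for two different rendezvous methods, the email one ("Clients use the flashproxy-reg-email program to send an encrypted message to a Gmail address") and the URL one ("The URL rendezvous uses the helper program flashproxy-reg-email ... prints out a URL which, when retrieved, makes the registration"); one of the two names must be wrong and should be corrected. Smaller points in the same file: "Install reg-daemon.key /etc/flashproxy" is missing "to"; in the email poller section the "chmod 600 /etc/flashproxy/reg-email.pass" step appears before the instruction to install the file there, so the two should be swapped; and the shorewall6 rules use "all" as the source zone where the shorewall rules use "net", which deserves a comment if the asymmetry is intentional.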
diff --git a/facilitator/doc/gmail-setup.txt b/facilitator/doc/gmail-setup.txt
new file mode 100644
index 0000000..b51ce90
--- /dev/null
+++ b/facilitator/doc/gmail-setup.txt
@@ -0,0 +1,61 @@
+These are instructions for setting up a Gmail account for use with the
+email-based rendezvous and flashproxy-reg-email. These instructions were
+current as of May 2013.
+
+You may have trouble if you are using Tor to create the account, for two
+reasons. The first is that exit nodes are a source of abuse and Google
+is more suspicious of them. The second is that Gmail is suspicious and
+can lock you out of the account when your IP address is changing. While
+setting up the account, use a single node in your torrc ExitNodes
+configuration. Choose a U.S. exit node, one with low bandwidth.
+
+Go to https://mail.google.com/. Allow JavaScript to run (even from
+youtube.com; it seems to be necessary). Click the "CREATE AN ACCOUNT"
+button.
+
+Enter the account details. You don't need to fill in "Your current email
+address". Enter a mobile phone number for later activation of two-factor
+authentication. Solve the captcha. Click "Next Step". You may have to do
+a phone SMS verification here.
+
+At this point the Gmail account is created. If you are pushed into
+joining Google+, close everything out and go back to
+https://mail.google.com/.
+
+Log out of the account and then back in again. There will be new text in
+the lower right reading "Last account activity". Click "Details" and
+turn off the unusual activity alerts. This will keep you from getting
+locked out when you come from different IP addresses. At this point you
+should remove the temporary ExitNodes configuration from torrc.
+
+Add a filter to prevent registrations from being marked as spam. Click
+on the gear icon and select "Settings". Select "Filters" then "Create a
+new filter". For "Has the words" type "in:spam", then "Create filter
+with this search". There will be a warning that filters using "in:" will
+never match incoming mail; this appears to be false and you can just
+click OK. Check "Never send it to Spam" and click "Create filter".
+
+Enable IMAP. Click the gear icon, then "Settings", then "Forwarding and
+POP/IMAP".
+	* Disable POP
+	* Enable IMAP
+	* Auto-Expunge on
+Click "Save Changes".
+
+Enable two-factor authentication. We do this not so much for the
+two-factor, but because it allows creating an independent password that
+is used only for IMAP and does not have access to the web interface of
+Gmail. Click the email address in the upper right, then "Account". Click
+"Security". By "2-step verification" click "Edit". Click through until
+it lets you set up. The phone number you provided when the account was
+created will be automatically filled in. Choose "Text message (SMS)"
+then click "Send code". Get your text message, type it in, and hit
+"Verify". Uncheck "Trust this computer" on the next screen. Finally
+"Confirm". On the following summary page, click "Show backup codes" and
+save the codes to encrypted storage. Future codes can be generated at
+https://www.google.com/accounts/SmsAuthConfig.
+
+Still on the 2-step summary page, click "Manage application-specific
+passwords". Enter "IMAP" for the name and click "Generate password".
+Save the password to encrypted storage. This is the password that will
+be used with the --pass option of facilitator-email-poller.
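Review bot: the closing paragraph says the application-specific password "will be used with the --pass option of facilitator-email-poller", while facilitator-howto.txt has the init script read it from /etc/flashproxy/reg-email.pass with mode 600; a sentence here pointing at that file and its permissions would keep the two documents in agreement and avoid the password ending up on a command line where it is visible in the process list.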