mirror.mdwn 9.54 KB
Newer Older
Tails developers's avatar
Tails developers committed
1
[[!meta title="Set up a Tails mirror"]]
2

3
4
<div id="intro">

5
<p>Setting up a Tails BitTorrent or HTTP mirror helps Tails users
6
downloading it faster and more reliably.</p>
7
8
9

[[!toc levels=2]]

10
11
</div>

12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
BitTorrent
==========

It's really easy to help Tails users downloading it over BitTorrent...
especially if you are already a BitTorrent user.

1. Get the latest BitTorrent files
----------------------------------

Here are the latest available BitTorrent files:

[[!map pages="torrents/files/*.torrent"]]

2. Share Tails images
---------------------

Feed your preferred BitTorrent client with the `.torrent` files
downloaded at the previous step. Make sure you open and/or forward the
needed ports in your router and/or firewall configuration so that you
are a real seed.

3. Stay tuned!
--------------

As a contributor to Tails availability over BitTorrent, it is very
important you share the very latest published version, and only this
one: users need to be able to quickly download it and upgrade when we
release security fixes, and there is no need to help propagate
outdated versions with security flaws.

Tails developers's avatar
Tails developers committed
42
43
44
45
A way to do this is to configure software to [[automatically download
and seed Tails over
BitTorrent|contribute/how/mirror/automatically_download_and_seed_Tails_over_BitTorrent]].

46
47
Else, new versions are announced on:

48
* our [[news list|about/contact#amnesia-news]]
Tails developers's avatar
Tails developers committed
49
50
* our <a href='/torrents/rss/index.rss'>RSS</a> and
  <a href='/torrents/rss/index.atom'>Atom</a> feeds that announce new available
51
  BitTorrent files.
52

Tails developers's avatar
Tails developers committed
53
54
<a id="http"></a>

55
56
57
58
59
HTTP
====

To efficiently help Tails users downloading it over HTTP, one needs to
have sufficiently privileged access to a web server with decent
60
61
bandwidth: a domestic DSL connection won't help; neither will a shared
web hosting setup that provides FTP access only.
62

63
To give you an idea, a few dedicated Mb/s is a must; you must expect
emma peel's avatar
emma peel committed
64
pushing at least **50-100GB** [[!wikipedia GiB]] (bytes, not bits) on
65
a normal day, and twice as much for a short period after each release.
emma peel's avatar
emma peel committed
66
67
So, it is a must to be able to push **at least 5 [[!wikipedia TiB]]**
a month, and **preferably 6 or 8 TiB**.
68

emma peel's avatar
emma peel committed
69
You will also need around **5-10 GiB** of disk space.
70

71
72
If you satisfy these practical requirements, please read on!
Else, please consider seeding Tails images over BitTorrent instead.
73

74
Before starting doing any real work on this topic, please get in touch
75
(<tails@boum.org>, [[OpenPGP key|doc/about/openpgp_keys#private]]) and send us
76
77
your OpenPGP public key, so that any further communication between us
can be properly encrypted and authenticated.
78

79
The big picture
80
81
------------------

intrigeri's avatar
intrigeri committed
82
83
84
All downloads are currently served from a DNS Round Robin pool for the
`dl.amnesia.boum.org` host. But we are transitioning away from this
model (see the [[blueprint|blueprint/HTTP_mirror_pool]] for details).
intrigeri's avatar
intrigeri committed
85
86
This documentation is mainly about the setup we are migrating to, even
though most of it also works with the current setup.
87
88

Every HTTP mirror makes our files available under a fixed URL
89
(e.g. `http://dl.amnesia.boum.org/tails/` or `https://yourdomain.org/pub/tails/`)
90
that contains per-version sub-directories (such as
91
92
`http://dl.amnesia.boum.org/tails/stable/tails-i386-lenny-0.6.2/`).

93
94
Pick a hostname for your mirror
-------------------------------
95
96
97
98
99
100
101
102
103
104
105
106
107

Your web server needs to answer requests sent to `dl.amnesia.boum.org`
(for compatibility with our current legacy mirror pool setup).
But that's not all: to be compatible with our upcoming mirror pool
setup, your web server also needs to answer HTTP requests sent to
a _dedicated_ hostname that is unique, within our mirror pool, to
your mirror.

There are two ways to pick that dedicated hostname:

1. Use a hostname of your choice, under a domain you control.
   For example, if you control `example.com`, you can call your Tails
   mirror `tails.example.com`. This is, by far, our preferred option:
intrigeri's avatar
intrigeri committed
108
   * it allows you to maintain that DNS record yourself, e.g. whenever you
109
110
111
112
113
114
     need to update your mirror's IP address;
   * it saves us a lot of work :)

2. Use a hostname of our choice, under `dl.amnesia.boum.org` (e.g.
   you may get `142.dl.amnesia.boum.org`). To do so, at the end of
   this set of instructions, when it's time to ask us to add your
intrigeri's avatar
intrigeri committed
115
116
   mirror to the pool, also ask us to create a dedicated hostname
   for you.
117

118
119
120
121
122
123
124
125
126
127
Manual set up
-------------------------

<div class="tip">
If you are using [[!wikipedia Puppet_(software) desc="Puppet"]] to configure
your server infrastructure, consider using the available [[HTTP mirror Puppet
module|mirror#http-puppet]].
</div>

### 1. Set up your web server
128

intrigeri's avatar
intrigeri committed
129
Set up a virtual host for the hostname chosen at the
130
previous step. The virtual host will need to
131
have indexing enabled and [[!wikipedia HTTP_ETag desc="ETags"]] disabled.
132

133
Please consider serving files over HTTPS. To be helpful in our
134
135
context, this requires a certificate that is considered valid by
mainstream web browsers; you can get such a certificate free of charge,
136
from [Let's Encrypt](https://letsencrypt.org/) for example.
137

138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
#### Apache configuration example using your own domain

	<VirtualHost YOUR_WEBSERVER_IP:80>
	   ServerName yourdomain.org
	   ServerAlias dl.amnesia.boum.org
	   ServerAlias *.dl.amnesia.boum.org
	   ServerAdmin YOUR_EMAIL

	   DocumentRoot /var/www/YOUR_PATH/
	   <Directory /var/www/YOUR_PATH/>
	      Options Indexes
	      FileETag None
	      AllowOverride None
	      IndexIgnore README.html
	      IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=50
	      IndexOrderDefault Descending Date
	   </Directory>
	</VirtualHost>

And if you want to enable HTTPS:
158
159
160
161
162

	<VirtualHost YOUR_WEBSERVER_IP:80>
	   ServerName yourdomain.org
	   ServerAlias dl.amnesia.boum.org
	   ServerAlias *.dl.amnesia.boum.org
163
	   RewriteEngine On
164
	   RewriteRule ^/?(.*) https://%{SERVER_NAME}/pub/$1 [R=permanent,L]
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
	</VirtualHost>

	<VirtualHost YOUR_WEBSERVER_IP:443>
	   ServerName yourdomain.org
	   ServerAdmin YOUR_EMAIL

	   SSLEngine on
	   SSLCertificateFile /etc/apache2/ssl/apache.crt
	   SSLCertificateKeyFile /etc/apache2/ssl/apache.key

	   DocumentRoot /var/www/YOUR_PATH/
	   <Directory /var/www/YOUR_PATH/>
	      Options Indexes
	      FileETag None
	      AllowOverride None
	      IndexIgnore README.html
	      IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=50
	      IndexOrderDefault Descending Date
	   </Directory>
	</VirtualHost>

186
<div class="tip">
Ulrike Uhlig's avatar
Ulrike Uhlig committed
187
You can harden this configuration using the
188
189
190
191
<a href="https://mozilla.github.io/server-side-tls/ssl-config-generator/">
Mozilla SSL Configuration Generator</a>.
</div>

192
193
194
#### Apache configuration example using a hostname under dl.amnesia.boum.org

	<VirtualHost YOUR_WEBSERVER_IP:80>
intrigeri's avatar
intrigeri committed
195
	   ServerName dl.amnesia.boum.org
196
197
198
199
200
201
202
203
204
205
206
207
208
209
	   ServerAlias *.dl.amnesia.boum.org
	   ServerAdmin YOUR_EMAIL

	   DocumentRoot /var/www/YOUR_PATH/
	   <Directory /var/www/YOUR_PATH/>
	      Options Indexes
	      FileETag None
	      AllowOverride None
	      IndexIgnore README.html
	      IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=50
	      IndexOrderDefault Descending Date
	   </Directory>
	</VirtualHost>

210
#### Lighttpd configuration example
211

212
	static-file.etags = "disable"
213
	$HTTP["host"] =~ "^(\d+\.)?dl\.amnesia\.boum\.org$" {
sajolida's avatar
sajolida committed
214
		server.document-root = "/var/www/YOUR_PATH/"
215
216
217
		server.dir-listing = "enable"
	}

218
#### nginx configuration example
219
220

	server {
221
		server_name dl.amnesia.boum.org *.dl.amnesia.boum.org;
222
		etag off;
sajolida's avatar
sajolida committed
223
		root /var/www/YOUR_PATH;
224
225
226
227
228
		location / {
			autoindex on;
		}
	}

229
### 2. Download the files
230
231
232

Download a snapshot of the current Tails files:

233
	rsync -rt --delete \
sajolida's avatar
sajolida committed
234
	         rsync.torproject.org::amnesia-archive /var/www/YOUR_PATH/
235

236
237
238
239
If you have disk space limitations, you might want to exclude the
`/tails/obsolete` folder (which contains old versions of Tails) from the
download:

240
	rsync -rt --delete --exclude=/tails/obsolete --delete-excluded \
sajolida's avatar
sajolida committed
241
	         rsync.torproject.org::amnesia-archive /var/www/YOUR_PATH/
242

243
### 3. Schedule the pulling of the files
244

sajolida's avatar
sajolida committed
245
Your mirror should sync every hour + 15 minutes (at 00:15, 01:15, 02:15, etc.).
246
247
Use `cron` or equivalent to schedule the same `rsync` command
as above.
248

sajolida's avatar
sajolida committed
249
    15 * * * * root rsync -rt --delete rsync.torproject.org::amnesia-archive /var/www/YOUR_PATH/
250

251
252
You can now [[ask for your mirror to be added to the pool|mirror#http-pool]].

253
254
<a id="http-puppet"></a>

intrigeri's avatar
intrigeri committed
255
Set up with Puppet
256
257
-----------------

258
It is assumed that Puppet is already installed and configured to function well
259
260
for your infrastructure.

261
### 1. Clone the `tails` Puppet module
262

263
Clone the module inside the puppet modules' directory of your puppetmaster. On
264
265
266
267
268
269
270
271
272
273
274
275
276
277
Debian, this directory should be `/etc/puppet/modules`.

     git clone https://git-tails.immerda.ch/puppet-tails /etc/puppet/modules/tails

### 2. Use the tails::mirror class

On a node where you wish setup the mirror you should include the class like

     include tails::mirror

If you need to adjust any parameters of the class, you should declare it like

     class { 'tails::mirror':
       webserver   => 'apache2',
278
       server_name => 'tails.example.com',
279
280
281
282
283
       mirror_path => '/srv/tails/mirror',
     }

#### Configurable parameters

284
285
See the documentation on top of
[the module](https://git-tails.immerda.ch/puppet-tails/tree/manifests/mirror.pp).
286

287
288
<a id="http-pool"></a>

intrigeri's avatar
intrigeri committed
289
290
Go wild: ask for your mirror to be added to the pool
----------------------------------------------------
291
292

As soon as your web server is ready, please e-mail us its IP address
intrigeri's avatar
intrigeri committed
293
294
295
296
so that we can add it to the Round Robin pool.

Also, if you decided to use a hostname under `dl.amnesia.boum.org`,
please ask us to create it at the same time.
297
298
299

# Talk to us

300
You can subscribe to [[tails-dev@boum.org|about/contact#tails-dev]],
sajolida's avatar
sajolida committed
301
our development mailing list.