Goodbye Pidgin+ZNC, hello Weechat+relay!

2016-10-16 - Louis-Philippe Véronneau

Recently my neighbor moved and I lost my LAN access to his server. That also meant I got my own ports 80 & 443 though (we shared internet access).

I use IRC a lot, so one of the first things I did was to move from using his ZNC bouncer with Pidgin to a more "modern" setup using Weechat, Glowing Bear and the Weechat Android app.

I have to say I'm happy with this setup, but there are a few caveats, especially on the security side:

  • Weechat relays send OTR conversations in plaintext to the client
  • Having access to Weechat means you can pwn the server, since you can use the /exec command.

I guess I can live with those for now. I don't see a way to fix the OTR problem other than to have the clients use local OTR keys, and in my opinion, having my private key on Android is way worse.

As for the /exec command, I could always set up a chroot for Weechat to be sure it's not able to run anything, but I'm sure it's a lot of trouble since the relay needs to bind ports, and do other stuff.

Setting up Weechat

There are tons of good guides on how to set up Weechat on the internet and I won't be trying to replace them. I recommend you start with Weechat's Quickstart guide.

The only thing I had a little trouble finding info on was how to set my relay behind Apache. Yes, Weechat does webserver and TLS, but I trust the Apache people much more on that side. Crypto is hard.

So yeah, to achieve that I recommend reading this and adapting it to Apache using that. The result is a relay opened on a firewalled port so no one can connect to it directly, and Apache proxying to it on port 443. That's even better than a simple relay configuration, since you can now access your relay from everywhere without bothering with closed ports.

In the end, my Apache VHost looks like this:

<VirtualHost *:443>
    ServerName foobar.org
    ServerAdmin foo@foobar.org

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Needs mod_proxy and mod_proxy_wstunnel; $port is the firewalled relay port
    ProxyPass / ws://127.0.0.1:$port/
    ProxyPassReverse / ws://127.0.0.1:$port/

    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/foobar.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/foobar.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/foobar.org/chain.pem
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder     on
    SSLCompression          off

    # OCSP Stapling
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
</VirtualHost>

# SSLStaplingCache is only accepted in the global server context, not inside a VirtualHost
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

With that configuration, you can now connect to Weechat with your clients on foobar.org, port 443. Make sure you use an SSL WebSocket connection!
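Since the whole point of this setup is that Apache, not Weechat, is the only thing exposed on the internet, it is worth checking the VHost for the properties the post relies on before reloading Apache. The following linter is an added example (not code from the post, Apache or Weechat): it parses a VirtualHost block and flags legacy TLS versions left enabled, a missing HSTS header, TLS compression, client-chosen cipher order, and a ProxyPass target that is not loopback (which would mean the relay port is reachable without going through Apache). Both sample VHosts and the port 9001 are constructed for the example.

```python
"""Lint an Apache VirtualHost that fronts a WeeChat relay over TLS.

Added example; not part of the original post, Apache or WeeChat.
"""
import re

# Constructed sample: the post's layout with several settings deliberately weakened
WEAK_VHOST = """\
<VirtualHost *:443>
    ServerName foobar.org
    ProxyPass / ws://0.0.0.0:9001/
    ProxyPassReverse / ws://0.0.0.0:9001/
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression on
</VirtualHost>
"""

# Constructed sample: the corrected form, as in the post
HARDENED_VHOST = """\
<VirtualHost *:443>
    ServerName foobar.org
    ProxyPass / ws://127.0.0.1:9001/
    ProxyPassReverse / ws://127.0.0.1:9001/
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCompression off
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r"^(\S+)\s+(.*?)$")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def parse_directives(text):
    """Return (name, args) pairs; comments, blank lines and <tags> are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def lint_relay_vhost(text):
    """Return a sorted list of findings; an empty list means the vhost passes."""
    by_name = {}
    for name, args in parse_directives(text):
        by_name.setdefault(name.lower(), []).append(args)
    findings = []

    if "on" not in [a.lower() for a in by_name.get("sslengine", [])]:
        findings.append("SSLEngine is not on: relay traffic would not be encrypted")

    # Every legacy protocol version has to be excluded explicitly
    proto = " ".join(by_name.get("sslprotocol", [])).split()
    for legacy in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if "-" + legacy not in proto:
            findings.append(f"SSLProtocol does not exclude {legacy}")

    if not any(a.lower().startswith("always set strict-transport-security")
               for a in by_name.get("header", [])):
        findings.append("no HSTS header: a first plain-HTTP visit can be downgraded")

    if "off" not in [a.lower() for a in by_name.get("sslcompression", [])]:
        findings.append("SSLCompression is not off")

    if "on" not in [a.lower() for a in by_name.get("sslhonorcipherorder", [])]:
        findings.append("SSLHonorCipherOrder is not on: the client picks the cipher suite")

    # The relay must only be reachable through Apache, so ProxyPass has to target loopback
    for args in by_name.get("proxypass", []):
        m = re.search(r"(wss|ws|https|http)://([^/:]+)", args)
        if not m:
            findings.append(f"ProxyPass target not understood: {args}")
        elif m.group(2) not in LOOPBACK_HOSTS:
            findings.append(f"ProxyPass target {m.group(2)} is not loopback: relay reachable without Apache")

    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, lint_relay_vhost(cfg) or "OK")
```

The checks are deliberately textual: they catch the mistakes that `apachectl configtest` accepts without complaint, which is exactly the class of error a misplaced or forgotten directive produces.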

Glowing Bear

Glowing Bear is awesome, but the code does a few things I did not want, such as importing Bootstrap and fonts from Cloudflare. Lucky for me, it's just a bunch of JavaScript and HTML, so it's really easy to make local modifications.

I also hardcoded a few things, like the relay hostname and the port my server is on, and a few settings so I don't have to redo them manually each time.
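Before patching a web client like this, it helps to have a list of everything it fetches from somewhere other than your own server, since each of those is a third party that learns when you open your IRC client and can swap the script you run. The following is an added example, not code from the post or from Glowing Bear: it walks an HTML document and reports the scripts, stylesheets, fonts and images loaded from a foreign origin, so you know which assets to copy locally. The sample page and the hosts in it (`cdn.example`, `fonts.example`, `tracker.example`) are constructed.

```python
"""List the third-party origins a web client page loads at runtime.

Added example; not part of the original post or of Glowing Bear.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page: a CSS framework and a font from a CDN, a tracking pixel, and local assets
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example/bootstrap/3.3.7/css/bootstrap.min.css">
<link href="//fonts.example/css?family=Lato" rel="stylesheet">
<link rel="stylesheet" href="css/glowingbear.css">
<script src="js/weechat.js"></script>
<script src="https://cdn.example/angular/1.5.8/angular.min.js"></script>
</head><body>
<img src="img/glowing_bear_128x128.png">
<img src="http://tracker.example/pixel.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>
"""

# Tag -> attribute that makes the browser fetch a resource
FETCH_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src", "source": "src"}


class ExternalAssetFinder(HTMLParser):
    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlsplit(page_origin).netloc  # e.g. "foobar.org"
        self.external = []  # (tag, url) pairs served by another host

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        parts = urlsplit(url)
        if parts.scheme == "data":
            return  # inline data, nothing is fetched
        # Relative URLs have no netloc and resolve to the page's own host;
        # protocol-relative ones (//host/...) do carry a netloc and are caught here
        if parts.netloc and parts.netloc != self.page_host:
            self.external.append((tag, url))


def find_external_assets(html, page_origin):
    """Return the (tag, url) pairs fetched from hosts other than page_origin's."""
    finder = ExternalAssetFinder(page_origin)
    finder.feed(html)
    finder.close()
    return finder.external


def external_hosts(html, page_origin):
    """Distinct third-party hosts, sorted, for a quick review."""
    return sorted({urlsplit(url).netloc for _, url in find_external_assets(html, page_origin)})


if __name__ == "__main__":
    for tag, url in find_external_assets(SAMPLE_HTML, "https://foobar.org"):
        print(f"{tag:6} {url}")
    print("hosts:", external_hosts(SAMPLE_HTML, "https://foobar.org"))
```

Run it against the client's index.html once before you patch and once after, and the second run should come back empty. It only sees what is in the static markup; assets a script pulls in at runtime need the browser's network panel instead.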

One of the things I disliked about the switch from Pidgin to a web client like Glowing Bear was that IRC is now part of my browser. Sometimes I have trouble finding my Glowing Bear instance among the tabs I have open.

I struggled a lot with this, but after a few hours of work I got a neat replacement solution. I'm using:

  • A new Firefox profile just for Glowing Bear
  • A custom Firefox plugin to change the Firefox icon to the Glowing Bear one

This way, I can disable NoScript and save my password in this profile, and use my more secure profile for everything else.

Most of the time I spent on this went into understanding how to change Firefox's icon. I really wanted to use Glowing Bear's icon so I could easily tell my browser and IRC apart, and I had never written a Firefox add-on before.

Using this add-on as a starting point, I was able to boil down a custom add-on to very few files. Only 2 files in fact: a config file and the logo. Here's the tree of the add-on:

└── glowing-bear-icon@veronneau.org
    ├── chrome
    │   └── icons
    │       └── default
    │           └── main-window.png
    └── install.rdf

Here's what the install.rdf file looks like:

<?xml version='1.0' encoding='utf-8'?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
    <Description about="urn:mozilla:install-manifest">
        <em:id>glowing-bear-icon@veronneau.org</em:id>
        <em:version>1.1.0</em:version>
        <em:name>Glowing Bear Icon</em:name>
        <em:description>Changes the main icon for the Glowing Bear one.</em:description>
        <em:creator>pollo</em:creator>
        <em:unpack>true</em:unpack>
        <em:type>2</em:type>
        <em:multiprocessCompatible>true</em:multiprocessCompatible>

        <em:targetApplication>
            <!--Firefox-->
            <Description>
                <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
                <em:minVersion>3.0a1</em:minVersion>
                <em:maxVersion>*</em:maxVersion>
            </Description>
        </em:targetApplication>

    </Description>
</RDF>

Make sure the id is the same as the name of the add-on's main directory, then put the directory in your Firefox profile under /home/$user/.mozilla/firefox/$profile_name/extensions.
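The two things that silently break this kind of add-on are an `<em:id>` that does not match the directory name and an icon that is not where Firefox expects it. Here is an added example (not code from the post or from Mozilla) that builds the two-file layout from the tree above in a temporary directory and checks it: the id against the directory name, that `em:unpack` is still `true` as in the post's manifest, that the manifest targets Firefox's application id, and that the icon exists at `chrome/icons/default/main-window.png`. The add-on id `glowing-bear-icon@example.org` used in the demo is constructed; the Firefox application id is the one from the post's install.rdf.

```python
"""Check a minimal Firefox icon add-on before dropping it into a profile.

Added example; not part of the original post or of Mozilla's tooling.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # from the post's install.rdf
ICON_PATH = os.path.join("chrome", "icons", "default", "main-window.png")

# Constructed manifest template, same shape as the post's install.rdf
INSTALL_RDF = """<?xml version='1.0' encoding='utf-8'?>
<RDF xmlns="{rdf}" xmlns:em="{em}">
    <Description about="urn:mozilla:install-manifest">
        <em:id>{addon_id}</em:id>
        <em:version>1.1.0</em:version>
        <em:name>Glowing Bear Icon</em:name>
        <em:unpack>true</em:unpack>
        <em:type>2</em:type>
        <em:targetApplication>
            <Description>
                <em:id>{app_id}</em:id>
                <em:minVersion>3.0a1</em:minVersion>
                <em:maxVersion>*</em:maxVersion>
            </Description>
        </em:targetApplication>
    </Description>
</RDF>
"""


def build_addon(root, dir_name, addon_id, app_id=FIREFOX_APP_ID, with_icon=True):
    """Create <root>/<dir_name> with install.rdf and optionally the icon; return its path."""
    addon_dir = os.path.join(root, dir_name)
    os.makedirs(os.path.join(addon_dir, os.path.dirname(ICON_PATH)), exist_ok=True)
    with open(os.path.join(addon_dir, "install.rdf"), "w", encoding="utf-8") as fh:
        fh.write(INSTALL_RDF.format(rdf=RDF_NS, em=EM_NS, addon_id=addon_id, app_id=app_id))
    if with_icon:
        # PNG signature only; a real add-on ships the actual logo here
        with open(os.path.join(addon_dir, ICON_PATH), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n")
    return addon_dir


def check_addon(addon_dir):
    """Return a list of problems; an empty list means the layout is consistent."""
    manifest = os.path.join(addon_dir, "install.rdf")
    if not os.path.isfile(manifest):
        return ["install.rdf is missing"]
    desc = ET.parse(manifest).getroot().find(f"{{{RDF_NS}}}Description")
    if desc is None:
        return ["install.rdf has no install-manifest Description"]
    problems = []
    addon_id = desc.findtext(f"{{{EM_NS}}}id")
    dir_name = os.path.basename(addon_dir)
    if addon_id != dir_name:
        problems.append(f"em:id {addon_id!r} does not match directory name {dir_name!r}")
    if desc.findtext(f"{{{EM_NS}}}unpack") != "true":
        problems.append("em:unpack is not true; the post's layout relies on an unpacked add-on")
    targets = [t.findtext(f"{{{RDF_NS}}}Description/{{{EM_NS}}}id")
               for t in desc.findall(f"{{{EM_NS}}}targetApplication")]
    if FIREFOX_APP_ID not in targets:
        problems.append("install.rdf does not target the Firefox application id")
    if not os.path.isfile(os.path.join(addon_dir, ICON_PATH)):
        problems.append(f"icon missing at {ICON_PATH}")
    return problems


def run_demo():
    """Build a correct add-on and a broken one in a temp dir; return both problem lists."""
    tmp = tempfile.mkdtemp(prefix="ff-addon-")
    addon_id = "glowing-bear-icon@example.org"  # constructed id, not the post's
    good = build_addon(tmp, addon_id, addon_id)
    bad = build_addon(tmp, "glowing-bear-icon", addon_id, with_icon=False)  # wrong dir name, no icon
    return check_addon(good), check_addon(bad)


if __name__ == "__main__":
    ok, broken = run_demo()
    print("well-formed add-on:", ok or "no problems")
    print("broken add-on:", broken)
```

Point `check_addon` at the real directory under your profile's `extensions` folder before restarting Firefox; it is much quicker than guessing why the icon did not change.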

Firefox will bug you about the add-on not being signed: disable that feature. It's OK to do this since you won't be installing any other add-on in this profile or using it for anything other than IRC.

If you want to be sure this profile is used for Glowing Bear only, one trick is to set a bogus proxy in Firefox's network settings and whitelist your domain name in the "No proxy for" box.
