updated README

main
fuzzykitten 2025-02-14 09:49:39 -05:00
parent 67f7cca0d8
commit b76a10f59c
1 changed files with 70 additions and 53 deletions

README.md

@ -1,4 +1,4 @@
Description
##Description
endboard is a textboard, intented for the use as a small service on tor
or i2p. It was written with the goal of anonymity and security, both for
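Review bot: `##Description` needs a space after the hashes to be a heading in CommonMark; without it the line renders as the literal text `##Description`, and the same applies to every `##` and `###` heading added in this patch. Suggest `## Description` here and the same fix throughout; the context line `intented for the use as a small service` could also be corrected to `intended for use as a small service` while the section is being touched.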
@ -6,18 +6,18 @@ the users and the admin.
Some things work differently in the darknets, and the code needs
to reflect this. I developed endboard based on the codebase of smolBBS
(see below) for my site terminus.i2p. Basically I wanted something
lightweight* that would work on both tor and i2p and be easy
lightweight (1*) that would work on both tor and i2p and be easy
to setup (without an external database). I guess the big time of forums
and boards is over (making way for TikTok), anyway I couldn't find
anything that really suited me.
smolBBS came close at least in the approach, so I started from there.
*lightweight in terms of ease of installation and maintenance.
(1*) lightweight in terms of ease of installation and maintenance.
Code minification was a target in the beginning, but I had to give it up
to make space for all the features I wanted.
For the users
###For the users
The textboard allows anonymous posting only, and it has no timestamps.
Only one sub is created automatically (main), others can be created by
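Review bot: the footnote marker changed from `*` to `(1*)` on the `lightweight (1*)` line, and its definition line `(1*) lightweight in terms of ease of installation and maintenance.` uses a home-made notation; Markdown footnotes (`[^1]` in the text, `[^1]:` before the definition) render as a real footnote and avoid a bare asterisk being read as emphasis. If the renderer lacks footnote support, plain `(1)` reads cleaner than `(1*)`.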
@ -40,7 +40,7 @@ A simple bbcode dialect can be used to display headlines, bold text,
underlined text, strikethrough text, spoilers and links.
For the admin
###For the admin
All options can be configured in one config file (or two, if the
webserver counts).
@ -67,7 +67,7 @@ unsuccessful logins (if exceeded, the interface will sent
429 - too many requests).
Technical description
###Technical description
endboard is written in php and works with the versions 7 and 8. The
modules used are php-mbstring, php-json, php-fpm and php-sqlite3.
@ -86,20 +86,23 @@ working files to /var, the actual website to /srv).
Custom paths can be used, but will need adaption of config file
and/or index.php.
Release history:
###Release history:
-0.63 : changed from hash() to password_hash() for passwords, thanks anon.
-0.64 : fixed a bug in destroy_token(), which would not log you out,
* 0.63 : changed from hash() to password_hash() for passwords, thanks anon.
* 0.64 : fixed a bug in destroy_token(), which would not log you out,
although claiming to do so
-0.65 : introduced new function filter(), to get rid of lenghty
* 0.65 : introduced new function filter(), to get rid of lenghty
substr(preg_replace constructions
fixed a bug in check_free_space()
minor optimizations (like empty instead of isset)
-0.66 : put in some additional safety for the admin & mod tokens_
-0.67 : fixed two embarrassing bugs that prevented the admin and the mods
* 0.66 : put in some additional safety for the admin & mod tokens_
* 0.67 : fixed two embarrassing bugs that prevented the admin and the mods
from logging in
* 0.68/0.69/0.70 : various bugfixes and reformatting
* 0.71 : introduction of mobile design (thanks, anon !)
Other features of endboard:
###Other features of endboard:
1) to have pretty urls (means: well readable), the request parameters
are parsed directly from $_SERVER['REQUEST_URI'], instead of using
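Review bot: the continuation lines under the 0.64 and 0.65 entries (`although claiming to do so`, `fixed a bug in check_free_space()`, `minor optimizations (like empty instead of isset)`) are not indented, so Markdown will join them into the preceding `*` bullet as one run-on sentence; indent them by two spaces or turn them into sub-bullets. On the touched lines, `lenghty` should be `lengthy`, `substr(preg_replace` is missing its closing parentheses, and `tokens_` carries a stray trailing underscore. The trailing colon in `###Release history:` and `###Other features of endboard:` is unusual in headings and can be dropped.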
@ -126,25 +129,25 @@ Other features of endboard:
to 'pr0n', but http://terminus.i2p/s/P will lead to 'PP'.
Opsec
##Opsec
Best practises that were followed in the coding of endboard:
###Best practises that were followed in the coding of endboard:
-all user input is checked and filtered before further use
-in particular, all tags are stripped from posted texts
-no javascript, no cookies, no tracking is used anywhere
-config file and database are not in webroot
-all passwords and keys are hashed with the bcrypt function used by php
* all user input is checked and filtered before further use
* in particular, all tags are stripped from posted texts
* no javascript, no cookies, no tracking is used anywhere
* config file and database are not in webroot
* all passwords and keys are hashed with the bcrypt function used by php
password_hash().
(except the keys for the bots, as those are not considered sensitive)
-all interactions with the db take place via prepared statements
-the panels for mods and admins can be disabled in the config file
* all interactions with the db take place via prepared statements
* the panels for mods and admins can be disabled in the config file
Best practises that were _not_ followed in the coding of endboard:
###Best practises that were _not_ followed in the coding of endboard:
-the access to the admin and mod panels (after initial authentification
* the access to the admin and mod panels (after initial authentification
with name/password) is done via a server generated token which is
transmitted in part via links to GET requests.
As such, this is a bad practise because it could enable an attacker to
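Review bot: two spelling errors sit on changed lines: `Best practises` in both headings should be `Best practices`, and `authentification` in the first `*` item of the not-followed list should be `authentication`. The wrapped continuations `password_hash().` and `(except the keys for the bots, as those are not considered sensitive)` under the bcrypt bullet are unindented; they render as lazy continuation of that item, which is acceptable, but indenting them keeps the list readable in source and matches the bullets above.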
@ -174,7 +177,7 @@ Best practises that were _not_ followed in the coding of endboard:
infamous textboard :-).
Changes from smolBBS
##Changes from smolBBS
Almost no original code is left from smolBBS, the leftovers are the
captcha generation and a part of the spam check. I also stayed with the
@ -185,7 +188,7 @@ comparable any longer. Thanks go to sandlind for the initial inspiration
to make a board that is just simple and working.
Installation instructions
##Installation instructions
The following instructions use debian, because I'm lazy. Adapt to your
system if needed. The setup of a tor hidden service or an eepsite is not
@ -194,43 +197,43 @@ instructions already.
The same for securing your server and making sure it doesn't blab.
Update your system and install needed components:
###Update your system and install needed components:
``` apt update && apt upgrade -y && apt install -y php php-json php-mbstring php-sqlite3 php-fpm nginx```
Make directories:
###Make directories:
``` mkdir -p /srv/endboard /etc/opt/endboard /var/opt/endboard```
Distribute files to webroot (from directory of the endboard archive):
###Distribute files to webroot (from directory of the endboard archive):
``` cp -rv ./srv/* /srv/endboard/```
Distribute config file to etc (from directory of the endboard archive):
###Distribute config file to etc (from directory of the endboard archive):
``` cp -v ./etc/config.php /etc/opt/endboard/```
Give ownership of working directory to webserver:
###Give ownership of working directory to webserver:
``` chown -R www-data:www-data /var/opt/endboard```
Copy config file for nginx (from directory of the endboard archive):
###Copy config file for nginx (from directory of the endboard archive):
``` cp ./etc/endboard /etc/nginx/sites-available/```
Edit the two config files according to your needs (at the very least,
define the landing page and the name of the admin account).
Enable the site:
###Enable the site:
``` ln -s /etc/nginx/sites-available/endboard /etc/nginx/sites-enabled/```
Then, test and restart web server:
###Then, test and restart web server:
``` nginx -t && systemctl reload nginx```
First use
###First use
Before you publish your servers address anywhere, open your browser and
go to http://youraddress.i2p/aa (or locally to http://127.0.0.1/aa).
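Review bot: the single-line triple-backtick wrappers around each command (for example the `apt update && apt upgrade -y ...` line) are parsed as inline code spans, not fenced code blocks, so the leading space is kept and long commands do not render as a block; put the opening fence (with `sh`) and the closing fence on their own lines. The seven `###` headings from `###Update your system...` to `###Then, test and restart web server:` are steps of one procedure and read better as a numbered list. One gap in the steps: `/var/opt/endboard` gets `chown -R www-data:www-data`, but nothing sets ownership or mode on `/etc/opt/endboard/config.php`, which the text says holds the admin account name; documenting the intended permissions (readable by the php-fpm user only) would close that. Finally, `nginx -t && systemctl reload nginx` reloads rather than restarts, so the heading should say reload.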
@ -253,7 +256,7 @@ consist of only one letter.
After this procedure, you can disable the admin interface in the config
file, if you want, and only enable it when needed.
Moderators
###Moderators
If enabled in the config file (take_applications), users can apply to be
moderators under:
@ -274,10 +277,10 @@ they are not displayed any longer).
Risks when using endboard:
##Risks when using endboard:
-bugs in the code of endboard, this is still the beta version
-if you run a public server somewhere on the internet, you are
* bugs in the code of endboard, this is still the beta version
* if you run a public server somewhere on the internet, you are
responsible for the content that is posted. Although it is quite
unlikely that you can/will be held accountable (if you do the setup
right), it is still advisable to delete content that is illegal in your
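Review bot: `bugs in the code of endboard, this is still the beta version` on the first `*` item is a comma splice; `bugs in the code of endboard (this is still a beta version)` reads cleaner. The heading `##Risks when using endboard:` also carries a trailing colon, which headings normally omit.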
@ -285,10 +288,10 @@ Risks when using endboard:
If you don't do that, this is on you.
Limits of the endboard software
##Limits of the endboard software
Admin
###Admin
Currently, there is only one admin account, the name of which is defined
in the config file. If the password is lost, it cannot be reset.
@ -303,7 +306,7 @@ Because of the length of the token this approach is very unlikely
to succeed.
Network
###Network
endboard relies on being on a darknet that provides full end-to-end
encryption between client and server (which is the case for both tor
@ -314,7 +317,7 @@ browser and the server. ssl could probably be used for this, but
clearnet is not the usecase anyway, so I will put no work into it.
Traffic
###Traffic
The php and database components of endboard are able to manage a lot of
traffic, by darknet standards. Using sqlite3 is faster than using a
@ -330,7 +333,7 @@ resources play a larger role than the potential waiting time
(but no precise measurements have been done yet).
Captcha
###Captcha
The captcha is simple, and its parameters can be read directly from the
source of the page. A moderately skilled attacker could write a bot that
@ -341,7 +344,17 @@ A postform can still be only used once, and for a limited time,
since it is preloaded with a token.
Log files
###Entry portal
The entry portal works great in general, however, it does not work properly
with lynx. And not properly means actually, not at all, unless lynx is
started a second time (after clicking the portal).
The reason is that lynx does not reload a known address, I could never
find out if this is a bug of lynx, or an intended feature.
Anyway, I will rewrite the code to work around that, but it might take a bit.
###Log files
endboard logs events like deletions, imports, authorization failures and
others to the db. The logs can be viewed on the admin panel, although
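Review bot: the new Entry portal section reads as a draft: `The reason is that lynx does not reload a known address, I could never find out ...` is a comma splice (split into two sentences), and `And not properly means actually, not at all, unless lynx is started a second time` can be folded into the preceding sentence, e.g. `With lynx it does not work at all unless lynx is started a second time (after clicking the portal).` Since this describes a known limitation with a promised workaround, a short note on what the portal is for would help readers who meet the section for the first time here.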
@ -350,14 +363,18 @@ Another option would be to log to /var/log or syslog. Maybe in future
versions.
Display on mobile screens
###Display on mobile screens
For some reason the display on small screens sucks. There is stuff in
the css I have not fully understood yet. I will come to it, but it is of
lower priority to me.
For some reason the display on small screens used to suck. Along came
one anon who made a working proposal. This is the current status, it is
implemented, but still experimental. More work is needed to smooth the
edges.
The mobile site can be found under /mob/. It does not include all the
functions for admins and mods, those should be used with the original
site.
Number of posts, number of subs
###Number of posts, number of subs
The theoretical maximum number of rows in a table is 2^64
(18446744073709551616 or about 1.8e+19). This limit is unreachable since
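Review bot: `This is the current status, it is implemented, but still experimental.` on an added line is a comma splice; `It is implemented but still experimental.` is enough. The section says the mobile site under `/mob/` `does not include all the functions for admins and mods`; stating plainly that the admin and mod panels are only reachable through the original site would save admins from looking for them on `/mob/`.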
@ -372,7 +389,7 @@ like this. A terabyte of text only, that's an assload of posts.
That's as precise as it gets for now.
Changes from earlier versions
##Changes from earlier versions
The code has been almost completely rewritten. A lot of features have
been added, and a lot of bugs were fixed.
@ -382,7 +399,7 @@ All features that resided in other php files in earlier versions have
been put in index.php, this file has grown a lot as a result
(but the code is much better organized and consistent now).
Licence stuff
##Licence stuff
* The writing of the code of endboard started some time ago with another
* software called smolBBS. Although there is almost no original code
@ -421,4 +438,4 @@ Licence stuff
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
* POSSIBILITY OF SUCH DAMAGE.
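Review bot: the removed and added `* POSSIBILITY OF SUCH DAMAGE.` lines are identical in the rendered view, so the only change in this hunk is trailing whitespace or the newline at end of file; worth checking that the file now ends with exactly one newline so the licence block stops appearing in future diffs.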