Dedicated Server

Armin Burgmeier edited this page Aug 12, 2015 · 13 revisions

Gobby Dedicated Server

The libinfinity package, which is the library the core functionality of Gobby is based on, includes a dedicated Gobby server, which is called infinoted. It is included in the Windows installer at the Download page, and available in all major Linux distributions.

The instructions below target version 0.6 of the infinoted server, which is somewhat different from previous versions due to the introduced plugin infrastructure. For previous versions, please consult the old trac page. To find out which version you are using, see whether your executable binary is called infinoted-0.5 or infinoted-0.6.

Configuration

The infinoted server reads its configuration from a configuration file. The configuration file is searched at in the following directories, in order:

  • /etc/xdg/infinoted.conf
  • $HOME/.config/infinoted.conf

If there exist valid files at more than one locations, then settings in a file further down the list overwrite the corresponding option from a previously loaded file. On Windows, the location for the configuration files are

  • %LOCALAPPDATA%\infinoted.conf

The location of the configuration file can also be overridden with the --config-file command-line parameter. The format of the configuration file is known as GKeyFile format, which is very similar to .ini files on Windows. The main program options must be given in the [infinoted] group. All these options can also be overriden by command line argument with the same name. The following settings are recognized by infinoted:

  • log-file: If set, write the server log to the given file, in addition to stderr.
  • key-file: Specifies the path to the private key of the server for TLS.
  • certificate-file: Specifies the path to the server certificate. Can be the same as key-file if the key and certificate are present in the same file.
  • certificate-chain: If the certificate file does not contain the chain to the root CA certificate, then this option can be used to specify another file that contains the rest of the certificate chain.
  • port: The TCP port number to listen on for incoming connections. The default is port 6523.
  • security-policy: This setting can take one of the three values no-tls, allow-tls or require-tls. If no-tls is used, the key-file, certificate-file, and certificate-chain options are ignored and the server accepts only unsecured connections. If allow-tls or require-tls are used, then key-file and certificate-file must be set to point to the certificate to use for secure connections. While allow-tls still allows clients to make an unsecure connection, the require-tls option enforces the use of Transport Layer Security (TLS) for all connections. If TLS is enabled, infinoted automatically uses Perfect Forward Secrecy (PFS) as well. See the section Secure Connections below for more details on how to set up infinoted for secure connections.
  • root-directory: Points to a directory in which the infinoted server stores the directory tree. The directory is created if it does not exist. When the server is stopped, it makes sure that all documents are stored in this directory, so that when it is started again all data is available in the same state in which it was when the server was shut down. The format in which the files are saved is a custom XML format which not only stores the plain document text but also which user wrote what parts of the text. The default value is $HOME/.infinote.
  • plugins: A semicolon-separated list of additional plugins to load. The infinoted package ships with a number of additional plugins, and it also supports third-party plugins which enhance the server functionality. The plugin infrastructure is discussed the section Plugin Infrastructure below in more detail. The default value is note-text, which loads one plugin called note-text that is responsible for handling text documents. When this value is changed to load additional plugins, the note-text plugin should always be included in the list of plugins.
  • password: A password that has to be entered by clients before being allowed to connect to the server.

Below is an example of a simple infinoted configuration file.

[infinoted]
key-file=/home/ck/infinoted-key.pem
certificate-file=/home/ck/infinoted-cert.pem
security-policy=require-tls

Command Line Parameters

All configuration options mentioned above can also be given on the command line. In that case they override the values read from the configuration files. In addition, the following command line parameters are available:

  • --config-file: Specifies an alternative configuration file to load.
  • --create-key: Create a new 4096-bit RSA private key, and store it at the path given by the key-file setting.
  • --create-certificate: Create a new self-signed certificate that is valid for one year and signed with the key given in key-file (possibly newly created, if create-key is also given). The certificate is stored at the path given by the certificate-file setting.
  • --plugin-parameter: Override a parameter of a plugin. This option can be given multiple times to override more than one parameter. The syntax is plugin:key:value, where plugin is the name of the plugin for which to override a parameter, key is the name of the parameter to override and value is the new value for the parameter. See the Plugin Infrastructure section below for more details on plugins.
  • --daemonize, -d: Run the server in the background.
  • --kill-daemon, -D: Kill a running daemon and exit.
  • --version, -v: Print version information and exit.

Secure Connections

It is recommended to always use connections secured with Transport Layer Security (TLS), i.e. set the security-policy setting to require-tls. There is no significant drawback in doing so, and all compatible Gobby versions support it. In order to use TLS, a private key and a certificate are needed. If your server does not already have a certificate, or if you want to use the server on your local machine, infinoted can create a simple self-signed certificate automatically. For this to happen, set the key-file and certificate-file options to the location where the private key and the certificate should be stored. Then, run infinoted-0.6 --create-key --create-certificate to create the private key and certificate. You can then press Ctrl+C to exit infinoted, and run it without the --create-key and --create-certificate options the next time.

While the certificate can be public, the corresponding private key should be kept secret and not be accessible by other persons. Gobby users will have to accept the self-signed certificate the first time they connect to the server (in a similar way as when connecting with SSH for the first time). Subsequent connections work without user interaction. A warning message will be shown to users when a server at the same address shows a different certificate and the first certificate has not yet expired.

Plugin Infrastructure

The infinoted server can be extended with additional functionality provided by plugins. The plugins configuration option (see the Configuration section) specifies what plugins are loaded. Plugins can have additional options that steer their behavior. Options for plugins are provided in an additional section in the configuration file which has the name of the corresponding plugin. An example is given in the following:

[infinoted]
key-file=/home/ck/infinoted-key.pem
certificate-file=/home/ck/infinoted-cert.pem
security-policy=require-tls
plugins=note-text;autosave;certificate-auth

[autosave]
interval=10

[certificate-auth]
ca-list=/home/ck/infinoted-cert.pem
accept-unauthenticated-clients=false

Plugin options can be overridden on the command line with the --plugin-parameter option. One example would be --plugin-parameter=autosave:interval:20 to set the autosave interval to 20 seconds, overriding the value 10 from the above configuration file.

Below is a list of available plugins with links to a description and available options. Instructions for developers how to create their own infinoted plugins can be found at this page.

Available Plugins

The following plugins ship with the core infinoted distribution.

  • autosave: Save the documents periodically to the server's root-directory.
  • certificate-auth: Allow clients to authenticate themselves with client certificates.
  • directory-sync: Periodically save a copy of the document tree in plain text format.
  • document-stream: Provide a simple API to text and chat documents via unix domain sockets.
  • linekeeper: Make sure there is always a fixed number of newlines at the end of the document.
  • logging: Enable logging of additional events.
  • note-chat: Add support for chat documents in the directory tree.
  • note-text: Add support for text documents in the directory tree (default).
  • record: Save recordings of text sessions as they happen, for later playback and debugging.
  • traffic-logging: Write out all ingoing and outgoing traffic in unencrypted format, for debugging.
  • transformation-protection: Protect the server from malicious client requests or extremly lagging clients.