Make it automatically renew 2 days before the cert expires

add the ability for browsers to download via a one-time link with a short timeout.

Closes #1

See merge request idk/reseed-tools!4

.dockerignore

@@ -0,0 +1,8 @@
+.idea
+.git
+.gitlab-ci.yml
+.vscode
+
+# CI cache folder storing docker images
+ci-exports
+

.gitignore

@@ -5,3 +5,5 @@
 i2pseeds.su3
 *.pem
 onion.key
+tmp/
+i2p-tools-*

.gitlab-ci.yml

@@ -0,0 +1,106 @@
+image: docker:19.03.12
+
+stages:
+  - docker_test
+  - docker_push
+
+variables:
+  # When using dind service, we need to instruct docker to talk with
+  # the daemon started inside of the service. The daemon is available
+  # with a network connection instead of the default
+  # /var/run/docker.sock socket. Docker 19.03 does this automatically
+  # by setting the DOCKER_HOST in
+  # https://github.com/docker-library/docker/blob/d45051476babc297257df490d22cbd806f1b11e4/19.03/docker-entrypoint.sh#L23-L29
+  #
+  # The 'docker' hostname is the alias of the service container as described at
+  # https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#accessing-the-services.
+  #
+  # Specify to Docker where to create the certificates, Docker will
+  # create them automatically on boot, and will create
+  # `/certs/client` that will be shared between the service and job
+  # container, thanks to volume mount from config.toml
+  DOCKER_TLS_CERTDIR: "/certs"
+  # Use TLS https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-enabled
+  DOCKER_HOST: tcp://docker:2376
+
+services:
+  - docker:19.03.12-dind
+
+.docker_cache:
+  cache:
+    # The same key should be used across branches
+    key: "$CI_COMMIT_REF_SLUG"
+    paths:
+      - ci-exports/*.tar
+
+# Make sure we can build a docker image
+# It's cached for later jobs
+build_docker:
+  extends:
+    - .docker_cache
+  stage: docker_test
+  script:
+    # Try to load latest branch image from local tar or from registry
+    - docker load ci-exports/$CI_COMMIT_REF_SLUG.tar || docker pull $CI_REGISTRY_IMAGE:latest || true
+    - docker build --cache-from $CI_REGISTRY_IMAGE:latest --tag $CI_REGISTRY_IMAGE:latest .
+    - mkdir -p ci-exports/
+    - docker save $CI_REGISTRY_IMAGE:latest > ci-exports/$CI_COMMIT_REF_SLUG.tar
+
+# Publishes the configured CI registry (by default that's gitlab's registry)
+push_ci_registry:
+  extends:
+    - .docker_cache
+  stage: docker_push
+  cache:
+    policy: pull
+  before_script:
+    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+  script:
+    - cat ci-exports/$CI_COMMIT_REF_SLUG.tar | docker load
+    - docker tag $CI_REGISTRY_IMAGE:latest $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
+    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
+    - docker push $CI_REGISTRY_IMAGE:latest
+  only:
+    refs:
+      # Make sure to protect these tags!
+      - /^v(\d+\.){2,3}\d+$/
+      - /.+-release$/
+    variables:
+      - $CI_REGISTRY
+      - $CI_REGISTRY_USER
+      - $CI_REGISTRY_PASSWORD
+      - $CI_REGISTRY_IMAGE
+
+# Publishes the cached image to docker
+push_dockerhub_registry:
+  extends:
+    - .docker_cache
+  stage: docker_push
+  cache:
+    policy: pull
+  before_script:
+    - docker login -u $DOCKERHUB_REGISTRY_USER -p $DOCKERHUB_REGISTRY_PASSWORD $DOCKERHUB_REGISTRY
+  script:
+    - cat ci-exports/$CI_COMMIT_REF_SLUG.tar | docker load
+    - docker tag $CI_REGISTRY_IMAGE:latest $DOCKERHUB_REGISTRY_IMAGE:$CI_COMMIT_TAG
+    - docker tag $CI_REGISTRY_IMAGE:latest $DOCKERHUB_REGISTRY_IMAGE:latest
+    - docker push $DOCKERHUB_REGISTRY_IMAGE:$CI_COMMIT_TAG
+    - docker push $DOCKERHUB_REGISTRY_IMAGE:latest
+    # Push the readme to dockerhub
+    - >-
+      docker run -v $PWD:/workspace
+      -e DOCKERHUB_USERNAME="$DOCKERHUB_REGISTRY_USER"
+      -e DOCKERHUB_PASSWORD="$DOCKERHUB_REGISTRY_PASSWORD"
+      -e DOCKERHUB_REPOSITORY="$DOCKERHUB_REGISTRY_IMAGE"
+      -e README_FILEPATH='/workspace/README.md'
+      peterevans/dockerhub-description:2
+  only:
+    refs:
+      # Make sure to protect these tags!
+      - /^v(\d+\.){2,3}\d+$/
+      - /.+-release$/
+    variables:
+      - $DOCKERHUB_REGISTRY
+      - $DOCKERHUB_REGISTRY_USER
+      - $DOCKERHUB_REGISTRY_PASSWORD
+      - $DOCKERHUB_REGISTRY_IMAGE

CHANGELOG.md

@@ -31,4 +31,4 @@
  * numRi per su3 file: 75 --> 77
 
 2016-01
- * fork from https://github.com/MDrollette/i2p-tools
+ * fork from https://i2pgit.org/idk/reseed-tools

Dockerfile

@@ -1,8 +1,8 @@
 FROM debian:stable-backports
 ARG I2P_GID=1000
 ARG I2P_UID=1000
-COPY . /var/lib/i2p/go/src/github.com/eyedeekay/i2p-tools-1
-WORKDIR /var/lib/i2p/go/src/github.com/eyedeekay/i2p-tools-1
+COPY . /var/lib/i2p/go/src/i2pgit.org/idk/reseed-tools
+WORKDIR /var/lib/i2p/go/src/i2pgit.org/idk/reseed-tools
 RUN apt-get update && \
     apt-get dist-upgrade -y && \
     apt-get install -y git golang-1.13-go make && \
@@ -11,4 +11,4 @@ RUN apt-get update && \
 RUN /usr/lib/go-1.13/bin/go build -v -tags netgo -ldflags '-w -extldflags "-static"'
 USER $I2P_UID
 WORKDIR /var/lib/i2p/i2p-config/reseed
-ENTRYPOINT [ "/var/lib/i2p/go/src/github.com/eyedeekay/i2p-tools-1/i2p-tools-1", "reseed", "--yes=true", "--netdb=/var/lib/i2p/i2p-config/netDb" ]
+ENTRYPOINT [ "/var/lib/i2p/go/src/i2pgit.org/idk/reseed-tools/entrypoint.sh" ]

Makefile

@@ -1,5 +1,5 @@
 
-VERSION=0.0.2
+VERSION=0.0.6
 APP=i2p-tools-1
 USER_GH=eyedeekay
 
@@ -8,12 +8,14 @@ GOARCH?="amd64"
 
 ARG=-v -tags netgo -ldflags '-w -extldflags "-static"'
 
-MIN_GO_VERSION=`ls /usr/lib/go-1.14 2>/dev/null >/dev/null && echo 1.14`
-MIN_GO_VERSION?=1.13
+#MIN_GO_VERSION=`ls /usr/lib/go-1.14 2>/dev/null >/dev/null && echo 1.14`
+MIN_GO_VERSION?=1.15
 
 I2P_UID=$(shell id -u i2psvc)
 I2P_GID=$(shell id -g i2psvc)
 
+WHOAMI=$(shell whoami)
+
 echo:
 	@echo "type make version to do release $(APP) $(VERSION) $(GOOS) $(GOARCH) $(MIN_GO_VERSION) $(I2P_UID) $(I2P_GID)"
 
@@ -60,12 +62,12 @@ build-unfork:
 	/usr/lib/go-$(MIN_GO_VERSION)/bin/go build -o i2p-tools-md
 
 fork:
-	sed -i 's|MDrollette/i2p-tools|eyedeekay/i2p-tools-1|g' main.go cmd/*.go reseed/*.go su3/*.go
+	sed -i 's|idk/reseed-tools|idk/reseed-tools|g' main.go cmd/*.go reseed/*.go su3/*.go
 	make gofmt build-fork
 
 unfork:
-	sed -i 's|eyedeekay/i2p-tools-1|MDrollette/i2p-tools|g' main.go cmd/*.go reseed/*.go su3/*.go
-	sed -i 's|RTradeLtd/i2p-tools-1|MDrollette/i2p-tools|g' main.go cmd/*.go reseed/*.go su3/*.go
+	sed -i 's|idk/reseed-tools|idk/reseed-tools|g' main.go cmd/*.go reseed/*.go su3/*.go
+	sed -i 's|RTradeLtd/i2p-tools-1|idk/reseed-tools|g' main.go cmd/*.go reseed/*.go su3/*.go
 	make gofmt build-unfork
 
 gofmt:
@@ -107,18 +109,41 @@ docker-server:
 		--publish 8443:8443 \
 		--restart=always \
 		--volume /var/lib/i2p/i2p-config/netDb:/var/lib/i2p/i2p-config/netDb:z \
-		--volume /var/lib/i2p/i2p-config/reseed-keys:/var/lib/i2p/i2p-config/reseed \
+		--volume reseed-keyss:/var/lib/i2p/i2p-config/reseed \
 		eyedeekay/reseed \
 			--signer=hankhill19580@gmail.com
 	docker logs -f reseed
 
 docker-run:
-	docker run --rm -itd \
+	docker run -itd \
 		--name reseed \
 		--user $(I2P_UID) \
 		--group-add $(I2P_GID) \
 		--publish 8443:8443 \
 		--volume /var/lib/i2p/i2p-config/netDb:/var/lib/i2p/i2p-config/netDb:z \
-		--volume /var/lib/i2p/i2p-config/reseed-keys:/var/lib/i2p/i2p-config/reseed \
+		--volume reseed-keys:/var/lib/i2p/i2p-config/reseed \
 		eyedeekay/reseed \
 			--signer=hankhill19580@gmail.com
+
+docker-homerun:
+	docker run -itd \
+		--name reseed \
+		--user 1000 \
+		--group-add 1000 \
+		--publish 8443:8443 \
+		--volume $(HOME)/i2p/netDb:/var/lib/i2p/i2p-config/netDb:z \
+		--volume reseed-keys:/var/lib/i2p/i2p-config/reseed:z \
+		eyedeekay/reseed \
+			--signer=hankhill19580@gmail.com
+
+export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre/
+export CGO_CFLAGS=-I/usr/lib/jvm/java-8-openjdk-amd64/include/ -I/usr/lib/jvm/java-8-openjdk-amd64/include/linux/
+
+gojava:
+	go get -u -v github.com/sridharv/gojava
+	cp -v ~/go/bin/gojava ./gojava
+
+jar: gojava
+	echo $(JAVA_HOME)
+	./gojava -v -o reseed.jar -s . build ./reseed
+

README.md

@@ -1,15 +1,16 @@
 I2P Reseed Tools
 ==================
 
-This tool provides a secure and efficient reseed server for the I2P network. There are several utility commands to create, sign, and validate SU3 files.
+This tool provides a secure and efficient reseed server for the I2P network. There are several utility commands to
+create, sign, and validate SU3 files. Please note that this requires at least Go version 1.13, and uses Go Modules.
 
 ## Installation
 
 If you have go installed you can download, build, and install this tool with `go get`
 
 ```
-go get github.com/MDrollette/i2p-tools
-i2p-tools -h
+go get i2pgit.org/idk/reseed-tools
+reseed-tools -h
 ```
 
 ## Usage
@@ -24,8 +25,8 @@ and group inside the container as I2P.
 
 When you run a reseed under Docker in this fashion, it will automatically
 generate a self-signed certificate for your reseed server in a Docker volume
-under your I2P directory. *Back up this directory*, if it is lost it is
-impossible to reproduce.
+mamed reseed-keys. *Back up this directory*, if it is lost it is impossible
+to reproduce.
 
 Please note that Docker is not currently compatible with .onion reseeds unless
 you pass the --network=host tag.
@@ -37,7 +38,7 @@ you pass the --network=host tag.
             --publish 443:8443 \
             --restart always \
             --volume $HOME/.i2p/netDb:$HOME/.i2p/netDb:z \
-            --volume $HOME/i2p/reseed-keys:/var/lib/i2p/i2p-config/reseed \
+            --volume reseed-keys:/var/lib/i2p/i2p-config/reseed \
             eyedeekay/reseed \
                 --signer $YOUR_EMAIL_HERE
 
@@ -50,7 +51,7 @@ you pass the --network=host tag.
             --publish 443:8443 \
             --restart always \
             --volume /PATH/TO/USER/I2P/HERE/netDb:/var/lib/i2p/i2p-config/netDb:z \
-            --volume /PATH/TO/USER/I2P/HERE/reseed-keys:/var/lib/i2p/i2p-config/reseed \
+            --volume reseed-keys:/var/lib/i2p/i2p-config/reseed \
             eyedeekay/reseed \
                 --signer $YOUR_EMAIL_HERE
 
@@ -68,20 +69,20 @@ work for you. In that case, just copy-and-paste:
             --publish 443:8443 \
             --restart always \
             --volume /var/lib/i2p/i2p-config/netDb:/var/lib/i2p/i2p-config/netDb:z \
-            --volume /var/lib/i2p/i2p-config/reseed-keys:/var/lib/i2p/i2p-config/reseed \
+            --volume reseed-keys:/var/lib/i2p/i2p-config/reseed \
             eyedeekay/reseed \
                 --signer $YOUR_EMAIL_HERE
 
 ### Locally behind a webserver (reverse proxy setup), preferred:
 
 ```
-i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --port=8443 --ip=127.0.0.1 --trustProxy
+reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --port=8443 --ip=127.0.0.1 --trustProxy
 ```
 
 ### Without a webserver, standalone with TLS support
 
 ```
-i2p-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld
+reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --tlsHost=your-domain.tld
 ```
 
 If this is your first time running a reseed server (ie. you don't have any existing keys),
@@ -96,61 +97,61 @@ http://j7xszhsjy7orrnbdys7yykrssv5imkn4eid7n5ikcnxuhpaaw6cq.b32.i2p/
 
 also a short guide and complete tech info.
 
-## Experimental, currently only available from eyedeekay/i2p-tools-1 fork
+## Experimental, currently only available from idk/reseed-tools fork
 
-Requires ```go mod``` and at least go 1.13. To build the eyedeekay/i2p-tools-1
+Requires ```go mod``` and at least go 1.13. To build the idk/reseed-tools
 fork, from anywhere:
 
-        git clone https://github.com/eyedeekay/i2p-tools-1
-        cd i2p-tools-1
+        git clone https://i2pgit.org/idk/reseed-tools
+        cd reseed-tools
         make build
 
 ### Without a webserver, standalone, self-supervising(Automatic restarts)
 
 ```
-./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --restart=start
+./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --littleboss=start
 ```
 
 ### Without a webserver, standalone, automatic OnionV3 with TLS support
 
 ```
-./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --i2p --p2p
+./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --i2p --p2p
 ```
 
 ### Without a webserver, standalone, serve P2P with LibP2P
 
 ```
-./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --p2p
+./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --p2p
 ```
 
 ### Without a webserver, standalone, upload a single signed .su3 to github
 
-* This one isn't working yet, look for it by ~Monday.
+* This one isn't working yet, I'll get to it eventually, I've got a cooler idea now.
 
 ```
-./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --github --ghrepo=i2p-tools-1 --ghuser=eyedeekay
+./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --github --ghrepo=reseed-tools --ghuser=eyedeekay
 ```
 
 ### Without a webserver, standalone, in-network reseed
 
 ```
-./i2p-tools-1 reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --i2p
+./reseed-tools reseed --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --i2p
 ```
 
 ### Without a webserver, standalone, Regular TLS, OnionV3 with TLS
 
 ```
-./i2p-tools-1 reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion
+./reseed-tools reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion
 ```
 
 ### Without a webserver, standalone, Regular TLS, OnionV3 with TLS, and LibP2P
 
 ```
-./i2p-tools-1 reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p
+./reseed-tools reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p
 ```
 
 ### Without a webserver, standalone, Regular TLS, OnionV3 with TLS, I2P In-Network reseed, and LibP2P, self-supervising
 
 ```
-./i2p-tools-1 reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p --restart=start
-```
+./reseed-tools reseed --tlsHost=your-domain.tld --signer=you@mail.i2p --netdb=/home/i2p/.i2p/netDb --onion --p2p --littleboss=start
+```

cmd/keygen.go

@@ -3,7 +3,7 @@ package cmd
 import (
 	"fmt"
 
-	"github.com/codegangsta/cli"
+	"github.com/urfave/cli"
 )
 
 func NewKeygenCommand() cli.Command {

cmd/reseed.go

@@ -13,8 +13,6 @@ import (
 	"time"
 
 	//"crawshaw.io/littleboss"
-	"github.com/MDrollette/i2p-tools/reseed"
-	"github.com/codegangsta/cli"
 	"github.com/cretz/bine/tor"
 	"github.com/cretz/bine/torutil"
 	"github.com/cretz/bine/torutil/ed25519"
@@ -22,6 +20,8 @@ import (
 	"github.com/eyedeekay/sam3/i2pkeys"
 	"github.com/libp2p/go-libp2p"
 	"github.com/libp2p/go-libp2p-core/host"
+	"github.com/urfave/cli"
+	"i2pgit.org/idk/reseed-tools/reseed"
 )
 
 func NewReseedCommand() cli.Command {
@@ -133,6 +133,15 @@ func NewReseedCommand() cli.Command {
 				Value: "start",
 				Usage: "Self-Supervise this application",
 			},
+			cli.BoolFlag{
+				Name:  "acme",
+				Usage: "Automatically generate a TLS certificate with the ACME protocol, defaults to Let's Encrypt",
+			},
+			cli.StringFlag{
+				Name:  "acmeserver",
+				Value: "https://acme-staging-v02.api.letsencrypt.org/directory",
+				Usage: "Use this server to issue a certificate with the ACME protocol",
+			},
 		},
 	}
 }
@@ -208,13 +217,53 @@ func reseedAction(c *cli.Context) {
 	var i2pTlsCert, i2pTlsKey string
 	var i2pkey i2pkeys.I2PKeys
 
+	if tlsHost != "" {
+		onionTlsHost = tlsHost
+		i2pTlsHost = tlsHost
+		tlsKey = c.String("tlsKey")
+		// if no key is specified, default to the host.pem in the current dir
+		if tlsKey == "" {
+			tlsKey = tlsHost + ".pem"
+			onionTlsKey = tlsHost + ".pem"
+			i2pTlsKey = tlsHost + ".pem"
+		}
+
+		tlsCert = c.String("tlsCert")
+		// if no certificate is specified, default to the host.crt in the current dir
+		if tlsCert == "" {
+			tlsCert = tlsHost + ".crt"
+			onionTlsCert = tlsHost + ".crt"
+			i2pTlsCert = tlsHost + ".crt"
+		}
+
+		// prompt to create tls keys if they don't exist?
+		auto := c.Bool("yes")
+		// use ACME?
+		acme := c.Bool("acme")
+		if acme {
+			acmeserver := c.String("acmeserver")
+			err := checkUseAcmeCert(tlsHost, signerID, acmeserver, &tlsCert, &tlsKey, auto)
+			if nil != err {
+				log.Fatalln(err)
+			}
+		} else {
+			err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey, auto)
+			if nil != err {
+				log.Fatalln(err)
+			}
+		}
+
+	}
+
 	if c.Bool("i2p") {
 		var err error
 		i2pkey, err = LoadKeys("reseed.i2pkeys", c)
 		if err != nil {
 			log.Fatalln(err)
 		}
-		i2pTlsHost = i2pkey.Addr().Base32()
+		if i2pTlsHost == "" {
+			i2pTlsHost = i2pkey.Addr().Base32()
+		}
 		if i2pTlsHost != "" {
 			// if no key is specified, default to the host.pem in the current dir
 			if i2pTlsKey == "" {
@@ -227,7 +276,7 @@ func reseedAction(c *cli.Context) {
 			}
 
 			// prompt to create tls keys if they don't exist?
-            auto := c.Bool("yes")
+			auto := c.Bool("yes")
 			err := checkOrNewTLSCert(i2pTlsHost, &i2pTlsCert, &i2pTlsKey, auto)
 			if nil != err {
 				log.Fatalln(err)
@@ -250,7 +299,9 @@ func reseedAction(c *cli.Context) {
 			}
 			ok = []byte(key.PrivateKey())
 		}
-		onionTlsHost = torutil.OnionServiceIDFromPrivateKey(ed25519.PrivateKey(ok)) + ".onion"
+		if onionTlsHost == "" {
+			onionTlsHost = torutil.OnionServiceIDFromPrivateKey(ed25519.PrivateKey(ok)) + ".onion"
+		}
 		err = ioutil.WriteFile(c.String("onionKey"), ok, 0644)
 		if err != nil {
 			log.Fatalln(err.Error())
@@ -267,7 +318,7 @@ func reseedAction(c *cli.Context) {
 			}
 
 			// prompt to create tls keys if they don't exist?
-            auto := c.Bool("yes")
+			auto := c.Bool("yes")
 			err := checkOrNewTLSCert(onionTlsHost, &onionTlsCert, &onionTlsKey, auto)
 			if nil != err {
 				log.Fatalln(err)
@@ -275,27 +326,6 @@ func reseedAction(c *cli.Context) {
 		}
 	}
 
-	if tlsHost != "" {
-		tlsKey = c.String("tlsKey")
-		// if no key is specified, default to the host.pem in the current dir
-		if tlsKey == "" {
-			tlsKey = tlsHost + ".pem"
-		}
-
-		tlsCert = c.String("tlsCert")
-		// if no certificate is specified, default to the host.crt in the current dir
-		if tlsCert == "" {
-			tlsCert = tlsHost + ".crt"
-		}
-
-		// prompt to create tls keys if they don't exist?
-        auto := c.Bool("yes")
-		err := checkOrNewTLSCert(tlsHost, &tlsCert, &tlsKey, auto)
-		if nil != err {
-			log.Fatalln(err)
-		}
-	}
-
 	reloadIntvl, err := time.ParseDuration(c.String("interval"))
 	if nil != err {
 		fmt.Printf("'%s' is not a valid time interval.\n", reloadIntvl)
@@ -309,7 +339,7 @@ func reseedAction(c *cli.Context) {
 	}
 
 	// load our signing privKey
-    auto := c.Bool("yes")
+	auto := c.Bool("yes")
 	privKey, err := getOrNewSigningCert(&signerKey, signerID, auto)
 	if nil != err {
 		log.Fatalln(err)
@@ -362,7 +392,7 @@ func reseedAction(c *cli.Context) {
 	}
 }
 
-func reseedHTTPS(c *cli.Context, tlsCert, tlsKey string, reseeder reseed.Reseeder) {
+func reseedHTTPS(c *cli.Context, tlsCert, tlsKey string, reseeder *reseed.ReseederImpl) {
 	server := reseed.NewServer(c.String("prefix"), c.Bool("trustProxy"))
 	server.Reseeder = reseeder
 	server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
@@ -391,7 +421,7 @@ func reseedHTTPS(c *cli.Context, tlsCert, tlsKey string, reseeder reseed.Reseede
 	}
 }
 
-func reseedHTTP(c *cli.Context, reseeder reseed.Reseeder) {
+func reseedHTTP(c *cli.Context, reseeder *reseed.ReseederImpl) {
 	server := reseed.NewServer(c.String("prefix"), c.Bool("trustProxy"))
 	server.Reseeder = reseeder
 	server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
@@ -428,7 +458,7 @@ func makeRandomHost(port int) (host.Host, error) {
 	return host, nil
 }
 
-func reseedP2P(c *cli.Context, reseeder reseed.Reseeder) {
+func reseedP2P(c *cli.Context, reseeder *reseed.ReseederImpl) {
 	server := reseed.NewServer(c.String("prefix"), c.Bool("trustProxy"))
 	server.Reseeder = reseeder
 	server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
@@ -466,7 +496,7 @@ func reseedP2P(c *cli.Context, reseeder reseed.Reseeder) {
 	}
 }
 
-func reseedOnion(c *cli.Context, onionTlsCert, onionTlsKey string, reseeder reseed.Reseeder) {
+func reseedOnion(c *cli.Context, onionTlsCert, onionTlsKey string, reseeder *reseed.ReseederImpl) {
 	server := reseed.NewServer(c.String("prefix"), c.Bool("trustProxy"))
 	server.Reseeder = reseeder
 	server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))
@@ -541,7 +571,7 @@ func reseedOnion(c *cli.Context, onionTlsCert, onionTlsKey string, reseeder rese
 	log.Printf("Onion server started on %s\n", server.Addr)
 }
 
-func reseedI2P(c *cli.Context, i2pTlsCert, i2pTlsKey string, i2pIdentKey i2pkeys.I2PKeys, reseeder reseed.Reseeder) {
+func reseedI2P(c *cli.Context, i2pTlsCert, i2pTlsKey string, i2pIdentKey i2pkeys.I2PKeys, reseeder *reseed.ReseederImpl) {
 	server := reseed.NewServer(c.String("prefix"), c.Bool("trustProxy"))
 	server.Reseeder = reseeder
 	server.Addr = net.JoinHostPort(c.String("ip"), c.String("port"))

cmd/utils.go

@@ -2,10 +2,12 @@ package cmd
 
 import (
 	"bufio"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -16,8 +18,15 @@ import (
 	"strings"
 	"time"
 
-	"github.com/MDrollette/i2p-tools/reseed"
-	"github.com/MDrollette/i2p-tools/su3"
+	"i2pgit.org/idk/reseed-tools/reseed"
+	"i2pgit.org/idk/reseed-tools/su3"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge/http01"
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
 )
 
 func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
@@ -35,6 +44,24 @@ func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
 	return privKey, nil
 }
 
+// Taken directly from the lego example, since we need very minimal support
+// https://go-acme.github.io/lego/usage/library/
+type MyUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *MyUser) GetEmail() string {
+	return u.Email
+}
+func (u MyUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
 func signerFile(signerID string) string {
 	return strings.Replace(signerID, "@", "_at_", 1)
 }
@@ -42,14 +69,14 @@ func signerFile(signerID string) string {
 func getOrNewSigningCert(signerKey *string, signerID string, auto bool) (*rsa.PrivateKey, error) {
 	if _, err := os.Stat(*signerKey); nil != err {
 		fmt.Printf("Unable to read signing key '%s'\n", *signerKey)
-        if !auto {
-		fmt.Printf("Would you like to generate a new signing key for %s? (y or n): ", signerID)
-		reader := bufio.NewReader(os.Stdin)
-		input, _ := reader.ReadString('\n')
-		if []byte(input)[0] != 'y' {
-			return nil, fmt.Errorf("A signing key is required")
+		if !auto {
+			fmt.Printf("Would you like to generate a new signing key for %s? (y or n): ", signerID)
+			reader := bufio.NewReader(os.Stdin)
+			input, _ := reader.ReadString('\n')
+			if []byte(input)[0] != 'y' {
+				return nil, fmt.Errorf("A signing key is required")
+			}
 		}
-        }
 		if err := createSigningCertificate(signerID); nil != err {
 			return nil, err
 		}
@@ -60,6 +87,165 @@ func getOrNewSigningCert(signerKey *string, signerID string, auto bool) (*rsa.Pr
 	return loadPrivateKey(*signerKey)
 }
 
+func checkUseAcmeCert(tlsHost, signer, cadirurl string, tlsCert, tlsKey *string, auto bool) error {
+	_, certErr := os.Stat(*tlsCert)
+	_, keyErr := os.Stat(*tlsKey)
+	if certErr != nil || keyErr != nil {
+		if certErr != nil {
+			fmt.Printf("Unable to read TLS certificate '%s'\n", *tlsCert)
+		}
+		if keyErr != nil {
+			fmt.Printf("Unable to read TLS key '%s'\n", *tlsKey)
+		}
+
+		if !auto {
+			fmt.Printf("Would you like to generate a new certificate with Let's Encrypt or a custom ACME server? '%s'? (y or n): ", tlsHost)
+			reader := bufio.NewReader(os.Stdin)
+			input, _ := reader.ReadString('\n')
+			if []byte(input)[0] != 'y' {
+				fmt.Println("Continuing without TLS")
+				return nil
+			}
+		}
+	} else {
+		TLSConfig := &tls.Config{}
+		TLSConfig.NextProtos = []string{"http/1.1"}
+		TLSConfig.Certificates = make([]tls.Certificate, 1)
+		var err error
+		TLSConfig.Certificates[0], err = tls.LoadX509KeyPair(*tlsCert, *tlsKey)
+		if err != nil {
+			return err
+		}
+		if time.Now().Sub(TLSConfig.Certificates[0].Leaf.NotAfter) < (time.Hour * 48) {
+			ecder, err := ioutil.ReadFile(tlsHost + signer + ".acme.key")
+			if err != nil {
+				return err
+			}
+			privateKey, err := x509.ParseECPrivateKey(ecder)
+			if err != nil {
+				return err
+			}
+			user := MyUser{
+				Email: signer,
+				key:   privateKey,
+			}
+			config := lego.NewConfig(&user)
+			config.CADirURL = cadirurl
+			config.Certificate.KeyType = certcrypto.RSA2048
+			client, err := lego.NewClient(config)
+			if err != nil {
+				return err
+			}
+			renewAcmeIssuedCert(client, user, tlsHost, tlsCert, tlsKey)
+		} else {
+			return nil
+		}
+	}
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return err
+	}
+	ecder, err := x509.MarshalECPrivateKey(privateKey)
+	if err != nil {
+		return err
+	}
+	filename := tlsHost + signer + ".acme.key"
+	keypem, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer keypem.Close()
+	err = pem.Encode(keypem, &pem.Block{Type: "EC PRIVATE KEY", Bytes: ecder})
+	if err != nil {
+		return err
+	}
+	user := MyUser{
+		Email: signer,
+		key:   privateKey,
+	}
+	config := lego.NewConfig(&user)
+	config.CADirURL = cadirurl
+	config.Certificate.KeyType = certcrypto.RSA2048
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return err
+	}
+	return newAcmeIssuedCert(client, user, tlsHost, tlsCert, tlsKey)
+}
+
+func renewAcmeIssuedCert(client *lego.Client, user MyUser, tlsHost string, tlsCert, tlsKey *string) error {
+	var err error
+	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "8000"))
+	if err != nil {
+		return err
+	}
+	err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "8443"))
+	if err != nil {
+		return err
+	}
+
+	// New users will need to register
+	if user.Registration, err = client.Registration.QueryRegistration(); err != nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return err
+		}
+		user.Registration = reg
+	}
+	resource, err := client.Certificate.Get(tlsHost, true)
+	if err != nil {
+		return err
+	}
+	certificates, err := client.Certificate.Renew(*resource, true, false, "")
+	if err != nil {
+		return err
+	}
+
+	ioutil.WriteFile(tlsHost+".pem", certificates.PrivateKey, 0600)
+	ioutil.WriteFile(tlsHost+".crt", certificates.Certificate, 0600)
+	//	ioutil.WriteFile(tlsHost+".crl", certificates.PrivateKey, 0600)
+	*tlsCert = tlsHost + ".crt"
+	*tlsKey = tlsHost + ".pem"
+	return nil
+}
+
+func newAcmeIssuedCert(client *lego.Client, user MyUser, tlsHost string, tlsCert, tlsKey *string) error {
+	var err error
+	err = client.Challenge.SetHTTP01Provider(http01.NewProviderServer("", "8000"))
+	if err != nil {
+		return err
+	}
+	err = client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "8443"))
+	if err != nil {
+		return err
+	}
+
+	// New users will need to register
+	if user.Registration, err = client.Registration.QueryRegistration(); err != nil {
+		reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return err
+		}
+		user.Registration = reg
+	}
+
+	request := certificate.ObtainRequest{
+		Domains: []string{tlsHost},
+		Bundle:  true,
+	}
+	certificates, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return err
+	}
+
+	ioutil.WriteFile(tlsHost+".pem", certificates.PrivateKey, 0600)
+	ioutil.WriteFile(tlsHost+".crt", certificates.Certificate, 0600)
+	//	ioutil.WriteFile(tlsHost+".crl", certificates.PrivateKey, 0600)
+	*tlsCert = tlsHost + ".crt"
+	*tlsKey = tlsHost + ".pem"
+	return nil
+}
+
 func checkOrNewTLSCert(tlsHost string, tlsCert, tlsKey *string, auto bool) error {
 	_, certErr := os.Stat(*tlsCert)
 	_, keyErr := os.Stat(*tlsKey)
@@ -71,7 +257,7 @@ func checkOrNewTLSCert(tlsHost string, tlsCert, tlsKey *string, auto bool) error
 			fmt.Printf("Unable to read TLS key '%s'\n", *tlsKey)
 		}
 
-		if auto {
+		if !auto {
 			fmt.Printf("Would you like to generate a new self-signed certificate for '%s'? (y or n): ", tlsHost)
 			reader := bufio.NewReader(os.Stdin)
 			input, _ := reader.ReadString('\n')

cmd/verify.go

@@ -4,9 +4,9 @@ import (
 	"fmt"
 	"io/ioutil"
 
-	"github.com/MDrollette/i2p-tools/reseed"
-	"github.com/MDrollette/i2p-tools/su3"
-	"github.com/codegangsta/cli"
+	"github.com/urfave/cli"
+	"i2pgit.org/idk/reseed-tools/reseed"
+	"i2pgit.org/idk/reseed-tools/su3"
 )
 
 func NewSu3VerifyCommand() cli.Command {

content/lang/en/homepage.md

@@ -0,0 +1,18 @@
+You have found an I2P Reseed
+============================
+
+Maybe it was by accident, or maybe you visited the URL because you saw it in the software somewhere. While we've got
+your attention, we're going to take this opportunity to tell you a little about what we do here. I2P is a peer-to-peer
+network which uses "Garlic Routing" to maintain privacy. Reseed nodes help you get connected to I2P for the first time,
+and even though you should only have to use them once in a great while, they are very important services.
+
+[To learn more about I2P, visit the project website](https://geti2p.net)
+------------------------------------------------------------------------
+
+[![Help reseed](images/reseed.png)](https://geti2p.net)
+
+ - [Learn more about reseeds here:](https://geti2p.net/en/docs/reseed)
+ - [Learn how to run a reseed here:](https://geti2p.net/en/get-involved/guides/reseed)
+ - [Read the reseed server code and learn about more reseed options here:](https://i2pgit.org/idk/reseed-tools)
+
+### Here on purpose? Here's a one-time link to a reseed bundle for you.

content/style.css

@@ -0,0 +1,37 @@
+body {
+	font-family: monospace;
+	text-align: justify;
+}
+
+h1 {
+	text-align: center;
+}
+
+img {
+	display: block;
+	margin-left: auto;
+	margin-right: auto;
+	width: 50%;
+}
+
+.inline {
+	display: inline;
+}
+
+.link-button {
+	background: none;
+	border: none;
+	color: blue;
+	text-decoration: underline;
+	cursor: pointer;
+	font-size: 1em;
+	font-family: serif;
+}
+
+.link-button:focus {
+	outline: none;
+}
+
+.link-button:active {
+	color:red;
+}

entrypoint.sh

@@ -0,0 +1,5 @@
+#! /usr/bin/env sh
+
+cp -r /var/lib/i2p/go/src/i2pgit.org/idk/reseed-tools/content ./content
+
+/var/lib/i2p/go/src/i2pgit.org/idk/reseed-tools/reseed-tools reseed --yes=true --netdb=/var/lib/i2p/i2p-config/netDb $@

go.mod

@@ -1,25 +1,19 @@
-module github.com/eyedeekay/i2p-tools-1
+module i2pgit.org/idk/reseed-tools
 
 go 1.13
 
 require (
-	crawshaw.io/littleboss v0.0.0-20190317185602-8957d0aedcce // indirect
-	github.com/MDrollette/i2p-tools v0.0.0
-	github.com/codegangsta/cli v1.22.1
 	github.com/cretz/bine v0.1.0
-	github.com/eyedeekay/sam3 v0.32.2
-	github.com/gomodule/redigo v1.8.0 // indirect
-	github.com/gorilla/handlers v1.4.2
-	github.com/justinas/alice v0.0.0-20171023064455-03f45bd4b7da
-	github.com/libp2p/go-libp2p v0.6.0
-	github.com/libp2p/go-libp2p-core v0.5.0
-	github.com/libp2p/go-libp2p-gostream v0.2.1
-	github.com/libp2p/go-libp2p-http v0.1.5
-	github.com/shurcooL/go v0.0.0-20190704215121-7189cc372560 // indirect
-	github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041 // indirect
-	github.com/throttled/throttled v2.2.4+incompatible
+	github.com/eyedeekay/sam3 v0.32.32
+	github.com/go-acme/lego/v4 v4.3.1
+	github.com/gorilla/handlers v1.5.1
+	github.com/justinas/alice v1.2.0
+	github.com/libp2p/go-libp2p v0.13.0
+	github.com/libp2p/go-libp2p-core v0.8.0
+	github.com/libp2p/go-libp2p-gostream v0.3.1
+	github.com/libp2p/go-libp2p-http v0.2.0
+	github.com/throttled/throttled/v2 v2.7.1
+	github.com/urfave/cli v1.22.5
+	gitlab.com/golang-commonmark/markdown v0.0.0-20191127184510-91b5b3c99c19
+	golang.org/x/text v0.3.5
 )
-
-replace github.com/MDrollette/i2p-tools v0.0.0 => ./
-
-replace github.com/codegangsta/cli v1.22.1 => github.com/urfave/cli v1.22.1

history.txt

@@ -41,4 +41,4 @@
  * numRi per su3 file: 75 --> 77
 
 2016-01
- * fork from https://github.com/MDrollette/i2p-tools
+ * fork from https://i2pgit.org/idk/reseed-tools

main.go

@@ -4,8 +4,8 @@ import (
 	"os"
 	"runtime"
 
-	"github.com/MDrollette/i2p-tools/cmd"
-	"github.com/codegangsta/cli"
+	"github.com/urfave/cli"
+	"i2pgit.org/idk/reseed-tools/cmd"
 )
 
 func main() {

reseed/homepage.go

@@ -0,0 +1,132 @@
+package reseed
+
+import (
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"gitlab.com/golang-commonmark/markdown"
+	"golang.org/x/text/language"
+)
+
+var SupportedLanguages = []language.Tag{
+	language.English,
+}
+var CachedLanguagePages = map[string]string{}
+var CachedDataPages = map[string][]byte{}
+
+var BaseContentPath, ContentPathError = ContentPath()
+
+var matcher = language.NewMatcher(SupportedLanguages)
+
+var header = []byte(`<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <title>This is an I2P Reseed Server</title>
+    <link rel="stylesheet" href="style.css">
+    <script src="script.js"></script>
+  </head>
+  <body>`)
+var footer = []byte(`  </body>
+</html>`)
+
+var md = markdown.New(markdown.XHTMLOutput(true), markdown.HTML(true))
+
+func ContentPath() (string, error) {
+	exPath, err := os.Getwd()
+	if err != nil {
+		return "", err
+	}
+	//exPath := filepath.Dir(ex)
+	if _, err := os.Stat(filepath.Join(exPath, "content")); err != nil {
+		return "", err
+	}
+	return filepath.Join(exPath, "content"), nil
+}
+
+func (srv *Server) HandleARealBrowser(w http.ResponseWriter, r *http.Request) {
+	if ContentPathError != nil {
+		http.Error(w, "403 Forbidden", http.StatusForbidden)
+		return
+	}
+	lang, _ := r.Cookie("lang")
+	accept := r.Header.Get("Accept-Language")
+	tag, _ := language.MatchStrings(matcher, lang.String(), accept)
+	base, _ := tag.Base()
+
+	switch r.URL.Path {
+	case "/style.css":
+		w.Header().Set("Content-Type", "text/css")
+		HandleAFile(w, "", "style.css")
+	case "/script.js":
+		w.Header().Set("Content-Type", "text/javascript")
+		HandleAFile(w, "", "script.js")
+	default:
+		image := strings.Replace(r.URL.Path, "/", "", -1)
+		if strings.HasPrefix(image, "images") {
+			w.Header().Set("Content-Type", "image/png")
+			HandleAFile(w, "images", strings.TrimPrefix(strings.TrimPrefix(r.URL.Path, "/"), "images"))
+		} else {
+			w.Header().Set("Content-Type", "text/html")
+			w.Write([]byte(header))
+			HandleALocalizedFile(w, base.String())
+			w.Write([]byte(`<ul><li><form method="post" action="/i2pseeds" class="inline">
+			<input type="hidden" name="onetime" value="` + srv.Acceptable() + `">
+			<button type="submit" name="submit_param" value="submit_value" class="link-button">
+			Bundle
+			</button>
+			</form></li></ul>`))
+			w.Write([]byte(footer))
+		}
+	}
+}
+
+func HandleAFile(w http.ResponseWriter, dirPath, file string) {
+	file = filepath.Join(dirPath, file)
+	if _, prs := CachedDataPages[file]; prs == false {
+		path := filepath.Join(BaseContentPath, file)
+		f, err := ioutil.ReadFile(path)
+		if err != nil {
+			w.Write([]byte("Oops! Something went wrong handling your language. Please file a bug at https://i2pgit.org/idk/reseed-tools\n\t" + err.Error()))
+			return
+		}
+		CachedDataPages[file] = f
+		w.Write([]byte(CachedDataPages[file]))
+	} else {
+		w.Write(CachedDataPages[file])
+	}
+}
+
+func HandleALocalizedFile(w http.ResponseWriter, dirPath string) {
+	if _, prs := CachedLanguagePages[dirPath]; prs == false {
+		dir := filepath.Join(BaseContentPath, "lang", dirPath)
+		files, err := ioutil.ReadDir(dir)
+		if err != nil {
+			w.Write([]byte("Oops! Something went wrong handling your language. Please file a bug at https://i2pgit.org/idk/reseed-tools\n\t" + err.Error()))
+		}
+		var f []byte
+		for _, file := range files {
+			if !strings.HasSuffix(file.Name(), ".md") {
+				return
+			}
+			trimmedName := strings.TrimSuffix(file.Name(), ".md")
+			path := filepath.Join(dir, file.Name())
+			b, err := ioutil.ReadFile(path)
+			if err != nil {
+				w.Write([]byte("Oops! Something went wrong handling your language. Please file a bug at https://i2pgit.org/idk/reseed-tools\n\t" + err.Error()))
+				return
+			}
+			f = append(f, []byte(`<div id="`+trimmedName+`">`)...)
+			f = append(f, []byte(md.RenderToString(b))...)
+			f = append(f, []byte(`</div>`)...)
+
+		}
+		CachedLanguagePages[dirPath] = string(f)
+		w.Write([]byte(CachedLanguagePages[dirPath]))
+	} else {
+		w.Write([]byte(CachedLanguagePages[dirPath]))
+	}
+}

reseed/server.go

@@ -3,6 +3,7 @@ package reseed
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
 	"crypto/tls"
 	"io"
 	"log"
@@ -20,8 +21,8 @@ import (
 	"github.com/libp2p/go-libp2p-core/host"
 	gostream "github.com/libp2p/go-libp2p-gostream"
 	p2phttp "github.com/libp2p/go-libp2p-http"
-	"github.com/throttled/throttled"
-	"github.com/throttled/throttled/store"
+	throttled "github.com/throttled/throttled/v2"
+	"github.com/throttled/throttled/v2/store"
 )
 
 const (
@@ -34,9 +35,10 @@ type Server struct {
 	I2PSession    *sam3.StreamSession
 	I2PListener   *sam3.StreamListener
 	I2PKeys       i2pkeys.I2PKeys
-	Reseeder      Reseeder
+	Reseeder      *ReseederImpl
 	Blacklist     *Blacklist
 	OnionListener *tor.OnionService
+	acceptables   map[string]time.Time
 }
 
 func NewServer(prefix string, trustProxy bool) *Server {
@@ -65,6 +67,7 @@ func NewServer(prefix string, trustProxy bool) *Server {
 	server := Server{Server: h, Reseeder: nil}
 
 	th := throttled.RateLimit(throttled.PerHour(4), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))
+	thw := throttled.RateLimit(throttled.PerHour(30), &throttled.VaryBy{RemoteAddr: true}, store.NewMemStore(200000))
 
 	middlewareChain := alice.New()
 	if trustProxy {
@@ -79,13 +82,85 @@ func NewServer(prefix string, trustProxy bool) *Server {
 	})
 
 	mux := http.NewServeMux()
-	mux.Handle("/", middlewareChain.Append(disableKeepAliveMiddleware, loggingMiddleware).Then(errorHandler))
+	mux.Handle("/", middlewareChain.Append(disableKeepAliveMiddleware, loggingMiddleware, thw.Throttle, server.browsingMiddleware).Then(errorHandler))
 	mux.Handle(prefix+"/i2pseeds.su3", middlewareChain.Append(disableKeepAliveMiddleware, loggingMiddleware, verifyMiddleware, th.Throttle).Then(http.HandlerFunc(server.reseedHandler)))
 	server.Handler = mux
 
 	return &server
 }
 
+// See use of crypto/rand on:
+// https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-go
+const (
+	letterBytes   = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" // 52 possibilities
+	letterIdxBits = 6                                                      // 6 bits to represent 64 possibilities / indexes
+	letterIdxMask = 1<<letterIdxBits - 1                                   // All 1-bits, as many as letterIdxBits
+)
+
+func SecureRandomAlphaString() string {
+	length := 16
+	result := make([]byte, length)
+	bufferSize := int(float64(length) * 1.3)
+	for i, j, randomBytes := 0, 0, []byte{}; i < length; j++ {
+		if j%bufferSize == 0 {
+			randomBytes = SecureRandomBytes(bufferSize)
+		}
+		if idx := int(randomBytes[j%length] & letterIdxMask); idx < len(letterBytes) {
+			result[i] = letterBytes[idx]
+			i++
+		}
+	}
+	return string(result)
+}
+
+// SecureRandomBytes returns the requested number of bytes using crypto/rand
+func SecureRandomBytes(length int) []byte {
+	var randomBytes = make([]byte, length)
+	_, err := rand.Read(randomBytes)
+	if err != nil {
+		log.Fatal("Unable to generate random bytes")
+	}
+	return randomBytes
+}
+
+//
+
+func (srv *Server) Acceptable() string {
+	if srv.acceptables == nil {
+		srv.acceptables = make(map[string]time.Time)
+	}
+	if len(srv.acceptables) > 50 {
+		for val := range srv.acceptables {
+			srv.CheckAcceptable(val)
+		}
+		for val := range srv.acceptables {
+			if len(srv.acceptables) < 50 {
+				break
+			}
+			delete(srv.acceptables, val)
+		}
+	}
+	acceptme := SecureRandomAlphaString()
+	srv.acceptables[acceptme] = time.Now()
+	return acceptme
+}
+
+func (srv *Server) CheckAcceptable(val string) bool {
+	if srv.acceptables == nil {
+		srv.acceptables = make(map[string]time.Time)
+	}
+	if timeout, ok := srv.acceptables[val]; ok {
+		checktime := time.Now().Sub(timeout)
+		if checktime > (4 * time.Minute) {
+			delete(srv.acceptables, val)
+			return false
+		}
+		delete(srv.acceptables, val)
+		return true
+	}
+	return false
+}
+
 func (srv *Server) ListenAndServe() error {
 	addr := srv.Addr
 	if addr == "" {
@@ -245,7 +320,7 @@ func (srv *Server) ListenAndServeI2P(samaddr string, I2PKeys i2pkeys.I2PKeys) er
 	if err != nil {
 		return err
 	}
-	log.Printf("I2P server started on http://%v.onion\n", srv.OnionListener.ID)
+	log.Printf("I2P server started on http://%v.b32.i2p\n", srv.I2PListener.Addr().(i2pkeys.I2PAddr).Base32())
 	return srv.Serve(srv.I2PListener)
 }
 
@@ -291,6 +366,20 @@ func loggingMiddleware(next http.Handler) http.Handler {
 	return handlers.CombinedLoggingHandler(os.Stdout, next)
 }
 
+func (srv *Server) browsingMiddleware(next http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		if srv.CheckAcceptable(r.FormValue("onetime")) {
+			srv.reseedHandler(w, r)
+		}
+		if i2pUserAgent != r.UserAgent() {
+			srv.HandleARealBrowser(w, r)
+			return
+		}
+		next.ServeHTTP(w, r)
+	}
+	return http.HandlerFunc(fn)
+}
+
 func verifyMiddleware(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		if i2pUserAgent != r.UserAgent() {

reseed/service.go

@@ -15,7 +15,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/MDrollette/i2p-tools/su3"
+	"i2pgit.org/idk/reseed-tools/su3"
 )
 
 type routerInfo struct {
@@ -33,13 +33,13 @@ func (p Peer) Hash() int {
 	return int(crc32.ChecksumIEEE(c))
 }
 
-type Reseeder interface {
+/*type Reseeder interface {
 	// get an su3 file (bytes) for a peer
 	PeerSu3Bytes(peer Peer) ([]byte, error)
-}
+}*/
 
 type ReseederImpl struct {
-	netdb NetDbProvider
+	netdb *LocalNetDbImpl
 	su3s  chan [][]byte
 
 	SigningKey      *rsa.PrivateKey
@@ -49,7 +49,7 @@ type ReseederImpl struct {
 	NumSu3          int
 }
 
-func NewReseeder(netdb NetDbProvider) *ReseederImpl {
+func NewReseeder(netdb *LocalNetDbImpl) *ReseederImpl {
 	return &ReseederImpl{
 		netdb:           netdb,
 		su3s:            make(chan [][]byte),
@@ -224,10 +224,10 @@ func (rs *ReseederImpl) createSu3(seeds []routerInfo) (*su3.File, error) {
 	return su3File, nil
 }
 
-type NetDbProvider interface {
+/*type NetDbProvider interface {
 	// Get all router infos
 	RouterInfos() ([]routerInfo, error)
-}
+}*/
 
 type LocalNetDbImpl struct {
 	Path string