dircproxy: Detachable IRC Proxy Server
-------------------------------------

----------------------------------------------
WARNING : 1.2.0-RC1 is currently unstable
----------------------------------------------

dircproxy is an IRC proxy server ("bouncer") designed for people
who use IRC from lots of different workstations or clients, but wish
to remain connected and see what they missed while they were away.
You connect to IRC through dircproxy, and it keeps you connected to
the server, even after you detach your client from it.  While you're
detached, it logs channel and private messages as well as important
events, and when you re-attach it'll let you know what you missed.

This can be used to give you roughly the same functionality as
using ircII and screen together, except you can use whatever IRC
client you like, including X ones!


Features
========

 o Runs on console, as a daemon or from inetd.
 o Able to proxy many simultaneous users and IRC connections.
 o Uses IRC server passwords to authenticate.
 o Remains connected to server when you detach.  To reattach you just
   use the IRC server password again, no special commands!
 o Completely non-blocking throughout.
 o Can connect to servers that also require a password.
 o Can have a list of servers on the same network to connect to, it
   will cycle this list.
 o Throttles data sent to server to ensure you are never flooded
   off.
 o Can check servers to make sure they don't become "stoned".
 o Reconnects to servers if connection is dropped.
 o Can automatically join channels for you on first attach.
 o Rejoins channels if you are kicked off.
 o Can leave channels when you detach and rejoin when you come back.
 o Can take measures to ensure you don't appear "idle" on IRC.
 o Drop's unwanted user modes when you detached, if you forget to
   de-opper yourself.
 o Will refuse to connect to servers that set certain modes
   such as +r.
 o Can bind to any IP on your host to change your appearance on IRC.
 o Can change what username is presented on IRC without affecting
   other users its proxying for.
 o Can send a message to all channels to indicate when you detach
   and reattach.
 o Can change your nickname when you detach.
 o Sets you /AWAY when you detach, if you forget to do so.
 o Fully configurable logging support so when you reattach you
   can see what you missed.
 o Can limit the size of log files to avoid eating diskspace.
 o Log text recalled to your client is sent so your client sees
   it as ordinary IRC text.
 o Can timestamp text in log files so you know when it was sent,
   also can adjust the timestamp you see depending on how long ago
   it was sent.
 o Can make permanent log files for your own use of everything
   on channels or all private messages.
 o Can pass log text to a program of your choice (to send you
   an SMS for example).
 o Can adjust log timestamps depending on timezone difference
   between you and dircproxy.
 o Can proxy DCC chat and sends through itself.
 o Can capture DCC sends and store them on the dircproxy machine
   while you're detached, and even while you're attached.
 o Captured DCC sends can be made subject to a size limit and have
   the sender's nickname included in the filename.
 o Can tunnel DCC sends and chats through ssh tunnels.
   See the included README.dcc-via-ssh for more information.
 o Customisable message of the day for users which can include
   stats about log file sizes.
 o /DIRCPROXY command interface for users to do extra things with
   the proxy.  Fully documented through /DIRCPROXY HELP command, and
   the admin can enable and disable any command on
   a user-by-user basis.
 o Host and password based security.
 o Easy to configure and get running.

All of dircproxy's features are completely configurable and can be
enabled, disabled and adjusted through the configuration file.


Installation
============

See the file INSTALL for building and installation instructions.


Running dircproxy
=================


Once you have installed and configured dircproxy, you can run it
from the console.  It will automatically enter the background
(unless you supply the '-D' parameter) and begin listening for
incoming connections.

You should not need to modify your IRC client or add any
special scripts to support dircproxy.  Authentication is done
using the standard IRC server password, your IRC client should
support this. If you're not sure, try something like '/server
localhost:57000:password' from your IRC client's console.

Connect to it with your IRC client, supplying the same password as
you set in the config file, dircproxy will then connect to the IRC
server for you and begin proxying your session.

When you detach, dircproxy will remain running and remain connected
to the IRC server, logging any channel or private messages for you
until your return.

To re-attach, just connect with your IRC client, again supplying
the password.  dircproxy will see you have left a session running and
re-attach you to that instead of creating a new one.  Messages you
missed while you were away will be sent to you in such a way that
they will fill your IRC windows as if they'd just arrived.


You can also run dircproxy from inetd if you wish, although their
are very few reasons to do this.  See the file README.inetd for
more information on this feature.


Adjusting the Proxy
===================

While you are connected to the proxy you may perform a number of
actions to adjust your proxy session using the '/dircproxy' command.
For example, to end your proxy session, disconnecting you from the
server, use '/dircproxy quit'.  For more information on what other
commands are available, see '/dircproxy help'.


More Information
================

The dircproxy home page is at:

	http://code.google.com/p/dircproxy/


Please submit bug reports at:

	http://code.google.com/p/dircproxy/issues/entry

Also join us on the #dircproxy IRC channel on irc.freenode.org


dircproxy is distributed according to the GNU General Public License.
See the file COPYING for details.


Copyright (C) 2000-2003 Scott James Remnant <scott at netsplit dot com>

Copyright (C) 2004-2008 Francois Harvey <contact at francoisharvey dot ca>

Copyright (C) 2008-2009 Noel Shrum <noel dot w8tvi at gmail dot com>
                        Francois Harvey <contact at francoisharvey dot ca>

Tunneling DCC over ssh using dircproxy
---------------------------------------

WARNING, THIS IS NOT EASY TO DO.
Don't read any further unless you are a fully qualified UNIX guru,
complete with the long hair and sandals.


Why do this?
============

DCC chats and sends will not work if your desktop is behind a
firewall if that firewall prevents you from freely accessing the
Internet, or prevents people from connecting to you.

There are normal three ways around this.

 o Placing rules in the firewall that allow certain ports such as IRC
   through, and using the `dcc_proxy_ports` config option to limit
   dircproxy's port range to that which you've allowed.

   You probably don't have that kind of access to the firewall though,
   or wouldn't be allowed to if you did.

 o Install dircproxy on the firewall itself, so it can freely proxy
   between both networks without being affected by the rules on the
   firewall.

   Again, you probably don't have that kind of access.  Its also not
   good practice anyway.

 o Piggy back your IRC traffic on something that the firewall does
   let through.

   Most firewalls let ssh traffic through, at least in the out-bound
   direction, and that's perfect.  This is what this file tells you
   how to do.


What do I need?
===============

For this to work, the firewall must allow ssh traffic through
and must allow connections to be made from inside the firewall
to outside.  It probably does, or you can probably persuade the
firewall admin to let ssh through, its secure after all.


You will also need two UNIX machines, one inside the firewall and
one outside.

The inside one must have dircproxy installed and ssh installed.
The best choice is probably your desktop if that runs UNIX.
(You *could* use a Windows machine if you can get dircproxy to
compile on it and use something like SecureCRT of F-Secure SSH to
do the tunnels).

The outside machine must also have dircproxy installed, and must
have the ssh daemon (sshd) installed and running.


Setting up the Tunnels
======================

You'll need three different tunnels across the firewall from
the machine inside to the machine outside.  One to forward the
IRC connection itself, and a further two for DCC traffic, one
for incoming and one for outgoing.  You can do this with one ssh
command, specifying all three tunnels at the same time.  (Replace
'outside.firewall' with the hostname of the machine outside).

	$ ssh -L 57010:localhost:57000 \
	      -L 57110:localhost:57100 \
	      -R 57110:localhost:57100 outside.firewall

This will actually start a shell on the remote machine.  Exiting from
it will end the tunnels.  For safety you may want to run this under
screen or something (if you've got that), as it doesn't run in the
background either.  Its perfectly safe to close the tunnels while you
are detatched though - so you could put these in a shell script or
something instead and just run that when you want to attach.


Configuring dircproxy on the Outside machine
============================================

This will be the master dircproxy, connecting to the IRC server
itself and doing all the normal things such as logging etc.
Configure it as you normally would, except for the following two
options which need to be set as shown.

	dcc_proxy_ports 57100
	dcc_tunnel_outgoing 57110

This tells dircproxy to listen for DCC connections on port 57100,
which is pointed to by a tunnel, and that all outgoing DCCs from you
(which require a connection to you) should be sent through the tunnel
on port 57110.

This dircproxy is probably best run as a daemon (i.e. normally).


Configuring dircproxy on the Inside machine
===========================================

This dircproxy will be a simple slave, forwarding to the one outside
without doing anything clever.  The configuration file should be left
untouched, only add a connection class, which should look like this.

	connection {
		password "encpass"
		server "localhost:57010:pass"

		disconnect_on_detach yes

		dcc_proxy_ports 57100
		dcc_tunnel_incoming 57110
	}

Replace "encpass" with an encrypted password that should match
that you configure the IRC client with, and replace "pass" with
the unencrypted version of whatever you set the password to on the
dircproxy outside the firewall.

This tells dircproxy that incoming DCC requests to you (which require
you to connect to the remote server) should be sent through the tunnel
on port 57110.

You can run this dircproxy as a daemon or from inetd, whichever
suits you best.


Using dircproxy now
===================

Connect your IRC client to the dircproxy inside the firewall.
This will then connect through the tunnels to the dircproxy outside
the firewall which will connect to the IRC server for you.

When you detach your IRC client, the dircproxy inside the firewall
will disconnect from the one on the outside.  This means you can
also exit the ssh session running the tunnels (thereby closing them).
When you want to reconnect, just start up the tunnels and dircproxy
again before you do (having left the one outside well alone).  This
means that if you are using your desktop, you can still switch it off
over night etc without worrying about loosing your IRC link.

Small note: Because you can only use one listening port, you will only
be able to have one queued DCC request at a time.  Others will be
rejected until the outstanding request either times out or is
accepted by you.

Another worthy note is that when using tunnels, you will see two sets
of messages from dircproxy informing you of its connections to remote
peers.  The first set is the link between the two proxies being
established, the second set is the link being established to the
remote peer itself.  This is normal and nothing to worry about.


Copyright (C) 2000-2003 Scott James Remnant <scott at netsplit dot com>

Copyright (C) 2004-2008 Francois Harvey <contact at francoisharvey dot ca>

Copyright (C) 2008-2009 Noel Shrum <noel dot w8tvi at gmail dot com>
                        Francois Harvey <contact at francoisharvey dot ca>

Running dircproxy from inetd
----------------------------

If you are so inclined, you can run dircproxy from the standard
UNIX inetd daemon.  This means you can do things like wrap it with
tcpd etc and add all your own perverse security restrictions on top.
However you loose the automatic ability to detach and reattach to
your session, which makes it slightly more inconvenient to use.


To run from inetd add a line to /etc/services for the port you
want to listen on, and give it a service name of "dircproxy".
This is actually good practice anyway.

dircproxy	57000/tcp		# Detachable IRC Proxy


Now add a line to /etc/inetd.conf for dircproxy.  You'll need to
decide a username to run dircproxy as, "nobody" will probably do,
don't run dircproxy as "root" unless you plan to use the
"switch_user" configuration directive!  Also change the PATH/TO
to point to where you installed dircproxy.  The -I parameter tells
it its running from inetd.  You can specify any other options here,
such as to specify the configuration file (dircproxy will only
check the system-wide configuration file when running under inetd).

dircproxy  stream  tcp  nowait  USERNAME  /PATH/TO/dircproxy  dircproxy -I


You can connect to it as normal, however when you disconnect you will
be disconnected from IRC too, and won't be able to reattach to your
session.  To keep your session connected use the /DIRCPROXY PERSIT
command.  This will tell you which port you can reconnect to your
session at.


Copyright (C) 2000-2003 Scott James Remnant <scott at netsplit dot com>

Copyright (C) 2004-2008 Francois Harvey <contact at francoisharvey dot ca>

Copyright (C) 2008-2009 Noel Shrum <noel dot w8tvi at gmail dot com>
                        Francois Harvey <contact at francoisharvey dot ca>

NO SSL IN 1.2.X RELEASE

SSL IS PLANNED IN 1.3.X RELEASE


--------------------------
[ Using SSL with dircproxy ]
 --------------------------

* DISCLAIMER :
*
* THIS IS AN UNSTABLE DEVELOPMENT RELEASE OF DIRCPROXY.  IT HAS HIGHER
* THAN USUAL RISK OF DESTROYING YOUR SYSTEM OR LOSING YOUR DATA OR
* CORRUPTING YOUR BOX.
*
* DO NOT USE IT IF YOU DO NOT ACCEPT THE RISKS
*
* RESPONSABILITY OF DIRCPROXY STAFF COULD NOT BE ENGAGED IN ANY CASE


What has changed in this branch
===============================

This branch adds SSL support for both client-side and server-side.
Both features may be used independently.

  o Client-side : dircproxy connects to SSL-enabled servers, allowing
    you to identify the IRC server you are connecting to, eventually
    identifying yourself to the server  and securing communications with
    a crypted socket.
  o Server-side : dircproxy offers SSL services, allowing you to identify
    the dircproxy server you are connecting to, eventually identifying
    yourself to the server and securing communications with a crypted socket.

These changes are useful for people worried about their talk privacy.

What has been done
==================

- Client-side :
  o Connecting to any SSL-enabled server, using the "server_ssl" var in
  config-file

- Server-side :
  o Presenting the certificate to any client and allow any client to connect

What needs to be done
=====================

[P] = Priority   [E] = Enhancement

- Client-side :
  o [E] Checking the certificate validity (date, server name, fingerprint)
  o [E] Allow users to manually validate certificate
  o [E] Allow dircproxy to present a certificate to identify user on server

- Server-side :
  o [P] dircproxy hangs when SSL is enabled and client connects without
        SSL (due to "while(SSL_accept(p->cliSSL.ssl) != 1);" in irc_net.c on
        line 235, need to find a smarter way to handle this)
  o [E] Allow user to present a certificate to identify user on server

How to use dircproxy-SSL
========================

- Client-side : Add 'server_ssl yes' (without quotes) to your config file
  and dircproxy will connect to server using a SSL socket

- Server-side : Add 'pk_file "/path/to/privkey.pem"' and
  'cert_file "/path/to/cacert.pem"' (both without simple quotes) and
  dircproxy will present the certificate to connecting users.

To generate a test certificate with OpenSSL (http://www.openssl.org/),
generate a private key with "openssl genrsa -out privkey.pem 2048" then
generate a self-signed certificate
"openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095"

* BEWARE NOT TO USE SELF-SIGNED CERTIFICATE IN PRODUCTION ENVIRONMENT *


More Information
================

The dircproxy home page is at:
  http://code.google.com/p/dircproxy/

Please submit bug reports at:
  http://code.google.com/p/dircproxy/issues/list

Also join us on the #dircproxy IRC channel on irc.freenode.net.

dircproxy is distributed according to the GNU General Public License.
See the file COPYING for details.


Copyright (C) 2000-2003 Scott James Remnant <scott at netsplit dot com>

Copyright (C) 2004-2008 Francois Harvey <contact at francoisharvey dot ca>

Copyright (C) 2008-2009 Noel Shrum <noel dot w8tvi at gmail dot com>
                        Francois Harvey <contact at francoisharvey dot ca>