Signal-TLS-Proxy without Docker

Install Signal-TLS-Proxy without Docker

(inspired by https://github.com/RainmakerRaw/Signal_TLS_Proxy_BSD/tree/main)

This guide was tested on Debian 12.6. It assumes the upstream repository (https://github.com/signalapp/Signal-TLS-Proxy) has already been cloned to /root/Signal-TLS-Proxy and that every step below is run as root from that directory.

cd /root/Signal-TLS-Proxy
  • install certbot
apt-get install certbot
  • make backup of certs script
cp init-certificate.sh init-certificate.sh-ORIG
  • replace the contents of init-certificate.sh with the following (the original expects Docker; this version calls the system certbot directly)
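#!/bin/bash
#
# init-certificate.sh — obtain a Let's Encrypt certificate for the
# Signal-TLS-Proxy with the system certbot (no Docker) and point
# /etc/letsencrypt/active at the issued lineage.
#
# Run as root. certbot --standalone answers the HTTP-01 challenge itself,
# so TCP port 80 must be free and reachable from the internet while this
# runs. The domain name(s) are read from stdin; if several are entered
# (space-separated) each one is passed with -d and the first one names the
# lineage directory under /etc/letsencrypt/live/.
#
set -euo pipefail

data_path="./data/certbot"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Download $1 to $2 over HTTPS only. A failed transfer (HTTP error, TLS
# failure, redirect off HTTPS) removes the partial file so a re-run does
# not mistake it for a good download.
fetch() {
  local url=$1 dest=$2
  if ! curl -fsS --proto '=https' -o "$dest" -- "$url"; then
    rm -f -- "$dest"
    die "Download of $url failed."
  fi
}

# -r keeps backslashes literal; -a splits the answer into an array so more
# than one domain can be handed to certbot without word-splitting surprises.
read -r -p "Enter domain name (eg. www.example.com): " -a domains
[[ ${#domains[@]} -gt 0 ]] || die "No domain given."

if [[ -d "$data_path" ]]; then
  read -r -p "Existing data found. Continue and replace existing certificate? (y/N) " decision
  # Anything other than y/Y aborts; declining is not an error.
  [[ "$decision" == [Yy] ]] || exit 0
fi

# Carried over from the upstream (Docker) script. NOTE(review): the nginx.conf
# in this guide references only fullchain.pem/privkey.pem, so these two files
# are not used by it; they are also pulled from an unpinned branch, so review
# their contents before including them in any server configuration.
if [[ ! -e "$data_path/conf/options-ssl-nginx.conf" || ! -e "$data_path/conf/ssl-dhparams.pem" ]]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$data_path/conf"
  fetch https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf \
    "$data_path/conf/options-ssl-nginx.conf"
  fetch https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem \
    "$data_path/conf/ssl-dhparams.pem"
  echo
fi

echo "### Requesting Let's Encrypt certificate for ${domains[*]} ..."
# One "-d name" pair per domain, kept as array elements (never a
# concatenated string) so names are passed to certbot exactly as entered.
domain_args=()
for domain in "${domains[@]}"; do
  domain_args+=(-d "$domain")
done

# --register-unsafely-without-email: Let's Encrypt will send no expiry or
# revocation notices for this account; renewal relies entirely on the local
# certbot timer. --force-renewal: always issue, even if a valid cert exists.
# Under set -e a certbot failure stops the script before the symlink below.
certbot certonly --standalone \
    --register-unsafely-without-email \
    "${domain_args[@]}" \
    --agree-tos \
    --force-renewal

# certbot names the lineage after the first -d domain. -n (--no-dereference)
# replaces the symlink itself on re-runs; without it, an existing
# /etc/letsencrypt/active that points at a directory would get a new link
# created *inside* that directory instead.
ln -sfn "/etc/letsencrypt/live/${domains[0]}" /etc/letsencrypt/active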
  • run the certificate script as root to obtain the certificate (certbot's standalone mode needs TCP port 80 free and reachable from the internet for the HTTP-01 challenge; do this before nginx or anything else binds port 80)
bash /root/Signal-TLS-Proxy/init-certificate.sh
  • afterwards, install nginx
apt-get install nginx-full
  • make backup of stock nginx conf
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf-ORIG
  • replace the stock /etc/nginx/nginx.conf with the new one; note the quoted heredoc delimiter ('EOF'), which keeps the shell from expanding the nginx variables $ssl_preread_server_name and $name
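# The delimiter MUST be quoted ('EOF'): $ssl_preread_server_name and $name
# below are nginx variables. With an unquoted EOF bash substitutes them
# (normally with empty strings), leaving "map  {" and "proxy_pass ;" in the
# file, which nginx -t rejects.
cat > /etc/nginx/nginx.conf <<'EOF'
# server_tokens is an http-context directive (http/server/location); nginx
# rejects it in the main context with "directive is not allowed here", and
# this file has no http block for it to apply to, so it is intentionally
# omitted. The stream proxy below never emits HTTP headers of its own.
load_module /usr/lib/nginx/modules/ngx_stream_module.so;
user  www-data;
worker_processes auto;

events {
    worker_connections  1024;
    }

stream {
    # Route the client's inner TLS connection by its SNI to the matching
    # Signal backend. Any other name goes to "deny", an upstream on a local
    # port nothing should be listening on, so the connection is dropped.
    map $ssl_preread_server_name $name {
        chat.signal.org                         signal-service;
        ud-chat.signal.org                      signal-service;
        storage.signal.org                      storage-service;
        cdn.signal.org                          signal-cdn;
        cdn2.signal.org                         signal-cdn2;
        cdn3.signal.org                         signal-cdn3;
        cdsi.signal.org                         cdsi;
        contentproxy.signal.org                 content-proxy;
        sfu.voip.signal.org                     sfu;
        svr2.signal.org                         svr2;
        updates.signal.org                      updates;
        updates2.signal.org                     updates2;
        backend1.svr3.signal.org                svr31;
        backend2.svr3.signal.org                svr32;
        backend3.svr3.signal.org                svr33;
        default                                 deny;
    }

    upstream signal-service {
         server chat.signal.org:443;
    }

    upstream storage-service {
        server storage.signal.org:443;
    }

    upstream signal-cdn {
        server cdn.signal.org:443;
    }

    upstream signal-cdn2 {
        server cdn2.signal.org:443;
    }

    upstream signal-cdn3 {
        server cdn3.signal.org:443;
    }

    upstream cdsi {
        server cdsi.signal.org:443;
    }

    upstream content-proxy {
        server contentproxy.signal.org:443;
    }

    upstream sfu {
        server sfu.voip.signal.org:443;
    }

    upstream svr2 {
        server svr2.signal.org:443;
    }

    upstream svr31 {
        server backend1.svr3.signal.org:443;
    }

    upstream svr32 {
        server backend2.svr3.signal.org:443;
    }

    upstream svr33 {
        server backend3.svr3.signal.org:443;
    }

    upstream updates {
        server updates.signal.org:443;
    }

    upstream updates2 {
        server updates2.signal.org:443;
    }

    # Sink for unknown SNI names (see the map above).
    upstream deny {
        server 127.0.0.1:9;
    }

    # Hands the decrypted outer-TLS stream to the SNI router on 4433.
    upstream relay {
         server 127.0.0.1:4433;
    }

    # Outer TLS: terminates the proxy's own certificate (the DOMAIN below is
    # the name given to certbot) and forwards the payload to the relay.
    # Logging is disabled on purpose so no client metadata is retained.
    server {
        listen                443 ssl;
        proxy_pass            relay;

        access_log            off;
        error_log             /dev/null;

        ssl_certificate     /etc/letsencrypt/live/DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem;
     }

    # Inner stream: peek at the client's TLS ClientHello (not terminated
    # here) and forward it, still encrypted end-to-end, to the upstream
    # selected by the map.
    server {
        listen                4433;
        proxy_pass            $name;
        ssl_preread           on;
        error_log             /dev/null;
        access_log            off;
     }
}
EOF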
  • replace the two occurrences of DOMAIN (the `ssl_certificate` and `ssl_certificate_key` lines) with the first domain you entered when you ran the certbot script at the beginning
  • check nginx's config
nginx -t
  • `nginx -t` must report that the syntax is ok and the test is successful; then `systemctl restart nginx`. Note that a later `certbot renew` (run by the certbot package's renewal timer) writes a new certificate to /etc/letsencrypt/live/DOMAIN/ but does not reload nginx, which keeps serving the certificate it loaded at start; have certbot reload nginx after each renewal, e.g. with `--deploy-hook 'systemctl reload nginx'`, or the proxy will eventually present an expired certificate.
  • if everything works, you can test it by pointing a Signal app to your new proxy.

If there are new releases/changes in Signal-TLS-Proxy, check the file https://github.com/signalapp/Signal-TLS-Proxy/blob/main/data/nginx-relay/nginx.conf for changes and update the `stream` section of the nginx config above accordingly (the list of Signal hostnames in the `map` and `upstream` blocks is the part most likely to change).
