wireproxy/systemd/README.md
J. Dekker 4f066d050a
systemd: tight sandboxing (#103)
wireproxy needs very few permissions, so we can restrict it to basically
nothing. DynamicUser means the system will generate a UID on demand
for the service; CAP_NET_BIND_SERVICE can also be used to allow this user
to bind to a port < 1024 if desired. LoadCredential also lets us read
a file with tight permissions, i.e. root:root 0400, and pass it only to
wireproxy in an ephemeral and constrained manner.

Signed-off-by: J. Dekker <jdek@itanimul.li>
2024-03-18 16:42:03 +00:00


Running wireproxy with systemd

If you're on a systemd-based distro, you'll most likely want to run Wireproxy as a systemd unit.

The provided systemd unit assumes the wireproxy executable is installed at /opt/wireproxy/wireproxy and the configuration file at /etc/wireproxy.conf. Both paths can be changed by editing the unit file.

Setting up the unit

  1. Copy the wireproxy.service file from this directory to /etc/systemd/system/, or download it with cURL. The destination has to be written as root, so give the output path to curl with -o instead of a shell redirect: a redirect such as sudo curl ... > /etc/systemd/system/wireproxy.service is opened by your unprivileged shell, not by sudo, and fails with permission denied.

    sudo curl -fsSL -o /etc/systemd/system/wireproxy.service https://raw.githubusercontent.com/pufferffish/wireproxy/master/systemd/wireproxy.service
    
  2. If necessary, customize the unit.

    Edit the LoadCredential=, ExecStartPre= and ExecStart= lines so they point to your executable and configuration file. For example, if wireproxy is installed in /usr/bin and the configuration file is /opt/myfiles/wireproxy.conf, change them to:

    LoadCredential=conf:/opt/myfiles/wireproxy.conf
    ExecStartPre=/usr/bin/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
    ExecStart=/usr/bin/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
    
  3. Reload systemd and enable the unit.

    sudo systemctl daemon-reload
    sudo systemctl enable --now wireproxy.service
    
  4. Make sure it's working correctly.

    Finally, check the unit status to confirm that wireproxy.service started without problems, using systemctl status wireproxy.service and/or sudo journalctl -u wireproxy.service.
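For reference, this is what a unit built along the lines the commit message describes looks like once the steps above are put together. It is an added example, not the project's own wireproxy.service and not taken from the original page: it assumes the default paths from above, and only DynamicUser=, LoadCredential= and CAP_NET_BIND_SERVICE come from the commit message. The remaining hardening directives are this editor's assumptions about what a Go userspace proxy needs and should be checked against your own configuration.

```ini
# Example hardened unit (illustrative, not the project's shipped file).
# Assumes /opt/wireproxy/wireproxy and /etc/wireproxy.conf as in the README.
[Unit]
Description=wireproxy (userspace WireGuard proxy)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple

# Ephemeral UID/GID allocated at start and discarded at stop. Nothing on
# disk is owned by this user, so nothing persists if the process is compromised.
DynamicUser=yes

# The config (with the WireGuard private key) stays root:root 0400 on disk.
# systemd copies it into a per-service directory exposed as
# $CREDENTIALS_DIRECTORY that only this service can read.
LoadCredential=conf:/etc/wireproxy.conf
ExecStartPre=/opt/wireproxy/wireproxy -n -c ${CREDENTIALS_DIRECTORY}/conf
ExecStart=/opt/wireproxy/wireproxy -c ${CREDENTIALS_DIRECTORY}/conf
Restart=on-failure

# Only needed if a listener in the config binds a port below 1024;
# drop both lines otherwise so the bounding set is empty.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Assumed additional sandboxing (not from the commit message). Verify with
# systemd-analyze security wireproxy.service after editing.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# AF_UNIX is kept for the Go runtime/resolver; AF_INET/AF_INET6 for the
# WireGuard UDP socket and the proxy listeners.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

After installing a unit like this, tighten the config itself (sudo chown root:root /etc/wireproxy.conf && sudo chmod 0400 /etc/wireproxy.conf), run sudo systemd-analyze verify /etc/systemd/system/wireproxy.service to catch typos, and compare the exposure score from systemd-analyze security wireproxy.service before and after. If the service fails to start after adding the assumed directives, journalctl -u wireproxy.service will usually show which restriction (a blocked syscall, an address family, or a port below 1024 without the capability) is responsible; relax only that one.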

Additional notes

If you want to disable the extensive logging done by Wireproxy, add the -s flag to ExecStart=. This enables the silent mode implemented in pull/67.