path: root/README.md



# Installing

Make sure you have the following dependencies:

Python3 Modules:
random, threading, time, hashlib, json, zlib, base64, mysql.connector, syslog

You need Python 3.6, other versions were not tested and may not work at all.
You'll also need a local instance of MySQL running. MariaDB should also work.

mysql.connector can be installed with `pip3 install mysql-connector`.

The websocket library is available [here](https://pypi.org/project/simple-websocket-server/) and **comes pre-installed**, no need to use pip.

## Before all

Create a database, SQL User and SQL Password, granting all rights to it.
Remember to configure pass.json accordingly.

Then, execute `main.sql` against the newly created SQL Database.
It's installed now.

### Alternative
You can also run this command to prepare MySQL for you. You need to have mysql
installed to run this command!

```sh
make initdb
```

Do note it'll try to create "username", identified by "password", owner of
"database" in your SQL, and it might mess up badly, but should do for a test.

## Other things you'll need

You need a file called salt.txt, with 1~5 random alphanumeric characters.
If you used `make initdb`, this file was created to you with a random 0~999 number.
You probably should change it, but it is fine as long as it can't be guessed.

If you plan in support SSL, you will need a pair of files: key.pem and certificate.pem
`make initdb` will make these files for you; But if you don't want to support SSL,
update the relevant setting on server.py file.

Remember: Clients may attempt SSL connection if they can download certificate.pem!

# Running the server
Simply run server.py and vóila.

Spheres Server will be running on port provided by pass.json
Remember to configure server.py if you plan on running this outside localhost.

# Securing the server

You should, besides changing default sql user/password combination, use Fail2Ban.
Fail2Ban will block harmful clients which could otherwise DoS your server.

See also their official website: https://www.fail2ban.org

The server will read (one IP per line) the files called Z-Line, G-Line and K-Line
in this order during startup, and won't read them again at runtime.
They will issue "bans", which causes connection to be dropped right after being
established with status 1011.

It is advised dropping IPs at Z-Line on a firewall level, but that is not done
automatically, nor are the files distinguished among themselves.

You can, for example, download a
[Tor Exit Nodes List](https://check.torproject.org/torbulkexitlist?ip=1.1.1.1)
and auto-fill one of the three files, while still keeping two ban lists for your
own management.

# The client
The client should work out-of-the-box, but a few concerns are to be made.

1. Only localhost is accepted right now,
2. You must serve several files under localhost:80, eg.
  * version.txt
  * units.json
  * quests.json
3. You must have Update Server running and properly configured,

Remember to run the server along Fail2ban and other technologies.

Client auto-updater is not provided, but is possible.

# The Update Server

The client will request images missing on it to the update server.

It should be served at 443 port of the main host, under the assets/ folder.
HTTPS support is mandatory, but the certificate is not validated.

The user token will also be sent as a GET parameter on every request. While the
update server may safely ignore this parameter, verifying the token allows you to
limit who can download the data to only authenticated users. The benefits of doing
this are still not proven.

If you use Apache or Nginx, remember to disable directory listing.

# Limitations

This software can reliably send 4091 bytes at once. The biggest payload ever
tested was a Lorem Ipsum with about 20,000 bytes, which was delivered correctly.
Even so, we do not advise going past the 4091 bytes.
# Installing

Make sure you have the following dependencies:

Python3 Modules:
random, threading, time, hashlib, json, zlib, base64, mysql.connector, syslog

You need Python 3.6, other versions were not tested and may not work at all.
You'll also need a local instance of MySQL running. MariaDB should also work.

mysql.connector can be installed with `pip3 install mysql-connector`.

The websocket library is available [here](https://pypi.org/project/simple-websocket-server/) and **comes pre-installed**, no need to use pip.

## Before all

Create a database, SQL User and SQL Password, granting all rights to it.
Remember to configure pass.json accordingly.

Then, execute `main.sql` against the newly created SQL Database.
It's installed now.

### Alternative
You can also run this command to prepare MySQL for you. You need to have mysql
installed to run this command!

```sh
make initdb
```

Do note it'll try to create "username", identified by "password", owner of
"database" in your SQL, and it might mess up badly, but should do for a test.

## Other things you'll need

You need a file called salt.txt, with 1~5 random alphanumeric characters.
If you used `make initdb`, this file was created to you with a random 0~999 number.
You probably should change it, but it is fine as long as it can't be guessed.

If you plan in support SSL, you will need a pair of files: key.pem and certificate.pem
`make initdb` will make these files for you; But if you don't want to support SSL,
update the relevant setting on server.py file.

Remember: Clients may attempt SSL connection if they can download certificate.pem!

# Running the server
Simply run server.py and vóila.

Spheres Server will be running on port provided by pass.json
Remember to configure server.py if you plan on running this outside localhost.

# Securing the server

You should, besides changing default sql user/password combination, use Fail2Ban.
Fail2Ban will block harmful clients which could otherwise DoS your server.

See also their official website: https://www.fail2ban.org

The server will read (one IP per line) the files called Z-Line, G-Line and K-Line
in this order during startup, and won't read them again at runtime.
They will issue "bans", which causes connection to be dropped right after being
established with status 1011.

It is advised dropping IPs at Z-Line on a firewall level, but that is not done
automatically, nor are the files distinguished among themselves.

You can, for example, download a
[Tor Exit Nodes List](https://check.torproject.org/torbulkexitlist?ip=1.1.1.1)
and auto-fill one of the three files, while still keeping two ban lists for your
own management.

# The client
The client should work out-of-the-box, but a few concerns are to be made.

1. Only localhost is accepted right now,
2. You must serve several files under localhost:80, eg.
  * version.txt
  * units.json
  * quests.json
3. You must have Update Server running and properly configured,

Remember to run the server along Fail2ban and other technologies.

Client auto-updater is not provided, but is possible.

# The Update Server

The client will request images missing on it to the update server.

It should be served at 443 port of the main host, under the assets/ folder.
HTTPS support is mandatory, but the certificate is not validated.

The user token will also be sent as a GET parameter on every request. While the
update server may safely ignore this parameter, verifying the token allows you to
limit who can download the data to only authenticated users. The benefits of doing
this are still not proven.

If you use Apache or Nginx, remember to disable directory listing.

# Limitations

This software can reliably send 4091 bytes at once. The biggest payload ever
tested was a Lorem Ipsum with about 20,000 bytes, which was delivered correctly.
Even so, we do not advise going past the 4091 bytes.