summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGab <24553253+gabrix73@users.noreply.github.com>2025-12-02 02:06:43 +0100
committerGitHub <noreply@github.com>2025-12-02 02:06:43 +0100
commit9a4b1b07e7efd4a1d1e74c85ed01cb5496b52108 (patch)
tree35b27a43d3d60649d30d7603d65278aab4312e75
parentea1a0b58c6c5cf9b6ab73796322f2c9cb624afde (diff)
downloadonion-newsreader-9a4b1b07e7efd4a1d1e74c85ed01cb5496b52108.tar.gz
onion-newsreader-9a4b1b07e7efd4a1d1e74c85ed01cb5496b52108.tar.xz
onion-newsreader-9a4b1b07e7efd4a1d1e74c85ed01cb5496b52108.zip
Rename to Onion Newsreader and update features
Updated project name and enhanced security features in README.
-rw-r--r--README.md510
1 files changed, 190 insertions, 320 deletions
diff --git a/README.md b/README.md
index 4f44e27..0a69dcb 100644
--- a/README.md
+++ b/README.md
@@ -1,381 +1,251 @@
-# πŸ§… Secure NNTP Newsreader
+# πŸ§… Onion Newsreader
+
+A minimal, privacy-focused NNTP client that operates entirely within the Tor network.
+
+## Overview
+
+Onion Newsreader is a web-based Usenet client designed for anonymous access. The entire data path stays on Tor - from reading articles to posting replies, no traffic ever touches the clearnet.
+
+```
+β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
+β”‚ Onion Reader │────▢│ m2usenet │────▢│ SMTP Relay β”‚
+β”‚ (.onion) β”‚ β”‚ (.onion) β”‚ β”‚ (.onion) β”‚
+β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
+ β”‚
+ β–Ό
+β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
+β”‚ NNTP Server │◀────│ Mail2News β”‚β—€β”€β”€β”€β”€β”˜
+β”‚ (.onion) β”‚ β”‚ (.onion) β”‚
+β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
+```
+
+## Features
+
+### πŸ§… Full Tor Operation
+- Connects to NNTP servers via SOCKS5 proxy (127.0.0.1:9050)
+- Primary server: Tor hidden service (.onion)
+- Fallback server: Clearnet via Tor exit node
+- All HTTP traffic stays local (127.0.0.1:8080)
+
+### 🧡 Threaded View
+- Articles organized by thread hierarchy
+- Visual indentation with colored borders per depth level
+- Parent-child relationships built from References header
+- Root threads (depth 0) clearly distinguished from replies
+
+### πŸ“ Quote Reply
+- Click Reply on any article to compose a response
+- Automatic quote formatting: `On [date], [author] wrote:`
+- Original message quoted with `>` prefix
+- Signature stripped from quotes
+- Pre-fills newsgroup, subject, and references
+
+### ⭐ Favorite Newsgroups
+- Star any newsgroup for quick access
+- Dedicated Favorites page
+- Persistent storage in `favorites.json`
+- One-click access to post or browse
+
+### πŸ”” Thread Notifications
+- Watch any thread starter for new replies
+- Bell icon on root posts (depth 0) to toggle watching
+- Manual check for new replies across all watched threads
+- Badge shows count of new responses
+- Persistent storage in `watched.json`
+
+### πŸ”— m2usenet Integration
+- Seamless posting via m2usenet gateway
+- Pre-filled fields: newsgroups, subject, references, quoted body
+- Supports hashcash proof-of-work
+- Ed25519 signature for sender verification
+- Cross-origin redirect with all reply data
+
+### πŸ”„ Robust Connectivity
+- Automatic reconnection on Tor circuit changes
+- 3 retry attempts for active file download
+- Extended timeouts for .onion connections (180s)
+- Graceful fallback to secondary server
+- Connection keepalive with periodic checks
+
+### πŸ’Ύ Local Persistence
+- `favorites.json` - Starred newsgroups
+- `watched.json` - Watched threads with notification state
+- No external database required
+- Human-readable JSON format
+
+## Installation
+
+### Requirements
+- Go 1.19+
+- Tor running with SOCKS5 proxy on 127.0.0.1:9050
+
+### Build
-[![Go Version](https://img.shields.io/badge/Go-1.19+-blue.svg)](https://golang.org)
-[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
-[![Security](https://img.shields.io/badge/Security-Hardened-red.svg)](#security-features)
-
-A **privacy-focused**, **security-hardened** NNTP newsreader designed for anonymous Usenet access with integrated posting capabilities via [m2usenet](https://github.com/gabrix73/m2usenet-go).
-
-## πŸ”’ Security Features
-
-- **HTML Escaping**: All user content is properly escaped to prevent XSS attacks
-- **Input Validation**: Strict validation of group names, article numbers, and headers
-- **Connection Isolation**: Each request uses isolated NNTP connections
-- **No Data Persistence**: No logs, cookies, or user data stored on server
-- **Rate Limiting Ready**: Designed for integration with reverse proxy rate limiting
-- **Tor-Friendly**: Optimized for .onion deployment and Tor hidden services
-- **CSRF Protection**: Stateless design prevents cross-site request forgery
-- **Memory Safety**: Go's memory safety prevents buffer overflows and injection attacks
-
-## πŸ“‹ Features
-
-### Core Functionality
-- πŸ“° **Group Browsing**: Browse available newsgroups with article counts
-- πŸ“– **Article Reading**: Read individual articles with proper threading
-- πŸ” **Header Analysis**: Full RFC-compliant header parsing and display
-- πŸ’¬ **Reply Integration**: Seamless integration with m2usenet posting service
-- 🎨 **Responsive Design**: Mobile-friendly interface with dark/light themes
-
-### Advanced Features
-- **Quote Detection**: Automatic styling of quoted text in replies
-- **Signature Handling**: Proper display of message signatures
-- **URL Highlighting**: Safe URL detection without clickable links
-- **Thread Navigation**: Navigate between articles in the same thread
-- **Multi-Group Support**: Handle crossposted articles correctly
-
-## πŸš€ Installation
-
-### Prerequisites
-```bash
-# Debian/Ubuntu
-sudo apt update
-sudo apt install golang-go git
-
-# CentOS/RHEL/Fedora
-sudo dnf install golang git
-
-# Arch Linux
-sudo pacman -S go git
-```
-
-### 1. Clone Repository
```bash
-git clone https://github.com/gabrix73/onion-newsreader.git
-cd newsreader
+CGO_ENABLED=0 go build -o onion-newsreader onion-newsreader.go
```
-### 2. Security-Hardened Compilation
+### Run
-#### Standard Compilation
```bash
-# Basic build
-go build -o newsreader main.go
+./onion-newsreader
```
-#### Production Security Build
-```bash
-# Security-hardened build with all protections
-go build -ldflags="-s -w -extldflags=-static" \
- -a -installsuffix cgo \
- -tags netgo,osusergo \
- -trimpath \
- -buildmode=exe \
- -o newsreader main.go
-
-# Strip additional symbols (optional)
-strip newsreader
-```
-
-#### Build Flags Explained
-- `-ldflags="-s -w"`: Strip debugging info and symbol table
-- `-extldflags=-static`: Static linking for isolated deployment
-- `-a -installsuffix cgo`: Force rebuild of all packages
-- `-tags netgo,osusergo`: Pure Go networking (no C dependencies)
-- `-trimpath`: Remove absolute paths from binary
-- `-buildmode=exe`: Explicit executable mode
-- `strip`: Remove additional symbols for smaller binary
-
-### 3. Configuration
-
-Create configuration file:
-```bash
-cp config.example.json config.json
-```
-
-Edit `config.json`:
-```json
-{
- "nntp_server": "peannyjkqwqfynd24p6dszvtchkq7hfkwymi5by5y332wmosy5dwfaqd.onion:119",
- "nntp_username": "your_username",
- "nntp_password": "your_password",
- "listen_port": 8080,
- "listen_address": "127.0.0.1",
- "m2usenet_url": "http://itcxzfm2h36hfj6j7qxksyfm4ipp3co4rkl62sgge7hp6u77lbretiyd.onion:8880",
- "max_articles_per_group": 500,
- "connection_timeout": 30,
- "read_timeout": 60
-}
-```
+The web interface will be available at `http://127.0.0.1:8080`
-## πŸ”§ SystemD Service
-
-### 1. Create Service User
-```bash
-# Create dedicated system user (security best practice)
-sudo useradd --system --shell /usr/sbin/nologin --home-dir /var/lib/newsreader newsreader
-sudo mkdir -p /var/lib/newsreader
-sudo chown newsreader:newsreader /var/lib/newsreader
-```
-
-### 2. Install Binary and Config
-```bash
-# Install binary
-sudo cp newsreader /usr/local/bin/
-sudo chmod 755 /usr/local/bin/newsreader
-sudo chown root:root /usr/local/bin/newsreader
-
-# Install configuration
-sudo mkdir -p /etc/newsreader
-sudo cp config.json /etc/newsreader/
-sudo chmod 640 /etc/newsreader/config.json
-sudo chown root:newsreader /etc/newsreader/config.json
-```
-
-### 3. SystemD Service File
-
-Create `/etc/systemd/system/newsreader.service`:
+### Systemd Service (optional)
```ini
[Unit]
-Description=Secure NNTP Newsreader Service
-Documentation=https://github.com/gabrix73/onion-newsreader
-After=network-online.target
-Wants=network-online.target
-ConditionFileNotEmpty=/etc/newsreader/config.json
+Description=Onion Newsreader
+After=tor.service
+Requires=tor.service
[Service]
Type=simple
User=newsreader
-Group=newsreader
-ExecStart=/usr/local/bin/newsreader -config=/etc/newsreader/config.json
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=mixed
-KillSignal=SIGTERM
-TimeoutStopSec=30
+WorkingDirectory=/opt/onion-newsreader
+ExecStart=/opt/onion-newsreader/bin/onion-newsreader
Restart=always
-RestartSec=10
-
-# Security Hardening
-NoNewPrivileges=yes
-ProtectSystem=strict
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectKernelLogs=yes
-ProtectControlGroups=yes
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-RemoveIPC=yes
-PrivateTmp=yes
-PrivateDevices=yes
-ProtectHostname=yes
-ProtectClock=yes
-RestrictNamespaces=yes
-LockPersonality=yes
-MemoryDenyWriteExecute=yes
-RestrictAddressFamilies=AF_INET AF_INET6
-SystemCallFilter=@system-service
-SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @reboot @swap @privileged @resources
-SystemCallErrorNumber=EPERM
-
-# Resource Limits
-LimitNOFILE=1024
-LimitNPROC=512
-MemoryMax=512M
-CPUQuota=50%
-
-# Logging
-StandardOutput=journal
-StandardError=journal
-SyslogIdentifier=newsreader
-
-# Working Directory
-WorkingDirectory=/var/lib/newsreader
-ReadWritePaths=/var/lib/newsreader
+RestartSec=5
[Install]
WantedBy=multi-user.target
```
-### 4. Enable and Start Service
-
-```bash
-# Reload systemd configuration
-sudo systemctl daemon-reload
+## Usage
-# Enable service to start on boot
-sudo systemctl enable newsreader
+### First Run
-# Start service
-sudo systemctl start newsreader
+1. Open `http://127.0.0.1:8080` in Tor Browser
+2. Click **πŸ“₯ Download Active File** to fetch newsgroup list
+3. Wait 2-10 minutes (large file over Tor)
+4. Use **πŸ” Search** to find groups (wildcards: `comp.*`, `*linux*`)
-# Check status
-sudo systemctl status newsreader
+### Reading
-# View logs
-sudo journalctl -u newsreader -f
-```
+1. Click a group name to view articles
+2. Articles displayed in threaded view
+3. Click article subject to read full content
+4. Indentation shows reply hierarchy
-## πŸ›‘οΈ SystemD Security Features Explained
-
-### Process Isolation
-- **`NoNewPrivileges=yes`**: Prevents privilege escalation
-- **`PrivateTmp=yes`**: Isolated /tmp directory
-- **`PrivateDevices=yes`**: No access to /dev devices
-- **`ProtectHome=yes`**: No access to user home directories
-
-### System Protection
-- **`ProtectSystem=strict`**: Read-only access to /usr, /boot, /efi
-- **`ProtectKernelTunables=yes`**: No access to kernel parameters
-- **`ProtectKernelModules=yes`**: Cannot load kernel modules
-- **`ProtectControlGroups=yes`**: No access to cgroup filesystem
-
-### Network & System Calls
-- **`RestrictAddressFamilies=AF_INET AF_INET6`**: Only IPv4/IPv6 networking
-- **`SystemCallFilter=@system-service`**: Whitelist essential system calls
-- **`SystemCallFilter=~@debug @mount...`**: Blacklist dangerous system calls
-- **`MemoryDenyWriteExecute=yes`**: Prevents code injection attacks
-
-### Resource Limits
-- **`MemoryMax=512M`**: Maximum memory usage
-- **`CPUQuota=50%`**: Maximum CPU usage
-- **`LimitNOFILE=1024`**: Maximum open files
-- **`LimitNPROC=512`**: Maximum processes
-
-## πŸ” Security Best Practices
-
-### Server Deployment
-1. **Reverse Proxy**: Deploy behind nginx/apache with HTTPS
-2. **Rate Limiting**: Implement connection and request rate limits
-3. **Tor Integration**: Consider .onion deployment for privacy
-4. **Firewall**: Restrict access to necessary ports only
-5. **Updates**: Keep Go runtime and dependencies updated
-
-### Configuration Security
-```bash
-# Secure configuration file permissions
-sudo chmod 640 /etc/newsreader/config.json
-sudo chown root:newsreader /etc/newsreader/config.json
+### Posting
-# Verify service isolation
-sudo systemd-analyze security newsreader
-```
+1. Click **πŸ“ New Post** or **πŸ’¬ Reply**
+2. m2usenet opens with pre-filled fields
+3. Generate hashcash token (proof-of-work)
+4. Sign message with Ed25519 key
+5. Submit to post via Tor
-### Monitoring Commands
-```bash
-# Monitor service status
-sudo systemctl status newsreader
+### Favorites
-# View real-time logs
-sudo journalctl -u newsreader -f
+1. Open any group
+2. Click **β˜†** next to group name to add favorite
+3. Access favorites via **⭐ Favorites** in navigation
+4. Click **β˜…** to remove from favorites
-# Check resource usage
-sudo systemctl show newsreader --property=MemoryCurrent,CPUUsageNSec
+### Notifications
-# Verify security settings
-sudo systemd-analyze security newsreader
-```
+1. In group view, click **πŸ”•** on a thread starter
+2. Thread shows **πŸ””** when watched
+3. Go to **πŸ”” Notifications** page
+4. Click **πŸ”„ Check for new replies**
+5. Badge shows new reply count
+6. Click **βœ“ Mark read** to clear
-## 🌐 Integration with m2usenet
+## Configuration
-This newsreader seamlessly integrates with [m2usenet](https://github.com/gabrix73/m2usenet-go) for posting:
+Edit constants in source code:
-1. **Read Articles**: Browse and read Usenet content
-2. **Reply Function**: Click "REPLY TO POST" button
-3. **Auto-redirect**: Opens m2usenet with reply context
-4. **Secure Posting**: Uses hashcash PoW and Ed25519 signatures
+```go
+const (
+ M2UsenetURL = "http://[your-m2usenet].onion:8880"
+ TorProxyAddr = "127.0.0.1:9050"
+ PrimaryNNTP = "[your-nntp].onion:119"
+ FallbackNNTP = "news.example.net:119"
+ FavoritesFile = "favorites.json"
+ WatchedFile = "watched.json"
+)
+```
-### Reply Integration Features
-- βœ… Automatic subject handling (avoids "Re: Re:" duplicates)
-- βœ… Proper Message-ID references for threading
-- βœ… Quoted content formatting
-- βœ… Cross-group posting support
+## NNTP Server Compatibility
-## πŸ“š Usage Examples
+Tested with:
+- INN (InterNetNews)
+- Leafnode
+- Any RFC 3977 compliant server
-### Basic Usage
-```bash
-# Start the service
-sudo systemctl start newsreader
+Required commands:
+- `LIST` - Active file download
+- `GROUP` - Select newsgroup
+- `XOVER` - Article overview (subject, from, date, message-id, references)
+- `ARTICLE` - Full article retrieval
-# Access via web browser
-curl http://localhost:8080
+## Tor Browser Notes
-# View specific group
-curl http://localhost:8080/group/alt.privacy
-```
+### NoScript Warning
-### Security Testing
-```bash
-# Test service isolation
-sudo systemd-run --uid=newsreader --gid=newsreader \
- --property=ProtectSystem=strict \
- --property=PrivateTmp=yes \
- /usr/local/bin/newsreader -config=/etc/newsreader/config.json
-
-# Verify no privilege escalation
-sudo -u newsreader /usr/local/bin/newsreader -config=/etc/newsreader/config.json
-```
+When clicking Reply, NoScript may show an XSS warning due to the cross-origin redirect with quoted text in URL parameters. This is a **false positive** - the data is just the quoted message for the reply form.
-## πŸ› Troubleshooting
+Solutions:
+- Click "Temporarily allow"
+- Add both .onion addresses to NoScript whitelist
-### Common Issues
+### Recommended Settings
-**Service won't start:**
-```bash
-# Check configuration
-sudo newsreader -config=/etc/newsreader/config.json -test
+- Security Level: Standard or Safer
+- JavaScript: Enabled (required for hashcash mining)
+- Cookies: Allow for session
-# Verify permissions
-ls -la /etc/newsreader/config.json
-ls -la /usr/local/bin/newsreader
+## File Structure
-# Check service logs
-sudo journalctl -u newsreader -n 50
```
-
-**NNTP connection issues:**
-```bash
-# Test network connectivity
-telnet news.server.com 119
-
-# Check firewall
-sudo ufw status
-sudo iptables -L
+onion-newsreader/
+β”œβ”€β”€ onion-newsreader.go # Single-file source
+β”œβ”€β”€ onion-newsreader # Compiled binary
+β”œβ”€β”€ favorites.json # Saved favorite groups
+β”œβ”€β”€ watched.json # Watched threads state
+└── README.md
```
-**Permission issues:**
-```bash
-# Reset permissions
-sudo chown root:newsreader /etc/newsreader/config.json
-sudo chmod 640 /etc/newsreader/config.json
-sudo chown newsreader:newsreader /var/lib/newsreader
-```
+## Technical Details
+
+### Threading Algorithm
-## 🀝 Contributing
+1. Parse XOVER response to extract References header
+2. Build map of Message-ID β†’ Article
+3. Extract parent ID (last Message-ID in References)
+4. Link children to parents
+5. Orphaned replies (parent not in set) become roots
+6. Flatten tree with depth annotation
+7. Sort: roots by date desc, children by date asc
-1. Fork the repository
-2. Create feature branch (`git checkout -b feature/amazing-feature`)
-3. Commit changes (`git commit -m 'Add amazing feature'`)
-4. Push to branch (`git push origin feature/amazing-feature`)
-5. Open Pull Request
+### Notification Check
-### Security Issues
-Report security vulnerabilities privately to: [security@yourdomain.com](mailto:security@yourdomain.com)
+1. Group watched posts by newsgroup
+2. Fetch recent articles (XOVER) for each group
+3. For each article, check if References contains watched Message-ID
+4. Increment reply counter for matches
+5. Update last-checked timestamp
-## πŸ“„ License
+### Security Model
-This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+- No authentication stored (stateless)
+- No cookies required
+- No external requests except Tor SOCKS5
+- Local-only HTTP binding
+- JSON files readable only by owner
-## πŸ”— Related Projects
+## License
-- [m2usenet](https://github.com/gabrix73/m2usenet-go) - Anonymous Usenet posting gateway
-- [Tor Project](https://www.torproject.org/) - Anonymous networking
+MIT License
-## ⚠️ Disclaimer
+## Links
-This software is intended for legitimate Usenet access and educational purposes. Users are responsible for complying with their local laws and the terms of service of their NNTP providers. The authors assume no responsibility for misuse of this software.
+- **Newsreader**: `http://qgaswy4ebtrhaargqvoboutky7xoyyx5rq5nhydixemkniresdze5dyd.onion:8043`
+- **m2usenet**: `http://itcxzfm2h36hfj6j7qxksyfm4ipp3co4rkl62sgge7hp6u77lbretiyd.onion:8880`
+- **Source**: `https://github.com/gabrix73/onion-newsreader`
---
-**πŸ”’ Built with Security in Mind | πŸ§… Tor-Ready | πŸ“° RFC-Compliant**
+*Because Usenet deserves privacy too.* πŸ§…πŸ“°