Call this v1.5.2.200513

Makefile

@@ -1,7 +1,8 @@
 # Makefile for building combined pagekite.py files.
 export PYTHONPATH := .
 
-BREED_PAGEKITE = pagekite/__init__.py \
+BREED_PAGEKITE = /usr/lib/python2.7/dist-packages/six.py \
+                 pagekite/__init__.py \
 	         pagekite/common.py \
 	         pagekite/compat.py \
 	         pagekite/logging.py \

deb/control

@@ -16,7 +16,7 @@ Depends: ${misc:Depends},
          python (>= 2.3),
          python (<< 3.0),
          python-six,
-         python-socksipychain (>= 2.1.1),
+         python-socksipychain (>= 2.1.2),
          python-openssl
 Description: Make localhost servers publicly visible.
  PageKite is a system for running publicly visible servers (generally

doc/HISTORY.txt

@@ -1,9 +1,15 @@
 Version history - highlights
 ============================
 
-v1.5.1.??????
+v1.5.2.200513
 -------------
-   - Remove finger and httpfinger protocols, nobody uses them
+   - Remove obsolete finger, httpfinger and Minecraft protocols
+   - Add working front-end support for XMPP tunnels
+   - Make the auto-keepalive logic simpler and hopefully more robust
+   - Depend on pySocksipychain 2.1.2+, to pick up SSL fixes
+   - The single-file pagekite.py bundle now supports Python 2.7 and 3.x
+   - Document the forgotten `unknown` backend-of-last-resort feature
+
 
 v1.5.1.200424
 -------------

doc/MANPAGE.md

@@ -194,6 +194,25 @@ time the program defaults will Just Work.
      Explicit configuration for a service kite.  Generally kites are
      created on the command-line using the service short-hand
      described above, but this syntax is used in the config file.
+     The kitename `unknown`, if allowed by the front-end, represents
+     a backend of last resort for requests with no other match.
+
+   * <b>--authdomain</b>=`DNS-suffix`, <b>--authdomain</b>=`/path/to/app`, <b>--authdomain</b>=`kite-domain`:`DNS-suffix`, <b>--authdomain</b>=`kite-domain`:`/path/to/app` <br />
+     Use `DNS-suffix` for remote DNS-based authentication of
+     incoming tunnel requests, or invoke an external application
+     for this purpose.  If no <i>kite-domain</i> is given, use
+     this as the default authentication method.  See the section
+     below on tunnel authentication for further details.  In order
+     for the app path to be recognized as such, it must contain at
+     least one / character.
+
+   * <b>--auththreads</b>=`N` <br />
+     Start N threads to process auth requests. Default is 1.
+
+   * <b>--authfail_closed</b> <br />
+     If authentication fails, reject tunnel requests. The default is
+     to fail open and allow tunnels if the auth checks are broken.
+
 
    * <b>--service_off</b>=`proto`:`kitename`:`host`:`port`:`secret` <br />
      Same as --service_on, except disabled by default.
@@ -261,6 +280,8 @@ time the program defaults will Just Work.
      domain, using the given secret.  A * may be used as a wildcard
      for subdomains or protocols. This is for static configurations,
      for dynamic access controls use the `--authdomain` mechanism.
+     The domain `unknown`, if configured, represents a backend of
+     last resort for incoming requests with no other match.
 
    * <b>--authdomain</b>=`DNS-suffix`, <b>--authdomain</b>=`/path/to/app`, <b>--authdomain</b>=`kite-domain`:`DNS-suffix`, <b>--authdomain</b>=`kite-domain`:`/path/to/app` <br />
      Use `DNS-suffix` for remote DNS-based authentication of

doc/README.md

@@ -282,6 +282,7 @@ Replace HOST with the DNS name or IP address of your front-end, and PORT
 with one of the ports it listens for connections on.  If your front-end
 supports TLS-encrypted tunnels, add the --fe_certname=HOST argument as well.
 
+
 [ [up](#toc) ]
 
 
@@ -396,9 +397,11 @@ way to get the two to coexist:
    2. Configure pagekite.py [as a front-end](#fe) on port 80
    3. Add `--service_on` specifications for your old web-server.
 
-As of 0.3.14, you can make pagekite.py use a local back-end as a catch-all
-for any unrecongized domains, by using the special hostname "unknown" in
-the `--service_on` line (remember to specify a protocol).
+As of 0.3.14, you can make pagekite.py use the "unknown" back-end as a
+catch-all for any unrecongized domains, by using the special hostname
+"unknown". This can either be a local back-end, using the `--service_on`
+line (remember to specify a protocol), or added as a domain using
+`--domain` and served over a tunnel like any other kite.
 
 For example:
 

pagekite/common.py

@@ -27,7 +27,7 @@
 import time
 
 PROTOVER = '0.8'
-APPVER = '1.5.1.200424'
+APPVER = '1.5.2.200513'
 AUTHOR = 'Bjarni Runar Einarsson, https://bre.klaki.net/'
 WWWHOME = 'https://pagekite.net/'
 LICENSE_URL = 'https://www.gnu.org/licenses/agpl.html'

pagekite/manual.py

@@ -169,6 +169,28 @@
             Explicit configuration for a service kite.  Generally kites are
             created on the command-line using the service short-hand
             described above, but this syntax is used in the config file.
+            The kitename `unknown`, if allowed by the front-end, represents
+            a backend of last resort for requests with no other match.
+
+    --authdomain</b>=<a>DNS-suffix</a>,\
+ <b>--authdomain</b>=<a>/path/to/app</a>,\
+ <b>--authdomain</b>=<a>kite-domain</a>:<a>DNS-suffix</a>,\
+ <b>--authdomain</b>=<a>kite-domain</a>:<a>/path/to/app</a> __
+            Use <a>DNS-suffix</a> for remote DNS-based authentication of
+            incoming tunnel requests, or invoke an external application
+            for this purpose.  If no <i>kite-domain</i> is given, use
+            this as the default authentication method.  See the section
+            below on tunnel authentication for further details.  In order
+            for the app path to be recognized as such, it must contain at
+            least one / character.
+
+    --auththreads</b>=<a>N</a> __
+            Start N threads to process auth requests. Default is 1.
+
+    --authfail_closed</b> __
+            If authentication fails, reject tunnel requests. The default is
+            to fail open and allow tunnels if the auth checks are broken.
+
 
     --service_off</b>=<a>proto</a>:<a>kitename</a>:<a>host</a>:<a>port</a>:<a>secret</a> __
             Same as --service_on, except disabled by default.
@@ -231,6 +253,8 @@
             domain, using the given secret.  A * may be used as a wildcard
             for subdomains or protocols. This is for static configurations,
             for dynamic access controls use the `--authdomain` mechanism.
+            The domain `unknown`, if configured, represents a backend of
+            last resort for incoming requests with no other match.
 
     --authdomain</b>=<a>DNS-suffix</a>,\
  <b>--authdomain</b>=<a>/path/to/app</a>,\

scripts/qemu-rpi.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+IMAGE_IMG=2019-04-08-raspbian-stretch.img
+IMAGE_ZIP=2019-04-08-raspbian-stretch.zip
+IMAGE_URL=https://downloads.raspberrypi.org/raspbian/images/raspbian-2019-04-09/$IMAGE_ZIP
+
+set -e
+mkdir -p ~/tmp/rpi_qemu_vm
+cd ~/tmp/rpi_qemu_vm
+
+[ -e $IMAGE_ZIP ] || wget $IMAGE_URL
+[ -e $IMAGE_IMG ] || unzip $IMAGE_ZIP
+
+# See: https://github.com/lukechilds/dockerpi
+docker run -it -v $(pwd)/$IMAGE_IMG:/sdcard/filesystem.img lukechilds/dockerpi:vm

setup.py

@@ -39,5 +39,5 @@
 """,
    packages=['pagekite', 'pagekite.ui', 'pagekite.proto'],
    scripts=['scripts/pagekite', 'scripts/lapcat', 'scripts/vipagekite'],
-   install_requires=['six', 'SocksipyChain >= 2.1.1']
+   install_requires=['six', 'SocksipyChain >= 2.1.2']
 )