4 Hippotat is written in Rust.
5 The documentation is procssed with Sphinx.
7 It is most convenient to install (especailly the server) as a `.deb`.
12 On a system with a new enough `cargo` and `rustc`:
16 CARGO='cargo --locked' dpkg-buildpackage -uc -b
19 Sadly, Debian bullseye is not new enough;
20 to build there you will need to install Rust from upstream e.g.
21 [using Rustup](https://www.rust-lang.org/learn/get-started).
23 In any case, the build runes above will download dependencies
24 from the upstream Rust package repository.
25 The precise versions of those dependencies, and their precise contents,
26 are controlled and checked
27 by the `Cargo.lock` file shipped in the Hippotat source tree,
28 provided that `cargo --locked` is used.
34 * On the server: `apt install hippotat-{server,common}_*.deb`
35 * On the client: `apt install hippotat-{client,common}_*.deb`
37 This will also install the `userv` privsep tool,
38 and the `userv-ipif` utility for unprivileged network interface management.
46 1. Choose a suitable URL that Hippotat will be able to listen on.
47 This should be port 80, or 443 with TLS.
48 You can use a reverse proxy
49 (but you may want to suppress some of the logging).
50 If using a reverse proxy,
51 you must choose an internal IP port for the Hippotat server to use.
53 2. Select a private network range for use by the IP-over-HTTP system,
54 and assign addresses to the server and to each client.
56 3. Configure your firewalls to restrict access from that range
58 (eg, which might otherwise trust Hippotat addresses due to them
59 being in RFC1918 private use ranges).
61 **Hippotat does not provide strong authentication or confidentiality**.
63 4. Configure `authbind` to allow the service user `_hippotat`
64 (created by the package installation)
65 to bind to the port you have chosen,
68 5. Configure `ipif` to allow
69 the service user `_hippotat` (on the server)
70 or your own user (on the client)
71 to create network interfaces
72 using addresses in the range you have assigned.
74 6. Configure `hippotat` itself, at both ends.
80 The `hippotat-server` package
81 supplies an init script
82 will start the `hippotatd` server program,
83 if `/etc/hippotat/main.cfg` exists.
84 If you just configured it, `service hippotatd start` will start it.
86 Consult the init script to see options you can put in
87 `/etc/default/hippotat`.
93 It is not usual to have hippotat running all the time,
94 since its approach is rather wasteful,
95 and not needed in a sensible network environment.
97 When you find yourself in a bad network environment,
98 run `hippotat` from a shell.
99 It will bring up the hippotat link.
100 When you don't need Hippotat any more, simply `^C` it.
102 With the link up you can `ssh` (or, maybe, `mosh`) to the server,
103 using the server's Hippotat IP address.
104 If you are using [secnet](https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git/secnet.git/)'s polypath feature,
105 secnet will automatically start to use hippotat.
107 Don't send traffic you care about unencrypted over Hippotat.
108 Hippotat's security mechanisms are designed
109 to try to minimise denial of service,
110 especially by off-path entities,
111 but **data confidentiality and integrity are not provided**.
117 The server will log to syslog, facility `daemon`, by default.
119 The client will report its progress to stderr.