feat: Universal Linux build + redesigned ostp-guard

- Build static musl binaries (work on any Linux distro) - Redesign ostp-guard with weighted scoring system (threshold: 4 points) - HIGH (2pts): Analysis tools (gdb/ida/ghidra), sandbox artifacts - MEDIUM (1pt): Low resources (<1GB RAM), suspicious env vars - Production VPS safe (1-2 points), sandbox blocked (4+ points) - Anti-debug: Windows (IsDebuggerPresent), Linux (/proc/self/status) - Deployment packages for Linux + Windows with SHA256 checksums
2026-01-02 01:38:30 +03:00
parent 5879344336
commit 7ed4217987
23 changed files with 1045 additions and 432 deletions
--- a/dist/linux-amd64/DEPLOY.md
+++ b/dist/linux-amd64/DEPLOY.md
@@ -0,0 +1,110 @@
+# OSTP Linux Deployment Package
+
+## Contents
+
+- **ostp-server** (4.0 MB) - Stealth VPN Server Binary
+- **oncp-master** (4.7 MB) - CDN Control Plane Binary
+- **install.sh** - Automated installation script
+- **README.md** - Complete deployment guide
+- **SHA256SUMS** - Binary checksums for verification
+- **ostp-server.service** - Systemd service file
+- **oncp-master.service** - Systemd service file
+- **server.json.example** - Server configuration template
+- **server-enrollment.json.example** - Auto-enrollment config template
+
+## Quick Start
+
+### 1. Verify Checksums
+
+```bash
+sha256sum -c SHA256SUMS
+```
+
+### 2. Run Installation Script
+
+```bash
+sudo bash install.sh
+```
+
+### 3. Configure Server
+
+```bash
+# Generate PSK
+ostp-server gen-key
+
+# Edit config
+sudo nano /etc/ostp/server.json
+# Replace PSK with generated key
+
+# Start service
+sudo systemctl enable ostp-server
+sudo systemctl start ostp-server
+sudo systemctl status ostp-server
+```
+
+## System Requirements
+
+- **OS**: Debian 13+ / Ubuntu 24.04+ / RHEL 9+
+- **Architecture**: x86_64
+- **glibc**: 2.41+
+- **Libraries**: libssl3, libcrypto3
+- **Privileges**: Root/sudo required
+
+## Build Information
+
+- **Date**: January 2, 2026
+- **Rust Version**: 1.85.0
+- **Target**: x86_64-unknown-linux-gnu
+- **glibc**: 2.41 (Debian Trixie)
+- **Profile**: Release (optimized)
+
+## Features
+
+### ostp-server
+- ✅ AEAD encryption (ChaCha20-Poly1305)
+- ✅ X25519 key exchange
+- ✅ TLS mimicry
+- ✅ Anti-DPI protection
+- ✅ UDP-over-TCP framing
+- ✅ Silent PSK validation
+- ✅ Anti-debugging protection
+- ✅ Auto-enrollment to CDN
+
+### oncp-master
+- ✅ REST API for node management
+- ✅ Node enrollment system (Pending→Approved→Active)
+- ✅ CDN steering by country code
+- ✅ User billing and quota tracking
+- ✅ Dynamic SNI management
+- ✅ Real-time dashboard CLI
+- ✅ Network statistics
+- ✅ SQLite backend
+
+## Deployment Scenarios
+
+### Standalone Server
+Use `server.json.example` - manual PSK configuration
+
+### CDN Network Node
+Use `server-enrollment.json.example` - automatic enrollment with master node
+
+## Security Considerations
+
+1. **PSK Protection**: Keep PSKs secure, never commit to version control
+2. **Firewall**: Restrict master node API to known IPs
+3. **TLS**: Use reverse proxy for API TLS termination
+4. **Updates**: Keep binaries updated for security patches
+5. **Monitoring**: Use systemd logs and `oncp-master dashboard`
+
+## Documentation
+
+Full documentation in [README.md](README.md)
+
+## Support
+
+- **GitHub**: https://github.com/ospab/ospab.network
+- **Issues**: https://github.com/ospab/ospab.network/issues
+
+---
+
+**Note**: ostp-server requires root privileges for TUN device creation and port binding. Anti-debugging protection (ostp-guard) is enabled in release builds.