Please read the introduction blog post.
- Create custom HTTP responses to exploit various types of web vulnerabilities.
- Support templates and delivery payloads
- Log DNS requests
- Support custom subdomains per project
- Scoped mode to reduce traffic noise
- Receive notifications in Discord
lorito is a web app written in Elixir that uses a PostgreSQL database to store its information. It provides an HTTP server to receive and respond to HTTP requests. Optionally, a DNS server can be configured to receive DNS requests.
There's a .devcontainer setup to run lorito for development purposes, which includes both an app container and a PostgreSQL container.
If you load this repository in VSCode, it will detect the devcontainer setup and prompt you to open the project inside a Docker container.
Once inside the container, run `mix add_user` to create a user.
Then, execute `mix phx.server` to run lorito at http://localhost:4000;
its dashboard is available at http://localhost:4000/_lorito.
To create a production-ready package,
a Dockerfile is used to build an Elixir release.
There are two prerequisites to run lorito:
- The postgres database must support SSL
- lorito must run over HTTPS because of the Clipboard API
lorito needs two secrets (environment variables) to work:
- `DATABASE_URL`: postgres connection URI of your database
- `SECRET_KEY_BASE`: the secret key to sign cryptographic material such as session tokens
You can use docker-compose to run lorito
using the provided docker-compose.yml file.
To configure secrets,
create a .env file to declare:
- `DATABASE_URL`: `postgresql://` connection URI
- `SECRET_KEY_BASE`: you can generate one with `head -c 66 /dev/urandom | base64 -w 0`
- `PHX_HOST`: `localhost` by default, then you can modify it with a custom domain.
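A pre-flight check for the `.env` file described above, as an added example that is not part of lorito. `env_get` and `check_env` are hypothetical helper names; the 64-character minimum is the limit Plug's cookie session store enforces on `secret_key_base`, and rejecting `postgres:postgres` credentials is an assumption made for anything beyond the try-out database.

```shell
#!/usr/bin/env bash
# Added example (not lorito code): pre-flight check of the .env file.
# Usage: check_env FILE [HOST_YOU_BROWSE_TO]; returns the number of problems.

# Print the last value assigned to KEY ($2) in FILE ($1), minus surrounding quotes.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

check_env() {
  local file="$1" want_host="${2:-}" problems=0 db key host
  db=$(env_get "$file" DATABASE_URL)
  key=$(env_get "$file" SECRET_KEY_BASE)
  host=$(env_get "$file" PHX_HOST)
  host=${host:-localhost}   # the README gives localhost as the default

  # The file holds the database password and the session signing key.
  if [ -n "$(find "$file" -prune -perm -004)" ]; then
    echo "FAIL: $file is world-readable; chmod 600 it"
    problems=$((problems + 1))
  fi
  case $db in
    postgresql://* | postgres://*) ;;
    *) echo "FAIL: DATABASE_URL is not a postgresql:// URI"
       problems=$((problems + 1)) ;;
  esac
  # Assumption: postgres:postgres is only acceptable for the try-out database.
  case $db in
    *//postgres:postgres@*)
      echo "FAIL: DATABASE_URL uses the default postgres:postgres credentials"
      problems=$((problems + 1)) ;;
  esac
  # head -c 66 /dev/urandom | base64 -w 0 yields 88 characters; Plug's cookie
  # session store refuses a secret_key_base shorter than 64 bytes.
  if [ "${#key}" -lt 64 ]; then
    echo "FAIL: SECRET_KEY_BASE has ${#key} characters, need at least 64"
    problems=$((problems + 1))
  fi
  # The dashboard has to be opened on the same host as PHX_HOST.
  if [ -n "$want_host" ] && [ "$host" != "$want_host" ]; then
    echo "FAIL: PHX_HOST=$host but the dashboard is opened at $want_host"
    problems=$((problems + 1))
  fi
  return "$problems"
}
```

Source the file and run `check_env .env your.host.tld` before `docker-compose up`; an exit status of 0 means no problem was found.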
docker-compose up will run lorito at http://localhost:4000
and its dashboard at http://localhost:4000/_lorito.
To add a user, follow these steps:
- Enter the container with `docker-compose exec elixir /bin/bash`
- Run the database migrations with `./bin/migrate`
- Then, enter IEx with `./bin/lorito remote`
- Add your user with `Lorito.Release.add_user("email@domain.tld")`
If you want to take a look at lorito, you can use this setup. Beware that it uses default distro SSL keys to set up SSL and containers aren't recommended for production databases.
You can execute `docker-compose -f docker-compose.with-db.yml up`
and update .env with `DATABASE_URL=postgresql://postgres:postgres@db:5432/app`.
Then, follow the same instructions to add a user as outlined in the previous section.
Root domains help keep URLs shorter. However, they might receive a lot of automated requests. Additionally, the new lorito DNS capability is complicated to set up at the root level for several reasons (presence of a DNS manager, other DNS records, etc).
So my suggestion is to use a subdomain to host lorito.
lorito provides DNS capabilities to receive DNS requests.
The DNS server can be enabled at https://subdomain.domain.tld/_lorito/settings.
IP configuration is required to route the HTTP requests to your lorito instance.
To be able to receive DNS requests at subdomain.domain.tld,
you should add two DNS records in your DNS manager:
| Type | Name | Content |
|---|---|---|
| NS | subdomain | ns1.domain.tld |
| A | ns1 | <subdomain.domain.tld IP> |
Once everything is set up and the changes have propagated,
you can test with `dig A abc.subdomain.domain.tld`
and the DNS requests should appear in the main logs.
The SSL certificate should be issued for *.subdomain.domain.tld
to respond successfully to HTTPS requests.
This will publish your subdomain to Certificate Transparency logs and your instance will become reachable by bots. To stay focused, enable the new scoped mode in Settings.
My suggestion is to go with fly.io. It takes care of secrets, SSL certificates, custom domains, monitoring, etc.
There's a little guide here.
The issue is that you're accessing the lorito dashboard
from an IP/host different from the PHX_HOST in the .env file.
They must match, and then the issue should be resolved.