diff --git a/docs/Installing CloudTube.md b/docs/Installing CloudTube.md index 4315055..d7e643e 100644 --- a/docs/Installing CloudTube.md +++ b/docs/Installing CloudTube.md @@ -78,11 +78,13 @@ This service should be run as the cloudtube user rather than as the system. You may need to adjust the paths in these files. +### As user service + If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html). ``` [Unit] -Description=cloudtube website +Description=CloudTube website [Service] Type=simple @@ -99,7 +101,38 @@ SyslogIdentifier=cloudtube WantedBy=default.target ``` -Save it to `~/.config/systemd/user/cloudtube.service`, then issue these commands: +Save to `~/.config/systemd/user/cloudtube.service`. + +### As system service + +``` +[Unit] +Description=CloudTube +After=network.target + +[Service] +Type=simple +ExecStart=/usr/local/bin/node /home/cloudtube/cloudtube/server.js +WorkingDirectory=/home/cloudtube/cloudtube +# Restart timing +Restart=always +RestartSec=60 + +# Disable logs +StandardOutput=null +StandardError=null +SyslogIdentifier=cloudtube + +# User to run service as +User=cloudtube + +[Install] +WantedBy=multi-user.target +``` + +Save to `/etc/systemd/system/cloudtube.service`. + +### Start service ``` $ systemctl daemon-reload 
@@ -116,116 +149,6 @@ $ systemctl enable cloudtube This will allow people to access CloudTube over HTTPS and without having to enter a port into the browser's address bar. -It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need it. +It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need to do it. -SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 -) - -Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)) - -``` -# mkdir -p /etc/nginx/ssl -# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem -``` - -Then create a file inside the directory /etc/nginx/sites-available (suggested name: cloudtube-proxy) with contents like this: - -``` -server { - listen 80; - listen [::]:80; - server_name cloudtube.example.com; # [1] - - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name cloudtube.example.com; # [1] - - ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2] - ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2] - ssl_session_timeout 1d; - ssl_session_cache shared:MozSSL:10m; - ssl_session_tickets off; - - ssl_dhparam /etc/nginx/ssl/dhparam; # [3] - - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - - location / { - proxy_pass http://127.0.0.1:10412; - } -} -``` - -- `[1]` Write your actual 
domain here in place of cloudtube.example.com, without capital letters. -- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path. -- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397) - -Set the configuration as enabled: - -``` -# cd /etc/nginx/sites-enabled -# ln -sv ../sites-available/cloudtube-proxy . -``` - -And delete the default "it works" server that comes with nginx: - -``` -# rm default -``` - -Check your configuration. If there are errors, find them and fix them. -This sample config should be good on its own. - -``` -# nginx -t -``` - -Once there are no errors in the configuration, start nginx: - -``` -# systemctl start nginx -``` - -Enable the nginx service to automatically start nginx after a machine reboot: - -``` -# systemctl enable nginx -``` - -If nginx is already running, you only have to reload the configuration: - -``` -# systemctl reload nginx -``` - -Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum)) - -1. First, go to the [SSLMate CAA record generator.][caa generator] -1. Enter your domain name, then press "auto-generate policy". -1. Scroll the list and make sure all boxes are unchecked _except_ for -the one that has your certificate authority. -1. If it's all good, go down to the "publish your CAA policy" section -and examine the first code block. You need to create a DNS record with -this information on your domain. - -[caa generator]: https://sslmate.com/caa/ - -Once you've set everything up, open your domain -(ex: `https://cloudtube.example.com`) in your browser and check that: - -1. The CloudTube home page appears -1. 
You are connected over HTTPS - -Now that that works, -[run the Qualys SSL Labs server test][ssl server test] to make sure -your configuration is secure. The test will take a few minutes to run. - -[ssl server test]: https://www.ssllabs.com/ssltest/ +Follow the steps [on the nginx documentation page →](./Proxy with nginx.md) diff --git a/docs/Installing NewLeaf.md b/docs/Installing NewLeaf.md index f86bf10..43623d8 100644 --- a/docs/Installing NewLeaf.md +++ b/docs/Installing NewLeaf.md @@ -82,6 +82,8 @@ This service should be run as the cloudtube user rather than as the system. You may need to adjust the paths in these files. +### As user service + If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html). ``` @@ -106,7 +108,38 @@ SyslogIdentifier=newleaf WantedBy=multi-user.target ``` -As above, save it to `~/.config/systemd/user/newleaf.service`, then issue these commands: +Save to `~/.config/systemd/user/newleaf.service`. + +### As system service + +``` +[Unit] +Description=NewLeaf +After=network.target + +[Service] +Type=simple +ExecStart=/home/cloudtube/newleaf-venv/bin/python3 /home/cloudtube/NewLeaf/index.py +WorkingDirectory=/home/cloudtube/NewLeaf +# Restart timing +Restart=always +RestartSec=60 + +# Disable logs +StandardOutput=null +StandardError=null +SyslogIdentifier=newleaf + +# User to run as +User=cloudtube + +[Install] +WantedBy=multi-user.target +``` + +Save to `/etc/systemd/system/newleaf.service`. + +### Start service ``` $ systemctl daemon-reload 
@@ -118,3 +151,16 @@ $ systemctl start newleaf ``` $ systemctl enable newleaf ``` + +## nginx reverse proxy + +This will allow people to access NewLeaf over HTTPS and without a port number in the URL. + +You should do this if: + +- You will run a public NewLeaf instance +- You will run a public CloudTube instance (NewLeaf also needs to be public) + +If this installation is a test, or for your personal use, you don't need to do this. + +Follow the steps [on the nginx documentation page →](./Proxy with nginx.md) diff --git a/docs/Proxy with nginx.md b/docs/Proxy with nginx.md new file mode 100644 index 0000000..532db02 --- /dev/null +++ b/docs/Proxy with nginx.md 
@@ -0,0 +1,181 @@ +# Proxy with nginx + +## Prerequisites + +Install nginx from the package manager. + +## Configuration + +``` +# cd /etc/nginx +``` + +SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6 +) + +Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)) + +``` +# mkdir -p /etc/nginx/ssl +# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem +``` + +Delete the default "it works" server that comes with nginx: + +``` +# rm sites-enabled/default +``` + +## NewLeaf + +Create a file inside the directory `/etc/nginx/sites-available` (suggested name: newleaf-proxy) with contents like this: + +``` +server { + listen 80; + listen [::]:80; + server_name newleaf.example.com; # [1] + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name newleaf.example.com; # [1] + + ssl_certificate /etc/letsencrypt/live/newleaf.example.com/fullchain.pem; # [2] + ssl_certificate_key /etc/letsencrypt/live/newleaf.example.com/privkey.pem; # [2] + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + ssl_dhparam /etc/nginx/ssl/dhparam; # [3] + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + location / { + proxy_pass http://127.0.0.1:3000; + } +} +``` + +- `[1]` Write your actual domain here in place of newleaf.example.com, without capital letters. +- `[2]` Write your actual domain here in place of newleaf.example.com. 
If your certificate is not from Let's Encrypt, you'll have to replace the entire path. +- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397) + +Set the configuration as enabled: + +``` +# cd /etc/nginx/sites-enabled +# ln -sv ../sites-available/newleaf-proxy . +``` + +## CloudTube + +(If you are installing NewLeaf only, you can skip this section.) + +Create a file inside the directory `/etc/nginx/sites-available` (suggested name: cloudtube-proxy) with contents like this: + +``` +server { + listen 80; + listen [::]:80; + server_name cloudtube.example.com; # [1] + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name cloudtube.example.com; # [1] + + ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2] + ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2] + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; + ssl_session_tickets off; + + ssl_dhparam /etc/nginx/ssl/dhparam; + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + location / { + proxy_pass http://127.0.0.1:10412; + } +} +``` + +- `[1]` Write your actual domain here in place of cloudtube.example.com, without capital letters. +- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path. + +Set the configuration as enabled: + +``` +# cd /etc/nginx/sites-enabled +# ln -sv ../sites-available/cloudtube-proxy . +``` + +## Apply changes + +Check your configuration. If there are errors, find them and fix them. 
+This sample config should be good on its own. + +``` +# nginx -t +``` + +Once there are no errors in the configuration, start nginx: + +``` +# systemctl start nginx +``` + +Enable the nginx service to automatically start nginx after a machine reboot: + +``` +# systemctl enable nginx +``` + +If nginx is already running, you only have to reload the configuration: + +``` +# systemctl reload nginx +``` + +## CAA for DNS + +Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum)) + +1. First, go to the [SSLMate CAA record generator.][caa generator] +1. Enter your domain name, then press "auto-generate policy". +1. Scroll the list and make sure all boxes are unchecked _except_ for +the one that has your certificate authority. +1. If it's all good, go down to the "publish your CAA policy" section +and examine the first code block. You need to create a DNS record with +this information on your domain. + +[caa generator]: https://sslmate.com/caa/ + +## Conclusion + +Once you've set everything up, open your domain +(ex: `https://cloudtube.example.com`) in your browser and check that: + +1. The CloudTube home page appears +1. You are connected over HTTPS + +Now that that works, +[run the Qualys SSL Labs server test][ssl server test] to make sure +your configuration is secure. The test will take a few minutes to run. + +[ssl server test]: https://www.ssllabs.com/ssltest/
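Review bot: in the `docs/Installing CloudTube.md` hunk `@@ -99,7 +101,38 @@`, the new system unit ships with `StandardOutput=null` / `StandardError=null` under a `# Disable logs` comment, which for a public instance discards the only record of crashes, restarts and abusive traffic; suggest dropping those two lines so output lands in the journal under the `SyslogIdentifier=cloudtube` that is already set, and leave silencing to operators who want it. The `### Start service` block that now follows both unit variants still shows `$ systemctl daemon-reload`, which fits neither: the unit saved to `~/.config/systemd/user/cloudtube.service` needs `systemctl --user daemon-reload` and `systemctl --user enable --now cloudtube`, while the unit saved to `/etc/systemd/system/cloudtube.service` needs root (a `#` prompt or sudo). One command block per variant would avoid readers running the wrong manager. Since the unit already sets `User=cloudtube`, `NoNewPrivileges=yes` and `PrivateTmp=yes` are cheap additions; stronger filesystem sandboxing would need `ReadWritePaths=` for whatever the app writes under its working directory, so that is a follow-up rather than a one-liner.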
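Review bot: in the `docs/Installing NewLeaf.md` hunk `@@ -106,7 +108,38 @@`, the trailing context shows the user unit (the one saved to `~/.config/systemd/user/newleaf.service`) ending with `WantedBy=multi-user.target`; the per-user systemd manager has no `multi-user.target`, so `systemctl --user enable newleaf` creates a dangling symlink and the service does not start at login. It should be `WantedBy=default.target`, as the CloudTube user unit in the same commit already has. The same two remarks as for the CloudTube unit apply here: `StandardOutput=null` / `StandardError=null` removes all logging from a service the next hunk says must be public, and the shared `### Start service` block needs `systemctl --user` for the user variant and root for the system variant.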
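Review bot: in the new `docs/Proxy with nginx.md` (hunk `@@ -0,0 +1,181 @@`), both server blocks reference `ssl_dhparam /etc/nginx/ssl/dhparam;` but the download step writes `/etc/nginx/ssl/dhparam.pem`, so `nginx -t` fails on a missing file for anyone who follows the page literally; the fix is `ssl_dhparam /etc/nginx/ssl/dhparam.pem;` in both the NewLeaf and CloudTube blocks (this mismatch was carried over from the old CloudTube page rather than introduced here, but the new page is the place to fix it). The two `location /` blocks are bare `proxy_pass` lines, so the upstreams on `127.0.0.1:3000` and `127.0.0.1:10412` see every request as coming from localhost over plain HTTP; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $remote_addr;` and `proxy_set_header X-Forwarded-Proto https;` so logs carry the real client address and the app can tell it is behind TLS. The page already redirects port 80 to HTTPS, so a `Strict-Transport-Security` header on the 443 block is the natural next step; the linked Mozilla generator URL has `hsts=false`, so say explicitly that it is left out. Finally, the `## Conclusion` checks only that the CloudTube home page loads at `https://cloudtube.example.com`, while the page also covers NewLeaf-only installs; a second line for `https://newleaf.example.com` would match the `## NewLeaf` section.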