~cadence/tube-docs

cd382ea5947cc44da92f7ade954671ed1e174f63 — Cadence Ember 3 years ago edd207b
Add system services; split nginx to a separate file
3 files changed, 261 insertions(+), 111 deletions(-)

M docs/Installing CloudTube.md
M docs/Installing NewLeaf.md
A docs/Proxy with nginx.md
M docs/Installing CloudTube.md => docs/Installing CloudTube.md +33 -110
@@ 78,11 78,13 @@ This service should be run as the cloudtube user rather than as the system.

You may need to adjust the paths in these files.

### As user service

If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html).

```
[Unit]
Description=cloudtube website
Description=CloudTube website

[Service]
Type=simple


@@ 99,133 101,54 @@ SyslogIdentifier=cloudtube
WantedBy=default.target
```

Save it to `~/.config/systemd/user/cloudtube.service`, then issue these commands:

```
$ systemctl daemon-reload
$ systemctl start cloudtube
```

...and if all is successful...

```
$ systemctl enable cloudtube
```

## nginx reverse proxy

This will allow people to access CloudTube over HTTPS and without having to enter a port into the browser's address bar.

It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need it.

SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
)

Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397))

```
# mkdir -p /etc/nginx/ssl
# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem
```

Then create a file inside the directory /etc/nginx/sites-available (suggested name: cloudtube-proxy) with contents like this:
Save to `~/.config/systemd/user/cloudtube.service`.

```
server {
    listen 80;
    listen [::]:80;
    server_name cloudtube.example.com; # [1]

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloudtube.example.com; # [1]

    ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2]
    ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2]
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
### As system service

    ssl_dhparam /etc/nginx/ssl/dhparam; # [3]

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:10412;
    }
}
```

- `[1]` Write your actual domain here in place of cloudtube.example.com, without capital letters.
- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.
- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)

Set the configuration as enabled:

```
# cd /etc/nginx/sites-enabled
# ln -sv ../sites-available/cloudtube-proxy .
```
[Unit]
Description=CloudTube
After=network.target

And delete the default "it works" server that comes with nginx:
[Service]
Type=simple
ExecStart=/usr/local/bin/node /home/cloudtube/cloudtube/server.js
WorkingDirectory=/home/cloudtube/cloudtube
# Restart timing
Restart=always
RestartSec=60

```
# rm default
```
# Disable logs
StandardOutput=null
StandardError=null
SyslogIdentifier=cloudtube

Check your configuration. If there are errors, find them and fix them.
This sample config should be good on its own.
# User to run service as
User=cloudtube

```
# nginx -t
[Install]
WantedBy=multi-user.target
```

Once there are no errors in the configuration, start nginx:
Save to `/etc/systemd/system/cloudtube.service`.

```
# systemctl start nginx
```

Enable the nginx service to automatically start nginx after a machine reboot:
### Start service

```
# systemctl enable nginx
$ systemctl daemon-reload
$ systemctl start cloudtube
```

If nginx is already running, you only have to reload the configuration:
...and if all is successful...

```
# systemctl reload nginx
$ systemctl enable cloudtube
```

Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum))

1. First, go to the [SSLMate CAA record generator.][caa generator]
1. Enter your domain name, then press "auto-generate policy".
1. Scroll the list and make sure all boxes are unchecked _except_ for
the one that has your certificate authority.
1. If it's all good, go down to the "publish your CAA policy" section
and examine the first code block. You need to create a DNS record with
this information on your domain.

[caa generator]: https://sslmate.com/caa/

Once you've set everything up, open your domain
(ex: `https://cloudtube.example.com`) in your browser and check that:
## nginx reverse proxy

1. The CloudTube home page appears
1. You are connected over HTTPS
This will allow people to access CloudTube over HTTPS and without having to enter a port into the browser's address bar.

Now that that works,
[run the Qualys SSL Labs server test][ssl server test] to make sure
your configuration is secure. The test will take a few minutes to run.
It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need to do it.

[ssl server test]: https://www.ssllabs.com/ssltest/
Follow the steps [on the nginx documentation page →](./Proxy with nginx.md)

M docs/Installing NewLeaf.md => docs/Installing NewLeaf.md +47 -1
@@ 82,6 82,8 @@ This service should be run as the cloudtube user rather than as the system.

You may need to adjust the paths in these files.

### As user service

If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html).

```


@@ 106,7 108,38 @@ SyslogIdentifier=newleaf
WantedBy=multi-user.target
```

As above, save it to `~/.config/systemd/user/newleaf.service`, then issue these commands:
Save to `~/.config/systemd/user/newleaf.service`.

### As system service

```
[Unit]
Description=NewLeaf
After=network.target

[Service]
Type=simple
ExecStart=/home/cloudtube/newleaf-venv/bin/python3 /home/cloudtube/NewLeaf/index.py
WorkingDirectory=/home/cloudtube/NewLeaf
# Restart timing
Restart=always
RestartSec=60

# Disable logs
StandardOutput=null
StandardError=null
SyslogIdentifier=newleaf

# User to run as
User=cloudtube

[Install]
WantedBy=multi-user.target
```

Save to `/etc/systemd/system/newleaf.service`.

### Start service

```
$ systemctl daemon-reload


@@ 118,3 151,16 @@ $ systemctl start newleaf
```
$ systemctl enable newleaf
```

## nginx reverse proxy

This will allow people to access NewLeaf over HTTPS and without a port number in the URL.

You should do this if:

- You will run a public NewLeaf instance
- You will run a public CloudTube instance (NewLeaf also needs to be public)

If this installation is a test, or for your personal use, you don't need to do this.

Follow the steps [on the nginx documentation page →](./Proxy with nginx.md)

A docs/Proxy with nginx.md => docs/Proxy with nginx.md +181 -0
@@ 0,0 1,181 @@
# Proxy with nginx

## Prerequisites

Install nginx from the package manager.

## Configuration

```
# cd /etc/nginx
```

SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
)

Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397))

```
# mkdir -p /etc/nginx/ssl
# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem
```

Delete the default "it works" server that comes with nginx:

```
# rm sites-enabled/default
```

## NewLeaf

Create a file inside the directory `/etc/nginx/sites-available` (suggested name: newleaf-proxy) with contents like this:

```
server {
    listen 80;
    listen [::]:80;
    server_name newleaf.example.com; # [1]

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name newleaf.example.com; # [1]

    ssl_certificate /etc/letsencrypt/live/newleaf.example.com/fullchain.pem; # [2]
    ssl_certificate_key /etc/letsencrypt/live/newleaf.example.com/privkey.pem; # [2]
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/ssl/dhparam; # [3]

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
```

- `[1]` Write your actual domain here in place of newleaf.example.com, without capital letters.
- `[2]` Write your actual domain here in place of newleaf.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.
- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)

Set the configuration as enabled:

```
# cd /etc/nginx/sites-enabled
# ln -sv ../sites-available/newleaf-proxy .
```

## CloudTube

(If you are installing NewLeaf only, you can skip this section.)

Create a file inside the directory `/etc/nginx/sites-available` (suggested name: cloudtube-proxy) with contents like this:

```
server {
    listen 80;
    listen [::]:80;
    server_name cloudtube.example.com; # [1]

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cloudtube.example.com; # [1]

    ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2]
    ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2]
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/ssl/dhparam;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    location / {
        proxy_pass http://127.0.0.1:10412;
    }
}
```

- `[1]` Write your actual domain here in place of cloudtube.example.com, without capital letters.
- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.

Set the configuration as enabled:

```
# cd /etc/nginx/sites-enabled
# ln -sv ../sites-available/cloudtube-proxy .
```

## Apply changes

Check your configuration. If there are errors, find them and fix them.
This sample config should be good on its own.

```
# nginx -t
```

Once there are no errors in the configuration, start nginx:

```
# systemctl start nginx
```

Enable the nginx service to automatically start nginx after a machine reboot:

```
# systemctl enable nginx
```

If nginx is already running, you only have to reload the configuration:

```
# systemctl reload nginx
```

## CAA for DNS

Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum))

1. First, go to the [SSLMate CAA record generator.][caa generator]
1. Enter your domain name, then press "auto-generate policy".
1. Scroll the list and make sure all boxes are unchecked _except_ for
the one that has your certificate authority.
1. If it's all good, go down to the "publish your CAA policy" section
and examine the first code block. You need to create a DNS record with
this information on your domain.

[caa generator]: https://sslmate.com/caa/

## Conclusion

Once you've set everything up, open your domain
(ex: `https://cloudtube.example.com`) in your browser and check that:

1. The CloudTube home page appears
1. You are connected over HTTPS

Now that that works,
[run the Qualys SSL Labs server test][ssl server test] to make sure
your configuration is secure. The test will take a few minutes to run.

[ssl server test]: https://www.ssllabs.com/ssltest/