M docs/Installing CloudTube.md => docs/Installing CloudTube.md +33 -110
@@ 78,11 78,13 @@ This service should be run as the cloudtube user rather than as the system.
You may need to adjust the paths in these files.
+### As user service
+
If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html).
```
[Unit]
-Description=cloudtube website
+Description=CloudTube website
[Service]
Type=simple
@@ 99,133 101,54 @@ SyslogIdentifier=cloudtube
WantedBy=default.target
```
-Save it to `~/.config/systemd/user/cloudtube.service`, then issue these commands:
-
-```
-$ systemctl daemon-reload
-$ systemctl start cloudtube
-```
-
-...and if all is successful...
-
-```
-$ systemctl enable cloudtube
-```
-
-## nginx reverse proxy
-
-This will allow people to access CloudTube over HTTPS and without having to enter a port into the browser's address bar.
-
-It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need it.
-
-SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
-)
-
-Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397))
-
-```
-# mkdir -p /etc/nginx/ssl
-# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem
-```
-
-Then create a file inside the directory /etc/nginx/sites-available (suggested name: cloudtube-proxy) with contents like this:
+Save to `~/.config/systemd/user/cloudtube.service`.
-```
-server {
- listen 80;
- listen [::]:80;
- server_name cloudtube.example.com; # [1]
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name cloudtube.example.com; # [1]
-
- ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2]
- ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2]
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m;
- ssl_session_tickets off;
+### As system service
- ssl_dhparam /etc/nginx/ssl/dhparam; # [3]
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers off;
-
- location / {
- proxy_pass http://127.0.0.1:10412;
- }
-}
-```
-
-- `[1]` Write your actual domain here in place of cloudtube.example.com, without capital letters.
-- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.
-- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)
-
-Set the configuration as enabled:
-
-```
-# cd /etc/nginx/sites-enabled
-# ln -sv ../sites-available/cloudtube-proxy .
```
+[Unit]
+Description=CloudTube
+After=network.target
-And delete the default "it works" server that comes with nginx:
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/node /home/cloudtube/cloudtube/server.js
+WorkingDirectory=/home/cloudtube/cloudtube
+# Restart timing
+Restart=always
+RestartSec=60
-```
-# rm default
-```
+# Disable logs
+StandardOutput=null
+StandardError=null
+SyslogIdentifier=cloudtube
-Check your configuration. If there are errors, find them and fix them.
-This sample config should be good on its own.
+# User to run service as
+User=cloudtube
-```
-# nginx -t
+[Install]
+WantedBy=multi-user.target
```
-Once there are no errors in the configuration, start nginx:
+Save to `/etc/systemd/system/cloudtube.service`.
-```
-# systemctl start nginx
-```
-
-Enable the nginx service to automatically start nginx after a machine reboot:
+### Start service
```
-# systemctl enable nginx
+$ systemctl daemon-reload
+$ systemctl start cloudtube
```
-If nginx is already running, you only have to reload the configuration:
+...and if all is successful...
```
-# systemctl reload nginx
+$ systemctl enable cloudtube
```
-Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum))
-
-1. First, go to the [SSLMate CAA record generator.][caa generator]
-1. Enter your domain name, then press "auto-generate policy".
-1. Scroll the list and make sure all boxes are unchecked _except_ for
-the one that has your certificate authority.
-1. If it's all good, go down to the "publish your CAA policy" section
-and examine the first code block. You need to create a DNS record with
-this information on your domain.
-
-[caa generator]: https://sslmate.com/caa/
-
-Once you've set everything up, open your domain
-(ex: `https://cloudtube.example.com`) in your browser and check that:
+## nginx reverse proxy
-1. The CloudTube home page appears
-1. You are connected over HTTPS
+This will allow people to access CloudTube over HTTPS and without having to enter a port into the browser's address bar.
-Now that that works,
-[run the Qualys SSL Labs server test][ssl server test] to make sure
-your configuration is secure. The test will take a few minutes to run.
+It's highly recommended for public instances, but if this installation is for a test or for your personal use, you don't need to do it.
-[ssl server test]: https://www.ssllabs.com/ssltest/
+Follow the steps [on the nginx documentation page →](./Proxy with nginx.md)
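Review bot: the commands under `### Start service` no longer match either unit now that the section covers both variants: the user unit saved to `~/.config/systemd/user/cloudtube.service` is only seen by `systemctl --user daemon-reload`, `systemctl --user start cloudtube` and `systemctl --user enable cloudtube`, while the system unit in `/etc/systemd/system/cloudtube.service` has to be managed as root (a `#` prompt, the convention the nginx sections already use, rather than `$`). Suggest one command block per variant. In the new system unit, `StandardOutput=null` and `StandardError=null` under `# Disable logs` also discard the process's stderr, so a crash loop driven by `Restart=always` / `RestartSec=60` leaves nothing in `journalctl -u cloudtube` to diagnose and makes `SyslogIdentifier=cloudtube` pointless; `StandardError=journal` (or simply dropping both lines, since the journal is the default) keeps crashes visible without turning on verbose output. Since this variant is managed by the system instance with `User=cloudtube`, it is also the natural place for basic sandboxing such as `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=strict` plus a `ReadWritePaths=` entry for whatever directory the app writes to; the page does not say which directory that is, so leave the path to the maintainer.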
M docs/Installing NewLeaf.md => docs/Installing NewLeaf.md +47 -1
@@ 82,6 82,8 @@ This service should be run as the cloudtube user rather than as the system.
You may need to adjust the paths in these files.
+### As user service
+
If you find that these processes terminate when you log out, see the documentation for [`libpam-systemd`](https://manpages.debian.org/stretch/libpam-systemd/pam_systemd.8.en.html) and [`logind.conf`](https://manpages.debian.org/stretch/systemd/logind.conf.5.en.html).
```
@@ 106,7 108,38 @@ SyslogIdentifier=newleaf
WantedBy=multi-user.target
```
-As above, save it to `~/.config/systemd/user/newleaf.service`, then issue these commands:
+Save to `~/.config/systemd/user/newleaf.service`.
+
+### As system service
+
+```
+[Unit]
+Description=NewLeaf
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/home/cloudtube/newleaf-venv/bin/python3 /home/cloudtube/NewLeaf/index.py
+WorkingDirectory=/home/cloudtube/NewLeaf
+# Restart timing
+Restart=always
+RestartSec=60
+
+# Disable logs
+StandardOutput=null
+StandardError=null
+SyslogIdentifier=newleaf
+
+# User to run as
+User=cloudtube
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Save to `/etc/systemd/system/newleaf.service`.
+
+### Start service
```
$ systemctl daemon-reload
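Review bot: the unchanged context line `WantedBy=multi-user.target` at the top of this hunk belongs to the unit the text now says to save as `~/.config/systemd/user/newleaf.service`, but the per-user systemd instance has no `multi-user.target`; `systemctl --user enable newleaf` will create a wants-link under a target that is never reached, so the service will not start at login. The user unit should end with `WantedBy=default.target`, as the CloudTube user unit in the sibling file does; the new system unit below is correct with `multi-user.target`. The same two points raised on the CloudTube hunk apply here: the `### Start service` commands need `systemctl --user ...` for the user unit and a root `#` prompt for the system unit, and `StandardError=null` in the system unit hides the traceback from a Python crash that `Restart=always` would otherwise surface every 60 seconds in `journalctl -u newleaf`.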
@@ 118,3 151,16 @@ $ systemctl start newleaf
```
$ systemctl enable newleaf
```
+
+## nginx reverse proxy
+
+This will allow people to access NewLeaf over HTTPS and without a port number in the URL.
+
+You should do this if:
+
+- You will run a public NewLeaf instance
+- You will run a public CloudTube instance (NewLeaf also needs to be public)
+
+If this installation is a test, or for your personal use, you don't need to do this.
+
+Follow the steps [on the nginx documentation page →](./Proxy with nginx.md)
A docs/Proxy with nginx.md => docs/Proxy with nginx.md +181 -0
@@ 0,0 1,181 @@
+# Proxy with nginx
+
+## Prerequisites
+
+Install nginx from the package manager.
+
+## Configuration
+
+```
+# cd /etc/nginx
+```
+
+SSL options are from [Mozilla's SSL configuration generator.](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&hsts=false&ocsp=false&guideline=5.6
+)
+
+Download `dhparam.pem`: ([Why?](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397))
+
+```
+# mkdir -p /etc/nginx/ssl
+# wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem
+```
+
+Delete the default "it works" server that comes with nginx:
+
+```
+# rm sites-enabled/default
+```
+
+## NewLeaf
+
+Create a file inside the directory `/etc/nginx/sites-available` (suggested name: newleaf-proxy) with contents like this:
+
+```
+server {
+ listen 80;
+ listen [::]:80;
+ server_name newleaf.example.com; # [1]
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name newleaf.example.com; # [1]
+
+ ssl_certificate /etc/letsencrypt/live/newleaf.example.com/fullchain.pem; # [2]
+ ssl_certificate_key /etc/letsencrypt/live/newleaf.example.com/privkey.pem; # [2]
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/ssl/dhparam; # [3]
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ proxy_pass http://127.0.0.1:3000;
+ }
+}
+```
+
+- `[1]` Write your actual domain here in place of newleaf.example.com, without capital letters.
+- `[2]` Write your actual domain here in place of newleaf.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.
+- `[3]` [More information.](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters/94397#94397)
+
+Set the configuration as enabled:
+
+```
+# cd /etc/nginx/sites-enabled
+# ln -sv ../sites-available/newleaf-proxy .
+```
+
+## CloudTube
+
+(If you are installing NewLeaf only, you can skip this section.)
+
+Create a file inside the directory `/etc/nginx/sites-available` (suggested name: cloudtube-proxy) with contents like this:
+
+```
+server {
+ listen 80;
+ listen [::]:80;
+ server_name cloudtube.example.com; # [1]
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name cloudtube.example.com; # [1]
+
+ ssl_certificate /etc/letsencrypt/live/cloudtube.example.com/fullchain.pem; # [2]
+ ssl_certificate_key /etc/letsencrypt/live/cloudtube.example.com/privkey.pem; # [2]
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:MozSSL:10m;
+ ssl_session_tickets off;
+
+ ssl_dhparam /etc/nginx/ssl/dhparam;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ proxy_pass http://127.0.0.1:10412;
+ }
+}
+```
+
+- `[1]` Write your actual domain here in place of cloudtube.example.com, without capital letters.
+- `[2]` Write your actual domain here in place of cloudtube.example.com. If your certificate is not from Let's Encrypt, you'll have to replace the entire path.
+
+Set the configuration as enabled:
+
+```
+# cd /etc/nginx/sites-enabled
+# ln -sv ../sites-available/cloudtube-proxy .
+```
+
+## Apply changes
+
+Check your configuration. If there are errors, find them and fix them.
+This sample config should be good on its own.
+
+```
+# nginx -t
+```
+
+Once there are no errors in the configuration, start nginx:
+
+```
+# systemctl start nginx
+```
+
+Enable the nginx service to automatically start nginx after a machine reboot:
+
+```
+# systemctl enable nginx
+```
+
+If nginx is already running, you only have to reload the configuration:
+
+```
+# systemctl reload nginx
+```
+
+## CAA for DNS
+
+Now set up CAA for your DNS. You must set up DNS before you can do this. ([Why is CAA important?](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum))
+
+1. First, go to the [SSLMate CAA record generator.][caa generator]
+1. Enter your domain name, then press "auto-generate policy".
+1. Scroll the list and make sure all boxes are unchecked _except_ for
+the one that has your certificate authority.
+1. If it's all good, go down to the "publish your CAA policy" section
+and examine the first code block. You need to create a DNS record with
+this information on your domain.
+
+[caa generator]: https://sslmate.com/caa/
+
+## Conclusion
+
+Once you've set everything up, open your domain
+(ex: `https://cloudtube.example.com`) in your browser and check that:
+
+1. The CloudTube home page appears
+1. You are connected over HTTPS
+
+Now that that works,
+[run the Qualys SSL Labs server test][ssl server test] to make sure
+your configuration is secure. The test will take a few minutes to run.
+
+[ssl server test]: https://www.ssllabs.com/ssltest/
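Review bot: both server blocks reference `ssl_dhparam /etc/nginx/ssl/dhparam;` while the Prerequisites step writes the file with `wget https://ssl-config.mozilla.org/ffdhe2048.txt -O /etc/nginx/ssl/dhparam.pem`, so `nginx -t` will fail on a missing file; change the directive to `ssl_dhparam /etc/nginx/ssl/dhparam.pem;` in both blocks (the CloudTube block is also missing the `# [3]` marker the NewLeaf block carries on that line). The `location /` blocks use `proxy_pass` with no `proxy_set_header`, so the upstream sees `Host: 127.0.0.1:3000` (or `:10412`) and the loopback address instead of the client; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto https;` so the applications can build correct URLs and see real client addresses in their logs. Two documentation gaps: the config points at `/etc/letsencrypt/live/<domain>/fullchain.pem` and `privkey.pem` but the page never says how that certificate is obtained, and `nginx -t` also fails while those files do not exist, so a certificate-issuance step (or a stated prerequisite) belongs before the `## Apply changes` section; and the Mozilla generator link was built with `hsts=false`, which is reasonable for a first test but a public instance should add `add_header Strict-Transport-Security "max-age=63072000" always;` once HTTPS is confirmed working, and the Qualys test in the Conclusion will flag its absence. Minor: `rm sites-enabled/default` assumes the Debian/Ubuntu layout; on distributions that ship only `/etc/nginx/conf.d/` the reader should be told where the default server lives instead.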