JackDotJS / vector-bot

A Discord bot for advanced moderation and server management.
https://discord.gg/s5nQBxFPp2
MIT License

!cfg - Web-Based Guild Config Editor #3

Open JackDotJS opened 2 years ago

JackDotJS commented 2 years ago

Given Vector's increasingly ambitious pursuit of customization, it's looking more and more necessary to create a full-fledged GUI for managing the bot's settings.

Vector will have a web-based config editor, which can be accessed by a simple command: !cfg. This command will not have any arguments.

Upon using this command, the bot generates a temporary URL that will grant access to the current guild's config editor page.

To save on server storage space, guild configs will only store values that differ from the default config. This may pose a problem when it comes to updating configs to newer versions. That said, I plan to have a system in place to automatically convert old configs to newer formats, and as part of that process, it should be relatively trivial to simply use a copy of the related default guild config as a template before proceeding. Before the config is finally written back to the disk, it could then be stripped of all values that completely match the ones found in the current default config.
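The sparse storage scheme described in this comment, sketched as an added example (not code from vector-bot; the `DEFAULTS` keys and the `version` field are constructed for illustration). It expands a stored config over a copy of the defaults, then strips matching values before the write:

```javascript
// Constructed default config; the real project's keys will differ.
const DEFAULTS = {
  version: 2,
  prefix: "!",
  moderation: { maxWarnings: 3, muteRole: null, logChannel: null },
  filters: ["invites"],
};

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Rebuild a full config: start from the defaults and overlay stored overrides.
// Only keys that exist in the defaults are visited, so obsolete keys and
// keys such as "__proto__" in an edited file are never copied across.
function expand(defaults, stored) {
  const out = {};
  for (const key of Object.keys(defaults)) {
    const d = defaults[key];
    const has = isObj(stored) && Object.hasOwn(stored, key);
    if (!has) out[key] = structuredClone(d);
    else if (isObj(d)) out[key] = expand(d, stored[key]);
    else out[key] = structuredClone(stored[key]);
  }
  return out;
}

// Drop every value equal to its default so only overrides reach the disk.
function strip(defaults, full) {
  const out = {};
  for (const key of Object.keys(defaults)) {
    const d = defaults[key];
    const v = full[key];
    if (isObj(d) && isObj(v)) {
      const sub = strip(d, v);
      if (Object.keys(sub).length > 0) out[key] = sub;
    } else if (v !== undefined && JSON.stringify(v) !== JSON.stringify(d)) {
      out[key] = v;
    }
  }
  return out;
}

// Upgrade an old stored config to the current format.
function upgrade(defaults, stored) {
  const full = expand(defaults, stored);
  full.version = defaults.version; // format-specific migrations would run here
  // The version marker has to survive stripping, otherwise a later
  // migration cannot tell which format the file on disk is in.
  return { version: defaults.version, ...strip(defaults, full) };
}
```
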

JackDotJS commented 2 years ago

given the complexities of a web editor, let alone the enormous can of worms that is web hosting and security, i'm starting to wonder if this part of the project is worth the effort. quite honestly, this issue has been the main cause of this large gap in development in recent months. guess i'm a little too ambitious with this project lmao

the idea up to this point was that there would be two separate servers, one for hosting the bot, and another for hosting a web server for config editing. i figured it'd be a good idea so that if the webserver was DDOS'd or something, the bot itself could continue to function normally. but this then requires a means of secure communication between the two servers, so users could safely edit bot configs without worry of leaking data or even manipulating configs during transport. the problem is i'm not that much of a networking or cybersecurity guy, so this sort of stuff is... really beyond me.

i still think having a custom GUI for editing the enormous amount of configuration options is gonna be necessary, so i'm trying to figure out something that'll be simple and decently secure enough to use.

the main problem is getting the server's existing config, if any, transferred to the editor so you obviously don't need to make a config from scratch every time. then, of course, you need to be able to transfer the modified config back to the bot to save. one of the original ideas i had was having a static webpage via something like GitHub pages, but i'm not sure how that could feasibly be done without something like... making the user manually import/export configs. of course that's a solution, but it's not really all that convenient, is it...? plus, it would ideally also have to include server data, such as channels, members, roles, etc... it's a huge mess.

of course i'm open to suggestions... and i could really use some, if this project is ever gonna have a chance to get back up to speed :v
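One way to make the temporary `!cfg` link from the opening comment short-lived and tamper-evident when the bot and the web editor are separate processes sharing a secret. This is an added example, not part of the thread or of vector-bot; `EDITOR_ORIGIN`, the `/edit` path, the claim names and the 10-minute lifetime are assumptions:

```javascript
const crypto = require("node:crypto");

// Assumption: both processes load the same secret from protected storage.
// It is generated per run here only so the example is self-contained.
const SECRET = crypto.randomBytes(32);
const EDITOR_ORIGIN = "https://config.example"; // placeholder host
const TTL_MS = 10 * 60 * 1000;

const mac = (body) =>
  crypto.createHmac("sha256", SECRET).update(body).digest("base64url");

// Bot side: called when a moderator runs !cfg in a guild.
function issueUrl(guildId, userId, now = Date.now()) {
  const claims = JSON.stringify({ guildId, userId, exp: now + TTL_MS });
  const body = Buffer.from(claims).toString("base64url");
  return `${EDITOR_ORIGIN}/edit?t=${body}.${mac(body)}`;
}

// Web side: returns the claims, or null if the token is malformed,
// altered, signed with another key, or past its expiry time.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== "string") return null;
  const [body, sig, extra] = token.split(".");
  if (!body || !sig || extra !== undefined) return null;
  const expected = Buffer.from(mac(body));
  const given = Buffer.from(sig);
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
  if (typeof claims.exp !== "number" || now >= claims.exp) return null;
  return claims;
}
```

The token stays valid until `exp`, so making the link single-use needs a server-side record of redeemed tokens. The same HMAC construction can authenticate a config payload sent back from the editor to the bot.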

RobertRR11 commented 2 years ago

Not really sure about the part with having two separate servers. Yes, DOS or other attacks could be stopped if you manage to not leak the bot server's IP, but it makes things just much harder. Obviously it would require a lot of work to establish a fully secure connection between both servers and would still open a potential man in the middle, which with the proper measures can be made very hard or near impossible, but is possible.

And yes, hosting both on the same server also has its downsides, but for a project like this I think it's easier to implement securely enough.

Also, I only have partial networking and cybersecurity experience, so anyone feel free to correct me if I'm wrong.

bdotsamir commented 2 years ago

DDOS attacks: put both the server and web panel behind cloudflare and that problem is solved 🤷‍♂️

If Jack wants to move to linux then I can be the one to secure things. It’s not difficult when you have like three ports open ever. One for HTTP, one for HTTPS, and one for SSH. That’s all I would imagine you’d need for this project?

JackDotJS commented 2 years ago

> And yes, hosting both on the same server also has its downsides, but for a project like this I think it's easier to implement securely enough.

aside from DDOS attacks, what would be the downsides of hosting both on the same server? because honestly that'd make things so much more simple.

> DDOS attacks: put both the server and web panel behind cloudflare and that problem is solved 🤷‍♂️

is it really that simple...?

if so, what would i need to do to implement it? and how much would it cost?

> It’s not difficult when you have like three ports open ever. One for HTTP, one for HTTPS, and one for SSH. That’s all I would imagine you’d need for this project?

remind me what SSH is for again?

bdotsamir commented 2 years ago

> > And yes, hosting both on the same server also has its downsides, but for a project like this I think it's easier to implement securely enough.
>
> aside from DDOS attacks, what would be the downsides of hosting both on the same server? because honestly that'd make things so much more simple.

In terms of technicality, if the server goes down then both the panel and bot go down, thus rendering any status checking (like a dyno.gg/status thing) infeasible. It does increase security though; less of an attack surface: fewer machines to try to break open. This is not yet considering the possibility that vector may grow so large that we need to split her across multiple servers.

> > DDOS attacks: put both the server and web panel behind cloudflare and that problem is solved 🤷‍♂️
>
> is it really that simple...?
>
> if so, what would i need to do to implement it? and how much would it cost?

Afaik it's free. There are paid versions but the DDOS protection is free. I use cloudflare for a service I'm running right now. Getting it configured depends on where you host the domain. If you buy it from cloudflare, I think it's built-in. But if you register it with some other registrar all you need to do is change the nameservers.

> > It’s not difficult when you have like three ports open ever. One for HTTP, one for HTTPS, and one for SSH. That’s all I would imagine you’d need for this project?
>
> remind me what SSH is for again?

Remote access. Secure shell. Terminal over the internet. Very very handy.

(pardon any formatting issues, i am on mobile unfortunately)

JackDotJS commented 2 years ago

> In terms of technicality, if the server goes down then both the panel and bot go down, thus rendering any status checking (like a dyno.gg/status thing) infeasible.

couldn't this be circumvented via a subdomain? i.e. status.vectorbot.com

iirc subdomains could be set up to be entirely separate servers

> Afaik it's free. There are paid versions but the DDOS protection is free. I use cloudflare for a service I'm running right now. Getting it configured depends on where you host the domain. If you buy it from cloudflare, I think it's built-in. But if you register it with some other registrar all you need to do is change the nameservers.

i typically use namecheap whenever i buy domains. apparently they have their own DDOS protection service at a premium

but if cloudflare DDOS protection is rly free, that'd be fuckin awesome. and i could definitely do nameserver changes through namecheap, i remember having to do smt like that for amazon AWS a while back.

> Remote access. Secure shell. Terminal over the internet. Very very handy.

ok yeah i'll definitely need that lmao

bdotsamir commented 2 years ago

> > In terms of technicality, if the server goes down then both the panel and bot go down, thus rendering any status checking (like a dyno.gg/status thing) infeasible.
>
> couldn't this be circumvented via a subdomain? i.e. status.vectorbot.com
>
> iirc subdomains could be set up to be entirely separate servers

it can be, yes :) just means two more ports to open, which shouldn't be too much of an issue. (another ssh port for the second server plus the websocket port.)

JackDotJS commented 2 years ago

alright so

summary of the discussion so far:

bdotsamir commented 2 years ago

Would the web server and bot be hosted in the same process? Or would they be separately started and maintained (with pm2 for example) and connected through an API/websocket?

JackDotJS commented 2 years ago

"the same process" as in like, the same node instance? because uhhh.... i mean, idk. technically i already do this with the bot's internal filesystem API, and in theory, it'd be possible to just add the web editor to that same script (which, consequentially, would make it open-source)

but it might be better for them to be separate instances on the same machine, so one can start/restart without having to worry about the other. also means the whole thing doesn't fall apart if one crashes lol

RobertRR11 commented 2 years ago

> but if cloudflare DDOS protection is rly free, that'd be fuckin awesome. and i could definitely do nameserver changes through namecheap, i remember having to do smt like that for amazon AWS a while back.

Cloudflare offers a lot of free features in addition to DDOS protection. You can also transfer domains directly to Cloudflare, which as far as I know doesn't have any additional costs except the base domain cost.

And by the way I'd recommend https://github.com/louislam/uptime-kuma as uptime status

JackDotJS commented 2 years ago

> And by the way I'd recommend https://github.com/louislam/uptime-kuma as uptime status

why specifically do you recommend this over something like atlassian statuspage (which is what discord uses)? https://www.atlassian.com/software/statuspage

RobertRR11 commented 2 years ago

Generally because I prefer open source software and that I hate Atlassian's services because they either just didn't work for me or are hard to use. And now I also can't delete my Atlassian account even though I'm not even using it anymore.

JackDotJS commented 2 years ago

fair x)