Closed arendvw closed 5 years ago
Wow, hello @arendvw! Really good notes, big shout for the fail2ban
reference too!!! I can't believe I've missed this for more than a month π
It's actually a good question where to put these; i think maybe in the repo wiki and we could link to it from the readme in a discrete but proper way (i got burned - as you might've noticed given a recent pr to said readme).
@arendvw Great doc. i did a good and clean install of a speckle server on a VM under windows 10. i am a linux noob i just copy paste commands and a few commands were a little hard to follow or implement. i found the following guides helpfull: for installing nodejs on debian https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-debian-9 for installing backports on debian https://backports.debian.org/Instructions/
also on my debian systemcl command is in fact systectl and on the ngix config file i fount the folllowing typos: server_name speckle.example.com - shoul be - server_name speckle.example.com;
proxy_pass http://speckle_servers; - should be - proxy_pass http://speckleserver;
Otherwise great work.
It's actually a good question where to put these; i think maybe in the repo wiki and we could link to it from the readme in a discrete but proper way
@didimitrie I would suggest to keep the documentation in the github repository, so you can easily keep the documentation up to date in github, and use something like readthedocs.io to automatically generate html/searchable documentation if needed. It makes it easier to "move fast and break things", since you can easily create versioned documentation from git tags.
That being said, I agree with you that this may be too exaustive for a README. Especially since this is specifically written for a VPS, and I can imagine that a seperate documentation for development versions on Windows WSL, under OSX or for docker/kubernetes can have their own readme's.
In other project I've found the distiction between README, INSTALL.{platform}, and UPGRADE_XX_YY quite useful. But perhaps that's too legacy unix-y, and can also be opted for a docs/ folder with humable readable filenames.
@ionutanton Great work! I've updated my comment on the top with the typo's. Thanks for the write up.
My only question is about your links for documentation: In most cases I added these apt scripts as commands, since I generally don't like to download bash scripts and execute them as root user, this is why I've added them as commands. Perhaps you can share what went wrong with the backports and nodejs scripts?
@arendvw I would add that if people are installing in VM (Hyper-V or EXSi), and are doing so far a large organization in production, they should setup a user specifically dedicated to Speckle (as you have done, not sure that was documented) with the correct perms. I would be careful giving this user perms to sudo or root. These are the guides I've used (shared via Slack too) and found extremely helpful -- although they are written for Ubuntu Server, which is in effect Debian 'X':
The rest of your instructions RE Nginx and certs are great! The one note I might add is that the Server Block could be significantly reduced (sample below, mostly same as yours):
server {
# ssl
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name speckle.example.com;
location / {
proxy_pass http://ipaddr-speckleserver:3300;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
ssl_certificate /etc/letsencrypt/live/speckle.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/speckle.example.com/privkey.pem; # managed by Certbot
}
server {
if ($host = speckle.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name speckle.example.com;
return 404; # managed by Certbot
}
@arendvw I had a problem with the command curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | sudo apt-key add - it just said OK and the next part i didnt quite understand what to do with it (version= ...). that is why i used the script in the link i provided. and for backports after the echo that writes to the list you need an apt-get update. otherwise all good.
@markcichy the digitalocean setup tutorial is great. I've added my own 'poor' version of this, but referencing this and taking it as a starting point seems great.
Different port for ssl I know its popular advice, but I don't really believe changing ports will make stuff more secure. Perhaps you will filter out lots of the automated requests. I would highly prioritize not allowing root users and only allowing public key authentication over changing ports.
Unprivileged user The user comment is great. Except I would always do it, not just in "large organisations". In step 3 a non-root, non-sudo user is added for speckle.
UFW UFW Guide, seems like a good starting guide for learning ufw.
Mongo The mongo guide is a bit verbose, but a good reference for using systemctl. (E.g. sudo apt install -y mongodb ) will work for most people out of the box. Perhaps it's a good idea to add a check if mongo is only bound to the local ip.
Nginx Thanks for the updated version of nginx, I've added parts for what I assumed was needed for what I assumed was needed for websocket support, but perhaps this is not needed at all? This was also why I did not add http2 support.
Nginx SSL Will nginx start if an ssl certificate does not exist? I know apache does not.
I added the snake oil certificates to make sure the nginx config will work tutorial style. (Otherwise you have this chicken-egg problem with certbot that need a working nginx config to authenticate, and nginx needs an elasticsearch cerficate to work to start.
Yes, @arendvw ! Nginx will indeed startup without the cert -- browser will complain initially, but once you create your certs and add them to the Block all is well. Changing SSH port just cuts out bot scanning -- a good start IMHO.
These instructions seem pretty detailed and thorough :)
I agree that a Wiki isn't the ideal place for instructions like this. But I also think that they don't all quite fit in the repo. This is because a lot of the instructions are particular to dependency installation and nginx configuration. These are things where the best practice could easily change outside of our repo, and the instructions would then need to be maintained. It also might give the impression that we're vouching for the security and reliability of a system set up in this way, when in reality there are more considerations (updates, backups, password strength/key security).
As a (much larger, but) comparable project, the official NextCloud documentation only provides high level instructions for installing dependencies. They also provide some high level hardening and security guidance.
I think that the current instructions in the readme cover all of the Speckle-specific steps, and everything else is probably out of scope of any officially maintained documentation. We could perhaps add a list with some high level security guidance.
I think that a good place to put instructions like these would be as a blog post over here, with a caveat like "These instructions were tested and worked as of [date], but we can't guarantee they'll work in the future".
It also might give the impression that we're vouching for the security and reliability of a system set up in this way, when in reality there are more considerations (updates, backups, password strength/key security).
Is this not already solved by the MIT Licence? This contains a very clear notice this software is delivered AS IS. Adding a notice that following these steps does not guarantee the safety of your server if of course a good idea.
Nextcloud only provides high level instructions for installing dependencies.
I think it's an excellent outline for an installation document, but did you read the whole document?
The document you referenced contains:
Also note keep in mind:
All file system / file permissions in nextcloud are scripted. Which folders should be writable by the webserver, and which not? (This is missing for specke). Even if nothing needs to be world writeable, it should be documented.
The comparison is not completely fair, because PHP by definition will run under apache as an unpriviledged user, and nodejs will run once as whatever user you start it with, and when it crashes it's the end.
I think that the current instructions in the readme cover all of the Speckle-specific steps
I cannot disagree more. It took me a day to figure out how to get this to work in a way that any other project I've ever installed has decent documentation for. I would argue that getting this project to work in production does not have to be masochistic undertaking only for seasoned nodejs devops guru's.
Yet all the current readme has on this front is the cynical and non-encouraging notice that if you wish to use it in production and don't get it, it's because you're confused and stupid and should find and ask someone smarter.
Sorry if the instructions seem masochistic. They're not meant to be. But, so far, their terseness comes from several reasons, which are mentioned in the PR that modified them. And it seems they had the desired effect so far (with the not desired effect of annoying you @arendvw π¬, but there's a price for everything i guess...).
Is this not already solved by the MIT Licence?
Legally yes, practically no: see, for example, this tweet. I've personally received more feedback and discovering more every day (if i'm lucky I get to hear about it). Other anecdotal stories (but bear in mind i have to deal with this stuff!):
The above rant aside, this boils down to a very simple fact: the speckle community, so far, does not have the resources to maintain this level of detail in a potentially dangerous set of instructions. Even more, we can't even maintain basic docs about the core plugins. Not to mention the online clients. Or the sdk. We just have a bunch of old docs that I and a few others wrote ages ago. Nevertheless, with positive contributions like yours, and the rest from the above, and as the project matures, my hope is that this will change for the better.
Next steps (as i see them):
As an aside, I'm trying to transition the speckle website to something more approachable and editable, with less of a headache inducing front page, and with a proper CD pipeline (right now it's broken, and before it relied on a cron git pull), so perhaps the discourse option is safer. Happy for either options though.
@didimitrie @logan12358 This makes sense. I can imagine your reluctance in endorsing installation instructions.
I'm willing to maintain a living document on the discourse if that helps you in the short term from endorsing installation instructions and or implied SLA's.
@arendvw, thanks, that would be absolutely lovely. Thinking a bit back, i do believe i was a bit drastic in the readme refresh, and didn't allow for a graceful "migration" (ie, move the old instructions somewhere and link to them). Once you've done this, and redeemed my above sin, do throw a PR with the link to it.
π
Discourse's also connected to the slack channel, so it gets quite a bit of visibility too.
Ok, I've editted it to take into account the comments here and posted it on discourse
Here are my notes for installing speckle on a vps like server, using Debian 9.
I'm not sure if these instructions should be part of a readme, an install file, or if this should be a general advice. This is how I did it, this may also benefit others.
Related to #72 #123 #124 and https://github.com/speckleworks/SpeckleServer/pull/124#issuecomment-470711562_
This document assumes you have DNS setup for speckle.example.com
0. Setup
sudo
This document assumes all commands are done from a non-root user. Make sure you have a non root user, and this user is allowed to use sudo. We install & configure nano as the default editor.
The rest of this documentation assumes you're signed in as yourname
1. Install
ufw
Setup ufw (Uncomplicated firewall)
Setup fail2ban (Bans ips that try to login too many times for 15 minutes)
3. Install
nodejs
Add nodejs apt repository
Install speckle
Update configuration
You can close/kill the node server again, because we will use pm2 in the next steps.
TODO: Add documentation to allow the nodjes server only write to the folders it needs to write to? (E.g. logs?)
Install pm2 process manager
This will start the node server again if it crashes, and makes sure it will start on boot.
Install nginx as a reverse proxy
Add this config to the file
Enable the config file:
Your speckle server should now be reachable through http and https on port 80 and port 443.
Install SSL certificate with letsencrypt
Replace the commented lines in the nginx config file (ssl_certificate, ssl_certificate_key)