Closed llebout closed 4 years ago
Please test the changes on Digital Ocean. I unfortunately do not have a Digital Ocean account, neither do I want to have one.
@leo-lb Thanks for this. I installed it at http://178.62.230.131/ but https://178-62-230-131.nip.io/ is not opening (for me), it just keeps loading. Any ideas?
@staltz Domain is:
https://ssb-room-178-62-230-131.nip.io/
As noted in the first comment.
To debug: Could I get SSH access to that machine?
My ssh public key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC00Qxu2IT1etOI3sUtKvs1QkJ6Z9puONItYY2xDMnQi9auRZxfq+8to2DdlBjx2MLOzci3dQoIDYGTJApZxrdQ+HzjJZOD9WV5V0tZu4Xppun+HxDxTUv+sgKDm0CDMR7FXmXD150sL8uufJyOuqfjYDbFIMIRXw03Hjr+q2wlgq/tia639SoYlPxcrrwmXYmFcr40eruSXRgoZym+kvsUdxUfKlKhoDhfL/+9WNTNGeTkQoCkQs7zr9JHT1J4X4n4Mm/tXzfGv2Nmt5u1TBEllg3+16C3kx5MYh7gqpnIpPAxs/Z9Vt+flcnlMtmsJUi3Cp3RQGaFtiWgIOPenZir
Okay
To debug: Could I get SSH access to that machine?
Done, try ssh root@178.62.230.131
@staltz Are you sure you ran the script that I updated?
Can't find either watchtower or caddy.
So, I don't think the install script of my PR was run. But I could still perform a few tests:
caddy, while spawning its docker image: the reverse-proxy subcommand doesn't seem to support giving a different port for https, maybe find a way to do cross container communication, with networks maybe? I'll switch to nginx and certbot.
@staltz Done. Should work, test please? And this time, please double-check you run the script from my branch.
Direct URL: https://raw.githubusercontent.com/staltz/ssb-room/511d1b4f2a97585a3943d70c1a5493654bb8bd7d/install.sh
For reference:
I changed the ssb-room so that it does not use the host network anymore but instead forwards port 8007 from 127.0.0.1:8007. This is better because otherwise it binds to all interfaces while nginx should be the front facing server for everything. It should not be possible for users to access the ssb-room server directly.
Pushed one last time to update the commit message. Should be ready to merge now, if the tests are successful! 🎉
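As an added illustration of the loopback-only port publishing and nginx fronting described in the comment above (example code written for this thread, not the ssb-room project's own install.sh; the helper names, the nginx directives and the certbot certificate paths are assumptions), the following POSIX sh fragment renders the publish flag, checks that a docker -p specification is bound to loopback before the container is started, and emits an nginx site that redirects HTTP to HTTPS and proxies only to 127.0.0.1:8007:

```shell
#!/bin/sh
# Added example (not from the ssb-room PR): publish the room port on the
# loopback interface only and let nginx be the only network-facing server.
set -eu

ROOM_PORT=8007                                    # port ssb-room listens on
LOOPBACK_PUBLISH="127.0.0.1:${ROOM_PORT}:${ROOM_PORT}"

# docker run flag to use instead of --network host: the host side of the
# mapping is 127.0.0.1, so the room is reachable only from this machine.
room_publish_flag() {
  printf '%s' "-p ${LOOPBACK_PUBLISH}"
}

# Pre-flight check on a -p specification (HOST_IP:HOST_PORT:CONTAINER_PORT):
# return 0 only when the host side is a loopback address. A spec without a
# host IP (e.g. 8007:8007) binds to all interfaces and is rejected.
is_loopback_publish() {
  case "$1" in
    127.0.0.1:*|\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Render an nginx site for the given domain (e.g. ssb-room.1-2-3-4.nip.io):
# port 80 redirects to HTTPS, port 443 terminates TLS and proxies to the
# loopback port. Certificate paths assume certbot's default layout.
render_nginx_site() {
  domain="$1"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:${ROOM_PORT};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}
```

Usage: `is_loopback_publish "$spec" || exit 1` before `docker run $(room_publish_flag) ...`, and `render_nginx_site "$DOMAIN" > /etc/nginx/sites-available/ssb-room`. After the container is up, `docker port <container>` should list the mapping as 127.0.0.1:8007 and nothing else; if it shows 0.0.0.0, the room is directly reachable and nginx is no longer the only entry point.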
And this time, please double-check you run the script from my branch.
@leo-lb The way I ran those scripts was using the DigitalOcean installer app, in other words, this link: http://butt.nz/install?url=https://github.com/leo-lb/ssb-room/blob/improve-security/app.yml
After merged, it would be this link (which is what README currently points to): http://butt.nz/install?url=https://github.com/staltz/ssb-room
Note that this installer webapp will automatically run install.sh, so it's not up to me to manually run whatever you configured.
I'll test again by running this installer webapp on your latest PR branch, and if it all works without fiddling with any terminal, then we're ready to merge. It's important that non-developers are able to install room servers.
@staltz https://github.com/leo-lb/ssb-room/blob/improve-security/app.yml points to https://raw.githubusercontent.com/staltz/ssb-room/master/install.sh so that's not right :/
What do we do here?
Can you update app.yml for this PR? Before merging, we can revert it. Or, you can open another branch that is forking from the improve-security branch, and on that one you update app.yml. Then I can use that branch with the installer.
@leo-lb It works, but there is a regression.
This page works: https://ssb-room-64-225-77-116.nip.io/
But this page should still work: http://64.225.77.116/ Instead, it shows "welcome to nginx!"
Note: obviously we should prefer HTTPS over HTTP, but at the end of installer webapp, it shows a "go to my app" link that points the user to the HTTP page (see source), and we can't configure that. So the HTTP page should also show the room's website too. In the future we can improve this by either fixing do-install-button to redirect to a configured address, or we can render the HTTPS link inside the served webpage, or both. For now, we need to support HTTP too.
I added your SSH key to 64.225.77.116 in case you need it.
@staltz HTTP is supported through the domain name (but automatically redirected to HTTPS). Maybe I can redirect http://64.225.77.116/ to https://ssb-room-64-225-77-116.nip.io/ with nginx?
Though, I would prefer to modify that DO Installer, so I'll send a PR there.
@leo-lb Even if you get that PR merged, note that we currently run the webapp on butt.nz which is run by @ahdinosaur, who can update the software running on that server.
OK! Then I'll do both. But this first! Also, mind updating to Debian Buster by changing from 9 to 10 in app.yml?
If everything still works, sure.
@staltz
Done!
Public HTTPS URLs look like:
https://ssb-room.1-2-3-4.nip.io (replace each . with -)
https://ssb-room.fe80--3c60-5c2a-287d-5bf5.sslip.io (replace each : with -)
I put a dot after ssb-room instead of a dash because sslip.io doesn't support that for IPv6, and for consistency.
Re-pushed because I had forgotten to git add.
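The hostname scheme in the comment above, encoded and decoded in POSIX sh as an added example (not the ssb-room project's code; the function names are assumptions, and the IP addresses in the comments are the constructed ones from the thread): IPv4 dots become dashes under nip.io, IPv6 colons become dashes under sslip.io, and the reverse mapping lets an operator confirm which address a certificate was issued for.

```shell
#!/bin/sh
# Added example (not from the ssb-room PR): derive the public HTTPS hostname
# from the droplet's IP, and recover the IP from such a hostname.
set -eu

# 1.2.3.4                   -> ssb-room.1-2-3-4.nip.io
# fe80::3c60:5c2a:287d:5bf5 -> ssb-room.fe80--3c60-5c2a-287d-5bf5.sslip.io
# Anything that is neither IPv4 nor IPv6 is rejected with exit status 1.
room_hostname() {
  ip="$1"
  case "$ip" in
    *:*) printf 'ssb-room.%s.sslip.io\n' "$(printf '%s' "$ip" | tr ':' '-')" ;;
    *.*) printf 'ssb-room.%s.nip.io\n'   "$(printf '%s' "$ip" | tr '.' '-')" ;;
    *)   echo "room_hostname: not an IP address: $ip" >&2; return 1 ;;
  esac
}

# Reverse mapping. The middle label is the encoded IP; since neither an IPv4
# nor an IPv6 address ever contains a dash, every dash can be turned back.
room_ip_from_hostname() {
  host="$1"
  case "$host" in
    ssb-room.*.nip.io)
      enc="${host#ssb-room.}"; enc="${enc%.nip.io}"
      printf '%s\n' "$enc" | tr '-' '.' ;;
    ssb-room.*.sslip.io)
      enc="${host#ssb-room.}"; enc="${enc%.sslip.io}"
      printf '%s\n' "$enc" | tr '-' ':' ;;
    *)
      echo "room_ip_from_hostname: unrecognised hostname: $host" >&2; return 1 ;;
  esac
}
```

Because nip.io and sslip.io resolve whatever address is embedded in the name, the hostname (and the certificate certbot issues for it) is tied to the droplet's IP; a reinstall that lands on a different IP yields a different hostname, which is why peers would have to re-add the room.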
@leo-lb Good, we're almost there (and the HTTP=>HTTPS redirection worked!), it seems now that the webapp responds with 502, see: https://ssb-room.188-166-18-201.nip.io/
Again, you have the SSH rights to login
@staltz Debian Buster upgrade seems to have changed some things around docker installation, working on it!
@staltz Done!
@staltz Would be great to output a log to the DO Installer page so users can report their issues directly, if need be.
Worked beautifully! Merging and releasing new version...
You two are awesome! Thanks for your efforts. So, is it possible for me to upgrade and not have to change anything, or is it best to create a new installation?
@lancew I don't know the answer to that. :D
I think that if we nuke & reinstall, then the SSB id of the room will be lost. This could be recovered by just replacing the secret file, but it's also likely that Digital Ocean would give you a different IP address, and that's important because that's how peers know how to connect to the room. A different IP would mean everyone would have to re-add the room.
I think in your case you could (if you're really interested) SSH into the server and run similar commands as are listed in this repo's install.sh.
In other cases, such as an existing room with a real domain setup, then we'd have to ask certbot for a specific certificate for that.
@staltz I have many ideas for a complete refactor of this if the goal is making it easy for people to open their own ssb rooms and pubs, as well as secure maintenance and updates of them.
Also, I have little interest in making it specific to a single host, as that would centralize network around it.
So I'm thinking it has to be very agnostic.
Totally agree that it should be more host-agnostic, see this FAQ answer.
I have many ideas for a complete refactor
A complete refactor will be harder for me to review and merge. If you really want to rebuild this, then I encourage you to do that in a fork, I don't mind forks and often even promote them. Otherwise, incremental pull requests are the way to go when it comes to this repo.