llebout
commented
4 years ago Please test the changes on Digital Ocean. I unfortunately do not have a Digital Ocean account, neither do I want to have one.
Closed llebout closed 4 years ago
llebout
commented
4 years ago Please test the changes on Digital Ocean. I unfortunately do not have a Digital Ocean account, neither do I want to have one.
staltz
commented
4 years ago @leo-lb Thanks for this. I installed it at http://178.62.230.131/ but https://178-62-230-131.nip.io/ is not opening (for me), it just keeps loading. Any ideas?
llebout
commented
4 years ago @staltz Domain is:
https://ssb-room-178-62-230-131.nip.io/
As noted in the first comment.
To debug: Could I get SSH access to that machine?
My ssh public key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC00Qxu2IT1etOI3sUtKvs1QkJ6Z9puONItYY2xDMnQi9auRZxfq+8to2DdlBjx2MLOzci3dQoIDYGTJApZxrdQ+HzjJZOD9WV5V0tZu4Xppun+HxDxTUv+sgKDm0CDMR7FXmXD150sL8uufJyOuqfjYDbFIMIRXw03Hjr+q2wlgq/tia639SoYlPxcrrwmXYmFcr40eruSXRgoZym+kvsUdxUfKlKhoDhfL/+9WNTNGeTkQoCkQs7zr9JHT1J4X4n4Mm/tXzfGv2Nmt5u1TBEllg3+16C3kx5MYh7gqpnIpPAxs/Z9Vt+flcnlMtmsJUi3Cp3RQGaFtiWgIOPenZirOkay
To debug: Could I get SSH access to that machine?
Done, try ssh root@178.62.230.131
llebout
commented
4 years ago @staltz Are you sure you ran the script that I updated?
Can't find neither watchtower or caddy.
llebout
commented
4 years ago So, I don't think the install script of my PR was run. But I could still perform few tests:
caddy while spawning its docker imagereverse-proxy subcommand doesnt seem to support giving a different port for https, maybe find a way to do cross container communication, with networks maybe?llebout
commented
4 years ago I'll switch to nginx and certbot.
llebout
commented
4 years ago @staltz Done. Should work, test please? And this time, please double-check you run the script from my branch.
Direct URL: https://raw.githubusercontent.com/staltz/ssb-room/511d1b4f2a97585a3943d70c1a5493654bb8bd7d/install.sh
llebout
commented
4 years ago For reference:
I changed the ssb-room so that it does not use the host network anymore but instead forwards port 8007 from 127.0.0.1:8007. This is better because otherwise it binds to all interfaces while nginx should be the front facing server for everything. It should not be possible to users to access the ssb-room server directly.
llebout
commented
4 years ago Pushed one last time to update the commit message. Should be ready to merge now, if the tests are successful! 🎉
staltz
commented
4 years ago And this time, please double-check you run the script from my branch.
@leo-lb The way I ran those scripts was using the DigitalOcean installer app, in other words, this link: http://butt.nz/install?url=https://github.com/leo-lb/ssb-room/blob/improve-security/app.yml
After merged, it would be this link (which is what README currently points to): http://butt.nz/install?url=https://github.com/staltz/ssb-room
Note that this installer webapp will automatically run install.sh, so it's not up to me to manually run whatever you configured.
I'll test again by running this installer webapp on your latest PR branch, and if it all works without fiddling with any terminal, then we're ready to merge. It's important that non-developers are able to install room servers.
llebout
commented
4 years ago @staltz https://github.com/leo-lb/ssb-room/blob/improve-security/app.yml points to https://raw.githubusercontent.com/staltz/ssb-room/master/install.sh so that's not right :/
What do we do here?
staltz
commented
4 years ago Can you update app.yml for this PR? Before merging, we can revert it. Or, you can open another branch that is forking from the improve-security branch, and on that one you update app.yml. Then I can use that branch with the installer.
llebout
commented
4 years ago staltz
commented
4 years ago @leo-lb It works, but there is a regression.
This page works: https://ssb-room-64-225-77-116.nip.io/
But this page should still work: http://64.225.77.116/ instead, it shows "welcome to nginx!"
Note: obviously we should prefer HTTPS over HTTP, but at the end of installer webapp, it shows a "go to my app" link that points the user to the HTTP page (see source), and we can't configure that. So the HTTP page should also show the room's website too. In the future we can improve this by either fixing do-install-button to redirect to a configured address, or we can render the HTTPS link inside the served webpage, or both. For now, we need to support HTTP too.
staltz
commented
4 years ago I added your SSH key to 64.225.77.116 in case you need it.
llebout
commented
4 years ago @staltz HTTP is supported through the domain name (but automatically redirected to HTTPS). Maybe I can redirect http://64.225.77.116/ to https://ssb-room-64-225-77-116.nip.io/ with nginx?
Though, I would prefer to modify that DO Installer, so I'll send a PR there.
staltz
commented
4 years ago @leo-lb Even if you get that PR merged, note that we currently run the webapp on butt.nz which is run by @ahdinosaur, who can update the software running on that server.
llebout
commented
4 years ago OK! Then I'll do both. But this first! Also, mind updating to Debian Buster by changing from 9 to 10 in app.yml?
staltz
commented
4 years ago If everything still works, sure.
llebout
commented
4 years ago @staltz
Done!
Public HTTPS URLs look like:
https://ssb-room.1-2-3-4.nip.io
(replace each . with -)https://ssb-room.fe80--3c60-5c2a-287d-5bf5.sslip.io
(replace each : with -)I put a dot after ssb-room instead of a dash because sslip.io doesnt support that for IPv6, and for consistency.
llebout
commented
4 years ago Re-pushed because I had forgotten to git add.
staltz
commented
4 years ago @leo-lb Good, we're almost there (and the HTTP=>HTTPS redirection worked!), it seems now that the webapp responds with 502, see: https://ssb-room.188-166-18-201.nip.io/
Again, you have the SSH rights to login
llebout
commented
4 years ago @staltz Debian Buster upgrade seems to have changed some things around docker installation, working on it!
llebout
commented
4 years ago @staltz Done!
llebout
commented
4 years ago @staltz Would be great to output a log to the DO Installer page so users can report their issues directly, if need be.
staltz
commented
4 years ago Worked beautifully! Merging and releasing new version...
lancew
commented
4 years ago You two are awesome! Thanks for efforts. So.is it possible for me to upgrade and not have to change anything or best with creating a new installation?
staltz
commented
4 years ago @lancew I don't know the answer to that. :D
I think that if we nuke & reinstall, then the SSB id of the room will be lost. This could be recovered by just replacing the secret file, but it's also likely that Digital Ocean would give you a different IP address, and that's important because that's how peers know how to connect to the room. A different IP would mean everyone would have to re-add the room.
I think in your case you could (if you're really interested) SSH into the server and run similar commands as are listed in this repo's install.sh.
In other cases, such as an existing room with a real domain setup, then we'd have to ask certbot for a specific certificate for that.
llebout
commented
4 years ago @staltz
I have many ideas for a complete refactor of this if the goal is making it easy for people to open their own ssb rooms and pubs, as well as secure maintenance and updates of them.
llebout
commented
4 years ago Also, I have little interest in making it specific to a single host, as that would centralize network around it.
So I'm thinking it has to be very agnostic.
staltz
commented
4 years ago Totally agree that it should be more host-agnostic, see this FAQ answer.
I have many ideas for a complete refactor
A complete refactor will be harder for me to review and merge. If you really want to rebuild this, then I encourage you to do that in a fork, I don't mind forks and often even promote them. Otherwise, incremental pull requests are the way to go when it comes to this repo.
Public HTTPS URLs look like:
https://ssb-room.1-2-3-4.nip.io(replace each . with -)https://ssb-room.fe80--3c60-5c2a-287d-5bf5.sslip.io(replace each : with -)