Update raspiblitz_deployment.md

4 years ago · c41adfb9b6
1 changed files with 89 additions and 2 deletions
--- a/docs/raspiblitz_deployment.md
+++ b/docs/raspiblitz_deployment.md
@ -97,8 +97,18 @@ $ export NODE_IP=x.x.x.x:3001
 ```
 where `x.x.x.x` is the local IP address of the machine running your Sphinx-Relay on your local network.

+**note:** Sphinx client uses HTTP to communicate with **sphinx-relay**. Since setting up SSL on a local network is problematic (you don't have any domain names to authenticate with certificates), you have to rely on your local network security. Below is an example of how Sphinx/sphinx-relay communications look like in **tcpdump**:
+
+```
+{"success":true,"response":{"seen":false,"id":393,"chat_id":1,"uuid":"iJ8xow2hhR4AvLj8SGg3Eu","type":0,"sender":1,"amount":0,"date":"2020-09-15T20:49:36.000Z","message_content":"edNsPx6GmrXlM2jPwphOMaGPblpRxvkrYJcvuK2TEZDCTdFp3dFqKeZaWZS64vd/AlQCK9NQ754PWqwQHON1Ox3MMIb8SiD87WRlYSIWqAKy3PsipGiq99qDr/U5Cky7T+VKbAQyjGl4KtFo0ZWNJmzSykkjeaqj1xtsipHCAlcDIzE5KV1bomUh6z9/P22nxRfxXALCKQ7TANU0yAVqnoocvVrXNaFC77Q7t9G/zxbnf+fGU8gBEt9R/3AncpTvY7xd/bCe0EjTASj13/P9ZzZBb60LM+MEp4vxMpEwLkLCwREVBUYbac+gtznNOCoYb8u15zz9DwP9qZ49/xZwCw==","remote_message_content":"{\"3\":\"EUlLtTGQToo5MsUxsbyLDnC7jzrDX3vZjLxH48r2Fnqnyi1XWZyf9+PA84934KzqOtUXvmqmV8E5QlNtTXh1pYpOWVuO1yX+0by03BQOuoJaoHRWrRTIHZP2xOff8VufcNmb57M4PgXQaH38V+iFWQkQaBaKmagh74jVfg7kH+ZsqdTBYw7CnFSUKXdc6E8JYeEwIRuCMOHdDB9STyUVdVTm8WtEa2pB6Yagkcx4rsWJY/vbEkjYhSRGb8dO2DESB3KtYtO+J7Xs/Z/Djolk3iFcMb59XVKoIqBbxg+KZPK7Vrv06TtSr4OFSgiSnkyxm+r6TDxiNxVaisAXFWB9cg==\"}","status":0,"created_at":"2020-09-15T20:49:36.000Z","updated_at":"2020-09-15T20:49:36.555Z","status_m
+```
+*Message payloads are encrypted with **sphinx cypher**, but all metadata is transmitted in cleartext.*
+
+
 #### If you want to connect to your Sphinx-Relay from outside of your local network

+**note:** it is recommended to use SSL encryption for any communications between **Sphinx** and **sphinx-relay** outside of a trusted network. [**Docker deployment guide**](docs/docker-deployment.md) sets up SSL encryption for you automatically, you only have to obtain your domain and certificates. If you still want to set up **sphinx-relay** manually, the instructions to set up the SSL are below.
+
 ```sh 
 $ cd
 $ cd sphinx-relay/config/
@ -106,12 +116,89 @@ $ export NODE_IP=x.x.x.x:3001
 ```
 where `x.x.x.x` is the permanent public IP address of your router.

-> Make sure that port 3001 forwarding is properly set up.
+Make sure that port 3001 forwarding is properly set up.

 For extra security:
 ```sh
 $ export USE_PASSWORD=true
 ```
+As noted in the previous section, you might want to protect communications between your Sphinx client and **sphinx-relay** with SSL.
+
+In order to do that, obtain a domain and an SSL certificate for your **sphinx-relay** server and set up a reverse proxy with NGINX (or a more lightweight alternative).
+
+We recommend using Let's Encrypt service to obtain a free SSL certificate and [**acme.sh**](https://acme.sh) for setting it up and renewals.
+
+To configure NGINX as an SSL reverse proxy:
+
+```sh
+$ sudo apt install nginx
+
+sudo nano /etc/nginx/sites-available/YOUR-DOMAIN
+```
+Use the following NGINX config:
+```
+server {
+  listen 53001 ssl;
+
+  server_name YOUR-DOMAIN;                                               
+  # Edit the above _YOUR-DOMAIN_ to your domain name
+   
+  ssl_certificate /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem;       
+  # If you use Lets Encrypt, you should just need to change the domain. 
+  # Otherwise, change this to the path to full path to your domains public certificate file.
+   
+  ssl_certificate_key /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem;     
+  # If you use Let's Encrypt, you should just need to change the domain.
+  # Otherwise, change this to the direct path to your domains private key certificate file.
+   
+  ssl_session_cache builtin:1000 shared:SSL:10m;                        
+  # Defining option to share SSL Connection with Passed Proxy
+   
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                                  
+  # Defining used protocol versions. 
+   
+  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; 
+  # Defining ciphers to use. 
+   
+  ssl_prefer_server_ciphers on;                                         
+  # Enabling ciphers
+   
+  access_log /var/log/nginx/access.log;                                 
+  # Log Location. the Nginx User must have R/W permissions. Usually by ownership.
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass http://localhost:3001;
+    proxy_read_timeout 90;
+  }
+
+} # Don't leave this out! It "closes" the server block we started this file with.
+```
+Save and exit:
+`Ctrl + X`
+
+`Y`
+
+`Enter`
+
+To make the file active, we will need to link the file in the sites-available folder to a location within the sites-enabled folder. Again, change YOUR-DOMAIN here with the actual name of the file you created earlier.
+```sh
+ln -s /etc/nginx/sites-avaialable/YOUR-DOMAIN /etc/nginx/sites-enabled/YOUR-DOMAIN.conf
+```
+
+To test your NGINX configuration:
+```sh
+$ nginx -t
+```
+
+To start your new NGINX SSL proxy:
+
+```sh
+$ sudo systemctl restart nginx
+```

 ### Activate keysend

@ -291,4 +378,4 @@ $ sudo systemctl start sphinx-relay
 `journalctl -u sphinx-relay -f`


-[Back to README](https://github.com/dimaatmelodromru/sphinx-relay/tree/docs-edit#connecting-a-mobile-client)
+[Back to README](https://github.com/dimaatmelodromru/sphinx-relay/tree/docs-edit#connecting-a-mobile-client)