where `x.x.x.x` is the local IP address of the machine running your Sphinx-Relay on your local network.
**note:** Sphinx client uses HTTP to communicate with **sphinx-relay**. Since setting up SSL on a local network is problematic (you don't have any domain names to authenticate with certificates), you have to rely on your local network security. Below is an example of what Sphinx/sphinx-relay communications look like in **tcpdump**:
*Message payloads are encrypted with **sphinx cypher**, but all metadata is transmitted in cleartext.*
#### If you want to connect to your Sphinx-Relay from outside of your local network
**note:** it is recommended to use SSL encryption for any communications between **Sphinx** and **sphinx-relay** outside of a trusted network. The [**Docker deployment guide**](docs/docker-deployment.md) sets up SSL encryption for you automatically; you only have to obtain your domain and certificates. If you still want to set up **sphinx-relay** manually, the instructions for setting up SSL are below.
where `x.x.x.x` is the permanent public IP address of your router.
> Make sure that port 3001 forwarding is properly set up.
For extra security:
```sh
$ export USE_PASSWORD=true
```
As noted in the previous section, you might want to protect communications between your Sphinx client and **sphinx-relay** with SSL.
In order to do that, obtain a domain and an SSL certificate for your **sphinx-relay** server and set up a reverse proxy with NGINX (or a more lightweight alternative).
We recommend using the Let's Encrypt service to obtain a free SSL certificate and [**acme.sh**](https://acme.sh) to set it up and handle renewals.
To configure NGINX as an SSL reverse proxy:
```sh
$ sudo apt install nginx
$ sudo nano /etc/nginx/sites-available/YOUR-DOMAIN
```
Use the following NGINX config:
```
server {
  listen 53001 ssl;
  server_name YOUR-DOMAIN;
  # Edit the above _YOUR-DOMAIN_ to your domain name
} # Don't leave this out! It "closes" the server block we started this file with.
```
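For reference, a complete TLS-terminating server block for this setup could look like the following. This is an added example, not the project's own config: the certificate paths are placeholders, and it assumes **sphinx-relay** listens on port 3001 on the same machine as NGINX.

```nginx
# Added example: TLS-terminating reverse proxy in front of sphinx-relay.
# Placeholders / assumptions: YOUR-DOMAIN, both certificate paths, and
# sphinx-relay listening on 127.0.0.1:3001 on the same host as NGINX.
server {
    listen 53001 ssl;
    server_name YOUR-DOMAIN;

    # Placeholder paths: point these at the full chain and private key
    # that your ACME client installed for YOUR-DOMAIN.
    ssl_certificate     /path/to/YOUR-DOMAIN/fullchain.pem;
    ssl_certificate_key /path/to/YOUR-DOMAIN/privkey.pem;

    # Refuse legacy protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Traffic is plain HTTP only on the loopback hop to the relay.
        proxy_pass http://127.0.0.1:3001;
        proxy_http_version 1.1;

        # Pass the original host and client address through to the relay.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` after enabling the site to validate the syntax before reloading. With the proxy in place, only port 53001 needs to be forwarded; leaving 3001 closed at the router keeps the cleartext HTTP listener off the internet.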
Save and exit:
`Ctrl + X`
`Y`
`Enter`
To make the file active, we need to link the file in the sites-available folder to a location within the sites-enabled folder. Again, replace YOUR-DOMAIN here with the actual name of the file you created earlier.