Browse Source

Merge pull request #76 from dimaatmelodromru/mynode_deployment

Mynode deployment
push-params
Evan Feenstra 4 years ago
committed by GitHub
parent
commit
cbeacee270
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 127
      docs/myNode_deployment.md
  2. 91
      docs/raspiblitz_deployment.md

127
docs/myNode_deployment.md

@ -17,24 +17,24 @@ sqlite3: `$ sudo apt install sqlite3`
python2 (if not present): `$ sudo apt install python2`
### Open port 3001 on myNode
### Open port 53001 on myNode
**note**: This port can be whatever number you want. Just add PORT to your environment like `export PORT=5005`.
**note**: Port 3001 is now taken by one of myNode apps. In this document we use port 53001, but this port can be whatever number you want. Just add PORT to your environment like `export PORT=55005`.
Open up a console window with SSH. And login as root
```sh
$ sudo su
```
Open up port 3001 on your machine and make sure it has been added to the list.
Open up port 53001 on your machine and make sure it has been added to the list.
```sh
# ufw allow 3001 comment 'allow Sphinx-Chat'
# ufw allow 53001 comment 'allow Sphinx-Chat'
# ufw status
> Status: active
>
> To Action From
> -- ------ ----
> 3001 (v6) ALLOW Anywhere (v6) # Sphinx-Chat
> 53001 (v6) ALLOW Anywhere (v6) # Sphinx-Chat
```
### Download
@ -98,21 +98,108 @@ $ export NODE_IP=x.x.x.x:3001
```
where `x.x.x.x` is the local IP address of the machine running your Sphinx-Relay on your local network.
**note:** Sphinx client uses HTTP to communicate with **sphinx-relay**. Since setting up SSL on a local network is problematic (you don't have any domain names to authenticate with certificates), you have to rely on your local network security. Below is an example of how Sphinx/sphinx-relay communications look like in **tcpdump**:
```
{"success":true,"response":{"seen":false,"id":393,"chat_id":1,"uuid":"iJ8xow2hhR4AvLj8SGg3Eu","type":0,"sender":1,"amount":0,"date":"2020-09-15T20:49:36.000Z","message_content":"edNsPx6GmrXlM2jPwphOMaGPblpRxvkrYJcvuK2TEZDCTdFp3dFqKeZaWZS64vd/AlQCK9NQ754PWqwQHON1Ox3MMIb8SiD87WRlYSIWqAKy3PsipGiq99qDr/U5Cky7T+VKbAQyjGl4KtFo0ZWNJmzSykkjeaqj1xtsipHCAlcDIzE5KV1bomUh6z9/P22nxRfxXALCKQ7TANU0yAVqnoocvVrXNaFC77Q7t9G/zxbnf+fGU8gBEt9R/3AncpTvY7xd/bCe0EjTASj13/P9ZzZBb60LM+MEp4vxMpEwLkLCwREVBUYbac+gtznNOCoYb8u15zz9DwP9qZ49/xZwCw==","remote_message_content":"{\"3\":\"EUlLtTGQToo5MsUxsbyLDnC7jzrDX3vZjLxH48r2Fnqnyi1XWZyf9+PA84934KzqOtUXvmqmV8E5QlNtTXh1pYpOWVuO1yX+0by03BQOuoJaoHRWrRTIHZP2xOff8VufcNmb57M4PgXQaH38V+iFWQkQaBaKmagh74jVfg7kH+ZsqdTBYw7CnFSUKXdc6E8JYeEwIRuCMOHdDB9STyUVdVTm8WtEa2pB6Yagkcx4rsWJY/vbEkjYhSRGb8dO2DESB3KtYtO+J7Xs/Z/Djolk3iFcMb59XVKoIqBbxg+KZPK7Vrv06TtSr4OFSgiSnkyxm+r6TDxiNxVaisAXFWB9cg==\"}","status":0,"created_at":"2020-09-15T20:49:36.000Z","updated_at":"2020-09-15T20:49:36.555Z","status_m
```
*Message payloads are encrypted with **sphinx cypher**, but all metadata is transmitted in cleartext.*
#### If you want to connect to your Sphinx-Relay from outside of your local network
**note:** it is recommended to use SSL encryption for any communications between **Sphinx** and **sphinx-relay** outside of a trusted network. [**Docker deployment guide**](docs/docker-deployment.md) sets up SSL encryption for you automatically, you only have to obtain your domain and certificates. If you still want to set up **sphinx-relay** manually, the instructions to set up the SSL are below.
```sh
$ cd
$ cd sphinx-relay/config/
$ export NODE_IP=x.x.x.x:3001
$ export NODE_IP=x.x.x.x:53001
```
where `x.x.x.x` is the permanent public IP address of your router.
Make sure that port 3001 forwarding is properly set up.
Make sure that port 53001 forwarding is properly set up.
For extra security:
```sh
$ export USE_PASSWORD=true
```
As noted in the previous section, you might want to protect communications between your Sphinx client and **sphinx-relay** with SSL.
In order to do that, obtain a domain and an SSL certificate for your **sphinx-relay** server and set up a reverse proxy with NGINX (or a more lightweight alternative).
We recommend using Let's Encrypt service to obtain a free SSL certificate and [**acme.sh**](https://acme.sh) for setting it up and renewals.
To configure NGINX as an SSL reverse proxy:
```sh
$ sudo apt install nginx
sudo nano /etc/nginx/sites-available/YOUR-DOMAIN
```
Use the following NGINX config:
```
server {
listen 53001 ssl;
server_name YOUR-DOMAIN;
# Edit the above _YOUR-DOMAIN_ to your domain name
ssl_certificate /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem;
# If you use Lets Encrypt, you should just need to change the domain.
# Otherwise, change this to the path to full path to your domains public certificate file.
ssl_certificate_key /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem;
# If you use Let's Encrypt, you should just need to change the domain.
# Otherwise, change this to the direct path to your domains private key certificate file.
ssl_session_cache builtin:1000 shared:SSL:10m;
# Defining option to share SSL Connection with Passed Proxy
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Defining used protocol versions.
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
# Defining ciphers to use.
ssl_prefer_server_ciphers on;
# Enabling ciphers
access_log /var/log/nginx/access.log;
# Log Location. the Nginx User must have R/W permissions. Usually by ownership.
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:53001;
proxy_read_timeout 90;
}
} # Don't leave this out! It "closes" the server block we started this file with.
```
Save and exit:
`Ctrl + X`
`Y`
`Enter`
To make the file active, we will need to link the file in the sites-available folder to a location within the sites-enabled folder. Again, change YOUR-DOMAIN here with the actual name of the file you created earlier.
```sh
ln -s /etc/nginx/sites-avaialable/YOUR-DOMAIN /etc/nginx/sites-enabled/YOUR-DOMAIN.conf
```
To test your NGINX configuration:
```sh
$ nginx -t
```
To start your new NGINX SSL proxy:
```sh
$ sudo systemctl restart nginx
```
### Activate keysend
@ -172,6 +259,24 @@ Save and exit:
`Enter`
Now we have to set the environment variables `PORT` and `NODE_IP` for the new `sphinx-relay.service`:
`sudo systemctl edit sphinx-relay`
This opens `nano` editor with an empty configuration file that you should type the following text into:
```
[Service]
Environment="PORT=53001"
Environment="NODE_IP=x.x.x.x:53001"
```
Save and exit:
`Ctrl + X`
`Y`
`Enter`
Let's run!
```sh
$ sudo systemctl enable sphinx-relay
@ -268,7 +373,7 @@ Save and exit:
```sh
$ cd
$ cd sphinx-relay/config/
$ export NODE_IP=x.x.x.x:3001
$ export NODE_IP=x.x.x.x:53001
```
where `x.x.x.x` is the local IP address of the machine running your Sphinx-Relay on your local network.
@ -277,11 +382,11 @@ where `x.x.x.x` is the local IP address of the machine running your Sphinx-Relay
```sh
$ cd
$ cd sphinx-relay/config/
$ export NODE_IP=x.x.x.x:3001
$ export NODE_IP=x.x.x.x:53001
```
where `x.x.x.x` is the permanent public IP address of your router.
> Make sure that port 3001 forwarding is properly set up.
> Make sure that port 53001 forwarding is properly set up.
For extra security:
```sh
@ -307,4 +412,4 @@ $ sudo systemctl start sphinx-relay
`journalctl -u sphinx-relay -f`
[Back to README](https://github.com/dimaatmelodromru/sphinx-relay/tree/docs-edit#connecting-a-mobile-client)
[Back to README](https://github.com/dimaatmelodromru/sphinx-relay/tree/docs-edit#connecting-a-mobile-client)

91
docs/raspiblitz_deployment.md

@ -97,8 +97,18 @@ $ export NODE_IP=x.x.x.x:3001
```
where `x.x.x.x` is the local IP address of the machine running your Sphinx-Relay on your local network.
**note:** Sphinx client uses HTTP to communicate with **sphinx-relay**. Since setting up SSL on a local network is problematic (you don't have any domain names to authenticate with certificates), you have to rely on your local network security. Below is an example of how Sphinx/sphinx-relay communications look like in **tcpdump**:
```
{"success":true,"response":{"seen":false,"id":393,"chat_id":1,"uuid":"iJ8xow2hhR4AvLj8SGg3Eu","type":0,"sender":1,"amount":0,"date":"2020-09-15T20:49:36.000Z","message_content":"edNsPx6GmrXlM2jPwphOMaGPblpRxvkrYJcvuK2TEZDCTdFp3dFqKeZaWZS64vd/AlQCK9NQ754PWqwQHON1Ox3MMIb8SiD87WRlYSIWqAKy3PsipGiq99qDr/U5Cky7T+VKbAQyjGl4KtFo0ZWNJmzSykkjeaqj1xtsipHCAlcDIzE5KV1bomUh6z9/P22nxRfxXALCKQ7TANU0yAVqnoocvVrXNaFC77Q7t9G/zxbnf+fGU8gBEt9R/3AncpTvY7xd/bCe0EjTASj13/P9ZzZBb60LM+MEp4vxMpEwLkLCwREVBUYbac+gtznNOCoYb8u15zz9DwP9qZ49/xZwCw==","remote_message_content":"{\"3\":\"EUlLtTGQToo5MsUxsbyLDnC7jzrDX3vZjLxH48r2Fnqnyi1XWZyf9+PA84934KzqOtUXvmqmV8E5QlNtTXh1pYpOWVuO1yX+0by03BQOuoJaoHRWrRTIHZP2xOff8VufcNmb57M4PgXQaH38V+iFWQkQaBaKmagh74jVfg7kH+ZsqdTBYw7CnFSUKXdc6E8JYeEwIRuCMOHdDB9STyUVdVTm8WtEa2pB6Yagkcx4rsWJY/vbEkjYhSRGb8dO2DESB3KtYtO+J7Xs/Z/Djolk3iFcMb59XVKoIqBbxg+KZPK7Vrv06TtSr4OFSgiSnkyxm+r6TDxiNxVaisAXFWB9cg==\"}","status":0,"created_at":"2020-09-15T20:49:36.000Z","updated_at":"2020-09-15T20:49:36.555Z","status_m
```
*Message payloads are encrypted with **sphinx cypher**, but all metadata is transmitted in cleartext.*
#### If you want to connect to your Sphinx-Relay from outside of your local network
**note:** it is recommended to use SSL encryption for any communications between **Sphinx** and **sphinx-relay** outside of a trusted network. [**Docker deployment guide**](docs/docker-deployment.md) sets up SSL encryption for you automatically, you only have to obtain your domain and certificates. If you still want to set up **sphinx-relay** manually, the instructions to set up the SSL are below.
```sh
$ cd
$ cd sphinx-relay/config/
@ -106,12 +116,89 @@ $ export NODE_IP=x.x.x.x:3001
```
where `x.x.x.x` is the permanent public IP address of your router.
> Make sure that port 3001 forwarding is properly set up.
Make sure that port 3001 forwarding is properly set up.
For extra security:
```sh
$ export USE_PASSWORD=true
```
As noted in the previous section, you might want to protect communications between your Sphinx client and **sphinx-relay** with SSL.
In order to do that, obtain a domain and an SSL certificate for your **sphinx-relay** server and set up a reverse proxy with NGINX (or a more lightweight alternative).
We recommend using Let's Encrypt service to obtain a free SSL certificate and [**acme.sh**](https://acme.sh) for setting it up and renewals.
To configure NGINX as an SSL reverse proxy:
```sh
$ sudo apt install nginx
sudo nano /etc/nginx/sites-available/YOUR-DOMAIN
```
Use the following NGINX config:
```
server {
listen 53001 ssl;
server_name YOUR-DOMAIN;
# Edit the above _YOUR-DOMAIN_ to your domain name
ssl_certificate /etc/letsencrypt/live/YOUR-DOMAIN/fullchain.pem;
# If you use Lets Encrypt, you should just need to change the domain.
# Otherwise, change this to the path to full path to your domains public certificate file.
ssl_certificate_key /etc/letsencrypt/live/YOUR-DOMAIN/privkey.pem;
# If you use Let's Encrypt, you should just need to change the domain.
# Otherwise, change this to the direct path to your domains private key certificate file.
ssl_session_cache builtin:1000 shared:SSL:10m;
# Defining option to share SSL Connection with Passed Proxy
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Defining used protocol versions.
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
# Defining ciphers to use.
ssl_prefer_server_ciphers on;
# Enabling ciphers
access_log /var/log/nginx/access.log;
# Log Location. the Nginx User must have R/W permissions. Usually by ownership.
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://localhost:3001;
proxy_read_timeout 90;
}
} # Don't leave this out! It "closes" the server block we started this file with.
```
Save and exit:
`Ctrl + X`
`Y`
`Enter`
To make the file active, we will need to link the file in the sites-available folder to a location within the sites-enabled folder. Again, change YOUR-DOMAIN here with the actual name of the file you created earlier.
```sh
ln -s /etc/nginx/sites-avaialable/YOUR-DOMAIN /etc/nginx/sites-enabled/YOUR-DOMAIN.conf
```
To test your NGINX configuration:
```sh
$ nginx -t
```
To start your new NGINX SSL proxy:
```sh
$ sudo systemctl restart nginx
```
### Activate keysend
@ -291,4 +378,4 @@ $ sudo systemctl start sphinx-relay
`journalctl -u sphinx-relay -f`
[Back to README](https://github.com/dimaatmelodromru/sphinx-relay/tree/docs-edit#connecting-a-mobile-client)
[Back to README](https://github.com/dimaatmelodromru/sphinx-relay/tree/docs-edit#connecting-a-mobile-client)

Loading…
Cancel
Save