From 433b56d2f900bb53596b7a5965adfe6d93e6385b Mon Sep 17 00:00:00 2001 From: Daenney Date: Tue, 13 Jun 2023 16:30:09 +0200 Subject: [docs] Add certificates and firewalling to advanced (#1888) * [docs] Add a certificates guide in Advanced This adds some documentation about the process of getting certificates through ACME in general. It also provides a number of links to alternative clients and certbot deployment guides that are up to date. Slightly restructure the NGINX and Apache reverse proxy documentation and insert mentions to the Provisioning TLS certificates advanced documentation in them. * [docs] Add firewall section in Advanced * [docs] Add new guides to section indexes * [docs] Fix spelling issue * [docs] Fix a few typos --- docs/getting_started/index.md | 2 +- docs/getting_started/reverse_proxy/apache-httpd.md | 60 +++++++++++----------- docs/getting_started/reverse_proxy/nginx.md | 41 ++++++--------- 3 files changed, 46 insertions(+), 57 deletions(-) (limited to 'docs/getting_started') diff --git a/docs/getting_started/index.md b/docs/getting_started/index.md index b9224b62c..0f42c5128 100644 --- a/docs/getting_started/index.md +++ b/docs/getting_started/index.md 
@@ -72,4 +72,4 @@ GoToSocial needs ports `80` and `443` open. If you can't leave `443` and `80` open on the machine, don't worry! You can configure these ports in GoToSocial, but you'll have to also configure port forwarding to properly forward traffic on `443` and `80` to whatever ports you choose. !!! tip - You should configure a firewall on your machine, as well as some protection against brute-force SSH login attempts and the like. A simple frontend to help you configure your firewall is [UFW](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04). You should also consider a tool like [Fail2Ban](https://linuxize.com/post/install-configure-fail2ban-on-ubuntu-20-04/) in order to automatically block malicious users. + You should configure a firewall on your machine, as well as some protection against brute-force SSH login attempts and the like. Take a look at our [firewall documentation](../advanced/security/firewall.md) for pointers on what to configure and tools that can help you out. diff --git a/docs/getting_started/reverse_proxy/apache-httpd.md b/docs/getting_started/reverse_proxy/apache-httpd.md index 9522a0001..c9446ff87 100644 --- a/docs/getting_started/reverse_proxy/apache-httpd.md +++ b/docs/getting_started/reverse_proxy/apache-httpd.md 
@@ -1,36 +1,10 @@ # Apache HTTP Server -## Requirements +In order to use Apache as a reverse proxy for GoToSocial you'll need to have it installed on your server. If you intend for the Apache instance to also handle TLS, you'll need to [provision TLS certificates](../../advanced/certificates.md) too. -For this you will need the Apache HTTP Server. +Apache is [packaged for many distributions](https://repology.org/project/apache/versions). It's very likely you can install it with your distribution's package manager. You can also run Apache using a container runtime with the [official Apache image](https://hub.docker.com/_/httpd) that's published to the Docker Hub. -That is a fairly popular package so your distro will probably have it. - -### Ubuntu - -```bash -sudo apt install apache2 -``` - -### Arch - -```bash -sudo pacman -S apache -``` - -### OpenSuse - -```bash -sudo zypper install apache2 -``` - -### Install modules - -You'll also need to install additional modules for Apache HTTP Server. You can do that with the following command: - -```bash -sudo a2enmod proxy_http md ssl headers rewrite -``` +In this guide we'll also show how to use certbot to provision the TLS certificates. It too is [packaged in many distributions](https://repology.org/project/certbot/versions) but many distributions tend to ship fairly old versions of certbot. If you run into trouble it may be worth considering using the [container image](https://hub.docker.com/r/certbot/certbot) instead. ## Configure GoToSocial 
@@ -54,7 +28,28 @@ sudo systemctl restart gotosocial.service Or if you don't have a systemd service just restart it manually. -## Set up Apache HTTP Server with SSL managed using MD module +## Set up Apache + +### Required Apache modules + +You need to ensure you have a number of Apache modules installed and enabled. All these modules *should* ship with your distribution's Apache package, but they may have been split out into separate packages. + +You can check which modules you have installed with `apachectl -M`. + +You'll need to have the following modules loaded: + +* `proxy_http` to proxy HTTP requests to GoToSocial +* `ssl` to handle SSL/TLS +* `headers` to manipulate HTTP request and response headers +* `rewrite` to rewrite HTTP requests +* `md` for Lets Encrypt, available since 2.4.30 + +On Debian, Ubuntu and openSUSE, you can use the [`a2enmod`](https://manpages.debian.org/bookworm/apache2/a2enmod.8.en.html) utility to load any additional modules. For the Red Hat/CentOS family of distributions, you'll need to add a [`LoadModule` directive](https://httpd.apache.org/docs/2.4/mod/mod_so.html#loadmodule) to your Apache configuration instead. + +### TLS with mod_md + +!!! note + `mod_md` is only available since Apache 2.4.30 and still considered experimental. It works well enough in practice and is the most convenient method. Now we'll configure Apache HTTP Server to serve GoToSocial requests. 
@@ -169,7 +164,10 @@ If this happens, you'll need to do one (or all) of the below: 1. Update `/etc/apache2/sites-enabled/000-default.conf` and change the `ServerAdmin` value to a valid email address (then reload Apache HTTP Server). 2. Add the line `MDContactEmail your.email.address@whatever.com` below the `MDomain` line in `/etc/apache2/sites-available/example.com.conf`, replacing `your.email.address@whatever.com` with a valid email address, and `example.com` with your GtS host name. -## Set up Apache HTTP Server with SSL managed manually or by an external software (e.g. Certbot or acme.sh) +### TLS with externally managed certificates + +!!! note + We have additional documentation on how to [provision TLS certificates](../../advanced/certificates.md) that also provides links to additional content and tutorials for different distributions that may be good to review. If you prefer to have a manual setup or setting SSL using a different service to manage it (Certbot, etc), then you can use a simpler setup for your Apache HTTP Server. diff --git a/docs/getting_started/reverse_proxy/nginx.md b/docs/getting_started/reverse_proxy/nginx.md index fd9a42941..2cfd9020a 100644 --- a/docs/getting_started/reverse_proxy/nginx.md +++ b/docs/getting_started/reverse_proxy/nginx.md 
@@ -1,28 +1,10 @@ # NGINX -## Requirements +In order to use NGINX as a reverse proxy for GoToSocial you'll need to have it installed on your server. If you intend for the NGINX instance to also handle TLS, you'll need to [provision TLS certificates](../../advanced/certificates.md) too. -For this you will need [Certbot](https://certbot.eff.org/), the Certbot NGINX plugin and of course [NGINX](https://www.nginx.com/) itself. +NGINX is [packaged for many distributions](https://repology.org/project/nginx/versions). It's very likely you can install it with your distribution's package manager. You can also run NGINX using a container runtime with the [official NGINX image](https://hub.docker.com/_/nginx) that's published to the Docker Hub. -These are popular packages so your distro will probably have them. - -### Ubuntu - -```bash -sudo apt install certbot python3-certbot-nginx nginx -``` - -### Arch - -```bash -sudo pacman -S certbot certbot-nginx nginx -``` - -### OpenSuse - -```bash -sudo zypper install nginx python3-certbot python3-certbot-nginx -``` +In this guide we'll also show how to use certbot to provision the TLS certificates. It too is [packaged in many distributions](https://repology.org/project/certbot/versions) but many distributions tend to ship fairly old versions of certbot. If you run into trouble it may be worth considering using the [container image](https://hub.docker.com/r/certbot/certbot) instead. ## Configure GoToSocial 
@@ -34,11 +16,17 @@ sudo systemctl stop gotosocial Or if you don't have a systemd service just stop it manually. -In your GoToSocial config turn off letsencrypt by setting `letsencrypt-enabled` to `false`. +Tweak your GoToSocial configuration like so: -If you we running GoToSocial on port 443, change the `port` value back to the default `8080`. +```yaml +letsencrypt-enabled: false +port: 8080 +bind-address: 127.0.0.1 +``` + +The first setting disables the built-in provisioning of TLS certificates. Since NGINX will now be handling that traffic GoToSocial no longer needs to be bound to port 443, or any privileged port. -If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable. +By setting the `bind-address` to `127.0.0.1` GoToSocial will no longer be accessible directly from the outside. If your NGINX and GoToSocial instance aren't running on the same server you'll need to bind to an IP address that lets your reverse proxy reach your GoToSocial instance. By binding to a private IP address you can be sure GoToSocial can't be accessed except through NGINX. ## Set up NGINX @@ -119,7 +107,10 @@ Everything working? Great! Then restart nginx to load your new config file. sudo systemctl restart nginx ``` -## Setting up SSL with certbot +## Set up TLS + +!!! note + We have additional documentation on how to [provision TLS certificates](../../advanced/certificates.md) that also provides links to additional content and tutorials for different distributions that may be good to review. You should now be able to run certbot and it will guide you through the steps required to enable https for your instance. -- cgit v1.2.3
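Review bot: in the `docs/getting_started/index.md` hunk (`@@ -72,4 +72,4 @@`), the new tip links to `../advanced/security/firewall.md`, while the two reverse-proxy files in this patch link certificates at `../../advanced/certificates.md`; because the diffstat is limited to `docs/getting_started`, neither target file is visible here. Please confirm that `advanced/security/firewall.md` and `advanced/certificates.md` exist at exactly those paths in the same PR, since this hunk also removes the UFW and Fail2Ban links, so a broken relative link would leave the tip with no working pointer to firewall or brute-force protection guidance at all.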
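Review bot: in `docs/getting_started/reverse_proxy/apache-httpd.md` (`@@ -1,36 +1,10 @@`), the added paragraph "In this guide we'll also show how to use certbot to provision the TLS certificates" is word for word the one added to `nginx.md`, but the Apache guide's primary TLS path (per the later `### TLS with mod_md` section) is `mod_md`, with certbot only mentioned as one option under externally managed certificates. Suggest rewording to say the guide uses `mod_md` by default and only points at certbot as an alternative, so readers don't install a certbot they won't use.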
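Review bot: in the `@@ -54,7 +28,28 @@` hunk of `apache-httpd.md`, "You can check which modules you have installed with `apachectl -M`" is inaccurate: `apachectl -M` lists the modules currently loaded (compiled in plus those pulled in by `LoadModule`), not what is installed on disk, so a packaged-but-disabled module will not appear there. Suggest "which modules are loaded". Two smaller points in the same list: "`md` for Lets Encrypt" should read "Let's Encrypt" (and `mod_md` speaks ACME in general, so any ACME CA works), and since the previous hunk drops the concrete `sudo a2enmod proxy_http md ssl headers rewrite` line, the prose now names `a2enmod` without ever showing an invocation; keeping that one-line example would save Debian/Ubuntu readers a trip to the man page.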
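Review bot: in the `@@ -169,7 +164,10 @@` hunk of `apache-httpd.md`, the section is demoted to `### TLS with externally managed certificates` under the new `## Set up Apache` section, whose `### Required Apache modules` list states "You'll need to have the following modules loaded" including `md`. For the externally managed path `mod_md` is not needed, and loading an experimental module the setup never uses only adds surface for no benefit, so suggest marking `md` as required only for the `mod_md` route. The unchanged context line "If you prefer to have a manual setup or setting SSL using a different service to manage it (Certbot, etc)" also reads awkwardly now that the heading above it says TLS; consider "If you prefer a manual setup, or want a different tool such as Certbot to manage TLS".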
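Review bot: in `nginx.md` (`@@ -1,28 +1,10 @@`), the removed install commands included the certbot NGINX plugin (`python3-certbot-nginx` / `certbot-nginx`), but the replacement text only mentions certbot itself, while the later context line "You should now be able to run certbot and it will guide you through the steps required to enable https for your instance" still assumes that plugin is present. Suggest either naming the plugin in the new paragraph or adjusting the later step so it no longer depends on the plugin being installed.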
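Review bot: in the `@@ -34,11 +16,17 @@` hunk of `nginx.md`, the sentence "By binding to a private IP address you can be sure GoToSocial can't be accessed except through NGINX" overstates what a bind address gives you: a private address is reachable by every host on that network segment (and the `127.0.0.1` case is reachable by every process on the same host), so the guarantee only holds together with a firewall rule that restricts the GoToSocial port to the reverse proxy's address. Suggest softening to "reduces exposure" and cross-linking the firewall documentation that the `index.md` hunk in this same patch introduces. Minor: "Since NGINX will now be handling that traffic GoToSocial no longer needs to be bound to port 443" wants a comma after "traffic".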