How to have two Yunohosts servers at home? The second one is running Duniter

Setup

Server A
  • Raspberry Pi 3
    • Debian/Yunohost
      • Nextcloud (443)
        • CalDAV (443)
        • CardDAV (443)
      • Zerobin (443)
      • Cesium (443)
Server B
  • LIME2
    • Debian/Yunohost
      • Duniter (443)
    • LAN IP: 192.168.178.30
Client Computer
  • Desktop
    • Arch Linux
      • Sakia
Router

Port forwarding

  • Server A
    • 80
    • 443

This means that I cannot access Server B on port 80 and 443.

It result into this error when I try to access https://guilder-test.eu.org/webui:

Your connection is not secure

The owner of guilder-test.eu.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

And for running sakia:

[me@Main-computer sakia]$ sakia --currency=Guilder-Test
Error connecting to the network : Error : No peer answered in  community (0 peers available)

So what to do?
I’ve tried changing port 443 to port 44344 on server B, but I’ve been told that either Yunohost or Duniter or both have port 443 hardcoded into their software.


My current configuration

Personal server (Server A)

Domains of Server A (Withheld and renamed to domain-a.tld for privacy)

admin@YunoHost:~ $ sudo yunohost domain list
domains: domain-a.tld

/etc/nginx/conf.d/domain-a.tld.conf

server {
    listen 80;
    listen [::]:80;
    server_name domain-a.tld;

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/domain-a.tld.d/*.conf;

    location /yunohost/admin {
        return 301 https://$http_host$request_uri;
    }

    access_log /var/log/nginx/domain-a.tld-access.log;
    error_log /var/log/nginx/domain-a.tld-error.log;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain-a.tld;

    ssl_certificate /etc/yunohost/certs/domain-a.tld/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/domain-a.tld/key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    ssl_prefer_server_ciphers on;

    # Ciphers with intermediate compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-S$

    # Ciphers with modern compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    #ssl_protocols TLSv1.2;
    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-$

    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;

    add_header Strict-Transport-Security "max-age=31536000;";

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/domain-a.tld.d/*.conf;

    include conf.d/yunohost_admin.conf.inc;
    include conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/domain-a.tld-access.log;
    error_log /var/log/nginx/domain-a.tld-error.log;
}

/etc/nginx.conf.d/domain-a.tld.d/duniter.conf

location / {
       proxy_set_header        X-Real-IP       $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        Host            https://domain-a.tld;
       proxy_set_header        X-NginX-Proxy  true;

       proxy_pass             http://192.168.178.30:10901;
       proxy_redirect          off;

       # Socket.io support
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 86400s; 
       proxy_send_timeout 86400s;

	location ~ \.(js|css|woff|woff2|ttf|png) {
		proxy_pass http://192.168.178.30:9220;
		access_by_lua_file /usr/share/ssowat/access.lua;
	}
	
	location /cesium {
		proxy_pass http://192.168.178.30:9220;
		access_by_lua_file /usr/share/ssowat/access.lua;
		# Include SSOWAT user panel.
		include conf.d/yunohost_panel.conf.inc;
	}

	location /webui {
		proxy_pass http://192.168.178.30:9220/;
		access_by_lua_file /usr/share/ssowat/access.lua;
		# Include SSOWAT user panel.
		include conf.d/yunohost_panel.conf.inc;
	}

	location ~ /webmin {
		proxy_pass http://192.168.178.30:9220$uri;
		access_by_lua_file /usr/share/ssowat/access.lua;
	}
	
	location ~ /modules {
		proxy_pass http://192.168.178.30:9220;
		access_by_lua_file /usr/share/ssowat/access.lua;
	}

}

Duniter server (Server B)

Some modifications are needed to make your server run smoothly.

In /etc/profile

...
--PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
++PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
...

In home/admin/.bashrc

...
alias tb="nc termbin.com 9999"

In /etc/ssh/sshd_config

...
--PermitRootLogin yes
++PermitRootLogin no
...
--PasswordAuthentication yes
++PasswordAuthentication no
...
--UsePAM yes
++UsePAM no
...
++AllowUsers admin

Domains of Server B

admin@Gildurklaus:~ $ sudo yunohost domain list
domains: guilder-test.eu.org

/etc/nginx/conf.d/guilder-test.eu.org.d/duniter.conf

location / {
       proxy_set_header        X-Real-IP       $remote_addr;
       proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header        Host            $http_host;
       proxy_set_header        X-NginX-Proxy  true;

       proxy_pass             http://127.0.0.1:10901;
       proxy_redirect          off;

       # Socket.io support
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_read_timeout 86400s; 
       proxy_send_timeout 86400s;

	location ~ \.(js|css|woff|woff2|ttf|png) {
		proxy_pass http://localhost:9220;
		access_by_lua_file /usr/share/ssowat/access.lua;
	}
	
	location /cesium {
		proxy_pass http://localhost:9220;
		access_by_lua_file /usr/share/ssowat/access.lua;
		# Include SSOWAT user panel.
		include conf.d/yunohost_panel.conf.inc;
	}

	location /webui {
		proxy_pass http://localhost:9220/;
		access_by_lua_file /usr/share/ssowat/access.lua;
		# Include SSOWAT user panel.
		include conf.d/yunohost_panel.conf.inc;
	}

	location ~ /webmin {
		proxy_pass http://localhost:9220$uri;
		access_by_lua_file /usr/share/ssowat/access.lua;
	}
	
	location ~ /modules {
		proxy_pass http://localhost:9220;
		access_by_lua_file /usr/share/ssowat/access.lua;
	}

}

/etc/nginx/conf.d/guilder-test.eu.org.conf

server {
    listen 80;
    listen [::]:80;
    server_name guilder-test.eu.org;

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/guilder-test.eu.org.d/*.conf;

    location /yunohost/admin {
        return 301 https://$http_host$request_uri;
    }

    access_log /var/log/nginx/guilder-test.eu.org-access.log;
    error_log /var/log/nginx/guilder-test.eu.org-error.log;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name guilder-test.eu.org;

    ssl_certificate /etc/yunohost/certs/guilder-test.eu.org/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/guilder-test.eu.org/key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    ssl_prefer_server_ciphers on;

    # Ciphers with intermediate compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    # Ciphers with modern compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    #ssl_protocols TLSv1.2;
    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;

    add_header Strict-Transport-Security "max-age=31536000;";

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/guilder-test.eu.org.d/*.conf;

    include conf.d/yunohost_admin.conf.inc;
    include conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/guilder-test.eu.org-access.log;
    error_log /var/log/nginx/guilder-test.eu.org-error.log;
}

/root/.config/duniter/duniter_default/conf.json

{
 "currency": "Guilder-Test",
 "endpoints": [],
 "rmEndpoints": [],
 "upInterval": 3600000,
 "c": "0.000054218",
 "dt": "86400",
 "dtReeval": 2629800,
 "ud0": "100",
 "stepMax": 3,
 "sigPeriod": "0",
 "sigValidity": 31536000,
 "msValidity": 31536000,
 "sigQty": "3",
 "xpercent": 0.9,
 "percentRot": 0.6666666666666666,
 "powDelay": "1200",
 "avgGenTime": 960,
 "dtDiffEval": 10,
 "medianTimeBlocks": 20,
 "httplogs": false,
 "udid2": false,
 "timeout": 3000,
 "isolate": false,
 "forksize": 100,
 "switchOnHeadAdvance": 3,
 "sync": {},
 "port": 10901,
 "msPeriod": 604800,
 "loglevel": "info",
 "cpu": 0.6,
 "ipv4": "192.168.178.10",
 "remotehost": "guilder-test.eu.org",
 "remoteport": "443",
 "upnp": false,
 "dos": {
  "whitelist": [
   "127.0.0.1"
  ],
  "maxcount": 50,
  "burst": 20,
  "limit": 40,
  "maxexpiry": 10,
  "checkinterval": 1,
  "trustProxy": true,
  "includeUserAgent": true,
  "errormessage": "Error",
  "testmode": false,
  "silent": false,
  "silentStart": false,
  "responseStatus": 429
 },
"ws2p": {
  "uuid": "30f438fa",
  "privateAccess": true,
  "publicAccess": true,
  "preferedOnly": false,
  "privilegedOnly": false,
  "upnp": false,
  "host": "127.0.0.1",
  "port": 20901,
  "remoteport": 443,
  "remotehost": "guilder-test.eu.org"
 },
 "sigStock": "300000",
 "sigWindow": 604800,
 "idtyWindow": 604800,
 "msWindow": 604800,
 "rootoffset": 0,
 "remoteipv6": "<global ipv6>",
 "ipv6": "<global ipv6>",
}

Edit duniter’s systemd daemon service file /opt/duniter/release/extra/systemd/duniter.service

--Environment="DUNITER_WEB="
++Environment="DUNITER_WEB=web"

Enable the service and reboot

admin@Gildurklaus:~$ sudo cp /opt/duniter/release/extra/systemd/duniter.service /lib/systemd/system
admin@Gildurklaus:~$ sudo systemctl enable duniter.service
Created symlink from /etc/systemd/system/multi-user.target.wants/duniter.service to /lib/systemd/system/duniter.service.
admin@Gildurklaus:~$ sudo reboot

Client Computer

/opt/sakia/root_servers.yml

Guilder-Test:
  display: European Basic Guilder Test 
  nodes:
    AbE4R2fg4hmf6FPYuSuxx9MC9abnSMaPPenoYp8kHsf6:
    - "BMAS guilder-test.eu.org 443"

I think you will have to add /etc/nginx/conf.d/domain-a.tld.d/duniter.conf and copy the content of /etc/nginx/conf.d/duniter-folatt.nohost.me.d/duniter.conf to it changing the localhost and 127.0.0.1 to the server ip of B.

Add /etc/nginx/conf.d/domain-a.tld.d/duniter.conf on which server?

To the server A at /etc/nginx/conf.d/domain-a.tld.d/duniter.conf

1 Like

That makes sense. I’ll implement that when I get home.

Hello,
I think about it because of the same question for me i want to put another server in order to do something similar like you.
And the problem is about the connexion secured by the Front server and the proxy pass to the secondary secure connexion on the back server.
I think my English is bad don’t hesitate to tell me if i write badly.

@madmaxlamenace You just have to set reverse proxy to the second device with Lets encrypt install on the first server. You can use the YunoHost redirect app too.

Merely adding duniter.conf to /etc/nginx/conf.d/domain-a.tld.d and changing ip’s is not working.

In fact, I now have the problem that https://duniter-folatt.nohost.me/webui is leading to Server A instead of Server B.

You will have to change more rules according to your need. I guessproxy_set_header Host $http_host; needs to be changed to proxy_set_header Host $host; or proxy_set_header Host https://domain-a.tld;

Try using Yunohost redirect app.

Updating the duniter.conf on Server A…
No change in sakia connection.

Installing redirect on Server A…
Other than the domain name are these settings correct?

I tried it with /webui and 192.168.178.10/webui instead the above settings. No success.

I can’t even access webui on 192.168.178.10/webui

I can’t even seem to access 192.168.178.10. Perhaps that’s the problem, but I’m off to work.

Okay, I can access 192.168.178.10 again, but not 192.168.178.10/webui for some reason.

192.168.178.10/webui is bringing me back to https://192.168.178.10/yunohost/admin/#/.

https://duniter-folatt.nohost.me/webui does work when the port is forwarded.
Without forwarding the connection says this:

Your connection is not secure

The owner of duniter-folatt.nohost.me has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Even when porting, I still can’t connect to the network via sakia.

So while https://duniter-folatt.nohost.me/webui works, sakia still doesn’t.

Hey @folaht thanks for all these tests ! I currently do not have time for this but would certainly like to have my main Internet Cube run my stable server with my NextCloud and also a Duniter node for G1, but I would also like to have another Internet Cube run test apps and a G1-Test Duniter node.
Sometime after the Capitole du Libre and Rencontres Monnaie Libre and Framasoft Contribution Camp… What a life ! \o/