Setup
Server A
- Raspberry Pi 3
- Debian/Yunohost
- Nextcloud (443)
- CalDAV (443)
- CardDAV (443)
- Zerobin (443)
- Cesium (443)
Server B
- LIME2
- Debian/Yunohost
- Duniter (443)
- LAN IP: 192.168.178.30
Client Computer
- Desktop
- Arch Linux
- Sakia
Router
Port forwarding
- Server A
- 80
- 443
This means that I cannot access Server B on ports 80 and 443.
This results in the following error when I try to access https://guilder-test.eu.org/webui:
Your connection is not secure
The owner of guilder-test.eu.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
And when running Sakia:
[me@Main-computer sakia]$ sakia --currency=Guilder-Test
Error connecting to the network : Error : No peer answered in community (0 peers available)
So what to do?
I’ve tried changing port 443 to port 44344 on Server B, but I’ve been told that either Yunohost or Duniter, or both, have port 443 hardcoded into their software.
My current configuration
Personal server (Server A)
Domains of Server A (Withheld and renamed to domain-a.tld for privacy)
admin@YunoHost:~ $ sudo yunohost domain list
domains: domain-a.tld
/etc/nginx/conf.d/domain-a.tld.conf
# Server A, plain-HTTP vhost for domain-a.tld.
# Only /yunohost/admin is redirected to HTTPS; every other path, including the
# locations pulled in by the include (presumably the duniter.conf shown below),
# is also served over port 80.
server {
listen 80;
listen [::]:80;
server_name domain-a.tld;
# SSOwat (YunoHost SSO) access-phase handler for this vhost.
access_by_lua_file /usr/share/ssowat/access.lua;
include conf.d/domain-a.tld.d/*.conf;
location /yunohost/admin {
# Redirect the admin panel to HTTPS; $http_host echoes whatever Host the client sent.
return 301 https://$http_host$request_uri;
}
access_log /var/log/nginx/domain-a.tld-access.log;
error_log /var/log/nginx/domain-a.tld-error.log;
}
# Server A, HTTPS vhost for domain-a.tld.
# NOTE(review): the router forwards 443 only to Server A (see Setup) and this is
# the only 443 server block listed for it, so a TLS request for any other name
# -- e.g. guilder-test.eu.org -- presumably lands here and is answered with the
# domain-a.tld certificate. That matches the certificate error quoted above;
# reaching Server B by name would need a server block (or an SNI-based stream
# proxy) for guilder-test.eu.org on this host.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name domain-a.tld;
ssl_certificate /etc/yunohost/certs/domain-a.tld/crt.pem;
ssl_certificate_key /etc/yunohost/certs/domain-a.tld/key.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
# Ciphers with intermediate compatibility
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
# NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996); the "modern"
# profile commented out below limits this to TLSv1.2.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# (cipher line truncated in the original paste -- see Server B's copy for the full list)
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-S$
# Ciphers with modern compatibility
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
# Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
#ssl_protocols TLSv1.2;
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-$
# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
# NOTE(review): while ssl_dhparam stays commented out, nginx releases before
# 1.11.0 fall back to built-in 1024-bit DH parameters for the DHE-* suites in
# the list above -- generate the file as described, or check the nginx version.
#ssl_dhparam /etc/ssl/private/dh2048.pem;
# HSTS for one year. A browser that has stored this policy for a host will not
# let the user override a later certificate error for that host.
add_header Strict-Transport-Security "max-age=31536000;";
access_by_lua_file /usr/share/ssowat/access.lua;
include conf.d/domain-a.tld.d/*.conf;
include conf.d/yunohost_admin.conf.inc;
include conf.d/yunohost_api.conf.inc;
access_log /var/log/nginx/domain-a.tld-access.log;
error_log /var/log/nginx/domain-a.tld-error.log;
}
/etc/nginx/conf.d/domain-a.tld.d/duniter.conf
# Server A: reverse-proxy the Duniter node on Server B (LAN 192.168.178.30)
# behind domain-a.tld. Backend traffic is plain HTTP on the LAN.
# Only the nested UI locations (port 9220) run the SSOwat access handler; the
# BMA API at `location /` (port 10901) is proxied without it.
location / {
proxy_set_header X-Real-IP $remote_addr;
# Appends the client IP to any X-Forwarded-For value the client already sent.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): Host must be a bare host name; "https://domain-a.tld" puts a
# URL scheme into the Host header. Server B's copy of this file uses $http_host.
proxy_set_header Host https://domain-a.tld;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://192.168.178.30:10901;
proxy_redirect off;
# Socket.io support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# 24h idle timeouts so long-lived WebSocket connections are not cut.
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
# Unanchored regex: matches any URI containing ".js", ".png" etc., not only
# URIs that end with one of these extensions.
location ~ \.(js|css|woff|woff2|ttf|png) {
proxy_pass http://192.168.178.30:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
}
location /cesium {
proxy_pass http://192.168.178.30:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
# Trailing slash on proxy_pass: the matched prefix "/webui" is replaced by "/".
location /webui {
proxy_pass http://192.168.178.30:9220/;
access_by_lua_file /usr/share/ssowat/access.lua;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
# Regex location: the backend path must be given explicitly, here the normalized $uri.
location ~ /webmin {
proxy_pass http://192.168.178.30:9220$uri;
access_by_lua_file /usr/share/ssowat/access.lua;
}
location ~ /modules {
proxy_pass http://192.168.178.30:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
}
}
Duniter server (Server B)
The following modifications are needed to make the server run smoothly.
In /etc/profile
...
--PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
++PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games"
...
In /home/admin/.bashrc
...
# Pipes stdin to the public termbin.com paste service over a plain netcat
# connection: anything sent is uploaded in cleartext to a third party, so keep
# files containing keys, passwords or private config out of it.
alias tb="nc termbin.com 9999"
In /etc/ssh/sshd_config
...
--PermitRootLogin yes
++PermitRootLogin no
...
--PasswordAuthentication yes
++PasswordAuthentication no
...
--UsePAM yes
++UsePAM no
...
++AllowUsers admin
Domains of Server B
admin@Gildurklaus:~ $ sudo yunohost domain list
domains: guilder-test.eu.org
/etc/nginx/conf.d/guilder-test.eu.org.d/duniter.conf
# Server B: local reverse proxy in front of the Duniter node on this host.
# Only the nested UI locations (port 9220) run the SSOwat access handler; the
# BMA API at `location /` (port 10901) is proxied without it.
location / {
proxy_set_header X-Real-IP $remote_addr;
# Appends the client IP to any X-Forwarded-For value the client already sent.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Forwards the Host the client sent (contrast Server A's copy, which hardcodes a URL).
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
# NOTE(review): conf.json below sets "ipv4": "192.168.178.10" while this host's
# LAN IP is given as 192.168.178.30 in Setup; confirm which address Duniter
# actually listens on, since this loopback proxy_pass (and Server A's proxy to
# 192.168.178.30:10901) depends on it.
proxy_pass http://127.0.0.1:10901;
proxy_redirect off;
# Socket.io support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# 24h idle timeouts so long-lived WebSocket connections are not cut.
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
# Unanchored regex: matches any URI containing ".js", ".png" etc., not only
# URIs that end with one of these extensions.
location ~ \.(js|css|woff|woff2|ttf|png) {
proxy_pass http://localhost:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
}
location /cesium {
proxy_pass http://localhost:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
# Trailing slash on proxy_pass: the matched prefix "/webui" is replaced by "/".
location /webui {
proxy_pass http://localhost:9220/;
access_by_lua_file /usr/share/ssowat/access.lua;
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
# Regex location: the backend path must be given explicitly, here the normalized $uri.
location ~ /webmin {
proxy_pass http://localhost:9220$uri;
access_by_lua_file /usr/share/ssowat/access.lua;
}
location ~ /modules {
proxy_pass http://localhost:9220;
access_by_lua_file /usr/share/ssowat/access.lua;
}
}
/etc/nginx/conf.d/guilder-test.eu.org.conf
# Server B, plain-HTTP vhost for guilder-test.eu.org.
# Only /yunohost/admin is redirected to HTTPS; every other path, including the
# locations pulled in by the include (duniter.conf above), is also served over
# port 80.
server {
listen 80;
listen [::]:80;
server_name guilder-test.eu.org;
# SSOwat (YunoHost SSO) access-phase handler for this vhost.
access_by_lua_file /usr/share/ssowat/access.lua;
include conf.d/guilder-test.eu.org.d/*.conf;
location /yunohost/admin {
# Redirect the admin panel to HTTPS; $http_host echoes whatever Host the client sent.
return 301 https://$http_host$request_uri;
}
access_log /var/log/nginx/guilder-test.eu.org-access.log;
error_log /var/log/nginx/guilder-test.eu.org-error.log;
}
# Server B, HTTPS vhost for guilder-test.eu.org.
# NOTE(review): with the router forwarding 443 to Server A only (see Setup),
# this block is presumably reachable only from the LAN; external clients never
# get this certificate.
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name guilder-test.eu.org;
ssl_certificate /etc/yunohost/certs/guilder-test.eu.org/crt.pem;
ssl_certificate_key /etc/yunohost/certs/guilder-test.eu.org/key.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers on;
# Ciphers with intermediate compatibility
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
# NOTE(review): TLS 1.0 and 1.1 are deprecated (RFC 8996); the "modern"
# profile commented out below limits this to TLSv1.2.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# NOTE(review): the list below still offers the 3DES suites (*-DES-CBC3-SHA),
# which are deprecated; the "modern" list further down drops them.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# Ciphers with modern compatibility
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
# Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
#ssl_protocols TLSv1.2;
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
# NOTE(review): while ssl_dhparam stays commented out, nginx releases before
# 1.11.0 fall back to built-in 1024-bit DH parameters for the DHE-* suites in
# the list above -- generate the file as described, or check the nginx version.
#ssl_dhparam /etc/ssl/private/dh2048.pem;
# HSTS for one year. Browsers store this policy only after an error-free TLS
# connection, so the HSTS refusal quoted above for guilder-test.eu.org
# presumably dates from an earlier successful visit to this vhost; until that
# stored policy expires or is cleared, the browser will not offer a
# certificate exception for this name.
add_header Strict-Transport-Security "max-age=31536000;";
access_by_lua_file /usr/share/ssowat/access.lua;
include conf.d/guilder-test.eu.org.d/*.conf;
include conf.d/yunohost_admin.conf.inc;
include conf.d/yunohost_api.conf.inc;
access_log /var/log/nginx/guilder-test.eu.org-access.log;
error_log /var/log/nginx/guilder-test.eu.org-error.log;
}
/root/.config/duniter/duniter_default/conf.json
{
"currency": "Guilder-Test",
"endpoints": [],
"rmEndpoints": [],
"upInterval": 3600000,
"c": "0.000054218",
"dt": "86400",
"dtReeval": 2629800,
"ud0": "100",
"stepMax": 3,
"sigPeriod": "0",
"sigValidity": 31536000,
"msValidity": 31536000,
"sigQty": "3",
"xpercent": 0.9,
"percentRot": 0.6666666666666666,
"powDelay": "1200",
"avgGenTime": 960,
"dtDiffEval": 10,
"medianTimeBlocks": 20,
"httplogs": false,
"udid2": false,
"timeout": 3000,
"isolate": false,
"forksize": 100,
"switchOnHeadAdvance": 3,
"sync": {},
"port": 10901,
"msPeriod": 604800,
"loglevel": "info",
"cpu": 0.6,
"ipv4": "192.168.178.10",
"remotehost": "guilder-test.eu.org",
"remoteport": "443",
"upnp": false,
"dos": {
"whitelist": [
"127.0.0.1"
],
"maxcount": 50,
"burst": 20,
"limit": 40,
"maxexpiry": 10,
"checkinterval": 1,
"trustProxy": true,
"includeUserAgent": true,
"errormessage": "Error",
"testmode": false,
"silent": false,
"silentStart": false,
"responseStatus": 429
},
"ws2p": {
"uuid": "30f438fa",
"privateAccess": true,
"publicAccess": true,
"preferedOnly": false,
"privilegedOnly": false,
"upnp": false,
"host": "127.0.0.1",
"port": 20901,
"remoteport": 443,
"remotehost": "guilder-test.eu.org"
},
"sigStock": "300000",
"sigWindow": 604800,
"idtyWindow": 604800,
"msWindow": 604800,
"rootoffset": 0,
"remoteipv6": "<global ipv6>",
"ipv6": "<global ipv6>",
}
Edit Duniter’s systemd service file /opt/duniter/release/extra/systemd/duniter.service:
--Environment="DUNITER_WEB="
++Environment="DUNITER_WEB=web"
Enable the service and reboot:
admin@Gildurklaus:~$ sudo cp /opt/duniter/release/extra/systemd/duniter.service /lib/systemd/system
admin@Gildurklaus:~$ sudo systemctl enable duniter.service
Created symlink from /etc/systemd/system/multi-user.target.wants/duniter.service to /lib/systemd/system/duniter.service.
admin@Gildurklaus:~$ sudo reboot
Client Computer
/opt/sakia/root_servers.yml
Guilder-Test:
display: European Basic Guilder Test
nodes:
AbE4R2fg4hmf6FPYuSuxx9MC9abnSMaPPenoYp8kHsf6:
- "BMAS guilder-test.eu.org 443"