Difference between revisions of "Parleyvale.com"

From Wiki2
 
Line 9: Line 9:
===New VPS Information - Self-Managed 150GB VPS===
===New VPS Information - Self-Managed 150GB VPS===


Main IP Address: 192.210.144.134
Main IP Address: 198.23.150.36
Additional IP Address(es):  
Additional IP Address(es):  
Root Password: nji9ol
Root Password: nji9ol
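Review bot: the Root Password line in this hunk is carried over unchanged, so the revision that moves Main IP Address from 192.210.144.134 to 198.23.150.36 republishes a plaintext root credential right next to the address it works on. Replace the value on that line with a pointer to where the credential is kept offline, and change the password on the server, since the revision history of the page keeps the old text.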
Line 17: Line 17:


Please note: The account information we provide is for 'root' only. This is the user with the highest system privileges. Any additional users will need to be created manually.  
Please note: The account information we provide is for 'root' only. This is the user with the highest system privileges. Any additional users will need to be created manually.  




Line 37: Line 38:
===SSH Access Information===
===SSH Access Information===


Main IP Address: 192.210.144.134
Main IP Address: 198.23.150.36
Username: root
Username: root
Password: nji9ol
Password: nji9ol
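Review bot: the Username and Password lines under SSH Access Information still document password login as root for the new address 198.23.150.36. Have this section record a non-root account and key-based login instead; the note in the previous hunk already says additional users need to be created manually, so that step belongs here.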

Latest revision as of 13:00, 20 June 2014

PLEASE PRINT THIS EMAIL FOR YOUR RECORDS AND MAKE SURE TO READ THIS EMAIL IN FULL

Dear Timothy Mckenna (Sitebuilt Systems),

We are pleased to tell you that the server you ordered has now been set up and is operational.



Nginx

quick up on server

letsencrypt

/root/README16.04.md in sitebuilt.net has the docs on letsencrypt commands that have been run


letsencrypt certonly -a webroot --webroot-path=/home/tryit/public_html -d tryit.sitebuilt.net

letsencrypt certonly -a webroot --webroot-path=/var/www/html -d sitebuilt.net -d tryit.sitebuilt.net


  • put your code in some directory
  • modify sites-available
  • nginx -s reload
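
A sites-available file for the "modify sites-available" step, as an added example that is not from the original notes. It assumes the certificate issued by the tryit.sitebuilt.net command above sits in letsencrypt's default /etc/letsencrypt/live/ directory; the redirect on port 80 is also an assumption.

```nginx
# Added example, not this server's actual config.
# Port 80: answer ACME webroot challenges, send everything else to HTTPS.
server {
    listen 80;
    server_name tryit.sitebuilt.net;

    # The webroot plugin writes challenge files under
    # <webroot-path>/.well-known/acme-challenge/, so renewals keep working
    # only while this location stays reachable over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /home/tryit/public_html;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name tryit.sitebuilt.net;

    root /home/tryit/public_html;
    index index.html index.htm;

    # Default letsencrypt output paths (assumed; check /etc/letsencrypt/live/).
    ssl_certificate     /etc/letsencrypt/live/tryit.sitebuilt.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tryit.sitebuilt.net/privkey.pem;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Link the file into sites-enabled and run nginx -t before nginx -s reload, so a typo does not take the running sites down.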

forward proxy


http://blog.abarbanell.de/raspberry/2016/01/09/arduino-nginx/

me: Doesn't the nginx proxy need crts and keys? Will it just work like a browser and encrypt/decrypt automagically?

Tobias Abarbanell: Hi Tim, in this process the nginx is a server receiving requests over http and then on the encrypted side it is a client, so it does not need to have certificates.

If you want traffic coming the other direction, from the outside to your devices you would need certificates on the nginx and I would recommend using letsencrypt (https://letsencrypt.org) for this purpose.

Hi Tobias,

Thanks. BTW I think I had already solved the "traffic coming the other direction" problem. I've been loving mqtt as a lightweight protocol to have my esp8266's converse with the world. On my outside nginx vps I am running mosca inside a node app. Mosca is a broker. Devices and clients subscribe and publish to topics and mosca routes them. So my guess is that, having the pi handle the tls stuff, I'd be able to get data in too.

Meanwhile I've discovered (after lots of error and error) that if I limit the ciphers and keysize I can get TLSv1.1 working rather reliably straight from the esp8266. I haven't dropped a handshake in an hour now. Having WiFiClientSecure just use a fingerprint of the certificate (512 bit certificate) it verifies and accepts the cert. Instead of letting node run with its TLSv1.2 super secure big bloated ciphers I start node like this: node --tls-cipher-list='TLS_RSA_WITH_AES_128_CBC_SHA:RC4-MD5' lib/index.js. Ok so I won't win any awards for TLS and can't use AWS IOT (req TLSv1.2 and big ciphers), but the sensors and relays all over my house and yard will be very hard to mess with nonetheless.

Mosca sends mqtt to web clients using websockets. That's the final piece of the puzzle for me to tackle: wss for apache (windows testmachine) and nginx (ubuntu16.04vps).

Your idea is brilliant and I can't wait to try it on a pi.
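
The arrangement Tobias describes, sketched as an nginx config. This is an added example, not taken from the linked blog post or from this server; the listen address, the upstream host name and the CA bundle path are assumptions.

```nginx
# Added example. nginx takes plain HTTP from devices on the LAN and
# re-sends each request over TLS, acting as the TLS client.
server {
    # Assumed LAN address of the Pi. Binding to it keeps the
    # unencrypted port off every other interface.
    listen 192.168.1.10:8080;

    location / {
        # Assumed upstream; replace with the real HTTPS endpoint.
        proxy_pass https://api.example.com;
        proxy_set_header Host api.example.com;

        # As a client nginx needs no certificate of its own, but it does
        # not check the upstream's certificate unless told to:
        # proxy_ssl_verify defaults to off.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Send SNI and check the certificate against this name.
        proxy_ssl_server_name on;
        proxy_ssl_name        api.example.com;

        proxy_ssl_protocols TLSv1.2;
    }
}
```

With verification on, a certificate that does not chain to the trusted bundle or does not match the name makes nginx refuse the upstream connection and return 502 to the device.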


tcp proxy

http://yaoweibin.github.io/nginx_tcp_proxy_module/

https://serversforhackers.com/compiling-third-party-modules-into-nginx

https://github.com/imZack/docker-nginx-tcp-proxy

# fetch the module source over https (saved as ./master) and unpack it
wget https://github.com/yaoweibin/nginx_tcp_proxy_module/tarball/master
tar -xvf master
# copy the unpacked tree to /opt (run from the directory that contains it)
sudo cp -R yaoweibin-nginx_tcp_proxy_module-7d70702 /opt
sudo apt-get install -y dpkg-dev
sudo apt-get install -y libpcre++-dev
sudo mkdir /opt/rebuildnginx
cd /opt/rebuildnginx
sudo apt-get source nginx
cd /opt/rebuildnginx/nginx-1.10.0/
# apply the module's patch to the nginx tree, then build with the module
sudo patch -p1 < /opt/yaoweibin-nginx_tcp_proxy_module-7d70702/tcp.patch
sudo ./configure --add-module=/opt/yaoweibin-nginx_tcp_proxy_module-7d70702
sudo make
sudo make install

That puts it in the middle of nowhere (under /usr/local/nginx), with no systemctl unit and nothing in /usr/sbin.

In ls -al /etc/systemd/system/multi-user.target.wants/ there should be nginx.service -> /lib/systemd/system/nginx.service, and there should be the file nginx.service itself.

Since you messed with a systemd file, run

systemctl daemon-reload

nginx.service looks like this:

# Stop dance for nginx
# =======================
#
# ExecStop sends SIGQUIT (graceful stop) to the nginx process.
# If, after 5s (--retry QUIT/5) nginx is still running, systemd takes control
# and sends SIGTERM (fast shutdown) to the main process.
# After another 5s (TimeoutStopSec=5), and if nginx is alive, systemd sends
# SIGKILL to all the remaining processes in the process group (KillMode=mixed).
#
# nginx signals reference doc:
# http://nginx.org/en/docs/control.html
#
[Unit]
Description=A high performance web server and a reverse proxy server
After=network.target
[Service]
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed
[Install]
WantedBy=multi-user.target

And since the nginx binary isn't at /usr/sbin/nginx, where the unit file expects it, you need

ln -s /usr/local/nginx/sbin/nginx /usr/sbin/

websocket reverse proxy

https://www.nginx.com/blog/websocket-nginx/

http://stackoverflow.com/questions/36521858/nginx-reverse-proxying-wss-client-sent-invalid-method-while-reading-client-req

restart nginx

   nginx -s reload

allow directory reads

edit

  /etc/nginx/sites-available/default

add autoindex on here (nginx will then list the contents of any directory under the root that has no index file)

   location / {
       try_files $uri $uri/ =404;
       autoindex on;
   }  

restart

   nginx -s reload 

install

https://anturis.com/blog/nginx-vs-apache/

http://superuser.com/questions/93437/aptitude-vs-apt-get-which-is-the-recommended-aka-the-right-tool-to-use


https://www.digitalocean.com/community/tutorials/how-to-host-multiple-node-js-applications-on-a-single-vps-with-nginx-forever-and-crontab

SSL

https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
sudo ln -s /etc/nginx/sites-available/cascada.parleyvale.com /etc/nginx/sites-enabled/cascada.parleyvale.com


# Static site served over TLS
server {

        # "ssl" on the listen line replaces the deprecated "ssl on;"
        listen   443 ssl;
        server_name stuff2get.parleyvale.com;

        root /home/stuff2get/www;
        index index.html index.htm;

        ssl_certificate /etc/nginx/ssl/stuff2get.parleyvale.com/server.crt;
        ssl_certificate_key /etc/nginx/ssl/stuff2get.parleyvale.com/server.key;
}

# Same host, proxying to a node app on port 3000 instead.
# nginx ignores the second of two blocks that share listen and server_name,
# so enable only one of these.
server {

        listen   443 ssl;
        server_name stuff2get.parleyvale.com;

    location / {
        proxy_pass http://localhost:3000;
        # HTTP/1.1 plus the Upgrade/Connection headers let websockets through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

        ssl_certificate /etc/nginx/ssl/stuff2get.parleyvale.com/server.crt;
        ssl_certificate_key /etc/nginx/ssl/stuff2get.parleyvale.com/server.key;
}

New VPS Information - Self-Managed 150GB VPS

Main IP Address: 198.23.150.36
Additional IP Address(es):
Root Password: nji9ol
SolusVM Control Panel URL: http://vps.hudsonvalleyhost.com:5353/login.php
SolusVM Username: vmuser3377
SolusVM Password: nji9ol

Please note: The account information we provide is for 'root' only. This is the user with the highest system privileges. Any additional users will need to be created manually.


Notes about Addons

Addons are not provisioned instantly and a delay of up to 24 hours may occur. All addons must be paid for in full before they're activated. Once activated, we'll send you an email with the relevant information. We offer a free (optional) installation service for all addons. If you would like us to install an addon for you, please open a support ticket. Additional resources or gigabit port upgrades can only be performed by us, and we'll notify you via email when complete.

Custom DNS Server Addresses

The custom DNS addresses you should set for your domain to use are:

Primary DNS: ns1.parleyvale.com
Secondary DNS: ns2.parleyvale.com

You will have to login to your domain registrar and register your name servers first. Following that, you can set the name servers to the ones you just registered for the domain(s) of your choice. After adding these custom nameservers to your domain registrar control panel, it can take up to 72 hours for DNS Propagation to take place and thus website(s) under your server may not load.

We strongly recommend using a free website called IntoDNS to try and find any errors in your DNS configuration. This is one of the best tools available to find problems for domains. You can then either try and diagnose the issues yourself, or contact your domain registrar who should be able to help you with the errors. Most domain registrars are familiar with IntoDNS and will help you. You can also contact us if you have any questions or concerns.


SSH Access Information

Main IP Address: 198.23.150.36
Username: root
Password: nji9ol

You can access your server using a free simple SSH client. We recommend PuTTY which is free and the Windows installer can be downloaded by clicking here.


Support

If you need support, we recommend viewing our Support page, which can be found here. That page contains links to software documentation, our knowledgebase and several other options. That page should be the first place you head to if you need help as it contains many helpful resources.



Kindest Regards,
Hudson Valley Host
www.hudsonvalleyhost.com