💾 Archived View for omg.pebcak.club › ~freezr › gemlog › 2021-06-08-gnuserland-server-recap.gmi captured on 2024-06-20 at 12:10:32. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-09-08)
-=-=-=-=-=-=-
This guide became useless since DigitalOcean terminated the official support for FreeBSD. Because of that event I closed my account on DigitalOcean and "gnuser.land"; eventually I activated a new domain "GeminiSpace [dot] Club" and moved to another VPS: Vultr.
One of the selling point of Gemini is that it aims for simplicity, this applies on both server and client side, building up a basic but usable personal Gemini server is possible and have to be possible for all the people at any level. Being able to manage directly the contents and the platforms who serve them is extremely important from a freedom perspective; for instance I made my own server to own my content and to be sure that it will be just me the one that is going to shut down my capsule in the future.
Individuals, no profit organizations, and any other entities that work for the common good must be able to be independent and rely on themselves, escaping away from the nails of any corporate/business unwanted pressure.
When I was just figuring out about 'Gnuser.land', my personal goal was to create a Gemini capsule on my own Gemini server; however setup a basic Nginx server was necessary to create a gate into the WWW for the ones that accede on internet through HTTP.
Standard Internet is still necessary to offer services that a merely text blog would never offer, thus if you need to setup an HTTP server to host a full featured website do not rely on this page since this basic setup is only able to serve HTML files and anything else.
Indeed unfortunately; the same responsible that made HTTP awful are sitting right now around the Linux Board table. Today Linux is going in a direction that I really dislike, Gemini hence has been also the opportunity to experiment alternative operative system like FreeBSD. This latter has several advantages respect Linux that aren't just technical, let me recap some of them:
While Linux has the industry support, FreeBSD looks having more success on the academic world, and, as it happens in many other projects with fewer resources, everything in FreeBSD is made carefully with an exceptional keen for the design implementation, always following the Unix philosophy.
Read more:
Why you should migrate everything from Linux to BSD
Technical reasons to choose FreeBSD over GNU/Linux
The Hyper Text Markup Language was been a great revolution and the hypertext really made incredible navigating through pages and documentation. This magic today is totally disappear under the pressure of the big IT companies (someone else woluld say GAFAM...) that modeled the modern internet to satisfy their business needs.
The result is thousand of web pages that looks all equally to satisfy the Google Search criteria, and a small pool of social media services that try to keep you alienate from the society as well as from the real internet, wrapping everything into apps to consume on your mobile, smart TV, and even your computer; but also media streaming companies that, with the complicity of the W3C, endorsed and imposed EME/DRM to all of us. Today we learned that DRM rather than fight piracy has been only a way to control how the end users must consume those products.
The HTML5 is the common ground that all the companies that make revenue over internet had laid out to make modern internet extremely awful.
For instance to create my HTML page required more effort and time than building up all the 'gnuser.land' infrastructure. The ridiculous part is that 99% of the code is copied and pasted by other sources. To run this very basic page the browser needs to connect to 1 HTML file, 3 CSS files, 2 Javascript libraries, 1 Google Font; this is why I say that HTML5 became utterly complicated!
The code is available here, if you think you can improve and redistribute it for all the Geminauts that like me wants only an HTML gate for their capsules, please you will find my contact information at the very bottom or in the home page!
/~freezr/gemlog/media/2021/html.tar.gz
Those are not advises, I am just reporting some facts and some opinions around. I bought my domain on Big Daddy, based on a colleague suggestion, later I discovered that other Registrars had better offers; while as VPC I opted for Digital Ocean (DO). For the latter you can find special discounts that allow you to play with it, saving money, for a reasonable amount of time.
Checking at the DO prices the basic service is quite affordable but it suddenly becomes extremely expansive when you start to add just a bunch of features more.
Anyway both are big players hence you can be sure that not tomorrow either the day after tomorrow those services will shut down, we can consider those enough reliable and resilient to build a public service with. Last but not least, DO has a very good documentation with a lot of articles, guides and tutorials.
To begin I had to create my first project, and its related server; DO call virtual servers - "et similia" - droplet; then you have to connect your domain to the droplet, enabling the DNS and lastly installing your Web server and your Gemini server, these were my steps:
1. Create and setup the Droplet
2. Connect the domain to with Digital Ocean
3. Manage the DNS with Digital Ocean
4. Installing and setup Nginx
5. Installing and setup GMID
6. Installing and setup Fail2Ban
As for the time I wrote this page FreeBSD was still at 12th release, as I wrote before I used the cheapest droplet available which is based on Intel, fortunately the next FreeBSD 13 looks like is going very well over Intel CPU:
Phoronix: FreeBSD 13 BETA Benchmarks - Performance Is Much Better
Below are listed the steps required to create a FreeBSD droplet, the creation is assisted hence do not need to worry. Also remember that if you are taking advantage of the promotion you can create as many droplets your gifted credit allows:
1. Let's start with FreeBSD ZFS
2. Regular plan is fine (eventually Gemini aims for few resource consumption)
3. Do not add a block storage
4. Select the data-center: mine is NY 3
5. VPC: default-nyc3
6. IPV6: I am not using it
7. User data: I am not using it.
8. SSH Creation
9. Droplets: 1
10. Hostname: gemini-freebsd-s-1vcpu-1gb-nyc3-01
11. Add a tags if you wish
12. No backups
13. Create!
"USER DATA"
This should be something that should help you to accelerate the process to recreate/regenerate your system each time, unfortunately is outside my understanding.
I am using GoDaddy but in the following link are described the procedures for the most common registrars.
DO Tutorial: how to point to DigitalOcean nameservers from common domain registrars
DO manages the DNS in its dashboard, as a matter of fact the droplet has a bunch of customized service in the 'rc.conf' file, everything related with the DNS must be done in the dashboard.
DO Docs: How to manage records
The documentation hasn't anything about Gemini yet but I am pretty sure it will be arrived soon, to setup the DNS for GMID you need to operate at the SRV tab.
SRV records specify the location (hostname and port number) of servers for specific services. You can use service records to direct certain types of traffic to particular servers.
Eventually I figured out the correct string is this:
_gemini._tcp.gnuser.land
A screenshot is worth of thousand words:
Before to install Nginx and GMID I recommend to read this documentation:
DO Tutorials: How to Get Started with FreeBSD
DO Tutorials: Recommended Steps For New FreeBSD 12.0 Servers
Extremely important:
DO Tutorials: Recommended Steps To Harden Apache HTTP on FreeBSD 12.0
I strongly recommend to disable root access over ssh, I did this revoking the key and probably also locking root as well
I created another user, installed SUDO and added it to the sudoers group. That means that I had to create a new ssh key for this user.
For more information to how create a SSH key you can read these articles:
DO Tutorials: How To Configure SSH Key-Based Authentication on a FreeBSD Server
DO Tutorials: Understanding the SSH Encryption and Connection Process
This very basic setup will just allow to manage HTML files and anything else.
Don't forget that in FreeBSD system configurations are in '/etc/' but user configurations are in '/usr/local/etc/'
I did this later but it would be smarter doing this before to setting up Nginx. By the default Nginx uses this folder:
/usr/local/www/
But, since I come from Linux, I preferred put it in "/var/www" and since the moment my FreeBSD droplet is using ZFS I just added this location on the existing 'zroot' pool
sudo zfs create zroot/var/www sudo mkdir -p /var/www/your.domain/{html,gem} sudo chown [your-user]:[your-user] -R /var/www/your.domain/
Now I can create regular snapshot of my website/capsule, which I haven't done yet, in case I have to recover any unwanted disaster.
I followed this tutorial, it will allow any person to create a very basic HTTP server, for me that was more than enough:
DO Tutorials: How to Install Nginx on FreeBSD 11.2
Eventually this is my server block with the opportune changes:
server { access_log /var/log/nginx/your.domain.access.log; error_log /var/log/nginx/your.domain.error.log; listen 80; server_name your.domain www.your.domain; location / { root /var/www/your.domain/html; index index.html index.htm; } }
I followed the same logic of the article hence even though the domain is 'gnuser.land' I split the HTML content into 'gnuser.land/html/' and the Gemini content into 'gnuser.land/gem/'; the idea was also to create 'gnuser.land/media/' for sharing content any not HTML/GMI content between Nginx and GMID, but I'll probably do it when I'll move to FreeBSD 13.
This configuration only allows to run HTTP on port 80 but modern WWW runs over HTTPS mostly, hence to enable it you need to get a certificate, "let's encrypt" allows you to get a valid certificate:
DO Tutorials: How To Secure Nginx with Let's Encrypt on FreeBSD
Update: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX
"certbot" is available as binary package hence there is not need to compile it through ports.
pkg search certbot py37-certbot-1.13.0,1 Let's Encrypt client [ a lot of other results] py37-certbot-nginx-1.13.0 NGINX plugin for Certbot
I am pretty sure I just installed the package for Nginx and it automatically downloaded all the relevant dependencies.
Once you installed it, creating a certificate is pretty simple much simpler than with Apache, I just launched this command, you don't need to be in a specific folder:
sudo certbot --nginx -d example.com -d www.example.com
Where in "example.com" I used "gnuser.land" instead.
Certbot will automatically modify your Nginix configuration file for you, and it will be able to serve HTTPS pages properly, although I am not really interested in delivering mt content through HTTP/S.
The code below is an output that I copied just to remember about it:
> In order to automatically renew the certificates, add this line to > /etc/periodic.conf: > > weekly_certbot_enable="YES" > > More config details in the certbot periodic script: > > /usr/local/etc/periodic/weekly/500.certbot-3.7
GMID, thanks to the effort of its creator (Yumh) it is available as port for FreeBSD as well as for OpeBSD.
To enable and install Ports packages, please read the link below:
FreeBSD Handbook: Using the Ports Collection
The configuration of GMID resembles the one of Nginx, you can read all the information you need through the "Man Pages" or following this link:
It is important to create the auto-signed certification before otherwise GMID will create a basic one by itself, future versions will be able to renewal the certificate automatically.
Advise: do not mess up with the certificate, create just one, one time only, in the desired folder.
I put the certificate in my $HOME but it is possible put it every where in the filesystem (to be precise are two files the cert and the key). This is my block with the opportune changes:
openssl req -new -subj "/CN=your.domain" -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -days 365 -nodes -out your.domain.cert.pem -keyout your.domain.key.pem
To read more:
DO Tutorials: OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs
Now that GMID is installed and the certificate is created, the only part missing is to setup the server block in '/usr/local/etc/gmid.conf ':
This is mine just slightly modified for convenience:
# ipv6 on # only if you want enable ipv6 mime "application/rtf" "rtf" server "your.domain" { cert "/your/folder/of/choice/your.domain.cert.pem" key "/your/folder/of/choice/your.domain.key.pem" root "/var/www/your.domain/gemini/" cgi "/cgi-bin/*" lang "en" # or any other language }
It is important to mention that, while inside the root, GMID can serve any kind of file, if you want put the location for the file outside the root please refer to the documentation.
If you finish and everything went OK, it is possible testing out the server without running it with this command:
gmid -vv -n
If the test passed fine hence the last thing to do is to enable and run GMID.
sudo sysrc gmid_enable="YES" sudo service gmid start
Hopefully everything went fine thus as last recap this is how the 'rc.conf' should look alike:
# NGNIX nginx_enable="YES" # IPFW firewall_enable="YES" firewall_quiet="YES" firewall_type="workstation" firewall_myservices="22/tcp 80/tcp 443/tcp 1965/tcp" firewall_allowservices="any" firewall_logdeny="YES" # GMID gmid_enable="YES"
GMID brings along itself a simple, but useful, Gemini client called "GG" that you can use for testing your server and your capsule through the SSH session:
gg gemini://your.domain
Did it work out?
Nice!
Gnuser.land doesn't do anything special, it servers only GMI files, there is not any sensible data stored in it, therefore the only gate exposed to the public is the SSH service.
Although my password is pretty strong I am going to enable "Fail2Ban" on the server to increase a little bit the security and to prevent brute force attack as well as SSH congestion.
All the information for this section comes from this tutorial:
https://www.adminbyaccident.com/freebsd/how-to-freebsd/how-to-install-fail2ban-on-freebsd/
Please refer to the link above for further explanation.
pkg search fail2ban py38-fail2ban-0.11.2_1 Scans log files and bans IP that makes too many password failures
On my server is available only "py38-fail2ban-0.11.2_1"
sudo pkg install py38-fail2ban-0.11.2_1
First step is to create the rules:
sudo ee /usr/local/etc/fail2ban/jail.d/ssh-ipfw.local
Second step is to paste the following settings
[ssh-ipfw] enabled = true filter = sshd action = ipfw[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/auth.log findtime = 600 maxretry = 3 bantime = 3600
Third step is to configure the rule for the firewall but it is needed to know which is the public IP:
ifconfig | grep inet
My public domain begin with 167.99.xx.xx, I will add this IP in the following conf file:
sudo ee /usr/local/etc/fail2ban/action.d/ipfw.conf
Specifically at the bottom of the file, the local host entry must be changed with the one obtained previously.
Fail2ban must be enable by default at every boot, it easy to add the rules to RC.CONF with this command:
sudo sysrc fail2ban_enable="YES"
Let’s start the service.
sudo service fail2ban onestart
The quoted article ends with a test to check if fail2ban works properly. I tested it but I am not going to show up the results; for a depth reading about this topic, please refer to link above or:
Fail2Ban Official Documentantion
Consider this a dirty and quick reference to put your Capsule online as quick as possible!
Unfortunately a lot of documentation is available on standard internet only, and I understand that switching from a client to another can be annoying.
Duckling Proxy is an utility that let you navigate the small web through a compatible client like, for instance, Lagrange and Telescope, learn more here:
/~freezr/gemlog/2021-07-23-telescope-part-three.gmi
Also has passed quite time since the Capsule was actually online and my memories fade out a bit, most likely I totally missed some important step.
By the way at this time there is not any FreeBSD 13 droplet available, I guess at DO are simply waiting for the 13.1 release, but when the droplet is going to be available I am going to do this:
1. switching to FreeBSD 13;
2. preparing a better and complete documentation entirely in Gemini;
3. hardening FreeBSD through PF rather than IPFW;
4. Jailing Nginx, GMID and FTP;
5. better Nginx setup with full static website support and virtual hosting;
6. better GMID implementation with support for virtual hosting;
7. adding a FTP server.
That's it for comments or suggestion write me at: