diff --git a/blog/site-to-site-wireguard-part-4-2019-04-19.markdown b/blog/site-to-site-wireguard-part-4-2019-04-19.markdown new file mode 100644 index 0000000..c7b1578 --- /dev/null +++ b/blog/site-to-site-wireguard-part-4-2019-04-19.markdown @@ -0,0 +1,346 @@ +--- +title: "Site to Site WireGuard: Part 4 - HTTPS" +date: 2019-04-16 +series: site-to-site-wireguard +--- + +# Site to Site WireGuard: Part 4 - HTTPS + +This is the fourth post in my Site to Site WireGuard VPN series. You can read the other articles here: + +- [Part 1 - Names and Numbers](https://christine.website/blog/site-to-site-wireguard-part-1-2019-04-02) +- [Part 2 - DNS](https://christine.website/blog/site-to-site-wireguard-part-2-2019-04-07) +- [Part 3 - Custom TLS Certificate Authority](https://christine.website/blog/site-to-site-wireguard-part-3-2019-04-11) +- Part 4 - HTTPS (this post) +- Setting up additional iOS, macOS, Android and Linux clients +- Other future fun things (seamless tor2web routing, etc) + +In this article, we are going to install [Caddy](https://caddyserver.com) and set up the following: + +- A plaintext markdown site to demonstrate the process +- A URL shortener at https://g.o/ (with DNS and TLS certificates too) + +## HTTPS and Caddy + +[Caddy](https://caddyserver.com) is a general-purpose HTTP server. One of its main features is automatic [Let's Encrypt](https://letsencrypt.org) support. We are using it here to serve HTTPS because it has a very, very simple configuration file format. + +Caddy doesn't have a stable package in Ubuntu yet, but it is fairly simple to install it by hand. + +## Installing Caddy + +One of the first things you should do when installing Caddy is picking the list of extra plugins you want in addition to the core ones. I generally suggest the following plugins: + +- [`http.cors`](https://caddyserver.com/docs/http.cors) - [Cross-Origin Resource Sharing](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS), because we can't trust browsers +- [`http.git`](https://caddyserver.com/docs/http.git) - it facilitates automatic deployment +- [`http.supervisor`](https://caddyserver.com/docs/http.supervisor) - run background processes + +First we are going to need to download Caddy (please do this as root): + +```console +curl https://getcaddy.com > install_caddy.sh +bash install_caddy.sh -s personal http.cors,http.git,http.supervisor +chown root:root /usr/local/bin/caddy +chmod 755 /usr/local/bin/caddy +``` + +These permissions are set as such: + +| Facet | Read | Write | Directory Listing | +| :--------------- | :--- | :---- | :---------------- | +| User (www-data) | Yes | Yes | Yes | +| Group (www-data) | Yes | No | Yes | +| Others | Yes | No | Yes | + +In order for Caddy to bind to the standard HTTP and HTTPS ports as non-root (this is a workaround for the fact that [Go can't currently drop permissions with suid() cleanly](https://github.com/golang/go/issues/1435)), run the following: + +```console +setcap 'cap_net_bind_service=+eip' /usr/local/bin/caddy +``` + +Caddy expects configuration file/s to exist at `/etc/caddy`, so let's create the folders for them: + +```console +mkdir -p /etc/caddy +touch /etc/caddy/Caddyfile +chown -R root:www-data /etc/caddy +``` + +### Let's Encrypt Certificate Permissions + +Caddy's systemd unit expects to be able to create new certificates at `/etc/ssl/caddy`: + +```console +mkdir -p /etc/ssl/caddy +chown -R www-data:root /etc/ssl/caddy +chmod 770 /etc/ssl/caddy +``` + +These permissions are set as such: + +| Facet | Read | Write | Directory Listing | +| :--------------- | :--- | :---- | :---------------- | +| User (www-data) | Yes | Yes | Yes | +| Group (root) | Yes | Yes | Yes | +| Others | No | No | No | + +This will allow only Caddy and root to manage certificates in that folder. + +### Custom CA Certificate Permissions + +In the [last post](https://christine.website/blog/site-to-site-wireguard-part-3-2019-04-11), custom certificates were created at `/srv/within/certs`. Caddy is going to need to have the correct permissions in order to be able to read them. + +```shell +#!/bin/sh +chmod -R 750 . +chown -R root:www-data . +chmod 600 minica-key.pem +``` + +Then mark it executable: + +``` +chmod +x fixperms.sh +``` + +These permissions are set as such: + +| Facet | Read | Write | Execute/Directory Listing | +| :--------------- | :--- | :---- | :------------------------ | +| User (root) | Yes | Yes | Yes | +| Group (www-data) | Yes | No | Yes | +| Others | No | No | No | + +This will allow Caddy to be able to read the certificates later in the post. Run this after certificates are created. + +``` +cd /srv/within/certs +./fixperms.sh +``` + +### HTTP Root Permissions + +I dypically store all of my websites under `/srv/http/domain.name.here`. To create a folder like this: + +```console +mkdir -p /srv/http +chown www-data:www-data /srv/http +chmod 755 /srv/http +``` + +These permissions are set as such: + +| Facet | Read | Write | Directory Listing | +| :--------------- | :--- | :---- | :---------------- | +| User (www-data) | Yes | Yes | Yes | +| Group (www-data) | Yes | No | Yes | +| Others | Yes | No | Yes | + +### Systemd + +To install the [upstream systemd unit](https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service), run the following: + +```console +curl -L https://github.com/mholt/caddy/raw/master/dist/init/linux-systemd/caddy.service \ + | sed "s/;CapabilityBoundingSet/CapabilityBoundingSet/" \ + | sed "s/;AmbientCapabilities/AmbientCapabilities/" \ + | sed "s/;NoNewPrivileges/NoNewPrivileges/" \ + | tee /etc/systemd/system/caddy.service +chown root:root /etc/systemd/system/caddy.service +chmod 744 /etc/systemd/system/caddy.service +systemctl daemon-reload +systemctl enable caddy.service +``` + +These permissions are set as such: + +| Facet | Read | Write | Execute | +| :----------- | :--- | :---- | :------ | +| User (root) | Yes | Yes | Yes | +| Group (root) | Yes | No | No | +| Others | Yes | No | No | + +This will also configure Caddy to start on boot. + + * Configure Caddy for static file serving for aloha.pele + * root directive + * browse directive + * Link to Caddy documentation + +## Configure aloha.pele + +In the last post, we created the domain and TLS certificates for `aloha.pele`. Let's create a website for it. + +Open `/etc/caddy/Caddyfile` and add the following: + +``` +# /etc/caddy/Caddyfile + +aloha.pele:80 { + tls off + redir / https://aloha.pele:443 +} + +aloha.pele:443 { + tls /srv/within/certs/aloha.pele/cert.pem /srv/within/certs/aloha.pele/key.pem + + internal /templates + + markdown / { + template templates/page.html + } + + ext .md + browse / + + root /srv/http/aloha.pele +} +``` + +And create `/srv/http/aloha.pele/templates`: + +```console +mkdir -p /srv/http/aloha.pele/templates +chown -R www-data:www-data /srv/http/aloha.pele/templates +``` + +And open `/srv/http/aloha.pele/templates/page.html`: + +```html + + + + + {{ .Doc.title }} + + + +
+ + + {{ .Doc.body }} +
+ + +``` + +This will give a nice [simple style kind of like this](https://jrl.ninja/etc/1/) using [Caddy's built-in markdown templating support](https://caddyserver.com/docs/markdown). Now create `/srv/http/aloha.pele/index.md`: + +```markdown + + +# Aloha! + +This is an example page, but it doesn't have anything yet. If you see me, HTTPS is probably working. +``` + +Now let's enable and test it: + +``` +systemctl restart caddy +systemctl status caddy +``` + +If Caddy shows as running, then testing it via [LibTerm](https://itunes.apple.com/us/app/libterm/id1380911705?ls=1&mt=8) should work: + +``` +curl -v https://aloha.pele +``` + +## URL Shortener + +I have created a simple [URL shortener backend](https://github.com/Xe/surl) on my GitHub. I personally have it accessible at https://g.o for my internal network. It is very simple to configure: + +| Environment Variable | Value | +| :------------------- | :--------------------------------- | +| `DOMAIN` | `g.o` | +| `THEME` | `solarized.css` (or `gruvbox.css`) | + +surl requires a SQLite database to function. To store it, create a docker volume: + +```console +docker volume create surl +``` + +And to create the surl container and register it for automatic restarts: + +```console +docker run --name surl -dit -p 10.55.0.1:5000 \ + --restart=always \ + -e DOMAIN=g.o \ + -e THEME=solarized.css \ + -v surl:/data xena/surl:v0.4.0 +``` + +Now create a DNS record for `g.o.`: + +``` +; pele.zone + +;; URL shortener +g.o. IN CNAME oho.pele. +``` + +And a TLS certificate: + +```console +cd /srv/within/certs +minica -domains g.o +./fixperms.sh +``` + +And add Caddy configuration for it: + +``` +# /etc/caddy/Caddyfile + +g.o:80 { + tls off + + redir / https://g.o +} + +g.o:443 { + tls /srv/within/certs/g.o/cert.pem /srv/within/certs/g.o/key.pem + + proxy / http://10.55.0.1:5000 +} +``` + +Now restart Caddy to load the configuration and make sure it works: + +```console +systemctl restart caddy +systemctl status caddy +``` + +And open [https://g.o](https://g.o) on your iOS device: + + + +![An image of the URL shortener in action](/static/img/site-to-site-part-4-gdoto.jpg) + +You can use the other [directives](https://caddyserver.com/docs) in the Caddy documentation to do more elaborate things. [When Then Zen](https://when-then-zen.christine.website) is hosted completely with [Caddy using the markdown directive](https://github.com/Xe/when-then-zen/blob/master/Caddyfile); but even this is ultimately a simple configuration. + +--- + +This seems like enough for this time. Next time we are going to approach adding other devices of yours to this network: iOS, Android, macOS and Linux. + +Please give me [feedback](/contact) on my approach to this. I also have a [Patreon](https://www.patreon.com/cadey) and a [Ko-Fi](https://ko-fi.com/A265JE0) in case you want to support this series. I hope this is useful to you all in some way. Stay tuned for the future parts of this series as I build up the network infrastructure from scratch. If you would like to give feedback on the posts as they are written, please watch [this page](https://github.com/Xe/site/pulls) for new pull requests. + +Be well. The sky is the limit, Creator! +