/araa-docs

GNU Affero General Public License v3.0AGPL-3.0

araa-docs

Counter

Table of contents

Basic steps

To write this guide, I was using Ubuntu Server 22.04 LTS. This guide assumes you're using sudo or root.

Install required packages:

apt install nginx nginx-extras certbot python3-certbot-nginx

nginx

Configure nginx by replacing tailsx.yourdomain.com with your own domain:

cd /etc/nginx/sites-enabled/
rm default
wget -O tailsx https://raw.githubusercontent.com/Extravi/tailsx-docs/main/config/tailsx
nano tailsx

Now cd into /etc/nginx/ and replace nginx.conf; this will disable logging and improve server security:

cd /etc/nginx/
rm nginx.conf
wget -O nginx.conf https://raw.githubusercontent.com/Extravi/tailsx-docs/main/config/nginx.conf
nginx -t && nginx -s reload

Expected output:

root@ubuntu-s-1vcpu-1gb-tor1-01:/etc/nginx# nginx -t && nginx -s reload
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@ubuntu-s-1vcpu-1gb-tor1-01:/etc/nginx#

SSL/TLS certificate

Obtain an SSL/TLS certificate, but before doing so, make sure you have an A record pointed to your server's IPv4 address:

certbot --nginx -d tailsx.yourdomain.com

Once you've done that, open the crontab file:

crontab -e

Then paste this at the bottom of the crontab file. This will automatically renew your Let’s Encrypt certificate:

0 12 * * * /usr/bin/certbot renew --quiet

Firewall (Allow only HTTPS/HTTP/SSH)

Setup a firewall with UFW:

ufw default deny
ufw allow ssh
ufw allow https
ufw allow http
ufw enable

Run the status command:

ufw status verbose

You should see an output like this:

root@ubuntu-s-1vcpu-1gb-tor1-01:~/tailsx# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)

root@ubuntu-s-1vcpu-1gb-tor1-01:~/tailsx#

Disable IPv6

Now we need to disable IPv6 because many websites, like Google, are more likely to block IPv6:

bash -c 'cat <<EOF >> /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF'

Now you need to configure your SSH daemon to only listen over IPv4:

echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config

Final setup & starting Tailsx

Clone TailsX and cd into the directory:

git clone https://github.com/Extravi/tailsx.git
cd tailsx/

You can chose to setup & start Tailsx in one of two ways;

Manually start TailsX

Install some more required apt packages;

apt install python3-venv python3-pip python3

opensearch.xml

Configure the server's opensearch.xml. You can choose 1 of the following ways to do it;

Generate the opensearch

The shell script /scripts/generate-opensearch.sh can automatically generate the server's opensearch.xml file for you. All you need to do is export a DOMAIN environmental variable before running the script;

cd tailsx/
export DOMAIN=https://your.domain.com #Modify this variable to be your domain. Note the use of https://!
sh scripts/generate-opensearch.sh

Manual configuration

Configure opensearch.xml by replacing http://127.0.0.1:5000/ with https://your.domain.com/, making sure to replace http:// with https://:

cd tailsx/
cd static/
mv opensearch.xml.example opensearch.xml
nano opensearch.xml
cd ..

Install PIP packages & start the server

Setup a Python virtual environmnent & activate it:

python3 -m venv venv/
. venv/bin/activate

Install the required PIP packages:

pip install -r requirements.txt

Finally, run this command to start TailsX:

gunicorn -w 4 __init__:app

Read the gunicorn documentation to understand more about how the server works; Running Gunicorn.

Test your server

Enter your server's domain in your browser and see if it works! The connection should always automatically upgrade to HTTPS; you can test this by explicitly using HTTP:

http://your.domain.com
Note the use of 'http://' instead of 'https://'!

If TailsX loads and automatically is using HTTPS, then you have set it up properly.

I strongly recommend testing your server's SSL/TLS certificate next using SSLLabs. You should recieve an A+ rating with the provided nginx & certbot setup.

If you'd like, you can add your server to the list of public instances! Fork the repo linked here and add your own instance to the instance list (found in /README.md).