LemmyNet/lemmyBB

clearing up installation instructions

Closed this issue · 11 comments

Question description

The instructions could be improved if they listed what a finished, edited config file looks like. Is this correct?


# Edited copy of docker/nginx.conf as posted in the issue. `mydomain.com` and
# `$lemmyui_domain` are placeholders that must be replaced with the real
# hostnames before nginx will load this file.
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com;
    # Plain-HTTP vhost: serves the ACME challenge for certbot and sends
    # everything else to HTTPS.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain.com;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    # Various TLS hardening settings
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    # NOTE(review): session tickets stay enabled here; without a rotated
    # ssl_session_ticket_key nginx keeps one static ticket key per process
    # lifetime, which weakens forward secrecy for resumed sessions -- confirm
    # this is intended (the linked guide discusses the trade-off).
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    # It might be nice to compress JSON, but leaving that out to protect against potential
    # compression+encryption information leak attacks like BREACH.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Only connect to this site via HTTPS for the two years
    add_header Strict-Transport-Security "max-age=63072000";

    # Various content security headers
    # (These add_header values reach the location blocks below only because
    # those blocks declare no add_header of their own; adding one there would
    # drop all of these for that location.)
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; harmless, but not a substitute for a Content-Security-Policy.
    add_header X-XSS-Protection "1; mode=block";

    # Add IP forwarding headers
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # lemmybb frontend
    location / {
        # lemmybb is reached on the local address/port, not via the public domain.
        proxy_pass "http://0.0.0.0:8701";
        # Strip trailing slashes with a permanent redirect.
        rewrite ^(.+)/+$ $1 permanent;
    }

    # Uncomment these lines to make api publicly accessible.
    # Note that this can easily be abused by spam bots
    # NOTE(review): `limit_req zone=mydomain.com` refers to a shared-memory
    # zone, but no `limit_req_zone` declaring it appears in this file; one must
    # exist in the http context (e.g. in nginx.conf) before these lines are
    # uncommented, otherwise the reload fails with an unknown-zone error.
    # location ~ ^/(api) {
    #    proxy_pass http://0.0.0.0:8703;
    #    # Rate limit
    #    limit_req zone=mydomain.com burst=30 nodelay;
    #}
}

server {
    listen 80;
    listen [::]:80;
    # `$lemmyui_domain` is not an nginx variable: it is a placeholder for the
    # lemmy-ui hostname (different from the lemmybb domain, but it may be a
    # subdomain of it). Replace it here and in the HTTPS vhost below, or remove
    # both lemmy-ui sections to run without lemmy-ui.
    server_name $lemmyui_domain;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name $lemmyui_domain;

    # Placeholder paths: must match the hostname the certificate was issued for.
    ssl_certificate /etc/letsencrypt/live/$lemmyui_domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$lemmyui_domain/privkey.pem;

    # You can put lemmy-ui behind HTTP auth so that only admins can access it.
    # Execute `sudo htpasswd -c /srv/lemmybb/.htpasswd admin` and uncomment
    # the config lines below.
    # More details: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
    # auth_basic           "Administrator’s Area";
    # auth_basic_user_file /srv/lemmybb/.htpasswd;

    # Various TLS hardening settings
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    # NOTE(review): same session-ticket consideration as in the lemmybb vhost.
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    # It might be nice to compress JSON, but leaving that out to protect against potential
    # compression+encryption information leak attacks like BREACH.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Only connect to this site via HTTPS for the two years
    add_header Strict-Transport-Security "max-age=63072000";

    # Various content security headers
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    # NOTE(review): legacy header, ignored by current browsers; see note above.
    add_header X-XSS-Protection "1; mode=block";

    # Add IP forwarding headers
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # lemmy-ui frontend
    location / {
        proxy_pass http://0.0.0.0:8702;
    }
    # backend
    location ~ ^/(api|pictrs) {
        proxy_pass http://0.0.0.0:8703;
        # WebSocket pass-through: HTTP/1.1 plus the Upgrade/Connection
        # hop-by-hop headers forwarded from the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Anonymize IP addresses
# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
# Maps the client address to a truncated form: IPv4 keeps the first three
# octets, IPv6 keeps the first two groups, loopback is kept as-is, anything
# else becomes 0.0.0.0.
map $remote_addr $remote_addr_anon {
  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
  ~(?P<ip>[^:]+:[^:]+):       $ip::;
  127.0.0.1                   $remote_addr;
  ::1                         $remote_addr;
  default                     0.0.0.0;
}
# NOTE(review): the built-in `combined` format logs the raw $remote_addr, so
# the $remote_addr_anon defined above is never written; a custom log_format
# that uses $remote_addr_anon is needed for the anonymization to take effect.
access_log /var/log/nginx/access.log combined;

And are we supposed to create lemmybb.service at /etc/systemd/system/lemmy_bb.service like this?

# systemd unit as drafted by the reporter for lemmy_bb.
[Unit]
Description=lemmy_bb
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/lemmyBB/
# NOTE(review): the README only says to "adapt" these two values; bare domain
# names here are the reporter's guess. The nginx config on this page proxies
# the Lemmy backend on 0.0.0.0:8703 and lemmybb on 0.0.0.0:8701, so
# host:port values on the local address are presumably what is expected --
# confirm against the README.
Environment="LEMMYBB_BACKEND=MyLemmyBBSubdomain.com"
Environment="LEMMYBB_LISTEN_ADDRESS=LemmyUIDomain.com"
Environment="LEMMYBB_INCREASED_RATE_LIMIT=1"
# Preloads jemalloc as the allocator for the lemmy_bb process.
Environment="LD_PRELOAD=libjemalloc.so"
ExecStart=/opt/lemmyBB/target/release/lemmy_bb
Restart=always

[Install]
WantedBy=multi-user.target
Tealk commented

Hello,

which installation mode are you talking about?
You only need to adjust the nginx configuration if you deviate from the default configuration. Otherwise you can follow the installation instructions.

When I tried with LemmyBB I found that calls via the local address are more stable. In addition, a call via the domain does not work if the server is behind NAT.

Are you asking because there is some error or problem with your installation? Can you describe what exactly is going wrong?

You also need to replace $lemmyui_domain with your actual domain for lemmyui (different from the lemmybb domain, but it can be a subdomain). Or you can remove that whole section to run without lemmyui, but note that lemmybb doesn't have any mod tools yet.

OK, here are some specific parts of the instructions that I think are missing.

Copy the nginx config into the sites-enabled folder and edit it

cp docker/nginx.conf /etc/nginx/sites-enabled/lemmybb.conf

is missing the nano command to edit the lemmybb.conf

insert the following content and adapt 'LEMMYBB_BACKEND' and 'LEMMYBB_LISTEN_ADDRESS' to your installation`
What does adapting them to my installation mean? Do I need to change the words `LEMMYBB_BACKEND`

So instead of listing the IP and port number, I'm supposed to put my domain name and port number? Is this only if I changed something in the previous .conf file?

I'm unsure how I screwed up the installation; I'm probably going to wipe the server and install lemmy and then lemmybb again from scratch. But here's the error I get now if I try to run ansible:

FAILED! => {"changed": true, "cmd": "nginx -s reload", "delta": "0:00:00.012663", "end": "2022-11-30 21:27:38.489940", "msg": "non-zero return code", "rc": 1, "start": "2022-11-30 21:27:38.477277", "stderr": "nginx: [emerg] unknown directive \"sdlimit_req_zone\" in /etc/nginx/sites-enabled/lemmybb.conf.save:1", "stderr_lines": ["nginx: [emerg] unknown directive \"sdlimit_req_zone\" in /etc/nginx/sites-enabled/lemmybb.conf.save:1"], "stdout": "", "stdout_lines": []}

Tealk commented

is missing the nano command to edit the lemmybb.conf

What if the user does not use nano, or it is not preinstalled on the device?
So it is only made clear that the file must be edited; use the tool you prefer, for many that is vim rather than nano.

it says where the error is in the nginx config:
\"sdlimit_req_zone\" in /etc/nginx/sites-enabled/lemmybb.conf.save:1"]
so in the file lemmybb.conf.save, line 1 (note the `.save` suffix: that is a separate file next to lemmybb.conf, and nginx is loading it as well because it sits in sites-enabled)

There you have specified a name that is not defined anywhere: sdlimit_req_zone.
I don't know where you got this; in the standard configuration you don't find it:
https://github.com/LemmyNet/lemmyBB/blob/main/docker/nginx.conf

nixoye commented

@Nutomic

Every step in the instructions is perfect and can be copy-pasted one by one, but then it breaks down in the last 3 steps.

Copy the nginx config into the sites-enabled folder and edit it

cp docker/nginx.conf /etc/nginx/sites-enabled/lemmybb.conf

There are no instructions on what to "edit" and no command to "edit" it. You use nano in the next command and it is commonly used, so please include the nano command after it, like:

cp docker/nginx.conf /etc/nginx/sites-enabled/lemmybb.conf
nano /etc/nginx/sites-enabled/lemmybb.conf

And please add a code block with the .conf that we can copy-paste.

The next step says adapt 'LEMMYBB_BACKEND' and 'LEMMYBB_LISTEN_ADDRESS' to your installation. I don't understand what "adapt 'LEMMYBB_BACKEND' to my installation" means. Do I change those words to be my domain name? My subdomain name? Can LEMMYBB_BACKEND and LEMMYBB_LISTEN_ADDRESS be replaced with something like "yoursubdomain.com"?

Tealk commented

The two points you mentioned are not so easy to generalize; they are very system-specific.
When writing the tutorial I assumed that the admin has basic knowledge of nginx and systemd.

and please add a code block with the .conf we can copy paste

This would not be a smart solution: if the configuration changes, you must always remember to also change the readme.

the next step says adapt LEMMYBB_BACKEND' and 'LEMMYBB_LISTEN_ADDRESS to your installation I dont understand what "adapt 'LEMMYBB_BACKEND" means to my installation means.

Here too I assumed that an admin knows how to deal with variables.
I will think about how far the instructions can be adapted.

nixoye commented

@Tealk I used the ansible instructions to set up lemmy, so I'm not sure what to "adapt" those sections to.

Fixed in #75.