Don't have time for running server - any help?

[bvssvni]

I have a lot on my plate for the moment, and got to prioritize. My abilities to getting stuff done with servers is not among the strongest, so it will eat up time that I can use more efficiently in other projects.

If somebody wants to run the server, I can point the pluto.rs domain to it.

[sezna]

Do you want it to be a personal server or can it be a shared hosting plan? I've got the latter, I'd love to set it up.

[bvssvni]

@sezna Nice!

[sezna]

I'm getting a compile error from an old version of staticfile, and when I update the dependency from 0.1.0 to 0.2.0, some traits are no longer supported so pluto doesn't compile. I don't have the time to look at this right now, but I might take a look at it in a few days. If someone else could look at it, that would be nice as well.

[bvssvni]

I opened #36

[Lisoph]

I'm doing web dev for a living and I'd love to run the site!
Somewhere in germany sits a little root server which I am renting. This would be a neat project since I'm not using that server at all anyway, so I might as well do something with it.
It's not the most powerful beast, but it should be able to cope with Pluto just fine.

[sezna]

@Lisoph Would you like to take over from me? I was going to do it as soon as those compile issues are sorted out.

[bvssvni]

The compile issues are now fixed.

[sezna]

Ok, I'm setting it up now.

[sezna]

Unfortunately, it seems to return a 500 server error on every request now, always a whitescreen. I'm looking into it now.

Can someone else verify this is happening? I want to make sure it isn't just me.

[Bluebird45]

I just see an Apache test page at http://pluto.rs

[bvssvni]

pluto.rs is not pointed at the server yet.

[sezna]

Yes, I'm referring to when I run pluto on either my localhost or an actual server. Use cargo run, browse to the url you set, and it is blank. The JS console just has a 500 server error.

[Bluebird45]

I have it working. You can follow the steps below.

In main.rs, change this line by substituting your machine's IP address in place of "localhost":

    let url = "localhost:3000";

Specifying it as localhost is alright during local development, for safety perhaps, but for a production server you might as well put in your machine's IP.

If you are on NAT then you will need to add a forwarding rule to your router.

However, before making it public you should lock down your firewall. On Debian (I'm not sure about the others) the default is to allow anyone access to anything from anywhere. You need to replace that with a set of rules that specifies the connections permitted.

On Debian it goes like this:

sudo apt install iptables-persistent // which you need because the iptables rules are, by default, lost upon reboot. This creates /etc/iptables/rules.v4 (and rules.v6) from the current rules.

Open rules.v4 in a text editor.

The guide here is helpful to automate loading of the new iptables rules but instead of exactly following their plan, just paste their rules into the rules.v4 file.

The method automation is:

Create a shell script, /etc/network/if-pre-up.d/iptables, and make it executable, and it will load the iptables upon reboot:

#!/bin/sh
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6

This is the rules.v4 file that I have on the test machine. Notice that it has a line for port 3000:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3000 -j ACCEPT
# Allows SSH connections 
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access 
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
#  note that blocking other types of icmp packets is considered a bad idea by some
#  remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
#  https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

..and for rules.v6:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

..which blocks everything on IPV6.

Also, your browser on the same machine might get sluggish unless you also block IPV6 in its configuration, but from another machine it makes no difference.

EDIT: Corrected the omission of the IPV6 iptables from the startup script

[sezna]

It was the iptables! Ok, it's up and ready to go.

http://159.203.71.101/

[bvssvni]

@sezna What are the DNS server addresses I can point to?

[sezna]

Oh, sorry. Its a digitalocean account.

ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

You'll have to remove pluto.rs from the old digitalocean account for me to be able to use it, though.

[bvssvni]

@sezna OK, done!

[sezna]

Good to go! pluto.rs is working.

[bvssvni]

Nice!

[sezna]

It is still running but has seen close to zero bandwidth usage for the past six months. Do plans exist to move forward on this project?

[bvssvni]

We could get back this project later. No plans for now.

[sezna]

Ok. It feels a bit pointless to keep it up in its current state. I'm going to suspend the droplet until this project becomes active.