- Thoughts should be on the paper
- My messy server in terms of nginx config
- How to create a systemd service
- How to register a domain name
- How to serve via HTTPS
- How to proxy websocket
So I decided to write in english to practice composing my thoughts into sentences. Also I feel the need of protocoling stuff I do rarely. Registering domain names, running nginx and even openresty to use lua + nginx, serving different apps on different ports and proxy all these stuff via nginx and subdomain names, creating systemd services and preserve nodejs app running forever via pm2. Actually I did a lot of this stuff for the first time. Later, when I came back to work on besokind, to the server and its structure I felt distracted. Because I couldn't remember how everything structured, how to add new server etc.
Well, here we go.
My websocket server for hnefatafl is hosted at hnef.besokind.ru on a digitalocean droplet and is served via nginx. There are bunch of servers running on this single $10 droplet for now: besokind.ru, vk bot bmo written in python.
upstream app_besokind {
server 127.0.0.1:3000;
keepalive 8;
}
upstream app_bmo {
server 127.0.0.1:5000;
keepalive 8;
}
upstream hnef_server {
server 127.0.0.1:3030;
keepalive 8;
}
server {
listen 443 ssl;
server_name besokind.ru;
access_log /var/log/openresty/access_besokind.log;
error_log /var/log/openresty/error_besokind.log;
location / {
proxy_pass http://app_besokind/;
}
location /onpush {
content_by_lua_file /home/besokind/besokind-droplet/onpush.lua;
}
ssl on;
ssl_certificate /etc/letsencrypt/live/besokind.ru/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/besokind.ru/privkey.pem;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name besokind.ru;
return 301 https://$host$request_uri;
}
server {
listen 80;
server_name bmo.besokind.ru;
access_log /var/log/nginx/bmo.log;
location / {
proxy_pass http://app_bmo/;
}
}
server {
listen 80;
server_name hnef.besokind.ru;
access_log /var/log/openresty/access_hnef.log;
error_log /var/log/openresty/error_hnef.log;
location / {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://hnef_server;
}
}
bmo is running through systemd service. To create a systemd service I just created a text file bmo.service
[Unit]
Description=Python VK bot
After=network.target
[Service]
WorkingDirectory=/home/besokind/bmo/
ExecStart=/usr/bin/python3 /home/besokind/bmo/app.py
Restart=on-failure
KillMode=process
[Install]
WantedBy=multi-user.target
Alias=bmo.service
and symlinked it into /etc/systemd/system
ln -s /home/besokind/bmo/bmo.service /etc/systemd/system/bmo.service
I have some aliases for bmo in my ~/.bashrc on the droplet
alias bmo='cd /home/besokind/bmo'
alias bmo-restart='systemctl restart bmo'
alias bmo-status='systemctl status bmo'
Today I registered tafl.website domain name on namecheap.com.
custom DNS nameservers for digitalocean:
ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com
- A record @
- CNAME for www is an alias of tafl.website
To serve via HTTPS you need 2 thins:
- Signed SSL Certificate
- Listen to 443 port instead of 80, enable ssl and attach the certificate
I use a certificate signed by lets encrypt. I created it via certbot.
But before running the certbot I prepared nginx conf to serve static by my new domain name:
server {
listen 80;
server_name tafl.website;
root /home/besokind/hnefatafl;
}
And restarted the server.
Then run certbot:
certbot certonly
I already prepared my server so I authenticate ACME CA by
2. Placing files in webroot directory
It places a file into the webdir (/home/besokind/hnefatafl) /.well-known/acme-challenge/123abc and requests it from letsencrypt's servers.
Then entered my new domain name tafl.website, web directory for it /home/besokind/hnefatafl and here we go.
My new certificate is located at /etc/letsencrypt/live/tafl.website. Now I use cert.pem and privkey.pem in my server:
server {
listen 443 ssl;
server_name tafl.website;
root /home/besokind/hnefatafl/public;
ssl on;
ssl_certificate /etc/letsencrypt/live/tafl.website/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/tafl.website/privkey.pem;
access_log /var/log/openresty/access_hnef.log;
error_log /var/log/openresty/error_hnef.log;
}
That's it. After 3 months I'll came to the droplet and will make:
certbot renew
You could also make a cronjob, but I'm okay with manual renewal for now.
In nginx we need headers Upgrade and Connection. They are available from http version 1.1, so set the version too:
location /server/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://hnef_server;
}
To be able to serve client index.html at tafl.website without any path additions I serve socket.io at path /server.
To do that we add {path: '/server/socket.io'} option after url.
On the server
io.listen(3030, {path: '/server/socket.io'});and on the client
var socket = require('socket.io-client')(url, {path: '/server/socket.io'});/170928/