Proposal: http/https server and custom domain for everyone!

[mayli]

So, let's improve the nginx on shell server to next level!

Currently shell-server has a basic nginx service is nearly hard to use for new users.

So the plan is:

• [x] having a global nginx server listening on port 80 and 443

  • [x] use Let's Encrypt to obtain https certificates and auto-renew

• [x] default etc/skel to provide

  • [x] serve http://<user>.<server>.hashbang.sh from ~user/.nginx.sock
  • [x] systemd --user service and nginx config to start nginx serving Public done

• [x] optional etc/skel to provide https service

  • [x] serve https://<user>.<server>.hashbang.sh from ~user/.nginx.https.sock
  • [x] systemd --user service and nginx config to start nginx serving Public

• [ ] custom domains

  • [ ] forward custom domains to
    • [ ] /var/run/nginx/<domain>.http.sock
    • [ ] /var/run/nginx/<domain>.https.sock

The global nginx server config looks like this (the ssl part)

stream {    
    server {
        listen      443;
        proxy_protocol on;
        proxy_pass  unix:/var/run/nginx/$ssl_preread_server_name.https.sock;
        ssl_preread on;
    }
}

[benharri]

admin-tools#154 will be helpful for this as well as nginx/main.yml

[mayli]

admin-tools#154 will be helpful for this as well as nginx/main.yml

Yep, I contributed to the original nginx service, but it turns to be not very useful to most users. This issue is to track the improvements.

[RyanSquared]

This seems like a decent roadmap but I do think we should stick with Public instead of public_html (as it is currently); as-is, people don't serve just HTML.

We already do have a systemd unit that users can enable, [email protected], but that only runs HTTP and on ports >1024. Ideally, onboarding for this would be transparent as I think we already advertise that it should just work out of the box.

[benharri]

but it turns to be not very useful to most users

dns records for *..hashbang.sh haven't been deployed yet which is the main blocker

I opened a PR for shellserver wildcard records

[Arnie97]

The [email protected]does not seem to work now.

arnie97@sf1:~/Public$ systemctl start SimpleHTTPServer@8080
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to start '[email protected]'.
Authenticating as: root
polkit-agent-helper-1: pam_authenticate failed: Authentication failure
==== AUTHENTICATION FAILED ===
Failed to start [email protected]: Access denied
See system logs and 'systemctl status [email protected]' for details.

arnie97@sf1:~/Public$ journalctl -q
polkit-agent-helper-1[25990]: pam_unix(polkit-1:auth): auth could not identify password for [root]

[MineRobber9000]

@Arnie97 try:

systemctl --user start SimpleHTTPServer@8080

[RyanSquared]

Also, it's likely that port 8080 is taken. All users as of right now (and probably in the future as well) will be sharing the same address space, so it would be wise to pick one that likely isn't already used.

[RyanSquared]

As of right now, HTTPS is working. I do not see a valid solution for other peoples' domains at this point other than having some kind of domain-based challenge system.

[retronav]

Did anything progress regarding custom domains? 🙂

[RyanSquared]

We currently do not have any system set up for custom domains. At this point, I believe it would require some advanced proxy logic (dynamically looking up CNAMEs for incoming records to see which user they should go to) that's more complicated than the current setup and I don't have the time to write it.