- User ID
- 1
- Joined
- 7 Jan 2019
- Messages
- 1,126
- Reaction score
- 57
- Points
- 48
This tutorial will guide you to install The Lounge on Ubuntu server 18.04 LTS.
Log into the Ubuntu virtual machine and perform some initial setup before installing The Lounge:
Install The Lounge
Most online instructions, including the official documentation, have you first install Node.js after which you can download and install a deb package. I've found it much easier to install The Lounge using the available snap package. To install The Lounge, just run the following command:
Next, we'd need to change the owner of The Lounge home directory in the snap to the local user we want to run the lounge:
Where XX will depend on your installation.
Confirm that you can now execute thelounge commands with the current user without having to escalate privileges:
Install NGINX as a Reverse Proxy to Replace the Default HTTP Server
First, edit The Lounge config.js file to enable the reverse proxy. When using The Lounge behind a reverse proxy, set the reverseProxy option to true in your configuration file. This will instruct The Lounge to use the X-Forwarded-For header passed by your reverse proxy.
Now we can install NGINX and enable the service:
Next, create the NGINX configuration file /etc/nginx/sites-available/chat.genesis.saputra.org using the following configuration:
As we can see here, sites-enabled is a symlink of sites-available/default:
So, let's create a link between the configuration file and the sites-enabled directory which NGINX reads during startup:
Make sure that you have setup the arecord/cname of chat.genesis.saputra.org, then test the nginx:
When the test has been successful, restart the nginx:
The Lounge should now be running behind a reverse proxy and be accessible at http://chat.genesis.saputra.org
Enable HTTPS
The first step in enabling HTTPS is to install certbot:
Then apply for the certificate. Provide the required information and when prompted, select the option to redirect HTTP requests to HTTPS:
Let's Encrypt will create its /etc/letsencrypt folder under the ownership of the root user, so you might have to change the owner of these files to the user that runs The Lounge.
Verify that you can now reach your site at https://chat.genesis.saputra.org
Verifying Certbot Auto-Renewal
Let's Encrypt's certificates are only valid for 90 days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within 30 days of expiration.
To test the renewal process, you can do a dry run with certbot:
If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload NGINX to pick up the changes. If the automated renewal process ever fails, Let's Encrypt will send a message to the email you specified, warning you when your certificate is about to expire
To stop thelounge, use the following command:
Hopefully, this tutorial has been useful to you, feel free to post your questions or comments down below 
Log into the Ubuntu virtual machine and perform some initial setup before installing The Lounge:
Code:
andy@thelounge:~$ sudo apt update
andy@thelounge:~$ sudo apt upgrade
andy@thelounge:~$ sudo apt dist-upgradeInstall The Lounge
Most online instructions, including the official documentation, have you first install Node.js after which you can download and install a deb package. I've found it much easier to install The Lounge using the available snap package. To install The Lounge, just run the following command:
Code:
andy@thelounge:~$ sudo snap install theloungeNext, we'd need to change the owner of The Lounge home directory in the snap to the local user we want to run the lounge:
Code:
andy@thelounge:~$ sudo chown -Rv $USER:$USER /var/snap/thelounge/XX/homeConfirm that you can now execute thelounge commands with the current user without having to escalate privileges:
Code:
andy@thelounge:~$ thelounge list
2020-05-23 07:46:41 [INFO] There are currently no users. Create one with thelounge add <name>.
andy@thelounge:~$Install NGINX as a Reverse Proxy to Replace the Default HTTP Server
First, edit The Lounge config.js file to enable the reverse proxy. When using The Lounge behind a reverse proxy, set the reverseProxy option to true in your configuration file. This will instruct The Lounge to use the X-Forwarded-For header passed by your reverse proxy.
Code:
andy@thelounge:~$ sudo vim /var/snap/thelounge/XX/home/config.js
Code:
reverseProxy: true,Now we can install NGINX and enable the service:
Code:
andy@thelounge:~$ sudo apt install nginx
andy@thelounge:~$ sudo systemctl enable nginxNext, create the NGINX configuration file /etc/nginx/sites-available/chat.genesis.saputra.org using the following configuration:
Code:
server {
listen 80;
listen [::]:80;
server_name chat.genesis.saputra.org;
location / {
proxy_pass http://chat.genesis.saputra.org:9000/;
proxy_http_version 1.1;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1d;
}
}As we can see here, sites-enabled is a symlink of sites-available/default:
Code:
andy@thelounge:/etc/nginx/sites-enabled$ ls -al
total 8
drwxr-xr-x 2 root root 4096 May 23 19:52 .
drwxr-xr-x 8 root root 4096 May 23 19:52 ..
lrwxrwxrwx 1 root root 34 May 23 19:52 default -> /etc/nginx/sites-available/default
andy@thelounge:/etc/nginx/sites-enabled$So, let's create a link between the configuration file and the sites-enabled directory which NGINX reads during startup:
Code:
andy@thelounge:~$ sudo ln -s /etc/nginx/sites-available/chat.genesis.saputra.org /etc/nginx/sites-enabled/Make sure that you have setup the arecord/cname of chat.genesis.saputra.org, then test the nginx:
Code:
andy@thelounge:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
andy@thelounge:~$When the test has been successful, restart the nginx:
Code:
andy@thelounge:~$ sudo systemctl restart nginxThe Lounge should now be running behind a reverse proxy and be accessible at http://chat.genesis.saputra.org
Enable HTTPS
The first step in enabling HTTPS is to install certbot:
Code:
andy@thelounge:~$ sudo add-apt-repository ppa:certbot/certbot
andy@thelounge:~$ sudo apt install python-certbot-nginx
andy@thelounge:~$ sudo systemctl reload nginxThen apply for the certificate. Provide the required information and when prompted, select the option to redirect HTTP requests to HTTPS:
Code:
andy@thelounge:~$ sudo certbot --nginx -d chat.genesis.saputra.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chat.genesis.saputra.org
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/chat.genesis.saputra.org
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/chat.genesis.saputra.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://chat.genesis.saputra.org
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=chat.genesis.saputra.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/chat.genesis.saputra.org/privkey.pem
Your cert will expire on 2020-08-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
andy@thelounge:~$Open your configuration file, located at /var/snap/thelounge/XX/home/config.js, find the https stanza, and set the following values:
For example:
- Change enable from false to true
- Set key to the private key path that was generated, privkey.pem:
- Set certificate to the certificate path, fullchain.pem
For example:
Code:
https: {
enable: true,
key: "/etc/letsencrypt/live/chat.genesis.saputra.org/privkey.pem",
certificate: "/etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem",
ca: "",
},Let's Encrypt will create its /etc/letsencrypt folder under the ownership of the root user, so you might have to change the owner of these files to the user that runs The Lounge.
Code:
andy@thelounge:~$ sudo chown -Rv $USER:$USER /etc/letsencrypt
andy@thelounge:~$ sudo systemctl restart nginxVerifying Certbot Auto-Renewal
Let's Encrypt's certificates are only valid for 90 days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within 30 days of expiration.
To test the renewal process, you can do a dry run with certbot:
Code:
andy@thelounge:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/chat.genesis.saputra.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chat.genesis.saputra.org
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
andy@thelounge:~$If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload NGINX to pick up the changes. If the automated renewal process ever fails, Let's Encrypt will send a message to the email you specified, warning you when your certificate is about to expire
To stop thelounge, use the following command:
Code:
andy@thelounge:~$ sudo snap stop thelounge