How to install The Lounge web IRC chat on Ubuntu server with Let's Encrypt https

Andy

This tutorial will guide you through installing The Lounge on Ubuntu Server 18.04 LTS.

Log into the Ubuntu virtual machine and perform some initial setup before installing The Lounge:
Code:
andy@thelounge:~$ sudo apt update
andy@thelounge:~$ sudo apt upgrade
andy@thelounge:~$ sudo apt dist-upgrade

Install The Lounge
Most online instructions, including the official documentation, have you first install Node.js after which you can download and install a deb package. I've found it much easier to install The Lounge using the available snap package. To install The Lounge, just run the following command:

Code:
andy@thelounge:~$ sudo snap install thelounge
Next, change the owner of The Lounge home directory inside the snap to the local user that will run The Lounge:
Code:
andy@thelounge:~$ sudo chown -Rv $USER:$USER /var/snap/thelounge/XX/home
XX depends on your installation.

Confirm that you can now execute thelounge commands with the current user without having to escalate privileges:

Code:
andy@thelounge:~$ thelounge list
2020-05-23 07:46:41 [INFO] There are currently no users. Create one with thelounge add <name>.
andy@thelounge:~$

Install NGINX as a Reverse Proxy to Replace the Default HTTP Server
First, edit The Lounge config.js file to enable the reverse proxy. When using The Lounge behind a reverse proxy, set the reverseProxy option to true in your configuration file. This will instruct The Lounge to use the X-Forwarded-For header passed by your reverse proxy.
Code:
andy@thelounge:~$ sudo vim /var/snap/thelounge/XX/home/config.js
Code:
reverseProxy: true,
Now we can install NGINX and enable the service:
Code:
andy@thelounge:~$ sudo apt install nginx
andy@thelounge:~$ sudo systemctl enable nginx
Next, create the NGINX configuration file /etc/nginx/sites-available/chat.genesis.saputra.org using the following configuration:
Code:
server {
        listen 80;
        listen [::]:80;

        server_name chat.genesis.saputra.org;

        location / {
                proxy_pass http://chat.genesis.saputra.org:9000/;
                proxy_http_version 1.1;
                proxy_set_header Connection "upgrade";
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_read_timeout 1d;
        }
}
As we can see here, sites-enabled contains a symlink, default, that points to sites-available/default:
Code:
andy@thelounge:/etc/nginx/sites-enabled$ ls -al
total 8
drwxr-xr-x 2 root root 4096 May 23 19:52 .
drwxr-xr-x 8 root root 4096 May 23 19:52 ..
lrwxrwxrwx 1 root root   34 May 23 19:52 default -> /etc/nginx/sites-available/default
andy@thelounge:/etc/nginx/sites-enabled$
So, let's create a symlink to the configuration file in the sites-enabled directory, which NGINX reads during startup:
Code:
andy@thelounge:~$ sudo ln -s /etc/nginx/sites-available/chat.genesis.saputra.org /etc/nginx/sites-enabled/
Make sure that you have set up the A record or CNAME for chat.genesis.saputra.org, then test the NGINX configuration:
Code:
andy@thelounge:~$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
andy@thelounge:~$
Once the test succeeds, restart NGINX:
Code:
andy@thelounge:~$ sudo systemctl restart nginx
The Lounge should now be running behind a reverse proxy and be accessible at http://chat.genesis.saputra.org

Enable HTTPS
The first step in enabling HTTPS is to install certbot:
Code:
andy@thelounge:~$ sudo add-apt-repository ppa:certbot/certbot
andy@thelounge:~$ sudo apt install python-certbot-nginx
andy@thelounge:~$ sudo systemctl reload nginx
Then apply for the certificate. Provide the required information and when prompted, select the option to redirect HTTP requests to HTTPS:
Code:
andy@thelounge:~$ sudo certbot --nginx -d chat.genesis.saputra.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): hostmaster@genesis.saputra.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for chat.genesis.saputra.org
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/chat.genesis.saputra.org

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/chat.genesis.saputra.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://chat.genesis.saputra.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=chat.genesis.saputra.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/chat.genesis.saputra.org/privkey.pem
   Your cert will expire on 2020-08-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

andy@thelounge:~$

Open your configuration file, located at /var/snap/thelounge/XX/home/config.js, find the https stanza, and set the following values:
  • Change enable from false to true
  • Set key to the path of the generated private key, privkey.pem
  • Set certificate to the path of the certificate, fullchain.pem

For example:
Code:
https: {
        enable: true,
        key: "/etc/letsencrypt/live/chat.genesis.saputra.org/privkey.pem",
        certificate: "/etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem",
        ca: "",
},

Let's Encrypt will create its /etc/letsencrypt folder under the ownership of the root user, so you might have to change the owner of these files to the user that runs The Lounge.
Code:
andy@thelounge:~$ sudo chown -Rv $USER:$USER /etc/letsencrypt
andy@thelounge:~$ sudo systemctl restart nginx
Verify that you can now reach your site at https://chat.genesis.saputra.org

Verifying Certbot Auto-Renewal
Let's Encrypt's certificates are only valid for 90 days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within 30 days of expiration.

To test the renewal process, you can do a dry run with certbot:

Code:
andy@thelounge:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/chat.genesis.saputra.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chat.genesis.saputra.org
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/chat.genesis.saputra.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
andy@thelounge:~$
If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload NGINX to pick up the changes. If the automated renewal process ever fails, Let's Encrypt will send a message to the email you specified, warning you when your certificate is about to expire 👍

Hopefully this tutorial has been useful to you. Feel free to post your questions or comments down below 👇
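For the reverse-proxy step above, a check added here that is not part of the original tutorial: with reverseProxy: true The Lounge takes the client address from X-Forwarded-For, so a listener on the backend port that is reachable without passing through NGINX would accept that header from the client itself. The function reads `ss -ltn` output and prints every non-loopback address listening on port 9000 (the port used in proxy_pass); the function names and both sample listings are constructed.

```shell
#!/bin/sh
# Added example: find listeners on the backend port that bypass NGINX.
# Input: `ss -ltn` output on stdin. Output: one non-loopback address per line.
exposed_backend() {
    port="$1"
    awk -v port="$port" '
        $1 != "LISTEN" { next }               # also skips the header line
        {
            n = split($4, parts, ":")          # $4 is Local Address:Port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            # Loopback: 127.0.0.0/8, ::1 and IPv4-mapped loopback
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr
        }'
}

# Constructed sample: backend listening on every interface.
sample_all_interfaces() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       511     *:9000              *:*
EOF
}

# Constructed sample: backend bound to loopback only.
sample_loopback_only() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       511     127.0.0.1:9000      0.0.0.0:*
LISTEN  0       511     [::1]:9000          [::]:*
EOF
}

echo "all interfaces: $(sample_all_interfaces | exposed_backend 9000)"
echo "loopback only:  $(sample_loopback_only | exposed_backend 9000)"
# On a live host: ss -ltn | exposed_backend 9000
```

Any address printed is a listener that clients can reach directly unless a firewall blocks port 9000.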
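For the step above that hands /etc/letsencrypt to the account running The Lounge, a second added check that is not part of the original tutorial: the private keys are the secret in that tree, so after a recursive chown it is worth listing which key files are owned by an unexpected account or carry group/other permission bits. The function names, the sample tree and the chat.example.test name are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Let's Encrypt private keys whose owner or mode
# differs from what is expected. Usage: audit_privkeys DIR [EXPECTED_UID]
audit_privkeys() {
    dir="$1"
    want_uid="${2:-0}"                  # default: keys owned by root
    # live/<name>/privkey.pem is a symlink; the real files sit in archive/
    find "$dir" -type f -name 'privkey*.pem' | sort | while IFS= read -r f; do
        meta=$(ls -ln "$f")             # e.g. -rw------- 1 0 0 1704 ...
        mode=${meta%% *}
        uid=$(printf '%s\n' "$meta" | awk '{ print $3 }')
        reason=""
        [ "$uid" = "$want_uid" ] || reason="uid=$uid"
        case "$mode" in
            ????------*) ;;             # no group/other permission bits
            *) reason="${reason:+$reason,}mode=$mode" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s\n' "${f#"$dir"/}" "$reason"
        fi
    done
}

# Constructed tree that mimics the certbot layout, for an offline run.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/chat.example.test" "$root/live/chat.example.test"
    : > "$root/archive/chat.example.test/privkey1.pem"
    : > "$root/archive/chat.example.test/privkey2.pem"
    : > "$root/archive/chat.example.test/fullchain1.pem"
    chmod 600 "$root/archive/chat.example.test/privkey1.pem"
    chmod 644 "$root/archive/chat.example.test/privkey2.pem"
    ln -s ../../archive/chat.example.test/privkey2.pem \
        "$root/live/chat.example.test/privkey.pem"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
audit_privkeys "$tree" "$(id -u)"       # reports privkey2.pem only
rm -rf "$tree"
# On a live host, run as root: audit_privkeys /etc/letsencrypt
```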
 