    Setup NodeBB with PostgreSQL on Fedora 33 with Nginx and HTTPS only

    • Why PostgreSQL? Because of MongoDB's licensing complexities.
    • As with many of my more recent guides, I'll be using environment variables.
      • Do not log out of your console/SSH session until this is complete: the variables exist only in that session, and the later steps read them.

    Create a random password for PostgreSQL's admin user account

    export DB_ROOT_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"
    

    Database name to use for application

    export DB_NAME='nodebb'
    

    Database user to use for application

    export DB_USER='nbbuser'
    

    Generate a random password for the database user

    export DB_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"
    

    The location to install the application

    export APP_PATH='/opt/nodebb'
    

    The FQDN of the application

    export FQDN='community.domain.com'
    

    Path to the SSL certificates and key

    export SSL_KEY_PATH='/etc/pki/tls/private/cforigin.domain.com.key'
    export SSL_CERT_PATH='/etc/pki/tls/certs/cforigin.domain.com.pem'
    export SSL_CA_CERT_PATH='/etc/pki/tls/certs/cfchain.domain.com.pem'
    

    Dump the environment variables to a file in the current directory for later reference. The file contains the database passwords, so keep it readable only by you and remove it once the setup is done.

    cat >> setup.info << EOF
    PostgreSQL Database Name    : $DB_NAME
    Database User               : $DB_USER
    Database User Password      : $DB_PASS
    Database Root Password      : $DB_ROOT_PASS
    Application Path            : $APP_PATH
    FQDN                        : $FQDN
    SSL Certificate Path        : $SSL_CERT_PATH
    SSL Key Path                : $SSL_KEY_PATH
    SSL CA Certificate Path     : $SSL_CA_CERT_PATH
    EOF
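An added example (not part of the original guide): the same secret generator wrapped in a function, plus a pre-flight check that every variable the later steps read is still set and that a generated password is really 24 alphanumeric characters rather than an empty string from a failed pipeline. Variable names are the guide's; the function names (gen_secret, check_secret, check_setup_env) are my own. Plain sh/bash.

```shell
# Added example, not part of the original guide: a reusable secret
# generator and a pre-flight check for the variables the later steps
# depend on. Variable names are the guide's; function names are mine.

# Generate an alphanumeric secret of LEN characters (default 24), the
# same pipeline the guide uses, with LC_ALL=C so tr works byte-wise
# whatever locale the SSH session happens to have.
gen_secret() {
    len="${1:-24}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Return 0 if SECRET is exactly LEN characters of [A-Za-z0-9], else 1.
# Catches an empty string from a failed pipeline being written into
# setup.info and later pasted into the NodeBB setup wizard.
check_secret() {
    secret="$1" len="${2:-24}"
    [ "${#secret}" -eq "$len" ] || return 1
    case "$secret" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Return 0 if every variable the guide exports is set and non-empty;
# otherwise list the missing names on stderr and return 1. Run this
# before any step that writes a config file, and again after a
# reconnect, since the variables live only in the original session.
check_setup_env() {
    missing=0
    for name in DB_ROOT_PASS DB_NAME DB_USER DB_PASS APP_PATH FQDN \
                SSL_KEY_PATH SSL_CERT_PATH SSL_CA_CERT_PATH; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage as the guide would: generate both passwords and verify them.
DB_ROOT_PASS="$(gen_secret 24)"
DB_PASS="$(gen_secret 24)"
check_secret "$DB_ROOT_PASS" 24 && check_secret "$DB_PASS" 24 && echo "secrets ok"
```

check_setup_env is worth re-running after any reconnect, because the exports do not survive the session; it lists whatever has to be re-exported before continuing.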
    

    Update the Operating System

    sudo dnf upgrade -y --refresh
    

    These are tools I use on pretty much every Fedora instance

    • Configuration of them, if required, is not covered here.
    sudo dnf install -y nano sysstat glances htop dnf-automatic
    

    Install the packages required for PostgreSQL backed NodeBB

    sudo dnf install -y git nginx nodejs postgresql-server policycoreutils-python-utils
    

    Initialize the PostgreSQL database

    sudo /usr/bin/postgresql-setup initdb
    

    Enable and start the database

    sudo systemctl enable --now postgresql
    

    Enable and start Nginx to be the proxy

    sudo systemctl enable --now nginx
    

    Update the firewall to allow the needed connections. Only HTTPS is opened; NodeBB's own port (4567) stays reachable only through the Nginx proxy on localhost.

    sudo firewall-cmd --add-service=https --permanent
    sudo firewall-cmd --reload
    

    Tell SELinux to allow the web server to make network connections, which Nginx needs in order to proxy to NodeBB on 127.0.0.1:4567

    sudo setsebool -P httpd_can_network_connect on
    

    Create user and database to be used by NodeBB

    • Run these from /tmp inside a subshell (so your own working directory is unchanged): psql runs as the postgres user, which cannot read your home directory, and otherwise prints a harmless "could not change directory" error before each command.
    (
      cd /tmp
      sudo -u postgres psql -c "create user $DB_USER with encrypted password '$DB_PASS'"
      sudo -u postgres psql -c "create database $DB_NAME"
      sudo -u postgres psql -c "grant all privileges on database $DB_NAME to $DB_USER"
    )
    

    Set a password for the admin user (postgres)

    (cd /tmp && sudo -u postgres psql -c "alter user postgres with password '$DB_ROOT_PASS'")
    

    Switch the loopback host entries in pg_hba.conf from ident to md5 so NodeBB can authenticate over TCP with the database user's password (the local/peer entry is untouched, so sudo -u postgres psql keeps working).

    sudo sed -i 's/ident$/md5/g' /var/lib/pgsql/data/pg_hba.conf
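An added example, not from the guide, showing a least-privilege alternative to the global sed: rather than switching every ident entry to md5, insert loopback rules scoped to the NodeBB database and role ahead of the catch-all host rules, and confirm which method PostgreSQL would apply to a given connection. The sample pg_hba.conf, the function names and the nodebb/nbbuser values are constructed to match the guide; the address comparison is a plain string match, not real CIDR matching, so it only answers for the exact loopback entries.

```shell
# Added example, not part of the original guide: a least-privilege
# alternative to rewriting every "ident" entry as "md5". It inserts
# loopback rules scoped to the NodeBB database and role, leaves the
# catch-all host rules on ident, and resolves which method PostgreSQL
# would pick for a given connection. Function names are mine, the
# sample pg_hba.conf is constructed, and the address match is an exact
# string comparison rather than real CIDR matching.

# pg_hba_scope_app FILE DB USER
#   Print FILE with two md5 rules for DB/USER (IPv4 and IPv6 loopback)
#   inserted just before the first "host" rule. pg_hba.conf is evaluated
#   top-down and the first match wins, so the scoped rules take precedence.
pg_hba_scope_app() {
    awk -v db="$2" -v user="$3" '
        $1 == "host" && !inserted {
            printf "host    %-15s %-15s 127.0.0.1/32            md5\n", db, user
            printf "host    %-15s %-15s ::1/128                 md5\n", db, user
            inserted = 1
        }
        { print }
    ' "$1"
}

# pg_hba_method_for FILE DB USER ADDRESS
#   Print the auth method of the first host rule matching a TCP
#   connection to DB as USER from ADDRESS ("all" matches anything).
pg_hba_method_for() {
    awk -v db="$2" -v user="$3" -v addr="$4" '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "host" && ($2 == "all" || $2 == db) &&
            ($3 == "all" || $3 == user) && $4 == addr { print $5; exit }
    ' "$1"
}

# Constructed sample with the layout of the Fedora default pg_hba.conf.
SAMPLE_HBA="$(mktemp)"
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     peer
host    all             all             127.0.0.1/32            ident
host    all             all             ::1/128                 ident
EOF

SCOPED_HBA="$(mktemp)"
pg_hba_scope_app "$SAMPLE_HBA" nodebb nbbuser > "$SCOPED_HBA"
cat "$SCOPED_HBA"
echo "nbbuser@nodebb via IPv4 loopback:   $(pg_hba_method_for "$SCOPED_HBA" nodebb nbbuser 127.0.0.1/32)"
echo "postgres@postgres via IPv4 loopback: $(pg_hba_method_for "$SCOPED_HBA" postgres postgres 127.0.0.1/32)"
```

To apply this to the real file, run the function under sudo (pg_hba.conf is owned by postgres and not world-readable) into a new file, review it, then move it over /var/lib/pgsql/data/pg_hba.conf and restart PostgreSQL as in the next step. If you prefer scram-sha-256 to md5, set password_encryption = scram-sha-256 in postgresql.conf before creating the role; a role whose password was stored as an md5 hash cannot log in through a scram-sha-256 rule.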
    

    Restart PostgreSQL

    sudo systemctl restart postgresql
    

    Create application directory.

    sudo mkdir -p $APP_PATH
    

    Download NodeBB

    • As of the creation of this guide, the current branch is v1.15.x
    • Update accordingly.
    sudo git clone -b v1.15.x https://github.com/NodeBB/NodeBB.git $APP_PATH
    

    Create the user account to run the application

    sudo adduser nodebb --system --create-home
    

    Set ownership to the user that will be running the application

    sudo chown -R nodebb:nodebb $APP_PATH
    

    Set up a strong Diffie-Hellman parameter for the DHE cipher suites in the Nginx configuration (generating 2048-bit parameters can take a few minutes)

    sudo mkdir -p /etc/nginx/dhparam
    sudo openssl dhparam -outform PEM -out /etc/nginx/dhparam/dhparam.pem -2 2048
    

    Create the SSL certificate

    • Prepare these heredocs in an editor (VS Code or similar) before pasting them into the session.
    • You do not want to mess this up, or else Nginx will not start.
    sudo tee $SSL_CERT_PATH > /dev/null << EOF
    -----BEGIN CERTIFICATE-----
    Put everything from your CERTIFICATE file here...
    -----END CERTIFICATE-----
    EOF
    

    Create the SSL private key

    sudo tee $SSL_KEY_PATH > /dev/null << EOF
    -----BEGIN PRIVATE KEY-----
    Put everything from your KEY file here...
    -----END PRIVATE KEY-----
    EOF
    

    Create the SSL CA certificate chain

    sudo tee $SSL_CA_CERT_PATH > /dev/null << EOF
    -----BEGIN CERTIFICATE-----
    Put everything from your CA CERT CHAIN file here...
    -----END CERTIFICATE-----
    EOF
    

    Set the permissions of the SSL files.

    sudo chmod 644 $SSL_CA_CERT_PATH
    sudo chmod 644 $SSL_CERT_PATH
    sudo chmod 600 $SSL_KEY_PATH
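An added example, not part of the guide: a pre-flight check to run on the three files before restarting Nginx. It is plain shell (no openssl required) and verifies the outer BEGIN/END markers, that the body is base64, that the placeholder text from the heredocs has been replaced, that BEGIN and END counts match in the chain, and that the mode is what the guide sets. The function name pem_check is mine; the sample files are constructed and contain no real key or certificate material.

```shell
# Added example, not part of the original guide: a pre-flight check for
# the three PEM files before Nginx is restarted. Pure shell (no openssl
# needed): it verifies the BEGIN/END markers, that the body is base64,
# that the guide's placeholder text is gone, that BEGIN and END counts
# match (for the chain file) and that the file mode is what the guide
# sets. Function name is mine; the sample files are constructed and are
# not real keys or certificates.

# pem_check FILE LABEL MODE
#   LABEL: CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, ...
#   MODE:  expected octal mode, e.g. 644 or 600
#   Returns 0 if FILE passes, else prints the first problem and returns 1.
pem_check() {
    file="$1" label="$2" want_mode="$3"
    [ -r "$file" ] || { echo "$file: missing or unreadable"; return 1; }
    [ "$(head -n 1 "$file")" = "-----BEGIN $label-----" ] ||
        { echo "$file: first line is not BEGIN $label (CRLF line endings?)"; return 1; }
    [ "$(tail -n 1 "$file")" = "-----END $label-----" ] ||
        { echo "$file: last line is not END $label"; return 1; }
    # The literal placeholder text from the guide's heredocs.
    if grep -q 'Put everything from your' "$file"; then
        echo "$file: placeholder text from the heredoc is still present"; return 1
    fi
    begins="$(grep -c '^-----BEGIN ' "$file" || true)"
    ends="$(grep -c '^-----END ' "$file" || true)"
    [ "$begins" -eq "$ends" ] ||
        { echo "$file: $begins BEGIN vs $ends END markers"; return 1; }
    # Everything between the outer markers must be base64 (<= 64 columns)
    # or, in a chain, another marker line.
    if sed -e '1d' -e '$d' "$file" |
        grep -Eqv '^(-----(BEGIN|END) [A-Z ]+-----|[A-Za-z0-9+/=]{1,64})$'; then
        echo "$file: body line that is not base64"; return 1
    fi
    [ "$(sed -e '1d' -e '$d' "$file" | wc -l | tr -d ' ')" -gt 0 ] ||
        { echo "$file: empty body"; return 1; }
    mode="$(stat -c '%a' "$file")"
    [ "$mode" = "$want_mode" ] ||
        { echo "$file: mode $mode, expected $want_mode"; return 1; }
    return 0
}

# Constructed stand-ins: the base64 lines are arbitrary, not real material.
TMPD="$(mktemp -d)"
cat > "$TMPD/cert.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ29uc3RydWN0ZWRTYW1wbGVDZXJ0
-----END CERTIFICATE-----
EOF
cat > "$TMPD/key.pem" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7
-----END PRIVATE KEY-----
EOF
cat > "$TMPD/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ29uc3RydWN0ZWRJbnRlcm1lZGlhdGU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ29uc3RydWN0ZWRSb290Q0E=
-----END CERTIFICATE-----
EOF
# The guide's heredoc pasted without replacing the placeholder.
cat > "$TMPD/unfilled.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Put everything from your CERTIFICATE file here...
-----END CERTIFICATE-----
EOF
chmod 644 "$TMPD/cert.pem" "$TMPD/chain.pem" "$TMPD/unfilled.pem"
chmod 600 "$TMPD/key.pem"

pem_check "$TMPD/cert.pem"     CERTIFICATE   644 && echo "cert ok"
pem_check "$TMPD/key.pem"      "PRIVATE KEY" 600 && echo "key ok"
pem_check "$TMPD/chain.pem"    CERTIFICATE   644 && echo "chain ok"
pem_check "$TMPD/unfilled.pem" CERTIFICATE   644 || echo "unfilled rejected"
```

Against the guide's files: pem_check "$SSL_CERT_PATH" CERTIFICATE 644, pem_check "$SSL_KEY_PATH" "PRIVATE KEY" 600 (use "RSA PRIVATE KEY" or "EC PRIVATE KEY" if that is what your key file says) and pem_check "$SSL_CA_CERT_PATH" CERTIFICATE 644, run with sudo since the key is mode 600. A file copied from Windows with CRLF line endings fails the first-line check; strip the carriage returns before installing it.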
    

    Set up the Nginx configuration file for the application.

    sudo tee /etc/nginx/conf.d/nodebb.conf > /dev/null << EOF
    server {
        # Based on Mozilla intermediate configuration https://ssl-config.mozilla.org/
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
    
        server_name $FQDN;
    
        ssl_certificate $SSL_CERT_PATH;
        ssl_certificate_key $SSL_KEY_PATH;
    
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;
    
        ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
    
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
    
        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
        add_header Strict-Transport-Security "max-age=63072000" always;
    
        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
    
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate $SSL_CA_CERT_PATH;
    
        # replace with the IP address of your resolver
        resolver 1.1.1.1;
    
        location / {
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \$scheme;
            proxy_set_header Host \$http_host;
            proxy_set_header X-NginX-Proxy true;
    
            proxy_pass http://127.0.0.1:4567;  # no trailing slash
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
    EOF
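An added example, not part of the guide, for the heredoc above: because the EOF delimiter is unquoted, the shell expands $FQDN and the SSL_* paths, and every Nginx variable has to be written as \$remote_addr, \$http_host and so on. A forgotten backslash does not stop Nginx from starting; the header is just set to an empty value. The lint below checks a rendered file for that, for a shell placeholder that was never expanded, and for a plaintext listener on a site meant to be HTTPS only. The function name is mine and the two sample configs are constructed, cut-down versions of the guide's.

```shell
# Added example, not part of the original guide: lint a rendered Nginx
# config for the failure modes of an unquoted heredoc. Function name is
# mine; the sample configs below are constructed.

# nginx_conf_lint FILE -> prints one line per problem, returns 1 if any.
nginx_conf_lint() {
    file="$1" rc=0
    # 1. shell variables from the guide that should have been expanded
    for v in FQDN SSL_CERT_PATH SSL_KEY_PATH SSL_CA_CERT_PATH; do
        if grep -qF "\$$v" "$file"; then echo "unexpanded shell variable \$$v"; rc=1; fi
    done
    # 2. nginx runtime variables that must survive with their dollar sign
    for v in remote_addr proxy_add_x_forwarded_for scheme http_host http_upgrade; do
        if ! grep -qF "\$$v" "$file"; then echo "nginx variable \$$v not found"; rc=1; fi
    done
    # 3. proxy_set_header with nothing after the header name: a \$ was lost
    if grep -Eq 'proxy_set_header[[:space:]]+[A-Za-z-]+[[:space:]]*;' "$file"; then
        echo "proxy_set_header with an empty value"; rc=1
    fi
    # 4. the guide is HTTPS only: no listen 80
    if grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?80[^0-9]' "$file"; then
        echo "plaintext listener on port 80"; rc=1
    fi
    return "$rc"
}

TMPD="$(mktemp -d)"
FQDN="community.example.com"   # constructed value
unset remote_addr http_host    # make sure the unescaped case expands to nothing

# Correct: Nginx variables escaped, shell variable expanded.
cat > "$TMPD/good.conf" <<EOF
server {
    listen 443 ssl http2;
    server_name $FQDN;
    location / {
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Host \$http_host;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_pass http://127.0.0.1:4567;
    }
}
EOF

# Wrong: backslashes forgotten, so the shell expanded the unset variables
# to empty strings, and a plaintext listener slipped in.
cat > "$TMPD/bad.conf" <<EOF
server {
    listen 80;
    server_name $FQDN;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:4567;
    }
}
EOF

nginx_conf_lint "$TMPD/good.conf" && echo "good.conf: ok"
nginx_conf_lint "$TMPD/bad.conf" || echo "bad.conf: rejected"
```

Run it as nginx_conf_lint /etc/nginx/conf.d/nodebb.conf before `sudo nginx -t` and the restart; nginx -t catches syntax errors but not a header that was rendered with an empty value.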
    

    Restart Nginx

    sudo systemctl restart nginx
    

    Show the setup.info file with the Database passwords.

    • You will need to know the DB info, as it will be used in the setup wizard during the next step.
    cat setup.info
    

    Change to the directory that NodeBB was installed to and run the NodeBB setup wizard

    • The build fails if you run ./nodebb setup by its full path from your home directory; change into the application directory first.
    cd $APP_PATH
    sudo -u nodebb ./nodebb setup
    
    posted in Guides & Walkthroughs