From 00916460c8261473b2afce60853c406f10aee6c0 Mon Sep 17 00:00:00 2001
From: Tor Andersson
Date: Wed, 23 Nov 2022 16:59:45 +0100
Subject: Simplify server. Only listen to HTTP. Use reverse proxy server to handle SSL, compression, etc.
---
 INSTALL.md | 59 ++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 36 insertions(+), 23 deletions(-)
(limited to 'INSTALL.md')
diff --git a/INSTALL.md b/INSTALL.md
index e83cb31..57364a2 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -19,41 +19,22 @@ sqlite3 db < schema.sql
 sqlite3 db < public/julius-caesar/title.sql
 ```
-Redirect port 80 and 443 to 8080 and 8443:
-
-```
-sudo iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-ports 8080
-sudo iptables -A PREROUTING -t nat -p tcp --dport 443 -j REDIRECT --to-ports 8443
-```
-
-Create SSL certificate with Let's Encrypt certbot, or self-signed with OpenSSL:
-
-```
-openssl req -nodes -new -x509 -keyout key.pem -out cert.pem
-```
-
 Configure the server using the .env file:
 ```
 NODE_ENV=production
-SITE_NAME=YOUR_SITE_NAME
-SITE_HOST=YOUR_DOMAIN
-SITE_URL=https://YOUR_DOMAIN
+SITE_NAME=Example
+SITE_URL=https://example.com
+HTTP_HOST=localhost
 HTTP_PORT=8080
-HTTPS_PORT=8443
-SSL_KEY=/etc/letsencrypt/live/YOUR_DOMAIN/privkey.com
-SSL_CERT=/etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
-
-MAIL_FROM=YOUR_SITE_NAME
+MAIL_FROM=Example
 MAIL_HOST=localhost
 MAIL_PORT=25
 ```
-If the HTTPS_PORT is missing, the server will only serve HTTP.
-
 If MAIL_HOST/PORT/FROM are not present, the server will not send notification emails.
 Start the server:
@@ -61,3 +42,35 @@ Start the server:
 ```
 node server.js
 ```
+
+To use SSL you should run the site behind a reverse proxy server, such as Nginx.
+Here is an example Nginx configuration:
+
+```
+server {
+listen 80;
+server_name example.com www.example.com;
+return 301 https://$host$request_uri;
+}
+
+server {
+listen 443 ssl;
+server_name example.com www.example.com;
+ssl_certificate /path/to/ssl/certificate/fullchain.cer;
+ssl_certificate_key /path/to/ssl/certificate/example.com.key;
+root /path/to/server/public;
+location / {
+try_files $uri @rally;
+}
+location @rally {
+proxy_pass http://127.0.0.1:8080;
+proxy_http_version 1.1;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_read_timeout 3600s;
+proxy_send_timeout 3600s;
+}
+}
+```
-- 
cgit v1.2.3
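Review bot: The `@rally` block sets `proxy_set_header Connection "upgrade";` unconditionally, so every ordinary request is forwarded with `Connection: upgrade` even when `$http_upgrade` is empty; the conventional fix is a `map` on `$http_upgrade` so the header is only sent when the client actually asked to upgrade. Because the application now accepts plain HTTP only, the prose above the configuration should also state that `HTTP_HOST` must stay `localhost` (as the .env example in the first hunk has it) so the unencrypted listener is reachable only from the proxy, and that `X-Real-IP` is trustworthy only under that condition. Whether the application reads `X-Real-IP` or needs `X-Forwarded-Proto` to know it is served over HTTPS is not visible in this patch; if it does, add `proxy_set_header X-Forwarded-Proto $scheme;` to the same block.
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# … unchanged: port-80 redirect server block; listen 443 / ssl_* / root / location / …
location @rally {
    # … unchanged: proxy_pass, proxy_http_version, Host, X-Real-IP, Upgrade headers …
    proxy_set_header Connection $connection_upgrade;
    # … unchanged: proxy_read_timeout, proxy_send_timeout …
}
```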