blog.mirabellette.eu

A blog about digital independence and autonomy

Installing and configuring Ethercalc in a LXC container

Written by Mirabellette

Disclaimer
Installing and configuring a server is not easy. It requires time, perseverance, money and knowledge. Don't forget that your server, Raspberry Pi or whatever device could be compromised and used, for example, against yourself or in a botnet (like Mirai).

For years I have used an instance of Ethercalc hosted by Framasoft. EtherCalc is a web spreadsheet which can be used by multiple users at the same time. It is quite powerful and you can, for example, manage most of your accounting with it. If you want to know more, you can test Ethercalc here.

If you want to give back, feel free to make a small donation to Framasoft. They host a lot of very useful services and work to empower people. Even 10 (dollars, euros, whatever) could make a difference. You can also help by developing Ethercalc features or by fixing bugs.

In order to understand and control the services I use, I decided to install my own instance of Ethercalc. To give back to the community, I wrote this article to explain how I did it.

System Configuration:
@host Debian Stretch (with apache as reverse proxy)
@installation_container Installation container (lxc)
@production_container Production container (lxc)

It is quite similar if you only have one environment.

Advice

  • Test this tutorial in a local network which is not directly connected to the Internet, i.e. one protected by a firewall.
  • Use a dedicated machine for all of your tests. A dedicated machine could be an unused computer, a virtual machine or a container. Be ready to reinstall your system; this can happen, especially when you begin with computer science.
  • I recommend using another Linux container to build an application. In general, you should avoid installing compilers and building applications on a production machine. You must only have in production what is required to work, nothing more! This significantly reduces the risk of being hacked.
  • In a container, I copy everything I need into /opt. It helps me to administer the container easily because I know that everything needed to run the application is stored there.
  • All variables that you have to change are prefixed with $; you have to remove the $ too.

Let's get started!
First of all: before installing Ethercalc, know that it is recommended to use a Redis server to store Ethercalc data.

Information

All information stored by Redis is stored in clear text. That means that if someone is able to access the dump.rdb file, they will be able to read all the information stored in your Ethercalc. I didn't find a solution to encrypt data at rest in Redis and it doesn't seem to have been developed yet.

# @installation_container

cd /opt
apt install xz-utils gcc make tar
wget http://download.redis.io/releases/redis-4.0.7.tar.gz
tar xvf redis-4.0.7.tar.gz
cd redis-4.0.7
cd deps
make hiredis jemalloc linenoise lua geohash-int
cd ..
make install

cd /opt
wget https://nodejs.org/dist/v8.9.4/node-v8.9.4-linux-x64.tar.xz
tar xvf node-v8.9.4-linux-x64.tar.xz
ln -s /opt/node-v8.9.4-linux-x64/bin/node /bin/node
# global install, so that the module lands in /opt/node-v8.9.4-linux-x64/lib/node_modules
/opt/node-v8.9.4-linux-x64/bin/npm install -g ethercalc
vim /opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc
# first line of the script: replace #!/bin/node by #!/opt/node-v8.9.4-linux-x64/bin/node
# node no longer needs to be available system-wide, so we delete the symbolic link
rm /bin/node

mkdir -p /container_path/opt/redis-4.0.7
cp -r /opt/redis-4.0.7/src/redis-server /container_path/opt/redis-4.0.7/
cp -r /opt/node-v8.9.4-linux-x64/ /container_path/opt/node-v8.9.4-linux-x64/
# you can move the original files instead of just copying them

We are going to configure Redis so that it stores the Ethercalc data where we want. As usual, I store everything I need in /opt.

mkdir /container_path/opt/redis_data
wget http://download.redis.io/redis-stable/redis.conf -O /container_path/opt/redis.conf
# in redis.conf, replace "dir ./" by "dir /opt/redis_data" (the directory created above, as seen from inside the container)

WARNING: Redis doesn't implement server-side encryption, which means that all your data is accessible to anyone who can read the dump.rdb file.
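The redis.conf edit above, as an added example that is not part of the original post: a small POSIX sh script that sets dir and, since Ethercalc and Redis run in the same container, also pins Redis to the loopback address and keeps protected-mode on, then verifies the three directives. The conf path and data directory are the ones used above (assumptions, overridable through REDIS_CONF and REDIS_DATA_DIR).

```sh
#!/bin/sh
# Added example (not from the original post): set the redis.conf directives
# that matter here and verify them. The conf path and data directory are
# the ones used above (assumptions); the data directory is the path as seen
# from inside the container.
REDIS_CONF="${REDIS_CONF:-/container_path/opt/redis.conf}"
REDIS_DATA_DIR="${REDIS_DATA_DIR:-/opt/redis_data}"

# set_directive FILE KEY VALUE: replace an active "KEY VALUE" line, or append one.
# Commented-out lines ("# bind ...") are left alone.
set_directive() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^$key " "$conf"; then
        sed -i.bak "s|^$key .*|$key $value|" "$conf" && rm -f "$conf.bak"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# harden_redis_conf FILE DATADIR
harden_redis_conf() {
    set_directive "$1" dir "$2"             # where dump.rdb is written
    set_directive "$1" bind 127.0.0.1       # Ethercalc is local: loopback is enough
    set_directive "$1" protected-mode yes   # refuse clients that are not on loopback
}

# check_redis_conf FILE DATADIR: returns 0 when all three directives carry the expected values.
check_redis_conf() {
    grep -qxF "dir $2" "$1" &&
    grep -qxF "bind 127.0.0.1" "$1" &&
    grep -qxF "protected-mode yes" "$1"
}

# Stand-alone use (needs write access to the conf): harden, then verify.
if [ "${1:-}" = "--run" ]; then
    harden_redis_conf "$REDIS_CONF" "$REDIS_DATA_DIR"
    check_redis_conf "$REDIS_CONF" "$REDIS_DATA_DIR" && echo "redis.conf OK"
fi
```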

Now we will create two systemd units to start Ethercalc and Redis automatically each time the container starts. We will also configure iptables so that the Redis server is not reachable from everywhere.

# @production_container

useradd redis
useradd nodejs
# we will now edit /etc/passwd in order to reduce the rights of these users to the strict minimum (no login shell).
vim /etc/passwd
nodejs:x:1000:1000::/opt/node-v8.9.4-linux-x64/bin/node:/bin/false
redis:x:1001:1001::/opt/redis-4.0.7/redis-server:/bin/false

cd /opt/
chown redis:redis -R redis*
chown nodejs:nodejs -R node-v8.9.4-linux-x64/

vim /etc/systemd/system/redis.service
[Unit]
Description=Redis
After=network.target

[Service]
Type=simple
ExecStart=/opt/redis-4.0.7/redis-server /opt/redis.conf
RemainAfterExit=yes
# run as the dedicated redis user created above, which owns /opt/redis*
User=redis
Group=redis

[Install]
WantedBy=multi-user.target
systemctl enable redis.service
vim /etc/systemd/system/ethercalc.service
[Unit]
Description=Ethercalc
After=network.target

[Service]
Type=simple
ExecStart=/opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc --host $container_ip
RemainAfterExit=yes
User=nodejs
Group=nodejs

[Install]
WantedBy=multi-user.target

systemctl enable ethercalc.service
# don't forget to replace $container_ip by the address of your own interface

In order to have the iptables rules loaded automatically when the container starts, you have to install the package iptables-persistent. Of course, we will configure it so that only Ethercalc is reachable from outside.

apt install iptables-persistent
vim /etc/iptables/rules.v4
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT DROP [1:328]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# $host_ip is the address of $host on the LXC bridge: the apache reverse proxy connects from it, and nothing else may reach Ethercalc
-A INPUT -s $host_ip -p tcp --dport 8000 -j ACCEPT
-A INPUT -s $apt_cache_or_lxc_network -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
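To check that the rules file above (or the live output of iptables-save) really keeps Redis private and lets only an explicit source reach Ethercalc, here is an added audit script; it is not part of the original post, and the rules file path is an assumption taken from the step above.

```sh
#!/bin/sh
# Added example (not from the original post): lint an iptables-restore
# file, or live "iptables-save" output, for the policy wanted in the
# production container. The default path is the one used above (assumption).
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

fail() { printf 'FAIL: %s\n' "$1" >&2; return 1; }

# audit_rules_v4 FILE
# Returns 0 when, in the *filter table, the INPUT chain drops by default,
# accepts loopback, accepts Ethercalc (tcp/8000) from an explicit source,
# never accepts Redis (tcp/6379), and every other ACCEPT on INPUT is also
# restricted to a source address or network.
audit_rules_v4() {
    f="$1"
    filter=$(sed -n '/^\*filter/,/^COMMIT/p' "$f")
    # ACCEPT rules on INPUT other than the loopback rule
    accepts=$(printf '%s\n' "$filter" | grep -- '^-A INPUT .*-j ACCEPT' | grep -v -- '-i lo ' || true)

    printf '%s\n' "$filter" | grep -q '^:INPUT DROP' ||
        fail "INPUT policy is not DROP" || return 1
    printf '%s\n' "$filter" | grep -q -- '^-A INPUT -i lo -j ACCEPT' ||
        fail "loopback traffic is not accepted" || return 1
    unscoped=$(printf '%s\n' "$accepts" | grep -v -- ' -s ' || true)
    [ -z "$unscoped" ] ||
        fail "ACCEPT without a source restriction: $unscoped" || return 1
    redis=$(printf '%s\n' "$accepts" | grep -- '--dport 6379 ' || true)
    [ -z "$redis" ] ||
        fail "Redis port 6379 is reachable from the network" || return 1
    printf '%s\n' "$accepts" | grep -q -- '--dport 8000 -j ACCEPT' ||
        fail "no rule lets the reverse proxy reach Ethercalc on port 8000" || return 1
    echo "OK: $f"
}

# Stand-alone use (inside the container, as root): audit the persisted
# file, then the ruleset that is actually loaded.
if [ "${1:-}" = "--run" ]; then
    audit_rules_v4 "$RULES_FILE"
    live=$(mktemp)
    iptables-save > "$live" && audit_rules_v4 "$live"
    rm -f "$live"
fi
```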

Now we will configure the apache2 reverse proxy. I chose not to use HTTPS between $host and $production_container. The main reason is that both of them are hosted on the same computer. If $production_container were somewhere else on the Internet, you MUST configure the proxy to use HTTPS towards your container/virtual machine/whatever, or all your traffic will be sent in clear text over the network. I also added web authentication so that I am the only one who can access it. Feel free to replace $your_name by a name of your choice; you have to change the apache2 configuration too. I will not explain how to deploy TLS on your web server, you can find a lot of tutorials on the Internet.

# @host
# generate a password for $your_name
htpasswd -c /etc/apache2/password_ethercalc $your_name

# the TLS and proxy modules are not enabled by default on Debian
a2enmod ssl proxy proxy_http

vim /etc/apache2/sites-available/ethercalc.conf
<VirtualHost *:443>
 ServerName www.example.com

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

 # authentication applies to everything that is proxied
 <Location "/">
  AuthType Basic
  AuthName "Restricted Files"
  AuthBasicProvider file
  AuthUserFile "/etc/apache2/password_ethercalc"
  Require user $your_name
 </Location>

 SSLEngine on
 SSLCertificateFile /path/to/apache/crt
 SSLCertificateKeyFile /path/to/apache/key

 ProxyPass / "http://$container_ip:8000/"
 ProxyPassReverse / "http://$container_ip:8000/"

</VirtualHost>

ln -s /etc/apache2/sites-available/ethercalc.conf /etc/apache2/sites-enabled/ethercalc.conf
service apache2 reload

It took me hours to write this article. I hope you will find it useful and interesting. Don't hesitate to comment, even if it is about a mistake or something that could be improved.
Thank you for reading.
