blog.mirabellette.eu

A blog about digital independence and autonomy

Digital independence

Why and when install a custom Android distribution?

Written by Mirabellette / 04 september 2018 / no comments

Hello guys,

Sorry for the little delay but I was not sure about what I wanted to write for the month of September.


Introduction

Today, I would like to talk about mobile operating systems, especially those based on Android. For those who do not know, Android is an open-source operating system, and each manufacturer may customise it with extra features or tweaks. A customised Android operating system is called a distribution. I do not know the iOS environment, which is why I will not talk about it here.

A little lexicon below:

  • iOS: iPhone operating system
  • FAD: Factory Android Distribution
  • CAD: Custom Android Distribution

Why and when install a custom Android distribution?

    The issues with the Factory Android Distribution (FAD)

    Manufacturers do a lot of work to provide a good mobile phone. However, they are motivated by money, unlike users, who are motivated by a good experience and good products.

    Firstly, the most important issue is updates. Android mobile phones tend to be updated for only two years. After this period, your smartphone will not be updated anymore, which means it will contain known vulnerabilities without any possibility of fixing them.

    Your phone has very sensitive features (GPS, microphone, camera, sensitive personal data), so a compromised mobile phone could create a lot of issues. For example, the GPS could be used in an abusive way. An example is the recent vulnerability published on the 29th of August.

    You can find below the distribution of Android versions deployed on smartphones.


    You can see that in February 2018, there are:

    • Around 10% on Android 4.4 (published October 31, 2013)
    • Around 25% on Android 5.0-5.1 (published November 12, 2014)
    • Around 28% on Android 6.0 (published October 5, 2015)
    • Around 25% on Android 7.0-7.1 (published August 22, 2016)

    I do not know if you realise how bad this is. It means around 90% of FADs are not up to date and contain known vulnerabilities. Or, if we are less demanding, 65% are obsolete. For me, that means one thing: never trust your Android smartphone or the Android smartphones of your friends. iOS (the operating system for Apple phones) is better but not perfect about security updates. I could not find the chart, but most devices are "up to date".

    Secondly, as manufacturers are mainly interested in profit or have to follow government rules, it appears that some devices track phone calls, contacts, data and phone usage.
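    A quick way to see where your own phone stands in the update picture above is its security patch level, which Android 6.0 and later expose as the property ro.build.version.security_patch (readable with adb when USB debugging is enabled). The script below is an added example, not part of the original post: it computes how many months old that patch level is and classifies the device. The thresholds (3 months for "current", 24 months for "unsupported", taken from the two-year update period mentioned above) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify an Android device by the
# age of its security patch level, e.g. "2018-08-05" as returned by
#   adb shell getprop ro.build.version.security_patch   (Android 6.0 and later)
# Thresholds are assumptions: up to 3 months old is "current", up to 24 months
# (the two-year update period the post mentions) is "stale", older is "unsupported".

# months_since YYYY-MM-DD YYYY-MM-DD -> whole months between the two dates
months_since() {
    _from="$1"; _to="$2"
    _fy=${_from%%-*}; _fm=${_from#*-}; _fm=${_fm%%-*}
    _ty=${_to%%-*};   _tm=${_to#*-};   _tm=${_tm%%-*}
    # strip a leading zero so that "08" is not read as an octal number
    _fm=${_fm#0}; _tm=${_tm#0}
    echo $(( (_ty - _fy) * 12 + (_tm - _fm) ))
}

# patch_status PATCH_LEVEL TODAY -> current | stale | unsupported
patch_status() {
    _age=$(months_since "$1" "$2")
    if [ "$_age" -le 3 ]; then
        echo current
    elif [ "$_age" -le 24 ]; then
        echo stale
    else
        echo unsupported
    fi
}

# read_patch_level -> the connected device's patch level, when adb is installed
read_patch_level() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# Constructed sample values, checked against the date the post was written:
# a phone patched last month, one patched early 2017, one last patched in 2015.
patch_status 2018-08-05 2018-09-04   # current
patch_status 2017-01-05 2018-09-04   # stale
patch_status 2015-11-01 2018-09-04   # unsupported
```

    With a real device, replace the sample values by `patch_status "$(read_patch_level)" "$(date +%Y-%m-%d)"`; a "stale" or "unsupported" result is the situation the paragraph above describes, where the only fix is a distribution that still receives updates.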

    Pros

    • Custom Android Distributions (CAD) generally provide a more recent Android version. That means better security, better performance, better features and better battery life.
    • CAD do not contain the manufacturer's features and tweaks. You are also free not to install the Google applications. That means no tracking features.
    • CAD generally add features which improve the management of your phone: for example, better tools to manage backups, updates or security. They often have features to manage privacy more precisely. Some applications are made by the maintainers and are free to install.
    • I do not know about the other distributions, but the LineageOS community provides a very good tutorial on how to install it on your smartphone. An example can be found here with the Galaxy S3.

    Cons

    • Replacing the Factory Android Distribution by one of your choice is not easy and requires time. You need to understand the different steps of the process and, broadly, how an Android operating system works. Contrary to what you might think, you will not develop anything at all. You also need to do a little analysis of what you will gain and lose, and you need to make the required backups. It took me approximately 12 hours to do it and have a fully operational mobile phone, even though I did not have a lot of knowledge about the process.
    • CAD do not contain the manufacturer's features and improvements. It could be positive, but it could also be negative: you could lose manufacturer tweaks and have worse performance. You will never know before trying.
    • Most of the time, unlocking the bootloader (a step required to replace your Android distribution) will void the warranty.
    • Some features may not work properly (high energy consumption, cameras which do not work, or even occasional crashes). However, it could be fixed in the next release, which LineageOS publishes each week. For example, I was without a front camera and GPS for one month.
    • Less stable than a FAD: the mobile phone may crash, and there is a higher chance of losing your data when updating. Fortunately, you also have a better tool to get it back, but it may not work every time.

    When to replace the factory Android distribution?


    For casual users or users who do not want a lot of issues,
    when your mobile phone is not updated anymore. When you are in this situation, it means your mobile phone is older than 2 years and the CAD should be quite stable. The tutorial should be quite complete, and issues should be known, fixed or have a workaround available.

    For expert users and experimental users,
    some months after the manufacturer releases the new phone. It should give the maintainers the time to develop a stable enough version for your phone. In case of issues, you should be able to roll back to the previous release on your own.

    Advice and warning about a mobile phone with CAD

    • Choose a fairly popular mobile phone. The more people use it, the more probable it is that a custom Android distribution will support it well. Fairly popular does not mean with a lot of hardware backdoors; you have some choices.
    • Do as little as possible with your phone. First of all, because the mobile environment is far more dangerous than the desktop environment: proprietary applications can literally siphon your data, track your location, use your camera and listen around you.

      Even if you are up to date with a recent phone, your mobile phone could be exploited to listen to what is around you, to locate you, or to film around you. Secondly, because you use a CAD, it means less stability; you should be ready for it.

    • Each custom Android distribution has its own purpose. Choose carefully the one you will install, considering stability, performance, security and maintainability.

    Conclusion

    You now have some arguments to make your decision.

    Sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

Host Firefox bookmarks with syncserver - French version

Written by Mirabellette / 21 may 2018 / 2 comments

Contrary to what was written, syncserver also hosts preferences, passwords, tabs, bookmarks, add-ons and history.

Introduction

To move forward with my digital independence project, I decided to host my Firefox bookmarks myself. I use the Firefox browser from the Mozilla foundation, and the foundation has published on GitHub the repository containing everything needed to host bookmarks. Syncserver only hosts the bookmarks; it does not handle authentication. This means that when using Syncserver, you will still authenticate with Firefox and then fetch the bookmarks from the server of your choice. To also manage the authentication process, you have to install Firefox Accounts Server.


Syncserver was rather painful to deploy, for two reasons. The first is that there is not much information about how it works or what it does, with a fairly rough GitHub repository. The second is that some basic pieces are missing, which makes deployment a bit tedious. Deploying Syncserver properly and writing this tutorial took me about 15 hours. In any case, it works now and you are able to read this article. I hope you will find it useful. :)

The GitHub repository is not very active: one release in 2018, 2017 and 2016, and two in 2015 and 2014. To follow updates, you can add the repository's link to your RSS aggregator. Judging by the past, updates should not be too frequent.

Configure Syncserver

  • The installation was done on Debian Stretch 9.1
  • To build the application, you must be able to connect to the internet or to a Python package repository in order to download all the dependencies listed in requirements.txt
  • Installing the dependencies

    adduser --system --shell /usr/sbin/nologin --no-create-home firefox
    apt-get install python-dev git-core python-virtualenv g++ sqlite
    cd /opt
    sudo -u firefox git clone https://github.com/mozilla-services/syncserver

    Basic configuration

    Syncserver's configuration is in the file syncserver.ini. You must modify it before building the application, otherwise the settings will not be taken into account. In syncserver.ini, you can modify the [server:main] section if needed; the default configuration works for that part. To make your life easier, I created an almost fully configured syncserver.ini. You can find it at this address here (a few changes are still needed).

    The parameter public_url. Change this parameter so that it matches the public URL through which Syncserver will be reached, even if it is a virtual machine or a container placed behind a reverse proxy.

    public_url = https://example.com

    The parameter sqluri. I decided to use a SQLite database to store the bookmarks because it is a database engine that is easy to back up. You can choose the database engine you want. Be careful: if you define none, the bookmarks will be stored in RAM and deleted when the machine restarts. To use a SQLite database, you must replace the line sqluri = sqlite:////tmp/syncserver.db with:

    sqluri = sqlite:////opt/syncserver/syncserver_data.db
    *//// means absolute path

    The parameter secret. It is strongly recommended to generate a secret key. This key is used for the authentication tokens. If you do not set it, Syncserver will generate this key itself at each start. The automatically generated key may be weak if little randomness is available. To generate a strong key, you can use the following command.

    head -c 20 /dev/urandom | sha1sum

    The parameter allowed_issuers. If you use the default authentication system, you can allow only Firefox's issuer, or your own if you have one available.

    allowed_issuers = api.accounts.firefox.com

    The parameter force_wsgi_environ. I configured the server behind an Apache2 reverse proxy. I made a few attempts with the value false but it did not work. I therefore opened an issue on the project's official GitHub repository. I was then advised to change the value to true, which worked for me.

    force_wsgi_environ = true

    Building and starting the application

    chown -R firefox:firefox /opt/syncserver
    cd /opt/syncserver
    sudo -H -u firefox make build
    sudo -H -u firefox make test

    After that, if you run the command sudo -u firefox make serve, you should see a few lines indicating that Syncserver started correctly and is listening on the default port (if that is the case). For information, you will see no text telling you whether the synchronization of your bookmarks works or not. Once syncserver has collected the bookmarks from your browser, you can edit syncserver.ini and change the parameter allowed_issuers = api.accounts.firefox.com to allowed_issuers = false, to be sure you are the only user of the software.

    Update

    After building the application, you should now see two directories: syncserver.egg-info and local. If you want to update Syncserver, remember to delete them.

    rm -r syncserver.egg-info
    rm -r local

    Apache2 virtualhost

    I created a basic reverse-proxy virtualhost with Apache2. It simply forwards the traffic to the IP address of your choice. You can find the script here. I did not need to configure it with wsgi because I forward all traffic directly to the Python daemon.

    Browser configuration

    The procedure varies a little depending on whether you use Firefox on a mobile or on a desktop computer. It may also not work for very old versions of the browser. I will only present the process for the desktop version. More information on configuring the other versions is available here

    • Enter "about:config" in the URL field of your browser


      You should see a warning screen; confirm your choice.


    • Search for the key named "identity.sync.tokenserver.uri". Double-click the line and replace the value assigned to this key with the value shown in the image and the text below.


      The value must have the following syntax: https://example.com/token/1.0/sync/1.5. Although the current version is 1.8, the path has kept the value token/1.0/sync/1.5 ... * in case of trouble, your browser's original value is the one shown in the image above: https://token.services.mozilla.com/1.0/sync/1.5

    • Sign out of your Firefox account, then restart Mozilla Firefox so that the changes are taken into account. Once the browser has restarted, sign in to your Firefox account again.

    Hardening the configuration and cleanup

    Locking down Syncserver

    As you can see, you can now save your bookmarks on the Syncserver of your choice. You will probably want to restrict access to Syncserver to yourself. To prevent someone else from saving their data on your Syncserver, you must edit syncserver.ini and set the parameter allow_new_users = false, delete the two directories syncserver.egg-info and local, and build the application once more.

    vim syncserver.ini
    rm -r syncserver.egg-info
    rm -r local
    sudo -u firefox make build

    Systemd script

    Surprisingly, no Systemd script is provided by the official repository. You can use the one I created here. You must put it in the /etc/systemd/system/ directory and run systemctl daemon-reload then systemctl enable syncserver.service to enable it. After that, Syncserver will start automatically each time the machine boots.

    Cleanup

    If you installed make and g++ to build the application, you can now remove them.

    apt purge make g++

    Of course, configure the firewall properly.

    Sources

    Social media

    If you found this article interesting, you can subscribe to the blog's RSS feed and follow me on Mastodon. As usual, if you think it could interest someone, you can share it with them.

    Host Firefox bookmarks with syncserver

    Written by Mirabellette / 01 may 2018 / 8 comments

    I received some requests to translate into French the article I wrote about hosting Firefox bookmarks with Syncserver. You can find the French version of this article here.

    Contrary to what was written, syncserver also hosts preferences, passwords, tabs, bookmarks (of course), addons, forms and history.

    Introduction

    In order to be more and more independent in my digital ecosystem, I decided to manage my bookmarks myself. I use the Mozilla Firefox browser, and Mozilla lets you run your own synchronization server. Syncserver only stores the synchronized data; it does not manage your Firefox account or the authentication mechanism. That could be done by installing Firefox Accounts Server, but it is not the purpose of this tutorial.


    It was pretty annoying to deploy because there is not a lot of information available, and it required me to do some basic things myself. It took me something like 10 or 15 hours to make this article. Anyway, it works now, you can read this tutorial, and I hope you will find it useful :)

    The GitHub repository isn't very active: one release in 2017 and 2016, two releases in 2015 and 2014. Just add the GitHub repository to your RSS aggregator to get news about updates. If we trust the past, they shouldn't happen very often.

    Configure the Firefox Synchronization Server

  • This setup was made on Debian Stretch
  • To build the application, you need to be able to access the internet or a Python package repository in order to download all the dependencies listed in requirements.txt
  • Dependencies

    adduser --system --shell /usr/sbin/nologin --no-create-home firefox
    apt-get install python-dev git-core python-virtualenv g++ sqlite
    cd /opt
    sudo -u firefox git clone https://github.com/mozilla-services/syncserver

    Basic configuration

    The server is configured using an .ini file that specifies various runtime settings; for this application the file is "syncserver.ini". There are some settings that you must specify before building the application. Feel free to adjust the [server:main] part to your configuration. You can find the final syncserver.ini file here (some adjustments are still required).

    The parameter public_url. You should modify it to match the public URL through which syncserver will be accessed. Even if you run it inside a container or a virtual machine, you have to set the public URL.

    public_url = https://example.com

    The parameter sqluri. I chose to use a SQLite database to store the bookmarks because it is easy to back up. Feel free to use the one you want and modify syncserver.ini accordingly. If you don't specify a SQL database, your bookmarks will be stored in RAM and lost each time you restart the server. Replace sqluri = sqlite:////tmp/syncserver.db with:

    sqluri = sqlite:////opt/syncserver/syncserver_data.db
    *//// means absolute path

    The parameter secret. It is better to generate a secret key for signing authentication tokens. If you don't, the server will generate one each time it starts, which could mean a weak key if the random generator seed isn't good enough. Uncomment the parameter and set its value to the result of the following command:

    head -c 20 /dev/urandom | sha1sum

    The parameter allowed_issuers. If you are using the account system offered by Mozilla Firefox, you may want to restrict access to just that domain, like so:

    allowed_issuers = api.accounts.firefox.com

    Don't forget to set it to false after the first successful synchronization, or everybody will be able to use your syncserver as a bookmarks server.

    The parameter force_wsgi_environ. I set up the server behind an Apache2 reverse proxy. I made some tries with false but it didn't work. I even opened an issue in the official GitHub repository. The only way to make it work was to set force_wsgi_environ to true.

    force_wsgi_environ = true

    Build

    Don't skip the configuration step or your syncserver will not work as expected. You should configure syncserver.ini BEFORE building the application; if you don't, the modifications made to syncserver.ini will not be read.

    chown -R firefox:firefox /opt/syncserver
    cd /opt/syncserver
    sudo -H -u firefox make build
    sudo -H -u firefox make test

    After that, if you run sudo -u firefox make serve, you should see some lines about syncserver listening. They can tell you if something went wrong.

    Update

    After building the application, you will see two new folders: syncserver.egg-info and local. You should delete them to be able to build the server again, for example for an update.

    rm -r syncserver.egg-info
    rm -r local

    Apache2 virtualhost

    I created a classic reverse-proxy Apache2 virtual host. It just forwards the traffic to the virtual machine's interface. You can find the script here.

    Configure your browser

    The procedure varies a little between desktop and mobile Firefox, and may not work on older versions of the browser. I will only describe the process for the desktop version of Firefox. Feel free to find more information here

    • Enter "about:config" in the URL bar.


      You should see this warning screen; confirm your choice to continue.


    • Search for "identity.sync.tokenserver.uri" as the name. Double-click on the line and replace the string with your public URL.


      The syntax should be like this: https://example.com/token/1.0/sync/1.5. The current version is 1.7 but the endpoint didn't change ... * the original one is the one displayed in the previous picture: https://token.services.mozilla.com/1.0/sync/1.5

    • Restart Firefox for the change to take effect.

    Note that this must be set prior to loading the sign-up or sign-in page in order to take effect, and its effect is reset on sign-out.

    Hardening and clean up

    Lock the instance for your own usage

    As you can see, you now use your own server to store your bookmarks. To prevent someone else from doing the same, set the parameter allow_new_users to false in syncserver.ini and build the application again.

    vim syncserver.ini
    rm -r syncserver.egg-info
    rm -r local
    sudo -u firefox make build
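    The configuration and lock-down steps above (and in the French version earlier on this page) are spread over several manual edits of syncserver.ini between builds. The script below is an added example, not code from the syncserver project or from the original article: it applies the same settings (public_url, sqluri, secret, force_wsgi_environ, allowed_issuers, allow_new_users) in one idempotent step, generates the secret only once so that already issued tokens stay valid, and checks that the instance is locked to its existing user. It assumes the file uses "key = value" lines under a [syncserver] section, that a disabled key may appear commented out as "#key = ...", and that [syncserver] is the last section of the file (new keys are appended at the end).

```shell
#!/bin/sh
# Added example (not from the syncserver project or the original article):
# apply and verify the syncserver.ini settings discussed above.
# Assumptions: "key = value" lines under [syncserver]; a disabled key may be
# present as "#key = ..."; [syncserver] is the last section, so a missing key
# can be appended at the end of the file.

# set_ini_key FILE KEY VALUE: replace an existing (possibly commented) line
# for KEY, or append the key if it is absent.
set_ini_key() {
    _file="$1"; _key="$2"; _value="$3"
    if grep -Eq "^[# ]*${_key}[[:space:]]*=" "$_file"; then
        sed -i -E "s|^[# ]*${_key}[[:space:]]*=.*|${_key} = ${_value}|" "$_file"
    else
        printf '%s = %s\n' "$_key" "$_value" >> "$_file"
    fi
}

# get_ini_key FILE KEY -> the active (uncommented) value, empty if none
get_ini_key() {
    sed -nE "s|^${2}[[:space:]]*=[[:space:]]*(.*)$|\1|p" "$1" | head -n 1
}

# new_secret -> 160 random bits, hex encoded (the same command the article uses)
new_secret() {
    head -c 20 /dev/urandom | sha1sum | cut -d ' ' -f 1
}

# configure_syncserver FILE PUBLIC_URL DB_PATH LOCKED
# LOCKED=false: first synchronization, trust Mozilla's account issuer.
# LOCKED=true: no new users, no issuer: only the account already synced can use it.
configure_syncserver() {
    _file="$1"; _url="$2"; _db="$3"; _locked="$4"
    set_ini_key "$_file" public_url "$_url"
    set_ini_key "$_file" sqluri "sqlite:///${_db}"   # sqlite:/// + absolute path
    set_ini_key "$_file" force_wsgi_environ true
    # generate the secret only once: a new one would invalidate issued tokens
    if [ -z "$(get_ini_key "$_file" secret)" ]; then
        set_ini_key "$_file" secret "$(new_secret)"
    fi
    if [ "$_locked" = true ]; then
        set_ini_key "$_file" allow_new_users false
        set_ini_key "$_file" allowed_issuers false
    else
        set_ini_key "$_file" allow_new_users true
        set_ini_key "$_file" allowed_issuers api.accounts.firefox.com
    fi
}

# check_locked FILE -> 0 when nobody else can register on this instance
check_locked() {
    [ "$(get_ini_key "$1" allow_new_users)" = false ] &&
    [ "$(get_ini_key "$1" allowed_issuers)" = false ] &&
    [ -n "$(get_ini_key "$1" secret)" ]
}

# Constructed sample resembling the upstream defaults, written to a temp file.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[server:main]
use = egg:gunicorn
host = 0.0.0.0
port = 5000

[syncserver]
public_url = http://localhost:5000/
#sqluri = sqlite:////tmp/syncserver.db
#secret = INSERT_SECRET_KEY_HERE
allow_new_users = false
force_wsgi_environ = false
EOF

# Before the first sync: open for one registration.
configure_syncserver "$SAMPLE_INI" https://example.com /opt/syncserver/syncserver_data.db false
# After the first successful sync: lock it down, then rebuild as shown above.
configure_syncserver "$SAMPLE_INI" https://example.com /opt/syncserver/syncserver_data.db true
check_locked "$SAMPLE_INI" && echo "syncserver.ini is locked down"
```

    On a real deployment, run it as the firefox user against /opt/syncserver/syncserver.ini, remove syncserver.egg-info and local, and run make build after each call, exactly as in the steps above; check_locked is the condition to re-verify after every update.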

    Systemd script

    Astonishingly, there is no Systemd script provided by the official tutorial. You can find the one I created here. You have to put it in /etc/systemd/system/ and execute systemctl daemon-reload then systemctl enable syncserver.service. It will start syncserver at each boot.

    Cleanup

    If you installed make and g++ just for building this application, feel free to remove them.

    apt purge make g++

    Of course, set up the firewall in the correct way.

    Sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

    Installing and configuring Ethercalc in a LXC container

    Written by Mirabellette / 09 february 2018 / no comments

    Disclaimer: Installing and configuring a server is not easy. It requires time, perseverance, money and knowledge. Don't forget that your server, Raspberry Pi or whatever else could be compromised and used, for example, against yourself or in a botnet (like Mirai).

    For years, I used an instance of Ethercalc hosted by Framasoft. EtherCalc is a web spreadsheet which can be used by multiple users. It is quite powerful and you can, for example, manage most of your accounting with it. If you want to know more, you can test Ethercalc here.

    If you want to give something back, feel free to make a little donation to Framasoft. They host a lot of very useful services and work to empower people. Even 10 (dollars, euros, whatever) could make a difference. You can also help by developing Ethercalc features or by fixing bugs.

    In order to understand and control the services I use, I decided to install an instance of Ethercalc. To give back to the community, I wrote this article to explain how I did it.

    System configuration:
    @host Debian Stretch (with Apache as reverse proxy)
    @installation_container Installation container (lxc)
    @production_container Production container (lxc)

    It is quite similar if you only have one environment.

    Advices

    • Test this tutorial in a local network which is not directly connected to the internet, i.e. protected by a firewall.
    • Use a dedicated machine to do all of your tests. A dedicated machine could be an unused computer, a virtual machine or a container. Be ready to reinstall your system; this could happen, especially when you begin with computer science.
    • I recommend using another Linux container to build an application. In general, you have to avoid installing compilers and building applications on a production machine. You must only have in production what is required to work, nothing more! This significantly reduces the risk of being hacked.
    • In a container, I copy everything I need into /opt. It helps me to easily administer the container because I know everything needed to run the application is stored there.
    • All variables that you have to change are prefixed with $; you have to remove the $ too.

    Let's get started!
    First of all, before installing Ethercalc, it is recommended to use a Redis server to manage Ethercalc data.

    Information

    All data stored by Redis is stored in clear. That means if someone is able to access the dump.rdb file, he will be able to read all the information stored in your Ethercalc. I didn't find a solution to encrypt Redis data, and it doesn't seem to have been developed yet.

    # @installation_container

    cd /opt
    apt install xz-utils gcc make tar
    wget http://download.redis.io/releases/redis-4.0.7.tar.gz
    tar xvf redis-4.0.7.tar.gz
    cd redis-4.0.7
    cd deps
    make hiredis jemalloc linenoise lua geohash-int
    cd ..
    make install

    cd /opt
    wget https://nodejs.org/dist/v8.9.4/node-v8.9.4-linux-x64.tar.xz
    tar xvf node-v8.9.4-linux-x64.tar.xz
    # temporary symbolic link so that the ethercalc script's shebang (#!/bin/node) resolves during the install
    ln -s /opt/node-v8.9.4-linux-x64/bin/node /bin/node
    # -g installs under /opt/node-v8.9.4-linux-x64/lib/node_modules, the path used below
    /opt/node-v8.9.4-linux-x64/bin/npm install -g ethercalc
    vim /opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc
    # replace the first line "#!/bin/node" by "#!/opt/node-v8.9.4-linux-x64/bin/node"
    # node does not need to be available system-wide now, so delete the symbolic link
    rm /bin/node

    mkdir -p /container_path/opt/redis-4.0.7
    cp /opt/redis-4.0.7/src/redis-server /container_path/opt/redis-4.0.7/
    cp -r /opt/node-v8.9.4-linux-x64/ /container_path/opt/node-v8.9.4-linux-x64/
    # you can move the original sources instead of just copying them

    We are going to configure Redis so that it stores Ethercalc's data where we want. As usual, I store everything I need in /opt.

    mkdir /container_path/opt/redis_data
    wget http://download.redis.io/redis-stable/redis.conf -O /container_path/opt/redis.conf
    # in /container_path/opt/redis.conf, replace "dir ./" by "dir /opt/redis_data" (the directory where dump.rdb is written)

    WARNING: Redis doesn't implement server-side encryption, which means that all your data is accessible to anyone who can read the dump.rdb file.

    Now, we will create two systemd scripts to start Ethercalc and Redis automatically each time the container starts. We also configure iptables so that the Redis server is not accessible from everywhere.

    # @production_container

    useradd redis
    useradd nodejs
    # we will now modify /etc/passwd in order to reduce the users' rights to the strict minimum:
    # no usable login shell (/bin/false) and a home under /opt
    vim /etc/passwd
    nodejs:x:1000:1000::/opt/node-v8.9.4-linux-x64/bin/node:/bin/false
    redis:x:1001:1001::/opt/redis-4.0.7/redis-server:/bin/false

    cd /opt/
    chown redis:redis -R redis*
    chown nodejs:nodejs -R node-v8.9.4-linux-x64/

    vim /etc/systemd/system/redis.service
    [Unit]
    Description=Redis
    After=network.target

    [Service]
    Type=simple
    ExecStart=/opt/redis-4.0.7/redis-server /opt/redis.conf
    RemainAfterExit=yes
    # Redis runs as its own unprivileged user: the files under /opt/redis* belong to redis
    User=redis
    Group=redis

    [Install]
    WantedBy=multi-user.target

    systemctl enable redis.service

    vim /etc/systemd/system/ethercalc.service
    [Unit]
    Description=Ethercalc
    After=network.target redis.service

    [Service]
    Type=simple
    ExecStart=/opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc --host $container_ip
    RemainAfterExit=yes
    User=nodejs
    Group=nodejs

    [Install]
    WantedBy=multi-user.target

    systemctl enable ethercalc.service
    # don't forget to replace $container_ip by the container's own interface address

    In order to have the iptables rules loaded automatically when the container starts, you have to install the package iptables-persistent. Of course, we will configure it so that only Ethercalc is accessible from outside.

    apt install iptables-persistent
    vim /etc/iptables/rules.v4
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT

    *filter
    :INPUT DROP [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    # only the host (the reverse proxy) may reach Ethercalc on port 8000
    -A INPUT -s $host_ip -p tcp --dport 8000 -j ACCEPT
    # replies to the container's own outgoing connections (apt cache, package downloads)
    -A INPUT -s $apt_cache_or_lxc_network -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    COMMIT
    # replace $host_ip by the host's address on the LXC bridge, and $apt_cache_or_lxc_network by the network you download packages from
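    The point of the rules file above is that nothing but Ethercalc on port 8000, and only from the host running the reverse proxy, is reachable inside the container; Redis stays on loopback. The script below is an added example, not from the original post: it renders the same rules.v4 from two variables and audits any rules file for the properties that matter (INPUT policy DROP, loopback allowed, every opened port limited to a source and to 8000, no state rule that accepts NEW connections). HOST_IP (the host's address on the LXC bridge) and LXC_NET (the bridge network used for package downloads) are assumed placeholders; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): render and audit the container's
# iptables-persistent rules. Assumptions: HOST_IP is the host's address on the
# LXC bridge (the reverse proxy), LXC_NET the bridge network used by apt.

# render_rules HOST_IP LXC_NET -> rules.v4 content on stdout
render_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s $1 -p tcp --dport 8000 -j ACCEPT
-A INPUT -s $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# audit_rules FILE -> 0 when the file keeps the container closed:
#   - the filter table's INPUT policy is DROP
#   - loopback is accepted (Redis, bound to 127.0.0.1 in the stock redis.conf, stays reachable)
#   - every --dport rule is limited to a source (-s) and opens only port 8000
#   - no conntrack rule accepts NEW connections
audit_rules() {
    _f="$1"
    sed -n '/^\*filter/,/^COMMIT/p' "$_f" | grep -q '^:INPUT DROP' ||
        { echo "filter INPUT policy is not DROP"; return 1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$_f" ||
        { echo "loopback not allowed"; return 1; }
    grep -- '--dport' "$_f" | grep -v -- '-s ' | grep -q . &&
        { echo "port rule without a source restriction"; return 1; }
    grep -- '--dport' "$_f" | grep -v -- '--dport 8000 ' | grep -q . &&
        { echo "port other than 8000 exposed"; return 1; }
    grep -- '--ctstate' "$_f" | grep -q 'NEW' &&
        { echo "NEW connections accepted by a state rule"; return 1; }
    return 0
}

# Constructed values for a local LXC bridge
RULES=$(mktemp)
render_rules 10.0.3.1 10.0.3.0/24 > "$RULES"
audit_rules "$RULES" && echo "rules.v4 OK: only Ethercalc:8000 from 10.0.3.1"
# Install step (as root in the container, after reviewing the file):
#   cp "$RULES" /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

    Running audit_rules against /etc/iptables/rules.v4 after every change catches the usual regression, a port opened "temporarily" for debugging without a source restriction.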

    Now we will configure the Apache2 reverse proxy. I chose not to use HTTPS between $host and $production_container. The main reason is that both of them are hosted on the same computer. If $production_container were somewhere else on the internet, you MUST configure the proxy to use HTTPS towards your container/virtual machine/whatever, or all your traffic will be sent in clear text on the network. I also added web authentication so that I am the only one who can access it. Feel free to replace $your_name by a name of your choice; you have to change it in the Apache2 configuration too. I will not explain how to deploy TLS on your web server; you can find a lot of tutorials on the internet.

    # @host
    # generate a password for $your_name
    htpasswd -c /etc/apache2/password_ethercalc $your_name

    # the virtualhost needs the ssl, proxy and proxy_http modules: a2enmod ssl proxy proxy_http
    vim /etc/apache2/sites-available/ethercalc.conf
    <VirtualHost *:443>
     ServerName www.example.com

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     # basic authentication on the whole site: only $your_name may reach Ethercalc
     <Location "/">
      AuthType Basic
      AuthName "Restricted Files"
      AuthBasicProvider file
      AuthUserFile "/etc/apache2/password_ethercalc"
      Require user $your_name
     </Location>

     SSLEngine on
     SSLCertificateFile /path/to/apache/crt
     SSLCertificateKeyFile /path/to/apache/key

     ProxyPass / "http://$container_ip:8000/"
     ProxyPassReverse / "http://$container_ip:8000/"
    </VirtualHost>

    ln -s /etc/apache2/sites-available/ethercalc.conf /etc/apache2/sites-enabled/ethercalc.conf
    service apache2 reload

    It took me hours to make this article. I hope you will find it useful and interesting. Don't hesitate to comment, even if it is about a mistake or something that could be improved.
    Thank you for reading.

    Sources

    Social media

    If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

    Searx 0.12 to 0.13.1 and configuration

    Written by Mirabellette / 18 december 2017 / no comments

    Hello everyone,

    I just upgraded Searx from version 0.12 to 0.13.1. The upgrade was quite easy; it took me around 30 minutes to upgrade it and to verify that everything was OK. If you followed the standard installation, you just have to follow the steps below to upgrade it:

    sudo -u searx -i
    cd /usr/local/searx
    mv searx/settings.yml searx/settings.yml.old   # keep your previous configuration
    git pull
    # copy your own settings from searx/settings.yml.old to searx/settings.yml
    rm searx/settings.yml.old   # not needed anymore
    virtualenv searx-ve
    . ./searx-ve/bin/activate
    pip install -r requirements.txt
    python setup.py install
    deactivate   # exit the virtualenv

    Now your application is upgraded, you just have to restart the service with:

    sudo /etc/init.d/uwsgi restart
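    The step "copy your own settings from settings.yml.old to settings.yml" is where an upgrade goes wrong: a customised value gets overwritten by the new default (the secret_key above all), or a new option goes unnoticed. The script below is an added example, not from the Searx project or the original post: it compares the saved settings.yml.old with the new default line by line, lists the lines to carry over and the new defaults to review, and flags a secret_key that is empty or still the upstream placeholder ("ultrasecretkey" in the searx default file). It assumes "key : value" lines in the searx layout, compared with their indentation so nested keys are not confused; the two sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the Searx project or the original post): compare the
# saved settings.yml.old with the new default settings.yml after "git pull".
# Assumption: "key : value" lines as in the searx layout; a "#" starts a comment.

# settings_lines FILE -> normalised, sorted "key : value" lines
# (comments, blank lines and trailing whitespace removed; indentation kept)
settings_lines() {
    sed -E -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' -e 's/[[:space:]]+$//' "$1" |
        LC_ALL=C sort
}

# settings_diff OLD NEW MODE
#   MODE=custom: lines only in OLD (your customisations to carry over)
#   MODE=added:  lines only in NEW (new or changed defaults to review)
settings_diff() {
    _o=$(mktemp); _n=$(mktemp)
    settings_lines "$1" > "$_o"; settings_lines "$2" > "$_n"
    case "$3" in
        custom) LC_ALL=C comm -23 "$_o" "$_n" ;;
        added)  LC_ALL=C comm -13 "$_o" "$_n" ;;
    esac
    rm -f "$_o" "$_n"
}

# secret_is_weak FILE -> 0 when secret_key is missing, empty or the placeholder
secret_is_weak() {
    _s=$(sed -nE 's/^[[:space:]]*secret_key[[:space:]]*:[[:space:]]*"?([^"#]*)"?.*$/\1/p' "$1" | head -n 1)
    _s=$(printf '%s' "$_s" | sed -E 's/[[:space:]]+$//')
    [ -z "$_s" ] || [ "$_s" = ultrasecretkey ]
}

# Constructed sample files: a customised old config and a new default that
# changes one default and adds one option.
OLD=$(mktemp); NEW=$(mktemp)
cat > "$OLD" <<'EOF'
general:
    debug : False
    instance_name : "my searx"
server:
    port : 8888
    secret_key : "d41d8cd98f00b204e9800998ecf8427e" # generated
    image_proxy : True
EOF
cat > "$NEW" <<'EOF'
general:
    debug : False
    instance_name : "searx"
server:
    port : 8888
    secret_key : "ultrasecretkey" # change this!
    image_proxy : False
    http_protocol_version : "1.0"
EOF

echo "== lines to carry over from settings.yml.old =="
settings_diff "$OLD" "$NEW" custom
echo "== new or changed defaults to review =="
settings_diff "$OLD" "$NEW" added
secret_is_weak "$NEW" && echo "the new default still carries the placeholder secret_key"
secret_is_weak "$OLD" || echo "settings.yml.old has a real secret_key: keep it"
```

    In the upgrade above, run it between "git pull" and "rm searx/settings.yml.old" as `settings_diff searx/settings.yml.old searx/settings.yml custom`, and do not restart uwsgi while `secret_is_weak searx/settings.yml` still succeeds.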

    I also enabled by default some search engines which respect privacy, like DuckDuckGo, Qwant, StartPage and Ixquick.

    I hope this article was useful for upgrading your version of Searx. I am aware of a captcha issue with Google; I am working on it.

    Have a nice day

    Social media

    If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.