
Combine Art and Sciences

Blogs transferred from: blog.csdn.net/sonictl


Secure the Node.js app transmissions with SSL

1. Make the simplest socket.io app

ref: https://socket.io/get-started/chat/

Basic Node.js app:

  • use the Node.js web framework express to serve the HTML to the client end.
  • create a package.json manifest file that describes the project.
  • npm install express@4.15.2 (the release pinned by the tutorial is old; prefer a current one and run npm audit).
  • create an index.js file that sets up the application; at this stage it serves the "Hello world" HTML content.
  • create an index.html file and modify index.js to serve index.html.

Add socket.io:

socket.io has a server end (socket.io) and a client end (socket.io-client).

  • install: npm install socket.io
  • in index.js, initialize a new instance of socket.io by passing it the http object (the HTTP server).
  • listen on the connection event for incoming sockets and log each one to the console.
  • in index.html, load the socket.io-client script and add the snippet var socket = io();

Emitting events:

Send and receive any events we want, with any data. Any object that can be encoded as JSON will do, and binary data is supported too.

  • in index.html, add the emitting code so the user's input is sent to the server as a chat message event.
  • in index.js, print out the chat message event.

Broadcasting:

  • send the message to everyone, including the sender: io.emit('chat message', msg);
  • in the client, capture the chat message event: socket.on('chat message', function(msg){ ...
For more details see the chat tutorial: https://socket.io/get-started/chat/

2. Use nginx as the web server to make the Node.js app accessible

Although Caddy is the more convenient server for HTTPS and automatic certificate issuance, nginx is still the more widely used solution for web services.
ref: https://www.sitepoint.com/configuring-nginx-ssl-node-js/

Configure nginx to front the Node.js service on port 3000

Edit the nginx.conf file and add a server block:
server {
  listen       80;
  server_name  <your_domain_name>;

  location / {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

The location / block tells nginx what to do with any incoming request. We use proxy_pass to point to our Node.js application, which is running at http://localhost:3000 in this case; the Upgrade and Connection headers let the WebSocket connections that socket.io opens pass through the proxy. Note that this only puts nginx in front of the app: unless the Node.js process listens on 127.0.0.1 only (or port 3000 is blocked by the firewall), clients can still reach it directly on port 3000 and bypass whatever nginx adds later, including TLS.

3. Secure the Node.js app with HTTPS

Obtain a certificate with certbot (the output below is from certbot-auto; its closing lines tell you how to renew). It reports where the certificate chain and the private key are saved; keep privkey.pem readable by root only.
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<yourdomain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<yourdomain>/privkey.pem
   Your cert will expire on 2020-01-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
  • Point the server block's ssl_certificate and ssl_certificate_key at the fullchain.pem and privkey.pem above (the certbot nginx plugin edits the block for you), then restart the nginx service to enable SSL.
    Note: HTTPS uses port 443 by default. Check which ports are in use with netstat -tulnp. If 443 is occupied, change the listen port to another one and specify it in the browser, e.g. https://your_domain.com:port_num
    The transmission should now be secured.
    Tip: you may need a simple CLI tool for ensuring that the Node.js script keeps running continuously (i.e. forever).
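Sections 2 and 3 describe the proxy and the certificate but never show the finished server block, and section 4 below only links to a reference. The configuration here is an added example, not from the original post or from the sitepoint/certbot references: it terminates TLS for the Node.js app on port 3000 and passes the socket.io WebSocket upgrade through, so a page loaded over https talks to socket.io over wss through the same location. <your_domain_name> and the /etc/letsencrypt/live/<your_domain_name>/ paths follow the certbot output above; the /var/www/letsencrypt webroot, the X-Forwarded-* headers and the HSTS max-age are my choices.

```nginx
# Redirect every plaintext request to HTTPS. Keeping /.well-known/acme-challenge
# reachable on port 80 lets certbot renewals keep working after the redirect.
server {
    listen 80;
    server_name <your_domain_name>;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot for certbot; any directory nginx can read
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name <your_domain_name>;

    # Paths reported by certbot. fullchain.pem (not cert.pem) so clients get the intermediate CA.
    ssl_certificate     /etc/letsencrypt/live/<your_domain_name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<your_domain_name>/privkey.pem;

    # Drop legacy protocol versions; let modern clients pick the cipher.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Tell browsers to use HTTPS only for this host (start with a short max-age, raise it once stable).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The Node app must listen on 127.0.0.1 so it is reachable only through nginx.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # WebSocket upgrade for socket.io; without these the client silently falls back to polling.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets the app know the client used HTTPS
        proxy_cache_bypass $http_upgrade;

        proxy_read_timeout 86400s;   # keep idle WebSocket connections open
    }
}
```

Validate with nginx -t before reloading. On the Node side, bind the HTTP server to the loopback address (http.listen(3000, '127.0.0.1')) so port 3000 cannot be reached directly, and since the app uses express, set app.set('trust proxy', 'loopback') so req.secure reflects the X-Forwarded-Proto header nginx sets. The socket.io client's io() with no argument connects to the page's own origin, so once index.html is served over https the socket is wss through this same location block.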

4. Secure the socket.io

ref: node-js-socket-io-with-ssl

5. Bonus: streaming binary data using socket.io

ref: streaming binary data using socket-io

6. Bonus: request-response illustration figure


Read more about nginx configuration:

1. install multiple domains on an nginx server (Debian or Ubuntu):

https://linuxhint.com/install-multiple-domains-nginx-server/

2. revoke certificates

https://bbs.huaweicloud.com/blogs/124303 (in Chinese)

3. handle multiple domains under nginx:

# How To Set Up Nginx Server Blocks on CentOS 7

===========
This article shows:

  1. deploy web via nginx
  2. multiple domains with nginx
  3. configure SSL + nginx to offer https service

OS: CentOS 7 (Linux)
check centos version:
# rpm -q centos-release

===========
preparations:
your source files for web
your domain name: urdomain1.com; urdomain2.com

===========

  1. install nginx
    # yum install nginx

  2. configure the firewall
    This depends on the firewall software installed on the system.
    On CentOS, check the status:
    # sudo systemctl status firewalld

My firewalld is active. If yours is active too, the http and https services must be allowed through it; ref: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8

  3. configure the file system
    Multiple domains require multiple directories: create one directory per domain to serve its content.
    The -p flag is needed to create the parent directories.
  # mkdir -p /var/www/urdomain1.com/html
  # mkdir -p /var/www/urdomain2.com/html
  4. assign ownership of the directories to the deploy user (not to the nginx worker user, which only needs read access)
  # echo $USER
  # sudo chown -R $USER:$USER /var/www/urdomain1.com/html
  # sudo chown -R $USER:$USER /var/www/urdomain2.com/html

Change the permissions of the directories (755 lets nginx traverse and read them while only the owner can write):

  # sudo chmod -R 755 /var/www/urdomain1.com/html
  # sudo chmod -R 755 /var/www/urdomain2.com/html
  5. put the index.html into the dirs created in the last step

  6. Create New Server Block Files
    Server block files specify the configuration of our separate sites and dictate how the Nginx web server will respond to various domain requests.

To begin, we will need to set up the directory that our server blocks will be stored in, as well as the directory that tells Nginx that a server block is ready to serve to visitors. The sites-available directory will keep all of our server block files, while the sites-enabled directory will hold symbolic links to server blocks that we want to publish. We can make both directories by typing:

  # mkdir /etc/nginx/sites-available
  # mkdir /etc/nginx/sites-enabled

Next, we should tell Nginx to look for server blocks in the sites-enabled directory. To accomplish this, we will edit Nginx’s main configuration file and add a line declaring an optional directory for additional configuration files:

  # sudo nano /etc/nginx/nginx.conf

Add these lines to the end of the http {} block:

    include /etc/nginx/sites-enabled/*.conf;
    server_names_hash_bucket_size 64;
  7. Create the First Server Block File:
   sudo cp /etc/nginx/conf.d/default.conf /etc/nginx/sites-available/urdomain1.com.conf
   sudo nano /etc/nginx/sites-available/urdomain1.com.conf
server {
    listen  80;

    server_name urdomain1.com;

    location / {
        root  /var/www/urdomain1.com/html;
        index  index.html index.htm;
        try_files $uri $uri/ =404;
    }

    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
        root  /usr/share/nginx/html;
    }
}
  8. Enable the New Server Block Files:
    Create urdomain2.com.conf the same way (with its own server_name and root), then link both into sites-enabled and restart nginx (run nginx -t first to validate the syntax, so a typo in one file does not take every site down):
  ln -s /etc/nginx/sites-available/urdomain1.com.conf /etc/nginx/sites-enabled/urdomain1.com.conf
  ln -s /etc/nginx/sites-available/urdomain2.com.conf /etc/nginx/sites-enabled/urdomain2.com.conf

  sudo systemctl restart nginx
  9. configure DNS
    Go to your DNS provider's settings and add records for urdomain1.com and urdomain2.com pointing at the server.
    If testing locally, use the hosts file instead:
    sudo nano /etc/hosts

add the lines below:

  127.0.0.1 urdomain1.com
  127.0.0.1 urdomain2.com

then restart nginx and confirm it is listening:
   # systemctl restart nginx
   # netstat -tulnp
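The steps above (web root, ownership, permissions, server block, symlink, restart) are done by hand for each domain. The script below is an added example, not from the original post or the DigitalOcean tutorial, that performs the same steps for any number of domains. NGINX_ROOT and WEB_ROOT are parameters of my own so the script can be exercised in a scratch directory before it touches /etc/nginx; the www. alias, the 644 file mode and the nginx -t guard are my additions to the procedure.

```shell
#!/bin/sh
# Added example: per-domain web root + nginx server block, as in the steps above.
set -eu

NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"     # assumed layout: sites-available/ and sites-enabled/ under it
WEB_ROOT="${WEB_ROOT:-/var/www}"
SITE_OWNER="${SITE_OWNER:-$(id -un)}"      # deploy user; deliberately NOT the nginx worker user
SITE_GROUP="${SITE_GROUP:-$(id -gn)}"

# make_site DOMAIN: create the web root and write sites-available/DOMAIN.conf
make_site() {
    domain="$1"
    docroot="$WEB_ROOT/$domain/html"
    conf="$NGINX_ROOT/sites-available/$domain.conf"

    mkdir -p "$docroot" "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled"
    [ -f "$docroot/index.html" ] || printf '<h1>%s</h1>\n' "$domain" > "$docroot/index.html"

    # Owner writes, nginx only reads: 755 on directories, 644 on files.
    chown -R "$SITE_OWNER:$SITE_GROUP" "$WEB_ROOT/$domain"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +

    cat > "$conf" <<EOF
server {
    listen 80;
    server_name $domain www.$domain;

    root $docroot;
    index index.html index.htm;

    location / {
        try_files \$uri \$uri/ =404;   # no directory listing, no fall-through to other handlers
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
EOF
}

# enable_site DOMAIN: publish the block by linking it into sites-enabled (idempotent)
enable_site() {
    ln -sfn "$NGINX_ROOT/sites-available/$1.conf" "$NGINX_ROOT/sites-enabled/$1.conf"
}

# reload_nginx: validate the whole configuration before reloading so a typo never takes the server down
reload_nginx() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && systemctl reload nginx
    else
        echo "nginx is not installed here; skipping reload" >&2
    fi
}

# Usage: NGINX_ROOT=/etc/nginx WEB_ROOT=/var/www ./sites.sh urdomain1.com urdomain2.com
for d in "$@"; do
    make_site "$d"
    enable_site "$d"
done
[ "$#" -eq 0 ] || reload_nginx
```

Run it once with NGINX_ROOT and WEB_ROOT pointed at a temporary directory and inspect the generated .conf files before running it against the real paths as root; the include line added to nginx.conf earlier (include /etc/nginx/sites-enabled/*.conf;) is what makes the symlinked blocks active.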

10. Secure Nginx with Let's Encrypt on CentOS 7

Installing the Certbot Let’s Encrypt Client

  yum install epel-release

  yum install certbot-nginx

Setting up Nginx (skip this if you have already done it)

 yum install nginx
 systemctl start nginx
 vi /etc/nginx/nginx.conf

follow the ref link

Updating the Firewall

follow the ref link

Obtaining a Certificate

  certbot --nginx -d example.com -d www.example.com -d yourdomain.com

Each -d names a domain the certificate must cover; every one of them has to resolve to this server and be served by an nginx server block, because the nginx plugin uses those blocks both to answer the validation challenge and to install the certificate.

Updating Diffie-Hellman Parameters

Covered in the ref link: generate your own group with openssl dhparam and reference it from the server block with ssl_dhparam, so DHE key exchanges do not rely on a small or shared group.

Setting Up Auto Renewal

Let’s Encrypt’s certificates are only valid for 90 days, so set up a regularly run command that checks them and renews any that are close to expiry.

Use cron, the standard system service for running periodic jobs. Tell cron what to do by opening and editing a file called a crontab:

sudo crontab -e

Your text editor will open the default crontab, which is an empty file at this point. Paste in the following line, then save and close it:

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.

The renew command checks all certificates installed on the system and renews any that are due to expire in less than thirty days. --quiet tells Certbot not to output information or wait for user input.

cron will now run this command daily, so every installed certificate is renewed once it has thirty days or less left. When the certificate was obtained with the --nginx installer, certbot also reloads nginx after a renewal; for a certificate obtained with certonly, add --deploy-hook "systemctl reload nginx" to the renew command, otherwise nginx keeps serving the old certificate until it is reloaded.
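A cron entry that runs quietly can also fail quietly. The script below is an added example, not from the original post or the DigitalOcean tutorial, of the checks a practitioner runs next to certbot renew: how many days a certificate has left, whether it is inside certbot's 30-day renewal window, and whether the certificate nginx actually presents on port 443 is the one on disk (the usual symptom of a renewal that was never followed by a reload). The /etc/letsencrypt/live/DOMAIN/fullchain.pem path and the nginx service name follow the certbot output earlier on this page; the function names and the cert_days_left dependency on GNU date are my own.

```shell
#!/bin/sh
# Added example: certificate checks to run alongside "certbot renew".
set -eu

# cert_needs_renewal FILE DAYS -> exit 0 when FILE expires within DAYS days (or cannot be read).
# "openssl x509 -checkend" exits 1 when the certificate expires within the given seconds.
cert_needs_renewal() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 && return 1
    return 0
}

# cert_days_left FILE -> prints whole days until notAfter (negative once expired).
# Uses GNU date -d, which understands OpenSSL's "Mon DD HH:MM:SS YYYY GMT" format.
cert_days_left() {
    not_after=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end=$(date -u -d "$not_after" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# served_cert_matches FILE HOST [PORT] -> exit 0 when the leaf certificate presented by
# HOST:PORT has the same SHA-256 fingerprint as FILE. Needs network access to HOST.
served_cert_matches() {
    disk=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    live=$(printf '' | openssl s_client -servername "$2" -connect "$2:${3:-443}" 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
    [ "$disk" = "$live" ]
}

# check_domain DOMAIN: summary suitable for a daily cron job next to "certbot renew".
check_domain() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    echo "$1: $(cert_days_left "$cert") days left"
    if cert_needs_renewal "$cert" 30; then
        # Same window as certbot's own policy; the deploy hook makes nginx pick up the new files.
        certbot renew --quiet --deploy-hook "systemctl reload nginx"
    fi
    served_cert_matches "$cert" "$1" \
        || echo "WARNING: $1 presents a different certificate than $cert (reload nginx?)" >&2
}

# Usage: ./certcheck.sh urdomain1.com urdomain2.com
if [ "$#" -gt 0 ]; then
    for d in "$@"; do check_domain "$d"; done
fi
```

Run it from the same crontab a few minutes after the renew job; a domain that keeps printing a falling day count, or the fingerprint warning, means the renewal or the reload is not happening and needs a look before the 90 days run out.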

How To Secure Nginx with Let's Encrypt on CentOS 7

ref: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7

How To Set Up a Node.js Application for Production on CentOS 7

ref: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-node-js-application-for-production-on-centos-7

YourQuestion:

https://www.digitalocean.com/community/tutorials?q=yourQuestion

Replace yourQuestion in the URL above with your own question and digitalocean.com will teach you well.


posted on 2020-03-20 20:41 by sonictl (568 reads, 0 comments)