
    Setup NodeBB on Fedora 33 with PostgreSQL and Nginx with HTTPS only

    • JaredBuschJ
      JaredBusch
      last edited by JaredBusch

      Setup NodeBB on Fedora 33 with PostgreSQL and Nginx with HTTPS only

      • Why PostgreSQL? Because screw Mongo licensing complexities.
      • As with many of my more recent guides, I'll be using environment variables.
        • Do not log out of your Console/SSH session until this is complete.

      Create a random password for PostgreSQL's admin user account

      export DB_ROOT_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"
      

      Database name to use for application

      export DB_NAME='nodebb'
      

      Database user to use for application

      export DB_USER='nbbuser'
      

      Generate a random password for the database user

      export DB_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"
      

      The location to install the application

      export APP_PATH='/opt/nodebb'
      

      The FQDN of the application

      export FQDN='community.domain.com'
      

      Path to the SSL certificates and key

      export SSL_KEY_PATH='/etc/pki/tls/private/cforigin.domain.com.key'
      export SSL_CERT_PATH='/etc/pki/tls/certs/cforigin.domain.com.pem'
      export SSL_CA_CERT_PATH='/etc/pki/tls/certs/cfchain.domain.com.pem'
      

      Dump the environment variables to a file in the current directory for later reference.

      cat >> setup.info << EOF
      PostgreSQL Database Name    : $DB_NAME
      Database User               : $DB_USER
      Database User Password      : $DB_PASS
      Database Root Password      : $DB_ROOT_PASS
      Application Path            : $APP_PATH
      FQDN                        : $FQDN
      SSL Certificate Path        : $SSL_CERT_PATH
      SSL Key Path                : $SSL_KEY_PATH
      SSL CA Certificate Path     : $SSL_CA_CERT_PATH
      EOF
      

      Update the Operating System

      sudo dnf upgrade -y --refresh
      

      These are tools I use on pretty much every Fedora instance

      • Configuration of them, if required, is not covered here.
      sudo dnf install -y nano sysstat glances htop dnf-automatic
      

      Install the packages required for PostgreSQL backed NodeBB

      sudo dnf install -y git nginx nodejs npm postgresql-server policycoreutils-python-utils
      

      Initialize the PostgreSQL database

      sudo /usr/bin/postgresql-setup initdb
      

      Enable and start the database

      sudo systemctl enable --now postgresql
      

      Enable and start Nginx to be the proxy

      sudo systemctl enable --now nginx
      

      Update the firewall to allow the needed connections

      sudo firewall-cmd --add-service=https --permanent
      sudo firewall-cmd --reload
      

      Tell SELinux to allow the webserver to connect to the local network

      sudo setsebool -P httpd_can_network_connect on
      

      Create user and database to be used by NodeBB

      • this spews an error about changing directories, but still creates.
        • Need to fix that. This is my first time scripting PostgreSQL
      sudo -u postgres psql -c "create user $DB_USER with encrypted password '$DB_PASS'"
      sudo -u postgres psql -c "create database $DB_NAME"
      sudo -u postgres psql -c "grant all privileges on database $DB_NAME to $DB_USER"
      

      Set a password for the admin user (postgres)

      sudo -u postgres psql -c "alter user postgres with password '$DB_ROOT_PASS'"
      

      Update PostgreSQL to use database user login information.

      sudo sed -i 's/ident$/md5/g' /var/lib/pgsql/data/pg_hba.conf
      

      Restart PostgreSQL

      sudo systemctl restart postgresql
      

      Create application directory.

      sudo mkdir -p $APP_PATH
      

      Download NodeBB

      • As of the creation of this guide, the current branch is v1.15.x
      • Update accordingly.
      sudo git clone -b v1.15.x https://github.com/NodeBB/NodeBB.git $APP_PATH
      

      Create the user account to run the application

      sudo adduser nodebb --system --create-home
      

      Set ownership to the user that will be running the application

      sudo chown -R nodebb:nodebb $APP_PATH
      

      Set up a strong Diffie-Hellman parameter

      sudo mkdir -p /etc/nginx/dhparam
      sudo openssl dhparam -outform PEM -out /etc/nginx/dhparam/dhparam.pem -2 2048
      

      Create the SSL certificate

      • You will need to prep these steps in a vscode window or something
      • You do not want to mess this up, or else Nginx will not start.
      sudo tee $SSL_CERT_PATH > /dev/null << EOF
      -----BEGIN CERTIFICATE-----
      Put everything from your CERTIFICATE file here...
      -----END CERTIFICATE-----
      EOF
      

      Create the SSL private key

      sudo tee $SSL_KEY_PATH > /dev/null << EOF
      -----BEGIN PRIVATE KEY-----
      Put everything from your KEY file here...
      -----END PRIVATE KEY-----
      EOF
      

      Create the SSL CA certificate chain

      sudo tee $SSL_CA_CERT_PATH > /dev/null << EOF
      -----BEGIN CERTIFICATE-----
      Put everything from your CA CERT CHAIN file here...
      -----END CERTIFICATE-----
      EOF
      

      Set the permissions of the SSL files.

      sudo chmod 644 $SSL_CA_CERT_PATH
      sudo chmod 644 $SSL_CERT_PATH
      sudo chmod 600 $SSL_KEY_PATH
      

      Set up the Nginx configuration file for the application.

      sudo tee /etc/nginx/conf.d/nodebb.conf > /dev/null << EOF
      server {
          # Based on Mozilla intermediate configuration https://ssl-config.mozilla.org/
          listen 443 ssl http2;
          listen [::]:443 ssl http2;
      
          server_name $FQDN;
      
          ssl_certificate $SSL_CERT_PATH;
          ssl_certificate_key $SSL_KEY_PATH;
      
          ssl_session_timeout 1d;
          ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
          ssl_session_tickets off;
      
          ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
      
          ssl_protocols TLSv1.2 TLSv1.3;
          ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
          ssl_prefer_server_ciphers off;
      
          # HSTS (ngx_http_headers_module is required) (63072000 seconds)
          add_header Strict-Transport-Security "max-age=63072000" always;
      
          # OCSP stapling
          ssl_stapling on;
          ssl_stapling_verify on;
      
          # verify chain of trust of OCSP response using Root CA and Intermediate certs
          ssl_trusted_certificate $SSL_CA_CERT_PATH;
      
          # replace with the IP address of your resolver
          resolver 1.1.1.1;
      
          location / {
              proxy_set_header X-Real-IP \$remote_addr;
              proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto \$scheme;
              proxy_set_header Host \$http_host;
              proxy_set_header X-NginX-Proxy true;
      
              proxy_pass http://127.0.0.1:4567;  # no trailing slash
              proxy_redirect off;
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade \$http_upgrade;
              proxy_set_header Connection "upgrade";
          }
      }
      EOF
      

      Restart Nginx

      sudo systemctl restart nginx
      

      Show the setup.info file with the Database passwords.

      • You will need to know the DB info, as it will be used in the setup wizard during the next step.
      cat setup.info
      

      Change to the directory that NodeBB was installed to and run the NodeBB setup wizard

      • Build fails if you try to execute from your home directory with the full path
      cd $APP_PATH
      sudo -u nodebb ./nodebb setup
      

      After you are all set up, you control it with the nodebb executable.

      sudo -u nodebb /opt/nodebb/nodebb stop
      sudo -u nodebb /opt/nodebb/nodebb start
      sudo -u nodebb /opt/nodebb/nodebb log
      
      1 Reply Last reply Reply Quote 3
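The following is an added example, not part of JaredBusch's post: a small shell audit for two results of the guide above, the `pg_hba.conf` auth methods after the `sed` edit and the permissions on files that hold secrets, such as `setup.info` and the TLS key. The function names and the sample file contents are constructed for illustration, and GNU `stat` and `sed` (as shipped on Fedora) are assumed.

```shell
#!/usr/bin/env bash
# Added example; every file written here is a constructed sample in a temp dir.

# Print "TYPE METHOD" for each active pg_hba.conf rule. "local" rules have no
# address column; host rules carry either ADDRESS (CIDR or name) or ADDRESS MASK.
hba_methods() {
  awk '/^[ \t]*(#|$)/ { next }
       $1 == "local"  { print $1, $4; next }
       $4 !~ /\// && ($4 ~ /^[0-9.]+$/ || $4 ~ /:/) { print $1, $6; next }
                      { print $1, $5 }' "$1"
}

# Succeed when FILE grants any permission bit to group or other (GNU stat).
group_or_other_can_access() {
  _mode=$(stat -c '%a' "$1") || return 2
  [ $(( 0$_mode & 077 )) -ne 0 ]
}

# Write a Fedora-style pg_hba.conf as it looks before the guide's sed edit.
make_sample_hba() {
  cat > "$1" << 'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   ident
host    all       all   ::1/128        ident
EOF
}

audit_demo() {
  _dir=$(mktemp -d) || return 1
  make_sample_hba "$_dir/pg_hba.conf"
  sed -i 's/ident$/md5/g' "$_dir/pg_hba.conf"   # the guide's exact edit
  hba_methods "$_dir/pg_hba.conf"
  # A secrets file created under a common 022 umask versus under 077.
  ( umask 022; echo 'Database User Password : sample-only' > "$_dir/open.info" )
  ( umask 077; echo 'Database User Password : sample-only' > "$_dir/tight.info" )
  for _f in open.info tight.info; do
    if group_or_other_can_access "$_dir/$_f"; then
      echo "$_f: readable beyond owner"
    else
      echo "$_f: owner only"
    fi
  done
  rm -rf "$_dir"
}

audit_demo
```

On a real host, point `hba_methods` at `/var/lib/pgsql/data/pg_hba.conf` and `group_or_other_can_access` at `setup.info` and `$SSL_KEY_PATH`. The `local ... peer` rule is untouched by the `sed` edit, which is why `sudo -u postgres psql` keeps working after the host rules switch to `md5`.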
      • JaredBuschJ
        JaredBusch
        last edited by JaredBusch

        Once you have NodeBB up and running, you will likely want to set it up to start on boot.

        The best way to handle this is to create a systemd service in order to manage it just like any other service on the system.

        The documentation pretty much nails it.
        https://docs.nodebb.org/configuring/running/#systemd

        This file matches this guide.

        sudo tee /etc/systemd/system/nodebb.service > /dev/null << EOF
        [Unit]
        Description=NodeBB
        Documentation=https://docs.nodebb.org
        # Unit names listed in After= need their type suffix
        After=system.slice multi-user.target postgresql.service
        
        [Service]
        Type=forking
        User=nodebb
        
        StandardOutput=syslog
        StandardError=syslog
        SyslogIdentifier=nodebb
        
        WorkingDirectory=/opt/nodebb
        ExecStart=/usr/bin/env node loader.js
        Restart=always
        
        [Install]
        WantedBy=multi-user.target
        EOF
        

        Now you can control things with normal systemd commands.

        First, if you manually started NodeBB, stop it.

        sudo -u nodebb /opt/nodebb/nodebb stop
        

        Now control it with normal systemctl commands

        sudo systemctl start nodebb
        sudo systemctl stop nodebb
        sudo systemctl enable nodebb
        sudo systemctl status nodebb
        
        • JaredBuschJ
          JaredBusch
          last edited by

          When you are done, you should have a working system.
          • JaredBuschJ
            JaredBusch
            last edited by

            As could be inferred, I am using the Cloudflare origin certificate.

            But Cloudflare is not a requirement. Get your SSL however you want, just update those variables appropriately, or fix the Nginx config file manually.

            • JaredBuschJ
              JaredBusch
              last edited by

              When you execute the psql commands, it complains about changing directory to the current user, but still works.
              • JaredBuschJ
                JaredBusch
                last edited by

                Updated post 2 with instructions for using systemd to control the service
                https://www.mangolassi.it/topic/22497/setup-nodebb-on-fedora-33-with-postgresql-and-nginx-with-https-only/2

                • JaredBuschJ
                  JaredBusch
                  last edited by

                  A simplified version of this guide just got merged into the official docs.
                  • gotwfG
                    gotwf
                    last edited by

                    @JaredBusch So... now that you've had this up and running for a while, care to report on how that is going? Inquiring minds are curious. Particularly w.r.t. resource utilization comparison, performance differences, etc. comparatively. I think you were on Mongo previously, correct? Cuz I am right there with you on the license bullshit. All it takes is one bump in the road, merger, and wham, history repeats and next major version changes license again - only this time to something closed. Have no interest in betting on community to fork and continue. Need a safer bet. It would appear that percona may have already done so w/their percona mongodb offering but I wonder if that would continue as a full fork if/when upstream became closed source.

                    TIA-- o/

                    • JaredBuschJ
                      JaredBusch @gotwf
                      last edited by

                      @gotwf said in Setup NodeBB on Fedora 33 with PostgreSQL and Nginx with HTTPS only:

                      @JaredBusch So... now that you've had this up and running for a while, care to report on how that is going? Inquiring minds are curious. Particularly w.r.t. resource utilization comparison, performance differences, etc. comparatively. I think you were on Mongo previously, correct? Cuz I am right there with you on the license bullshit. All it takes is one bump in the road, merger, and wham, history repeats and next major version changes license again - only this time to something closed. Have no interest in betting on community to fork and continue. Need a safer bet. It would appear that percona may have already done so w/their percona mongodb offering but I wonder if that would continue as a full fork if/when upstream became closed source.

                      TIA-- o/

                      Well, 2 years in, I do not run any NodeBB instances with heavy traffic so performance is not even something I look at. I have like 5 of these running for tiny personal projects that people I know have asked for my help with.
