path: root/articles/2023-02-13-new-website-using-gnix.md
Diffstat (limited to 'articles/2023-02-13-new-website-using-gnix.md')
-rw-r--r--articles/2023-02-13-new-website-using-gnix.md102
1 files changed, 102 insertions, 0 deletions
diff --git a/articles/2023-02-13-new-website-using-gnix.md b/articles/2023-02-13-new-website-using-gnix.md
new file mode 100644
index 0000000..c919ad7
--- /dev/null
+++ b/articles/2023-02-13-new-website-using-gnix.md
@@ -0,0 +1,102 @@
+# New Website and gnix
+
+_fixme: probably contains a lot of errors, shouldn't have written this late_
+
+Last weekend I started a new attempt writing a reverse proxy: This time, with
+success! I have been able to finally replace nginx for all services.
+Additionally I now have a wildcard TLS certificate for all of
+`*.metamuffin.org`.
+
+The cgit instance is no longer available since it used CGI, which gnix does not
+support nor I like.
+
+## The reverse-proxy
+
+Nginx was not optimal because I found it was hard to configure, required certbot
+automatically chaning the config and was also just _too much_ for my use case.
+(Who needs a http server that can also serve SMTP?!)
+
+My new solution ([gnix](https://codeberg.org/metamuffin/gnix)) has very limited
+configuration abilities for now but just enough to work. I simplified about 540
+lines of `/etc/nginx/nginx.conf` to only 20 lines of `/etc/gnix.toml` (yesss.
+TOML. of course it is.). The Proxy now only acts as a "Hostname Demultiplexer".
+A configuration could look like this:
+
+```toml
+[http]
+bind = "0.0.0.0:80"
+
+[https]
+bind = "0.0.0.0:443"
+tls_cert = "/path/to/cert.pem"
+tls_key = "/path/to/key.pem"
+
+[hosts]
+"domain.tld" = { backend = "127.0.0.1:18000" }
+"www.domain.tld" = { backend = "127.0.0.1:18000" }
+"keksmeet.domain.tld" = { backend = "127.0.0.1:18001" }
+"otherdomain.tld" = { backend = "example.org:80" }
+```
+
+I am running two gnix instances now, one for `:80`+`:443` and another for matrix
+federation on `:8448`. Additionally this required me to move my matrix
+homeserver from `https://metamuffin.org/_matrix` to
+`https://matrix.metamuffin.org/_matrix` via the `.well-known/matrix/server`
+file. And that intern required me to host a file there, which was nginx' job
+previously. At this point I started rewriting my main website.
+
+## Wildcard Certificates
+
+Another inconvinience was that I would need `certbot` to aquire one certificate
+for each subdomain. Letsencrypt offers wildcard certificates; These can be
+obtained by solving a ACME challenge that requires changing DNS record (to prove
+you own the domain). My current registrar (Namecheap) does not offer me an API
+for automatically applying these though. They do however (through a very very
+confusing, badly designed user interface) allow me to set a custom nameserver.
+By setting the nameserver to `144.91.114.82` (IP address of my VPS) the server
+can run its own nameserver that has authority over resolving `metamuffin.org`. I
+used BIND9's `named` to do that and also dynamically update records.
+
+```conf
+# /etc/named.conf (-rw-------; owned by named)
+zone "metamuffin.org" IN {
+ type master;
+ # the zone file is trivial to configure, look it up somewhere else. :)
+ file "metamuffin.org.zone";
+ update-policy {
+ # only allow certbot to change TXT records of _acme-challenge.metamuffin.org
+ grant certbot. name _acme-challenge.metamuffin.org. TXT;
+ };
+};
+
+# generated with `tsig-keygen -a HMAC-SHA512 -n HOST certbot`
+key "certbot" {
+ algorithm hmac-sha512;
+ secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
+}
+```
+
+Then certbot can be configured to use these credentials for solving challenges:
+
+```ini
+# /etc/certbot/rfc2136.ini (-rw-------; owned by root)
+dns_rfc2136_server = 127.0.0.1
+dns_rfc2136_port = 53
+dns_rfc2136_name = certbot
+dns_rfc2136_secret = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+dns_rfc2136_algorithm = HMAC-SHA512
+```
+
+Now you can automatically request new wildcard certificates by running
+`doas certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d '*.domain.tld' -d 'domain.tld' --server https://acme-v02.api.letsencrypt.org/directory`
+
+## Rewrite of my website
+
+As mentioned above, I replace my former Deno + pug.js + static file server setup
+with a custom rust application (using Rocket and Markup and 253 other
+dependencies). I rewrote my blog rendering system too, that why you don't see
+syntax highlighting right now.
+
+## End
+
+In case of questions, ask me. Have fun suffering with the modern web!
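Review bot: the `key "certbot"` block in the `/etc/named.conf` example is missing the statement terminator on `secret "XXXX..."`; every statement inside a named.conf block needs a trailing `;`, so as written `named` will refuse to load this file. Change it to `secret "XXXXXXXX...";`. Two smaller points in the same region: the credentials file is introduced as `/etc/certbot/rfc2136.ini` but the `doas certbot certonly ...` command passes `--dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini`, so one of the two paths should be corrected to match; and since this `named` is now the sole public authority for `metamuffin.org`, the zone block would benefit from an explicit `allow-transfer { none; };` (or a list of secondaries) next to the `update-policy`, so that the only write path into the zone is the TSIG-scoped `_acme-challenge` grant and the zone contents are not handed out to arbitrary AXFR requests.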