Skip to content

Latest commit

 

History

History
517 lines (376 loc) · 13.7 KB

README.md

File metadata and controls

517 lines (376 loc) · 13.7 KB

Nostr relay Setup on AWS

Intro

This is a step-by-step, complete guide on how to set up a Nostr relay with Nginx reverse proxy, SSL/TSL with some extra info on how to control and administer it. And no, there is no way you can do that properly in "5 minutes" The steps are based mostly on Amazon AWS EC2 instance but it can be easily applied to any other VPS provider like DigitalOcean, OVH, Linode etc... It will use nostr-rs-relay, a Rust implementation that uses SQLite database.

Requirements

  • AWS account with some cash on it OR
    • any other cloud/VPS provider will do, just change this steps accordingly
  • root privileges
  • a domain you own and can set DNS records
    • in this guide we'll pretend is nostr.domainname.com

Please note: Unless otherwise specified all commands are executed as root.

Ec2 rollout

  • Pick your EC2 instance, for example:
    • t3micro - 2vCPU - 1GiB Ram - 8Gib HD
    • x86
    • Linux Ubuntu
  • If on AWS:
    • generate and store the keypair and store it
    • select/create a security group that allows ssh, http, https
    • launch the instance
    • connect to the instance with ssh (ex:)
ssh -i your-key.pem ubuntu@ec2-X-XXX-XXX-XXX.eu-central-1.compute.amazonaws.com
  • otherwise: (DigitalOcean, OVH...)
    • get means to access the VPS via ssh
    • check with your provider or manually setup the firewall (iptables, ufw...)
    • connect to the instance with ssh

Domain DNS configuration

Go to your Domain/DNS provider and use one of the following options:

  1. create a CNAME record that points to the public DNS of your EC2/VPS or
  2. create a A record entry that points to the public IP of your VPS

Installation Steps

Perform the updates

apt-get update
apt-get upgrade -y

Install rust tools (press 1 when asked)

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source /root/.cargo/env

Check that rust is installed and in your path

rustc --version
cargo --version

Install dependencies

apt-get install certbot build-essential sqlite3 libsqlite3-dev libssl-dev pkg-config nginx git -y
apt-get install net-tools whois -y

Compile nostr-rs

cd /opt
mkdir nostr-data
git clone https://github.com/scsibug/nostr-rs-relay.git
cd nostr-rs-relay
cargo build --release

Compilation can take about 10 minutes or so and produces a binary of about 19mb

Install nostr-rs

install target/release/nostr-rs-relay /usr/local/bin

Clean compilation artifacts

Since the instance you are using has little disk space (mine has 8Gb total) you don't want to waste valuable disk space and save it for nostr messages. Once successfully compiled the compilation artifacts can use up to 2Gb of space.

In order to reclaim that space, once the compiled binaries are installed and moved under /usr/local/bin, you can clean them up with

cargo clean

or (last ditch)

rm -Rf /opt/nostr-rs-relay/target

Uninstall compiler tools

Another surce of wasted space (other 2Gb) is in the /root/.rustup folder.

You want to remove/disinstall that too

rm -Rf /root/.rustup

Nostr Configuration

Create a nostr user to run the service and turn into that user

adduser --disabled-login nostr  # keep pressing enter until it ends 
su - nostr

Download the sample configuration file

cd /opt/nostr-rs-relay
wget https://raw.githubusercontent.com/scsibug/nostr-rs-relay/master/config.toml

Update / change the /opt/nostr-rs-relay/config.toml configuration file with your favourite editor (ex vim o nano) Parameters you might want to change:

  • relay_url : put nostr.domainname.com ( ⚠️ replace with the URL of the domain name you own and that points to the server)
  • name : don't be shy ...
  • description : ... introduce yourself
  • pubkey : your public key
  • contact : your email
  • tracing : ⚠️ leave commented otherwise it trows errors and won't start
  • data_directory : set it to /opt/nostr-data/
  • address : set it to 127.0.0.1 as we will later use nginx as a proxy
  • remote_ip_header : set it to "x-forwarded-for" for logging real client IP addresses

Go back to user root

exit

First Test / Dry-run

Start nostr-relay as a stand alone foreground process and check the logs

RUST_LOG=warn,nostr_rs_relay=info /usr/local/bin/nostr-rs-relay

Check the INFO messages, then check that the DB and other files are there

ls -al /opt/nostr-data
total 112
drwxr-xr-x 2 root root  4096 Jan  9 07:54 ./
drwxr-xr-x 4 root root  4096 Jan  8 19:53 ../
-rw-r--r-- 1 root root 73728 Jan  9 07:55 nostr.db
-rw-r--r-- 1 root root 32768 Jan  9 07:55 nostr.db-shm
-rw-r--r-- 1 root root     0 Jan  9 07:55 nostr.db-wal

Give the permissions to the user nostr

chown -R nostr:nostr /opt/nostr-data

Service Setup

Systemd run script

Create a file /etc/systemd/system/nostr-relay.service with the following content

[Unit]
Description=Nostr Relay
After=network.target

[Service]
Type=simple
User=nostr
WorkingDirectory=/home/nostr
Environment=RUST_LOG=info,nostr_rs_relay=info
ExecStart=/usr/local/bin/nostr-rs-relay
Restart=on-failure

[Install]
WantedBy=multi-user.target

Then enable and start the nostr relay service

systemctl daemon-reload
systemctl enable nostr-relay.service
systemctl start nostr-relay.service

Check that the service is running

systemctl status nostr-relay.service
netstat -tnap | grep nostr
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      37860/nostr-rs-rela 

Setup NginX proxy

Site configuration

Create a nginx configuration file for the proxy and folders for HTTPS/TLS certificate creation

mkdir -p /var/www/nostr/.well-known/acme-challenge/
chown -R 33:33 /var/www/nostr
cd /etc/nginx/sites-available
vim nostr-relay.conf

Paste this as the content of the configuration file. ⚠️ Remember to use the domain you picked

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream websocket {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name nostr.domainname.com;  ## <<=== CHANGE THIS

    location /.well-known/acme-challenge/ {
    root /var/www/nostr;
    allow all;
    }

    location / {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Enable and start the site

ln -s /etc/nginx/sites-available/nostr-relay.conf /etc/nginx/sites-enabled/.
rm -f /etc/nginx/sites-enabled/default
nginx -t # must say "ok... test successful"
nginx -s reload

Run an external check

From another pc/server/vps (your laptop) check that you can connect to nostr through nginx

wget nostr.domainname.com  ## <<=== CHANGE THIS

this should download an index.html file. Check the content

cat index.html 
Please use a Nostr client to connect

Add HTTPS/TLS

Prepare dhparams

Create dhparams 4096 bit prime number(this will require a minute or so)

mkdir /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

Let the screen fill up with "....+..." etc

Certificate request

Try certificate request in dry-run mode

cd /var/www/nostr
certbot certonly --webroot -w . -d nostr.domainname.com --dry-run --agree-tos ## <<== Change with your domain

If all goes well do the real certificate request

cd /var/www/nostr
certbot certonly --webroot -w . -d nostr.domainname.com ## <<== Change with your domain

The issued certificates will be found in letsencrypt folder

ll /etc/letsencrypt/live/nostr.domainname.com/
total 12
drwxr-xr-x 2 root root 4096 Jan  9 09:04 ./
drwx------ 3 root root 4096 Jan  9 09:04 ../
-rw-r--r-- 1 root root  692 Jan  9 09:04 README
lrwxrwxrwx 1 root root   48 Jan  9 09:04 cert.pem -> ../../archive/nostr.domainname.com/cert1.pem
lrwxrwxrwx 1 root root   49 Jan  9 09:04 chain.pem -> ../../archive/nostr.domainname.com/chain1.pem
lrwxrwxrwx 1 root root   53 Jan  9 09:04 fullchain.pem -> ../../archive/nostr.domainname.com/fullchain1.pem
lrwxrwxrwx 1 root root   51 Jan  9 09:04 privkey.pem -> ../../archive/nostr.domainname.com/privkey1.pem

Now that you have a valid certificate set, replace the nginx configuration file to use it

cd /etc/nginx/sites-available
vim nostr-relay.conf

Update Nginx site file

Update the content as follows:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream websocket {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name nostr.domainname.com;

   location /.well-known/acme-challenge/ {
        root /var/www/nostr;
        allow all;
    }

    location / {
        return 301 https://nostr.domainname.com;
    }
}

server  {
    listen          443 ssl;
    server_name nostr.domainname.com;

    location / {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    #### SSL ####

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy same-origin;
    add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";


    ssl_certificate /etc/letsencrypt/live/nostr.domainname.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nostr.domainname.com/privkey.pem; 
}

NOTE : remember to change all the occurrences of nostr.domainname.com with your domain

Check the new configuration and reload it into nginx

nginx -t
nginx -s reload

Now check that nginx + http + nostr are all working

netstat -tnap | grep 'nginx\|nostr'
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      37860/nostr-rs-rela 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      8545/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      8545/nginx: master 

Now check that they are reachable from the outside. Like before go to another pc/server and

wget nostr.domainname.com
--2023-01-09 10:22:05--  http://nostr.domainname.com/
Resolving nostr.domainname.com (nostr.domainname.com)... 3.123.142.158
Connecting to nostr.domainname.com (nostr.domainname.com)|3.123.142.158|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://nostr.domainname.com [following]
--2023-01-09 10:22:05--  https://nostr.domainname.com/
Connecting to nostr.domainname.com (nostr.domainname.com)|3.123.142.158|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 37 [text/plain]
Saving to: ‘index.html.1’

index.html.1                     100%[=============================>]      37  --.-KB/s    in 0s      

NOTE : the test is like the previous one, just this time it tries to connect to http first and get redirected (301) to https, then in https the file is download and its content are the same as before

cat index.html 
Please use a Nostr client to connect

See it at work

This section is mostly sysadmin related but can be very useful when trying to get "why it's not working"

Logs

Nostr relay logs

To keep an eye on what's goin on simply ask the logs

journalctl -f | grep --line-buffered nostr_rs_relay | cut -d' ' -f 10,12-100 

... you might want to set an alias for this. This will show the logs of nostr relay in real time. Press CTRL+C to stop it

Nginx logs

tail -f /var/log/nginx/*.log

You can fire up a tmux session if you don't want to start multiple consoles

Inspect Database

NOTE : ⚠️ carefull with this one as you might damage the db

Try some sqlite commands like:

cd /opt/nostr-data
sqlite3 nostr.db
...
sqlite> .databases
sqlite> .tables
sqlite> select * from event;
sqlite> select count(*) from event;
...

Connect your client

If you made it so far, congrats !!

Now is time to connect your client and see it at work !!

Just connect your client to wss://nostr.domainname.com. Send some messages, see the log get them in (almost) real time and find them in the database.

Pitfalls

  • Do not install rust, cargo etc using apt. Just use rustup

Links