INSTALL-UBUNTU.md #318

Open. Wants to merge 380 commits into base branch doc-improove.
Conversation

mariojsantos

# Matrix Installation Instructions on Ubuntu 18.04 using a Docker container and Apache Web Server as a reverse proxy

## Author: Mário Jorge Limeira dos Santos

### Date: 2020-04-27

### The server should have a registered domain and a configured SSL certificate.

### 1. Install the web server (Apache or nginx) that will act as the reverse proxy for the application.

`# apt-get update` 

`# apt-get install apache2`

### 2. If the server is dedicated to #matrix, configure Apache to listen only on port 443 (/etc/apache2/ports.conf).

### 3. Configure Apache security in the file "/etc/apache2/conf-available/security.conf".

### 4. Replace the default Apache index.html file in the directory "/var/www/html".

### 5. Configure the SSL certificate in Apache:

- Create a directory named `ssl` inside the `/etc/apache2/` directory:

    `# cd /etc/apache2`

    `# mkdir ssl ; cd ssl`

- Create the directories `certs` and `private` inside the `ssl` directory just created:

    `# mkdir certs private`

- Copy the `.key` certificate file to the `/etc/apache2/ssl/private/` directory.

- Copy the `bundle.example.com.crt` file to the `/etc/apache2/ssl/certs/` directory.

- Edit the `/etc/apache2/sites-available/default-ssl.conf` file with the following content:

Beginning of the default-ssl.conf file:

```apache
<IfModule mod_ssl.c>
    # Needs the ssl, proxy, proxy_http and headers modules enabled (a2enmod),
    # and "Listen 443" in ports.conf (step 2). The site is served on 443, the
    # port the Google callback URL below points at.
    <VirtualHost *:443>
        ServerName example.com
        ServerAdmin admin@example.com
        ServerAlias www.example.com

        DocumentRoot /var/www/html

        # The #matrix container speaks plain HTTP on localhost:8080, so the
        # proxied connection itself does not need SSLProxyEngine.
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyVia On

        <Location />
            ProxyPass http://localhost:8080/
            ProxyPassReverse http://localhost:8080/
        </Location>

        # Apache 2.4 access control; the 2.2 "Order/Allow" form is not used
        # alongside it, since mixing both styles is discouraged.
        <Proxy *>
            Require all granted
        </Proxy>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLCertificateFile    /etc/apache2/ssl/certs/bundle.example.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/private/example.com.key

        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        # SSL hardening
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLHonorCipherOrder on
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>
```

End of the default-ssl.conf file

### 6. Install docker-ce

6.1. Follow the instructions at https://docs.docker.com/engine/install/ubuntu/

* Install a Docker version equal to or higher than 18.06.3

6.2. Add your non-root user to the docker group:

`$ sudo usermod -aG docker youruser`

6.3. Log in again as your user so that the new group membership takes effect:

`$ su youruser`

### 7. Install docker-compose

### 8. Install #matrix

8.1. Clone the #matrix repository using git:

`$ git clone https://github.com/ResultadosDigitais/matrix.git`

8.2. #matrix uses Google authentication, so you need to create a credential before setting the environment variables.
See how to create this credential at https://github.com/ResultadosDigitais/matrix/blob/master/docs/GOOGLE-CREDENTIAL-STEP-BY-STEP.md

8.3. Enter the matrix directory, duplicate the "variables.example.env" file and rename it to "variables.env".

`$ cd matrix`

`$ cp variables.example.env variables.env`

8.4. Edit the variables.env file and set the environment variables.

Warning: Do not copy and paste the information into the file. Type everything. Copy and paste can bring unexpected errors.

```ini
# Credentials created on step 2:
# Client ID
GOOGLE_CLIENT_ID=<clientid>.apps.googleusercontent.com
# Password
GOOGLE_SECRET=<secret>
# Callback URL
GOOGLE_CALLBACK_URL=https://example.com/auth/google/callback

# Secret and maximum age of the session cookie
COOKIE_SESSION_SECRET=secret
COOKIE_SESSION_MAX_AGE=2592000000

# Set true if the container is running SSL internally
ENFORCE_SSL=false

# E-mail domains that are allowed to enter the matrix
WHITELIST_DOMAINS="@example.com"

# Location of the rooms' configuration. ENVIRONMENT means that the rooms are
# defined in the ROOMS_DATA environment variable. It is also possible to set
# ROOMS_SOURCE=REMOTE and create an external .json file with the room definitions.
ROOMS_SOURCE=ENVIRONMENT

# Room definitions. Each room must have a unique id; "disableMeeting":true
# disables meetings in that room.
ROOMS_DATA=[ { "id":"0", "name":"Lounge", "disableMeeting":true }, { "id":"1", "name":"Room 01" }, { "id":"2", "name":"Room 02" }, { "id":"3", "name":"Room 03" }, { "id":"4", "name":"Kitchen" }]
```

The variables.env file should look like this:

```ini
GOOGLE_CLIENT_ID=<ClientId>.apps.googleusercontent.com
GOOGLE_SECRET=<Secret>
GOOGLE_CALLBACK_URL=https://example.com/auth/google/callback
COOKIE_SESSION_SECRET=<SessionSecret>
COOKIE_SESSION_MAX_AGE=2592000000
ENFORCE_SSL=false
WHITELIST_DOMAINS="@example.com"
ROOMS_SOURCE=ENVIRONMENT
ROOMS_DATA=[ { "id":"0", "name":"Lounge", "disableMeeting":true }, { "id":"1", "name":"Room 01" }, { "id":"2", "name":"Room 02" }, { "id":"3", "name":"Room 03" }, { "id":"4", "name":"Coffe Room" }]
```

In Ubuntu 18.04, for the Docker containers to correctly resolve external web addresses, it was necessary to create the file "/etc/docker/daemon.json", list DNS servers in it and then restart the Docker service.
Content of the "/etc/docker/daemon.json" file:

```json
{
  "dns": ["200.17.33.7", "8.8.8.8"]
}
```

Restart docker service:

`# systemctl restart docker`

### 9. Start the matrix service

Inside the matrix directory do:

`$ docker-compose up -d`   

### 10. Stop the matrix service

Inside the matrix directory do:

`$ docker-compose down --remove-orphans`
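As an added check that is not part of this PR or of the matrix project: a small Python validator for the variables.env layout described above. It catches the mistakes the steps warn about (placeholder values left in, a non-https callback URL, duplicate room ids) before the containers are started; the sample file is constructed, and treating several WHITELIST_DOMAINS entries as comma-separated is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the variables.env layout from the instructions above;
# placeholders are deliberately left in so the checks have something to flag.
SAMPLE_ENV = """\
GOOGLE_CLIENT_ID=<ClientId>.apps.googleusercontent.com
GOOGLE_SECRET=<Secret>
GOOGLE_CALLBACK_URL=http://example.com/auth/google/callback
COOKIE_SESSION_SECRET=secret
COOKIE_SESSION_MAX_AGE=2592000000
ENFORCE_SSL=false
WHITELIST_DOMAINS="@example.com"
ROOMS_SOURCE=ENVIRONMENT
ROOMS_DATA=[ { "id":"0", "name":"Lounge", "disableMeeting":true }, { "id":"0", "name":"Room 01" }]
"""

REQUIRED = ("GOOGLE_CLIENT_ID", "GOOGLE_SECRET", "GOOGLE_CALLBACK_URL", "COOKIE_SESSION_SECRET",
            "COOKIE_SESSION_MAX_AGE", "WHITELIST_DOMAINS", "ROOMS_SOURCE", "ROOMS_DATA")

def parse_env(text):
    # KEY=VALUE per line, split on the first '='; blank and '#' lines are skipped
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def check_env(env):
    """Return a list of problems; an empty list means every check passed."""
    problems = [f"{k} is missing" for k in REQUIRED if k not in env]
    for k in ("GOOGLE_CLIENT_ID", "GOOGLE_SECRET", "COOKIE_SESSION_SECRET"):
        if "<" in env.get(k, "") or env.get(k, "").lower() in ("", "secret"):
            problems.append(f"{k} still holds a placeholder value")
    if urlparse(env.get("GOOGLE_CALLBACK_URL", "")).scheme != "https":
        problems.append("GOOGLE_CALLBACK_URL must use https (Apache terminates TLS)")
    # Assumption: several allowed domains are comma-separated inside the quotes
    domains = env.get("WHITELIST_DOMAINS", "").strip('"').split(",")
    if any(not (d.strip().startswith("@") and "." in d) for d in domains):
        problems.append("WHITELIST_DOMAINS entries must look like @example.com")
    if env.get("ROOMS_SOURCE") == "ENVIRONMENT":
        try:
            ids = [room["id"] for room in json.loads(env.get("ROOMS_DATA", ""))]
            if len(ids) != len(set(ids)):
                problems.append("ROOMS_DATA room ids are not unique")
        except (ValueError, KeyError, TypeError):
            problems.append("ROOMS_DATA is not valid JSON with an id per room")
    return problems
```

Run `check_env(parse_env(open("variables.env").read()))` from the matrix directory; the constructed sample above yields five problems, a correctly filled file yields an empty list.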

juliemar and others added 30 commits March 23, 2020 20:38
Bumps [webpack-cli](https://github.com/webpack/webpack-cli) from 3.3.8 to 3.3.11.
- [Release notes](https://github.com/webpack/webpack-cli/releases)
- [Changelog](https://github.com/webpack/webpack-cli/blob/next/CHANGELOG_v3.md)
- [Commits](webpack/webpack-cli@v3.3.8...v3.3.11)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Added instructions to README and Kubernetes example files
to docs folder.
Bumps [babel-loader](https://github.com/babel/babel-loader) from 8.0.6 to 8.1.0.
- [Release notes](https://github.com/babel/babel-loader/releases)
- [Changelog](https://github.com/babel/babel-loader/blob/master/CHANGELOG.md)
- [Commits](babel/babel-loader@v8.0.6...v8.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Bumps [nyc](https://github.com/istanbuljs/nyc) from 14.1.1 to 15.0.0.
- [Release notes](https://github.com/istanbuljs/nyc/releases)
- [Changelog](https://github.com/istanbuljs/nyc/blob/master/CHANGELOG.md)
- [Commits](istanbuljs/nyc@v14.1.1...v15.0.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Bumps [react-redux](https://github.com/reduxjs/react-redux) from 7.1.1 to 7.2.0.
- [Release notes](https://github.com/reduxjs/react-redux/releases)
- [Changelog](https://github.com/reduxjs/react-redux/blob/master/CHANGELOG.md)
- [Commits](reduxjs/react-redux@v7.1.1...v7.2.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
…rn-develop-react-redux-7.2.0

Bump react-redux from 7.1.1 to 7.2.0
Bumps [webpack-manifest-plugin](https://github.com/danethurber/webpack-manifest-plugin) from 2.0.4 to 2.2.0.
- [Release notes](https://github.com/danethurber/webpack-manifest-plugin/releases)
- [Commits](shellscape/webpack-manifest-plugin@v2.0.4...v2.2.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
…rn-develop-webpack-manifest-plugin-2.2.0

Bump webpack-manifest-plugin from 2.0.4 to 2.2.0
Bumps [@babel/preset-react](https://github.com/babel/babel) from 7.0.0 to 7.9.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/master/CHANGELOG.md)
- [Commits](babel/babel@v7.0.0...v7.9.4)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Comment on lines +91 to +94

```js
authenticationCallbackHandler({
  successRedirect: routes.homePath,
  failureRedirect: routes.loginPath
})
```

Check failure: Code scanning / CodeQL

Missing rate limiting (High): This route handler performs authorization, but is not rate-limited.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to introduce rate-limiting middleware to the Express application. The express-rate-limit package is a well-known library for this purpose. We will set up a rate limiter and apply it to the routes that handle sensitive operations, such as the authenticationCallbackHandler.

  1. Install the express-rate-limit package.
  2. Import the express-rate-limit package in the backend/app/app.routes.js file.
  3. Configure the rate limiter with appropriate settings (e.g., maximum 100 requests per 15 minutes).
  4. Apply the rate limiter to the routes that require protection.
Suggested changeset 2
backend/app/app.routes.js

Autofix patch

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/backend/app/app.routes.js b/backend/app/app.routes.js
--- a/backend/app/app.routes.js
+++ b/backend/app/app.routes.js
@@ -1,2 +1,3 @@
 import express from "express";
+import RateLimit from "express-rate-limit";
 import authenticate from "./middlewares/authenticate";
@@ -14,2 +15,7 @@
 
+const limiter = RateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // max 100 requests per windowMs
+});
+
 const routes = {
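Review bot: the limiter configured in this hunk keys requests on `req.ip` (the express-rate-limit default), and with the Apache reverse proxy this PR documents (`ProxyPass http://localhost:8080/`) every request reaches Express from 127.0.0.1, so all users would share a single 100-per-15-minutes bucket and the 101st login callback from anyone would lock everyone out. Set `app.set('trust proxy', 1)` so Express reads the `X-Forwarded-For` header that mod_proxy adds, or pass an explicit `keyGenerator`, so the limit is per client; note also that the default in-memory store is per process, so the count is not shared between replicas such as the Kubernetes deployment mentioned in the commit list.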
@@ -90,2 +96,3 @@
   routes.loginStrategyCallbackPath,
+  limiter,
   authenticationCallbackHandler({
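Review bot: nothing in the changeset documents the new behaviour of this route: after 100 callbacks in 15 minutes a client receives HTTP 429 in the middle of the Google OAuth flow, which an operator following INSTALL-UBUNTU.md would have no way to diagnose. Add a line to the install notes stating the limit, and consider reading `windowMs` and `max` from variables.env next to the other settings so operators can tune it without a code change.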
EOF
backend/package.json
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/backend/package.json b/backend/package.json
--- a/backend/package.json
+++ b/backend/package.json
@@ -28,3 +28,4 @@
     "socket.io": "^2.2.0",
-    "uuid": "^7.0.3"
+    "uuid": "^7.0.3",
+    "express-rate-limit": "^7.4.1"
   },
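Review bot: `express-rate-limit@^7.4.1` requires Node.js 16 or later, while the surrounding dependency set (uuid ^7, socket.io ^2.2) dates from 2020, so confirm the runtime in the project's Docker image meets that before merging. The patch also touches only package.json: the lockfile is not regenerated, so `npm ci` will fail (or a plain `npm install` will resolve an unpinned version) until package-lock.json or yarn.lock is updated. Minor style point: inserting the new entry after `"uuid"` breaks the alphabetical order of the dependency list.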
EOF
This fix introduces these dependencies:

| Package | Version | Security advisories |
| --- | --- | --- |
| express-rate-limit (npm) | 7.4.1 | None |