Title: HBSC Basics: setting up Port Forwarding on your home router
Date: 2019-01-14
Category: self-hosting basics
Tags: port forwarding, router, introduction, lan, wan
Slug: basics-port-forwarding
Description: How to set up a spare computer as a server and make it reachable over the internet.
@ -12,15 +11,15 @@ Status: draft
##Introduction
The whole premise of the homebrewserver.club is the simple - yet often overlooked - fact that your home internet subscription theoretically also allows you to host on-line services. Since the internet is in its essence a bi-directional medium, anyone with an internet connection can not only look up on-line content but also host it!
The whole premise of the homebrewserver.club is the simple - yet often overlooked - fact that your home internet subscription theoretically also allows you to host on-line services. Since the internet is in its essence a bi-directional medium, anyone with an internet connection can not only look up on-line content but also host it!
In times of *cloud providers* and *virtual private servers* it is an easy thing to forget. Internet service providers (ISP) don't make it easy on you either. However, a homebrew server can be as simple as an old laptop connected directly to your home router.
In this article you will learn how to change the settings of the router provided by your ISP in order to make your homebrew server accessible from the internet!
In this article you will learn how to change the settings of the router provided by your ISP in order to make your homebrew server accessible from the internet!
##Requirements
To begin serving from home you need the following:
To begin serving from home you need the following:
- Make sure you have physical access to your home router.
- Get to know the password of the admin user (this is usually provided in the box or written on the label on the underside of the router).
@ -32,21 +31,21 @@ To begin serving from home you need the following:
 A schematic representation depicting network address translation between a local area network and a wide area network, where ports are being forwarded from the WAN to home server on the LAN. The IP-addresses indicated in this schematic are used throught the article as for reference but might differ from your own situation.
Most home routers are configured by default to make the devices behind your router inaccessible to the internet using their inbuilt firewall. This is to prevent your private network from being public.
Most home routers are configured by default to make the devices behind your router inaccessible to the internet using their inbuilt firewall. This is to prevent your private network from being public.
Machines behind your router (called your local area network or `LAN`) can make connections to the wider internet (known as `WAN`) but not the other way around.
In the case of hosting a server at home though, we DO want that server to be reachable from the internet. In order to do that we need to open so-called *ports*.
In the case of hosting a server at home though, we DO want that server to be reachable from the internet. In order to do that we need to open so-called *ports*.
Ports are logical 'gates' that are open or closed to connections. These ports have numbers and are [standardized](https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports) for specific protocols or applications.
For example, HTTP traffic from a website would default to port `80`. HTTPS defaults to `443` and SSH defaults to port `22`.
For example, HTTP traffic from a website would default to port `80`. HTTPS defaults to `443` and SSH defaults to port `22`.
To make our server accessible we need to open and forward those ports on the router/firewall to our server in a process called port-forwarding.
The exact method of port-forwarding differs from router to router. However, it always follows a similar scheme where you designate inbound traffic on a certain port to be forwarded to the IP address your server has on the local area network.
The exact method of port-forwarding differs from router to router. However, it always follows a similar scheme where you designate inbound traffic on a certain port to be forwarded to the IP address your server has on the local area network.
The effect of this is that all traffic with your home connection's IP-adress as a destination and bound for those ports will not be rejected by the firewall but forwarded to your server instead.
The effect of this is that all traffic with your home connection's IP-adress as a destination and bound for those ports will not be rejected by the firewall but forwarded to your server instead.
For this you need to have access to the administrative panel of your router.
@ -62,16 +61,16 @@ If you get a command not found warning try this:
`$ ip address`
This will return information on your network connection. Look for the line saying `inet`
This will return information on your network connection. Look for the line saying `inet`
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 192.168.1.11/24 brd 192.168.1.255 scope global wlp3s0
valid_lft forever preferred_lft forever
inet6 fe80::eab1:fcff:acab:374e/64 scope link
inet6 fe80::eab1:fcff:acab:374e/64 scope link
valid_lft forever preferred_lft forever
In this case the IP-address of the machine is `192.168.1.11`. As a rule of thumb you can then change the last digit of your IP-address to either `1` or `254` to find the router.
In this case the IP-address of the machine is `192.168.1.11`. As a rule of thumb you can then change the last digit of your IP-address to either `1` or `254` to find the router.
### Log in to your home router and get to know your LAN
@ -86,7 +85,7 @@ Use an ethernet cable to connect your homeserver to your router. In case that it
Have a look at your router's interface again and look for the IP-address that your server was assigned. In this guide I'll assume it was 192.168.1.10 as displayed in the graph above.
Next try to find an option called "Static (DHCP) Lease" or "DHCP Binding" or something similar in your router interface's LAN view. Then make sure to assign your server a static DHCP lease. The IP-address it has now is probably fine for that! This will make sure that the server is always reachable under the same IP-addres.
Next try to find an option called "Static (DHCP) Lease" or "DHCP Binding" or something similar in your router interface's LAN view. Then make sure to assign your server a static DHCP lease. The IP-address it has now is probably fine for that! This will make sure that the server is always reachable under the same IP-addres.
## Forward the ports
@ -98,4 +97,4 @@ Once you've set up a static lease to your homeserver you can start port forwardi
## Additional Resources
* [https://portforward.com/](https://portforward.com/router.htm) has a large list of routers and visual instructions on how to set up port forwarding on them.
* [https://portforward.com/](https://portforward.com/router.htm) has a large list of routers and visual instructions on how to set up port forwarding on them.
Description: XMPP terminology, translated to plain english. Did you know you can use OMEMO E2E with MAM in a MUC?
<aname='xmpp'></a>
##XMPP
##XMPP
[Extensible Messaging and Presence Protocol](https://xmpp.org/about). - A communications protocol based on XML that has been in development since 1999. Ever since the standard has been incrementally developed to add more functionality. It is the underlying technology that powers a lot of well known chat applications such as WhatsApp and Google Talk.
[Extensible Messaging and Presence Protocol](https://xmpp.org/about). - A communications protocol based on XML that has been in development since 1999. Ever since the standard has been incrementally developed to add more functionality. It is the underlying technology that powers a lot of well known chat applications such as WhatsApp and Google Talk.
<aname='jabber'></a>
<spanstyle="color:#fe4a49">Jabber</span> -
The original trademarked name of the Jabber service. [Jabber.org](https://en.wikipedia.org/wiki/Jabber.org) is the original instant messaging (IM) service based on XMPP. Afterwards many different servers and clients have emerged. "Jabber" is to "XMPP", what "email" is to "SMTP" and what "web" is to "HTTP"[^jabber].
The original trademarked name of the Jabber service. [Jabber.org](https://en.wikipedia.org/wiki/Jabber.org) is the original instant messaging (IM) service based on XMPP. Afterwards many different servers and clients have emerged. "Jabber" is to "XMPP", what "email" is to "SMTP" and what "web" is to "HTTP"[^jabber].
<aname='muc'></a>
<spanstyle="color:#fe4a49">MUC</span> -
<spanstyle="color:#fe4a49">MUC</span> -
"Multi-User Chat", the jargon for groupchat in XMPP world. This feature needs to be supported by both the clients and the servers. See [XEP-0045](#xep).
<aname='roster'></a>
<spanstyle="color:#fe4a49">ROSTER</span> -
<spanstyle="color:#fe4a49">ROSTER</span> -
is your list of contacts.
<spanstyle="color:#fe4a49">JID</span> - Jabber ID / XMPP address. JID is the identifier of a user account. It looks a lot like an email address: user@server.com, but it is not. Some users might use the same name for both their email and JID but most of the time these are completely different things. Following the same logic, chatrooms also have a similar address: roomname@muc.server.com.
<spanstyle="color:#fe4a49">JID</span> - Jabber ID / XMPP address. JID is the identifier of a user account. It looks a lot like an email address: user@server.com, but it is not. Some users might use the same name for both their email and JID but most of the time these are completely different things. Following the same logic, chatrooms also have a similar address: roomname@muc.server.com.
<aname='xep'></a>
@ -36,14 +35,14 @@ is your list of contacts.
[XEP-0313: MAM](http://xmpp.org/extensions/xep-0313.html) - Message Archive Management is an extension that allows one to receive messages while offline.
A group of servers which agreed upon certain standards to communicate with each other. Such a group is a federation of servers. The federated XMPP protocol enables the user to select a client of preference and connect to their XMPP server of choice.
A vertically integrated service that includes both exclusive client and server software. In this scenario, most of the time, the user can only run one specific client and only interact with other users from the same service.
### Software: Clients
### Software: Clients
As featured in our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html):
<aname='conversations'></a>
@ -62,7 +61,7 @@ Other popular clients not featured in our guide:
[Kaiwa](http://getkaiwa.com/) - A webclient, so it runs in the browser. Supports a lot of features and XEPs. Win/Lin/OSX
[Pidgin](https://www.pidgin.im/about/) A client which supports a number of messaging standards including XMPP. Recently implemented [support for OMEMO](https://developer.pidgin.im/ticket/16801).
[Pidgin](https://www.pidgin.im/about/) A client which supports a number of messaging standards including XMPP. Recently implemented [support for OMEMO](https://developer.pidgin.im/ticket/16801).
[There are many more clients available](https://xmpp.org/software/clients.html). Check your local F-Droid/Google Play Store/AppStore.
@ -89,29 +88,29 @@ Depending on your threat model, in case you and your contacts share the same tru
End-to-end ciphers is client side method for encrypting messages. Only the sender, and the receiver, at both ends of the communication chain, can read the message, but not the servers in between.
<aname='otr'></a>
<spanstyle="color:#fe4a49">OTR</span> -
<spanstyle="color:#fe4a49">OTR</span> -
"Off-The-Record" is one of the older forms of e2e encryption available in some messaging clients. The big disadvantage of OTR is that both clients need to be online at the same time for the encrypted session to work. It is also not possible to synchronize OTR encrypted messages across mutliple clients.
<aname='omemo'></a>
<spanstyle="color:#fe4a49">OMEMO</span> -
<spanstyle="color:#fe4a49">OMEMO</span> -
OMEMO Multi-End Message and Object Encryption, OMEMO is the XMPP implementation of the Double Ratchett encryption algorithm developed for Signal by Moxie Marlinspike at Open Whisper Systems. It is the most modern and convenient encryption mechanism that is practically invisible to the user. It also provides so-called forward secrecy, which means that every message is separatly encrypted. In the case that one cipher is intercepted by a third party, only one message can thus be decrypted.
<aname='tofu'></a>
<spanstyle="color:#fe4a49">TOFU</span> -
<spanstyle="color:#fe4a49">TOFU</span> -
Trust On First Use. A mechanism where the received fingerprint is assumed trusted immediately and is therefore checked as verified. Used in ChatSecure for OTR and OMEMO, called 'Blind Trust' in Conversations.
<aname='openpgp'></a>
<spanstyle="color:#fe4a49">OpenPGP</span> -
<spanstyle="color:#fe4a49">OpenPGP</span> -
Pretty good Privacy is the oldest generic method for end-to-end encryption. It requires quite some knowledge and maintenance frmo its users. OMEMO is designed to provide similar or better encryption with less hassle. To use OpenPGP in Conversation a third party app called OpenKeyChain is required.
<aname='threat'></a>
<spanstyle="color:#fe4a49">Threat Model</span>. When thinking about security and privacy it is important to note that there is no such thing as a protection against every and any possible threats. By aiming too large and aimlessly at a universal form of privacy, there is a risk of missing obvious blind spots because of lack of resources, lack of time, and lack of knowledge to cover all possible situations. In that sense the concept of a *threat model* is very useful. In a threat model, an assessment of what has to be secured and who could be willing to acquire your information and at what cost, is established in a realistic fashion. What poses a credible threat to you and your situation? Who represents that threat? What kind of resources does this threat possesses? The answer to these questions should inform you on what kind of measures one should take and which ones have the highest priority.
Obviously this differs from situation to situation. Are you a political activists or dissident trying to organise for direct action and trying to avoid surveillance from governement agencies? Are you the user of a popular social network, trying to protect as much as possible your most confidential information from your private life? Are you an office worker trying to leak confidential information about unethical activities of your employer while remaining anonymous? Are you a user of public or private torrent trackers hoping to get away with mass downloading and uploading of whole seasons of The Great British Baking Show? Every situation is different, every situation needs a specific understanding of what is at stake and what would be the consequence if what you try to protect is exposed. Don't believe in magical solutions, do your homework.
Obviously this differs from situation to situation. Are you a political activists or dissident trying to organise for direct action and trying to avoid surveillance from governement agencies? Are you the user of a popular social network, trying to protect as much as possible your most confidential information from your private life? Are you an office worker trying to leak confidential information about unethical activities of your employer while remaining anonymous? Are you a user of public or private torrent trackers hoping to get away with mass downloading and uploading of whole seasons of The Great British Baking Show? Every situation is different, every situation needs a specific understanding of what is at stake and what would be the consequence if what you try to protect is exposed. Don't believe in magical solutions, do your homework.
This list is partly based [on this glossary](https://wiki.xmpp.org/web/Usability/Glossary)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [configuring the self-hosted XMPP server Prosody](http://homebrewserver.club/configuring-a-modern-xmpp-server.html), and our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
Should you succeed, you will be able to read something like:
:::console
:::console
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your cert will
expire on 2018-01-13. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your cert will
expire on 2018-01-13. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
Take note of the path where the certificate is stored as we will use it later.
@ -102,7 +101,7 @@ Exit mysql:
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
@ -142,10 +141,10 @@ The homebrewserver.club prosody config:
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
@ -168,16 +167,16 @@ The homebrewserver.club prosody config:
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
"omemo_all_access"; -- Allow for OMEMO E2E between contacts that haven't added each other
"pep_vcard_avatar"; -- use XEP-0153: vCard-Based Avatars to see the avatars of clients that use XEP-0084: User Avatar and vice versa.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
-- These are the SSL/TLS-related settings.
ssl = {
certificate = "/etc/prosody/certs/fullchain.pem";
key = "/etc/prosody/certs/privkey.pem";
@ -197,9 +196,9 @@ The homebrewserver.club prosody config:
@ -209,7 +208,7 @@ The homebrewserver.club prosody config:
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.myserver.org" "http_upload"
@ -238,16 +237,16 @@ Users can be added from the command line, you will also be prompted for a passwo
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change "allow_registration = false;" to "allow_registration = true;" in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp://prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
**edit 9th of january 2018**
updated config for new debian stable and prosody 0.10
Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html)
Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html)
Summary: Hands-on step-by-step guide that shows how to set up a federated chat server based on Prosody 0.11 configured for security, mobile messaging, rich features and ease of use.
@ -27,7 +26,7 @@ To make your server communicate make sure following ports are open in your firew
5281 (default https port for prosody)
Additionally make sure you have set up a domain name and have A-records for the following subdomains:
:::console
groups.myserver.org (for the groupchats)
upload.myserver.org (for the HTTP-Upload component)
@ -54,7 +53,7 @@ Pick an authentication method that [best fits your situation](https://certbot.ef
Should you succeed, you will be able to read something like:
:::console
:::console
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your
cert will expire on 2019-02-15. To obtain a new or tweaked version
@ -65,7 +64,7 @@ Should you succeed, you will be able to read something like:
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
@ -96,10 +95,10 @@ The homebrewserver.club prosody config
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
@ -122,27 +121,27 @@ The homebrewserver.club prosody config
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocklist"; -- XEP-0191 blocking of users
"bookmarks"; -- Synchronize currently joined groupchat between different clients.
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
"server_contact_info"; --add contact info in the case of issues with the server
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
c2s_require_encryption = true -- Force clients to use encrypted connections
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
@ -155,7 +154,7 @@ The homebrewserver.club prosody config
archive_expires_after = "1w" -- Remove archived messages after 1 week
disco_items = { -- allows clients to find the capabilities of your server
disco_items = { -- allows clients to find the capabilities of your server
{"upload.myserver.org", "file uploads"};
{"groups.myserver.org", "group chats"};
}
@ -167,7 +166,7 @@ The homebrewserver.club prosody config
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "upload.myserver.org" "http_upload"
@ -202,7 +201,7 @@ Finishing up
---
Add an entry to cron to automatically renew LetsEncrypt certificates
:::console
sudo crontab -e
@ -222,24 +221,24 @@ Users can be added from the command line, you will also be prompted for a passwo
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change `allow_registration = false;` to `allow_registration = true;` in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp:prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
Attention: Upgrading From Previous Versions
Attention: Upgrading From Previous Versions
---
Previous versions of this guide[^1] included instructions how to set up a MySQL/MariaDB database back-end. That is because earlier versions of prosody had SQL as a dependency for message archiving. This is no longer the case. The new guide is lighter and leaves out MySQL/MariaDB in favor of the inbuilt file-based storage. This should be sufficient for hundreds of users.
Previous versions of this guide[^1] included instructions how to set up a MySQL/MariaDB database back-end. That is because earlier versions of prosody had SQL as a dependency for message archiving. This is no longer the case. The new guide is lighter and leaves out MySQL/MariaDB in favor of the inbuilt file-based storage. This should be sufficient for hundreds of users.
When upgrading to prosody 0.11 on a server using sql make sure to run database upgrades with:
:::console
prosodyctl mod_storage_sql upgrade
prosodyctl mod_storage_sql upgrade
[^1]: Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html) and [Prosody 0.10](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.10.html)
[^1]: Previous articles descibed how to set up [Prosody 0.9](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.9.html) and [Prosody 0.10](https://homebrewserver.club/drafts/configuring-a-modern-xmpp-server-0.10.html)
Should you succeed, you will be able to read something like:
:::console
:::console
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your cert will
expire on 2017-02-13. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your cert will
expire on 2017-02-13. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
Take note of the path where the certificate is stored as we will use it later.
@ -98,7 +97,7 @@ Exit mysql:
Installing and configuring Prosody, the XMPP server
---
Install the newest version of Prosody and its dependencies from the official prosody repository:
:::console
@ -138,10 +137,10 @@ The homebrewserver.club prosody config:
:::console
-- a custom prosody config focused on high security and ease of use across (mobile) clients
-- provided to you by the homebrewserver.club
-- the original config file (prosody.cfg.lua.original) will have more information
-- the original config file (prosody.cfg.lua.original) will have more information
plugin_paths = { "/usr/src/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
modules_enabled = {
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
@ -165,14 +164,14 @@ The homebrewserver.club prosody config:
"http"; -- mod_http needed for XEP-363
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
"blocking"; -- XEP-0198 blocking of users
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
--"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
-- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
-- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};
allow_registration = false; -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts
-- These are the SSL/TLS-related settings.
-- These are the SSL/TLS-related settings.
ssl = {
certificate = "/etc/prosody/certs/fullchain.pem";
key = "/etc/prosody/certs/privkey.pem";
@ -192,9 +191,9 @@ The homebrewserver.club prosody config:
@ -204,7 +203,7 @@ The homebrewserver.club prosody config:
}
VirtualHost "myserver.org"
-- Enable http_upload to allow image sharing across multiple devices and clients
Component "dump.myserver.org" "http_upload"
@ -234,14 +233,14 @@ Users can be added from the command line, you will also be prompted for a passwo
:::console
prosodyctl adduser me@myserver.org
Alternatively you can change "allow_registration = false;" to "allow_registration = true;" in the config (line 35) to allow users to register accounts on your server via their clients.
Now you can try connecting to your own server by using a client like Gajim or Conversations. Login with the above configured username and password.
If you have questions about Prosody, the project's [documentation](http://prosody.im/doc) is quite good. If you can't find answers there, try contacting prosody developers and users directly via [the Prosody XMPP chatroom](xmpp://prosody.conference.prosody.im?join)
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
This guide is a companion to our article [Have You Considered The Alternative?](http://homebrewserver.club/have-you-considered-the-alternative.html) on instant messaging. Also check out our guide on [XMPP clients](http://homebrewserver.club/picking-modern-xmpp-clients.html).
Description: Hands-on step-by-step guide that shows how to configure Prosody 0.11 aimed at security, mobile messaging, rich features and ease of use.
@ -25,7 +24,7 @@ Abre los siguientes puertos en tu firewall para poder comunicarte con el servido
5281 (el puerto https por defecto de prosody)
También asegúrate de que tienes un dominio con DNS A-records para los siguientes subdominios
:::console
myserver.org (el dominio principal)
groups.myserver.org (para sala de grupos)
@ -37,7 +36,7 @@ Esta guía usa los dominios escritos arriba, pero puedes ser más creativo :)
Habilitar HTTPS
---
Primero, conseguimos un certificado HTTPS firmado por [Let's Encrypt](https://letsencrypt.org/):
Primero, conseguimos un certificado HTTPS firmado por [Let's Encrypt](https://letsencrypt.org/):
Se necesita para XMPP moderno, certificados auto-firmados no funcionaran.
@ -49,10 +48,10 @@ Instala Certbot y consigue los certificados para tu dominio (reemplaza `myserver
certbot certonly -d groups.myserver.org
certbot certonly -d upload.myserver.org
certbot certonly -d proxy.myserver.org
Si funciona, deberías poder ver algo así:
:::console
:::console
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/myserver.org/fullchain.pem. Your
cert will expire on 2019-02-15. To obtain a new or tweaked version
@ -62,7 +61,7 @@ Si funciona, deberías poder ver algo así:
Instalar y configurar Prosody, el servidor XMPP
---
Instala la version Prosody 0.11 y sus dependencias desde el repositorio oficial de Prosody:
:::console
@ -93,10 +92,10 @@ La configuración de homebrewserver.club
:::console
-- una configuración de prosody enfocado a la seguridad, mensajería móvil y fácil de usar.
-- proporcionada por homebrewserver.club
-- el archivo de la configuración original(prosody.cfg.lua.original) tendrá mas información
plugin_paths = { "/usr/src/prosody-modules" } -- el directorio de los plugin no estándar para mantenerlos al dia con mercurial
-- el archivo de la configuración original(prosody.cfg.lua.original) tendrá mas información
plugin_paths = { "/usr/src/prosody-modules" } -- el directorio de los plugin no estándar para mantenerlos al dia con mercurial
modules_enabled = {
"roster"; -- Permite a los usuarios tener una lista de contactos. Recomendado ;)
"saslauth"; -- Autenticación entre clientes y servidores. Recomendado si quieres iniciar sesión.
@ -108,7 +107,7 @@ La configuración de homebrewserver.club
"vcard_legacy"; -- Convierte entre legacy vCard y PEP Avatar, vcard
"version"; -- Contesta a las peticiones de la versión del servidor
"uptime"; -- Informa sobre cuánto tiempo ha estado funcionando el servidor
"time"; -- Permite conocer la hora en el servidor
"time"; -- Permite conocer la hora en el servidor
"ping"; -- Contesta XMPP pings con pongs
"register"; --Permite registrar una cuenta en tu servidor desde un cliente
"pep"; -- Entre otras cosas, permite a usuarios publicar sus claves OMEMO publicas
@ -119,27 +118,27 @@ La configuración de homebrewserver.club
"admin_adhoc"; -- Permite la administración del servidor desde un cliente XMPP (que soporte comandos ad-hoc)
"blocklist"; -- XEP-0191 bloquear usuarios
"bookmarks"; -- Sincroniza entre clientes diferentes las salas a las que te has unido
--"cloud_notify"; -- Soporta XEP-0357 Push Notifications para tener compatibilidad con ChatSecure/iOS.
--"cloud_notify"; -- Soporta XEP-0357 Push Notifications para tener compatibilidad con ChatSecure/iOS.
-- iOS normalmente aborta la conexión cuando una aplicación funciona en segundo plano y requiere el uso de los servidores de Push de Apple para levantar la conexión y recibir un mensaje. Habilitar este módulo permite a tu servidor comunicarse con los servidores Push de Apple para ayudar a tus usuarios de iOS.
-- Sin embargo, lo dejamos comentado porque es un otro ejemplo de una plataforma cloud integrada verticalmente que choca con las ideas de federación y las redes libres. Descomentarlo tiene riesgo de vigilancia de los meta dados de tus usuarios por Apple.
"server_contact_info"; -- Añade información de contacto en caso de incidencias con el servidor
};
allow_registration = false; -- Permite registrar una cuenta en tu servidor desde un cliente, para más información visita http://prosody.im/doc/creating_accounts
certificates = "/etc/prosody/certs" -- Ruta donde Prosody busca los certificados: https://prosody.im/doc/letsencrypt
https_certificate = "certs/myserver.org.crt"
https_certificate = "certs/myserver.org.crt"
c2s_require_encryption = true -- Fuerza a los clientes a usar conexiones cifradas
s2s_secure_auth = true -- Fuerza la autenticación de certificados para conexiones entre servidores
pidfile = "/var/run/prosody/prosody.pid"
authentication = "internal_hashed"
-- Historial de conversaciones
-- Si mod_mam esta activo, Prosody guardara una copia de cada mensaje.
-- Historial de conversaciones
-- Si mod_mam esta activo, Prosody guardara una copia de cada mensaje.
-- Se usa para sincronizar conversaciones entre múltiples clientes, incluso
-- si están desconectados. Esta configuración controla cuanto tiempo Prosody
-- guarda los mensajes en el historial antes de eliminarlos.
@ -152,17 +151,17 @@ La configuración de homebrewserver.club
"*syslog";
}
disco_items = { -- allows clients to find the capabilities of your server
disco_items = { -- allows clients to find the capabilities of your server
{"upload.myserver.org", "file uploads"};
{"groups.myserver.org", "group chats"};
}
VirtualHost "myserver.org"
-- Habilita http_upload para permitir compartir imágenes entre diferentes dispositivos y diferentes clientes
Component "upload.myserver.org" "http_upload"
-- Permite crear salas
-- Permite crear salas
Component "groups.myserver.org" "muc"
modules_enabled = { "muc_mam", "vcard_muc" }
@ -195,7 +194,7 @@ Para acabar
---
Configura `cron` para renovar los certificados LetsEncrypt automáticamente
:::console
sudo crontab -e
@ -215,7 +214,7 @@ Se pueden añadir usuarios desde la línea de comandos. Te pedirá una contrase
:::console
prosodyctl adduser me@myserver.org
De otra forma puedes cambiar `allow_registration = false;` a `allow_registration = true;` en la configuración (linea 35) para permitir a los usuarios registrarse en tu servidor desde sus propios clientes.
Ahora puedes intentar conectarte a tu servidor usando un cliente como Gajim o Conversations. Inicia sesión con tu nombre y contraseña.
Summary: Signal is often considered an alternative to Whatsapp, but is it really? Why you should gather a group of friends and consider staring into the abyss of self-hosted, federated messaging services.
@ -9,7 +8,7 @@ Summary: Signal is often considered an alternative to Whatsapp, but is it really
>"Remember, when advertising is involved you the user are the product. [...]
>When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
>When people ask us why we charge for WhatsApp, we say 'Have you considered the alternative?'"
<small>Brian Acton and Jan Koum, June 2012[^1] </small>
@ -42,12 +41,12 @@ Every time there is a breach of user trust —read: a change in the Terms of Ser
There are no alternatives.
===
There's a tendency to oversimplify the issues related to the use of these apps as merely a privacy matter, and not even that is sufficiently addressed. While each of the aforementioned apps are alternative companies and brands, what these alternatives all have in common is that they share the same model. A model that revolves around centralized services, vendor lock-in and marketing related surveillance, and all of that within a neoliberal context of the free market. These alternatives therefore promote themselves as more than just an alternative, but also as competing products, usually highlighting a particular feature lacking in rivals' products. Remember that ill-fated, super cool, nice looking alternative to Facebook, Ello? It gained a lot of traction out of legitimate concerns with Facebook's modus operandi, promoting itself as an alternative for its nice features and its promise not to use advertising. But as Aral Balkan was quick to point out, allowing investments by venture capital firms meant the project was dead before it really began[^7]. Taking these investments, which allowed them to scale as a platform, also meant that they would, at some point, *have* to make a lot of money for their investors. How? By selling ad space or information about their users. The reason the pattern keeps repeating itself is not because the makers of these apps always secretly intended to sell your data while saying they wouldn’t. The reason is that they have no choice within the economic system they choose to operate in.
There's a tendency to oversimplify the issues related to the use of these apps as merely a privacy matter, and not even that is sufficiently addressed. While each of the aforementioned apps are alternative companies and brands, what these alternatives all have in common is that they share the same model. A model that revolves around centralized services, vendor lock-in and marketing related surveillance, and all of that within a neoliberal context of the free market. These alternatives therefore promote themselves as more than just an alternative, but also as competing products, usually highlighting a particular feature lacking in rivals' products. Remember that ill-fated, super cool, nice looking alternative to Facebook, Ello? It gained a lot of traction out of legitimate concerns with Facebook's modus operandi, promoting itself as an alternative for its nice features and its promise not to use advertising. But as Aral Balkan was quick to point out, allowing investments by venture capital firms meant the project was dead before it really began[^7]. Taking these investments, which allowed them to scale as a platform, also meant that they would, at some point, *have* to make a lot of money for their investors. How? By selling ad space or information about their users. The reason the pattern keeps repeating itself is not because the makers of these apps always secretly intended to sell your data while saying they wouldn’t. The reason is that they have no choice within the economic system they choose to operate in.
Cryptography matters, but then it also doesn’t
===
The latest competitive feature—one might even say, marketing trick—to make concerned users switch from one alternative to another is cryptography, the act of coding messages during communication. This strategy works well because the vast majority of people are not really informed when it comes down to the technicalities of cryptography, so this discourse mostly serves to throw bedazzling sparkles in our eyes. To be sure, cryptography is fundamental for privacy. However, the main privacy threat in the context of using these apps isn't the potential of a government eavesdropping on our communications. The privacy threat is the wholesale and increasing dependence on centralized services which revolve around the surveillance and monetization of user information. In 2016, both WhatsApp and Facebook Messenger enabled end-to-end encryption[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#e2e) to address increasing privacy concerns. Adding *crypto* to a communication app in this case merely obfuscates a concern about the hegemony of these platforms. In essence, the issue of privacy is much larger than just the lack of cryptography; the conditions that threaten privacy are structural and economic and not resolved by a *patch* or a new feature.
The latest competitive feature—one might even say, marketing trick—to make concerned users switch from one alternative to another is cryptography, the act of coding messages during communication. This strategy works well because the vast majority of people are not really informed when it comes down to the technicalities of cryptography, so this discourse mostly serves to throw bedazzling sparkles in our eyes. To be sure, cryptography is fundamental for privacy. However, the main privacy threat in the context of using these apps isn't the potential of a government eavesdropping on our communications. The privacy threat is the wholesale and increasing dependence on centralized services which revolve around the surveillance and monetization of user information. In 2016, both WhatsApp and Facebook Messenger enabled end-to-end encryption[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#e2e) to address increasing privacy concerns. Adding *crypto* to a communication app in this case merely obfuscates a concern about the hegemony of these platforms. In essence, the issue of privacy is much larger than just the lack of cryptography; the conditions that threaten privacy are structural and economic and not resolved by a *patch* or a new feature.
This issue is further stressed when looking at the question of metadata, that is to say, data about data, which in the case of communication applications is everything but the communication data itself. When WhatsApp started sharing, among other things, its users' phone numbers with its parent company, Facebook, it went to great lengths to guarantee us that the content of our messages was still perfectly secure, impossible to be read by both WhatsApp and Facebook. The argument stating that "It's only metadata, don't worry" has been however debunked numerous times. Even though these platforms would love us to believe otherwise, metadata is neither a trivial disposable by-product, nor it is anonymous. And assuming that the crypto is sound and that the app running this crypto is not flawed, cross-referencing several databases containing metadata will always produce an array of very personal information, that in itself is much more valuable than encrypted naked selfies. Thus it should be no surprise that former NSA director Michael Hayden infamously said in 2012 "we kill based on metadata"[^8] and later argued in 2015 that metadata should be the main area of focus of surveillance activities, and not the creation of backdoors within crypto, or the banning of the latter[^9].
@ -58,7 +57,7 @@ In short, both Whatsapp and FacebookMessenger can afford to deploy end-to-end en
The Wrong Signal[^10]
===
The end-to-end encryption enabled in WhatsApp and Facebook Messenger has been developed by Open Whisper Systems, a non-profit run by crypto-celebrity Moxie Marlinspike. OWS also developed the algorithm for their own instant messaging application, Signal, and then open-sourced it. Signal itself is now the latest app being promoted as an alternative to WhatsApp and is hailed as the panacea of both security and usability. It even has the backing of members of the dissident elite such as Edward Snowden.
The end-to-end encryption enabled in WhatsApp and Facebook Messenger has been developed by Open Whisper Systems, a non-profit run by crypto-celebrity Moxie Marlinspike. OWS also developed the algorithm for their own instant messaging application, Signal, and then open-sourced it. Signal itself is now the latest app being promoted as an alternative to WhatsApp and is hailed as the panacea of both security and usability. It even has the backing of members of the dissident elite such as Edward Snowden.
While OWS provides thorough expertise in the field of cryptography, Marlinspike is currently advocating centralisation as the only answer towards user-friendly, fast and secure messaging apps. Decentralisation, according to him, has no place in the modern world and apparently hampers innovation. However, some of his arguments have not remained unchallenged. In particular, where Marlinspike accuses federation of stalling evolution[^11], Daniel Gultsch[^12] provides a counter argument by using the Web as an example of successfully federated system[<sup>?</sup>](http://homebrewserver.club/beginners-guide-to-xmpp-speak.html#federated). Furthermore, Gultsch states that the problem is not that federation doesn't adapt, but rather that there are problems with its implementation for a very significant reason: software developers working on federated systems mostly work for free in their spare time or with little means, given the difficulty to monetise a system which design can only succeed if it is open and can be appropriated easily beyond its original scope, and thus making its capitalisation particularly challenging. In that sense, the most interesting aspect of this debate is that while Marlinspike seems to defend his product from a technological perspective, Gultsch's counter argument moves back the discussion to the context of political economy.
@ -86,7 +85,7 @@ The reason is not technical but is linked to the fact that, as discussed earlier
With that said, there are however two essential points that the Conversations case brings up. These points are not always articulated clearly in discussions on federation: scale and trust.
Rather than having to swap one app for the other in an attempt to mitigate a large and confusing privacy problem, the XMPP federation approach allows to collectively tackle the problem based on its various discrete parts. Such an approach, rather than suggesting a singular and proprietary solution, allows for the existence of different free and open source software servers which can be combined with different free and open source software clients. That makes it possible for you and a group of friends to run your own infrastructure, whether on a rented server or on a very small home server.
Rather than having to swap one app for the other in an attempt to mitigate a large and confusing privacy problem, the XMPP federation approach allows to collectively tackle the problem based on its various discrete parts. Such an approach, rather than suggesting a singular and proprietary solution, allows for the existence of different free and open source software servers which can be combined with different free and open source software clients. That makes it possible for you and a group of friends to run your own infrastructure, whether on a rented server or on a very small home server.
The federated nature of the protocol allows you to try, play and experiment with different network infrastructures with different clients. These clients can range from custom XMMP bots to general instant messengers that you would be able recommend your friends and family to replace Whatsapp, without making a fool of yourself. As these open-source technologies continue to evolve you can make incremental changes to your server or switch clients as newer versions arrive.
Description: How to set up a spare olimex board as a networked backup disk
@ -9,7 +8,7 @@ Status:draft
#Introduction
The idea behind this setup is to make a so-called NAS (networked attached storage) which can be used as a remote back-up drive for your data. The setup is really meant as a low power, 'set and forget' solution. It connects to a public server via a VPN so it isn't publically accessible and doesn't need any open ports in a home router.
The idea behind this setup is to make a so-called NAS (networked attached storage) which can be used as a remote back-up drive for your data. The setup is really meant as a low power, 'set and forget' solution. It connects to a public server via a VPN so it isn't publically accessible and doesn't need any open ports in a home router.
This particular set up will be connected via the homerouter of the author's parents.
@ -34,14 +33,14 @@ The distro used is [Armbian](https://www.armbian.com/olimex-lime-a10/), unfortun
*In case you run into trouble during this part of the install, make sure you have read [Armbian's Troubleshooting](https://docs.armbian.com/User-Guide_Basic-Troubleshooting/)*
Grab the ['Armbian Jessie'](https://dl.armbian.com/lime-a10/Debian_jessie_next.7z) image from Armbian. It is the image described as suitable for servers.
Grab the ['Armbian Jessie'](https://dl.armbian.com/lime-a10/Debian_jessie_next.7z) image from Armbian. It is the image described as suitable for servers.
Once you've downloaded and unpacked the `.7z` insert your SD card into your computer and proceed to write the image to the SD card:
After having copied the image to the SD card insert it in the board and connect it via the ethernet cable to the router and then connect the power supply, in that order.
After about a minute your board should have booted up. Now the trick is to find it on the network.
After about a minute your board should have booted up. Now the trick is to find it on the network.
In case you have access to the router's admin panel you should be able to find it quickly there.
@ -86,7 +85,7 @@ To set up the virtual private network we'll use a very light and easy to configu
First make sure you install it `sudo apt update && sudo apt install tinc`.
We will be making a network consisting of *homeserver* and *nas*, wherby server as a publically reachable IP address.
We will be making a network consisting of *homeserver* and *nas*, wherby server as a publically reachable IP address.
## Configure for *homeserver*
First start out on *homeserver* and make the directory for the vpn called `backupnet`
@ -99,7 +98,7 @@ Name = homeserver
AdressFamily = ipv4
Interface = tun0
Port = 655
```
```
Then create a host config file for *homeserver* with `sudo vim /etc/tinc/backupnet/hosts/homeserver`. Edit it so it looks like this:
@ -142,7 +141,7 @@ Name = nas
AdressFamily = ipv4
Interface = tun0
Port = 655
```
```
We also create a configuration file `sudo vim /etc/tinc/backupnet/hosts/nas` and edit so it looks like this:
```
@ -178,7 +177,7 @@ Make you copy `homeserver` to `/etc/tinc/backupnet/hosts/` in *nas* and `nas` to
After you've done that you should be able to test the network by running `sudo tincd -n backupnet -D -d3`**first** on *homeserver* and then on *nas*.
If all is well the terminal output should indicate that both nodes see each other.
If all is well the terminal output should indicate that both nodes see each other.
You should also be able to run `ping 10.0.0.1` on *nas* and get confirmation.
@ -227,4 +226,4 @@ Where UUID reflects what you got from `blkid`
To test whether it works you should be able to run `mount /media/depot/` without sudo and it should mount. Confirm with `df -h`
Description: Trying to make sense of all those XMPP clients around? A guide helping you to choose between various modern XMPP clients. Which are the necessary features and how do I get this software running?
@ -34,7 +33,7 @@ Considering XMPP clients
Then you need to pick and install a client (also known as an app or a software package). There are many clients avaible that support XMPP chats, both for mobile, desktop and web-based environments. The nice thing about using XMPP is that your account and your client are not intertwined, as is the case with Whatsapp, Telegram, Signal and the others. These applications offer a full chat service, which includes the facilitation and hosting of your messages over the network, and the interface options of your client. By separating the two, you have the option to choose. To pick from all the available clients we made a list of criteria of what we considered essential requirements and started crossing off all those applications that didn't meet them:
- free & open source software — the technology is open, and therefore it's possible to install use the software on your own terms.
- free & open source software — the technology is open, and therefore it's possible to install use the software on your own terms.
- works with federated servers — servers are not all controlled by a single company or organization, but can also be run by volunteers, organizations, companies, you and me.
@ -65,7 +64,7 @@ This (apparently) rather rigorous list of requirements left us with three applic
Conversations is available via Google Play for €2,39. The sale of the app goes towards the ongoing development of te software.
In case you don't use Google apps or want it for free, you need to install the alternative 'app store' [f-droid](https://f-droid.org/) before. F-droid works like the app store Google Play, except that it isn't a store and only offers apps that are free and open source software. See instructions in the next paragraph how to install f-droid.
In case you don't use Google apps or want it for free, you need to install the alternative 'app store' [f-droid](https://f-droid.org/) before. F-droid works like the app store Google Play, except that it isn't a store and only offers apps that are free and open source software. See instructions in the next paragraph how to install f-droid.
If you decided for f-droid, open the website ([https://f-droid.org/](https://f-droid.org/)) with your phone's browser. Press the big download button on the website, which will download f-droid’s installer. After download, press the downloaded file and the installer should start. Next, start f-droid, update the repositories and search for the app Conversations.
@ -73,11 +72,11 @@ If you decided for f-droid, open the website ([https://f-droid.org/](https://f-d
Now, start Conversations. If you already have an XMPP account, you can log in with your so-called JID (jabber id, username@server.com) and password. Otherwise, if your server of choice has the option for application-based registration enabled, it is also possible to register a new account in this menu, by selecting the "register new account on server" option.
After you clicked Next, the registration process might take up to 20 seconds.
After you clicked Next, the registration process might take up to 20 seconds.
**Start chatting.**
To start a chat you need to add another Jabber friend under the '+' in the menu and insert your friend’s Jabber ID, e.g. your-friend@a-jabber-server.com. That’s it. You can now chat with your friend. However, this will be unencrypted!
To start a chat you need to add another Jabber friend under the '+' in the menu and insert your friend’s Jabber ID, e.g. your-friend@a-jabber-server.com. That’s it. You can now chat with your friend. However, this will be unencrypted!
**Encryption**
@ -85,7 +84,7 @@ So let’s activate OMEMO encryption by pressing the padlock in the top menu bar
OMEMO is an extension to XMPP for multi-client end-to-end encryption. OMEMO only works if the fingerprint of your and your friend’s device match. To compare them, open one of your conversations and click on your profile picture next to one of your messages. At the same time, your friend clicks on your icon on his phone.
OMEMO is an extension to XMPP for multi-client end-to-end encryption. OMEMO only works if the fingerprint of your and your friend’s device match. To compare them, open one of your conversations and click on your profile picture next to one of your messages. At the same time, your friend clicks on your icon on his phone.
If you already have an XMPP account, you can log in with your username@hostname and password. After you selected "Add Existing Account" you have the option to connect with "XMPP" or with "Google Talk". Select "XMPP" and fill in your Nickname, Username (username@server.net) and password. Optionally fill in the Hostname of your XMPP server and select if you want to use Tor or not. If you're doubting about the port, 5222 is the default XMPP port and would likely be on your server as well.
If you already have an XMPP account, you can log in with your username@hostname and password. After you selected "Add Existing Account" you have the option to connect with "XMPP" or with "Google Talk". Select "XMPP" and fill in your Nickname, Username (username@server.net) and password. Optionally fill in the Hostname of your XMPP server and select if you want to use Tor or not. If you're doubting about the port, 5222 is the default XMPP port and would likely be on your server as well.
**Enabling Push**
@ -140,7 +139,7 @@ In the next screen you can "Share invite" (let people on social media know about
 >  > 
If you are successfully connected, the word "Connected" appears right under your username. Before you can edit your account settings, you need to log out. To do this, click your account/nickname in the settings menu and select "Log Out".
If you are successfully connected, the word "Connected" appears right under your username. Before you can edit your account settings, you need to log out. To do this, click your account/nickname in the settings menu and select "Log Out".
**Create New Account**
@ -152,7 +151,7 @@ Choose "Create New Account" and give your preferred nickname. Under "show advanc
From the settings menu, tap 'Chats' (top left) to start chatting and adding friends. To add friends tap the 'Compose' icon, top left corner. Then tap "Add Buddy" and fill in your friends username and hostname (username@hostname) or scan their QR code.
From the settings menu, tap 'Chats' (top left) to start chatting and adding friends. To add friends tap the 'Compose' icon, top left corner. Then tap "Add Buddy" and fill in your friends username and hostname (username@hostname) or scan their QR code.
Click the "+" icon when you are ready. Your friend will now appear in the "Chats" list and will be available for conversation after being approved by the other side ("pending approval"). After this, tap your friends name to start chatting
@ -169,7 +168,7 @@ At the time of writing OMEMO works well with other OMEMO clients, images shared
ChatSecure implements OMEMO and OTR on a TOFU or “trust on first use" basis. New "buddies" are automatically trusted.
You can also untrust your friends devices/fingerprints by sliding the green "Verified" button and share fingerprints by tapping them and selecting a medium to share your fingerprint over.
@ -183,7 +182,7 @@ These instructions are for Debian / Linux. For windows it is possible to downloa
**Getting the latest version of Gajim**
The version that is packaged in the repositories of Debian does not support OMEMO unfortunately. As a way around, you can download and install the latest version of Gajim from the Debian backports repositories.
The version that is packaged in the repositories of Debian does not support OMEMO unfortunately. As a way around, you can download and install the latest version of Gajim from the Debian backports repositories.
In case you don't have backports on your sources.list, follow these instructions before you start:
@ -207,13 +206,13 @@ Now we are ready to go!
**Installing Gajim & other dependencies from backports**
To install gajim:
:::console
apt-get -t jessie-backports install gajim
Now you'll also need to install Python-axolotl, which will allow you to setup a security layer on top of XMPP. Run:
:::console
apt-get install python-axolotl
@ -255,7 +254,7 @@ Then, you should see a wizard to setup your XMPP account. Select the option that
After you finished the wizard successfully, Gajim will show your status as **Available**. Congratulations!
After you finished the wizard successfully, Gajim will show your status as **Available**. Congratulations!
Now, let’s send messages to your friends.
To do so, click on the Gajim window and move your mouse to the top of the screen. There, a menu should appear. Go to Actions -> Start chat… . In the new window, add the XMPP ID of your friend and click ok.
@ -284,7 +283,7 @@ You might at some point be confronted with a window about trusting fingerprints.
Simply put, a fingerprint is an ID of a device someone uses for the messaging. In order to make sure that you communicate with exact the devices, which your friend uses, you need to see if the fingerprints listed in this window match with the ones your friend really has.
So, ask your friend to list her fingerprints on her desktop. On her computer, in the chat window with you, she should click on the setting symbol below the text input field (grey, with wheels). From there to **OMEMO encryption
So, ask your friend to list her fingerprints on her desktop. On her computer, in the chat window with you, she should click on the setting symbol below the text input field (grey, with wheels). From there to **OMEMO encryption
-> Fingerprints**. She should now see the same window as you.
She should chose the tab Own devices, while you chose the tab Contact. Now, select a fingerprint that matches with the one of your friend and press the button Trust/Revoke Fingerprint. Also press yes in the window that appears.
@ -300,4 +299,3 @@ Sometimes, a restart of Gajim just helps :)
If OMEMO encryption or the fingerprint option is grey and cannot be activated, just send a message in the chat window. This sometimes helps.
If you wish to know more about Gajim check out the [documentation](https://dev.gajim.org/gajim/gajim/wikis/help/home). For more advanced issues check out [Gajim's XMPP chatroom](xmpp://gajim@conference.gajim.org/?join)
Title: How to build a Low-Tech website: Software & Hardware
Date: 2018-9-08
Category: solar server
Tags: solar power, static sites, energy optimization, web design
Slug: low-tech-website-howto
Summary: How to build a low tech website by optimizing web design, server settings and hardware.
Author: Roel Roscam Abbing
Author: Roel Roscam Abbing
Status: published
[TOC]
Earlier this year we've been asked to help redesign the website of [lowtechmagazine.com](http://lowtechmagazine.com). The primary goal of the redesign was to radically reduce the energy use associated with accesing their web content. At the same time it is an attempt to find out what a low-tech website could be.
In general the idea behind lowtechmagazine.com is to understand technologies and techniques of the past and combine them with the knowledge of today. Not in order to be able to 'do more with the same', but rather 'to do the same with less'.
In general the idea behind lowtechmagazine.com is to understand technologies and techniques of the past and combine them with the knowledge of today. Not in order to be able to 'do more with the same', but rather 'to do the same with less'.
In this particular case it means that all the optimizations and increases in efficiency do not go towards making a website which is faster at delivering even more megabytes. Rather it is a website which uses all the advances in technological efficiency, combined with specific hardware and software choices, to radically and drastically cut resource usage. At the same time for us a sustainable web site means ensuring support for older hardware, slower networks and improving the portability and archivability of the blog's content.
This meant making a website and server which could be hosted from the off-grid solar system used in the lowtechmagazine.com's home-office in Barcelona.
This meant making a website and server which could be hosted from the off-grid solar system used in the lowtechmagazine.com's home-office in Barcelona.
The article ['How To Build A Low-Tech Website?'](https://solar.lowtechmagazine.com/2018/09/how-to-build-a-lowtech-website/) gives more insights into the motivations on making a self-hosted solar-powered server, while this companion article on will give in-depth technical information.
The article ['How To Build A Low-Tech Website?'](https://solar.lowtechmagazine.com/2018/09/how-to-build-a-lowtech-website/) gives more insights into the motivations on making a self-hosted solar-powered server, while this companion article on will give in-depth technical information.
Both the articles and the readesign should be read as a proposition how things could be done, but also as a question on [what could be improved](#room-for-improvements). So we really appreciate additional insights and feedback.
@ -37,7 +36,7 @@ You can find the source code for 'solar', the Pelican theme we developed [here](
### Image compression
One of the main challenges was to reduce the overall size of the website. Particularly to try and reduce the size of each page to something less than 1MB . Since a large part of both the appeal and the weight of the magazine comes from the fact it is richly illustrated, this presented us with a particular challenge.
One of the main challenges was to reduce the overall size of the website. Particularly to try and reduce the size of each page to something less than 1MB . Since a large part of both the appeal and the weight of the magazine comes from the fact it is richly illustrated, this presented us with a particular challenge.
Image from the blog showing 20th century telephone switchboard operators([original source](https://commons.wikimedia.org/wiki/File:Bell_System_switchboard.jpg)), 159.5KB
@ -45,19 +44,19 @@ In order to reduce the size of the images, without diminishing their role in the
The same image but dithered with a 3 color palette, 36.5KB
This is a technique 'to create the illusion of "color depth" in images with a limited color palette'[^illusion]. It based on the print reproduction technique called [halftoning](https://en.wikipedia.org/wiki/Halftone). Dithering, or digital half-toning[^digitalhalftone], was widely used in video games and pixel art at a time when a limited amount of video memory constrained the available colors. In essence dithering relies on optical illusions to simulate more colors. These optical illusions are broken however by the distinct and visible patterns that the dithering algorithms generate.
This is a technique 'to create the illusion of "color depth" in images with a limited color palette'[^illusion]. It based on the print reproduction technique called [halftoning](https://en.wikipedia.org/wiki/Halftone). Dithering, or digital half-toning[^digitalhalftone], was widely used in video games and pixel art at a time when a limited amount of video memory constrained the available colors. In essence dithering relies on optical illusions to simulate more colors. These optical illusions are broken however by the distinct and visible patterns that the dithering algorithms generate.
Dithered with a six tone palette, 76KB
As a consequence most of the effort and literature on dithering is around limiting the 'banding' or visual artifacts by employing increasingly complex dithering algorithms[^dithering].
As a consequence most of the effort and literature on dithering is around limiting the 'banding' or visual artifacts by employing increasingly complex dithering algorithms[^dithering].
Our design instead celebrates the visible patterns introduced by the technique, this to stress the fact that it is a 'different' website. Coincidentally, the 'Bayesian Ordered Dithering' algorithm that we use not only introduces these distinct visible patterns, but it is also quite a simple and fast algorithm.
Dithered with an eleven tone palette, 110KB
We chose dithering not only for the compression but also for the aesthetic and reading experience. Converting the images to grayscale and then dithering them allows us to scale them in a visually attractive way to 100% of the view port, despite their small sizes. This gives each article a visual consistency and provides the reader with pauses in the long articles.
We chose dithering not only for the compression but also for the aesthetic and reading experience. Converting the images to grayscale and then dithering them allows us to scale them in a visually attractive way to 100% of the view port, despite their small sizes. This gives each article a visual consistency and provides the reader with pauses in the long articles.
To automatically dither the images on the blog we wrote [a plugin for pelican](https://github.com/lowtechmag/solar-plugins) that converts all source images of the blog. The plugin is based on the [Python Pillow](https://pillow.readthedocs.io/en/5.2.x/#) imaging library and [hitherdither](https://github.com/hbldh/hitherdither), a dithering palette library by [Henrik Blidh](https://blog.hbldh.se/).
To automatically dither the images on the blog we wrote [a plugin for pelican](https://github.com/lowtechmag/solar-plugins) that converts all source images of the blog. The plugin is based on the [Python Pillow](https://pillow.readthedocs.io/en/5.2.x/#) imaging library and [hitherdither](https://github.com/hbldh/hitherdither), a dithering palette library by [Henrik Blidh](https://blog.hbldh.se/).
Using this custom plug-in we reduced the total weight of the 623 images that are on the blog so far by 89%. From 194.2MB to a mere 21.3MB.
@ -69,13 +68,13 @@ While this is quite a bit of work to do with an archive that spans 10 years of w
### Off-line archive
Because we designed the system to have an uptime of only 90% it is expected to go off-line 35 days a year.
Because we designed the system to have an uptime of only 90% it is expected to go off-line 35 days a year.
Increasing the uptime of the server to 99% on solar energy means increasing the website's ecological footprint by adding more and more tech in the form of extra solar panels, massively increased battery capacity or extra servers in different geographic locations.
Increasing the uptime of the server to 99% on solar energy means increasing the website's ecological footprint by adding more and more tech in the form of extra solar panels, massively increased battery capacity or extra servers in different geographic locations.
Rather than that we opted for a low-tech approach that accepts being off-line during longer stretches of cloudy weather. However, we wanted to provide the reader with off-line reading options. Our primary method of doing so currently is by providing an [RSS feed containing all the articles and images on the site](https://solar.lowtechmagazine.com/feeds/all.rss.xml). In the future we will explore other means of providing off-line reading of the magazine.
 Most browsers preview only the article titles and summaries of the RSS feed. In fact the feed contains the full articles. Once you add the feed to your favorite reader, it will download the full articles that you can read at any given time.
 Most browsers preview only the article titles and summaries of the RSS feed. In fact the feed contains the full articles. Once you add the feed to your favorite reader, it will download the full articles that you can read at any given time.
## Material Server
@ -97,7 +96,7 @@ To activate this feature there is a `cron` entry that runs the script every minu
## Configuring the webserver
As a webserver we use [NGINX](https://www.nginx.com/) to serve our static files. However we made a few non-standard choices to further reduce the energy consumption and page loading times on (recurrent) visits.
As a webserver we use [NGINX](https://www.nginx.com/) to serve our static files. However we made a few non-standard choices to further reduce the energy consumption and page loading times on (recurrent) visits.
To test some of the assumed optimizations we've done some measurements using a few different articles. We've used the following pages:
@ -154,7 +153,7 @@ The common practice is to cache everything except the HTML, so that when the use
Concretely this had the following effects:
The first time a page is loaded (FL) it around one second to fully load the page. The second time, however, the file is loaded from the cache and the load time reduced by 40% on average. Since load time are based on the time it takes to load resources over the network and the time it takes for the browser to render all the styling, caching can really decrease load times.
The first time a page is loaded (FL) it around one second to fully load the page. The second time, however, the file is loaded from the cache and the load time reduced by 40% on average. Since load time are based on the time it takes to load resources over the network and the time it takes for the browser to render all the styling, caching can really decrease load times.
@ -175,9 +174,9 @@ In terms of data transferred the change is even more radical, essentially meanin
In case you want to force the browser to load cached resources over the network again, do a 'hard refresh' by pressing `ctrl+r`
### HTTP2, a more efficient hyper text transfer protocol.
### HTTP2, a more efficient hyper text transfer protocol.
Another optimization is the use of [HTTP2](https://http2.github.io/) over HTTP/1.1. This is a relatively recent protocol that increases the transport speed of the data. This increase is the result of HTTP2 compressing the packet data headers and multiplexing multiple requests into a single TCP connection. In other words, it produces less overhead data and needs to opens less connections between the server and the browser.
Another optimization is the use of [HTTP2](https://http2.github.io/) over HTTP/1.1. This is a relatively recent protocol that increases the transport speed of the data. This increase is the result of HTTP2 compressing the packet data headers and multiplexing multiple requests into a single TCP connection. In other words, it produces less overhead data and needs to opens less connections between the server and the browser.
The effect of this is most notable when the browser needs to do a lot of different requests, since these can all be fit into a single connection. In our case that specifically means that articles with more images will load slightly faster over HTTP2 than over HTTP/1.1.
@ -210,7 +209,7 @@ For this reason we redirect all our traffic to HTTPS via the following server di
server {
listen 80;
server_name solar.lowtechmagazine.com;
location / {
return 301 https://$server_name$request_uri;
}
@ -239,7 +238,7 @@ We tell the visitors browser to always use HTTPS, in order to reduce the amount
We enable OCSP stapling which is quick way in which browsers can check whether the certificate is still active without incurring more round trips to the Certificate Issuer. Most tutorials recommend setting Google's `8.8.8.8` and `8.8.4.4` DNS servers but we don't want to use those. Instead we chose some servers provided through <https://www.opennic.org> that are close to our location:
@ -252,7 +251,7 @@ We enable OCSP stapling which is quick way in which browsers can check whether t
resolver_timeout 5s;
Last but not least, we set change the size of the SSL buffer to increase to so-called 'Time To First Byte'[^TTFB] which shortens the amount of time between passing between a click and elements changing on the screen:
:::console
# Lower the buffer size to increase TTFB
ssl_buffer_size 4k;
@ -292,7 +291,7 @@ Then the only thing you need to do in your NGINX config is to specify where your
The server itself is an [Olimex Olinuxino A20 Lime 2](https://www.olimex.com/Products/OLinuXino/A20/A20-OLinuXino-LIME2/) single board computer.
We chose it because of the quality of the (open source) hardware[^manual], the low power consumption and useful extra components such as the charging circuit based on the [AXP209 power managment chip](http://dl.linux-sunxi.org/AXP/AXP209_Datasheet_v1.0en.pdf).
We chose it because of the quality of the (open source) hardware[^manual], the low power consumption and useful extra components such as the charging circuit based on the [AXP209 power managment chip](http://dl.linux-sunxi.org/AXP/AXP209_Datasheet_v1.0en.pdf).
This chip makes it possible to query power statistics such as current voltage and amperage both from the DC-barrel jack connection and the battery. The maintainers of [Armbian](https://www.armbian.com/olimex-lime-2/) exposed these statistics via `sysfs` bindings in their OS.
In addition to the power statistics the power chip can charge and discharge a Lithium Polimer battery and automatically switch between the battery and DC-barrel connector. This means the battery can then act as an uninterruptible power supply, which helps prevent sudden shutdowns. The LiPo battery used has a capacity of 6600mAh which is about 24 Watt hour.
The server operating system all runs on an SD-card. Not only are these low-powered but also much faster than hard drives. We use high speed Class 10 16GB mirco-sd card. A 16GB card is actually a bit of an overkill considering the operating system is around 1GB and the website a mere 30MB, but considering the price it doesn't make sense to buy any smaller high-performance cards.
The server operating system all runs on an SD-card. Not only are these low-powered but also much faster than hard drives. We use high speed Class 10 16GB mirco-sd card. A 16GB card is actually a bit of an overkill considering the operating system is around 1GB and the website a mere 30MB, but considering the price it doesn't make sense to buy any smaller high-performance cards.
### Network
The server gets it's internet access through the existing connection of the home office in Barcelona. This connection is a 100mbit consumer fiber connection with a static IP-adress.
The server gets it's internet access through the existing connection of the home office in Barcelona. This connection is a 100mbit consumer fiber connection with a static IP-adress.
The fiber connection itself is not necessary, especially if you keep your data footprint small, but a fixed IP adress is very handy.
The router is a standard consumer router that came with the internet contract. To make the website available, some settings in the router's firewall had to be changed.
The router is a standard consumer router that came with the internet contract. To make the website available, some settings in the router's firewall had to be changed.
Using a process called 'port forwarding', the following ports had to be forwarded between the external network and the server's local IP address:
@ -431,32 +430,32 @@ Using a process called 'port forwarding', the following ports had to be forwarde
# Room for improvements?
### OS Optimization
While the Armbian operating system has all kinds of optimizations for running on a SoC, there probably are still many tweaks that can be made to lower the energy usage.
While the Armbian operating system has all kinds of optimizations for running on a SoC, there probably are still many tweaks that can be made to lower the energy usage.
For example energy savings from disabling some of the hardware such as the the USB-hub? Some tips or insights into this are greatly appreciated!
### Image dithering
We're looking for suggestions how to further compress the images while maintaining this visual quality. We know PNGs are in theory not optimal for representing images on the web, even though they let us limit the color palette to save bandwidth and produce very crisp dithered images.
We're looking for suggestions how to further compress the images while maintaining this visual quality. We know PNGs are in theory not optimal for representing images on the web, even though they let us limit the color palette to save bandwidth and produce very crisp dithered images.
We've found that saving them as JPEG after dithering in fact increases the file size but perhaps other file formats exist that give is similar quality but have a lighter footprint.
### Sensible comments on static sites
Dynamic content such as comments are in theory incompatible with a static site.
Dynamic content such as comments are in theory incompatible with a static site.
At the same time they are a big part of the community of knowledge around lowtechmagazine.com.
At the same time they are a big part of the community of knowledge around lowtechmagazine.com.
The comment box under each article on that site is widely used, but e-mail is equally used (often the comments are then added to the article by the author after moderating).
There are some plugins that might address this such as Bernhard Scheirle's ['Pelican Comment System'](https://github.com/getpelican/pelican-plugins/tree/master/pelican_comment_system) but these we haven't tested.
There are some plugins that might address this such as Bernhard Scheirle's ['Pelican Comment System'](https://github.com/getpelican/pelican-plugins/tree/master/pelican_comment_system) but these we haven't tested.
### SSL & Legacy browsers
An open question remains: In what a way would it be possible to further extend the support for older machines and browsers without comprimising on security by using deprecated ciphers? Should we maintain both HTTP and HTTPS versions of the site?
An open question remains: In what a way would it be possible to further extend the support for older machines and browsers without comprimising on security by using deprecated ciphers? Should we maintain both HTTP and HTTPS versions of the site?
# Donations
As is mentioned on the ['donate'](https://solar.lowtechmagazine.com/donate/) page of the site, advertising trackers are incompatible with the new web site design and we really want to keep Low-Tech Magazine tracker free and sustainable so if you enjoy our work or find our public research useful please consider donating.
As is mentioned on the ['donate'](https://solar.lowtechmagazine.com/donate/) page of the site, advertising trackers are incompatible with the new web site design and we really want to keep Low-Tech Magazine tracker free and sustainable so if you enjoy our work or find our public research useful please consider donating.
