summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGab <24553253+gabrix73@users.noreply.github.com>2025-10-14 19:55:21 +0200
committerGitHub <noreply@github.com>2025-10-14 19:55:21 +0200
commit2b6544e9a12bbe171f6653c06cd86d84cb81bb63 (patch)
treeee7936cbe751864295df0b07464f3c78b8afff4f
parentd6796a43bc3803e3c018155f207ca7b2e2890c51 (diff)
downloadnofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.tar.gz
nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.tar.xz
nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.zip
Update and rename USAGE.md to DEPLOYMENT.md
-rw-r--r--DEPLOYMENT.md360
-rw-r--r--USAGE.md97
2 files changed, 360 insertions, 97 deletions
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
new file mode 100644
index 0000000..7730e40
--- /dev/null
+++ b/DEPLOYMENT.md
@@ -0,0 +1,360 @@
+# πŸš€ NoFuture-Memguard-PQ - Production Deployment Guide
+
+This guide shows how to deploy NoFuture-Memguard-PQ securely in production.
+
+## ⚠️ Critical Security Requirements
+
+**NEVER expose the Go server directly to the internet without HTTPS.**
+
+- βœ… Use nginx/Caddy reverse proxy with TLS
+- βœ… Configure strict CORS policies
+- βœ… Enable rate limiting at proxy level
+- βœ… Run server as non-root user
+- βœ… Use systemd for process management
+- βœ… Monitor logs for attacks
+
+## πŸ“‹ Prerequisites
+
+- Linux server (Ubuntu 22.04, Debian 12, or similar)
+- Domain name pointing to your server
+- Go 1.21+ installed
+- Nginx or Caddy installed
+- Let's Encrypt for SSL certificates
+
+## πŸ”§ Step-by-Step Deployment
+
+### 1. Create Dedicated User
+
+```bash
+sudo useradd -r -s /bin/false nofuture
+sudo mkdir -p /opt/nofuture
+sudo chown nofuture:nofuture /opt/nofuture
+```
+
+### 2. Build the Application
+
+```bash
+cd /opt/nofuture
+git clone <your-repo-url> .
+go mod download
+go build -o nofuture main.go
+sudo chown nofuture:nofuture nofuture
+sudo chmod 755 nofuture
+```
+
+### 3. Install Systemd Service
+
+```bash
+sudo cp nofuture.service /etc/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl enable nofuture
+sudo systemctl start nofuture
+```
+
+Check status:
+```bash
+sudo systemctl status nofuture
+sudo journalctl -u nofuture -f
+```
+
+### 4. Configure Nginx Reverse Proxy
+
+#### Install Certbot (Let's Encrypt)
+
+```bash
+sudo apt update
+sudo apt install nginx certbot python3-certbot-nginx -y
+```
+
+#### Get SSL Certificate
+
+```bash
+sudo certbot --nginx -d safecomms.yourdomain.com
+```
+
+#### Configure Nginx
+
+```bash
+sudo cp nginx.conf.example /etc/nginx/sites-available/nofuture
+# Edit the file and replace 'yourdomain.com' with your actual domain
+sudo ln -s /etc/nginx/sites-available/nofuture /etc/nginx/sites-enabled/
+sudo nginx -t
+sudo systemctl restart nginx
+```
+
+### 5. Configure Firewall
+
+```bash
+sudo ufw allow 22/tcp # SSH
+sudo ufw allow 80/tcp # HTTP (redirect to HTTPS)
+sudo ufw allow 443/tcp # HTTPS
+sudo ufw enable
+```
+
+**Do NOT expose port 8080** - it should only be accessible via localhost.
+
+### 6. Update CORS in main.go
+
+Edit `main.go` and update the CORS middleware:
+
+```go
+func corsMiddleware(next http.HandlerFunc) http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ origin := r.Header.Get("Origin")
+
+ // IMPORTANT: Replace with your actual domain
+ allowedOrigins := []string{
+ "https://safecomms.yourdomain.com",
+ }
+
+ for _, allowed := range allowedOrigins {
+ if origin == allowed {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ break
+ }
+ }
+
+ // ... rest of middleware
+ }
+}
+```
+
+Rebuild and restart:
+```bash
+go build -o nofuture main.go
+sudo systemctl restart nofuture
+```
+
+## πŸ” Monitoring & Maintenance
+
+### Check Server Status
+
+```bash
+sudo systemctl status nofuture
+```
+
+### View Logs
+
+```bash
+# Real-time logs
+sudo journalctl -u nofuture -f
+
+# Last 100 lines
+sudo journalctl -u nofuture -n 100
+
+# Nginx access logs
+sudo tail -f /var/log/nginx/nofuture-access.log
+
+# Nginx error logs
+sudo tail -f /var/log/nginx/nofuture-error.log
+```
+
+### Monitor Resource Usage
+
+```bash
+# Memory usage
+ps aux | grep nofuture
+
+# Active connections
+netstat -an | grep :8080
+```
+
+### Rotate Logs
+
+Create `/etc/logrotate.d/nofuture`:
+
+```
+/var/log/nginx/nofuture-*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 0640 www-data adm
+ sharedscripts
+ postrotate
+ [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
+ endscript
+}
+```
+
+## πŸ” Security Hardening
+
+### 1. Enable Fail2Ban
+
+```bash
+sudo apt install fail2ban -y
+```
+
+Create `/etc/fail2ban/filter.d/nofuture.conf`:
+
+```
+[Definition]
+failregex = ^<HOST> .* "POST /api/.* HTTP/.*" 429
+ ^<HOST> .* "POST /api/.* HTTP/.*" 400
+ignoreregex =
+```
+
+Create `/etc/fail2ban/jail.d/nofuture.conf`:
+
+```
+[nofuture]
+enabled = true
+port = http,https
+filter = nofuture
+logpath = /var/log/nginx/nofuture-access.log
+maxretry = 10
+bantime = 3600
+findtime = 600
+```
+
+Restart Fail2Ban:
+```bash
+sudo systemctl restart fail2ban
+```
+
+### 2. Automatic Security Updates
+
+```bash
+sudo apt install unattended-upgrades -y
+sudo dpkg-reconfigure -plow unattended-upgrades
+```
+
+### 3. Harden SSH
+
+Edit `/etc/ssh/sshd_config`:
+
+```
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+```
+
+Restart SSH:
+```bash
+sudo systemctl restart sshd
+```
+
+## πŸ”„ Updates & Maintenance
+
+### Update the Application
+
+```bash
+cd /opt/nofuture
+git pull
+go build -o nofuture main.go
+sudo systemctl restart nofuture
+```
+
+### Renew SSL Certificates
+
+Certbot auto-renews. Test renewal:
+
+```bash
+sudo certbot renew --dry-run
+```
+
+## 🚨 Troubleshooting
+
+### Server won't start
+
+```bash
+# Check logs
+sudo journalctl -u nofuture -n 50
+
+# Check if port 8080 is already in use
+sudo netstat -tulpn | grep 8080
+
+# Check permissions
+ls -la /opt/nofuture
+```
+
+### Cannot access via HTTPS
+
+```bash
+# Check nginx status
+sudo systemctl status nginx
+
+# Test nginx configuration
+sudo nginx -t
+
+# Check SSL certificate
+sudo certbot certificates
+
+# Check firewall
+sudo ufw status
+```
+
+### High memory usage
+
+```bash
+# Check active sessions
+curl http://localhost:8080/api/sessions | jq
+
+# Restart service
+sudo systemctl restart nofuture
+```
+
+## πŸ“Š Performance Tuning
+
+### Increase File Descriptor Limits
+
+Edit `/etc/security/limits.conf`:
+
+```
+nofuture soft nofile 4096
+nofuture hard nofile 8192
+```
+
+### Optimize Nginx
+
+Add to nginx.conf:
+
+```nginx
+worker_processes auto;
+worker_connections 2048;
+keepalive_timeout 30;
+client_body_timeout 12;
+client_header_timeout 12;
+send_timeout 10;
+```
+
+## πŸ§ͺ Testing
+
+### Test from localhost
+
+```bash
+curl http://localhost:8080
+```
+
+### Test via HTTPS
+
+```bash
+curl https://safecomms.yourdomain.com
+```
+
+### Load testing
+
+```bash
+# Install ab (Apache Bench)
+sudo apt install apache2-utils -y
+
+# Test rate limiting (should see 429 errors after 60 requests)
+ab -n 100 -c 10 https://safecomms.yourdomain.com/api/start_session
+```
+
+## πŸ“ž Support
+
+If you encounter issues:
+
+1. Check logs first: `sudo journalctl -u nofuture -n 100`
+2. Verify nginx config: `sudo nginx -t`
+3. Test SSL: `openssl s_client -connect yourdomain.com:443`
+4. Check firewall: `sudo ufw status verbose`
+
+For security issues, report privately.
+
+---
+
+**Remember: Privacy is a human right, not a feature.**
diff --git a/USAGE.md b/USAGE.md
deleted file mode 100644
index a0bf70c..0000000
--- a/USAGE.md
+++ /dev/null
@@ -1,97 +0,0 @@
-# πŸš€ How to Use nofuture.go
-
-This guide explains how to use `nofuture.go` in practice with a mainstream chat application.
-
----
-
-## βš™οΈ Requirements
-
-- Modern browser (Chrome, Firefox, Brave, etc.)
-- JavaScript enabled
-- Optional: virtual keyboard enabled for secure passphrase input
-
----
-
-## πŸ§ͺ Step-by-step Example
-
-### 1. Open `nofuture.go` in one browser tab
-
-> Visit: `https://safecomms.virebent.art`
-
-You will see the interface for starting a new secure session.
-
----
-
-### 2. Open your chat app in another tab
-
-Use any web-based messaging platform:
-- Signal Web
-- Telegram Web
-- WhatsApp Web
-- Email client (optional)
-
----
-
-### 3. Generate a Session ID
-
-In `nofuture.go`, click **"Generate Session ID"**.
-This creates a **post-quantum key pair**, generates a random nonce, and bundles them into your personal **Session ID**.
-
-You can think of your `Session ID` like a **temporary public key**: it tells the other party how to encrypt messages for you.
-
----
-
-### 4. Share Your Session ID
-
-Copy your Session ID and paste it into your chat app.
-Send it to your conversation partner. They will import it into their own instance of `nofuture.go`.
-
-> βœ… Session IDs contain **no sensitive private key data** β€” they are safe to transmit over standard channels.
-
----
-
-### 5. Synchronize Sessions
-
-This is the **core step**:
-When the other user imports your Session ID, their instance uses it to derive a **shared secret** and bind their session to yours.
-
-πŸ”„ Once both users are synchronized:
-- Messages can be encrypted asymmetrically using XChaCha and the shared key
-- The session is protected against MITM (with optional signature validation)
-- The encrypted messages are now meaningful only to those inside the session
-
-> Without synchronization, decryption will fail.
-> With it, communication is seamless, secure, and ephemeral.
-
----
-
-### 6. Start exchanging encrypted messages
-
-- You write your message in `nofuture.go`
-- It’s encrypted and output as ciphertext
-- You copy that into your chat app
-- Your contact copies the ciphertext back into their `nofuture.go`, which decrypts it
-
----
-
-### 7. End Session when done
-
-Once the conversation is finished:
-
-- Click β€œEnd Session”
-- All keys are destroyed securely in memory
-- Even if the ciphertext remains in the chat, it can never be decrypted again
-
-> πŸ’£ Your private key is never written to disk and is irreversibly destroyed.
-
----
-
-## 🧼 Security Notes
-
-- Session data is stored only in encrypted memory
-- `memguard` prevents access even from root processes or dump tools
-- Virtual keyboard bypasses system-level keyloggers
-
----
-
-Enjoy your ephemeral, post-quantum privacy ✊