diff options
| author | Gab <24553253+gabrix73@users.noreply.github.com> | 2025-10-14 19:55:21 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-10-14 19:55:21 +0200 |
| commit | 2b6544e9a12bbe171f6653c06cd86d84cb81bb63 (patch) | |
| tree | ee7936cbe751864295df0b07464f3c78b8afff4f | |
| parent | d6796a43bc3803e3c018155f207ca7b2e2890c51 (diff) | |
| download | nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.tar.gz nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.tar.xz nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.zip | |
Update and rename USAGE.md to DEPLOYMENT.md
| -rw-r--r-- | DEPLOYMENT.md | 360 | ||||
| -rw-r--r-- | USAGE.md | 97 |
2 files changed, 360 insertions, 97 deletions
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md new file mode 100644 index 0000000..7730e40 --- /dev/null +++ b/DEPLOYMENT.md @@ -0,0 +1,360 @@ +# π NoFuture-Memguard-PQ - Production Deployment Guide + +This guide shows how to deploy NoFuture-Memguard-PQ securely in production. + +## β οΈ Critical Security Requirements + +**NEVER expose the Go server directly to the internet without HTTPS.** + +- β
Use nginx/Caddy reverse proxy with TLS +- β
Configure strict CORS policies +- β
Enable rate limiting at proxy level +- β
Run server as non-root user +- β
Use systemd for process management +- β
Monitor logs for attacks + +## π Prerequisites + +- Linux server (Ubuntu 22.04, Debian 12, or similar) +- Domain name pointing to your server +- Go 1.21+ installed +- Nginx or Caddy installed +- Let's Encrypt for SSL certificates + +## π§ Step-by-Step Deployment + +### 1. Create Dedicated User + +```bash +sudo useradd -r -s /bin/false nofuture +sudo mkdir -p /opt/nofuture +sudo chown nofuture:nofuture /opt/nofuture +``` + +### 2. Build the Application + +```bash +cd /opt/nofuture +git clone <your-repo-url> . +go mod download +go build -o nofuture main.go +sudo chown nofuture:nofuture nofuture +sudo chmod 755 nofuture +``` + +### 3. Install Systemd Service + +```bash +sudo cp nofuture.service /etc/systemd/system/ +sudo systemctl daemon-reload +sudo systemctl enable nofuture +sudo systemctl start nofuture +``` + +Check status: +```bash +sudo systemctl status nofuture +sudo journalctl -u nofuture -f +``` + +### 4. Configure Nginx Reverse Proxy + +#### Install Certbot (Let's Encrypt) + +```bash +sudo apt update +sudo apt install nginx certbot python3-certbot-nginx -y +``` + +#### Get SSL Certificate + +```bash +sudo certbot --nginx -d safecomms.yourdomain.com +``` + +#### Configure Nginx + +```bash +sudo cp nginx.conf.example /etc/nginx/sites-available/nofuture +# Edit the file and replace 'yourdomain.com' with your actual domain +sudo ln -s /etc/nginx/sites-available/nofuture /etc/nginx/sites-enabled/ +sudo nginx -t +sudo systemctl restart nginx +``` + +### 5. Configure Firewall + +```bash +sudo ufw allow 22/tcp # SSH +sudo ufw allow 80/tcp # HTTP (redirect to HTTPS) +sudo ufw allow 443/tcp # HTTPS +sudo ufw enable +``` + +**Do NOT expose port 8080** - it should only be accessible via localhost. + +### 6. Update CORS in main.go + +Edit `main.go` and update the CORS middleware: + +```go +func corsMiddleware(next http.HandlerFunc) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + origin := r.Header.Get("Origin") + + // IMPORTANT: Replace with your actual domain + allowedOrigins := []string{ + "https://safecomms.yourdomain.com", + } + + for _, allowed := range allowedOrigins { + if origin == allowed { + w.Header().Set("Access-Control-Allow-Origin", origin) + break + } + } + + // ... rest of middleware + } +} +``` + +Rebuild and restart: +```bash +go build -o nofuture main.go +sudo systemctl restart nofuture +``` + +## π Monitoring & Maintenance + +### Check Server Status + +```bash +sudo systemctl status nofuture +``` + +### View Logs + +```bash +# Real-time logs +sudo journalctl -u nofuture -f + +# Last 100 lines +sudo journalctl -u nofuture -n 100 + +# Nginx access logs +sudo tail -f /var/log/nginx/nofuture-access.log + +# Nginx error logs +sudo tail -f /var/log/nginx/nofuture-error.log +``` + +### Monitor Resource Usage + +```bash +# Memory usage +ps aux | grep nofuture + +# Active connections +netstat -an | grep :8080 +``` + +### Rotate Logs + +Create `/etc/logrotate.d/nofuture`: + +``` +/var/log/nginx/nofuture-*.log { + daily + missingok + rotate 14 + compress + delaycompress + notifempty + create 0640 www-data adm + sharedscripts + postrotate + [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid` + endscript +} +``` + +## π Security Hardening + +### 1. Enable Fail2Ban + +```bash +sudo apt install fail2ban -y +``` + +Create `/etc/fail2ban/filter.d/nofuture.conf`: + +``` +[Definition] +failregex = ^<HOST> .* "POST /api/.* HTTP/.*" 429 + ^<HOST> .* "POST /api/.* HTTP/.*" 400 +ignoreregex = +``` + +Create `/etc/fail2ban/jail.d/nofuture.conf`: + +``` +[nofuture] +enabled = true +port = http,https +filter = nofuture +logpath = /var/log/nginx/nofuture-access.log +maxretry = 10 +bantime = 3600 +findtime = 600 +``` + +Restart Fail2Ban: +```bash +sudo systemctl restart fail2ban +``` + +### 2. Automatic Security Updates + +```bash +sudo apt install unattended-upgrades -y +sudo dpkg-reconfigure -plow unattended-upgrades +``` + +### 3. Harden SSH + +Edit `/etc/ssh/sshd_config`: + +``` +PermitRootLogin no +PasswordAuthentication no +PubkeyAuthentication yes +``` + +Restart SSH: +```bash +sudo systemctl restart sshd +``` + +## π Updates & Maintenance + +### Update the Application + +```bash +cd /opt/nofuture +git pull +go build -o nofuture main.go +sudo systemctl restart nofuture +``` + +### Renew SSL Certificates + +Certbot auto-renews. Test renewal: + +```bash +sudo certbot renew --dry-run +``` + +## π¨ Troubleshooting + +### Server won't start + +```bash +# Check logs +sudo journalctl -u nofuture -n 50 + +# Check if port 8080 is already in use +sudo netstat -tulpn | grep 8080 + +# Check permissions +ls -la /opt/nofuture +``` + +### Cannot access via HTTPS + +```bash +# Check nginx status +sudo systemctl status nginx + +# Test nginx configuration +sudo nginx -t + +# Check SSL certificate +sudo certbot certificates + +# Check firewall +sudo ufw status +``` + +### High memory usage + +```bash +# Check active sessions +curl http://localhost:8080/api/sessions | jq + +# Restart service +sudo systemctl restart nofuture +``` + +## π Performance Tuning + +### Increase File Descriptor Limits + +Edit `/etc/security/limits.conf`: + +``` +nofuture soft nofile 4096 +nofuture hard nofile 8192 +``` + +### Optimize Nginx + +Add to nginx.conf: + +```nginx +worker_processes auto; +worker_connections 2048; +keepalive_timeout 30; +client_body_timeout 12; +client_header_timeout 12; +send_timeout 10; +``` + +## π§ͺ Testing + +### Test from localhost + +```bash +curl http://localhost:8080 +``` + +### Test via HTTPS + +```bash +curl https://safecomms.yourdomain.com +``` + +### Load testing + +```bash +# Install ab (Apache Bench) +sudo apt install apache2-utils -y + +# Test rate limiting (should see 429 errors after 60 requests) +ab -n 100 -c 10 https://safecomms.yourdomain.com/api/start_session +``` + +## π Support + +If you encounter issues: + +1. Check logs first: `sudo journalctl -u nofuture -n 100` +2. Verify nginx config: `sudo nginx -t` +3. Test SSL: `openssl s_client -connect yourdomain.com:443` +4. Check firewall: `sudo ufw status verbose` + +For security issues, report privately. + +--- + +**Remember: Privacy is a human right, not a feature.** diff --git a/USAGE.md b/USAGE.md deleted file mode 100644 index a0bf70c..0000000 --- a/USAGE.md +++ /dev/null @@ -1,97 +0,0 @@ -# π How to Use nofuture.go - -This guide explains how to use `nofuture.go` in practice with a mainstream chat application. - ---- - -## βοΈ Requirements - -- Modern browser (Chrome, Firefox, Brave, etc.) -- JavaScript enabled -- Optional: virtual keyboard enabled for secure passphrase input - ---- - -## π§ͺ Step-by-step Example - -### 1. Open `nofuture.go` in one browser tab - -> Visit: `https://safecomms.virebent.art` - -You will see the interface for starting a new secure session. - ---- - -### 2. Open your chat app in another tab - -Use any web-based messaging platform: -- Signal Web -- Telegram Web -- WhatsApp Web -- Email client (optional) - ---- - -### 3. Generate a Session ID - -In `nofuture.go`, click **"Generate Session ID"**. -This creates a **post-quantum key pair**, generates a random nonce, and bundles them into your personal **Session ID**. - -You can think of your `Session ID` like a **temporary public key**: it tells the other party how to encrypt messages for you. - ---- - -### 4. Share Your Session ID - -Copy your Session ID and paste it into your chat app. -Send it to your conversation partner. They will import it into their own instance of `nofuture.go`. - -> β
Session IDs contain **no sensitive private key data** β they are safe to transmit over standard channels. - ---- - -### 5. Synchronize Sessions - -This is the **core step**: -When the other user imports your Session ID, their instance uses it to derive a **shared secret** and bind their session to yours. - -π Once both users are synchronized: -- Messages can be encrypted asymmetrically using XChaCha and the shared key -- The session is protected against MITM (with optional signature validation) -- The encrypted messages are now meaningful only to those inside the session - -> Without synchronization, decryption will fail. -> With it, communication is seamless, secure, and ephemeral. - ---- - -### 6. Start exchanging encrypted messages - -- You write your message in `nofuture.go` -- Itβs encrypted and output as ciphertext -- You copy that into your chat app -- Your contact copies the ciphertext back into their `nofuture.go`, which decrypts it - ---- - -### 7. End Session when done - -Once the conversation is finished: - -- Click βEnd Sessionβ -- All keys are destroyed securely in memory -- Even if the ciphertext remains in the chat, it can never be decrypted again - -> π£ Your private key is never written to disk and is irreversibly destroyed. - ---- - -## π§Ό Security Notes - -- Session data is stored only in encrypted memory -- `memguard` prevents access even from root processes or dump tools -- Virtual keyboard bypasses system-level keyloggers - ---- - -Enjoy your ephemeral, post-quantum privacy β |
