summaryrefslogtreecommitdiffstats
path: root/DEPLOYMENT.md
diff options
context:
space:
mode:
authorGab <24553253+gabrix73@users.noreply.github.com>2025-10-14 19:55:21 +0200
committerGitHub <noreply@github.com>2025-10-14 19:55:21 +0200
commit2b6544e9a12bbe171f6653c06cd86d84cb81bb63 (patch)
treeee7936cbe751864295df0b07464f3c78b8afff4f /DEPLOYMENT.md
parentd6796a43bc3803e3c018155f207ca7b2e2890c51 (diff)
downloadnofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.tar.gz
nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.tar.xz
nofuture-go-memguard-2b6544e9a12bbe171f6653c06cd86d84cb81bb63.zip
Update and rename USAGE.md to DEPLOYMENT.md
Diffstat (limited to 'DEPLOYMENT.md')
-rw-r--r--DEPLOYMENT.md360
1 files changed, 360 insertions, 0 deletions
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
new file mode 100644
index 0000000..7730e40
--- /dev/null
+++ b/DEPLOYMENT.md
@@ -0,0 +1,360 @@
+# ๐Ÿš€ NoFuture-Memguard-PQ - Production Deployment Guide
+
+This guide shows how to deploy NoFuture-Memguard-PQ securely in production.
+
+## โš ๏ธ Critical Security Requirements
+
+**NEVER expose the Go server directly to the internet without HTTPS.**
+
+- โœ… Use nginx/Caddy reverse proxy with TLS
+- โœ… Configure strict CORS policies
+- โœ… Enable rate limiting at proxy level
+- โœ… Run server as non-root user
+- โœ… Use systemd for process management
+- โœ… Monitor logs for attacks
+
+## ๐Ÿ“‹ Prerequisites
+
+- Linux server (Ubuntu 22.04, Debian 12, or similar)
+- Domain name pointing to your server
+- Go 1.21+ installed
+- Nginx or Caddy installed
+- Let's Encrypt for SSL certificates
+
+## ๐Ÿ”ง Step-by-Step Deployment
+
+### 1. Create Dedicated User
+
+```bash
+sudo useradd -r -s /bin/false nofuture
+sudo mkdir -p /opt/nofuture
+sudo chown nofuture:nofuture /opt/nofuture
+```
+
+### 2. Build the Application
+
+```bash
+cd /opt/nofuture
+git clone <your-repo-url> .
+go mod download
+go build -o nofuture main.go
+sudo chown nofuture:nofuture nofuture
+sudo chmod 755 nofuture
+```
+
+### 3. Install Systemd Service
+
+```bash
+sudo cp nofuture.service /etc/systemd/system/
+sudo systemctl daemon-reload
+sudo systemctl enable nofuture
+sudo systemctl start nofuture
+```
+
+Check status:
+```bash
+sudo systemctl status nofuture
+sudo journalctl -u nofuture -f
+```
+
+### 4. Configure Nginx Reverse Proxy
+
+#### Install Certbot (Let's Encrypt)
+
+```bash
+sudo apt update
+sudo apt install nginx certbot python3-certbot-nginx -y
+```
+
+#### Get SSL Certificate
+
+```bash
+sudo certbot --nginx -d safecomms.yourdomain.com
+```
+
+#### Configure Nginx
+
+```bash
+sudo cp nginx.conf.example /etc/nginx/sites-available/nofuture
+# Edit the file and replace 'yourdomain.com' with your actual domain
+sudo ln -s /etc/nginx/sites-available/nofuture /etc/nginx/sites-enabled/
+sudo nginx -t
+sudo systemctl restart nginx
+```
+
+### 5. Configure Firewall
+
+```bash
+sudo ufw allow 22/tcp # SSH
+sudo ufw allow 80/tcp # HTTP (redirect to HTTPS)
+sudo ufw allow 443/tcp # HTTPS
+sudo ufw enable
+```
+
+**Do NOT expose port 8080** - it should only be accessible via localhost.
+
+### 6. Update CORS in main.go
+
+Edit `main.go` and update the CORS middleware:
+
+```go
+func corsMiddleware(next http.HandlerFunc) http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ origin := r.Header.Get("Origin")
+
+ // IMPORTANT: Replace with your actual domain
+ allowedOrigins := []string{
+ "https://safecomms.yourdomain.com",
+ }
+
+ for _, allowed := range allowedOrigins {
+ if origin == allowed {
+ w.Header().Set("Access-Control-Allow-Origin", origin)
+ break
+ }
+ }
+
+ // ... rest of middleware
+ }
+}
+```
+
+Rebuild and restart:
+```bash
+go build -o nofuture main.go
+sudo systemctl restart nofuture
+```
+
+## ๐Ÿ” Monitoring & Maintenance
+
+### Check Server Status
+
+```bash
+sudo systemctl status nofuture
+```
+
+### View Logs
+
+```bash
+# Real-time logs
+sudo journalctl -u nofuture -f
+
+# Last 100 lines
+sudo journalctl -u nofuture -n 100
+
+# Nginx access logs
+sudo tail -f /var/log/nginx/nofuture-access.log
+
+# Nginx error logs
+sudo tail -f /var/log/nginx/nofuture-error.log
+```
+
+### Monitor Resource Usage
+
+```bash
+# Memory usage
+ps aux | grep nofuture
+
+# Active connections
+netstat -an | grep :8080
+```
+
+### Rotate Logs
+
+Create `/etc/logrotate.d/nofuture`:
+
+```
+/var/log/nginx/nofuture-*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 0640 www-data adm
+ sharedscripts
+ postrotate
+ [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
+ endscript
+}
+```
+
+## ๐Ÿ” Security Hardening
+
+### 1. Enable Fail2Ban
+
+```bash
+sudo apt install fail2ban -y
+```
+
+Create `/etc/fail2ban/filter.d/nofuture.conf`:
+
+```
+[Definition]
+failregex = ^<HOST> .* "POST /api/.* HTTP/.*" 429
+ ^<HOST> .* "POST /api/.* HTTP/.*" 400
+ignoreregex =
+```
+
+Create `/etc/fail2ban/jail.d/nofuture.conf`:
+
+```
+[nofuture]
+enabled = true
+port = http,https
+filter = nofuture
+logpath = /var/log/nginx/nofuture-access.log
+maxretry = 10
+bantime = 3600
+findtime = 600
+```
+
+Restart Fail2Ban:
+```bash
+sudo systemctl restart fail2ban
+```
+
+### 2. Automatic Security Updates
+
+```bash
+sudo apt install unattended-upgrades -y
+sudo dpkg-reconfigure -plow unattended-upgrades
+```
+
+### 3. Harden SSH
+
+Edit `/etc/ssh/sshd_config`:
+
+```
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+```
+
+Restart SSH:
+```bash
+sudo systemctl restart sshd
+```
+
+## ๐Ÿ”„ Updates & Maintenance
+
+### Update the Application
+
+```bash
+cd /opt/nofuture
+git pull
+go build -o nofuture main.go
+sudo systemctl restart nofuture
+```
+
+### Renew SSL Certificates
+
+Certbot auto-renews. Test renewal:
+
+```bash
+sudo certbot renew --dry-run
+```
+
+## ๐Ÿšจ Troubleshooting
+
+### Server won't start
+
+```bash
+# Check logs
+sudo journalctl -u nofuture -n 50
+
+# Check if port 8080 is already in use
+sudo netstat -tulpn | grep 8080
+
+# Check permissions
+ls -la /opt/nofuture
+```
+
+### Cannot access via HTTPS
+
+```bash
+# Check nginx status
+sudo systemctl status nginx
+
+# Test nginx configuration
+sudo nginx -t
+
+# Check SSL certificate
+sudo certbot certificates
+
+# Check firewall
+sudo ufw status
+```
+
+### High memory usage
+
+```bash
+# Check active sessions
+curl http://localhost:8080/api/sessions | jq
+
+# Restart service
+sudo systemctl restart nofuture
+```
+
+## ๐Ÿ“Š Performance Tuning
+
+### Increase File Descriptor Limits
+
+Edit `/etc/security/limits.conf`:
+
+```
+nofuture soft nofile 4096
+nofuture hard nofile 8192
+```
+
+### Optimize Nginx
+
+Add to nginx.conf:
+
+```nginx
+worker_processes auto;
+worker_connections 2048;
+keepalive_timeout 30;
+client_body_timeout 12;
+client_header_timeout 12;
+send_timeout 10;
+```
+
+## ๐Ÿงช Testing
+
+### Test from localhost
+
+```bash
+curl http://localhost:8080
+```
+
+### Test via HTTPS
+
+```bash
+curl https://safecomms.yourdomain.com
+```
+
+### Load testing
+
+```bash
+# Install ab (Apache Bench)
+sudo apt install apache2-utils -y
+
+# Test rate limiting (should see 429 errors after 60 requests)
+ab -n 100 -c 10 https://safecomms.yourdomain.com/api/start_session
+```
+
+## ๐Ÿ“ž Support
+
+If you encounter issues:
+
+1. Check logs first: `sudo journalctl -u nofuture -n 100`
+2. Verify nginx config: `sudo nginx -t`
+3. Test SSL: `openssl s_client -connect yourdomain.com:443`
+4. Check firewall: `sudo ufw status verbose`
+
+For security issues, report privately.
+
+---
+
+**Remember: Privacy is a human right, not a feature.**