# ๐Ÿš€ NoFuture-Memguard-PQ - Production Deployment Guide This guide shows how to deploy NoFuture-Memguard-PQ securely in production. ## โš ๏ธ Critical Security Requirements **NEVER expose the Go server directly to the internet without HTTPS.** - โœ… Use nginx/Caddy reverse proxy with TLS - โœ… Configure strict CORS policies - โœ… Enable rate limiting at proxy level - โœ… Run server as non-root user - โœ… Use systemd for process management - โœ… Monitor logs for attacks ## ๐Ÿ“‹ Prerequisites - Linux server (Ubuntu 22.04, Debian 12, or similar) - Domain name pointing to your server - Go 1.21+ installed - Nginx or Caddy installed - Let's Encrypt for SSL certificates ## ๐Ÿ”ง Step-by-Step Deployment ### 1. Create Dedicated User ```bash sudo useradd -r -s /bin/false nofuture sudo mkdir -p /opt/nofuture sudo chown nofuture:nofuture /opt/nofuture ``` ### 2. Build the Application ```bash cd /opt/nofuture git clone . go mod download go build -o nofuture main.go sudo chown nofuture:nofuture nofuture sudo chmod 755 nofuture ``` ### 3. Install Systemd Service ```bash sudo cp nofuture.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable nofuture sudo systemctl start nofuture ``` Check status: ```bash sudo systemctl status nofuture sudo journalctl -u nofuture -f ``` ### 4. Configure Nginx Reverse Proxy #### Install Certbot (Let's Encrypt) ```bash sudo apt update sudo apt install nginx certbot python3-certbot-nginx -y ``` #### Get SSL Certificate ```bash sudo certbot --nginx -d safecomms.yourdomain.com ``` #### Configure Nginx ```bash sudo cp nginx.conf.example /etc/nginx/sites-available/nofuture # Edit the file and replace 'yourdomain.com' with your actual domain sudo ln -s /etc/nginx/sites-available/nofuture /etc/nginx/sites-enabled/ sudo nginx -t sudo systemctl restart nginx ``` ### 5. Configure Firewall ```bash sudo ufw allow 22/tcp # SSH sudo ufw allow 80/tcp # HTTP (redirect to HTTPS) sudo ufw allow 443/tcp # HTTPS sudo ufw enable ``` **Do NOT expose port 8080** - it should only be accessible via localhost. ### 6. Update CORS in main.go Edit `main.go` and update the CORS middleware: ```go func corsMiddleware(next http.HandlerFunc) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { origin := r.Header.Get("Origin") // IMPORTANT: Replace with your actual domain allowedOrigins := []string{ "https://safecomms.yourdomain.com", } for _, allowed := range allowedOrigins { if origin == allowed { w.Header().Set("Access-Control-Allow-Origin", origin) break } } // ... rest of middleware } } ``` Rebuild and restart: ```bash go build -o nofuture main.go sudo systemctl restart nofuture ``` ## ๐Ÿ” Monitoring & Maintenance ### Check Server Status ```bash sudo systemctl status nofuture ``` ### View Logs ```bash # Real-time logs sudo journalctl -u nofuture -f # Last 100 lines sudo journalctl -u nofuture -n 100 # Nginx access logs sudo tail -f /var/log/nginx/nofuture-access.log # Nginx error logs sudo tail -f /var/log/nginx/nofuture-error.log ``` ### Monitor Resource Usage ```bash # Memory usage ps aux | grep nofuture # Active connections netstat -an | grep :8080 ``` ### Rotate Logs Create `/etc/logrotate.d/nofuture`: ``` /var/log/nginx/nofuture-*.log { daily missingok rotate 14 compress delaycompress notifempty create 0640 www-data adm sharedscripts postrotate [ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid` endscript } ``` ## ๐Ÿ” Security Hardening ### 1. Enable Fail2Ban ```bash sudo apt install fail2ban -y ``` Create `/etc/fail2ban/filter.d/nofuture.conf`: ``` [Definition] failregex = ^ .* "POST /api/.* HTTP/.*" 429 ^ .* "POST /api/.* HTTP/.*" 400 ignoreregex = ``` Create `/etc/fail2ban/jail.d/nofuture.conf`: ``` [nofuture] enabled = true port = http,https filter = nofuture logpath = /var/log/nginx/nofuture-access.log maxretry = 10 bantime = 3600 findtime = 600 ``` Restart Fail2Ban: ```bash sudo systemctl restart fail2ban ``` ### 2. Automatic Security Updates ```bash sudo apt install unattended-upgrades -y sudo dpkg-reconfigure -plow unattended-upgrades ``` ### 3. Harden SSH Edit `/etc/ssh/sshd_config`: ``` PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes ``` Restart SSH: ```bash sudo systemctl restart sshd ``` ## ๐Ÿ”„ Updates & Maintenance ### Update the Application ```bash cd /opt/nofuture git pull go build -o nofuture main.go sudo systemctl restart nofuture ``` ### Renew SSL Certificates Certbot auto-renews. Test renewal: ```bash sudo certbot renew --dry-run ``` ## ๐Ÿšจ Troubleshooting ### Server won't start ```bash # Check logs sudo journalctl -u nofuture -n 50 # Check if port 8080 is already in use sudo netstat -tulpn | grep 8080 # Check permissions ls -la /opt/nofuture ``` ### Cannot access via HTTPS ```bash # Check nginx status sudo systemctl status nginx # Test nginx configuration sudo nginx -t # Check SSL certificate sudo certbot certificates # Check firewall sudo ufw status ``` ### High memory usage ```bash # Check active sessions curl http://localhost:8080/api/sessions | jq # Restart service sudo systemctl restart nofuture ``` ## ๐Ÿ“Š Performance Tuning ### Increase File Descriptor Limits Edit `/etc/security/limits.conf`: ``` nofuture soft nofile 4096 nofuture hard nofile 8192 ``` ### Optimize Nginx Add to nginx.conf: ```nginx worker_processes auto; worker_connections 2048; keepalive_timeout 30; client_body_timeout 12; client_header_timeout 12; send_timeout 10; ``` ## ๐Ÿงช Testing ### Test from localhost ```bash curl http://localhost:8080 ``` ### Test via HTTPS ```bash curl https://safecomms.yourdomain.com ``` ### Load testing ```bash # Install ab (Apache Bench) sudo apt install apache2-utils -y # Test rate limiting (should see 429 errors after 60 requests) ab -n 100 -c 10 https://safecomms.yourdomain.com/api/start_session ``` ## ๐Ÿ“ž Support If you encounter issues: 1. Check logs first: `sudo journalctl -u nofuture -n 100` 2. Verify nginx config: `sudo nginx -t` 3. Test SSL: `openssl s_client -connect yourdomain.com:443` 4. Check firewall: `sudo ufw status verbose` For security issues, report privately. --- **Remember: Privacy is a human right, not a feature.**