blob: 7730e409b3681447f004bcf5d556ea12cb762555 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
|
# ๐ NoFuture-Memguard-PQ - Production Deployment Guide
This guide shows how to deploy NoFuture-Memguard-PQ securely in production.
## โ ๏ธ Critical Security Requirements
**NEVER expose the Go server directly to the internet without HTTPS.**
- โ
Use nginx/Caddy reverse proxy with TLS
- โ
Configure strict CORS policies
- โ
Enable rate limiting at proxy level
- โ
Run server as non-root user
- โ
Use systemd for process management
- โ
Monitor logs for attacks
## ๐ Prerequisites
- Linux server (Ubuntu 22.04, Debian 12, or similar)
- Domain name pointing to your server
- Go 1.21+ installed
- Nginx or Caddy installed
- Let's Encrypt for SSL certificates
## ๐ง Step-by-Step Deployment
### 1. Create Dedicated User
```bash
sudo useradd -r -s /bin/false nofuture
sudo mkdir -p /opt/nofuture
sudo chown nofuture:nofuture /opt/nofuture
```
### 2. Build the Application
```bash
cd /opt/nofuture
git clone <your-repo-url> .
go mod download
go build -o nofuture main.go
sudo chown nofuture:nofuture nofuture
sudo chmod 755 nofuture
```
### 3. Install Systemd Service
```bash
sudo cp nofuture.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable nofuture
sudo systemctl start nofuture
```
Check status:
```bash
sudo systemctl status nofuture
sudo journalctl -u nofuture -f
```
### 4. Configure Nginx Reverse Proxy
#### Install Certbot (Let's Encrypt)
```bash
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx -y
```
#### Get SSL Certificate
```bash
sudo certbot --nginx -d safecomms.yourdomain.com
```
#### Configure Nginx
```bash
sudo cp nginx.conf.example /etc/nginx/sites-available/nofuture
# Edit the file and replace 'yourdomain.com' with your actual domain
sudo ln -s /etc/nginx/sites-available/nofuture /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
```
### 5. Configure Firewall
```bash
sudo ufw allow 22/tcp # SSH
sudo ufw allow 80/tcp # HTTP (redirect to HTTPS)
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
```
**Do NOT expose port 8080** - it should only be accessible via localhost.
### 6. Update CORS in main.go
Edit `main.go` and update the CORS middleware:
```go
func corsMiddleware(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
origin := r.Header.Get("Origin")
// IMPORTANT: Replace with your actual domain
allowedOrigins := []string{
"https://safecomms.yourdomain.com",
}
for _, allowed := range allowedOrigins {
if origin == allowed {
w.Header().Set("Access-Control-Allow-Origin", origin)
break
}
}
// ... rest of middleware
}
}
```
Rebuild and restart:
```bash
go build -o nofuture main.go
sudo systemctl restart nofuture
```
## ๐ Monitoring & Maintenance
### Check Server Status
```bash
sudo systemctl status nofuture
```
### View Logs
```bash
# Real-time logs
sudo journalctl -u nofuture -f
# Last 100 lines
sudo journalctl -u nofuture -n 100
# Nginx access logs
sudo tail -f /var/log/nginx/nofuture-access.log
# Nginx error logs
sudo tail -f /var/log/nginx/nofuture-error.log
```
### Monitor Resource Usage
```bash
# Memory usage
ps aux | grep nofuture
# Active connections
netstat -an | grep :8080
```
### Rotate Logs
Create `/etc/logrotate.d/nofuture`:
```
/var/log/nginx/nofuture-*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 0640 www-data adm
sharedscripts
postrotate
[ -f /var/run/nginx.pid ] && kill -USR1 `cat /var/run/nginx.pid`
endscript
}
```
## ๐ Security Hardening
### 1. Enable Fail2Ban
```bash
sudo apt install fail2ban -y
```
Create `/etc/fail2ban/filter.d/nofuture.conf`:
```
[Definition]
failregex = ^<HOST> .* "POST /api/.* HTTP/.*" 429
^<HOST> .* "POST /api/.* HTTP/.*" 400
ignoreregex =
```
Create `/etc/fail2ban/jail.d/nofuture.conf`:
```
[nofuture]
enabled = true
port = http,https
filter = nofuture
logpath = /var/log/nginx/nofuture-access.log
maxretry = 10
bantime = 3600
findtime = 600
```
Restart Fail2Ban:
```bash
sudo systemctl restart fail2ban
```
### 2. Automatic Security Updates
```bash
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure -plow unattended-upgrades
```
### 3. Harden SSH
Edit `/etc/ssh/sshd_config`:
```
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
```
Restart SSH:
```bash
sudo systemctl restart sshd
```
## ๐ Updates & Maintenance
### Update the Application
```bash
cd /opt/nofuture
git pull
go build -o nofuture main.go
sudo systemctl restart nofuture
```
### Renew SSL Certificates
Certbot auto-renews. Test renewal:
```bash
sudo certbot renew --dry-run
```
## ๐จ Troubleshooting
### Server won't start
```bash
# Check logs
sudo journalctl -u nofuture -n 50
# Check if port 8080 is already in use
sudo netstat -tulpn | grep 8080
# Check permissions
ls -la /opt/nofuture
```
### Cannot access via HTTPS
```bash
# Check nginx status
sudo systemctl status nginx
# Test nginx configuration
sudo nginx -t
# Check SSL certificate
sudo certbot certificates
# Check firewall
sudo ufw status
```
### High memory usage
```bash
# Check active sessions
curl http://localhost:8080/api/sessions | jq
# Restart service
sudo systemctl restart nofuture
```
## ๐ Performance Tuning
### Increase File Descriptor Limits
Edit `/etc/security/limits.conf`:
```
nofuture soft nofile 4096
nofuture hard nofile 8192
```
### Optimize Nginx
Add to nginx.conf:
```nginx
worker_processes auto;
worker_connections 2048;
keepalive_timeout 30;
client_body_timeout 12;
client_header_timeout 12;
send_timeout 10;
```
## ๐งช Testing
### Test from localhost
```bash
curl http://localhost:8080
```
### Test via HTTPS
```bash
curl https://safecomms.yourdomain.com
```
### Load testing
```bash
# Install ab (Apache Bench)
sudo apt install apache2-utils -y
# Test rate limiting (should see 429 errors after 60 requests)
ab -n 100 -c 10 https://safecomms.yourdomain.com/api/start_session
```
## ๐ Support
If you encounter issues:
1. Check logs first: `sudo journalctl -u nofuture -n 100`
2. Verify nginx config: `sudo nginx -t`
3. Test SSL: `openssl s_client -connect yourdomain.com:443`
4. Check firewall: `sudo ufw status verbose`
For security issues, report privately.
---
**Remember: Privacy is a human right, not a feature.**
|