Securing NodeBB with A+ SSL (AWS Linux2 + LetsEncrypt + Nginx + Exploits)

JJSagan

Hello Everyone,

I am new to NodeBB so kindly hold on with the tomatoes.

First, I must say that I found NodeBB only few days ago and been playing with it ever since.
I absolutely love it. You guys have made excellent work!!!

Kindly allow me to make a small contribution.

I was looking for ways to set up NodeBB with SSL, and I wanted to make sure the site is secured, and I must say that getting there gave me more gray hair than my calculus professor, lol Let me cut some corners for ya-all:

Target platform: EC2 @ Amazon
OS: Amazon Linux2

Installation Steps:

1. Note that in AWS Linux, you can't immediately install LetsEncrypt (Certbot) and Nodejs. For that follow:
   1a. Aws Linux 2 is similar to Centos7, the best way to install is to follow: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-up-node-on-ec2-instance.html
   1b. LetsEncrypt (with manual hack): https://community.letsencrypt.org/t/help-with-certbot-on-the-new-amazon-linux-2/49399/7
2. Follow: https://hostpresto.com/community/tutorials/how-to-install-nodebb-forum-on-centos-7/
3. Configure NodeBB with DB (I used AWS Redis - rants below)
4. Install nginx: In AWS linux: $amazon-linux-extras install nginx1.12
5. Note, I did not need to change SELinux on my setup.

Addressing SSL security:

1. Find out the latest setup recommendations for security for your nginx version: https://mozilla.github.io/server-side-tls/ssl-config-generator/
2. Remove exploits: Add into the nginx config file:
   
   nginx: How To Block Exploits, SQL Injections, File Injections, Spam, User Agents, Etc.
3. I was having real hard time with HSTS header - it looks as though someone else (nodebb?) is inserting this header, so don't include that header in nginx.
4. Check your site: go to: https://www.ssllabs.com/ssltest/ with the above you should get A+

Database Rants:

1. Redis (AWS Free Tier) does not support backup, and its mighty expensive otherwise.
2. MongDB is not available in AWS Free Tier.
3. AWS Postgres is awesome and available for AWS Free Tier, making NodeBB + Postgres is the ultimate solution for AWS. I saw that mighty @Ben-Lubar got that figured out, however, his pull request is collecting dust as of Jan-13 (https://github.com/NodeBB/NodeBB/pull/5861). @barisusakli, your help pushing the code to master will be highly appreciated, thank you!!!

Security issues:
I wanted no guests, so following https://community.nodebb.org/topic/2371/faq-how-to-make-your-forum-private I added a small JS that checks if the UUID==0 and kicks the user to the login page.

1. Clicking breadcrumb in the login page allows the guest user to go back to the forum main page (in my case, categories). I disabled categories to guests, so that page is now blank.
2. The said JS code does not run for guests users, so if the guest used breadcrumb to redirect to the main page, I would have expected redirection to login.

How to repeat? Simply log out of your account. To resolve, may I suggest to:

1. Remove breadcrumbs from the login page
2. Allow the js code added in the admin page, to run for guests as well.

Additional issues:

1. I installed the onesignal plugin, and I can confirm it does not work. Note, I pulled the latest code from github: https://github.com/CCob/nodebb-plugin-onesignal . Furthermore, the plugin description is a bit difficult - where should I change the "redirect_uri"? OneSignal gui does not allow you to add /onesignal/auth. Redirect entire site in nginx? but that would affect all users. @CCob your help will be highly appreciated.
2. I can confirm the text in the chat window (when not in full screen) is reversed from the getgo, that is with no special css. @mohammadhassan is correct (see: https://github.com/NodeBB/NodeBB/issues/6192 ). The issue exists in the master branch. @julianlam, your help will be highly appreciated. May I suggest to remove the text, and use an icon similar to the one used in the full-page chat? When will the new chat GUI become available in master btw?
3. Clicking the image of the user in the chat window (full screen), opens the user profile, but below the chat window. I believe it should be opened above the chat window - but this is no biggie.

Again, awesome forum!!! I love it. Amazing work guys. Chapeau!

All the best,
JJ.

[Now you can go ahead with the tomatoes]

julianlam created this issue in NodeBB/NodeBB

closed Rewrite chat frontend #6192

BenLubar created this issue in NodeBB/NodeBB

closed PostgreSQL database driver #5861

julian

@mohammadhassan I see the issue now Will fix tomorrow, likely. For release in 1.8.1 in one week's time.

JJSagan

@julianlam, amazing thank you!
May I humbly suggest to remove the text, and use an icon similar to the one used in the full-page chat? That will help keep the code safe from translation and RTL issues in the long run...

When will the new chat GUI become available in the master branch btw?

Again, thank you.

JJSagan

Hi @julianlam, I just grabbed the sources from git. The chat window on mobile is fixed (no inverted text). However, when you are in desktop mode, and open a chat window (the smaller one, that overlays on top of the main window) - the translation for "send" is inverted.
Maybe it makes more sense to use the conventional arrow icon, and do away with the inversion once and for good

julian

@jjsagan said in Securing NodeBB with A+ SSL (AWS Linux2 + LetsEncrypt + Nginx + Exploits):

Maybe it makes more sense to use the conventional arrow icon, and do away with the inversion once and for good

Yes, already made that change. A mistake on my part!

JJSagan

Hi @julianlam, I pulled the new code and can confirm the text was replaced with an icon. Thank you!