Multiple instances, each under HTTPS

Background

This wiki can be discussed at: A broad SSL recipe.

Background: This wiki describes how to make TiddlyWiki run on a public-facing web server alongside other contents. The communication to the server should be encrypted so that is available with HTTPS.

A rundown: the whole process of making TiddlyWiki available via nginx under SSL – with some arbitrary path name – to allow for more than one TiddlyWiki instance or other services.

First some details/caveats:

This wiki covers the setup of Nginx as a reverse proxy that transfers communication to different tiddlywiki nodejs instances.

It assumes, that you already took care of the following elements

  • Your server is secured by a firewall
    • Either your service provider took care of it
    • Or you have to do some work
  • Only the ports that are strictly needed are open for outside connection
  • NodeJS is already installed
  • The commands shown here are for a Unix-style system
  • You have full control of the shell
  • The wiki described is a single server, in order to keep out irrelevant details
  • It is recommend to use a setup → test → deploy strategy

Information about TiddlyWiki

  • The following link is important: Using a custom path prefix with the client-server edition
  • The TW side of the configuration is done from a page in a TW environment, presumably while the instance is running in the web service’s root directory
    • For this setup we will change that
  • It should be possible to deploy more than one session, each in one go
  • The wiki describes what needs to be done the shell…
  • We need to make sure we have correct ownership and permissions. Details below.

That said.

Let’s assume that all of our TiddlyWiki instances are stored under one base directory, like:

/some/place

For example, say we have:

/some/place/foo
/some/place/bar
/some/place/[...]

For each TW instance, we have a TW shell script. There’s nothing unusual for this; if a wiki is stored at /some/place/foo/, then:

#!/bin/sh
cd /some/place && tiddlywiki foo --listen host=localhost port=[PORT]

Important details I’m leaving out:

  • We should have entries for “readers=”, “username=”, “writers=”, “password=”, maybe others.
    • Details will depend on your usecase
  • HTTPS needs keys. We’re assuming that your nginx service has that taken care of.

Moving on:

Make an entry in nginx’s config under the appropriate ‘server’ section. There’s no reason we can’t put this under HTTPS, so within the “listen 443 ssl;” section:

location /foo/ {
   proxy_pass http://127.0.0.1:[PORT]/;
   proxy_set_header  Host  $host;
   proxy_set_header  X-Real-IP  $remote_addr;
   proxy_set_header  X-Forewarded-For $proxy_add_x_for_for;
}

On both the shell script and the “location” entry, change “[PORT]” to whatever you choose, as long as it’s consistent. Remember that each instance of the wiki needs its own number, you know what to do.

Then, in the wiki’s source, in the directory ‘/tiddlers/’: make a page, named:

$__config_tiddlyweb_host.tid

So in our example we have:

/some/place/foo/tiddlers/$__config_tiddlyweb_host.tid

Contents of that file:

title: $:/config/tiddlyweb/host
type: text/vnd.tiddlywiki

$protocol$//$host$/[NAME]/

…in this example, [NAME] should be “foo”:

$protocol$//$host$/foo/

When the file is in place, check its permissions. Your details may vary; in our case we have:

-rw-rw-r-- 1 mjinks nginx 148 Mar 16 23:37 '/some/place/foo/tiddlers/$__config_tiddlyweb_host.tid'

The important part is that the nginx process needs read and write on the file. That probably isn’t handled automatically, so (again, your details may vary):

$ sudo chgrp nginx \$__config_tiddlyweb_host.tid
$ sudo chmod 664 \$__config_tiddlyweb_host.tid
$ ls -l \$__config_tiddlyweb_host.tid
-rw-rw-r-- 1 mjinks nginx   148 Mar 16 23:37 '$__config_tiddlyweb_host.tid'

From here on we’re just verifying that our setup is complete and correct.

Make sure the shell script is running. Restart it. Arrange for the script to be started at boot time; how will depend on your system.

Double check your nginx config. Restart that too.

Now with the service up and running we should be able to go to:

https://our.host.name/foo/

On its TW interface, click through to ‘More → System → $:/config/tiddlyweb/host’. In it we should find content something like:

$protocol$//$host$/foo/

…and that’s it! A TiddlyWiki instance upon the “Intarweb”. Now, make another one!


Testing your HTTPS settings

You can test your HTTPS setting at: SSL Server Test (Powered by Qualys SSL Labs)

It shows you some info about your https settings. If it doesn’t show an A grade … There is some work to do. Read the “hints” that the site gives you.

5 Likes

If you have questions or wish to discuss this further, please do so in the following thread and update the above wiki post with any pertinent information: