More nginx additions

rootfs/standard/etc/nginx/modules-enabled/https_electrs.conf

@@ -0,0 +1,17 @@
+#stream {
+#    # SSL proxy for electrs
+#    upstream electrs {
+#        server 127.0.0.1:50001;
+#    }
+#    server {
+#        listen 50002 ssl;
+#        proxy_pass electrs;
+#
+#        ssl_certificate /home/bitcoin/.mynode/electrs/myNode.local.crt;
+#        ssl_certificate_key /home/bitcoin/.mynode/electrs/myNode.local.key;
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout 4h;
+#        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+#        ssl_prefer_server_ciphers on;
+#    }
+#}

rootfs/standard/etc/nginx/mynode/https_proxies

@@ -1,50 +0,0 @@
-stream {
-        # HTTPS Proxy for RTL
-        upstream rtl {
-                server 127.0.0.1:3010;
-        }
-        server {
-                listen 6010 ssl;
-                proxy_pass rtl;
-
-                ssl_certificate /home/bitcoin/.mynode/https/myNode.local.crt;
-                ssl_certificate_key /home/bitcoin/.mynode/https/myNode.local.key;
-                ssl_session_cache shared:SSL:1m;
-                ssl_session_timeout 4h;
-                ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-                ssl_prefer_server_ciphers on;
-        }
-
-        # HTTPS Proxy for Thunderhub
-        upstream thunderhub {
-                server 127.0.0.1:3030;
-        }
-        server {
-                listen 6030 ssl;
-                proxy_pass thunderhub;
-
-                ssl_certificate /home/bitcoin/.mynode/https/myNode.local.crt;
-                ssl_certificate_key /home/bitcoin/.mynode/https/myNode.local.key;
-                ssl_session_cache shared:SSL:1m;
-                ssl_session_timeout 4h;
-                ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-                ssl_prefer_server_ciphers on;
-        }
-
-        # HTTPS Proxy for lnbits
-        upstream lnbits {
-                server 127.0.0.1:5000;
-        }
-        server {
-                listen 6050 ssl;
-                proxy_pass lnbits;
-
-                ssl_certificate /home/bitcoin/.mynode/https/myNode.local.crt;
-                ssl_certificate_key /home/bitcoin/.mynode/https/myNode.local.key;
-                ssl_session_cache shared:SSL:1m;
-                ssl_session_timeout 4h;
-                ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-                ssl_prefer_server_ciphers on;
-        }
-
-}

rootfs/standard/etc/nginx/mynode/mynode_ssl_cert_key.conf

@@ -0,0 +1,3 @@
+# Set myNode HTTPS Cert and Key
+ssl_certificate /home/bitcoin/.mynode/https/myNode.local.crt;
+ssl_certificate_key /home/bitcoin/.mynode/https/myNode.local.key;

rootfs/standard/etc/nginx/mynode/mynode_ssl_params.conf

@@ -0,0 +1,14 @@
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers 'TLS13+AESGCM+AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
+
+# add HSTS header with a value of 365 days
+add_header Strict-Transport-Security "max-age=31536000";
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;

rootfs/standard/etc/nginx/mynode/mynode_ssl_proxy_params.conf

@@ -0,0 +1,8 @@
+proxy_redirect off;
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+
+# remove if not needed
+# proxy_set_header X-Forwarded-Host $server_name;

rootfs/standard/etc/nginx/sites-enabled/https_lnbits.conf

@@ -0,0 +1,17 @@
+server {
+    listen 5001 ssl;
+    server_name lnbits;
+
+    include /etc/nginx/mynode/mynode_ssl_params.conf;
+    include /etc/nginx/mynode/mynode_ssl_cert_key.conf;
+
+    access_log /var/log/nginx/access_lnbits.log;
+    error_log /var/log/nginx/error_lnbits.log;
+
+    location / {
+        proxy_pass http://127.0.0.1:5000;
+
+        include /etc/nginx/mynode/mynode_ssl_proxy_params.conf;
+    }
+
+}

rootfs/standard/etc/nginx/sites-enabled/https_rtl.conf

@@ -0,0 +1,17 @@
+server {
+    listen 3011 ssl;
+    server_name rtl;
+
+    include /etc/nginx/mynode/mynode_ssl_params.conf;
+    include /etc/nginx/mynode/mynode_ssl_cert_key.conf;
+
+    access_log /var/log/nginx/access_rtl.log;
+    error_log /var/log/nginx/error_rtl.log;
+
+    location / {
+        proxy_pass http://127.0.0.1:3010;
+
+        include /etc/nginx/mynode/mynode_ssl_proxy_params.conf;
+    }
+
+}

rootfs/standard/etc/nginx/sites-enabled/https_thunderhub.conf

@@ -0,0 +1,17 @@
+server {
+    listen 3031 ssl;
+    server_name thunderhub;
+
+    include /etc/nginx/mynode/mynode_ssl_params.conf;
+    include /etc/nginx/mynode/mynode_ssl_cert_key.conf;
+
+    access_log /var/log/nginx/access_thunderhub.log;
+    error_log /var/log/nginx/error_thunderhub.log;
+
+    location / {
+        proxy_pass http://127.0.0.1:3030;
+
+        include /etc/nginx/mynode/mynode_ssl_proxy_params.conf;
+    }
+
+}

rootfs/standard/etc/nginx/sites-enabled/https_www.conf

@@ -0,0 +1,16 @@
+#server {
+#    listen 443 ssl;
+#    server_name https;
+#
+#    include /etc/nginx/mynode/mynode_ssl_params.conf;
+#    include /etc/nginx/mynode/mynode_ssl_cert_key.conf;
+#
+#    access_log /var/log/nginx/access_www_https.log;
+#    error_log /var/log/nginx/error_www_https.log;
+#
+#    location / {
+#        proxy_pass http://127.0.0.1:80;
+#
+#        include /etc/nginx/mynode/mynode_ssl_proxy_params.conf;
+#    }
+#}

rootfs/standard/etc/tor/torrc

@@ -221,9 +221,13 @@ HiddenServicePort 2222 127.0.0.1:2222
 HiddenServicePort 3000 127.0.0.1:3000
 HiddenServicePort 3002 127.0.0.1:3002
 HiddenServicePort 3010 127.0.0.1:3010
+HiddenServicePort 3011 127.0.0.1:3011
 HiddenServicePort 3020 127.0.0.1:3020
+HiddenServicePort 3030 127.0.0.1:3030
+HiddenServicePort 3031 127.0.0.1:3031
 HiddenServicePort 4080 127.0.0.1:4080
 HiddenServicePort 5000 127.0.0.1:5000
+HiddenServicePort 5001 127.0.0.1:5001
 HiddenServicePort 8899 127.0.0.1:8899
 HiddenServicePort 19999 127.0.0.1:19999
 HiddenServicePort 25441 127.0.0.1:25441

rootfs/standard/usr/bin/mynode-local-upgrade

@@ -18,8 +18,9 @@ else
     ip_address="$1"
 fi
 
-# Clear /var/log tmpfs
+# Clear /var/log tmpfs (remake necessary folders)
 rm -rf /var/log/*
+mkdir -p /var/log/nginx
 
 # Delete any existing rootfs tarball and download new one
 rm -f mynode_rootfs_${DEVICE_TYPE}.tar.gz

rootfs/standard/usr/bin/mynode_firewall.sh

@@ -34,14 +34,14 @@ ufw allow 3000  comment 'allow LndHub'
 ufw allow 3002  comment 'allow BTC RPC Explorer'
 #ufw allow 3004  comment 'allow LND Admin'
 ufw allow 3010  comment 'allow RTL'
+ufw allow 3011  comment 'allow RTL HTTPS'
 ufw allow 3020  comment 'allow Caravan'
 ufw allow 3030  comment 'allow Thunderhub'
+ufw allow 3031  comment 'allow Thunderhub HTTPS'
 ufw allow 4080  comment 'allow Mempool'
 ufw allow 5000  comment 'allow LNBits'
+ufw allow 5001  comment 'allow LNBits HTTPS'
 ufw allow 5353  comment 'allow Avahi'
-ufw allow 6010  comment 'allow HTTPS Proxy for RTL'
-ufw allow 6030  comment 'allow HTTPS Proxy for Thunderhub'
-ufw allow 6050  comment 'allow HTTPS Proxy for LNBits'
 ufw allow 8899  comment 'allow Whirlpool'
 ufw allow 50001 comment 'allow Electrum Server'
 ufw allow 50002 comment 'allow Electrum Server'

rootfs/standard/usr/bin/mynode_post_upgrade.sh

@@ -11,8 +11,9 @@ date
 # Shut down main services to save memory and CPU
 /usr/bin/mynode_stop_critical_services.sh
 
-# Delete ramlog to prevent ram issues
+# Delete ramlog to prevent ram issues (remake necessary folders)
 rm -rf /var/log/*
+mkdir -p /var/log/nginx
 
 # Create any necessary users
 
@@ -76,6 +77,7 @@ apt-get -y purge chrony # (conflicts with systemd-timedatectl)
 mkdir -p /var/log/nginx || true
 $TORIFY apt-get -y install nginx || true
 # Install may fail, so we need to edit the default config file and reconfigure
+rm -f /etc/nginx/modules-enabled/50-mod-* || true
 echo "" > /etc/nginx/sites-available/default
 dpkg --configure -a
 
@@ -629,6 +631,10 @@ if [ $IS_ROCKPRO64 = 1 ]; then
 fi
 
 
+# Update nginx conf file
+cp -f /usr/share/mynode/nginx.conf /etc/nginx/nginx.conf
+
+
 # Cleanup MOTD
 rm -f /etc/update-motd.d/10-armbian-header || true
 rm -f /etc/update-motd.d/30-armbian-sysinfo || true

rootfs/standard/usr/bin/mynode_startup.sh

@@ -461,13 +461,32 @@ if [ $STARTUP_MODIFIED -eq 1 ]; then
     exit 0
 fi
 
+# Generate certificates
+echo "Generating certificates..."
+/usr/bin/mynode_gen_cert.sh https 825
+/usr/bin/mynode_gen_cert_electrs.sh
+
+# Setup nginx HTTPS proxy
+mkdir -p /var/log/nginx || true
+mkdir -p /etc/nginx || true
+rm -f /etc/nginx/modules-enabled/50-mod-* || true # Remove unnecessary files
+if [ ! -f /etc/ssl/certs/dhparam.pem ]; then
+    time openssl dhparam -out /tmp/dhparam.pem 2048
+    cp -f /tmp/dhparam.pem /etc/ssl/certs/dhparam.pem
+    sync
+else
+    echo "dharam.pem already created"
+fi
+cp -f /usr/share/mynode/nginx.conf /etc/nginx/nginx.conf
+systemctl restart nginx || true
+
 
 # Weird hacks
 chmod +x /usr/bin/electrs || true # Once, a device didn't have the execute bit set for electrs
 timedatectl set-ntp True || true # Make sure NTP is enabled for Tor and Bitcoin
 rm -f /var/swap || true # Remove old swap file to save SD card space
 systemctl enable check_in || true
-mkdir -p /var/log/nginx || true
+
 
 # Check for new versions
 torify wget $LATEST_VERSION_URL -O /usr/share/mynode/latest_version || true

rootfs/standard/usr/share/mynode/nginx.conf

@@ -1,7 +1,10 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
+
+load_module /usr/lib/nginx/modules/ngx_stream_module.so;
+
+include /etc/nginx/modules-enabled/*.conf; 
 
 events {
 	worker_connections 768;
@@ -61,6 +64,3 @@ http {
 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*;
 }
-
-# Start HTTPS Proxies for myNode
-include /etc/nginx/mynode/https_proxies;

rootfs/standard/var/www/mynode/templates/lnd.html

@@ -66,7 +66,7 @@
                 });
 
                 $("#rtl").on("click", function() {
-                    url = location.protocol+'//'+location.hostname+':3010'
+                    url = 'https://'+location.hostname+':3011';
                     window.open(url,'_blank');
                 })
 

rootfs/standard/var/www/mynode/templates/main.html

@@ -19,17 +19,17 @@
                 })
 
                 $("#rtl").on("click", function() {
-                    url = 'http://'+location.hostname+':3010'
+                    url = 'https://'+location.hostname+':3011'
                     window.open(url,'_blank');
                 })
 
                 $("#lnbits").on("click", function() {
-                    url = 'http://'+location.hostname+':5000'
+                    url = 'https://'+location.hostname+':5001'
                     window.open(url,'_blank');
                 })
 
                 $("#thunderhub").on("click", function() {
-                    url = 'http://'+location.hostname+':3030'
+                    url = 'https://'+location.hostname+':3031'
                     window.open(url,'_blank');
                 })
 

setup/setup_device.sh

@@ -149,6 +149,7 @@ apt-get -y install --no-install-recommends expect
 mkdir -p /var/log/nginx
 $TORIFY apt-get -y install nginx || true
 # Install may fail, so we need to edit the default config file and reconfigure
+rm -f /etc/nginx/modules-enabled/50-mod-* || true
 echo "" > /etc/nginx/sites-available/default
 dpkg --configure -a