- Spin up a virtual machine running Debian
- Create a `helpcovid` user and group
- Create SSL certificate (optional)
- Adjust Firewall settings
- Install PostgreSQL and extensions
- Clone and build `helpcovid`
- Generate configuration file
- Run `helpcovid`
Although running HelpCovid as an HTTPS service is optional, it is highly recommended. If it is to be run as an HTTPS service, HelpCovid requires that an SSL certificate and its corresponding private key be available. Typically, such certificates and private keys are obtained from a registered Certificate Authority (CA).
If an SSL certificate from a Certificate Authority is not available, there is always the option of creating a self-signed certificate. Note that although HelpCovid will be able to run as an HTTPS service using a self-signed certificate, users running HelpCovid in their web browser will receive a warning message.
Another option is to create an SSL certificate through the free and open Let's Encrypt Certificate Authority provided by the Internet Security Research Group (ISRG). Arguably, this is a better option than a self-signed certificate, since web browsers trust certificates issued by Let's Encrypt.
We will explore both options in this section. Section 3.1 discusses how to create a self-signed certificate, and Section 3.2 shows how to generate a certificate through Let's Encrypt. Ideally, a self-signed certificate could be used while testing HelpCovid, and a certificate issued by Let's Encrypt could be used in the production environment.
On Debian, there are two ways to create a self-signed certificate. The first option is more involved, but gives greater control over the generation of the certificate. In contrast, the second option is simpler, but gives less control over the generation of the certificate. We will discuss both options.
sudo apt install openssl
sudo mkdir -p /etc/ssl/localcerts
sudo openssl req -new -x509 -days 365 -nodes \
-out /etc/ssl/localcerts/helpcovid.pem \
-keyout /etc/ssl/localcerts/helpcovid.key
sudo chmod 600 /etc/ssl/localcerts/helpcovid*
A series of questions will be asked, which would need to be answered. An illustrative set of answers is shown below.
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Paris
Locality Name (eg, city) []:Bourg Le Reine
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HelpCovid
Organizational Unit Name (eg, section) []:HelpCovid
Common Name (e.g. server FQDN or YOUR name) []:your_domain_or_server_IP_address
Email Address []:admin@your_domain.com
The most important questions that need to be answered are the last two, so please be sure to provide appropriate answers.
sudo apt install openssl
sudo apt install ssl-cert
The certificate is stored at `/etc/ssl/certs/ssl-cert-snakeoil.pem` and the private key at `/etc/ssl/private/ssl-cert-snakeoil.key`.
At any time, the certificate and key may be regenerated by running the following command:
sudo make-ssl-cert generate-default-snakeoil --force-overwrite
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt
sudo -H ./letsencrypt-auto certonly --standalone -d example.com \
-d www.example.com
The `-d` flag specifies the name of the (sub)domains for which to generate the certificate file. The same certificate can be used for multiple domains that you own. For illustrative purposes, we are using the fictitious `example.com` domain and `www.example.com` subdomain.
When prompted, you would need to specify an administrative e-mail address which will be used for important communication such as security notices and for regaining control of lost certificates. You will also need to agree to accept the Terms of Service, and can optionally share your e-mail address with the Electronic Frontier Foundation (EFF).
Once done, the certificate file will be saved to `/etc/letsencrypt/live/example.com/fullchain.pem` and the private key to `/etc/letsencrypt/live/example.com/privkey.pem`. Although other `*.pem` files are to be found in the directory, it is strongly recommended not to use any of the other certificates.
The `helpcovid` executable and C++ code require the public certificate and private key files not to be world-readable. Use the Linux command `chmod o-rwx` on these files when needed. See the calls to the stat(2) system call in our C++ files `hcv_main.cc` and `hcv_template.cc`.
In order to optionally renew certificates automatically, a crontab(5) rule needs to be set up.
cd /opt/letsencrypt
./letsencrypt-auto renew
sudo crontab -e
Add the following to the end of the crontab file:
0 0 1 * * /opt/letsencrypt/letsencrypt-auto renew
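The permission requirement and the renewal schedule described above can be checked before starting the service. The following script is an added example, not part of HelpCovid: the function names are illustrative, and it assumes GNU `stat` and the `openssl` command line tool as installed on Debian. It verifies that neither file is accessible to "other", that the private key belongs to the certificate, and that the certificate does not expire within 30 days.

```shell
#!/bin/sh
# Added example, not HelpCovid code. Function names are illustrative.

# Succeeds only if $1 is a regular file with no permission bits for "other".
not_world_accessible() {
    [ -f "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2     # GNU stat, as on Debian
    case "$mode" in
        *0) return 0 ;;                       # last octal digit 0 == o-rwx
        *)  return 1 ;;
    esac
}

# Succeeds if private key $2 carries the same public key as certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if certificate $1 is still valid $2 days from now (default 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Runs all checks on CERT ($1) and KEY ($2); returns the number of problems.
preflight() {
    problems=0
    for f in "$1" "$2"; do
        not_world_accessible "$f" || {
            echo "FAIL: $f is missing or accessible to others (chmod o-rwx)"
            problems=$((problems + 1))
        }
    done
    key_matches_cert "$1" "$2" || {
        echo "FAIL: private key does not match certificate"
        problems=$((problems + 1))
    }
    valid_for_days "$1" 30 || {
        echo "WARN: certificate expires within 30 days (or is unreadable)"
        problems=$((problems + 1))
    }
    return "$problems"
}

# Usage: sh preflight.sh CERT KEY
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The exit status of `preflight` is the number of failed checks, so it can gate a start script or a monitoring job.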
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw allow 8089/tcp    # for a custom port
sudo ufw allow https       # or, for HTTPS
sudo ufw enable
sudo ufw status
sudo apt install postgresql postgresql-client
sudo pg_isready
sudo systemctl status postgresql
The `pgcrypto` extension is used for encrypting sensitive data such as passwords and personally identifiable data (including medical records). The `pgcrypto` extension supports both hashing and encryption algorithms, and is part of the `postgresql-contrib` package. Install it like so:
sudo apt install postgresql-contrib
The `pgtap` extension is a unit testing framework implementing the Test Anything Protocol (TAP) for PostgreSQL. `pgtap` is particularly useful in checking whether the database schema has been created correctly.
git clone https://github.com/theory/pgtap.git
cd pgtap
make
make install
cpan App::cpanminus
sudo cpan TAP::Parser::SourceHandler::pgTAP
sudo passwd postgres
sudo vim /etc/postgresql/11/main/pg_hba.conf
Change "trust" to "md5"
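To confirm that no `trust` rule is left after editing `pg_hba.conf`, the authentication method column has to be checked rather than the whole line, because a database or user may itself be named `trust`. The script below is an added example, not part of HelpCovid: the function names and the sample file are constructed for illustration, and it assumes unquoted database and user names.

```shell
#!/bin/sh
# Added example, not HelpCovid code. Lists pg_hba.conf rules using "trust".

# Constructed sample input covering the record layouts pg_hba.conf allows.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER      ADDRESS              METHOD
local   all       postgres                       peer
local   all       all                            trust
host    all       all       127.0.0.1/32         md5
host    all       all       10.0.0.0 255.0.0.0   trust
host    trustdb   trust     ::1/128              md5   # names only, not the method
EOF
}

# Prints "LINENO: rule" for each rule whose authentication method is "trust".
# Reads the file named in $1, or standard input when no file is given.
find_trust_rules() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            if ($1 == "local")
                method = $4                     # local DATABASE USER METHOD
            else if ($5 ~ /^[0-9.]+$/ || $5 ~ /:/)
                method = $6                     # host ... IP-ADDRESS IP-MASK METHOD
            else
                method = $5                     # host ... ADDRESS METHOD
            if (method == "trust") print NR ": " $0
        }' "${1:--}"
}

# Scan the file given as argument, or the constructed sample when none is given.
if [ "$#" -ge 1 ]; then
    find_trust_rules "$1"
else
    sample_pg_hba | find_trust_rules
fi
```

On the system described here it would be run as `sudo sh check_pg_hba.sh /etc/postgresql/11/main/pg_hba.conf`, where the script name is hypothetical; no output means no `trust` rule remains.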
sudo apt install build-essential
sudo apt install g++
sudo apt install git
sudo apt install libjsoncpp-dev
cd ~/helpcovidu
git clone https://github.com/bstarynk/helpcovid.git
cd helpcovid
make