From 8ad2dca730db6fdf5560f359c407ed2f5212ebd8 Mon Sep 17 00:00:00 2001 From: Ape Mithrandir Date: Mon, 27 Feb 2023 13:41:10 +0000 Subject: [PATCH] Updating GUIDE.md --- public-electrum-server/GUIDE.md | 144 ++++++++++++++++++++++++++++++-- 1 file changed, 139 insertions(+), 5 deletions(-) diff --git a/public-electrum-server/GUIDE.md b/public-electrum-server/GUIDE.md index 15dfd64..a4003ac 100644 --- a/public-electrum-server/GUIDE.md +++ b/public-electrum-server/GUIDE.md @@ -18,7 +18,7 @@ Setup Fulcrum Server OR ElectrumX Server on Local machine: - [UNB22 - 05 - Fulcrum Server](https://youtu.be/SpQRrbJt7cg) OR - [Running an ElectrumX Server](https://youtu.be/QiX0rR_o_fI) -In addition to the above you will also need a VPS: +In addition to the above you will also need a remote server: - [Host4Coins](https://host4coins.net/) - [1984Hosting](https://1984.hosting/) @@ -30,7 +30,7 @@ The way we are going to expose our Bitcoin indexer to the public is via a [Rever This [guide](https://openoms.github.io/bitcoin-tutorials/ssh_tunnel.html) from @openoms covers some of this but not specifically from the perspective of tunnelling your Electrum Server. -You should have [ssh keys setup](https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/) and copied over to your VPS. For this ssh tunnel daemon to work smoothly you will need ssh keys without a passphrase. +You should have [ssh keys setup](https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/) and copied over to your remote server. For this ssh tunnel daemon to work smoothly you will need ssh keys without a passphrase. First install autossh which is a wrapper on ssh: ```bash @@ -54,7 +54,7 @@ After=network.target User=statue Group=statue Environment="AUTOSSH_GATETIME=0" -ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -R :localhost:50001 @ +ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -R :localhost:50001 @ Restart=always RestartSec=60 StandardOutput=journal 
@@ -62,6 +62,7 @@ StandardOutput=journal [Install] WantedBy=multi-user.target ``` +_Note: Remote port should not be equal to 50001 or 50002 to avoid potential binding issues on your remote server._ The port you are tunneling should be the regular TCP port 50001 and not the SSL port 50002. This is because on the VPS we will be using your cert and key from @@ -78,11 +79,11 @@ sudo systemctl enable ssh-tunnel.service sudo systemctl start ssh-tunnel.service ``` -You should then check the status or logs: +You should then check the status: ```bash sudo systemctl status ssh-tunnel.service ``` -or +or logs: ```bash journalctl -fu ssh-tunnel.service ``` 
@@ -92,3 +93,136 @@ This important line in the logs you should be looking for is this: autossh[]: debug1: remote forward success for: listen , connect localhost:50001 ``` +### Remote Server Setup + +The remote server should be running a debian-based headless distro. You will need +[nginx +installed](https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/). +If you got your server from [1984Hosting](https://1984.hosting/) they have the +option to pre-install some packages including nginx. + +As per [@openoms guide](https://openoms.github.io/bitcoin-tutorials/ssh_tunnel.html) you should login as root or run: +``` +sudo su +``` +edit the sshd config: +```bash +vim /etc/ssh/sshd_config +``` +Make sure the following entries are active (uncommented, meaning there is no # at the beggining of the line). You can search for them in the config or if they are not included just paste these on the end of the file: +``` +RSAAuthentication yes +PubkeyAuthentication yes +GatewayPorts yes +AllowTcpForwarding yes +ClientAliveInterval 60 +``` + +Restart the sshd service (WARNING: you can lose access at this point if the config is wrong): +``` +systemctl restart sshd +``` + +Log back onto your remote server and check that the reverse ssh-tunnel is working: +```bash +lsof -i : +``` +This should return: +```bash +COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME +sshd root 7u IPv4 00000000 0t0 TCP *: (LISTEN) +sshd root 8u IPv6 00000000 0t0 TCP *: (LISTEN) +``` +You can also use: +```bash +netstat -tulpn | grep +``` +which should return: +```bash +tcp 0 0 0.0.0.0: 0.0.0.0:* LISTEN /sshd: +tcp6 0 0 ::: :::* LISTEN /sshd: +``` + +Now you will need to edit your nginx config (use sudo if not logged in as root): +```bash +vim /etc/nginx/nginx.conf +``` +Then add this section before the `http{}` part of the config: +```conf +stream { + server { + listen [::]:50002 ssl; + listen 50002 ssl; + proxy_pass localhost:; + ssl_certificate /etc/ssl//server.crt; + 
ssl_certificate_key /etc/ssl//server.key; + error_log /var/log/nginx/error.log; + } +} +``` +Now you might be wondering where to get the `ssl_certificate` and +`ssl_certificate_key`. If you already setup ssl on you Electrum server on your +local machine then you can use +[scp](https://www.freecodecamp.org/news/scp-linux-command-example-how-to-ssh-file-transfer-from-remote-to-local/) +to copy those certificate and keys to your remote server and reuse them. + +Otherwise you can create a fresh set of keys (add sudo if not logged in as +root): +```bash +apt install openssl +mkdir /etc/ssl/ +cd /etc/ssl// +openssl genrsa -des3 -out server.pass.key 2048 +openssl rsa -in server.pass.key -out server.key +rm server.pass.key +openssl req -new -key server.key -out server.csr +openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt +rm server.csr +``` + +Now you need to check that you haven't messed up your `nginx.conf` by running: +```bash +nginx -t +``` +This should return: +```bash +nginx: the configuration file /etc/nginx/nginx.conf syntax is ok +nginx: configuration file /etc/nginx/nginx.conf test is successful +``` + +Now reload the daemon and restart nginx: +```bash +systemctl daemon-reload +systemctl restart nginx +``` +Now you should check the status of nginx: +```bash +systemctl status nginx +``` + +If you get something like this: +``` +nginx: [emerg] bind() to 0.0.0.0:50002 failed (98: Address already in use) +``` + +Then it means you are re-using one of your ports. Stop nginx and have a look +at: +``` +lsof -i :50002 +``` +with nginx stopped there shouldn't be anything running on your remote server +over that port. If there is then you might need to change the listen port in your +stream nginx config. + +Now in order for someone to use your public facing Electrum server they will +need to enter use `:50002`. 
This means that you will need +to open traffic over port 50002: +```bash +apt install ufw +ufw status +ufw allow 50002 +ufw status +``` +You will also want to look into server security: + - [How to disable ssh password login](https://www.cyberciti.biz/faq/how-to-disable-ssh-password-login-on-linux/) + - [Fail2Ban](https://github.com/fail2ban/fail2ban)
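Review bot: in the @@ -54 hunk the removed and added `ExecStart=` lines are identical as rendered (`-R :localhost:50001 @`), so it is not possible to review what actually changed; the remote-port and user@host placeholders were presumably written in angle brackets and were dropped by the markdown renderer. Use a placeholder form that survives rendering (for example `REMOTE_PORT` and `USER@REMOTE_HOST`) so readers can see what they must fill in, and reconsider keeping `-v` in a long-running unit, since it writes debug output to the journal on every reconnect.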
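Review bot: in the @@ -62 hunk the added note only covers the port collision, not the exposure of the forwarded port. With `GatewayPorts yes` (set in the sshd_config section later in this patch) and the empty bind address in `-R :localhost:50001`, the forwarded plaintext Electrum port listens on every interface of the remote server; the expected `lsof` output later in the patch confirms this with `TCP *:<port> (LISTEN)`. That makes the unencrypted 50001 service reachable from the internet directly, bypassing the nginx TLS front end. Bind the forward to loopback instead, e.g. `-R 127.0.0.1:<remote-port>:localhost:50001`, since `proxy_pass localhost:<remote-port>` only needs it locally, and say so in the note. Style: the context line "on the VPS we will be using your cert and key" still says VPS while the earlier hunks rename it to "remote server"; update it for consistency.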
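Review bot: in the @@ -92 hunk the sshd_config block should drop `RSAAuthentication yes`, which is a removed protocol-1 directive that current OpenSSH ignores, and `GatewayPorts yes` is not needed at all if the reverse forward is bound to loopback; since the text itself warns that a bad config can lock you out, add `sshd -t` before `systemctl restart sshd`. The ufw steps never run `ufw enable`, so `ufw status` will report inactive and `ufw allow 50002` has no effect; if the reader does enable it, `ufw allow OpenSSH` must come first or the SSH session (and the tunnel) is cut off. The key generation creates a passphrase-protected key only to strip it again; `openssl genrsa -out server.key 2048` does the same in one step, and the guide should tell the reader to `chmod 600 server.key` so the private key is not world-readable. `systemctl daemon-reload` is only needed after editing unit files, not `nginx.conf`. Wording: "beggining" should be "beginning", "setup ssl on you Electrum server" should be "set up ssl on your Electrum server", and "need to enter use `:50002`" should read "need to enter `<host>:50002`".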