self-hosting with tls confusion

[nat-418]

been trying to self-host charm following the tls instructions but it's pretty confusing. including some more instructions on how to do it on a fresh vps would be useful, as well as explaining what tls brings over and against the basic ssh connection.

[aymanbagabas]

@nat-418 thank you for using Charm, and indeed, the self-hosting documents could be improved. Setting up TLS depends on your setup really.

We're hosting our infrastructure on AWS. The Charm instance uses 2 load balancers, one is layer 4 (NLB) for handling SSH requests, and the other is layer 7 (ALB) for handling HTTPS SSL/TLS requests. TLS gets terminated at the load balancer level, then the ALB communicates with the Charm instance in plain HTTP no-TLS.

The NLB handles incoming traffic using a TCP listener on port 35353 and forwards that to the Charm instance port 35353. The ALB handles incoming traffic using an HTTPS listener on port 35354, terminates TLS, and forwards plain HTTP to the Charm instance on port 35354.

If you want to use your own TLS certificate, you could specify CHARM_SERVER_USE_TLS, CHARM_SERVER_TLS_KEY_FILE, and CHARM_SERVER_TLS_CERT_FILE. In this case, the Charm HTTP server will handle TLS terminations.

[nat-418]

thanks @aymanbagabas I am going to keep fiddling with my setup and will submit a pr for the docs to include what i consider to be a pretty common use-case for self-hosters: a little vps running apache or nginx, let's encrypt, etc.

[aymanbagabas]

thanks @aymanbagabas I am going to keep fiddling with my setup and will submit a pr for the docs to include what i consider to be a pretty common use-case for self-hosters: a little vps running apache or nginx, let's encrypt, etc.

I use Docker+Traefik+Let's Encrypt in my setup, I can help with that :) I don't imagine nginx or apache to be much different really. In nginx, you could set up Let's Encrypt, SSL termination, and HTTPS/SSL on port 35354, then use proxy_pass to reverse proxy the requests to your Charm instance. For SSH port 35353, you'd just need to make sure that this port accepts incoming traffic on the VPS.

Helpful resources:
[1] https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
[2] https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
[3] https://upcloud.com/community/tutorials/install-lets-encrypt-nginx/