Originally published on 17 February 2020
Contents
Over the past few weeks, I've been experimenting with getting back on IRC. IRC is a fairly mature chat protocol that I last heavily used in college. Since then, it's really fallen by the wayside for me as other chat and messaging apps such as Telegram, Discord, Slack and others have taken off and gained wider adoption. Many of these newer applications are easier to get up and running, don't require a lot of technical knowledge, and provide more feature-rich capabilities such as the ability to post images, gifs and formatted text. Even some of the open source options such as Mattermost, Rocket.Chat and Riot have been gaining users. All of these options also have easily installable mobile apps to stay connected on the go.
Despite the features and gaining popularity of these other alternatives, there is something unique about IRC that has had me exploring more ways to get back into that community. Perhaps it's because IRC does require some more effort to to use that allures me to try it again. Because it's all text-based, I don't get distracted by all of the gifs, images and videos you see posted in other communities. Or perhaps there is something nostalgic about it that reminds me of my days sitting in the computer lab at Ohio State chatting with people in the next department over or across the world, back when long distance calling was still something you had to pay several dollars per minute for.
Unlike many other options that use proprietary protocols, IRC is an open standard which means you can use any of the multitude of clients available to log on and communicate with others. I've been using Pidgin for awhile now since it comes installed by default on many Ubuntu-based distributions and is cross-platform. Recently, however, I have been experimenting with some commandline-based programs such as Irssi and Weechat. I really enjoy using these lightweight programs in the terminal and perhaps I'll write up a blog post in the future describing how I use them.
One of the defining characteristics (which some might call a feature) of IRC when using clients such as Pidgin or even the commandline-based ones, is that the chat history is, by default, ephemeral. This means that if you aren't actively logged into a channel, you'll miss out on whatever transpired when you step away. Most clients also don't have out of the box functionality such as notifications to alert you when someone in the channel tagged your nick, or username. You can configure what are called IRC bouncers such as ZNC to serve as a proxy between you and the IRC network you want to connect to. The bouncer can remain persistently connected to IRC and you log into and off the bouncer. I've never set up a bouncer before so I can't speak to the technical complexity of it but based on my initial research, it seems a bit beyond my technical reach. You can solve this connectivity problem more readily with the commandline clients such as Irssi and Weechat when you use them in conjunction with a terminal multiplexer such as Screen or Tmux. There are also cloud services such as IRCCloud that you can pay for that provide a web interface to IRC networks, have mobile applications you can download to your phone, and allow you to remain connected to various IRC channels even when you are not in front of your computer.
The Lounge is kind of like a self-hosted version of IRCCloud that I have been playing around with the past few days and I have to say, I really like what I see so far. It offers a good compromise between a native desktop app such as Pidgin and the web-based UI that is more familiar to people used to chatting in Slack or Discord. It took me a bit longer than expected to get up and running mainly because of my lack of technical expertise but partly also because the documentation lacks a "soup to nuts" tutorial to get you going. I had to piece together a number of steps taken alternately from both the application's online documentation as well as some Digital Ocean tutorials. Please see the section below for links to further reading. In the rest of this post, I will describe how I installed The Lounge on an Azure virtual machine running Ubuntu 18.04.
Before beginning, make sure you open port 9000 on the virtual machine running Ubuntu. By default, this is the port that The Lounge listens on. For Azure hosted VMs, go into the "Networking" section of your virtual machine and click on "Add inbound port rule". Change the "Destination port ranges" field to 9000 and update the "Name" field to TheLounge.
If you have registered a domain and wish to run The Lounge on a subdomain, such as http://irc.example.com, you'll need to configure the Azure DNZ Zone. Create a "Record Set" following these instructions using irc for the "Name" field.
Log into the Ubuntu virtual machine and perform some initial setup before installing The Lounge:
$ sudo apt update $ sudo apt upgrade $ sudo apt dist-upgrade
I would recommend the optional step of creating a separate user who will be responsible for administering The Lounge, one that is separate from the user you'll use to SSH into your VM. This way, if the username and IP address of the user administering The Lounge leaks into an IRC channel (typically when you join or quit a channel), it won't be the same as the user that SSHs into the machine. Yes, this is a bit of security through obscurity, but I feel more comfortable separating the users. You can also block the new user account from being able to SSH into your virtual machine using the DenyUsers directive in the /etc/ssh/sshd_config configuration file. Please see this post on Hardening Your SSH Configuration for more options.
$ sudo adduser username $ sudo usermod -aG sudo username $ sudo su username
You may need to also change the default text editor for your new user if you prefer something other than nano.
$ sudo update-alternatives --config editor There are 4 choices for the alternative editor (providing /usr/bin/editor). Selection Path Priority Status ------------------------------------------------------------ * 0 /bin/nano 40 auto mode 1 /bin/ed -100 manual mode 2 /bin/nano 40 manual mode 3 /usr/bin/vim.basic 30 manual mode 4 /usr/bin/vim.tiny 15 manual mode Pressto keep the current choice[], or type selection number: 3 update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode
You can also adjust the sudoers file to allow the new user to execute sudo commands without having to enter a password.
Most online instructions, including the official documentation, have you first install Node.js after which you can download and install a deb package. I've found it much easier to install The Lounge using the available snap package. To install The Lounge, just run the following command:
$ sudo snap install thelounge
Next, change the owner of The Lounge home directory in the snap to the new user you created earlier:
$ sudo chown -R $USER:$USER /var/snap/thelounge/XX/home
where XX will depend on your installation.
Confirm that you can now execute thelounge commands with the current user without having to escalate privileges:
$ thelounge start $ thelounge list
Check that you can now access The Lounge by visiting http://irc.example.com:9000. You can now add users for The Lounge via the documentation guide provided here. Note that at this point, you need to specify the port on which The Lounge listens to and that your connection is still running through HTTP, not HTTPS. We'll address those issues in the next few steps.
First, edit The Lounge config.js file to enable the reverse proxy. When using The Lounge behind a reverse proxy, set the reverseProxy option to true in your configuration file. This will instruct The Lounge to use the X-Forwarded-For header passed by your reverse proxy.
$ sudo vim /var/snap/thelounge/XX/home/config.js reverseProxy: true,
Now we can install NGINX and enable the service:
$ sudo apt install nginx $ sudo systemctl enable nginx
Next, create the NGINX configuration file /etc/nginx/sites-available/irc.example.com using the following configuration:
server {
listen 80;
listen [::]:80;
server_name irc.example.com;
location / {
proxy_pass http://irc.example.com:9000/;
proxy_http_version 1.1;
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 1d;
}
}Create a link between the configuration file and the sites-enabled directory which NGINX reads during startup:
$ sudo ln -s /etc/nginx/sites-available/irc.example.com /etc/nginx/sites-enabled/
Check the configuration and restart the NGINX service:
$ sudo nginx -t $ sudo systemctl restart nginx
The Lounge should now be running behind a reverse proxy and be accessible at http://irc.example.com.
The first step in enabling HTTPS is to install certbot:
$ sudo add-apt-repository ppa:certbot/certbot $ sudo apt install python-certbot-nginx $ sudo systemctl reload nginx
Then apply for the certificate. Provide the required information and when prompted, select the option to redirect HTTP requests to HTTPS.
$ sudo certbot --nginx -d irc.example.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator nginx, Installer nginx Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): email@example.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (A)gree/(C)ancel: A - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y Obtaining a new certificate Performing the following challenges: http-01 challenge for irc.example.com Waiting for verification... Cleaning up challenges Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/irc.example.com Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/irc.example.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://irc.example.com You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=irc.example.com - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/irc.example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/irc.example.com/privkey.pem Your cert will expire on 2020-05-17. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le - We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.
Open your configuration file, located at /var/snap/thelounge/XX/home/config.js, find the https stanza, and set the following values:
enable to trueprivkey.pem:fullchain.pemFor example:
https: {
enable: true,
key: "/etc/letsencrypt/live/irc.example.com/privkey.pem",
certificate: "/etc/letsencrypt/live/irc.example.com/fullchain.pem",
ca: "",
},Let's Encrypt will create its /etc/letsencrypt folder under the ownership of the root user, so you might have to change the owner of these files to the user that runs The Lounge.
$ sudo chown -R $USER:$USER /etc/letsencrypt $ sudo systemctl restart nginx
Verify that you can now reach your site at https://irc.example.com.
Let's Encrypt's certificates are only valid for 90 days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within 30 days of expiration.
To test the renewal process, you can do a dry run with certbot:
$ sudo certbot renew --dry-run Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Processing /etc/letsencrypt/renewal/irc.example.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert not due for renewal, but simulating renewal for dry run Plugins selected: Authenticator nginx, Installer nginx Renewing an existing certificate Performing the following challenges: http-01 challenge for irc.example.com Waiting for verification... Cleaning up challenges - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - new certificate deployed with reload of nginx server; fullchain is /etc/letsencrypt/live/irc.example.com/fullchain.pem - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates below have not been saved.) Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/irc.example.com/fullchain.pem (success) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload NGINX to pick up the changes. If the automated renewal process ever fails, Let's Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
For further reading, please consult the following resources which were instrumental in helping me create this tutorial:
If you happen to be hanging around #d, #freebsd, ##networking, #photogeeks, #ubuntu or #darkscience and happen to see me lurking around, please be sure to say Hello!