Who Wants To Hear More About Blog Configuring??

I am pretty sure no one does!

For someone who was determined to get this blog up and running then forget about it, I sure have made a fair number of posts. Today I decided that getting a TLS cert and some login security absolutely had to be done!

So some high-level talk about this webhost: It's a mess. I have installed and orphaned SO many things here that I often run into trouble when I want to do something new (that I will then forget about.) I am sure there is still a Mumble server on here, from the days before Discord, and the husks of many a Red Discord bot litter my home directory. But something that isn't abandoned is the Mailu server I run. It gets updated and I use it for all my personal domains now that GSuite hosting is dead (THANKS GOOGLE.)

Mailu is really cool in that it's just a couple of config files that tell a series of docker containers how you want your mail server configured. I have kept it (somewhat) up-to-date, and I log into the webmail weekly, if not approaching daily. I also have my phone email client hooked up to it via IMAP to let me know when I get (extremely infrequent) mail. I had to configure it in a bit of a round-about way since I have Nginx bound to port 80 for all the web pages that I don't update. Mailu needs port 80 exposed so it can use LetsEncrypt to assign it the relatively short-lived TLS certs. (Mailu uses the ACME bot that does verification against a directory in the root of the webserver on port 80, since if your cert is expired port 443 isn't going to work.) Since I already had port 80 bound to Nginx I had to tell Mailu to use port 8080 on the outside of the docker container and point it to its internal port 80. I then told Nginx to proxy any traffic for the mailserver URL on port 80 to port 8080, and bang! it worked!

Now, that long and somewhat boring story seems irrelevant since I am getting a TLS cert for the blog working, not Mailu. Well, since I only proxied port 80 to Mailu that meant that port 443 (ssl) was bound to Mailu directly. I was ready to write off adding certs to the blog until my friend Mike pointed out that I could have Mailu listen on port 8443 and then use Nginx to proxy 443 to it. This was an excellent idea, so I went about getting a snazzy new LetsEncrypt setup configured (using SnapCraft to set up Certbot, which I have never encountered and was pretty impressed with!). The problem with making these changes years after installing this is that you usually have no idea how you configured them in the first place. Thankfully Mailu has very good documentation, and I was able to edit the docker_compose.yml to make 443 point to 8443, which I was then able to proxy via Nginx (while pointing to the Mailu certs, natch.) This made both Mailu and the Blog very happy. As a bonus the Certbot put an auto redirect from port 80 to 443 in the Nginx config, saving me the trouble!
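
The proxy layout described above, sketched as an added example (not the author's actual configuration). The hostname `mail.example.org` and the certificate paths are placeholders, and it assumes Mailu's front container publishes host ports 8080 and 8443 as described.

```nginx
# Constructed example: hostname and certificate paths are placeholders.
# Assumes Mailu's front container maps host 8080 -> container 80 and
# host 8443 -> container 443.

# Port 80: hand the mail host's plain-HTTP traffic to Mailu so its
# ACME HTTP-01 challenge (/.well-known/acme-challenge/) still gets answered.
server {
    listen 80;
    server_name mail.example.org;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Port 443: Nginx terminates TLS using the certificate Mailu obtained,
# then re-encrypts to Mailu's own HTTPS listener on 8443.
server {
    listen 443 ssl;
    server_name mail.example.org;

    ssl_certificate     /path/to/mailu/certs/fullchain.pem;  # placeholder path
    ssl_certificate_key /path/to/mailu/certs/privkey.pem;    # placeholder path

    location / {
        proxy_pass https://127.0.0.1:8443;
        proxy_ssl_server_name on;          # send SNI to the upstream
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Nginx reads certificate files only at start and on reload, so with this layout it needs a reload after Mailu renews its certificate or it will keep serving the old one until it expires. Publishing 8080 and 8443 on 127.0.0.1 only, rather than on all interfaces, keeps those ports from being reachable around the proxy.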

Once that was done I figured that I should add 2 Factor Authentication to the admin interface of the blog, as that would just be prudent. I went searching through Grav's plugins looking for 2fa, 2 factor, and finally auth to see what was there. Auth gave a few OAuth plugins, but that's not what I wanted. Stymied, I did a quick Bing for "Grav 2fa" and lo and behold, it's built in! I just had to enable it on my account! A quick QR Code picture later and I now have proper 2fa security on the admin interface!

This blog is really shaping up! Maybe I'll even keep updating it!
