Differences

This shows you the differences between two versions of the page.

--- blocks:server:virtualized [2022-10-19 12:37]
admin [HTTPS, Domain name and Certificate]
+++ blocks:server:virtualized [2023-03-27 10:05] (current)
mattias [Connecting the USB License Key to Another Computer]
@@ Line 69: / Line 69: @@
 Blocks server software requires a license to be operational. Either connect a physical license key to a USB port or request a cloud-based license (requires internet access). A physical license key can be accessed either directly from a USB port attached to the virtual machine or over the local network.
-====Network Access from Host Computer====
+[[blocks:wibu|Install a Blocks license.]]
-This method provides access to the license key over the network. Assuming both the guest and host operating systems are on the same network (which they will be when using a network adapter in bridge mode), a license key connected to the host computer can be accessed. This assumes network access is allowed in the license keys's settings (more on this below). Thus, the physical USB key can be connected to the host computer and will then be automatically found by Blocks.
-=== Host operating system ===
-Verify or adjust the following license key settings in your host computer
-  * Open the CodeMeter Control Center.
-  * Click the WebAdmin button, and wait for the web UI to appear.
-  * Select Configuration > Server.
-  * Under Network Server, select Enable.
-  * Click Apply.
-=== Guest operating system ===
-The CodeMeter software has been pre-installed, and configured to look for the license on the local network. To verify accesibility:
-  * Start the virtual machine.
-  * Once up, use the command //cmu --list-server --list-content//.
-  * This should show your server's IP address and license information. Look for the text "102977"
-==== Connecting the USB License Key to Another Computer ====
-In the example above, the license key is physically connected to the host computer, and then accessed over the (host-computer internal) "network". If you can't connect the license key to the host computer for some reason, you can instead connect it to another computer on the same subnet, and it will be found automatically by Blocks. Alternatively, use a cloud-based license (requires internet access).
-====Direct USB Access====
-If you have physical access to the computer running the virtualizer, you may prefer to connect the license key directly to this computer, and make the USB port accessible to the guest OS.
-=== Host computer ===
-  * Connect the license key. The key must be physically connected to a USB port on the host computer.
-  * Do NOT install the CodeMeter driver/software (or disable it if already installed).
-:!: The host computer must NOT run the CodeMeter software, since only one driver may access the physical key at a time, and in this case that's is the driver inside the virtual machine.
-===VirtualBox settings ===
-  * Select your guest OS in the list on the left hand side
-  * Select its Details settings pane
-  * Click USB
-  * Make sure "Enable USB Controller" is selected
-  * Add a "USB Device Filter" using the + button to the right
-  * Select your CodeMeter device
-To verify license key accesibility:
-  * Start the virtual machine.
-  * Once up, use the command //cmu -x//.
-  * This should show the details of your license key. Look for the text "102977".
 =====Blocks Configuration=====
-There's no [[blocks:server_configuration_file|configuration file]] included for Blocks in the VM image. This means that Blocks defaults to HTTP over port 8080. Add a configuration file if you need to adjust Blocks' server settings. Note that since Blocks runs under a limited user account, ports below 1024 (thus including the default HTTP port 80) can't be directly specified in the configuration file.
+There's no [[blocks:server_configuration_file|configuration file]] included for Blocks in the VM image. This means that Blocks defaults to HTTP over port 8080. Add a configuration file if you need to adjust Blocks' server settings. Note that since Blocks runs under a limited user account, ports below 1024 (thus including the default HTTP port 80) can't be directly specified in the configuration file. However, the included //nginx// program – acting as a reverse proxy – provides access to Blocks on the customary ports (80 and 443 if you have HTTPS enabled). More on //nginx// and HTTPS below.
-=====Reverse Proxy Configuration=====
+=====Starting and Stopping Blocks=====
+Assuming that the license key is accessible, Blocks should start automatically. Blocks is started and stopped by an operating system service known as //[[https://wiki.debian.org/systemd|systemd]]//, which is controlled by the //systemctl// command line program. Since Blocks runs under the //blocks// user account, you must be logged in as the //blocks// user in order to control Blocks using //systemctl//. Use this command to determine whether Blocks is currently active:
-The server image includes [[http://nginx.org|nginx]], acting as a reverse proxy in front of Blocks. Out of the box, it provides the following functionality:
-===Port Remapping===
-The reverse proxy re-maps ports as the traffic flows through it, thereby exposing HTTP to the outside world on the standard port 80, internally passing it on to Blocks on port 8080. Thus, when accessing Blocks from outside the virtual machine, you don't need to specify any port number.
-===Serving of Static Files===
-It serves all static files (those under /public), rather than passing those requests on to Blocks. Offloading such work leaves more headroom in Blocks for dealing with its more advanced functions.
-====HTTPS, Domain name and Certificate====
-The nginx reverse proxy can also manage a secure HTTPS connection, thus offloading also the work of encryption and decryption from Blocks. HTTPS is increasingly a requirement for many advanced web features. This applies also to Blocks, which is entirely web based. For instance, the Camera, QR Scanner and Locator (when using QR Code or GPS) block types may have limited or no functionality unless  a secure HTTPS connection is used.
-In order to use HTTPS to access Blocks, you need a number of additional things:
-  * A //domain name// of your own.
-  * A //registrar// managing that domain name on your behalf.
-  * A //DNS provider//, making your domain name available on the internet.
-  * A HTTPS //Certificate// (more on that below).
-Furthermore, if you want to access your Blocks server from the internet, you'll also need connection from the internet to your Blocks server. This is often handled in your router or IT infrastructure, for example using a method known as //port forwarding//. Having your Blocks server accessible through the internet makes it easy for visitors to connect to Blocks using their mobile phones.
-===Obtaining a Certificate===
-You must obtain a HTTPS certificate from an accredited //Certificate Authority// (CA). Furthermore, since certificates expire after some time, you must renew your certificate on a regular basis. Fortunately, there's a relatively painless method available to do all of this from [[https://letsencrypt.org|Let's Eencrypt]]. The server image comes with Let's Encrypt preinstalled, so once you've got your domain name registered with a DNS (you can check this using the //nslookup// terminal command), all you need to do is:
-  - Edit the nginx configuration file to specify your domain name, and restart nginx.
-  - Run Let's Encrypt's //certbot// command in the terminal, following its instructions.
-To edit the nginx configuration file, do as follows:
-  * Start the virtual Blocks image.
-  * Log in as the root user (either in the virtualizers terminal window or over ssh and then switch to the root user using **su**).
-  * Open the editor using the command **nano /etc/nginx/sites-available/blocks.conf**
-The //nano// command opens a text editor, showing the configuration, that begins like this:
 <code>
-include /etc/nginx/snippets/pixi-expires.conf;
+systemctl --user status blocks
-server {
-    server_name _;
 </code>
-Replace the underscore character after //server_name// with your domain name, so it looks something like this but with your own domain name instead of //mydomain.com//):
+If Blocks is currently active, you should see the text "Active: active (running)" as part of the status. To enable and start Blocks, use this command:
 <code>
-include /etc/nginx/snippets/pixi-expires.conf;
+systemctl --user enable --now blocks
-server {
-    server_name mydomain.com;
 </code>
-Make sure to keep the space  after //server_name// as well as the semicolon after the domain name. Save the result by pressing ctrl-O followed by the Enter key, then exit the //nano// editor by ctrl-X.
+To stop and disable Blocks:
-In the same way, edit the file at **/etc/nginx/conf.d/pixilab.conf** by uncommenting (removing the #-signs) the last section under "Redirect ALL http request to https", so it looks like this:
 <code>
-# This file is included inside the main server directive, in the main nginx.con$
+systemctl --user disable --now blocks
-# Allow large uploads (e.g., huge video files) through the proxy
-client_max_body_size 0;
-# Add our own mime type for our JSON-like serialization files
-types {
-    application/x.pixi      pixi;
-}
-# Redirect ALL http request to https
-server {
-    listen 80 default_server;
-    server_name _;
-    return 301 https://$host$request_uri;
-}
 </code>
-Save and exit //nano// again.
+Note that //systemd// differentiates between //starting// and //enabling// a service. The command shown above will do both. An //enabled// service will automatically be started as the server computer is started, which is useful f you for some reason need to restart your Blocks server (e.g., as the result of a power outage). To merely start or stop a service, without changing its enablement, use the //start// and //stop// sub-commands instead. See the //systemd// documentation for details.
-Make sure you've set good, strong passwords on all your Blocks users. Finally, while still as the //root// user, run the following commands, pressing enter after each. The first of these commands checks your new nginx configuration for errors. Pay close attention to any error messages that may appear.
+If you run into trouble launching Blocks, and the //status// command doesn't provide sufficient details, you can use the //journalctl// command to obtain more details:
 <code>
-/sbin/nginx -t
+journalctl -n 20 --no-pager --user-unit blocks
-systemctl restart nginx
-certbot --nginx
 </code>
-If the test is successful, then run the second command which  restarts //nginx// to pick up the changed configuration. Finally, the last command tells certbot to do its thing – obtaining a certificate for your domain, integrating it with nginx, etc. If all goes well, you should then be able to access your server from the internet using a URL like this (again using your own domain name):
+This will show the 20 most recent //systemd// log messages related to blocks. Again, you must be logged in as the //blocks// user in order to use this command.
-<code>
-https://mydomain.com/edit
-</code>
-If you get stuck, and need more details, follow the official //certbot// guide found [[https://certbot.eff.org/instructions?ws=nginx&os=debianbuster|here]], keeping in mind that all installations have already been done, so you can skip the first couple of steps.
-===Using Local Wifi===
-While you may use a local wifi network instead of making your Blocks server internet accessible, this adds more complexity for visitors in connecting to your system, since they must first connect to your local wifi and then to your blocks server. Both of these actions can be done from most modern smartphones using QR codes – but you will need two of those, and they need to be scanned in the right order. You of course also need to provide a wifi network with adequate performance and coverage. Thus, for most visitor-facing Blocks applications, internet access is the recommended method.
-If you do opt for a local wifi network, your method for setting up HTTPS also becomes a bit more complicated:
-  - You must provide internet access to your visitors through your local wifi. This is required both to expedite the wifi connection (many phones will refuse to connect to a wifi that doesn't have internet access) and to access the DNS.
+=====Using HTTPS with Blocks=====
-  - Your DNS entry must point to the IP address of your intranet Blocks server, now (hopefully) accessible through your wifi. That means that any attempts to access it from the internet will fail (since it's only available while on the in-house wifi). An "official" DNS entry is required since many smartphones and browsers use some form of "secure DNS", such as [[https://en.wikipedia.org/wiki/DNS_over_HTTPS|DNS over HTTPS]], and will ignore any in-house DNS.
-  - You can't use the automatic "certbot" method mentioned above to obtain a certificate. You must instead use a more complicated DNS-based method.
+The server image includes [[http://nginx.org|nginx]], acting as a reverse proxy in front of Blocks. This can be configured to manage secure HTTPS connections, as described [[blocks:server:nginx|here]].
 =====Security Considerations=====