Raspberry Pi as a secure websocket chat server

CAUTION! This guide is for advanced users only! If any of the terms nginx, port forwarding, DNS record, SSL certificate, DHCP server, static IP, systemd sounds foreign and unfamiliar you'd better stop now. It is useless to skip steps unless you know what you are doing.

Requirements

• Full DNS access to a domain name records
• Home router with a static external WAN IP
• Raspberry Pi 1/2/3 with the latest Raspbian Stretch (Lite)
• Website / shared hosting service with PHP/MySQL to install Blab! WS (client)

Step 1   Domain/Subdomain

If you do not have a domain name to spare, create a subdomain from the control panel provided by your domain registrar. In short, if you own mydomain123.com you have to add a new A record chatserver that points to the public (external) IP of your home router so that when you navigate to chatserver.mydomain123.com your browser pings your home router. The terminology might be slightly different - you'd better Google / Google for details.

Step 2   Raspberry Pi: Static IP (wired)

sudo nano /etc/dhcpcd.conf uncomment and modify the following lines:

interface eth0
static ip_address=192.168.1.5/24
static routers=192.168.1.1
static domain_name_servers=8.8.4.4 8.8.8.8

and reboot.

192.168.1.5 must be outside the range used by the DHCP server of your router.

( nano: save with CTRL+o - confirm with Enter - exit with CTRL+x )

In detail: WiFi · StackExchange · Google

Step 3   Router: Port Forwarding

Using the admin panel of your home router forward ports 80 and 443 to the static IP address of the Raspberry Pi so that when you navigate to chatserver.mydomain123.com or chatserver.mydomain123.com your browser pings your Raspberry Pi (through your home router) on ports 80 and 443 respectively. If there's a conflict with the remote management of the router (TP-Link) you'll have to change the remote management port to something else beforehand (e.g. 12000) and load the remote management with chatserver.mydomain123.com:12000.

Step 4   Raspberry Pi: Nginx & Let'sEncrypt SSL certificate

Install Nginx: sudo apt install nginx. Nginx will be used as a frontend websocket proxy. The default configuration file of Nginx is /etc/nginx/nginx.conf, many other files within this directory are included as well and amongst them /etc/nginx/sites-available/default where the default Nginx virtual server is set.

sudo nano /etc/nginx/sites-available/default and add a new location within the server block:

location /MyWsServer/ {
    proxy_pass http://127.0.0.1:9002; 
    proxy_http_version 1.1; 
    proxy_set_header Upgrade $http_upgrade; 
    proxy_set_header Connection "upgrade"; 
    proxy_read_timeout 1200s;
}

In the same file replace: server_name _; with server_name chatserver.mydomain123.com;

( nano: save with CTRL+o - confirm with Enter - exit with CTRL+x )

The official method of installing a Let'sEncrypt SSL certificate on Nginx / DebianStretch did not work at the time of writing this due to a missing dependency but you can test it anyway. If it doesn't work remember to sudo apt remove certbot before continuing with this guide: https://certbot.eff.org/lets-encrypt/otherpip-nginx.

Reload Nginx with the following command sudo systemctl reload nginx and check that both chatserver.mydomain123.com and chatserver.mydomain123.com load the start page of Nginx.

Step 5   Raspberry Pi: blabws-server

Download blabws-server {ARM7-32bit - RaspberryPi} from the product page, unzip and upload to your Raspberry Pi so that the full filepath to the server executable file is: /opt/blabws-server/blabws-server. You can put the server in your home folder first: /home/pi and then move the server folder and its content with:

sudo mv /home/pi/blabws-server /opt/blabws-server

Step 6   Raspberry Pi: systemd service

Create a systemd service file with nano to start your blabws-server on boot.

sudo nano /lib/systemd/system/blabws.service (replace MyAccessKey321 with a random string with letters/digits only):

[Unit]
Description=blabws-server
After=network.target

[Service]
Type=simple
Restart=always
RestartSec=5

ExecStart=/opt/blabws-server/blabws-server MyAccessKey321 9002

[Install]
WantedBy=multi-user.target

( nano: save with CTRL+o - confirm with Enter - exit with CTRL+x )

• Enable the service with: sudo systemctl enable blabws
• Start the server: sudo systemctl start blabws
• Make sure that it works: sudo systemctl status blabws
• Confirm that it listens on port 9002: telnet 127.0.0.1 9002

Step 7   Website: BlaB! WS (client)

• Download BlaB! WS (client) from the product page, unzip the content in an empty folder and upload it to your website (shared hosting service).

• CHMOD blabws/config.php to 666, blabws/attachments to 777, navigate with your browser to YOUR_WEBSITE_URL.COM/blabws/index.php and follow the instructions (3 steps only).

• On the first screen select Remotely Hosted Websocket Server and do not enter anything on Step #1.

• At the end of the installation process you'll see a link to the Admin CP - go to Server, and set:

  • protocol: wss
  • Server URL: chatserver.mydomain123.com (see step 1)
  • Server port: remove 9002 and leave the box empty
  • ProxyPass token: MyWsServer (see step 4 - nginx location)
  • Accesskey: MyAccessKey321 (see step 6)

Save with OKAY, hit EXIT to go to chat.

Done!