jascha's blog

Words on privacy, cybersecurity, decentralization, and AI

Cloudflare is a controversial company to some, considering that they have taken steps to block sites and organizations that promote specific ideas or topics. While I am not supporting any of these organizations, there is a deeper issue with using Cloudflare in front of public relays. For people running personal ones, it does have the advantage of obfuscating your home IP address. But this post is focused on people providing general public relays.

One of Nostr's selling points is clients' decentralized (distributed?) architecture using relays. Relays help to avoid the centralization issue witnessed by Twitter, Facebook, and other social media companies. We build this whole decentralized architecture to put it behind a centralized company's network?

Some of the Biggest Relays Using Cloudflare for DNS/Proxying: – nostr.wine – relay.damus.io – relay.snort.social – X.nostr.land

The above is not an exhaustive list, but you can check your relays by going to a site like digwebinterface.com, choosing Type: NS, and checking Authoritative.

Example: https://www.digwebinterface.com/?hostnames=relay.damus.io&type=NS&useresolver=8.8.4.4&ns=auth&nameservers=

You can also choose Type: A and do an IPWhois.

Relayable.org will never use Cloudflare. However, we use cloud providers like Amazon Web Services (AWS). But the overall architecture allows us to quickly spin up Docker containers for a new relay and load up a copy of the DB in an automated fashion using Ansible and Terraform. Then it is a matter of repointing DNS to the new relay. Creating new relays can all be done in a couple of minutes, which makes the cloud or VPSs relays are running on not as much of an issue. Finally, we back up the DB offsite on safe harbors of encrypted storage.

I'm not encouraging people not to use the above relays. However, putting relays behind Cloudflare is not a feasible approach to a censorship-resistant network. It is a good idea to make sure you have a good mix of relays, with some (but not all) using Cloudflare.

I'd be glad to help any relay admins move off Cloudflare. We will add much more documentation on Relayable.org to be completely transparent in our configs, architecture, and operations.

Follow me on Twitter

When setting up a #nostr relay like strfry, you may want to use a top-level domain for your relay and the website about the relay. To be NIP-11 compliant, you need to allow calls with the header accept: application/nostr+json to hit strfry. The below nginx config allows for this.

server {

        server_name tld-relay.com;

location / {
    error_page 418 = @websocket;
# Check for NIP-11 accept to send to strfry 
        if ($http_accept = "application/nostr+json") {
        return 418;
    }

# Dummy entry to send requests to relay or static site
    try_files /nonexistent @$http_upgrade;
  }
# WSS proxy for strfry relay
  location @websocket {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:7777;
            proxy_http_version 1.1;
            proxy_read_timeout 300s;
            proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            send_timeout 300s;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
  }

# Static relay website
  location @ {
        root /var/www/html;
        index index.html;

  }

Follow me on Twitter

Run your own nostr relay!

Overview

In order to have a resilient decentralized nostr network there needs to be a good distribution of relays. Avoiding the caveat of too many large (centralized) relays, many of unknown architecture and availability. It is not too difficult to run your own private relay at home or on an inexpensive cloud provider.

The following is based on the unofficial strfry docker repo: https://hub.docker.com/r/relayable/strfry

Install Requirements

(In this example we're assuming your host is running Ubuntu 22.04 but should work with most Debian based OSs)

On your cloud server or home server be sure to install Docker.

Now install docker-compose:

curl -SL https://github.com/docker/compose/releases/download/v2.16.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose

Make executable:

sudo chmod +x /usr/local/bin/docker-compose

Point DNS to IP of Relay

In your DNS registrar or hosting control panel add an A record for relay.yourdomain.com to your instance public IP. You can alternatively use dynamic DNS if hosting from home. If using from home I recommend using a free CloudFlare account to proxy DNS to your home IP to obfuscate it. There are many videos and howtos on this.

Create docker-compose.yml

Make a docker-compose.yml file with contents below:

services:
  strfry-nostr-relay:
    image: relayable/strfry:latest
    restart: unless-stopped
    volumes:
      - /local/path/to/strfry-data/etc:/etc/
      - /local/path/to/strfry-data/strfry-db:/app/strfry-db
      - /local/path/to/strfry-data/plugins:/app/plugins
    ports:
      - "7777:7777"

Add whitelist.js Plugin to Lock Down Relay

Add the following to you plugins directory:

#!/usr/bin/env node

const whiteList = {
    '003ba9b2c5bd8afeed41a4ce362a8b7fc3ab59c25b6a1359cae9093f296dac01': true,
};

const rl = require('readline').createInterface({
  input: process.stdin,
  output: process.stdout,
  terminal: false
});

rl.on('line', (line) => {
    let req = JSON.parse(line);

    if (req.type === 'lookback') { 
        return; // do nothing
    } 

    if (req.type !== 'new') {
        console.error("unexpected request type"); // will appear in strfry logs
        return;
    }

    let res = { id: req.event.id }; // must echo the event's id

    if (whiteList[req.event.pubkey]) {
        res.action = 'accept';
    } else {
        res.action = 'reject';
        res.msg = 'blocked: not on white-list';
    }

    console.log(JSON.stringify(res));
});

Change the hex public key (003ba9b2c5bd8afeed41a4ce362a8b7fc3ab59c25b6a1359cae9093f296dac01) to yours and add others you want to allow to use the relay.

Make it executable:

sudo chmod +x whitelist.js

Create your strfry.conf in your /etc directory from above docker-compose.yml

##
## Default strfry config for relayable/strfry Docker
##

# Directory that contains the strfry LMDB database (restart required)
db = "./strfry-db/"

dbParams {
    # Maximum number of threads/processes that can simultaneously have LMDB transactions open (restart required)
    maxreaders = 256

    # Size of mmap() to use when loading LMDB (default is 10TB, does *not* correspond to disk-space used) (restart required)
    mapsize = 10995116277760
}

relay {
    # Interface to listen on. Use 0.0.0.0 to listen on all interfaces (restart required)
    bind = "0.0.0.0"

    # Port to open for the nostr websocket protocol (restart required)
    port = 7777

    # Set OS-limit on maximum number of open files/sockets (if 0, don't attempt to set) (restart required)
    nofiles = 1000000

    # HTTP header that contains the client's real IP, before reverse proxying (ie x-real-ip) (MUST be all lower-case)
    realIpHeader = ""

    info {
        # NIP-11: Name of this server. Short/descriptive (< 30 characters)
        name = "strfry docker test"

        # NIP-11: Detailed information about relay, free-form
        description = "This is a strfry instance."

        # NIP-11: Administrative nostr pubkey, for contact purposes
        pubkey = "unset"

        # NIP-11: Alternative administrative contact (email, website, etc)
        contact = "unset"
    }

    # Maximum accepted incoming websocket frame size (should be larger than max event and yesstr msg) (restart required)
    maxWebsocketPayloadSize = 131072

    # Websocket-level PING message frequency (should be less than any reverse proxy idle timeouts) (restart required)
    autoPingSeconds = 55

    # If TCP keep-alive should be enabled (detect dropped connections to upstream reverse proxy)
    enableTcpKeepalive = false

    # How much uninterrupted CPU time a REQ query should get during its DB scan
    queryTimesliceBudgetMicroseconds = 10000

    # Maximum records that can be returned per filter
    maxFilterLimit = 500

    # Maximum number of subscriptions (concurrent REQs) a connection can have open at any time
    maxSubsPerConnection = 20

    writePolicy {
        # If non-empty, path to an executable script that implements the writePolicy plugin logic
        plugin = "./plugins/whitelist.js"

        # Number of seconds to search backwards for lookback events when starting the writePolicy plugin (0 for no lookback)
        lookbackSeconds = 0
    }

    compression {
        # Use permessage-deflate compression if supported by client. Reduces bandwidth, but slight increase in CPU (restart required)
        enabled = true

        # Maintain a sliding window buffer for each connection. Improves compression, but uses more memory (restart required)
        slidingWindow = true
    }

    logging {
        # Dump all incoming messages
        dumpInAll = false

        # Dump all incoming EVENT messages
        dumpInEvents = false

        # Dump all incoming REQ/CLOSE messages
        dumpInReqs = false

        # Log performance metrics for initial REQ database scans
        dbScanPerf = false
    }

    numThreads {
        # Ingester threads: route incoming requests, validate events/sigs (restart required)
        ingester = 3

        # reqWorker threads: Handle initial DB scan for events (restart required)
        reqWorker = 3

        # reqMonitor threads: Handle filtering of new events (restart required)
        reqMonitor = 3

        # yesstr threads: Experimental yesstr protocol (restart required)
        yesstr = 1
    }
}

events {
    # Maximum size of normalised JSON, in bytes
    maxEventSize = 65536

    # Events newer than this will be rejected
    rejectEventsNewerThanSeconds = 900

    # Events older than this will be rejected
    rejectEventsOlderThanSeconds = 94608000

    # Ephemeral events older than this will be rejected
    rejectEphemeralEventsOlderThanSeconds = 60

    # Ephemeral events will be deleted from the DB when older than this
    ephemeralEventsLifetimeSeconds = 300

    # Maximum number of tags allowed
    maxNumTags = 2000

    # Maximum size for tag values, in bytes
    maxTagValSize = 1024
}

Under the info section can add name, description, pubkey, and contact to fit your relay.

If using below nginx config you can change bind back to 127.0.0.1 to make it more secure. Change any other settings you feel confident you need to alter.

Start your container with docker-compose to test working from directory with the docker-compose.yml file: sudo docker-compose up

This will start container in terminal. Once you are happy configuration is working can start as a daemon: sudo docker-compose up -d

Add Nginx Reverse Proxy and SSL

Install nginx on your relay: sudo apt-get update && sudo apt-get install nginx certbot python3-certbot-nginx

Remove default config: sudo rm -rf /etc/nginx/sites-available/default

Create new default config: sudo nano /etc/nginx/sites-available/default Add new reverse proxy config:

    server{
        server_name relay.yourdomain.com;
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:7777;
            proxy_http_version 1.1;
            proxy_read_timeout 300s;
            proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            send_timeout 300s;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

Change relay.yourdomain.com to your DNS name.

Restart nginx: sudo systemctl restart nginx

Add LetsEncrypt SSL Certificate

Use certbot to create new SSL and install it with nginx-plugin (replace with your DNS name): sudo certbot --nginx -d relay.yourdomain.com

Restart nginx again: sudo systemctl restart nginx

If no errors then good to go!

Testing and Usage

You can now install something like nostril to test your relay. Just use a testing nostr account you add to whitelist.js to test with. Or add relay to your client.

nostril --envelope --sec <your sec hex key> --content "docker container is working and whitelisting!" | websocat ws://localhost:7777

Using Other strfry Commands

See container name or ID: sudo docker ps

Enter container to get bash access: sudo docker exec -it <container> /bin/bash

This will show you have entered the running container. You can now run any strfry commands needed. See strfry readme for more.

bash-5.1# ./strfry --help

Congrats you now have a working strfry nostr relay!

By npub1y3uh89v5a4vq92t8q0j6su94zhvcdxpywjn3l6hpsr5welarqtrqj7yzhd  @jascha.

V4V lightning:crispactor61@walletofsatoshi.com

Follow me on Twitter

Having a home server is a big step towards better privacy and living a more ad and tracking-free life. Unfortunately, many people think they do not have the technical skills to run a home server, but there are many accessible options for setting one up. It can be a weekend project, and the only additional requirements are having some hardware to run it on and a fast enough Internet connection to access your services from outside your home.

Most services and hosting options are well documented and have active communities eager to help newcomers. If you find them useful, you can contribute back by reporting bugs or new features you'd like to see. Or by donating to the projects financially or by helping with documentation or code (if you have that skill set).

Home Server Options

Yunohost – an all-in-one home server with a simple interface and a vast list of ready-to-install packages for various services.

Umbrel – project started as a home Bitcoin node but has grown into a full-featured home server option where services run in Docker containers. Umbrel has fewer service options than Yunohost but always adds more.

Proxmox – a mature and full-featured virtualization environment for more advanced users. Allows to run LXC Containers as well as KVM (Virtual Machines).

Home Services

Nginx Proxy Manager – add to your DMZ in home network to use as a proxy for all other services. Can add LetsEncrypt certificate(s) to secure services with SSL

Pi-Hole – block ads with this local DNS server you can go one step further and make it a recursive DNS server

NextCloud – your own home DropBox to save files and images can tie into your computers and mobile devices

Mealie – recipe management database and a front end that allows you to scrape recipes by URL and add users to share recipes with friends and family

BitWarden – self-hosted password manager with browser add-ons, mobile apps, and more

PaperMerge – OCR document mangagement system (DMS) can upload receipts and documents scan using a phone and version documents

Wiki.js – clean and straightforward wiki with authentication for creating home documentation for personal, friends, and family

mStream – home music streaming service that supports FLAC files and can create accounts for friends and family with mobile apps to stream on the go

Jellyfin – home media server with DVR and metadata services to organize your movies, tv, and audio

Mastodon – you can run your home Mastodon server for family and friends

DashMachine – a dashboard to organize and link to other services hosting at home

TrueNAS – a open source Network Attached Storage (NAS) system to create redundant and robust storage

Home Assistant – a self-hosted home automation server with support for many common devices.

Conclusion

The above is not an exhaustive list but is a sampling of various valuable services you can run on older hardware you may have lying around at home already. I run all of the above services on a six year old desktop with an i7 Intel CPU, (2)14TB SATA drives, and 48GB RAM (need a lot of RAM for various VMs and containers).

Follow me on Twitter