A web server (Apache, nginx) on the Librem 5?

Just to add in case you’d like more information: I’m running lighttpd on my Librem5 to host a matrix webfrontend on 127.0.0.1.

OK but there is nothing unreal about the web site that I tested. It has web pages, including both static and dynamic HTML content, as well as serving out the actual videos (where it is basically just a file server).

It is true that I didn’t bother with a domain name, as this was just for testing, and used the IP address of the Librem 5 directly. If there is only one domain hosted at an IP address then it will make negligible difference whether there is a domain name or not.

Why not take this as a wonderful opportunity to learn to program apps for GNU/Linux? If you can already program in JavaScript, switching to C will not be a trauma – yes, you will have to change your way of thinking, but the syntax of the two languages is pretty similar.

A very good starting point might be a simple “hello world” app. After not too long you might start to realize that web programming and webservers are a useless complication for what you want to achieve.

Yes, what you say is quite true about strictly one domain per IP address as technical protocol. However, with a registered domain name linked to the specified IP address, one can create subdomain names (e.g. subdomain.hostname.domain). Of course, you cannot make a subdomain name out of an IP address, since it is strictly a part of the hostname or domain name. Of course, if you happened to find a way to get a sub IP address for an IP address, more power to you! The purpose of the subdomains or sub IP addresses is to label a directory path of the domain name (or just some other directory path) in question (e.g. subdomain.hostname.domain could be hostname.domain/subdomain, hostname.domain, or /some/other/directory/path/in/documentroot/parameter). Note that we are not talking about serveralias, which is just a subdomain name with the same documentroot directory path as the servername.

I assume that people do know about domain registry, but I may oblige to assist upon request. Such requests might also include assistance in web server configuration with IP address beforehand. If someone wants to know more of the specifics regarding the https protocol and how it works with both IPv4 ip addresses and IPv6 ip addresses, I am afraid I cannot help in terms of https://[IPv6_ip_address]/ . I assume that there is no implementation yet.

As kagixa says, you used the Clue period tracker app. You did not find any usable alternatives on GNU/Linux. There might not be a GNU/Linux program file format of Clue just yet. Maybe you can contact them about making a GNU/Linux compliant program. Otherwise, github or the like might have what you are looking for. The materials concerning Clue are a personal and/or private matter, therefore Librem 5 and Librem 5 USA would be sought for.

How come there is no edit to posts? Oh well.

irvinewade, yes, what you said about domain names is true and it could be a detrimental side effect to domain registry. However, not all is lost for just IP addresses!

For up-to-date standard computers, you should have two ip addresses to use for two different websites. The values will be an IPv4 ip address and an IPv6 ip address. Think of IPv4 as http://#.#.#.#/ or https://#.#.#.#/; think of IPv6 as http://[{}::{}::{}::{}]/ or https://[{}::{}::{}::{}]/.

In addition, there are actually three http protocol ports (80, 8008, 8080) per ip address that you can use for three different websites. These ports have been around before IPv6 so stability shouldn’t be an issue. In fact, it’s probably easier to use each alternative port in its own virtual host conf file as extra website hostings. You don’t have to specify ip addresses for virtual host conf files, as you can either leave a ‘default’ or ‘*’ as value to apply to any of the ip addresses in question. Either way, that’s 3 ports times 2 ip addresses, equaling a total of 6 potential websites, if permitted. Each website would have its own particular port and ip address in use. If you want domain names and subdomains, it would be a different topic for another day.

There may be new alternative ports, new alternative ip addresses, and new alternative domain/subdomain names. Dismissing this case scenario will allow insecure http access of websites, endangering the integrity of data transmission from and to the website. For the moment, while we can still update, we just have to keep up with adding new alternative ports, new alternative ip addresses, and new alternative domain/subdomain names.

It’s much bigger than that.

For a start: who said you can only use those three ports for HTTP? If it’s for a limited audience, there is nothing wrong with picking a random port number in the suitable range and publicising that. The only potential obstacle is that really crappy ISPs may block inbound connections except on very specific ports (but those ISPs probably wouldn’t allow 8008 either).

I can’t speak for anyone else but my ISP gives me a 64 bit IPv6 address space. So I’m not going to run out of unique IPv6 addresses for web sites in the lifetime of the universe. :slight_smile:

There’s plenty of things for Librem 5 to work on. For now, I will focus on the requirements of hosting servers.

First, we need to ensure port forwarding with cellular data services. Now, wifi data services can easily help out with port forwarding. And I’m not that lazy to stick with a smartphone and call it the only computer that I need. Despite the benefits of wifi data port forwarding, there are setbacks as well. If you ever had to share the credentials of wifi security, you would know for a fact that ignorant people with exposed devices may have a chance to share the information with wifi data thieves, providing a chance to rip a hole in finance. It’s even worse when you have to trust strangers, for they may be accomplices in sharing that information with other strangers. Strangers may even use the wifi access to accost wifi account holders, because it would be logical to eventually snuff their victims before they get the Sherlock Holmes intuition (or even upper hand) on things. Of course, burglars could just break into the residence to access the wifi credentials. In either case, I would suggest shutting down the wifi signals in order to prevent networking capabilities of criminals. Managing credentials is a chore that increments stress levels. Then again, port forwarding with cellular data services may lead to the same situation. However, I don’t think the proposed method follows such instances.
Second, we need to ensure firewall, that is firewall-config. The Librem 5 repository DOES support it. In case you want to access default superuser privilege mode, the default user is considered the default superuser already.
Third, we need the server application, which is an obvious fact.

In regards to port forwarding capabilities with cellular data services, there is a possible workaround that may not require development from cellular data service providers. Here is a list of url addresses regarding port forwarding with cellular data services. Despite the Android design, such progress would also bring hope to accommodate GNU/Linux operating systems. If things go well, the ability to host (port forwarded) servers with cellular data services would be a reality. May we succeed in telecommunications and privacy with our endeavors.

https://support.elix.sr/#!/products/fwd/answers/What_does_fwd_do

I will contact the company if it can handle GNU/Linux platforms.

EDIT (24/04/2023):
Also, there’s a claim that iptables, adb, (GNU) netcat, and socat can do port forwarding.

A claim that third party services can help out too. One example is remote.it.

At this moment, I will attempt to try building a web server on the device without port forwarding. Maybe there’s no need for port forwarding configuration on cellular data networks. If things get dicey, and they probably will, I will forget waiting on GUI applications and get straight to the CLI application research. Of course, if I do fail, I will put up with a third party service. Sounds like a plan!

I don’t see why port forwarding would be necessary. UFW would be your firewall most likely. But I mean do you really want your L5, your digital mobile fortress, open to the public?

But back to port forwarding, if you have UFW open for the ports you want and for the type of traffic you want, it should work, provided the ISP is not blocking those ports, which it very well could be.


Because many MVNOs only offer a private IP(v4) address for the phone. Your phone is behind CGNAT.[1] So that is very unhelpful towards the goal of running a public server on a phone that is connected to the internet via its cellular modem. And you need workarounds (of which port forwarding is one - but I doubt many MVNOs will offer that, so you need other workarounds).

When I did my testing above, I was more interested in the capability of the Librem 5 to run the software unchanged and with reasonable performance. I was only serving to the local LAN (i.e. inside my house), so issues of IP addressing didn’t apply at all and issues of security didn’t really apply.

[1] It is of course up to you to verify whether this is true for your particular MVNO.

A fair question but, hey, it’s @Ribby’s phone. He owns it. He can do what he wants. :slight_smile:

If you really wanted to go down this route, this would be an argument for virtualisation but that might be a bridge too far at this stage. (See what I did there with the networking puns? :wink:)

For me personally, no, I won’t be running a public web server on my phone. I already have three servers on the internet with public static IP addresses so no real need to battle to get one working on my phone.


Right, but these are things done at the cellular carrier’s level, and not on the phone. Cellular connections are not traditionally used for web hosting because it is just not practical for a number of reasons. Sure you can circumvent these limitations with effort, but again I ask, why? (Channel the Key and Peele skit about Hogwarts here for the reference)

So you are tagging @Ribby, then? Because I already said that it’s not something that I will be doing. You don’t have to convince me. :wink:

2disbetter, you made a good point about the futility of configuring the cellular data service for web server hosting.

That fact, I understand. MVNOs just don’t go for port forwarding because that feature is within the specialized field of the ISPs.

Still, with smartphone technology popping about, one cannot just turn away from the possibility of innovation. I am sure that the Librem 5 is considered as an example.

Like Don Quixote, I press onwards.

In terms of using the fwd app .apk, I see that using apk emulators would be a hassle. Not to mention privacy issue concerns. Check this topic for reference. Is it possible to use Android apps on the Librem 5?
Especially check this announcement page. Google Play server infects smartphone clients with adware! https://puri.sm/posts/how-pureos-can-stop-devices-from-being-infected-with-intrusive-adware/


I decided to try the iptables/nftables. I have reached some snag of a conclusion.

One of the biggest hurdles for cellular data service as web server host is that its Cloned MAC address mode is not configurable (the parameter for such type of service is non-existent). The cellular data service provider or the smartphone OS build itself sets that setting in stone. That means IP addresses will change over time. Even the public IP addresses change! It’s smartphone client focus, what else is new? In addition, access to port forwarding features by cellular data modem cli/gui interface (on client side) is not readily available; otherwise, you would have to make the necessary components, firmware, and software. Never mind the firewall configurations (update required for each IP address change).

My next step is a creation of the mobile hotspot from the cellular data service. It’s technically wifi (from the cellular data service) and the port forwarding access is pretty much the same result, but hey, you have a better chance of permanent public IP addresses? This move might be at least something than nothing.

As 2disbetter mentioned, MVNO means mobile virtual network operator, which means that technically, the network is a virtual type of network. That could mean that the real/physical network hosting the virtual network could be an internet network that hosts software as combined cellular data service components of hardware and software network resources and network functionality. As to determining whether the virtual network is external or internal virtualization, I have no idea. Due to restrictions on the cellular data modem’s capabilities, I would say internal virtualization is the mobile virtual network’s structure. To this date, there is no cellular data modem cli/gui interface (on client side) of a mobile virtual network to access port forwarding.

If I fail here (which I did), I can go for the wifi connection of the internet router option. At least the router does allow port forwarding. Cloned MAC address mode can be set to permanent for less maintenance. The hardware problem is that you will have to make sure that both router and phone server are active and working correctly. The limit of the router’s wifi radius vicinity would restrict/nullify the hosting smartphone device’s ability as a mobile/portable server. I would say that this option might be the easiest, but electrically costly, option. In addition, you might have to tolerate the router’s 24/7 light during sleep and maintain specific device access. It does not seem good for the environment! It does not seem good for you!

Back to using cellular data service, I might go for the remote.it zero trust network (connectivity) service (https://www.remote.it/benefits) as third party host or something like that. In addition, I believe that certain VPNs allow port forwarding features (e.g. https://www.ivpn.net/pricing/). While usually not considered a free service, it’s a kill of two birds (features virtual proxy and port forwarding services) with one stone. Maybe a free VPN can allow port forwarding? I certainly hope so! HOWEVER, and that’s a big however, free services come at the price of invasion of privacy issues. Same goes for zero trust network (connectivity) services.

I’m done for today, but at least I know the current limitations of current cellular data service capabilities. There might be future developments from these limitations.
I will explore and compare the last two options (zero trust network [connectivity] service versus/with virtual private network [no data traffic anonymization details such yet {e.g. The Onion Router ((TOR)) and Invisible Internet Project ((I2P))}]) involving cellular data service. While I do like remote.it’s concepts of zero trust network (connectivity) services, the free plan comes with hesitation on privacy invasion issues as data mining, psychometrics, surveillance capitalism, surveillance industrialism, corporatocracy (not corporatism as tool), corporate warfare, espionage, (industrial) sabotage, government surveillance, surveillance totalitarianism, and surveillance imperialism. So it’s a search for surveillance activities under free plans and then research of concepts. Until then.
The two links are just for reference.


Alright, before we embark onto the technical details of candidate picks, we have to take a look at the business side of things. After all, a tool is only a tool of its user. It’s almost like a Star Wars vibe or something of the like, I think you get the picture.

+Scam/fraud potential of remote.it
-no bbb.org page
-is a for-profit company
-monthly service fee is higher than
-collects information as said in privacy policy
-nevermind the Zero Trust Network Connectivity Service claim
-"…regularly collect information…" (https://www.remote.it/legal/privacy-policy). Not authorized by FTC and credit bureaus’ fraud alert.
-"…may utilize automated recording tools and files such as “cookies.”…"
-"…If you restrict our ability to use automated tools and files, your ability to access and use all or part of the Service may be limited or disabled completely. We will ask you to consent to our use of cookies when you first visit our website. …"
-"… Cookies are small pieces of text sent by your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third-party to recognize you and make your next visit easier and the Service more useful to you. …" Third-party cookies, you say? That could be internet tracking! Could be very bad! Get your third-party cookie blockers out, people!
-"… In addition to our own cookies, we may also use various third-parties cookies to report usage statistics of the Service, deliver advertisements on and through the Service. …" Advertisements? I hope it ain’t bad. Advertising to the audience as commercials? Maybe snooping on the user itself?
-"… Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, some of our pages might not display properly or you may not be able to sign-in to the Service, or connect to remote Devices. …" Talk about a contract risking your privacy. That’s right!
-"… Finally, remote.it may disclose your personally identifiable information upon a transfer or sale to another entity of all or substantially all of remot3.it’s stock or assets in remot3.it’s line of business to which this Privacy Policy relates or upon any bankruptcy or other corporate reorganization. …" Could share information by sale to another entity? That could be data mining. Anyways, talk about selling out! What happened to the ideals of commitment to privacy?

The verdict.
While remote.it did explicitly say it does not directly sell information for marketing purposes, the fine print details say otherwise. Some other paragraphs elsewhere, it mentions that it may sell information to entities it has business relations with. There are also third-party cookies that it will not bear responsibility for even though the company itself is the one who placed AND ENFORCED the foreign cookies in its service in the first place. So much risk for trust! Is this the zero trust network connectivity service model? We have to reconsider!
I say that remote.it is going down for a zero trust security model practicing company.

+Scam/fraud potential of ivpn.net
-no bbb.org page, it operates outside of America
-not sure if it is a for-profit company or not
-monthly service fee is (actually) lower than
-is a vpn
-Not a business thing, claim stated by a review site
-Port forwarding, but no static IP address. I was hoping for a static public IP address to say at the least! What are the change times so I can update the firewall and server with the new IP address? Oh well, no biggie. Will contact for details.
-"… We will also not log any personally identifiable information e.g. IP address. …" (https://www.ivpn.net/privacy/) big claim
-"… We do not log any data relating to a user’s VPN activity (while connected or connecting to the VPN). …"
-"… Matomo is open source software that is hosted on our own server infrastructure to ensure your privacy (unlike platforms such as Google Analytics). …"
-"… No third-parties have access to any of your data. We always use first or third-party tools we can host on our own servers in a protected and secure environment. …"
-"… As this data is only stored for the duration of the VPN session, if you or anyone requests to know how many connections you had at a specific time in the past, we couldn’t tell you because we don’t store it. …"
-"… When a VPN account is terminated on our network due to the subscription ending, non-payment or for any other reason, all data associated with that VPN account including the account itself (with the exception of the accounting data below) is automatically deleted after 90 days. …"
-"… ? …"

The verdict.
According to reviews, ivpn.net seems like the real deal in terms of optimal quality standard vpn service. While I cannot vouch for any consumer complaints of business malpractice due to the lack of official business information mediums, the trustpilot consumer reviews claim excellent service. I can’t say it is a non-profit company, but its demand for compensation sounds about fair. It is a VPN, a known network service, so no messing around with new false concepts and etc. Claims for no saved session logs of VPN activity and all analytics are solely first party side, ivpn.net. Account termination will result in removal of all its instances. The claims sound a bit tall, but reviews echo them too.
As for the port forwarding and IP address assignments, that be on the technical side of things.

After being done with the business side of things, it’s operation time, probably to be done in its own post.
Case studies of the privacy models pending. That means comparison time. That also means to call in the GNU team on such aspects.

If I had to do this (and I wouldn’t!) then I would ssh from my phone to my VPS using a reverse listen (ssh -R). That is quick and dirty but it should do the job.

Performance would suck greatly but you wouldn’t expect great performance running a web server on a low power 4 core ARM anyway.

That would however just move the privacy problem from … do I trust remote.it (or whomever)? … to … do I trust the provider of the VPS?
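The reverse-listen idea above (ssh -R from the phone to a VPS), as an added example script of my own rather than anything posted in the thread. It assumes a VPS reachable as vps.example.com with an unprivileged "tunnel" account and "GatewayPorts clientspecified" in its sshd_config, and a phone web server listening on 127.0.0.1:8443; all of those are placeholders.

```shell
#!/bin/sh
# Added example: publish the phone's local web server through a VPS with an
# ssh reverse listen (ssh -R), so the phone itself needs no inbound port.
# Assumptions (not from the thread): VPS reachable as vps.example.com, an
# unprivileged "tunnel" account there, sshd on the VPS configured with
# "GatewayPorts clientspecified", and the phone's server on 127.0.0.1:8443.

PHONE_PORT="${PHONE_PORT:-8443}"          # listener on the Librem 5
VPS_HOST="${VPS_HOST:-vps.example.com}"
VPS_USER="${VPS_USER:-tunnel}"
VPS_BIND="${VPS_BIND:-127.0.0.1}"         # loopback: only a proxy on the VPS reaches it
VPS_PORT="${VPS_PORT:-8443}"

# Accept only a TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Compose the ssh command line. -N opens no remote shell, ExitOnForwardFailure
# makes ssh quit (so the loop below retries) if the remote port cannot be bound,
# and the ServerAlive options notice a dead cellular link within about 90 s.
build_tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:%s:127.0.0.1:%s %s@%s\n' \
        "$VPS_BIND" "$VPS_PORT" "$PHONE_PORT" "$VPS_USER" "$VPS_HOST"
}

# Keep the tunnel up: ssh returns when the link drops, so re-run after a pause.
run_tunnel() {
    if ! valid_port "$PHONE_PORT" || ! valid_port "$VPS_PORT"; then
        echo "run_tunnel: bad port (PHONE_PORT=$PHONE_PORT VPS_PORT=$VPS_PORT)" >&2
        return 2
    fi
    while :; do
        eval "$(build_tunnel_cmd)"
        echo "tunnel exited, reconnecting in 10s" >&2
        sleep 10
    done
}

# Start only when invoked as "sh tunnel.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    run_tunnel
fi
```

With VPS_BIND left at 127.0.0.1 the tunnel end is never exposed directly; a reverse proxy on the VPS (which also terminates TLS and can rate-limit) is what the public reaches.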

You guys are in for a gas! Laugh it off as you can.

I tried out the VPN service and things seem to be quite swell (had a bit of VPN user experience before so yeah). Well, most VPN services include a (GUI) interface. Still, being a Linux machine, CLI commands are still relevant to this day. I was just playing around and got a bit stuck on the port forwarding and (source) firewall tests. It appears that my lazy overlook of the VPN configurations let the VPN firewall rule against non-VPN connections continually block them! So when the app interface decided to freeze over just because it had a bad connection, I had to kill off the interface process.

Well, it’s just the interface that’s been killed off. The rest of the VPN mis-configurations still continue. I wanted to access the internet with normal service, but lo and behold, the VPN firewall rules say otherwise! I was in a scare that my computer was in an internet bricking. Naturally, I calmed down and managed to get the CLI to tear down that VPN firewall and was able to access the internet once again. It turns out that the VPN service somehow left the VPN connection on after the firewall teardown incident. It would appear that dismantling the GUI interface sprung a panic mode.

And that’s just the start of my port forwarding and firewall with VPN adventures.

So it has become apparent that VPNs in general don’t go for port forwarding. The options are really limited. I guess I have to make do with the normal internet network instead. Turns out that each Linux build could be its own machine.

While I was going over the steps (plus blunders) for the Librem 5, I found out that the overheat (I think it was due to high screen brightness settings) plus overload of program input may cause the OS to slow down or lock up to a near brick state. I have to restart the device for normal operation amid the heat. Not to mention that switching the power states (most likely due to high screen brightness settings) may incur a shutdown. Upon lock, the phone substantially lowers its temperature to a warm if not lukewarm level.

Also, using the real mouse and real keyboard feels so much better than the screen mouse and screen keyboard. All I can hope for is a monitor with USB-A and USB-C port type compatibility and my Librem 5 (with its hub and cables) is complete as a small desktop machine. Unfortunately, I have to deal with this USB Guard feature before that dream could come true. Sometimes, it doesn’t know when to quit. What gives? I will find a topic about this problem, but that’s for another time.

Took about 1 day and a half to get localhost HTTP website hosting set up the first time!
Finally got the localhost HTTPS website running after a while (took about less than a day).

The next thing is the firewall blocking online access? Or rather to chase down IP address changes! We ain’t there yet? Well, as I said before, each Linux build may have its own rules so it may take a while!
.
.
.

Wait, I managed to get the HTTPS website online! It was completed around 2 days estimate including time before this post. And now for the obligatory exclamation. Woo!
As Neil Armstrong said, “That’s one small step for [a] man, one giant leap for mankind.” Of course, to be neutral and objective, Yuri Gagarin quoted, “Orbiting Earth in the spaceship, I saw how beautiful our planet is. People, let us preserve and increase this beauty, not destroy it!”
I might have exaggerated about the success. There’s still room for improvement. One issue being the power supply. Another is the security and privacy of appending/transmitting such document(s). I’m sure there’s more issues to be addressed.


Well, I got my power supply up and running. We will just see how the power fares for some time. Of course, overheating and programming issues can occur with the hosting service/hardware/software functions. I could only hope, by a gamble, that power is sustained long enough for the next recharge period and that the hosting service/hardware/software will sustain uptime long enough for the next rest period. I have considered 24/7 uptime, but the monetary, time, effort, overheat, and failure costs may rise over time.

As for the status of the web server, it is like any web server on a desktop, but now hosted on a mobile wifi client device. Oh, that’s a wifi connection rather than an ethernet connection. It’s going to be a bit slow, kind of like 56k dialup? Well, we’ll see how it goes, we’ll see. :laughing:

As for proper safekeeping procedures.
Always check for keys before closing/locking lockbox/safe.
Always make sure keys are away from lockbox/safe after unlocking/opening lockbox/safe.
Always activate/authenticate computer/electronic device away from lockbox/safe.
Lockboxes/safes ought to have key required locking mechanism.
Haste makes waste.

There’s a lot going on in this thread and I apologize if this has already been covered, but my experience using mobile-based data networks (including mobile broadband on a phone as well as Verizon 5G Home internet) has been extremely underwhelming. Due to load-balancing on the cell tower (and the fact that I’m not willing to pay for a business-class-only option for a static IP), I have found in my region (US, PNW) that I’m only able to secure an external IP address for 1-3 days. This simply is not sustainable for a server configuration without automated A-record updates prior to any downtime. Please ping me if you have had success here; I’d be interested in testing out inexpensive mobile-based server options.
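The automated A-record update that post asks about, as an added example of my own and not code from the thread: it watches the phone’s public IPv4 address and triggers an update only when the address actually changes, which is the case that cellular/5G connections hit every few days. The record name www.example.com, the state-file path, the OpenDNS lookup and the update_a_record body are assumptions; the provider API call is a placeholder to fill in for your DNS service.

```shell
#!/bin/sh
# Added example: follow a rotating cellular public IPv4 address with an A record.
# Assumptions (not from the thread): the record is www.example.com, the last
# seen address is cached in STATE_FILE, and update_a_record is a placeholder
# for your DNS provider's update API.

STATE_FILE="${STATE_FILE:-/var/lib/ddns/last_ip}"
HOSTNAME_FQDN="${HOSTNAME_FQDN:-www.example.com}"

# Accept only a dotted quad with four octets in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;     # anything but digits and dots is rejected
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                         # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac   # catches "203.0..7"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Ask a resolver which address it sees us from (needs network; not used by tests).
current_public_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null
}

# 0 = address changed, update needed; 1 = unchanged; 2 = current address unusable
# (typical when the modem is down and the lookup returned nothing).
needs_update() {      # $1 = last cached address (may be empty), $2 = current address
    is_ipv4 "$2" || return 2
    [ "$1" != "$2" ]
}

# Placeholder for the provider API call (constructed; no real endpoint).
update_a_record() {
    echo "would set A record $HOSTNAME_FQDN -> $1"
}

# One run of the check; schedule it from cron or a systemd timer every few minutes.
# The cache is written only after a successful update, so a failed call is retried.
ddns_tick() {
    current=$(current_public_ip)
    last=""
    if [ -r "$STATE_FILE" ]; then last=$(cat "$STATE_FILE"); fi
    rc=0
    needs_update "$last" "$current" || rc=$?
    case $rc in
        0) update_a_record "$current" && printf '%s\n' "$current" > "$STATE_FILE" ;;
        1) : ;;
        2) echo "ddns_tick: no usable public IPv4 address (got '$current')" >&2; return 1 ;;
    esac
}
```

Keep the record’s TTL short so clients stop using the old address soon after the switch; the firewall on the phone does not need to change, since it filters by port rather than by the address it was given.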

Hello JCS. Sorry about the delay. I thought that no one is interested in a mobile server host, or at least one to avert overheating conditions. I have been proofreading documents under the summer heat. Well, I’m here now.

Okay, your first problem is definitely the ever-changing IP address(es). Unless you do not care about changing IP addresses, you do not have to worry about configuring IP address assignment to necessary services in a periodic cycle. Usually, MNOs (the cellular data service providers [smartphone internet/data network service provider]) don’t allow static IP address(es). The main purpose of cellular data is to provide internet access to mobile device clients/users.

Your second problem is whether your MNO/VPN/ISP network provides you the ability of port forwarding for modem/router/firewall interface. Without port forwarding, you may not have access to host services on the given IP address(es). Because of the vast expanse of cellular data service networks, MNOs generally do not allow port forwarding in order to protect its cellular data service network integrity. They just can’t afford the risk of malware attacks on a global scale. VPNs also do not allow port forwarding for the same reason. They are a privacy oriented service after all. The only port forwarding mechanism I can find are ISPs.

The inexpensive mobile-based/internet-based service that you seek might be the MVNOs. They are usually the customer of some major MNO turned into a minor business. I do not think they have the full capabilities as MNOs.
I am not sure what you mean by ping, but I thought I should let you know about my feedback.


@JCS

This is how to ping/mention someone.
