
Install server

note

All the commands in this section need to be executed as root.

Installing pre-requisites

Installing tiCrypt-Mailbox

tiCrypt-Mailbox is distributed as an .rpm package for RHEL-based systems. To install it, make sure you have access to the tiCrypt package repository as described in the Back-end installation instructions.

Then install the tiCrypt-Mailbox package with:

dnf install ticrypt-mailbox

We need a place to put the .szip files: /var/www/ticrypt-mailbox

Create the static directory for tiCrypt-Mailbox and give it to the ticrypt user:

mkdir -p /var/www/ticrypt-mailbox
chmod a+rx /var/www/ticrypt-mailbox
chown ticrypt /var/www/ticrypt-mailbox

The tiCrypt-Mailbox service needs to be enabled:

systemctl enable ticrypt-mailbox

Configuration

Configuring tiCrypt-Mailbox

The configuration file for tiCrypt-Mailbox is /etc/ticrypt/mailbox.toml. The configuration options supported are:

Parameter    | Type   | Required | Description
-------------|--------|----------|------------------------------------
hostname     | String |          | Hostname to bind to
port         | Int    |          | The port to bind to
baseURL      | String |          | The external URL for the server
backendURL   | String |          | The URL of the tiCrypt server
mailbox      | String |          | Path to the application .szip file
secureCookie | Bool   |          | Disable/enable the secure cookie

Some notes on the configuration:

  • hostname should be 127.0.0.1 if you deploy behind Nginx.
  • port should match the upstream service port in the Nginx configuration below.
  • baseURL should match the external name configured in Nginx below.
  • backendURL should be fully qualified and accessible from the server, e.g. https://ticrypt.example.com. To test that it works, run:

    wget https://ticrypt.example.com/info

    and make sure you get a reply containing the system info. If that does not work, connectivity with the tiCrypt server is broken.
  • mailbox must point to a valid inbox-....szip file that the user nginx can read.

note

To update the inbox, download a newer inbox....szip file, change the mailbox variable, and restart the service with systemctl restart ticrypt-mailbox.

caution

secureCookie=true is only useful for debugging, assuming https cannot be used, and should never be used in production.

Configuring the firewall

If you have not done so already, allow external access to the HTTPS port:

firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

Setting up Nginx

The recommended way to install the web application is to use an Nginx instance that is set up for serving flat files and dealing with the TLS/SSL certificate for the respective domain. This can be accomplished by adding a file /etc/nginx/conf.d/mailbox.ticrypt.conf.

With the assumptions:

  • The tiCrypt-Mailbox service runs on port 8082
  • We serve the mailbox from URL: https://mailbox.example.com
  • The TLS stacked (chained) certificate for the domain is stored in file /etc/pki/tls/certs/example-stacked.crt
  • The TLS private key is stored in file /etc/pki/tls/private/example.pem

The configuration file can look like:

upstream tc-mailbox {
    server 127.0.0.1:8082;
}

server {
    ### Configuration based on Mozilla Configuration Tool
    listen 443 ssl;
    server_name mailbox.example.com;
    root /var/www/ticrypt-mailbox;

    ssl_certificate /etc/pki/tls/certs/example-stacked.crt;
    ssl_certificate_key /etc/pki/tls/private/example.pem;

    ssl_session_timeout 1d;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them if your clients allow it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/pki/tls/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";

    #### This is critical for tiCrypt ####
    client_max_body_size 16M;

    ssl_session_tickets off;

    # serve static files from root, hand everything else to the service
    location / {
        try_files $uri @proxy;
    }

    location @proxy {
        proxy_pass http://tc-mailbox;
        proxy_redirect off;
        proxy_buffering off;
        proxy_cache off;
        proxy_http_version 1.1;
        proxy_read_timeout 900s;
        proxy_connect_timeout 360s;
        proxy_send_timeout 360s;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

caution

Failure to set client_max_body_size to at least 16M will prevent large file uploads and will result in mysterious failures.
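The notes on the configuration above and the Nginx assumptions are easy to get out of sync (service port vs. upstream port, baseURL vs. server_name, the 16M body limit). The following is an added example, not part of the tiCrypt documentation: a POSIX sh checker that reads a copy of mailbox.toml and the Nginx site file and reports every mismatch. It assumes one-line `key = value` TOML entries and the directives used in the example configuration; file paths are passed as arguments.

```shell
#!/bin/sh
# Added example (not part of the tiCrypt documentation): checks that
# /etc/ticrypt/mailbox.toml agrees with the Nginx site file per the notes above.
# Assumes one-line `key = value` TOML entries and the directives used in the
# example configuration (upstream `server host:port;`, server_name, client_max_body_size).

# toml_get FILE KEY -> value without surrounding quotes or trailing blanks
toml_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*/\1/p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# nginx_get FILE DIRECTIVE -> first argument of the first matching directive
nginx_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# upstream_port FILE -> port from the first `server host:port;` line (the upstream block)
upstream_port() {
    sed -n 's/^[[:space:]]*server[[:space:]]\{1,\}[^;[:space:]]*:\([0-9]\{1,\}\);.*/\1/p' "$1" | head -n 1
}

# size_bytes 16M -> 16777216 (nginx k/m/g suffixes, case-insensitive; no suffix = bytes)
size_bytes() {
    n=$(printf '%s' "$1" | sed 's/[^0-9]//g'); [ -n "$n" ] || n=0
    case "$1" in
        *[kK]) echo $((n * 1024)) ;;       *[mM]) echo $((n * 1048576)) ;;
        *[gG]) echo $((n * 1073741824)) ;; *)     echo "$n" ;;
    esac
}

# check_mailbox_config TOML NGINX_CONF -> prints one line per problem and
# returns the number of problems found (0 means the two files are consistent)
check_mailbox_config() {
    problems=0
    host=$(toml_get "$1" hostname); port=$(toml_get "$1" port)
    base=$(toml_get "$1" baseURL);  mbox=$(toml_get "$1" mailbox)
    uport=$(upstream_port "$2");    sname=$(nginx_get "$2" server_name)
    body=$(size_bytes "$(nginx_get "$2" client_max_body_size)")
    [ "$host" = "127.0.0.1" ] || { echo "hostname is '$host'; use 127.0.0.1 behind Nginx"; problems=$((problems + 1)); }
    [ "$port" = "$uport" ] || { echo "port '$port' does not match Nginx upstream port '$uport'"; problems=$((problems + 1)); }
    [ "$base" = "https://$sname" ] || { echo "baseURL '$base' does not match https://$sname"; problems=$((problems + 1)); }
    case "$mbox" in
        *.szip) [ -r "$mbox" ] || { echo "mailbox file '$mbox' is not readable"; problems=$((problems + 1)); } ;;
        *)      echo "mailbox '$mbox' is not an .szip file"; problems=$((problems + 1)) ;;
    esac
    [ "$body" -ge 16777216 ] || { echo "client_max_body_size is below 16M; large uploads will fail"; problems=$((problems + 1)); }
    return $problems
}
```

Run it as the ticrypt user (`check_mailbox_config /etc/ticrypt/mailbox.toml /etc/nginx/conf.d/mailbox.ticrypt.conf`) so the readability test on the .szip file reflects the service's own permissions.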


Wrapping up

To wrap up the installation, we simply start the tiCrypt-Mailbox service with:

systemctl start ticrypt-mailbox

and verify that the service works by navigating to the public URL. You should get a message telling you that you do not have the required credentials, but the page should load.

Debugging

If the application is not served correctly, check the error logs of tiCrypt-Mailbox to ensure that the mailbox file can be found and that it is correctly signed.

note

You need to update the mailbox .szip file soon after it becomes available since it might contain security patches and usability improvements.

Updating the tiCrypt-Mailbox server

The tiCrypt-Mailbox server is very simple and needs updating rarely. In case you need to update it, do:

  • Install the new .rpm packages
  • Restart the tiCrypt-Mailbox service with:

    systemctl restart ticrypt-mailbox