So this whole thing is installed, now we are gonna configure the server with nginx. I will show a complete config example with Cloudflare to secure things the most possible and hide server origin, but there are infinite others ways to configure this so take just this as informational and be creative yourself. Check this info-graphic to find others CDN and others way to configure a reverse proxy https://weboas.is/media/host.png http://archive.vn/QUZJ6 So make your Cloudflare account and point your domain to your server, left it proxied. Set ssl/tls to full(strict) and in "Edge Certificates" set "Always Use HTTPS" to On. now set a tight firewall, everything will only pass through cloudflare at this point follow this tutorial: (Don't mess this up or you're gonna lose access to ssh and ftp, beware the IPs on the link page aren't uptodate, uptodate cloudlfare IPs are here https://www.cloudflare.com/ips/) https://www.ajsalkeld.com/blog/tutorial/2016/08/01/how-to-use-ufw-to-whitelist-cloudflare-ips-ubuntu-debian-digitalocean/ http://archive.vn/buxxb sudo apt-get install ufw sudo ufw status sudo ufw disable sudo ufw reset sudo ufw allow ssh sudo ufw allow ftp up to date ips but still check on cloudflare linked pages, only allow https sudo ufw allow from 173.245.48.0/20 to any port https sudo ufw allow from 103.21.244.0/22 to any port https sudo ufw allow from 103.22.200.0/22 to any port https sudo ufw allow from 103.31.4.0/22 to any port https sudo ufw allow from 141.101.64.0/18 to any port https sudo ufw allow from 108.162.192.0/18 to any port https sudo ufw allow from 190.93.240.0/20 to any port https sudo ufw allow from 188.114.96.0/20 to any port https sudo ufw allow from 197.234.240.0/22 to any port https sudo ufw allow from 198.41.128.0/17 to any port https sudo ufw allow from 162.158.0.0/15 to any port https sudo ufw allow from 104.16.0.0/12 to any port https sudo ufw allow from 172.64.0.0/13 to any port https sudo ufw allow from 131.0.72.0/22 to any port https sudo ufw allow from 2400:cb00::/32 to any port https sudo ufw allow from 2606:4700::/32 to any port https sudo ufw allow from 2803:f800::/32 to any port https sudo ufw allow from 2405:b500::/32 to any port https sudo ufw allow from 2405:8100::/32 to any port https sudo ufw allow from 2a06:98c0::/29 to any port https sudo ufw allow from 2c0f:f248::/32 to any port https sudo ufw enable sudo ufw status ok now let's install nginx: sudo apt-get update sudo apt-get install nginx some tuto to get commands and stuffs: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-18-04 http://archive.vn/sjBvU let's configure our server: sudo nano /etc/nginx/sites-available/default (or with ftp) put the ngninx config file instead, don't forget to change your hostname ctrl+x y server { if ($host = www.hostname.ltd) { return 301 https://$host$request_uri; } if ($host = hostname.ltd) { return 301 https://$host$request_uri; } listen 80; server_name hostname.ltd www.hostname.ltd; return 404; } server { client_max_body_size 100M; location /robots.txt { return 200 "User-agent: * Disallow:"; } location / { proxy_pass http://localhost:8080; proxy_set_header Host $host; real_ip_header CF-Connecting-IP; client_max_body_size 100M; # max file size for users to upload } } sudo systemctl enable nginx sudo systemctl start nginx check for syntax errors: sudo nginx -t now let's get a ssl certificate with cerbot and cloudflare that auto renew get the latest instructions in there https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx go to "wildcard" and follow the steps: sudo apt-get update sudo apt-get install software-properties-common sudo add-apt-repository universe sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install certbot python3-certbot-nginx sudo apt-get install python3-certbot-dns-cloudflare get your Global API key in there https://dash.cloudflare.com/profile/api-tokens copy the key somewhere and: sudo mkdir /root/.secrets/ sudo nano /root/.secrets/cloudflare.ini then put your token and past this (change mail and api key) # Cloudflare API credentials used by Certbot dns_cloudflare_email = [email protected] dns_cloudflare_api_key = my-super-secret-api-key000000 Save sudo chmod 0700 /root/.secrets/ sudo chmod 0400 /root/.secrets/cloudflare.ini run this to generate the certificate (don't forget to change the hostname): sudo certbot certonly \ --dns-cloudflare \ --dns-cloudflare-credentials /root/.secrets/cloudflare.ini \ -d hostname.ltd \ -d www.hostname.ltd (Note: you are limited to 5 certificate a week per domain by cerbot) set email address and agree to terms It can take some times, be patient. Set automatic renewal: sudo certbot renew --dry-run now add the certificate to nginx: sudo nano /etc/nginx/sites-available/defaultor by ftp server { if ($host = www.hostname.ltd) { return 301 https://$host$request_uri; } if ($host = hostname.ltd) { return 301 https://$host$request_uri; } listen 80; server_name hostname.ltd www.hostname.ltd; return 404; } server { listen 443 ssl; server_name hostname.ltd www.hostname.ltd; client_max_body_size 100M; location /robots.txt { return 200 "User-agent: * Disallow:"; } location / { proxy_pass http://localhost:8080; proxy_set_header Host $host; real_ip_header CF-Connecting-IP; client_max_body_size 100M; # max file size for users to upload } ssl_certificate /etc/letsencrypt/live/hostname.ltd/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hostname.ltd/privkey.pem; } Check that everything works: sudo systemctl restart nginx sudo nginx -t Now run: sudo systemctl start lynxchan And you should see Lynxchan running on your host name. You can try to reboot to check that lynxchan start well on boot. Now let's configure some other nginx parameters let's not save all logs to save space by defauly nginx save logs (ip + user agent) 14 days. sudo nano /etc/logrotate.d/nginx On line 4, change rotate 14 to rotate 1 ctrl+x y enter Now we need to configure nginx to forward IPs of users as it is behind cloudflare that act like a reverse proxy or all ips will be the same and a lots of functions will not work sudo nano /etc/nginx/nginx.conf under # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 104.16.0.0/12; set_real_ip_from 108.162.192.0/18; set_real_ip_from 131.0.72.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 162.158.0.0/15; set_real_ip_from 172.64.0.0/13; set_real_ip_from 173.245.48.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 190.93.240.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2c0f:f248::/32; set_real_ip_from 2a06:98c0::/29; # use any of the following two real_ip_header CF-Connecting-IP; #real_ip_header X-Forwarded-For; } save sudo systemctl restart nginx Clouflare also tends to make lynxchan buggy with the cache so let's set up rules to not use cache. On your account go on Page rules, make a rule for www.domain.ltd and domain.ltd Set Cache level to Bypass Also configure Cloudflare to not show the annoying captcha to your users, in Overview, set Under Attack Mode to On, then back to Off, then set security level to Essentially Off and close. Now that everything is set we will focus on the LynxChan software. Read everything carefully everything is well documented on the gitgud repo https://gitgud.io/LynxChan/LynxChan/-/tree/master/src/be So let's set the flags (like /int/ flags), it was free but now you have to pay I think so we have a backup of the old version (it still works). Get your FTP manager and place the locationData folder (permission level: rwxr-xr-x or 755) in /LynxChan/src/be and you'll be good to go, since the flag icons are already included in the front-end. This is the most recent up to date version (downloaded 4 January 2020 22:50 UTC). Enjoy. https://anonfile.com/B5obd2Lan9/locationData_zip (15 MB .zip) Mirror: https://files.catbox.moe/un1410.zip (15 MB .zip)

Now the LynxChan / PenumbraLynx front end is raw, you can use it as it is, customize it as you want or get a third party front end with all the functionality included like (You), catalog sorting, clipboardimage, a few more themes, rainbow text... I will show you how to get the same front end as https://bchan.net and how to customize it. Simply delete the current front end sudo rm -r -f /home/bchan/LynxChan/src/fe get this front end, (keep in mind this front end haven't been tested on the 2.3.x version, it's made for the 2.4.x lynxchan version): https://gitgud.io/bchan/bchan and put it at the same location as the other one cd /home/bchan/LynxChan/src You can git clone it and rename the folder to "fe" git clone https://gitgud.io/bchan/bchan.git To clear cache and apply changes, run this command lynxchan -cc -r -rfe -nd Run this as root if you have some EACCES errors with /tmp/unix.socket learn more about this here: https://gitgud.io/LynxChan/LynxChan/-/tree/master/src/be Now let's check a few settings in Lynxchan GUI, go to yoursite.ltd/globalSettings.js Set this: sudo chmod 676 /home/bchan/LynxChan/src/be/settings/general.json connect with the root account you made earlier set: >Tor Port2: 9090 (we will come back to this latter, just set a Tor port and remember it) >Maximum size for requests (MB): to something like 50mb >Extension used for thumbnails (Will make all gif thumbs not animate): png >Character limit for messages: 20000 >Maximum size for uploaded files (MB): 50mb >Allowed MIME types1: bunch of MIME type you can include image/png,image/jpeg,image/gif,image/bmp,video/webm,audio/mpeg,video/mp4,video/ogg,audio/ogg,audio/webm,application/pdf,image/webp,application/x-7z-compressed,application/zip,audio/webm,audio/x-wav,application/x-tar,application/x-rar-compressed,font/ttf,image/tiff,image/svg+xml,font/otf,application/vnd.oasis.opendocument.text,application/vnd.oasis.opendocument.spreadsheet,application/json,image/x-icon,text/html,application/epub+zip,application/vnd.openxmlformats-officedocument.wordprocessingml.document,application/msword,text/css,text/plain,application/octet-stream,video/x-ms-wmv for webp images compatibility sudo apt-get install webp >Total limit of uploaded files on the site 30000 >Disable flood checks (to test your site after) >Disable check on spammer IPs this (to allow VPNs and proxies to post) >Captcha security level: easy >Tor posting permission level: Allowed to post normally >Bypass mode: this will require a block bypass to post, disable right now but activate in case of flood and for easier moderation >Amount of latest posts to show on front-page:10 >Amount of latest images to show on front-page:4 >Amount of threads on the multi-board:10 >Amount of boards to be picked as top boards: 1 >Maximum amount of threads per board: 1000 >Maximum number of banners in boards: 1000 >Maximum size for banners (KB): 500 >Amount of days before removing IPs from posts (any value below 1 or null means to never remove): 1 >Maximum dimension for thumbnails, for both height and width: 200 >Overboard uri: overboard >Site title: Title >Addons1,2(They will be loaded in the order they appear in this list): rainbow,CatalogSort,orange,sage,webring,fortune,jewtext (we will come back to this) >Use ffmpeg to generate animated gif thumbnails (requires ffmpeg installed) >Allow global staff to moderate boards >Make boards use global banners >Generate thumbnails from media files (requires ffmpeg installed) >Display total post count and total unique IPs on front-page >Strip exif data from files Save, if you get this message: Error: EACCES: permission denied sudo chmod 676 /home/bchan/LynxChan/src/be/settings/general.json Now let's add the add-ons. You can get the addons here and clone them in LynxChan/src/be/addons cd /home/bchan/LynxChan/src/be/addons git clone https://gitgud.io/bchan/addons.git This will put the addons folder in the addons folder, don't forget to fix that. You need to change a few things, in addons/webring/config.js put your website then change permission for this to work. find /home/bchan/LynxChan/src/be/addons/webring -type d -exec chmod 0777 {} \; find /home/bchan/LynxChan/src/be/addons/webring -type f -exec chmod 0777 {} \; To be visible in others webring nodes I think one of them have to manually add you first. in the CatalogSort add-on, change the path to where is installed your LynxChan. You can also change the fortunes messages. Now just reboot and check there is no errors with the addons: sudo reboot sudo lynxchan -cc -r -rfe -nd Now go in https://yoursite/account.js and create a board Under Owned Boards click your board URI, you can manage your board here Set the parameters you want, flags, ids... Allow use of code tags To change the logo change logo.png in the static folder by your image and for the animated logo go in /static/pages/logo.html and include your logo as base64. You can do this here: https://www.base64-image.de/ To personalize the front end more in depth play with the CSS, to change text in Bulk use some text editor like Notepad++ or Sublime Text 3 (like changing Bchan to MYchan quickly). Now you'll need an onion address. here is some tutorial: https://chown.io/guide-host-your-own-onion-site-tor-nginx/ http://archive.vn/W6muG echo -e "deb https://deb.torproject.org/torproject.org bionic main\ndeb-src https://deb.torproject.org/torproject.org bionic main" > /etc/apt/sources.list.d/tor.list wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add apt update && apt -y upgrade && apt-get -y install nginx tor systemctl enable nginx && systemctl enable tor && systemctl start tor.service Open /etc/nginx/nginx.conf - turn off our server_tokens. Change hash_bucket_size to allow for a lengthy address. I tend to use nano: nano /etc/nginx/nginx.conf (don't froget to remove the #) Within http { server_names_hash_bucket_size 125; server_tokens off; } Exit and Save: CTRL + x + y | ENTER Do test for any errors, reload nginx. nginx -t nginx -s reload Proceed to configure a Hidden Service within Tor, using your editor open /etc/tor/torrc nano /etc/tor/torrc Find and replace, remove the # like with the nginx config file. HiddenServiceDir /var/lib/tor/nginx/ HiddenServicePort 80 127.0.0.1:9090 (remember the Tor port we set earlier in globalSettings.js) Exit and Save: CTRL + x + y | ENTER Reload Tor, to generate your .onion address. (don't change "hostname" here) service tor reload cat /var/lib/tor/nginx/hostname You may find; cat: /var/lib/tor/nginx/hostname: No such file or directory Okay, speedy fingers! Wait a couple of seconds for Tor to load. cat /var/lib/tor/nginx/hostname Onion: vvhff6npqpyd3xsv5mfjuz64litpngve4kg7wlrth2ikugvt7vsfwhad.onion Go check if you can access your generated address from the Tor browser. Now let's generate a Vanity onion address with 5 characters, should take 1 minute, some tuto: https://opensource.com/article/19/8/how-create-vanity-tor-onion-address http://archive.vn/10WtN You'll need mkp224o: git clone https://github.com/cathugger/mkp224o.git cd mkp224o sudo apt install gcc libsodium-dev make autoconf ./autogen.sh ./configure make Type ./mkp224o -h to view Help Type something like that to generate your address: ./mkp224o bchan -t 4 -v -n 4 -d ~/Extracts ctrl+c to stop process. Keep in mind that more than 5 characters will take a long time. Now go in the folder where the address have been generated, something like /path/to/Extracts Copy the three files, hostname, public and secret key then replace the /var/lib/tor/nginx files with the one you just generated sudo service tor reload nginx -t nginx -s reload Now check that everything is working: bchan46hwn7fxf67hav7khj3ca7v4avg7yhieahqyocgnaolazgi6tqd.onion Setting up your sites favicon: mongofiles -h localhost -d lynxchan -l /home/bchan/LynxChan/src/fe/static/favicon.ico put /favicon.ico If you want to change it again delete the old one (learn MongoDB) Everything should be working fine now.

>>1 ok

>>3 You know, you could just clone the new FE to anywhere then select it on the global settings page. It would automatically refresh everything.

>>10 Yes this works too.

Video tutorial miss some stuffs, keep following the text tutorial

Minimum configuration: 1/2 gb ram, 1 CPU core, 10gb SSD