Adding SSL to self-hosted NewsBlur

Hi - great product and really getting a lot out of it.

I’ve got a self-hosted instance up and running after making a few tweaks (noting here for anyone looking for hints on their setup)

-apt install build-essential if not on system to run make nb and make collectstatic
-using willnorris/imageproxy for imageproxy
-change protected mode to no in redis.conf
-run make collectstatic to install assets

last thing i am trying to figure out is how to add ssl certificate for my custom domain with certbot without breaking the nginx config - any suggestions there?

thanks in advance

Why the change in protected mode for redis? Also, what happens if you don’t run collectstatic? It shouldn’t be necessary in the default configuration.

As for the ssl issue, haproxy is the service that wants your ssl cert, not nginx. Nginx used to handle it, which is why there are references in the configs, but really the haproxy.docker-compose.cfg file is the one you want.

Thanks for getting back.

Running redis in protected mode I get below - also tried setting a password but got an error as well - can try to recreate if needed.

ResponseError at /

DENIED Redis is running in protected mode because protected mode is enabled and no password is set for the default user. In this mode connections are only accepted from the loopback interface. If you want to connect from external computers to Redis you may adopt one of the following solutions: 1) Just disable protected mode sending the command ‘CONFIG SET protected-mode no’ from the loopback interface by connecting to Redis from the same host the server is running, however MAKE SURE Redis is not publicly accessible from internet if you do so. Use CONFIG REWRITE to make this change permanent. 2) Alternatively you can just disable the protected mode by editing the Redis configuration file, and setting the protected mode option to ‘no’, and then restarting the server. 3) If you started the server manually just for testing, restart it with the ‘–protected-mode no’ option. 4) Setup a an authentication password for the default user. NOTE: You only need to do one of the above things in order for the server to start accepting connections from the outside.

When I run default setup without make collectstatic I get the same result noted in: Benefits of owning a self-hosted NewsBlur? - #17 by samuelclay

-tried changing the debug settings as noted elsewhere but might’ve missed something

haven’t used haproxy prior to this so will have to have a look around but ended up using cloudflare as a proxy for ssl which works well enough but for now

I self-host Newsblur using Tailscale DNS [1] and TLS certificates [2] to access it over https. It requires the device you’re on to have Tailscale running as well, but this has the benefit of setting up the Newsblur mobile app to use a custom server and not have to expose Newsblur publicly.

Trick I found was to create a separate VM for Newsblur and set it up as a Tailscale host, this way it gets its own sub-domain on Tailnet with it’s own TLS cert.

Once that was setup, concatenate the cert and key into a single .pem file that HAProxy can use,

cat /var/lib/tailscale/certs/ /var/lib/tailscale/certs/ > /srv/NewsBlur/config/certificates/newsblur.pem

and update /srv/Newsblur/docker/haproxy/haproxy.docker-compose.cfg to use it,

frontend public
    bind :80 
    bind :443 ssl crt /srv/newsblur/config/certificates/newsblur.pem #ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA:AES256-SHA256:AES256-SHA no-sslv3
    http-response add-header Strict-Transport-Security max-age=0;\ includeSubDomains
    option http-server-close

Downside is the cert is only valid for 3 months, and I’m not entirely certain if Tailscale will automatically renew it or it requires a manual process.

  1. DNS in Tailscale · Tailscale
  2. Enabling HTTPS · Tailscale
1 Like