Installing
Installing kisee
First start by building a venv, let's say /tmp/kisee for the example, but please find it a better place:

    python3 -m venv /tmp/kisee

and activate it (the script must be sourced, not executed):

    . /tmp/kisee/bin/activate
To install kisee, run:

    pip install kisee

Quickstart a settings file:

    kisee-quickstart

Run it once manually to test it:

    kisee  # or python -m kisee
This starts a server on port 8140. Once you have seen it come up, kill it and configure systemd to start it instead. In a file like /etc/systemd/system/kisee.service, copy:
    [Unit]
    Description=Kisee
    After=network.target

    [Service]
    Type=simple
    ExecStart=/tmp/kisee/bin/python -m kisee
    WorkingDirectory=/home/kisee/kisee-19.07.0/
    Restart=on-abort
    User=kisee
    Group=kisee

    [Install]
    WantedBy=multi-user.target
Then reload the systemd configuration, enable the unit and start it:

    systemctl daemon-reload
    systemctl enable kisee
    systemctl start kisee
Configuring HTTPS using nginx with certbot
Using nginx as a front-end for kisee may be a good idea, typically at least for TLS termination (HTTPS decapsulation).
First install nginx and certbot:

    apt install nginx certbot python3-certbot-nginx
Then generate a nice dhparam if one does not exist yet:

    [ -f /etc/ssl/certs/dhparam.pem ] || openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
Make sure your domain resolves correctly to the machine, and generate the certificate (replace EXAMPLE.COM in the command; if nginx is already running, replace --standalone with --nginx):

    DOMAIN=EXAMPLE.COM; certbot certonly --cert-name $DOMAIN -n --agree-tos -d $DOMAIN \
        -m admin@$DOMAIN --standalone --rsa-key-size 4096
Create the nginx TLS snippet (replace EXAMPLE.COM) in /etc/nginx/snippets/letsencrypt-EXAMPLE.COM.conf like this:

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:ssl_session_cache:10m;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.COM/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
Make sure installer and authenticator are both set to nginx in /etc/letsencrypt/renewal/EXAMPLE.COM.conf, in the [renewalparams] section. The installer line may not exist; if so, create it next to the authenticator one.
Finally configure nginx like this (again, replace EXAMPLE.COM):

    server
    {
        listen 80;
        server_name EXAMPLE.COM;
        return 301 https://$server_name$request_uri;
    }

    server
    {
        listen 443 ssl;
        server_name EXAMPLE.COM;
        include snippets/letsencrypt-EXAMPLE.COM.conf;

        location /
        {
            proxy_pass http://127.0.0.1:8140;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Protocol $scheme;
        }
    }
Testing your instance
To check that your instance is running, just curl it over HTTPS from the outside:

    curl https://kisee.example.com

This should give you the json-home of kisee, like this:

    {
        "api": {
            "title": "Identification Provider",
            "links": {
                "author": "mailto:julien@palard.fr",
                "describedBy": "https://kisee.readthedocs.io"
            }
        },
    [...]
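The curl check above only shows that something answers. The following script is an added example, not part of the kisee project, that turns the "Configuring HTTPS" and "Testing your instance" steps into a repeatable deployment check: it verifies that port 80 only redirects to HTTPS (as the first nginx server block does), that the HTTPS endpoint presents a valid certificate and negotiates at least TLS 1.2, and that the body is the json-home document with the fields shown on the page. The hostname kisee.example.com, the sample json-home body and the function names are assumptions made for the example; the offline checks run against the constructed sample, the probe functions need network access to a real instance.

```python
"""Deployment smoke test for a kisee instance behind nginx (added example).

Assumes the layout from the installation page: nginx answers on :80 with a
301 to HTTPS and on :443 with TLS, proxying to kisee on 127.0.0.1:8140.
"""
import http.client
import json
import ssl
import sys
from urllib.parse import urlparse

# Constructed sample of the json-home document shown on the page (the page
# truncates it with [...], so only the fields visible there are checked).
SAMPLE_JSON_HOME = """{
  "api": {
    "title": "Identification Provider",
    "links": {
      "author": "mailto:julien@palard.fr",
      "describedBy": "https://kisee.readthedocs.io"
    }
  }
}"""


def check_json_home(body: str) -> dict:
    """Parse a json-home body and verify the fields kisee is documented to return.

    Every finding is recorded instead of raising, so one run reports all
    deviations at once (e.g. a stray HTML error page instead of JSON).
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return {"valid_json": False, "error": str(exc)}
    api = doc.get("api", {}) if isinstance(doc, dict) else {}
    links = api.get("links", {}) if isinstance(api, dict) else {}
    return {
        "valid_json": True,
        "title_ok": api.get("title") == "Identification Provider",
        "described_by_ok": str(links.get("describedBy", "")).startswith("https://"),
        "author_ok": str(links.get("author", "")).startswith("mailto:"),
    }


def check_redirect(status: int, headers: dict, expected_host: str) -> bool:
    """True when a plain-HTTP answer is the 301-to-HTTPS redirect produced by
    'return 301 https://$server_name$request_uri;' in the nginx config."""
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    return status == 301 and location.startswith(f"https://{expected_host}")


def probe_https(url: str, timeout: float = 10.0) -> dict:
    """GET the URL with full chain and hostname verification; report the
    negotiated TLS version, the HTTP status and the json-home findings.
    Requires network access (live counterpart of the offline checks above)."""
    parsed = urlparse(url)
    ctx = ssl.create_default_context()          # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443,
                                       timeout=timeout, context=ctx)
    try:
        conn.connect()                          # handshake happens here
        tls_version = conn.sock.version()       # read before the socket may close
        conn.request("GET", parsed.path or "/", headers={"Host": parsed.hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
    finally:
        conn.close()
    return {"status": resp.status, "tls_version": tls_version,
            "json_home": check_json_home(body)}


def probe_http_redirect(host: str, timeout: float = 10.0) -> bool:
    """Confirm port 80 only redirects to HTTPS and never serves kisee itself."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return check_redirect(resp.status, dict(resp.getheaders()), host)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python smoke_test.py kisee.example.com  (hostname is an assumption)
    host = sys.argv[1] if len(sys.argv) > 1 else "kisee.example.com"
    print("https:", probe_https(f"https://{host}/"))
    print("http->https redirect:", probe_http_redirect(host))
```

Run it from a machine outside the host so the check exercises the same path a client takes; a failing redirect check usually means the port-80 server block is missing, and a TLS handshake error means the certificate in the snippet does not match the server_name.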