Hideout can be hosted on a Linux system with an AMD64 CPU. Ideally I'd like to host it on a Raspberry Pi, because it's very affordable. But Haskell didn't play well with the ARM CPU on my Pi 3. So currently I've only successfully hosted Hideout on a spare laptop. I'll try Pi 4 when I get one. A rented VPS works too, but it's not ideal for Hideout. See the section titled "Hideout is designed to be self-hosted" in the README.
Hideout is tested to work on Debian. Testing on other distros is very welcome.
This guide assumes:
- Hideout will be hosted at `/home/user/hideout-1.0.0`. Your version number may be different.
- Domain name will be `hideout-demo.com`.
- You are using a device you own to host Hideout. If you decide to choose the less ideal option with a rented VPS, the process will be similar and simpler. Port-forwarding is likely already handled by the VPS provider, and you won't need to care about VPN either.
To host Hideout, first download the latest release from the release page: https://github.com/techmindful/hideout/releases
Unzip it to `/home/user/hideout-1.0.0`.
We need nginx for the server. Get it here: https://nginx.org/en/docs/install.html
We need to configure nginx. You can skip this part if you are familiar with nginx. I'm no expert. I left nginx's default config at `/etc/nginx/nginx.conf` untouched:
```
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/hideout-demo.com.conf;
}
```
Notice the last line `include /etc/nginx/conf.d/hideout-demo.com.conf;`. It brings in the site-specific config at `/etc/nginx/conf.d/hideout-demo.com.conf`. So let's create a config for Hideout at `/etc/nginx/conf.d/hideout-demo.com.conf`:
```
server {
    server_name www.hideout-demo.com;

    root /home/user/hideout-1.0.0/;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ /api {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    listen 80;
}
```
Change your `server_name` and `root` based on your domain name and file location.
Now if you start nginx with `sudo nginx`, you should see Hideout's frontend running at `localhost`. This is also a good time to make sure Hideout can be accessed by visiting your public IP in your browser. You will need to configure port-forwarding for ports 80 and 443 on your router and firewall for the traffic to be forwarded.
Now we need to set up the domain name, DNS, and HTTPS. I'm switching to my perspective here, as there are multiple ways to make it work. I don't want to sound like a sales associate by saying things like "okay now you should get a domain from Njalla and buy Mullvad VPN".
I got my domain name at Njalla: https://njal.la/, a "privacy-aware domain service". For the domain's DNS, I added an A record, filled in its name with "www", and its content with my public IP. I gave the record a short TTL. I didn't continue until I tested to see that I can reach Hideout by visiting `http://www.hideout-demo.com`. Note that it only works over HTTP, not HTTPS, at this point.
The next step is to enable HTTPS. Unlike domain and VPN, an HTTPS certificate can be acquired freely with EFF's Certbot: https://certbot.eff.org/. The instructions there are pretty simple to follow. Certbot modified my `/etc/nginx/conf.d/hideout-demo.com.conf` to handle HTTPS traffic, and redirect HTTP traffic to HTTPS.
I decided to test if I can access Hideout over HTTPS, and if I'll be redirected when I attempt an HTTP connection. I found the website timing out. After checking every corner, it turned out that on my firewall, I'd only set up port-forwarding for port 80, but not port 443. After I forwarded port 443, the HTTPS connection and redirection worked immediately.
At this point, I've successfully hosted a working instance of Hideout on my laptop. But if I'm to send a Hideout link to others, I'd expose the public IP of my home to both the recipients, and the unprivate platform where I send the link. So I need to host Hideout behind a VPN. Fortunately, port-forwarding is supported by Mullvad VPN: https://mullvad.net. I installed its open-source app on my laptop, and followed Mullvad's port-forwarding guide: https://mullvad.net/en/help/port-forwarding-and-mullvad/. Overall, it was a rather simple process. I first updated the DNS of the domain to point to the "Out" IP of Mullvad, which can be seen by clicking the expand arrow on the app's home interface. The ports were next. A caveat is that Mullvad assigns me a random port number. Let's assume it's 50000 in this guide. I first disabled the port-forwarding on my firewall for ports 80 and 443, as they are unnecessary now. I thought I needed to enable port-forwarding for port 50000, but somehow it worked without me doing so. The new port did require me to change the `listen 443 ssl` in `hideout-demo.com.conf` to `listen 50000 ssl`. Below is the final config. Notice the commented block at the end too.
```
server {
    server_name www.hideout-demo.com;

    root /home/user/hideout-1.0.0/;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ /api {
        proxy_pass http://localhost:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # SSL cert
    listen 50000 ssl;
    ssl_certificate /etc/letsencrypt/live/www.hideout-demo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.hideout-demo.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# The traditional redirection from HTTP to HTTPS
# is not needed here, because port 80 won't be available
# through Mullvad anyway.
#server {
#
#    server_name hideout-demo.com;
#
#    if ($host = www.hideout-demo.com) {
#        return 301 https://$host$request_uri;
#    }
#
#    listen 80;
#
#    return 404;
#
#}
```
At this point, I've successfully hosted Hideout on a computer I physically own, over HTTPS, behind a VPN. I can access it in browser at `https://www.hideout-demo.com:50000`. Note that no piece of the URL can be left out. I need to specify `https`, because `http` isn't available. I need to specify `www`, because the DNS only has one record, which translates IP for `www`. I can't add some DNS redirect, because DNS isn't aware of port numbers. Finally, I need to specify the port number `50000` as well.
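
A check for the final config above, as an added example that is not part of the original guide or the Hideout project. It reads a site config laid out one directive per line, like the guide's, and reports listeners that are plaintext or not on the VPN-forwarded port, regex locations not anchored with `^` (nginx matches `~ /api` against any URI that contains `/api`), and `proxy_pass` targets that are not loopback. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Hideout project. Assumes one directive per
# line, as in the guide's config files.

# audit_site_conf VPN_PORT < site.conf
# Prints one finding per line; prints nothing when the config passes.
audit_site_conf() {
    awk -v port="$1" '
        { sub(/#.*/, "") }    # ignore comments, e.g. the disabled port-80 block
        $1 == "listen" {
            p = $2; sub(/;$/, "", p); sub(/^.*:/, "", p)    # addr:port -> port
            if ($0 !~ /[ \t]ssl[ \t;]/) print "plaintext listener on port " p
            if (p != port) print "port " p " is not the VPN-forwarded port"
        }
        $1 == "location" && ($2 == "~" || $2 == "~*") && substr($3, 1, 1) != "^" {
            print "unanchored regex location " $3
        }
        $1 == "proxy_pass" && $2 !~ "^https?://(localhost|127\\.0\\.0\\.1)[:/;]" {
            print "proxy_pass leaves the host: " $2
        }
    '
}

# Constructed sample: a trimmed copy of the guide's final server block, plus
# the port-80 redirect block left active instead of commented out.
sample_conf() {
    cat <<'EOF'
server {
    server_name www.hideout-demo.com;
    location ~ /api {
        proxy_pass http://localhost:9000;
    }
    listen 50000 ssl;
}
server {
    server_name hideout-demo.com;
    listen 80;
    return 404;
}
EOF
}

sample_conf | audit_site_conf 50000
```

Against the real file, run it as `audit_site_conf 50000 < /etc/nginx/conf.d/hideout-demo.com.conf`, replacing 50000 with the port Mullvad assigned.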