kyle
/
mcias
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mcias/docs/deployment.md

3.9 KiB
Raw Blame History

MCIAS Deployment Guide

Overview

This document provides guidance on deploying the Metacircular Identity and Access System (MCIAS) in a production environment. MCIAS is designed to be deployed behind a reverse proxy that handles TLS termination and security headers.

Prerequisites

  • Linux server with systemd
  • Nginx or another reverse proxy for TLS termination
  • User and group mcias created on the system
  • Go 1.23 or later for building from source

Installation

  1. Build the MCIAS binary:

    go build -o mcias ./cmd/mcias

  2. Create the installation directory:

    sudo mkdir -p /opt/mcias

  3. Copy the binary and service file:

    sudo cp mcias /opt/mcias/
sudo cp mcias.service /etc/systemd/system/

  4. Set appropriate permissions:

    sudo chown -R mcias:mcias /opt/mcias
sudo chmod 755 /opt/mcias/mcias

  5. Initialize the database:

    sudo -u mcias /opt/mcias/mcias init --db /opt/mcias/mcias.db

  6. Enable and start the service:

    sudo systemctl daemon-reload
sudo systemctl enable mcias
sudo systemctl start mcias

Reverse Proxy Configuration

MCIAS is designed to run behind a reverse proxy that handles TLS termination and security headers. Below is an example Nginx configuration:

server {
    listen 443 ssl http2;
    server_name mcias.example.com;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/mcias.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mcias.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self';" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Proxy to MCIAS
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name mcias.example.com;
    return 301 https://$host$request_uri;
}

Security Considerations

  1. TLS Configuration: The reverse proxy should use modern TLS protocols (TLSv1.2 and TLSv1.3) and strong cipher suites.

  2. Security Headers: The reverse proxy should add security headers to all responses, as shown in the Nginx configuration example.

  3. Firewall Configuration: Configure your firewall to only allow connections to the MCIAS server from the reverse proxy.

  4. Regular Updates: Keep the MCIAS software, operating system, and reverse proxy up to date with security patches.

  5. Monitoring: Set up monitoring for the MCIAS service and review logs regularly for security events.

Logging

MCIAS logs to the systemd journal by default. You can view logs using:

sudo journalctl -u mcias

Security events are logged with the prefix SECURITY_EVENT: and are in JSON format for easy parsing.

Backup and Recovery

Regularly back up the MCIAS database file (/opt/mcias/mcias.db) to ensure you can recover in case of data loss.

Example backup script:

#!/bin/bash
BACKUP_DIR="/var/backups/mcias"
TIMESTAMP=$(date +%Y%m%d%H%M%S)
mkdir -p $BACKUP_DIR
sqlite3 /opt/mcias/mcias.db ".backup $BACKUP_DIR/mcias_$TIMESTAMP.db"