This document describes making a self hosted nightscout instance, with SSL encryption and certificate with Let's Encrypt.
Make a fresh instance of Ubuntu 16.04.1 LTS as a VM or on a physical machine Download from http://www.ubuntu.com/download/server/thank-you?version=16.04.1&architecture=amd64
VIrtual machine host options :
- Virtualbox - https://www.virtualbox.org/
- Parallels - https://www.parallels.com/
- Vmware - https://www.vmware.com/ - various options including vmware workstation, vmware player, ESXi
Alternatively, consider hosting your Ubuntu instance elsewhere, for example:
Update the Ubuntu instance:
sudo apt-get update && sudo apt-get upgrade
Update node:
sudo npm cache clean -f
sudo npm install -g n
sudo n stable
Install Node.js and npm sudo apt-get install nodejs npm
Download cgm-remote-monitor (nightscout) from github:
git clone https://github.com/nightscout/cgm-remote-monitor.git
Alternatively fork a copy of cgm-remote-monitor and clone your own copy.
cd cgm-remote-monitor
Install cgm-remote-monitor:
git checkout dev
npm install
setup your cgm-remote-monitor environment as you normally would, for example creating a file my.env :
MONGO_CONNECTION=MONGOCONNECTIONSTRING
DISPLAY_UNITS=mmol
BASE_URL=NIGHTSCOUT_SITE_URL
DEVICESTATUS_ADVANCED="true"
mongo_collection="mogocollection_name"
API_SECRET=AVeryLongString
ENABLE=careportal%20openaps%20iob%20bwp%20cage%20basal%20pump%20bridge
BRIDGE_SERVER=EU
BRIDGE_USER_NAME=USERNAME
BRIDGE_PASSWORD=PASSWORD
sudo npm install pm2 -g
Start cgm-remote-monitor with pm2:
env $(cat my.env) PORT=1337 pm2 start lib/server/server.js
Make pm2 start cgm-remote-monitor on startup
pm2 startup ubuntu - this will give you a command you need to run as superuser to allow pm2 to start the app on reboot
The command will be something like:
sudo su -c "env PATH=$PATH:/usr/bin pm2 startup ubuntu -u username --hp /home/username"
And then:
pm2 save
Install nginx:
sudo apt-get install nginx
edit this file:
sudo vi /etc/nginx/sites-available/default
Delete the existing contents and replace with this:
I'm assuming the proxy is on the same host as nightscout and the proxy_pass http://127.0.0.1:1337 line - 1337 is replaced with the port that nightscout is using
server {
listen 80;
server_name example.com;
location / {
proxy_pass http://127.0.0.1:1337;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Then restart the nginx service
sudo service nginx restart
install Let's Encrypt
sudo apt-get install letsencrypt python-certbot-nginx
Obtain SSL certificate using webroot plugin
Allow access to /.well-known directory for Lets Encrypt
sudo nano /etc/nginx/sites-available/default
Stop ngnix service
sudo service nginx stop
Obtain letsencrypt certificate -
sudo letsencrypt certonly
enter your domain name when prompted. This will create the certificates for your domain name. The certificates should now be available at /etc/letsencrypt/live/your_domain_name
improve SSL security by generating a strong Diffie-Hellman group
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Add this to the etc/nginx/sites-enabled/defaults file:
server {
listen 443 ssl;
server_name your_domain_name;
root /usr/share/nginx/html;
ssl_certificate /etc/letsencrypt/live/your_domain_name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-E
CDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECD
HE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA3
84:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-
RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-S
HA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DE
S-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;
location ~ /.well-known {
allow all;
}
location / {
proxy_pass http://localhost:1337/; # Note port number for your cgm-remote-monitor should be changed if it isn't 1337
}
}
restart nginx
sudo service nginx restart
You can test the quality of the SSL connection using: https://www.ssllabs.com/ssltest/analyze.html?d=your_domain_name Unfortunately only works with port 443
Arrange auto renewal of certificates. Add this line to the su crontab sudo crontab -e
30 2 * * 1 certbot renew >> /var/log/le-renew.log
Hopefully that is now done!
Hey @johnmales , this is great stuff! I think I will plan to follow this and your Oracle cloud guide. I've got Ubuntu instances running at home, but port 443 is already used, and I'd prefer to not rely on my home Internet connection. One question, is there anything tricky if I want to migrate my Atlas Mongo data to a local Mongo instance? Normally I wouldn't really care, but we are switching to a new Endo, and I'd like to have all the data possible. Thanks!