Leanote is a free, lightweight, and open source alternative to Evernote, which is written in Golang. With user experience in mind, Leanote provides users with plenty of practical features, including cross-platform support, writing in the MarkDown syntax, public or private blogging, knowledge gathering and sharing, and team collaboration.
In this article, I will guide you through Setting up a Leanote server on a CentOS 7 server instance. For security purposes, enabling HTTPS support using a Let's Encrypt SSL certificate and Nginx will also be covered.
Prerequisites
- A newly deployed CentOS 7 server instance. Say its IPv4 address is
203.0.113.1. - A sudo user named
leanote. - All of the software packages on the machine have been updated to the latest stable status using the EPEL YUM repo. See details here.
- A domain
leanote.example.combeing pointed to the server instance mentioned above.
Step 1: Create a swap file
When firing up a new CentOS 7 server instance, it's always recommended to setup a swap file in order to ensure the system is running smoothly. For example, creating a 2048MB-sized swap file is fit for a machine with 2GB of memory.
sudo dd if=/dev/zero of=/swapfile count=2048 bs=1M
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
free -m
Note: If you are using a different server size, you may need to modify the size of the swap file.
Step 2: Obtain Leanote 2.6.1 binary files
Download and extract the latest stable release of Leanote for 64-bit Linux system:
cd
wget https://sourceforge.net/projects/leanote-bin/files/2.6.1/leanote-linux-amd64-v2.6.1.bin.tar.gz
tar -zxvf leanote-linux-amd64-v2.6.1.bin.tar.gz
Step 3: Install MongoDB Community Edition 4.0
As required by Leanote, the MongoDB NoSQL DBMS has to be in place before you can successfully setup a Leanote server.
Setup the MongoDB 4.0 YUM repo
Create the MongoDB 4.0 YUM repo as follows:
cat <<EOF | sudo tee /etc/yum.repos.d/mongodb-org-4.0.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/\$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF
Install MongoDB 4.0 packages using YUM
Install all of the MongoDB components and tools using the MongoDB 4.0 YUM repo created earlier:
sudo yum install -y mongodb-org
Configure SELinux for MongoDB 4.0
By default, MongoDB would use the 27017 port when working, which is not allowed if SELinux is in the enforcing mode on the CentOS 7 machine. Use the following command to confirm the current SELinux mode:
sudo getenforce
On a CentOS 7 server instance, SELinux is disabled by default. So the output of the above command would be:
Disabled
In this case, you can feel free to skip the following instructions on configuring SELinux and move on.
However, if you are running an original CentOS 7 server instance, the output of above command would be Enforcing. You need to perform any one of the three options below before you can start and enable the MongoDB service.
-
Option 1: Allow MongoDB to use the
27017portsudo semanage port -a -t mongod_port_t -p tcp 27017 -
Option 2: Disable SELinux
sudo sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config sudo shutdown -r now -
Option 3: Change SELinux to
permissivemodesudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config sudo shutdown -r now
Start the MongoDB service and make it start following a system reboot:
sudo systemctl start mongod.service
sudo systemctl enable mongod.service
Step 4: Import initial Leanote data into MongoDB
Use the commands below to import initial Leanote data into MongoDB:
rm /home/leanote/leanote/mongodb_backup/leanote_install_data/.DS_Store
mongorestore --host localhost -d leanote --dir /home/leanote/leanote/mongodb_backup/leanote_install_data/
Step 5: Enable MongoDB authentication
For security purposes, you need to enable access control to MongoDB right after the MongoDB service is up and running. For this purpose, you need to create at least two MongoDB user accounts: a user administrator account and a database administrator account. You will also need to modify the MongoDB configuration.
Enter the MongoDB shell:
mongo --host 127.0.0.1:27017
Switch to the admin database:
use admin
Create a user administrator named useradmin that uses a password useradminpassword:
db.createUser({ user: "useradmin", pwd: "useradminpassword", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] })
Note: The user administrator useradmin is supposed to manage all MongoDB users, so it's wise to choose a strong password. Of course, a more secure tip is to replace useradmin with a hard-to-guess user name.
Switch to the leanote database:
use leanote
Create a database administrator named leanoteadmin that uses a password leanoteadminpassword:
db.createUser({ user: "leanoteadmin", pwd: "leanoteadminpassword", roles: [{ role: "dbOwner", db: "leanote" }] })
Note: Again, it's recommended to choose a lesser-known user name and a hard-to-guess password.
Having the MongoDB users created, you can confirm the results:
use admin
db.auth("useradmin", "useradminpassword")
Confirm the database admin:
use leanote
db.auth("leanoteadmin", "leanoteadminpassword")
Both will output 1 as confirmation.
Exit the MongoDB shell:
exit
In order to enable access control to MongoDB, you also need to append two lines to the MongoDB config file /etc/mongod.conf, as follows:
sudo bash -c "echo 'security:' >> /etc/mongod.conf"
sudo bash -c "echo ' authorization: enabled' >> /etc/mongod.conf"
Restart the MongoDB service in order for the modifications to take effect:
sudo systemctl restart mongod.service
From now on, you can only use the two user accounts to access and manage MongoDB, useradmin for managing all MongoDB users and leanoteadmin for managing the leanote database only.
Step 6: Configure Leanote
Backup the Leanote config file /home/leanote/leanote/conf/app.conf:
cd /home/leanote/leanote/conf/
cp app.conf app.conf.bak
Use the vi editor to open the Leanote config file:
vi app.conf
Find the following lines one by one:
site.url=http://localhost:9000
db.username= # if not exists, please leave it blank
db.password= # if not exists, please leave it blank
app.secret=V85ZzBeTnzpsHyjQX4zukbQ8qqtju9y2aDM55VWxAH9Qop19poekx3xkcDVvrD0y
Replace them, respectively, as shown below:
site.url=http://leanote.example.com:9000
db.username=leanoteadmin
db.password=leanoteadminpassword
app.secret=E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sA
Note: For security purposes, the value of the app.secret parameter MUST be a 64-bit random string that is different from the original one. Make sure to replace the value E52tyCDBRk39HmhdGYJLBS3etXpnz7DymmxkgHBYxd7Y9muWVVJ5QZNdDEaHV2sAwith your own 64-bit random value.
Save and quit:
:wq!
Step 7: Start Leanote
Modify firewall rules in order to allow inbound TCP traffic on port 9000:
sudo firewall-cmd --permanent --add-port=9000/tcp
sudo systemctl reload firewalld.service
Start Leanote using the official script:
cd /home/leanote/leanote/bin
bash run.sh
Upon seeing Listening on.. 0.0.0.0:9000, point your favorite web browser to http://leanote.example.com:9000 to start using the Leanote site.
Use the default Leanote admin account to sign in:
- Username:
admin - Password:
abc123
For security purposes, you should change the default password immediately after signing in.
Step 8: Enable HTTPS access
For now, you can already access the Leanote server using the HTTP protocol, a less secure protocol. In order to improve system security, you can enable HTTPS by deploying both a Let's Encrypt SSL certificate and the Nginx reverse proxy on your machine.
Properly setup a hostname and fully qualified domain name (FQDN)
Before you can obtain the Let's Encrypt SSL certificate, you need to properly setup the hostname and FQDN on your machine.
First, press CTRL+C to stop the Leanote script run.sh.
Next, setup the hostname and FQDN as follows:
sudo hostnamectl set-hostname leanote
cat <<EOF | sudo tee /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
203.0.113.1 leanote.example.com leanote
EOF
You can confirm the results, as well:
hostname
hostname -f
Modify firewall rules
Block inbound traffic on port 9000 and allow inbound traffic on ports for HTTP and HTTPS services:
sudo firewall-cmd --permanent --remove-port=9000/tcp
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld.service
Apply for a Let's Encrypt SSL certificate
Install the Certbot utility:
sudo yum -y install yum-utils
sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum install -y certbot
Apply for a Let's Encrypt SSL certificate for the domain leanote.example.com:
sudo certbot certonly --standalone --agree-tos --no-eff-email -m admin@example.com -d leanote.example.com
The certificate and chain will be saved as follows:
/etc/letsencrypt/live/leanote.example.com/fullchain.pem
The private key file will be saved as follows:
/etc/letsencrypt/live/leanote.example.com/privkey.pem
By default, the Let's Encrypt SSL certificate will expire in three months. You can setup a cron job, as shown below, to auto-renew your Let's Encrypt certificates:
sudo crontab -e
Press I to enter the insert mode, and then input the following line:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Save and quit:
:wq!
This cron job will try to renew the Let's Encrypt certificate every day at noon.
Install Nginx as a reverse proxy
Install Nginx using the EPEL YUM repo:
sudo yum install -y nginx
Create a config file for Leanote:
cat <<EOF | sudo tee /etc/nginx/conf.d/leanote.conf
# Redirect HTTP to HTTPS
server {
listen 80;
server_name leanote.example.com;
return 301 https://\$server_name\$request_uri;
}
server {
# Setup HTTPS certificates
listen 443 default ssl;
server_name leanote.example.com;
ssl_certificate /etc/letsencrypt/live/leanote.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/leanote.example.com/privkey.pem;
# Proxy to the Leanote server
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host \$http_host;
proxy_set_header Host \$http_host;
proxy_max_temp_file_size 0;
proxy_pass http://127.0.0.1:9000;
proxy_redirect http:// https://;
}
}
EOF
Restart Nginx in order to put your modifications into effect:
sudo systemctl daemon-reload
sudo systemctl restart nginx.service
sudo systemctl enable nginx.service
Modify the site.url setting in the Leanote config file:
cd /home/leanote/leanote/conf/
vi app.conf
Find the following line:
site.url=http://leanote.example.com:9000
Replace it:
site.url=https://leanote.example.com
Save and quit:
:wq!
Run the Leanote script again:
<pre style="overflow: auto; font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 13px; padding-right: 10px; padding-left: 10px; margin-bottom: 25px; line-height: 1.25em; color: #c7254e; word-break: break-all; overflow-wrap: break-word; background-image: linear-gradient(#f9f2f4 0em, #f9f2f4 1.25em, #fffbfb 1.25em,
