Installing Rocket.Chat on Debian 8

Rocket.Chat is a free/open source software for team collaboration. It is a full featured platform and an ideal alternative to Slack, for organizations that are dedicated to the Free Software philosophy.

In this guide we will demonstrate how you can setup Rocket.Chat for your organization.

Prerequisites:

  • A Debian stretch VM or server.
  • A FQDN pointing to the system’s IP. We will be using rocket.example.com throughout this guide.
  • Installation of rocket.chat
  • Install the Snappy package manager

Snappy is not installed on Debian by default, so we need to install it:

 apt install snapd ca-certificates

Install Rocket.Chat

 snap install rocketchat-server

Check its status:

# systemctl status snap.rocketchat-server.rocketchat-server.service
 snap.rocketchat-server.rocketchat-server.service - Service for snap application rocketchat-server.rocketchat-server
   Loaded: loaded (/etc/systemd/system/snap.rocketchat-server.rocketchat-server.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2017-01-03 12:27:50 PST; 12min ago
 Main PID: 24891 (node)
    Tasks: 10 (limit: 4915)
   CGroup: /system.slice/snap.rocketchat-server.rocketchat-server.service
           └─24891 node /snap/rocketchat-server/326/main.js

Jan 03 12:27:50 rocket systemd[1]: Started Service for snap application rocketchat-server.rocketchat-server.

Check its port (default is 3000):

# ss -lnptu | grep 3000
tcp    LISTEN     0      128       *:3000                  *:*                   users:(("node",pid=24891,fd=13))

Looks OK

Install nginx

The core application does not support TLS so we will be setting up an nginx reverse proxy on top of it.

Install NGINX and certbot from Let’s Encrypt:

 apt -y install nginx python-certbot-nginx

Create the VirtualHost

We need to create this file: /etc/nginx/sites-available/rocket.example.com:

 Upstreams
upstream backend {
    server 127.0.0.1:3000;
}

# HTTP Server
server {
    listen 80;
    server_name rocket.example.com;

    error_log /var/log/nginx/rocketchat.access.log;

    location / {
        proxy_pass http://127.0.0.1:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

Enable the VirtualHost:

cd /etc/nginx/sites-enabled/
ln -s ../sites-available/rocket.example.com
systemctl reload nginx

Generate the certificate

certbot --nginx run -d rocket.example.com

    Enter email address: admin@example.com
    Agree to the To
    Enforce HTTPS: Secure

The VirtualHost file (/etc/nginx/sites-available/rocket.example.com) should look like this after the creation of the Let’s Encrypt certificate:

# Upstreams
upstream backend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name rocket.example.com;

    error_log /var/log/nginx/rocketchat.access.log;

    location / {
        proxy_pass http://127.0.0.1:3000/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/rocket.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/rocket.example.com/privkey.pem; # managed by Certbot
ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
ssl_session_timeout 1440m; # managed by Certbot

ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # managed by Certbot
ssl_prefer_server_ciphers on; # managed by Certbot

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

Now visit the website to test it: http://rocket.example.com (it should redirect you to https://rocket.example.com)
Creating an admin account

Register a new account. You will get this warning:

WARNING: the setting site URL is configured to http://localhost and you are accessing from https://rocket.example.com. do you want to change to https://rocket.example.com?

You should ofcourse answer ‘Yes’.

This first user created is an admin user. You can set global preferences from https://rocket.example.com/admin. Now users can visit the website and register with it. You may wish to Allow Notifications when you are prompted by your browser on your first visit to the site. Rocket.Chat supports many other authentication backends, including LDAP which is described in the next step.

Besides the web service you can also download native applications for Linux, Windows, Mac OS X, Android and iOS.
Configure LDAP

This is an optional step, but recommended if your organization has an LDAP or Active Directory setup. In this example we are using the Fusiondirectory setup from our previous guide.

Create a service account for rocket.chat, using the DSA module of Fusiondirectory:

Username: cn=rocketchat,ou=dsa,dc=example,dc=com
Password: MySecretCombination

Now go to https://rocket.example.com/admin using an admin account and set these:

Enable: True
Login Fallback: True
Host: ldap.example.com
Port: 389
Encryption: StartTLS
CA Cert: Paste the contents of your internal ROOT CA certificate (example.com-rootCA.crt for example)
Reject Unauthorized: True
Domain Base: ou=people,dc=example,dc=com
Use Custom Domain Search: False
Domain Search User: cn=rocketchat,ou=dsa,example,dc=com
Domain Search Password: MySecretCombination
Domain Search User ID: uid
Domain Search Object Class: person
Domain Search Object Category: Leave Empty
Username Field: Leave Empty

Leave the default settings for the rest and press the SAVE CHANGES button

You can use the TEST CONNECTION button to test the connection.

You can now try to login using your LDAP username and password.

References