I am playing with a bin called Haste. Very cool, very usable. It is internal, so I don’t have a link for you. However, you can use the developers’ public instance at http://hastebin.com/

It was an interesting journey getting this working. It is based on node.js, something I have never worked on before. Installation started with the basics listed on the haste-server page above. It wasn’t until much later that I discovered the wiki.

What I have is haste-server running via npm behind a nginx proxy to provide ssl. I went through a lot of variations until I got to this point. In the following, I will try to distil the process into something sane.

Prep the environment.

apt-get install git npm
cd /opt
git clone https://github.com/seejohnrun/haste-server.git
cd haste-server/
adduser --shell /usr/sbin/nologin --home /opt/haste-server haste-server
chown -R haste-server:haste-server static/ data/
npm install
npm start

This verifies that haste-server is running. Browse to the address it prints to verify, then Ctrl+C when done.

This is what I changed to prep for being proxied. Much to my dismay, haste does not support an IPv6 address in the host field.

vi /opt/haste-server/config.js
"host": "127.0.0.1",
"port": 12434,
"storage": {
    "type": "file",
    "path": "./data"
},

Now to get haste-server to start automatically. I don’t have a great solution for this, so I will just point it at the instructions provided by the dev and say good luck!

I poked around at some of these options as well.

Here is my nginx config. You will need to adjust the listen and server_name values to be appropriate for your build.

Resources I used for building a strong SSL configuration.

vi /etc/nginx/sites-available/haste.conf
server {
        listen 192.0.2.100:80;
        listen [2001:db8:2210::100]:80;
        listen 192.0.2.100:443 ssl;
        listen [2001:db8:2210::100]:443 default ssl;
        server_name haste.example.com;
        if ($scheme = http) {
                return 301 https://$server_name$request_uri;
        }
        ssl_session_timeout 5m;
        ssl_session_cache shared:NginxCache123:50m;
        ssl_dhparam /path/to/ssl/dhparam.pem;
        ssl_certificate /path/to/ssl/haste.example.com.bundle.crt;
        ssl_certificate_key /path/to/ssl/haste.example.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /path/to/ssl/ca-intermediary.bundle.crt;
        resolver 2001:4860:4860::8888;
        location / {
                proxy_set_header   X-Real-IP $remote_addr;
                proxy_set_header   Host      $http_host;
                proxy_set_header   X-NginX-Proxy true;
                proxy_pass         http://127.0.0.1:12434;
                proxy_redirect     off;
        }
        add_header Strict-Transport-Security max-age=31536000;
        add_header X-Frame-Options DENY;
}

Here is the config breakdown.

Get nginx listening on the right IPs and URLs. I specified the IPs because it wasn’t giving consistent behavior in binding when I was using “[::]:80”.

listen 192.0.2.100:80;
listen [2001:db8:2210::100]:80;
listen 192.0.2.100:443 ssl;
listen [2001:db8:2210::100]:443 default ssl;
server_name haste.example.com;

Force https by redirection.

if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}

Basic SSL certs – cat site.crt intermediate.crt ca.crt > haste.example.com.bundle.crt

ssl_certificate /path/to/ssl/haste.example.com.bundle.crt;
ssl_certificate_key /path/to/ssl/haste.example.com.key;

Cached SSL session resumption

ssl_session_timeout 5m;
ssl_session_cache shared:NginxCache123:50m;

Making forward secrecy stronger.

ssl_dhparam /path/to/ssl/dhparam.pem;

This is how you generate the file.

openssl dhparam -outform PEM -out dhparam.pem 2048

Choosing strong ciphers. Note: if you follow my example, you will break some older clients such as XP. (Make sure to take the line breaks out of the cipher list.)

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA \
!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

OCSP stapling to make cert validation faster. The resolver is the IPv6 address of google-public-dns-a.google.com.

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/ssl/ca-intermediary.bundle.crt;
resolver 2001:4860:4860::8888;

Next we set up the proxy. Make sure the proxy_pass matches what you configured haste-server to listen on.

location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host      $http_host;
        proxy_set_header   X-NginX-Proxy true;
        proxy_pass         http://127.0.0.1:12434;
        proxy_redirect     off;
}

HTTP Strict Transport Security (HSTS). Lets your clients know that plain http isn’t used.

add_header Strict-Transport-Security max-age=31536000;

And to protect your clients a little more, prevent the page from being loaded in a frame. You can set SAMEORIGIN instead if you plan to load your bin in a frame locally.

add_header X-Frame-Options DENY;

Next, activate the config and restart nginx.

ln -s /etc/nginx/sites-available/haste.conf /etc/nginx/sites-enabled/haste.conf
service nginx restart

You, of course, have to generate your certs and get them signed. That is beyond the scope of this post.

You should be good to go at this point.
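A quick post-deploy check for the front end above, added here as an example and not part of the original post or of haste-server. It verifies the http-to-https redirect, the HSTS max-age from the config, and the X-Frame-Options header; the host name and the use of curl are assumptions.

```bash
#!/usr/bin/env bash
# Verify the nginx front end from this post: both checker functions read
# raw response headers (as produced by `curl -sI`) on stdin so they can be
# run against captured output; audit_site wraps them around live curl calls.

check_https_headers() {
    local headers hsts xfo age
    headers=$(tr -d '\r')                       # curl headers are CRLF-terminated
    hsts=$(printf '%s\n' "$headers" | grep -i '^strict-transport-security:' | head -n1)
    xfo=$(printf '%s\n' "$headers" | grep -i '^x-frame-options:' | head -n1)
    [ -n "$hsts" ] || { echo "missing Strict-Transport-Security header"; return 1; }
    # max-age must be present and at least the year (31536000 s) set in haste.conf
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge 31536000 ] || {
        echo "HSTS max-age too short: ${age:-none}"; return 1; }
    case "$xfo" in
        *DENY*|*SAMEORIGIN*) ;;                 # either value keeps the bin out of foreign frames
        *) echo "X-Frame-Options missing or permissive"; return 1 ;;
    esac
    return 0
}

check_http_redirect() {
    local headers
    headers=$(tr -d '\r')
    # the status line must be a 301 and the Location must point at https://
    printf '%s\n' "$headers" | head -n1 | grep -q ' 301 ' || { echo "no 301 redirect"; return 1; }
    printf '%s\n' "$headers" | grep -qi '^location: https://' || { echo "redirect is not to https"; return 1; }
    return 0
}

# audit_site HOST: live check of a deployed instance (assumes curl is installed).
audit_site() {
    local host="$1"
    curl -sI "http://$host/" | check_http_redirect || return 1
    curl -sI "https://$host/" | check_https_headers || return 1
    echo "$host: redirect, HSTS and X-Frame-Options look right"
}
```

Run it as `audit_site haste.example.com` once nginx has been restarted; any failure prints which header is wrong and returns non-zero.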