deploy: f8f5c3c6be

2026-05-24 19:35:33 +00:00 · 2024-10-14 08:38:53 +00:00
parent 307772015f
commit 3ee8a7bed2
5 changed files with 1000 additions and 71 deletions
@@ -409,6 +409,8 @@ window.addEventListener('scroll',changeHeaderBg);

        
        
+        
+        
            <article class="w-full flex flex-col items-start md:flex-row rounded-[4px] overflow-hidden shadow-[0px_20px_30px_rgba(0,0,0,0.12)] dark:shadow-none bg-white dark:bg-[#11182F] mb-8">
                <div class="min-h-[200px] h-[inherit] self-stretch md:w-[168px] bg-[#D9E7ED] dark:bg-[#17203D] flex items-center justify-center flex-[1] relative">
                    <div class="min-h-[inherit] h-full w-full flex items-end px-4 pt-4 justify-center relative">
@@ -882,7 +882,7 @@ eventWord = 1* ALPHA
 <p>While introduced members establish connection inside group, inviting member forwards messages between them by sending <code>x.grp.msg.forward</code> messages. When introduced members finalize connection, they notify inviting member to stop forwarding via <code>x.grp.mem.con</code> message.</p>
 <p><img src="diagrams/group.svg" alt="Adding member to the group"></p>
 <h3 id="member-roles" tabindex="-1">Member roles</h3>
-<p>Currently members can have one of three roles - <code>owner</code>, <code>admin</code>, <code>member</code> and <code>observer</code>. The user that created the group is self-assigned owner role, the new members are assigned role by the member who adds them - only <code>owner</code> and <code>admin</code> members can add new members; only <code>owner</code> members can add members with <code>owner</code> role. <code>Observer</code> members only receive messages and aren't allowed to send messages.</p>
+<p>Currently members can have one of four roles - <code>owner</code>, <code>admin</code>, <code>member</code> and <code>observer</code>. The user that created the group is self-assigned owner role, the new members are assigned role by the member who adds them - only <code>owner</code> and <code>admin</code> members can add new members; only <code>owner</code> members can add members with <code>owner</code> role. <code>Observer</code> members only receive messages and aren't allowed to send messages.</p>
 <h3 id="messages-to-manage-groups-and-add-members" tabindex="-1">Messages to manage groups and add members</h3>
 <p><code>x.grp.inv</code> message is sent to invite contact to the group via contact's direct connection and includes group member connection address. This message MUST only be sent by members with <code>admin</code> or <code>owner</code> role. Optional <code>groupLinkId</code> is included when this message is sent to contacts connected via the user's group link. This identifier is a random byte sequence, with no global or even local uniqueness - it is only used for the user's invitations to a given group to provide confirmation to the contact that the group invitation is for the same group the contact was connecting to via the group link, so that the invitation can be automatically accepted by the contact - the contact compares it with the group link id contained in the group link uri's data field.</p>
 <p><code>x.grp.acpt</code> message is sent as part of group member connection handshake, only to the inviting user.</p>
@@ -858,10 +858,12 @@ window.addEventListener('scroll',changeHeaderBg);
                            </div>
                        </div>
                    </div>
-                    <div><p>| Updated 28.05.2024 | Languages: EN, <a href="/docs/lang/fr/server.html">FR</a>, <a href="/docs/lang/cs/server.html">CZ</a>, <a href="/docs/lang/pl/server.html">PL</a> |</p>
+                    <div><h1 id="hosting-your-own-smp-server" tabindex="-1">Hosting your own SMP Server</h1>
+<p>| Updated 12.10.2024 | Languages: EN, <a href="/docs/lang/fr/server.html">FR</a>, <a href="/docs/lang/cs/server.html">CZ</a>, <a href="/docs/lang/pl/server.html">PL</a> |</p>
 <h3 id="table-of-contents" tabindex="-1">Table of Contents</h3>
 <ul>
-<li><a href="#hosting-your-own-smp-server">Hosting your own SMP server</a>
+<li><a href="#quick-start">Quick start</a></li>
+<li><a href="#detailed-guide">Detailed guide</a>
 <ul>
 <li><a href="#overview">Overview</a></li>
 <li><a href="#installation">Installation</a></li>
@@ -898,12 +900,177 @@ window.addEventListener('scroll',changeHeaderBg);
 </ul>
 </li>
 </ul>
-<h1 id="hosting-your-own-smp-server" tabindex="-1">Hosting your own SMP Server</h1>
-<h2 id="overview" tabindex="-1">Overview</h2>
+<h2 id="quick-start" tabindex="-1">Quick start</h2>
+<p>To create SMP server, you'll need:</p>
+<ul>
+<li>VPS or any other server.</li>
+<li>Your server domain, with A and AAAA records specifying server IPv4 and IPv6 addresses (<code>smp1.example.com</code>)</li>
+<li>A basic Linux knowledge.</li>
+</ul>
+<p><em>Please note</em>: while you can run an SMP server without a domain name, in the near future client applications will start using server domain name in the invitation links (instead of <code>simplex.chat</code> domain they use now). In case a server does not have domain name and server pages (see below), the clients will be generaing the links with <code>simplex:</code> scheme that cannot be opened in the browsers.</p>
+<ol>
+<li>
+<p>Install server with <a href="https://github.com/simplex-chat/simplexmq#using-installation-script">Installation script</a>.</p>
+</li>
+<li>
+<p>Adjust firewall:</p>
+<pre><code class="language-sh">ufw allow 80/tcp &amp;&amp;\
+ufw allow 443/tcp &amp;&amp;\
+ufw allow 5223/tcp
+</code></pre>
+</li>
+<li>
+<p>Init server:</p>
+<p>Replace <code>smp1.example.com</code> with your actual server domain.</p>
+<pre><code class="language-sh">su smp -c 'smp-server init --yes \
+                        --store-log \
+                        --no-password \
+                        --control-port \
+                        --socks-proxy \
+                        --source-code \
+                        --fqdn=smp1.example.com
+</code></pre>
+</li>
+<li>
+<p>Install tor:</p>
+<pre><code class="language-sh">CODENAME=&quot;$(lsb_release -c | awk '{print $2}')&quot;
+
+echo &quot;deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org ${CODENAME} main
+deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org ${CODENAME} main&quot; &gt; /etc/apt/sources.list.d/tor.list &amp;&amp;\
+curl --proto '=https' --tlsv1.2 -sSf https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg &gt;/dev/null &amp;&amp;\
+apt update &amp;&amp; apt install -y tor deb.torproject.org-keyring
+</code></pre>
+</li>
+<li>
+<p>Configure tor:</p>
+<pre><code class="language-sh">tor-instance-create tor2 &amp;&amp;\
+mkdir /var/lib/tor/simplex-smp/ &amp;&amp;\
+chown debian-tor:debian-tor /var/lib/tor/simplex-smp/ &amp;&amp;\
+chmod 700 /var/lib/tor/simplex-smp/
+</code></pre>
+<pre><code class="language-sh">vim /etc/tor/torrc
+</code></pre>
+<p>Paste the following:</p>
+<pre><code class="language-sh"># Enable log (otherwise, tor doesn't seem to deploy onion address)
+Log notice file /var/log/tor/notices.log
+# Enable single hop routing (2 options below are dependencies of the third) - It will reduce the latency at the cost of lower anonimity of the server - as SMP-server onion address is used in the clients together with public address, this is ok. If you deploy SMP-server with onion-only address, keep standard configuration.
+SOCKSPort 0
+HiddenServiceNonAnonymousMode 1
+HiddenServiceSingleHopMode 1
+# smp-server hidden service host directory and port mappings
+HiddenServiceDir /var/lib/tor/simplex-smp/
+HiddenServicePort 5223 localhost:5223
+HiddenServicePort 443 localhost:443
+</code></pre>
+<pre><code class="language-sh">vim /etc/tor/instances/tor2/torrc
+</code></pre>
+<p>Paste the following:</p>
+<pre><code class="language-sh"># Log tor to systemd daemon
+Log notice syslog
+# Listen to local 9050 port for socks proxy
+SocksPort 9050
+</code></pre>
+</li>
+<li>
+<p>Start tor:</p>
+<pre><code class="language-sh">systemctl enable tor &amp;&amp;\
+systemctl start tor &amp;&amp;\
+systemctl restart tor &amp;&amp;\
+systemctl enable --now tor@tor2
+</code></pre>
+</li>
+<li>
+<p>Install Caddy:</p>
+<pre><code class="language-sh">sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl &amp;&amp;\
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg &amp;&amp;\
+curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list &amp;&amp;\
+sudo apt update &amp;&amp; sudo apt install caddy
+</code></pre>
+</li>
+<li>
+<p>Configure Caddy:</p>
+<pre><code class="language-sh">vim /etc/caddy/Caddyfile
+</code></pre>
+<p>Replace <code>smp1.example.com</code> with your actual server domain. Paste the following:</p>
+<pre><code>http://smp1.example.com {
+   redir https://smp1.example.com{uri} permanent
+}
+
+smp1.example.com:8443 {
+   tls {
+      key_type rsa4096
+   }
+}
+</code></pre>
+<pre><code class="language-sh">vim /usr/local/bin/simplex-servers-certs
+</code></pre>
+<p>Replace <code>smp1.example.com</code> with your actual server domain. Paste the following:</p>
+<pre><code class="language-sh">#!/usr/bin/env sh
+set -eu
+
+user='smp'
+group=&quot;$user&quot;
+
+domain='smp1.example.com'
+folder_in=&quot;/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}&quot;
+folder_out='/etc/opt/simplex'
+key_name='web.key'
+cert_name='web.crt'
+
+# Copy certifiacte from Caddy directory to smp-server directory
+cp &quot;${folder_in}/${domain}.crt&quot; &quot;${folder_out}/${cert_name}&quot;
+# Assign correct permissions
+chown &quot;$user&quot;:&quot;$group&quot; &quot;${folder_out}/${cert_name}&quot;
+
+# Copy certifiacte key from Caddy directory to smp-server directory
+cp &quot;${folder_in}/${domain}.key&quot; &quot;${folder_out}/${key_name}&quot;
+# Assign correct permissions
+chown &quot;$user&quot;:&quot;$group&quot; &quot;${folder_out}/${key_name}&quot;
+</code></pre>
+<pre><code class="language-sh">chmod +x /usr/local/bin/simplex-servers-certs
+</code></pre>
+<pre><code class="language-sh">sudo crontab -e
+</code></pre>
+<p>Paste the following:</p>
+<pre><code class="language-sh"># Every week on 00:20 sunday
+20 0 * * 0 /usr/local/bin/simplex-servers-certs
+</code></pre>
+</li>
+<li>
+<p>Enable and start Caddy service:</p>
+<p>Wait until &quot;good to go&quot; has been printed.</p>
+<pre><code class="language-sh">systemctl enable --now caddy &amp;&amp;\
+sleep 10 &amp;&amp;\
+/usr/local/bin/simplex-servers-certs &amp;&amp;\
+echo 'good to go'
+</code></pre>
+</li>
+<li>
+<p>Enable and start smp-server:</p>
+<pre><code class="language-sh">systemctl enable --now smp-server.service
+</code></pre>
+</li>
+<li>
+<p>Print your address:</p>
+<pre><code class="language-sh">smp=&quot;$(journalctl --output cat -q _SYSTEMD_INVOCATION_ID=&quot;$(systemctl show -p InvocationID --value smp-server)&quot; | grep -m1 'Server address:' | awk '{print $NF}' | sed 's/:443.*//')&quot;
+tor=&quot;$(cat /var/lib/tor/simplex-smp/hostname)&quot;
+
+echo &quot;$smp,$tor&quot;
+</code></pre>
+</li>
+</ol>
+<h2 id="detailed-guide" tabindex="-1">Detailed guide</h2>
+<h3 id="overview" tabindex="-1">Overview</h3>
 <p>SMP server is the relay server used to pass messages in SimpleX network. SimpleX Chat apps have preset servers (for mobile apps these are smp11, smp12 and <a href="http://smp14.simplex.im">smp14.simplex.im</a>), but you can easily change app configuration to use other servers.</p>
 <p>SimpleX clients only determine which server is used to receive the messages, separately for each contact (or group connection with a group member), and these servers are only temporary, as the delivery address can change.</p>
+<p>To create SMP server, you'll need:</p>
+<ol>
+<li>VPS or any other server.</li>
+<li>Your own domain, pointed at the server (<code>smp.example.com</code>)</li>
+<li>A basic Linux knowledge.</li>
+</ol>
 <p><em>Please note</em>: when you change the servers in the app configuration, it only affects which servers will be used for the new contacts, the existing contacts will not automatically move to the new servers, but you can move them manually using <a href="/blog/20221108-simplex-chat-v4.2-security-audit-new-website.html#change-your-delivery-address-beta">&quot;Change receiving address&quot;</a> button in contact/member information pages – it will be automated in the future.</p>
-<h2 id="installation" tabindex="-1">Installation</h2>
+<h3 id="installation" tabindex="-1">Installation</h3>
 <ol>
 <li>
 <p>First, install <code>smp-server</code>:</p>
@@ -953,8 +1120,10 @@ sudo chown smp:smp /var/opt/simplex /etc/opt/simplex
 <p>Allow <code>smp-server</code> port in firewall:</p>
 <pre><code class="language-sh"># For Ubuntu
 sudo ufw allow 5223/tcp
+sudo ufw allow 443/tcp
+sudo ufw allow 80/tcp
 # For Fedora
-sudo firewall-cmd --permanent --add-port=5223/tcp &amp;&amp; \
+sudo firewall-cmd --permanent --add-port=5223/tcp --add-port=443/tcp --add-port=80/tcp &amp;&amp; \
 sudo firewall-cmd --reload
 </code></pre>
 </li>
@@ -972,6 +1141,7 @@ ExecStopPost=/usr/bin/env sh -c '[ -e &quot;/var/opt/simplex/smp-server-store.lo
 LimitNOFILE=65535
 KillSignal=SIGINT
 TimeoutStopSec=infinity
+AmbientCapabilities=CAP_NET_BIND_SERVICE

 [Install]
 WantedBy=multi-user.target
@@ -979,7 +1149,7 @@ WantedBy=multi-user.target
 <p>And execute <code>sudo systemctl daemon-reload</code>.</p>
 </li>
 </ol>
-<h2 id="configuration" tabindex="-1">Configuration</h2>
+<h3 id="configuration" tabindex="-1">Configuration</h3>
 <p>To see which options are available, execute <code>smp-server</code> without flags:</p>
 <pre><code class="language-sh">sudo su smp -c smp-server

@@ -993,7 +1163,7 @@ Available commands:
 </code></pre>
 <p>You can get further help by executing <code>sudo su smp -c &quot;smp-server &lt;command&gt; -h&quot;</code></p>
 <p>After that, we need to configure <code>smp-server</code>:</p>
-<h3 id="interactively" tabindex="-1">Interactively</h3>
+<h4 id="interactively" tabindex="-1">Interactively</h4>
 <p>Execute the following command:</p>
 <pre><code class="language-sh">sudo su smp -c &quot;smp-server init&quot;
 </code></pre>
@@ -1020,7 +1190,7 @@ Available commands:
 <p>Enter your domain or ip address that your smp-server is running on - it will be included in server certificates and also printed as part of server address.</p>
 </li>
 </ul>
-<h3 id="via-command-line-options" tabindex="-1">Via command line options</h3>
+<h4 id="via-command-line-options" tabindex="-1">Via command line options</h4>
 <p>Execute the following command:</p>
 <pre><code class="language-sh">sudo su smp -c &quot;smp-server init -h&quot;

@@ -1069,7 +1239,7 @@ Fingerprint: d5fcsc7hhtPpexYUbI2XPxDbyU2d3WsVmROimcL90ss=
 Server address: smp://d5fcsc7hhtPpexYUbI2XPxDbyU2d3WsVmROimcL90ss=:V8ONoJ6ICwnrZnTC_QuSHfCEYq53uLaJKQ_oIC6-ve8=@&lt;hostnames&gt;
 </code></pre>
 <p>The server address above should be used in your client configuration, and if you added server password it should only be shared with the other people who you want to allow using your server to receive the messages (all your contacts will be able to send messages - it does not require a password). If you passed IP address or hostnames during the initialisation, they will be printed as part of server address, otherwise replace <code>&lt;hostnames&gt;</code> with the actual server hostnames.</p>
-<h2 id="further-configuration" tabindex="-1">Further configuration</h2>
+<h3 id="further-configuration" tabindex="-1">Further configuration</h3>
 <p>All generated configuration, along with a description for each parameter, is available inside configuration file in <code>/etc/opt/simplex/smp-server.ini</code> for further customization. Depending on the smp-server version, the configuration file looks something like this:</p>
 <pre><code class="language-ini">[INFORMATION]
 # AGPLv3 license requires that you make any source code modifications
@@ -1088,26 +1258,26 @@ source_code: https://github.com/simplex-chat/simplexmq
 # condition_amendments: link

 # Server location and operator.
-server_country: &lt;YOUR_SERVER_LOCATION&gt;
-operator: &lt;YOUR_NAME&gt;
-operator_country: &lt;YOUR_LOCATION&gt;
-website: &lt;WEBSITE_IF_AVAILABLE&gt;
+# server_country: ISO-3166 2-letter code
+# operator: entity (organization or person name)
+# operator_country: ISO-3166 2-letter code
+# website:

 # Administrative contacts.
-#admin_simplex: SimpleX address
-admin_email: &lt;EMAIL&gt;
+# admin_simplex: SimpleX address
+# admin_email:
 # admin_pgp:
 # admin_pgp_fingerprint:

 # Contacts for complaints and feedback.
 # complaints_simplex: SimpleX address
-complaints_email: &lt;COMPLAINTS_EMAIL&gt;
+# complaints_email:
 # complaints_pgp:
 # complaints_pgp_fingerprint:

 # Hosting provider.
-hosting: &lt;HOSTING_PROVIDER_NAME&gt;
-hosting_country: &lt;HOSTING_PROVIDER_LOCATION&gt;
+# hosting: entity (organization or person name)
+# hosting_country: ISO-3166 2-letter code

 [STORE_LOG]
 # The server uses STM memory for persistence,
@@ -1121,6 +1291,7 @@ enable: on
 # they are preserved in the .bak file until the next restart.
 restore_messages: on
 expire_messages_days: 21
+expire_ntfs_hours: 24

 # Log daily server statistics to CSV file
 log_stats: on
@@ -1137,11 +1308,17 @@ new_queues: on
 # with the users who you want to allow creating messaging queues on your server.
 # create_password: password to create new queues (any printable ASCII characters without whitespace, '@', ':' and '/')

+# control_port_admin_password:
+# control_port_user_password:
+
 [TRANSPORT]
-# host is only used to print server address on start
-host: &lt;your server domain/ip&gt;
-port: 5223
+# Host is only used to print server address on start.
+# You can specify multiple server ports.
+host: &lt;domain/ip&gt;
+port: 5223,443
 log_tls_errors: off
+
+# Use `websockets: 443` to run websockets server in addition to plain TLS.
 websockets: off
 # control_port: 5224

@@ -1153,7 +1330,7 @@ websockets: off
 # required_host_mode: off

 # The domain suffixes of the relays you operate (space-separated) to count as separate proxy statistics.
-# own_server_domains: &lt;your domain suffixes&gt;
+# own_server_domains: 

 # SOCKS proxy port for forwarding messages to destination servers.
 # You may need a separate instance of SOCKS proxy for incoming single-hop requests.
@@ -1169,7 +1346,7 @@ websockets: off
 [INACTIVE_CLIENTS]
 # TTL and interval to check inactive clients
 disconnect: off
-# ttl: 43200
+# ttl: 21600
 # check_interval: 3600

 [WEB]
@@ -1179,16 +1356,16 @@ static_path: /var/opt/simplex/www
 # Run an embedded server on this port
 # Onion sites can use any port and register it in the hidden service config.
 # Running on a port 80 may require setting process capabilities.
-# http: 8000
+#http: 8000

 # You can run an embedded TLS web server too if you provide port and cert and key files.
 # Not required for running relay on onion address.
-# https: 443
-# cert: /etc/opt/simplex/web.cert
-# key: /etc/opt/simplex/web.key
+https: 443
+cert: /etc/opt/simplex/web.crt
+key: /etc/opt/simplex/web.key
 </code></pre>
-<h2 id="server-security" tabindex="-1">Server security</h2>
-<h3 id="initialization" tabindex="-1">Initialization</h3>
+<h3 id="server-security" tabindex="-1">Server security</h3>
+<h4 id="initialization" tabindex="-1">Initialization</h4>
 <p>Although it's convenient to initialize smp-server configuration directly on the server, operators <strong>ARE ADVISED</strong> to initialize smp-server fully offline to protect your SMP server CA private key.</p>
 <p>Follow the steps to quickly initialize the server offline:</p>
 <ol>
@@ -1210,7 +1387,7 @@ static_path: /var/opt/simplex/www
 </code></pre>
 </li>
 </ol>
-<h3 id="private-keys" tabindex="-1">Private keys</h3>
+<h4 id="private-keys" tabindex="-1">Private keys</h4>
 <p>Connection to the smp server occurs via a TLS connection. During the TLS handshake, the client verifies smp-server CA and server certificates by comparing its fingerprint with the one included in server address. If server TLS credential is compromised, this key can be used to sign a new one, keeping the same server identity and established connections. In order to protect your smp-server from bad actors, operators <strong>ARE ADVISED</strong> to move CA private key to a safe place. That could be:</p>
 <ul>
 <li><a href="https://tails.net/">Tails</a> live usb drive with <a href="https://tails.net/doc/persistent_storage/create/index.en.html">persistent and encrypted storage</a>.</li>
@@ -1234,7 +1411,7 @@ static_path: /var/opt/simplex/www
 </code></pre>
 </li>
 </ol>
-<h3 id="online-certificate-rotation" tabindex="-1">Online certificate rotation</h3>
+<h4 id="online-certificate-rotation" tabindex="-1">Online certificate rotation</h4>
 <p>Operators of smp servers <strong>ARE ADVISED</strong> to rotate online certificate regularly (e.g., every 3 months). In order to do this, follow the steps:</p>
 <ol>
 <li>
@@ -1300,8 +1477,8 @@ $HOME/simplex/smp/config/ca.key
 <p>Done!</p>
 </li>
 </ol>
-<h2 id="tor-installation-and-configuration" tabindex="-1">Tor: installation and configuration</h2>
-<h3 id="installation-for-onion-address" tabindex="-1">Installation for onion address</h3>
+<h3 id="tor-installation-and-configuration" tabindex="-1">Tor: installation and configuration</h3>
+<h4 id="installation-for-onion-address" tabindex="-1">Installation for onion address</h4>
 <p>SMP-server can also be deployed to be available via <a href="https://www.torproject.org">Tor</a> network. Run the following commands as <code>root</code> user.</p>
 <ol>
 <li>
@@ -1350,6 +1527,7 @@ HiddenServiceSingleHopMode 1
 # smp-server hidden service host directory and port mappings
 HiddenServiceDir /var/lib/tor/simplex-smp/
 HiddenServicePort 5223 localhost:5223
+HiddenServicePort 443 localhost:443
 </code></pre>
 </li>
 <li>
@@ -1372,7 +1550,7 @@ HiddenServicePort 5223 localhost:5223
 </code></pre>
 </li>
 </ol>
-<h3 id="socks-port-for-smp-proxy" tabindex="-1">SOCKS port for SMP PROXY</h3>
+<h4 id="socks-port-for-smp-proxy" tabindex="-1">SOCKS port for SMP PROXY</h4>
 <p>SMP-server versions starting from <code>v5.8.0-beta.0</code> can be configured to PROXY smp servers available exclusively through <a href="https://www.torproject.org">Tor</a> network to be accessible to the clients that do not use Tor. Run the following commands as <code>root</code> user.</p>
 <ol>
 <li>
@@ -1411,15 +1589,27 @@ own_server_domains: &lt;your domain suffixes if using `log_stats: on`&gt;
 </code></pre>
 </li>
 </ol>
-<h2 id="server-information-page" tabindex="-1">Server information page</h2>
-<p>SMP-server versions starting from <code>v5.8.0</code> can be configured to serve Web page with server information that can include admin info, server info, provider info, etc. Run the following commands as <code>root</code> user.</p>
+<h3 id="server-information-page" tabindex="-1">Server information page</h3>
+<p>SMP server <strong>SHOULD</strong> be configured to serve Web page with server information that can include admin info, server info, provider info, etc. It will also serve connection links, generated using the mobile/desktop apps. Run the following commands as <code>root</code> user.</p>
+<p><em>Please note:</em> this configuration is supported since <code>v6.1.0-beta.2</code>.</p>
 <ol>
 <li>
 <p>Add the following to your smp-server configuration (please modify fields in [INFORMATION] section to include relevant information):</p>
 <pre><code class="language-sh">vim /etc/opt/simplex/smp-server.ini
 </code></pre>
-<pre><code class="language-ini">[WEB]
+<pre><code class="language-ini">[TRANSPORT]
+# host is only used to print server address on start
+host: &lt;domain/ip&gt;
+port: 443,5223
+websockets: off
+log_tls_errors: off
+control_port: 5224
+
+[WEB]
+https: 443
 static_path: /var/opt/simplex/www
+cert: /etc/opt/simplex/web.crt
+key: /etc/opt/simplex/web.key

 [INFORMATION]
 # AGPLv3 license requires that you make any source code modifications
@@ -1487,12 +1677,18 @@ hosting_country: &lt;HOSTING_PROVIDER_LOCATION&gt;
 <p><a href="https://caddyserver.com/docs/install">Full Caddy instllation instructions</a></p>
 </li>
 <li>
-<p>Replace Caddy configuration with the following (don't forget to replace <code>&lt;YOUR_DOMAIN&gt;</code>):</p>
+<p>Replace Caddy configuration with the following:</p>
+<p>Please replace <code>YOUR_DOMAIN</code> with your actual domain (<a href="http://smp.example.com">smp.example.com</a>).</p>
 <pre><code class="language-sh">vim /etc/caddy/Caddyfile
 </code></pre>
-<pre><code class="language-caddy">&lt;YOUR_DOMAIN&gt; {
-  root * /var/opt/simplex/www
-  file_server
+<pre><code>http://YOUR_DOMAIN {
+   redir https://YOUR_DOMAIN{uri} permanent
+}
+
+YOUR_DOMAIN:8443 {
+   tls {
+      key_type rsa4096
+   }
 }
 </code></pre>
 </li>
@@ -1502,16 +1698,66 @@ hosting_country: &lt;HOSTING_PROVIDER_LOCATION&gt;
 </code></pre>
 </li>
 <li>
-<p>Upgrade your smp-server to latest version - <a href="#updating-your-smp-server">Updating your smp server</a></p>
+<p>Create script to copy certificates to your smp directory:</p>
+<p>Please replace <code>YOUR_DOMAIN</code> with your actual domain (<a href="http://smp.example.com">smp.example.com</a>).</p>
+<pre><code class="language-sh">vim /usr/local/bin/simplex-servers-certs
+</code></pre>
+<pre><code class="language-sh">#!/usr/bin/env sh
+set -eu
+
+user='smp'
+group=&quot;$user&quot;
+
+domain='HOST'
+folder_in=&quot;/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}&quot;
+folder_out='/etc/opt/simplex'
+key_name='web.key'
+cert_name='web.crt'
+
+# Copy certifiacte from Caddy directory to smp-server directory
+cp &quot;${folder_in}/${domain}.crt&quot; &quot;${folder_out}/${cert_name}&quot;
+# Assign correct permissions
+chown &quot;$user&quot;:&quot;$group&quot; &quot;${folder_out}/${cert_name}&quot;
+
+# Copy certifiacte key from Caddy directory to smp-server directory
+cp &quot;${folder_in}/${domain}.key&quot; &quot;${folder_out}/${key_name}&quot;
+# Assign correct permissions
+chown &quot;$user&quot;:&quot;$group&quot; &quot;${folder_out}/${key_name}&quot;
+</code></pre>
 </li>
 <li>
-<p>Access the webpage you've deployed from your browser. You should see the smp-server information that you've provided in your ini file.</p>
+<p>Make the script executable and execute it:</p>
+<pre><code class="language-sh">chmod +x /usr/local/bin/simplex-servers-certs &amp;&amp; /usr/local/bin/simplex-servers-certs
+</code></pre>
+</li>
+<li>
+<p>Check if certificates were copied:</p>
+<pre><code class="language-sh">ls -haltr /etc/opt/simplex/web*
+</code></pre>
+</li>
+<li>
+<p>Create cronjob to copy certificates to smp directory in timely manner:</p>
+<pre><code class="language-sh">sudo crontab -e
+</code></pre>
+<pre><code class="language-sh"># Every week on 00:20 sunday
+20 0 * * 0 /usr/local/bin/simplex-servers-certs
+</code></pre>
+</li>
+<li>
+<p>Then:</p>
+<ul>
+<li>If you're running at least <code>v6.1.0-beta.2</code>, <a href="#systemd-commands">restart the server</a>.</li>
+<li>If you're running below <code>v6.1.0-beta.2</code>, <a href="#updating-your-smp-server">upgrade the server</a>.</li>
+</ul>
+</li>
+<li>
+<p>Access the webpage you've deployed from your browser (<code>https://smp.example.org</code>). You should see the smp-server information that you've provided in your ini file.</p>
 </li>
 </ol>
-<h2 id="documentation" tabindex="-1">Documentation</h2>
+<h3 id="documentation" tabindex="-1">Documentation</h3>
 <p>All necessary files for <code>smp-server</code> are located in <code>/etc/opt/simplex/</code> folder.</p>
 <p>Stored messages, connections, statistics and server log are located in <code>/var/opt/simplex/</code> folder.</p>
-<h3 id="smp-server-address" tabindex="-1">SMP server address</h3>
+<h4 id="smp-server-address" tabindex="-1">SMP server address</h4>
 <p>SMP server address has the following format:</p>
 <pre><code>smp://&lt;fingerprint&gt;[:&lt;password&gt;]@&lt;public_hostname&gt;[,&lt;onion_hostname&gt;]
 </code></pre>
@@ -1529,7 +1775,7 @@ hosting_country: &lt;HOSTING_PROVIDER_LOCATION&gt;
 <p>Your configured hostname(s) of <code>smp-server</code>. You can check your configured hosts in <code>/etc/opt/simplex/smp-server.ini</code>, under <code>[TRANSPORT]</code> section in <code>host:</code> field.</p>
 </li>
 </ul>
-<h3 id="systemd-commands" tabindex="-1">Systemd commands</h3>
+<h4 id="systemd-commands" tabindex="-1">Systemd commands</h4>
 <p>To start <code>smp-server</code> on host boot, run:</p>
 <pre><code class="language-sh">sudo systemctl enable smp-server.service

@@ -1572,11 +1818,12 @@ Nov 23 19:23:21 5588ab759e80 smp-server[30878]: Listening on port 5223 (TLS)...
 Nov 23 19:23:21 5588ab759e80 smp-server[30878]: not expiring inactive clients
 Nov 23 19:23:21 5588ab759e80 smp-server[30878]: creating new queues requires password
 </code></pre>
-<h3 id="monitoring" tabindex="-1">Monitoring</h3>
+<h4 id="monitoring" tabindex="-1">Monitoring</h4>
 <p>You can enable <code>smp-server</code> statistics for <code>Grafana</code> dashboard by setting value <code>on</code> in <code>/etc/opt/simplex/smp-server.ini</code>, under <code>[STORE_LOG]</code> section in <code>log_stats:</code> field.</p>
 <p>Logs will be stored as <code>csv</code> file in <code>/var/opt/simplex/smp-server-stats.daily.log</code>. Fields for the <code>csv</code> file are:</p>
-<pre><code class="language-sh">fromTime,qCreated,qSecured,qDeleted,msgSent,msgRecv,dayMsgQueues,weekMsgQueues,monthMsgQueues,msgSentNtf,msgRecvNtf,dayCountNtf,weekCountNtf,monthCountNtf,qCount,msgCount,msgExpired,qDeletedNew,qDeletedSecured,pRelays_pRequests,pRelays_pSuccesses,pRelays_pErrorsConnect,pRelays_pErrorsCompat,pRelays_pErrorsOther,pRelaysOwn_pRequests,pRelaysOwn_pSuccesses,pRelaysOwn_pErrorsConnect,pRelaysOwn_pErrorsCompat,pRelaysOwn_pErrorsOther,pMsgFwds_pRequests,pMsgFwds_pSuccesses,pMsgFwds_pErrorsConnect,pMsgFwds_pErrorsCompat,pMsgFwds_pErrorsOther,pMsgFwdsOwn_pRequests,pMsgFwdsOwn_pSuccesses,pMsgFwdsOwn_pErrorsConnect,pMsgFwdsOwn_pErrorsCompat,pMsgFwdsOwn_pErrorsOther,pMsgFwdsRecv,qSub,qSubAuth,qSubDuplicate,qSubProhibited,msgSentAuth,msgSentQuota,msgSentLarge
+<pre><code class="language-sh">fromTime,qCreated,qSecured,qDeleted,msgSent,msgRecv,dayMsgQueues,weekMsgQueues,monthMsgQueues,msgSentNtf,msgRecvNtf,dayCountNtf,weekCountNtf,monthCountNtf,qCount,msgCount,msgExpired,qDeletedNew,qDeletedSecured,pRelays_pRequests,pRelays_pSuccesses,pRelays_pErrorsConnect,pRelays_pErrorsCompat,pRelays_pErrorsOther,pRelaysOwn_pRequests,pRelaysOwn_pSuccesses,pRelaysOwn_pErrorsConnect,pRelaysOwn_pErrorsCompat,pRelaysOwn_pErrorsOther,pMsgFwds_pRequests,pMsgFwds_pSuccesses,pMsgFwds_pErrorsConnect,pMsgFwds_pErrorsCompat,pMsgFwds_pErrorsOther,pMsgFwdsOwn_pRequests,pMsgFwdsOwn_pSuccesses,pMsgFwdsOwn_pErrorsConnect,pMsgFwdsOwn_pErrorsCompat,pMsgFwdsOwn_pErrorsOther,pMsgFwdsRecv,qSub,qSubAuth,qSubDuplicate,qSubProhibited,msgSentAuth,msgSentQuota,msgSentLarge,msgNtfs,msgNtfNoSub,msgNtfLost,qSubNoMsg,msgRecvGet,msgGet,msgGetNoMsg,msgGetAuth,msgGetDuplicate,msgGetProhibited,psSubDaily,psSubWeekly,psSubMonthly,qCount2,ntfCreated,ntfDeleted,ntfSub,ntfSubAuth,ntfSubDuplicate,ntfCount,qDeletedAllB,qSubAllB,qSubEnd,qSubEndB,ntfDeletedB,ntfSubB,msgNtfsB,msgNtfExpired
 </code></pre>
+<h4 id="fields-description" tabindex="-1">Fields description</h4>
 <table>
 <thead>
 <tr>
@@ -1876,6 +2123,146 @@ Nov 23 19:23:21 5588ab759e80 smp-server[30878]: creating new queues requires pas
 <td><code>msgSentLarge</code></td>
 <td>Large message errors</td>
 </tr>
+<tr>
+<td>48</td>
+<td><code>msgNtfs</code></td>
+<td>XXXXXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>49</td>
+<td><code>msgNtfNoSub</code></td>
+<td>XXXXXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>50</td>
+<td><code>msgNtfLost</code></td>
+<td>XXXXXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>51</td>
+<td><code>qSubNoMsg</code></td>
+<td>Removed, always 0</td>
+</tr>
+<tr>
+<td>52</td>
+<td><code>msgRecvGet</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>53</td>
+<td><code>msgGet</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>54</td>
+<td><code>msgGetNoMsg</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>55</td>
+<td><code>msgGetAuth</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>56</td>
+<td><code>msgGetDuplicate</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>57</td>
+<td><code>msgGetProhibited</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>58</td>
+<td><code>psSub_dayCount</code></td>
+<td>Removed, always 0</td>
+</tr>
+<tr>
+<td>59</td>
+<td><code>psSub_weekCount</code></td>
+<td>Removed, always 0</td>
+</tr>
+<tr>
+<td>60</td>
+<td><code>psSub_monthCount</code></td>
+<td>Removed, always 0</td>
+</tr>
+<tr>
+<td>61</td>
+<td><code>qCount</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>62</td>
+<td><code>ntfCreated</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>63</td>
+<td><code>ntfDeleted</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>64</td>
+<td><code>ntfSub</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>65</td>
+<td><code>ntfSubAuth</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>66</td>
+<td><code>ntfSubDuplicate</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>67</td>
+<td><code>ntfCount</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>68</td>
+<td><code>qDeletedAllB</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>69</td>
+<td><code>qSubAllB</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>70</td>
+<td><code>qSubEnd</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>71</td>
+<td><code>qSubEndB</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>72</td>
+<td><code>ntfDeletedB</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>73</td>
+<td><code>ntfSubB</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>74</td>
+<td><code>msgNtfsB</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
+<tr>
+<td>75</td>
+<td><code>msgNtfExpired</code></td>
+<td>XXXXXXXXXXXXXXXXX</td>
+</tr>
 </tbody>
 </table>
 <p>To import <code>csv</code> to <code>Grafana</code> one should:</p>
@@ -1885,15 +2272,13 @@ Nov 23 19:23:21 5588ab759e80 smp-server[30878]: creating new queues requires pas
 </li>
 <li>
 <p>Allow local mode by appending following:</p>
-</li>
-</ol>
 <pre><code class="language-sh">[plugin.marcusolsson-csv-datasource]
 allow_local_mode = true
 </code></pre>
 <p>... to <code>/etc/grafana/grafana.ini</code></p>
-<ol start="3">
-<li>Add a CSV data source:</li>
-</ol>
+</li>
+<li>
+<p>Add a CSV data source:</p>
 <ul>
 <li>In the side menu, click the Configuration tab (cog icon)</li>
 <li>Click Add data source in the top-right corner of the Data Sources tab</li>
@@ -1901,23 +2286,31 @@ allow_local_mode = true
 <li>Click the search result that says &quot;CSV&quot;</li>
 <li>In URL, enter a file that points to CSV content</li>
 </ul>
-<ol start="4">
-<li>You're done! You should be able to create your own dashboard with statistics.</li>
+</li>
+<li>
+<p>You're done! You should be able to create your own dashboard with statistics.</p>
+</li>
 </ol>
 <p>For further documentation, see: <a href="https://grafana.github.io/grafana-csv-datasource/">CSV Data Source for Grafana - Documentation</a></p>
-<h2 id="updating-your-smp-server" tabindex="-1">Updating your SMP server</h2>
+<h3 id="updating-your-smp-server" tabindex="-1">Updating your SMP server</h3>
 <p>To update your smp-server to latest version, choose your installation method and follow the steps:</p>
 <ul>
 <li>
 <p>Manual deployment</p>
 <ol>
-<li>Stop the server:<pre><code class="language-sh">sudo systemctl stop smp-server
+<li>
+<p>Stop the server:</p>
+<pre><code class="language-sh">sudo systemctl stop smp-server
 </code></pre>
 </li>
-<li>Update the binary:<pre><code class="language-sh"> curl -L https://github.com/simplex-chat/simplexmq/releases/latest/download/smp-server-ubuntu-20_04-x86-64 -o /usr/local/bin/smp-server &amp;&amp; chmod +x /usr/local/bin/smp-server
+<li>
+<p>Update the binary:</p>
+<pre><code class="language-sh"> curl -L https://github.com/simplex-chat/simplexmq/releases/latest/download/smp-server-ubuntu-20_04-x86-64 -o /usr/local/bin/smp-server &amp;&amp; chmod +x /usr/local/bin/smp-server
 </code></pre>
 </li>
-<li>Start the server:<pre><code class="language-sh">sudo systemctl start smp-server
+<li>
+<p>Start the server:</p>
+<pre><code class="language-sh">sudo systemctl start smp-server
 </code></pre>
 </li>
 </ol>
@@ -1925,23 +2318,38 @@ allow_local_mode = true
 <li>
 <p><a href="https://github.com/simplex-chat/simplexmq#using-installation-script">Offical installation script</a></p>
 <ol>
-<li>Execute the followin command:<pre><code class="language-sh">sudo simplex-servers-update
+<li>
+<p>Execute the followin command:</p>
+<pre><code class="language-sh">sudo simplex-servers-update
+</code></pre>
+<p>To install specific version, run:</p>
+<pre><code class="language-sh">export VER=&lt;version_from_github_releases&gt; &amp;&amp;\
+sudo -E simplex-servers-update
 </code></pre>
 </li>
-<li>Done!</li>
+<li>
+<p>Done!</p>
+</li>
 </ol>
 </li>
 <li>
 <p><a href="https://github.com/simplex-chat/simplexmq#using-docker">Docker container</a></p>
 <ol>
-<li>Stop and remove the container:<pre><code class="language-sh">docker rm $(docker stop $(docker ps -a -q --filter ancestor=simplexchat/smp-server --format=&quot;\{\{.ID\}\}&quot;))
+<li>
+<p>Stop and remove the container:</p>
+<pre><code class="language-sh">docker rm $(docker stop $(docker ps -a -q --filter ancestor=simplexchat/smp-server --format=&quot;\{\{.ID\}\}&quot;))
 </code></pre>
 </li>
-<li>Pull latest image:<pre><code class="language-sh">docker pull simplexchat/smp-server:latest
+<li>
+<p>Pull latest image:</p>
+<pre><code class="language-sh">docker pull simplexchat/smp-server:latest
 </code></pre>
 </li>
-<li>Start new container:<pre><code class="language-sh">docker run -d \
+<li>
+<p>Start new container:</p>
+<pre><code class="language-sh">docker run -d \
  -p 5223:5223 \
+  -p 443:443 \
  -v $HOME/simplex/smp/config:/etc/opt/simplex:z \
  -v $HOME/simplex/smp/logs:/var/opt/simplex:z \
  simplexchat/smp-server:latest
@@ -1952,19 +2360,25 @@ allow_local_mode = true
 <li>
 <p><a href="https://www.linode.com/marketplace/apps/simplex-chat/simplex-chat/">Linode Marketplace</a></p>
 <ol>
-<li>Pull latest images:<pre><code class="language-sh">docker-compose --project-directory /etc/docker/compose/simplex pull
+<li>
+<p>Pull latest images:</p>
+<pre><code class="language-sh">docker-compose --project-directory /etc/docker/compose/simplex pull
 </code></pre>
 </li>
-<li>Restart the containers:<pre><code class="language-sh">docker-compose --project-directory /etc/docker/compose/simplex up -d --remove-orphans
+<li>
+<p>Restart the containers:</p>
+<pre><code class="language-sh">docker-compose --project-directory /etc/docker/compose/simplex up -d --remove-orphans
 </code></pre>
 </li>
-<li>Remove obsolete images:<pre><code class="language-sh">docker image prune
+<li>
+<p>Remove obsolete images:</p>
+<pre><code class="language-sh">docker image prune
 </code></pre>
 </li>
 </ol>
 </li>
 </ul>
-<h2 id="configuring-the-app-to-use-the-server" tabindex="-1">Configuring the app to use the server</h2>
+<h3 id="configuring-the-app-to-use-the-server" tabindex="-1">Configuring the app to use the server</h3>
 <p>To configure the app to use your messaging server copy it's full address, including password, and add it to the app. You have an option to use your server together with preset servers or without them - you can remove or disable them.</p>
 <p>It is also possible to share the address of your server with your friends by letting them scan QR code from server settings - it will include server password, so they will be able to receive messages via your server as well.</p>
 <p><em>Please note</em>: you need SMP server version 4.0 to have password support. If you already have a deployed server, you can add password by adding it to server INI file.</p>
@@ -5,7 +5,7 @@
    <link type="application/atom+xml" rel="self" href="https://simplex.chat/feed.atom"/>
    <title>SimpleX Chat Blog</title>
    <subtitle>It allows you to stay up to date with the latest Blogs from SimpleX Chat.</subtitle>
-    <updated>2024-08-14T00:00:00Z</updated>
+    <updated>2024-10-14T00:00:00Z</updated>
    <author>
        <name>SimpleX Chat</name>
        <email>chat@simplex.chat</email>