Rocket.Chat

In this post, I will go over installing Rocket.Chat on a server running CentOS 7 with SELinux ENABLED as well as exposing the service through an Apache Reverse Proxy with SSL enabled.

So far, I really like Rocket.Chat. The feature set is awesome and it's a joy to use. I really like playing with the Integrations and WebHooks, but that will be saved for another post.

At first, I followed this doc on Rocket.Chat's wiki. It got me going nicely but I deviated a bit from it.

Some assumptions made

  • This will be a dedicated Rocket.Chat server
  • You are starting with a fresh install of CentOS 7
  • You know how to generate self-signed SSL certs OR have a fancy 'real' cert

Initial Steps

First, let's get some extra repos. OH, and the following steps are done as the root user.

Getting the EPEL Repo installed:

yum -y install epel-release

Getting Mongodb's repo installed. At first, I thought this was odd because gpgcheck=0...but this is direct from the Mongodb docs:

echo '[mongodb-org-3.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.2/x86_64/
gpgcheck=0
enabled=1' > /etc/yum.repos.d/mongodb-org-3.2.repo

Now, update your system:

yum -y update

Finally, reboot the system:

shutdown -r now

After the system has rebooted, log back in, become root and TEMPORARILY disable SELinux. To be honest, I'm not sure we even need to do this, but the original docs mention that there are issues with SELinux and MongoDB.

setenforce 0

Now install the needed packages to run Rocket.Chat:

yum -y install nodejs curl GraphicsMagick npm mongodb-org

Enable the MongoDB service and start it:

systemctl enable mongod.service
systemctl start mongod.service

Now that we have our repos and system up-to-date, let's add a new user who will install and run the Rocket.Chat service, as well as get the latest release of Rocket.Chat and place it in /opt for our rocket user.

useradd rocket
cd /opt
curl -L https://rocket.chat/releases/latest/download -o rocket.chat.tgz
tar zxvf rocket.chat.tgz
mv bundle Rocket.Chat
chown -R rocket:rocket Rocket.Chat
rm -f rocket.chat.tgz

Installing Rocket.Chat

Install some packages via npm. I did this as root because I ran into permission issues if I used the -g flag as a normal user:

npm install -g inherits
npm install -g n

The document I originally followed mentions that:

"Meteor needs at least this version of node to work."

Where 'this version' is '0.10.40'.

To me, that would imply I could use versions past 0.10.40 and be fine, but this does not seem to be the case. I've not looked into why, but using newer node versions seemed to net a lot of errors. So for now, I'll just be using the version specified in the original docs.

n 0.10.40

Now, we can use our new rocket user:

su - rocket

Change into /opt/Rocket.Chat/programs/server and run npm install:

cd /opt/Rocket.Chat/programs/server
npm install

Assuming that all goes well, we can move into setting up our Systemd service for Rocket.Chat.

Systemd Service

Here is the systemd service file I wrote up to start Rocket.Chat.

Create a new file as root with the following contents in /etc/systemd/system/ and call it RocketChat.service:

[Unit]
Description=Rocket.Chat
After=network.target

[Service]
Type=simple
WorkingDirectory=/opt/Rocket.Chat
User=rocket
Group=rocket
ExecStart=/usr/local/bin/node main.js
Restart=always
SyslogIdentifier=Rocket.Chat
Environment="BIND_IP=127.0.0.1"
Environment="ROOT_URL=https://sooperchatz.example.com"
Environment="PORT=3000"
Environment="MONGO_URL=mongodb://localhost:27017/rocketchat"

[Install]
WantedBy=multi-user.target

The bits you will need to change (assuming you've followed the doc closely thus far) are the Environment lines.

  • Environment="BIND_IP=127.0.0.1"
    • This sets Rocket.Chat to listen on localhost rather than all interfaces
  • Environment="ROOT_URL=https://sooperchatz.example.com"
    • The URL that you will access Rocket.Chat from
  • Environment="PORT=3000"
    • The port Rocket.Chat will listen on
  • Environment="MONGO_URL=mongodb://localhost:27017/rocketchat"
    • Where Rocket.Chat should look for the MongoDB

Now, just in case, run this to reload systemd so it sees our new service:

systemctl daemon-reload

Now, enable and start the new service:

systemctl enable RocketChat.service
systemctl start RocketChat.service

HTTPD (apache)

As root, install httpd and mod_ssl:

yum -y install httpd mod_ssl

I like to create a new config folder called proxies.d within /etc/httpd/ to hold any of my proxy configs. You could also just throw the config in /etc/httpd/conf.d.

If you make the new config folder, you will need to add IncludeOptional proxies.d/*.conf to the bottom of /etc/httpd/conf/httpd.conf and reload or restart httpd.

The config I used is as follows (/etc/httpd/proxies.d/sooperchatz.example.com.conf):

<VirtualHost *:80>
  ServerName sooperchatz.example.com
  Redirect permanent / https://sooperchatz.example.com/

  CustomLog /var/log/httpd/sooperchatz.example.com_access.log combined
  ErrorLog /var/log/httpd/sooperchatz.example.com_error.log

</VirtualHost>

<VirtualHost *:443>
  ServerName sooperchatz.example.com

  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/sooperchatz.example.com-cert.crt
  SSLCertificateKeyFile /etc/pki/tls/private/sooperchatz.example.com-private-key.pem

  SSLProxyEngine On
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:3000/
  ProxyPassReverse / http://127.0.0.1:3000/

  CustomLog /var/log/httpd/sooperchatz.example.com_ssl_access.log combined
  ErrorLog /var/log/httpd/sooperchatz.example.com_ssl_error.log

</VirtualHost>

This will enforce https at the httpd level. BEWARE that if you enable 'Force SSL' in the Rocket.Chat Admin interface, you will be in a redirect loop and Rocket.Chat will no longer load!! (found that out the hard way...)

Also, be sure to update at least SSLCertificateFile, SSLCertificateKeyFile, CustomLog, ErrorLog, and ServerName to reflect your environment.

Enable and start the httpd service:

systemctl enable httpd
systemctl start httpd

Firewall

Since we are using Apache to expose the Rocket.Chat service, which is listening on localhost, we just need to open ports 80 and 443:

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

SELinux

Time to throw off the shackles of fear and re-enable SELinux.

setenforce 1

Also, make sure you have it set to enforcing in the config (/etc/selinux/config):

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

So far I've only hit an SELinux Policy Violation due to httpd attempting to connect to the Rocket.Chat service on port 3000.

This can be fixed by running the following as root:

setsebool -P httpd_can_network_connect true

I plan to update this post if I run into any other SELinux issues.
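Before handing the server to users, it is worth checking the three things this setup depends on: Rocket.Chat listens only on 127.0.0.1:3000 (so nothing bypasses the proxy and its TLS), SELinux is enforcing with the boolean above set, and the port-80 vhost redirects once to https while the https side does not redirect again (the loop you get with 'Force SSL' turned on in the admin UI). The script below is an added example, not part of the original post; the hostname and the sample command outputs are constructed, and each check takes captured output as arguments so it can be run offline before pointing it at the real commands.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# layout above. Each check takes captured command output as arguments; on
# the server you would pass e.g. "$(ss -ltn)", "$(getenforce)",
# "$(getsebool httpd_can_network_connect)" or "$(curl -sI http://HOST/)".

# Pass only if the Rocket.Chat port is listening on 127.0.0.1 and nowhere
# else (a 0.0.0.0, * or [::] listener would be reachable without Apache).
check_bind_local() {
    printf '%s\n' "$1" | awk -v p="${2:-3000}" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { seen++; if (a[n-1] != "127.0.0.1") bad++ }
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Pass only if SELinux is enforcing and the boolean from the SELinux
# section is on, so httpd can reach port 3000 without a policy violation.
check_selinux() {
    [ "$1" = "Enforcing" ] || return 1
    case $2 in *"httpd_can_network_connect --> on"*) return 0 ;; esac
    return 1
}

# Pass only if port 80 answers 301 to the https:// URL for the host and the
# HTTPS side itself answers 200, i.e. there is no second redirect.
check_redirect() {
    http=$(printf '%s\n' "$1" | tr -d '\r')
    https=$(printf '%s\n' "$2" | tr -d '\r')
    printf '%s\n' "$http" | grep -q '^HTTP/[0-9.]* 301' || return 1
    printf '%s\n' "$http" | grep -qi "^Location: https://$3/" || return 1
    printf '%s\n' "$https" | grep -q '^HTTP/[0-9.]* 200'
}

# Constructed sample outputs standing in for the real commands.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3000     *:*
LISTEN 0      128    *:443              *:*'
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://sooperchatz.example.com/'
SAMPLE_HTTPS='HTTP/1.1 200 OK'

check_bind_local "$SAMPLE_SS" && echo "bind: ok" || echo "bind: FAIL"
check_selinux Enforcing "httpd_can_network_connect --> on" \
    && echo "selinux: ok" || echo "selinux: FAIL"
check_redirect "$SAMPLE_HTTP" "$SAMPLE_HTTPS" sooperchatz.example.com \
    && echo "redirect: ok" || echo "redirect: FAIL"
```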

Accessing Rocket.Chat

You should now be able to access Rocket.Chat at the url you chose and create your first user. By default, the first user to register is automatically an Admin.

Rocket.Chat Landing Page