Installing Local Certificate Authority for testing purposes.

I wanted to create a proxy from wss to ws connection. But I didn't want to touch my production environment.

So I created a local certificate authority on my local = private computer.

This is how I did this (Oracle Enterprise Linux = CentOS = RedHat - based)

(First start with a root login)

• vi /etc/yum/repos.d/epel-yum-ol7.repo

[ol7_epel]
name=Oracle Linux $releasever EPEL ($basearch)
baseurl=http://yum.oracle.com/repo/OracleLinux/OL7/developer_EPEL/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

• yum repolist

• yum -y install easy-rsa

Connect non-root-user

• useradd myrsa

• passwd myrsa

• su - myrsa

(add user to sudoers)

• mkdir ~/easy-rsa

• ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/

• chmod 700 ~/easy-rsa

• cd ~/easy-rsa
  *./easyrsa init-pki

• vi vars

set_var EASYRSA_REQ_COUNTRY    "NL"
set_var EASYRSA_REQ_PROVINCE   "MyProv"
set_var EASYRSA_REQ_CITY       "MyCity"
set_var EASYRSA_REQ_ORG        "MyOrg"
set_var EASYRSA_REQ_EMAIL      "admin@localhost"
set_var EASYRSA_REQ_OU         "Community"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"

• ./easyrsa build-ca nopass

. . .
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
. . .
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
~/easy-rsa/pki/ca.crt

• cat ~/easy-rsa/pki/ca.crt

Other Server : WebServer (or the same system : in my case the same system )

• vi /tmp/ca.crt
  pate data from the ca.crt you created earlier

• sudo cp /tmp/ca.crt /etc/pki/ca-trust/source/anchors/

• sudo update-ca-trust

Make private key

• openssl genrsa -out webserver.key

Certificate SIGNING request : CSR

• openssl req -new -key webserver.key -out webserver.req

Verify:

• openssl req -in webserver.req -noout -subject

• cat webserver.req
  -----BEGIN CERTIFICATE REQUEST-----
  ....

Transport this certificate to the ca-server

• vi /tmp/webserver.req
  paste - webserver.req from other server

• cd ~/easy-rsa
• ./easyrsa import-req /tmp/webserver.req webserver
• ./easyrsa sign-req server webserver
  Enter: Yes

Certificate created at: .../webserver.crt

• cat ~/easy-rsa/pki/issued/webserver.crt

-----BEGIN CERTIFICATE-----

Take this certifcate to the webserver

• vi /tmp/webserver_ca.crt
  Paste certificate

WebServer (root)

• cp /tmp/webserver_ca.crt /etc/pki/tls/certs/webserver_ca.crt
• cp webserver.key /etc/pki/tls/private/webserver.key
• chmod 600 /etc/pki/tls/private/webserver.key

• yum -y install httpd mod_ssl mod_dav_svn ssl proxy proxy_http proxy_html proxy_wstunne
• vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/webserver_ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/webserver.key
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

service httpd restart

Importing CA in Browser

In order for the client to trust the server it should also trust the CA that made the key.

Generate a key you can import in a browser:

• cd /home/myrsa/easy-rsa
• openssl pkcs12 -export -in pki/ca.crt -inkey pki/private/ca.key -out browser.pfx

Browser / Client

Client computer:
c> pscp root@ca_server:/home/myrsa/easy-rsa/browser.pfx Downloads

Add the name 'webserver' to your host-resolver:

C> notepad c:\windows\system32\drivers\etc\hosts
192.168.0.12 webserver

Open browser

• chrome://settings/security?search=certificat
  Go to certificate management and import the PFX into the Trusted ROOT CERTIFICATES

You can now make a secure connection to the webserver:

https://webserver

Proxy Forward

• vi /etc/httpd/conf.d/ssl.conf
  Add below in the file :

To make sure that all non-browser traffic goes to specific port I open up the 8567 port instead of 443

  <VirtualHost *:8567>
    
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/webserver_ca.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webserver.key
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

     RewriteEngine On

    RewriteCond %{HTTP:Upgrade} =websocket [NC]
        # Port 3567 is where the docker is listening for
    RewriteRule ^/(.*)    ws://0.0.0.0:3567/$1 [P,L]

  </VirtualHost>

My docker is started like this:

• docker run --name=col -h col --dns=8.8.8.8 -p 3567:3567 -v /home/root:/home/extern/ -t -d oel /bin/bash

Port forward trafic comming from 3567 is going inside the docker where colyseus is listening on 3567 as well.

Firewall is completely open on my private server.
This should never be done for global servers. But for global servers you really need a non-self-signed certificate.

You now have a secure connection to the server and it will proxy the stream to the docker. Inside the docker (colyseus-code) nothing has to be altered!

While preparing for the LD47 I revisted an old (LD38) project and converted it into a Client-As-A-Server game.

The left shows player control using the arrow keys and the right session you control the rock with the mouse.

The Extension Demo Page where you can play yourself is:
StencylColsyeusDemoPage

Since I want to join the Ludum Dare Jam 47 (2nd October) and make an on-line game we need to make resources public available.
Therefore I have made the Stencyl Extension available as a public beta : Stencyl Colyseus Extension Page

Last days I've worked on the documentation

And I worked on implementing a turn based card game.

Sending and receiving data is a breeze with Colyseus.

It all depends on the game-logic and how to show the state of the game.

I hope that the docker container that I provide to the Stencyl users will make running of the server easier for them.

As mentioned before I have made the extension based on the work of serjek (haxe externs) on top of the Colyseus engine.

The server has only three logic parts : Turn based and Locking mechanism and a check on active seat.
All other logic has to run on the client.

Of course most good server implementations need more logic on the server,
but I still am not certain how to provide the stencyl users with a relative easy way to make server-side code.

The best 'feel' you get is when you implement the Lock Room Type for your game. The room-data is kind of like a database server
that allows only one player to modify the data.

But, to be honest, most Stencyl users want to create physics based games. I provide examples how to run a client-as-a-server approach.
That seems to work since all clients see the same 'server'-state. But it is never as fast as it could be with server-side-physics.

I've attempted to create physics logic on the server based on the Box2D library.
The problems arise when doing client side prediction and server lag compensation. I wasn't able to get that to work. The data on the
clients 'jumped' all over the place. It works when you have minimal player interaction on the physics objects, but then the 'client-as-a-server' approach
is way easier to implement.

Working towards a beta release of the Colyseus Stencyl Extension.

I had already Lock, TurnBased and Raw room-types.

Most of the progress has been made with the Client-As-A-Server concept.
I know that the best way to handle multiplayer is on the server-side.
But many of the Stencyl users are not comfortable writing the server-side logic.

Therefore I attempted for a Client-Server-Relay kind of thing.
The collision and logic is handled on the client side with one of the clients acting as the server.
On that client the real physics objects are hidden and only the data that is send to all players is displayed.

These are the things that are currently made with the Client-As-A-Server approach:

Left Window is a Windows executable
Right Window is a web-page

I hope to do some more beta-testing with other Stencyl users to gain more information about this approach.

From my setup:

root@raspberrypi:~/colyseus-hxjs-examples# haxe -version

4.0.0-rc.2

root@raspberrypi:~/colyseus-hxjs-examples# haxelib list

colyseus-hxjs: [git]
hxnodejs: [10.0.0]
tink_core: [1.23.0]
tink_lang: [0.6.2]
tink_macro: [0.17.7]
tink_priority: [0.1.4]
tink_syntaxhub: [0.4.3]

root@raspberrypi:~/colyseus-hxjs-examples# cat src/colyseus/server/schema/Schema.hx | grep MapSchemaUtil

class MapSchemaUtil {

Your tink_core is different than mine. Don't know if that is the only thing that is different?

Not sure if you are mixing libraries. The stuff that I rely on is from serjek and was based on 0.10 release. There is now a 0.11 release so I hope you didn't load any of that?!

Unfortunately I can't confirm now on my system, but you might try to move the contents of that hxjs directory to the [git] (or copy)
So that /usr/lib/haxe/lib/colyseus/-hxjs/git has the src, haxelib.json, README.md and extraParams.hxml

And then try again haxe server.hxml

@closetmonkey
Hmm that is a strange output of haxelib list on colyseus-hxjs

From memory (I don't have access to it now since I'm at work) the colyseus-hxjs should only have one version behind it :
colyseus-hxjs: [git]

this was used to tell haxelib what version it should use:
echo "git" > /usr/lib/haxe/lib/colyseus-hxjs/.current

what is the contents of your .current file?!

Maybe you just edit the /usr/lib/haxe/lib/ (or your own haxelib path) /colyseus-hxjs/.current and make sure it only has the git in it?!

what does ' haxelib list ' show?

I had to use a mix of steps ( haxelib install and copying files) before haxe server.hxml could find all types.

Raspberry PI & Colyseus ( & Haxe )

Currently there are two basic ways to deploy my Colyseus server:

• (Virtual) Host on premise or in the cloud
• Docker container running on premise or in the cloud

For my Console system I wanted to run Colyseus and Haxe on a Raspberry PI.
You could use this as a low budget computer for testing purposes or use port forwarding on your router to host it to the rest of the world.

The steps below could be used to create a nodejs server and you can avoid all the extra steps to get haxe working.

For small multiplayer games or for turnbased/idle games this would be a cheap way to run a server from your home.

The procedure for a Virtual Raspberry PI (VirtualBox/XenServer) is much simpler because the x86 can work with lix.
Unfortunately I haven't managed to get lix working on the real (ARM) hardware. It defaults to an incompatible distribution.

If anyone knows how to tell lix to get the ARM based executables that would make this procedure a lot easier

Installation Steps:

Components:

• Raspberry PI B v1.2 : 1GB Ram, 4x 1.2 Ghz Cores
• Stretch image 2018-11-13-raspbian-stretch from https://distrowatch.com/?newsid=10376
• Use Win32DiskImage/RUFUS to write the image to a 16GB SD card. The haxe software that we will install brings it to 14 GB!

Boot raspbian (default it will use DHCP to get an IP address)
Open terminal : sudo su - (Become root)

vi /etc/ssh/sshd_config 

change permitRootLogin to : permitRootLogin yes

change password for root : passwd root

Allow putty / ssh into the PI

systemctl enable ssh
systemctl start ssh

Update/upgrade

apt update
apt upgrade

rpi-update

restart the PI

Get the IP address:

ip addr show      

login as root to do the (remote) installation

cd /root
#nodejs
#curl -sL https://deb.nodesource.com/setup_8.x | bash - # used for x86 version of pi
curl -sL https://deb.nodesource.com/setup_10.x | bash -
apt-get -y install nodejs
node -v
npm -v

You can install the node stuff for Colyseus and run the NodeJS version.

But I wanted HaXe so these are the steps we need to make before we can compile the neko and haxe versions

If you are on x86 versions you can use the serjek example github files and use ' lix download' to download the binaries.

But for now I had to compile the ARM versions:

# ---------------
# Neko / HaXe / Colyseus-hxjs 
# ---------------
# base software packages  
# execute line after line (do not copy-paste-run!)
mkdir -p ~/Development/haxe/{dev,lib,source}
cd ~/Development/haxe/source
apt-get install -y build-essential git cmake
apt-get install -y libgc-dev libgc1c2 libpcre3 libpcre3-dev
apt-get install -y apache2-dev libmariadb-client-lgpl-dev-compat    
apt-get install -y libsqlite3-0 sqlite3 libsqlite3-dev    
apt-get install -y libgtk2.0-dev
apt-get install -y libudev-dev
apt-get install -y libasound2-dev
apt-get install -y zlib1g libmariadb2 libmbedtls-dev libmbedcrypto0 libmbedtls10 libmbedx509-0
apt-get install -y m4 ocaml ocaml-native-compilers libpcre-ocaml-dev libextlib-ocaml libextlib-ocaml-dev opam
apt-get install -y openssl libssl-dev 

Interactive setup/install:

opam init
ocamlc -config|grep arch # should be arm 
#interactive:
opam install conf-m4 ocamlfind sedlex depext xml-light extlib rope ptmap sha

We are ready to install neko and haxe:

export HAXE_VERSION='4.0.0-rc.2'
export NEKO_VERSION='v2-2-0'

cd /root
eval `opam config env`
#
#Neko install
#
git clone --recursive  https://github.com/HaxeFoundation/neko -b $NEKO_VERSION
cd neko 
mkdir build
cd build
cmake -DRELOCATABLE=OFF ..
make
make install

Test the neko by typing in neko and check that the version is 2.2.0

  
#
# haxe install
#  
eval `opam config env`
cd ~/Development/haxe/source
git clone --recursive https://github.com/HaxeFoundation/haxe -b $HAXE_VERSION
cd haxe
make
make tools
make install  
  

haxe --version # should give you 4.0.0-rc.2

Setting up the libraries to run the examples

haxelib setup
# default /usr/lib/haxe/lib
 
# yarn
npm i yarn -g
yarn

# Get Haxe Libraries
cd /usr/lib/haxe/lib
# haxelib git colyseus-hxjs https://github.com/serjek/colyseus-hxjs
git clone https://github.com/serjek/colyseus-hxjs

Unfortunately I'm not good enough with haxe and lix libraries and I needed a hack to get
the colyseus-hxjs library to work with the compiled ARM versions.

Apparently the required versions are different from the default haxelib installations.
Since I know that the lix steps worked for x86 installations I used a mix of installation steps to get it to work.

npm i lix -g

cd /root
git clone https://github.com/serjek/colyseus-hxjs-examples.git
cd /root/colyseus-hxjs-examples
# We are still going to download the latest haxe_libraries but we are using the haxelib versions later
lix download
haxelib install tink_core
haxelib install tink_lang
haxelib install hxnodejs

# Now we need to copy some of the /root/haxe/haxe_libraries to the haxelib libraries:
mkdir -p /usr/lib/haxe/lib/colyseus-hxjs/git/src
cp -r /root/haxe/haxe_libraries/colyseus-hxjs/0.0.0/github/*6  /usr/lib/haxe/lib/colyseus-hxjs/git
mv /usr/lib/haxe/lib/colyseus-hxjs/git/*6/src  /usr/lib/haxe/lib/colyseus-hxjs/git/src
cp -r /root/haxe/haxe_libraries/hxnodejs/6.9.1/haxelib/src/ /usr/lib/haxe/lib/hxnodejs/10,0,0

echo "git" > /usr/lib/haxe/lib/colyseus-hxjs/.current

haxelib list

With these hacked haxe libraries we can then run the steps to create node versions from the haxe code:

haxe server.hxml

cd bin/server
yarn
node index.js

You can now tell your client to connect to the examples.

My pre-alpha Stencyl Extension Server was used by myself to run the TicTacToe game.

For that I installed a webserver on the PI and uploaded both the server code and the client code to the Raspberry PI:

#
# Apache WebServer
#
apt-get install apache2
systemctl enable apache2

Copy your project to /var/www/html
and
Visit your game with a browser to the following URL: http://raspberry_pi_ip_address

You can use win32diskimage to create an image from the SD card as a back-up.