Erik Rigtorp

Configure WeeChat WebSocket relay with TLS

This is a short guide on how to set up the WeeChat WebSocket relay protocol with TLS encryption. The relay protocol is great since it lets you conveniently access your WeeChat instance from a browser using Glowing Bear and on Android using the weechat-android app.

Outline of setup steps:

  1. Set up the WeeChat relay protocol with a strong password, listening on the loopback interface only.
  2. Set up NGINX to serve traffic over HTTPS using Let’s Encrypt TLS certificates.
  3. Set up NGINX to proxy and rate limit traffic to WeeChat.

Install the prerequisite software:

sudo dnf install weechat pwgen nginx certbot python3-certbot-nginx

Set up WeeChat

Generate a strong password to use with the relay protocol using the pwgen command:

pwgen 32 1

It is important that WeeChat is not exposed on any public network interface, so set the relay.network.bind_address option to a loopback address only (::1 for IPv6, or 127.0.0.1 if you turn relay.network.ipv6 off). The relay password travels in clear text inside the WebSocket, so the only thing that should ever talk to port 9000 directly is NGINX on the same host, and it is NGINX that exposes the relay publicly over TLS.

Now enable the relay protocol by running the following commands in WeeChat, using the password generated above in place of mypassword:

/set relay.network.password "mypassword"
/set relay.network.bind_address "::1"
/relay add weechat 9000
/save

Do not use "::" or "0.0.0.0" here: those bind to every interface and expose the relay directly to the network, which is exactly what this setup is meant to avoid.

Verify that WeeChat is listening on the loopback address only (ss -lntp shows the same information on systems without netstat):

$ sudo netstat -lntp | grep weechat
tcp6       0      0 ::1:9000                :::*                    LISTEN      1203/weechat

If the local address column shows :::9000 or 0.0.0.0:9000 instead, the relay is reachable from other hosts and bind_address needs to be fixed before going any further.
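The same check, scripted so it can run from a cron job or a deploy pipeline. This is an added example and not part of the original post; it assumes POSIX sh and iproute2's ss, and the sample listener lines below are constructed for the demonstration, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original post): check that the relay port is bound
# to a loopback address only. It reads `ss -lnt` style lines from stdin and
# fails if any LISTEN socket on the given port is bound to a non-loopback
# address such as 0.0.0.0, :: or *. Assumes POSIX sh and iproute2's ss.

# relay_bound_to_loopback_only PORT
# stdin: output of `ss -lntH` (no header line). Returns 0 if every listener on
# PORT is on 127.0.0.0/8 or ::1, 1 otherwise.
relay_bound_to_loopback_only() {
    port="$1"
    bad=0
    # ss columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port ...
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue
        lport="${local##*:}"             # text after the last colon is the port
        [ "$lport" = "$port" ] || continue
        laddr="${local%:*}"              # everything before it is the address
        case "$laddr" in
            127.*|\[::1\]|::1) ;;        # loopback (ss or netstat notation): fine
            *) echo "relay port $port is exposed on $laddr" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# check_live_relay PORT: run the check against this host's real listeners.
check_live_relay() {
    ss -lntH | relay_bound_to_loopback_only "$1"
}

# Constructed sample lines (not captured output) showing the two outcomes.
SAMPLE_LOOPBACK='LISTEN 0 128 [::1]:9000 [::]:* users:(("weechat",pid=1203,fd=8))'
SAMPLE_EXPOSED='LISTEN 0 128 *:9000 *:* users:(("weechat",pid=1203,fd=8))'

if [ "${1:-}" = "--live" ]; then
    check_live_relay "${2:-9000}"
else
    printf '%s\n' "$SAMPLE_LOOPBACK" | relay_bound_to_loopback_only 9000 && echo "loopback sample: ok"
    printf '%s\n' "$SAMPLE_EXPOSED" | relay_bound_to_loopback_only 9000 || echo "exposed sample: rejected as expected"
fi
```

Run it with `--live 9000` on the WeeChat host to check the real socket table; without arguments it only exercises the constructed samples. Only the address part of the local column is inspected, so the check is the same whether WeeChat binds IPv4 or IPv6 loopback.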

Set up NGINX to serve traffic over HTTPS

Enable and start NGINX:

sudo systemctl enable nginx
sudo systemctl start nginx

Retrieve a certificate for your domain using certbot:

sudo certbot --nginx

Configure NGINX to accept only modern TLS. I recommend generating the TLS settings with the DigitalOcean NGINX config tool or the Mozilla SSL Configuration Generator using the modern profile (TLS 1.3 only; pick the intermediate profile instead if you must support older clients).

Set up NGINX to proxy and rate limit requests to WeeChat. The limit_req_zone directive belongs in the http context (for example at the top of the file that holds your server block), not inside server. Rate limiting the /weechat location works against password guessing because WeeChat drops the connection on a failed login, so every guess needs a fresh WebSocket connection, which is one HTTP request as far as NGINX is concerned:

# In the http {} context: 10 MB zone keyed on client address,
# allowing 5 requests per minute to the WeeChat location
limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;

server {
    ... # Your original config goes here (listen 443 ssl, server_name, certificates)

    location /weechat {
        proxy_pass http://[::1]:9000/weechat;    # Loopback only; must match relay.network.bind_address
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 4h;                   # Don't disconnect idle websocket connections
        limit_req zone=weechat burst=1 nodelay;  # Each connection attempt is one request: slows password brute forcing
    }
}

Reload NGINX config:

sudo nginx -t && sudo systemctl reload nginx
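To confirm the limiter is actually in front of the relay, probe it from another machine. This is an added example, not from the original post: it assumes curl is installed, that example.com stands for your server_name, and that limit_req_status has been left at its default of 503. With rate=5r/m burst=1 nodelay, two back-to-back requests get through (one at the steady rate plus the single burst slot) and the rest are rejected by NGINX before they ever reach WeeChat.

```sh
#!/bin/sh
# Added example (not from the original post): probe the /weechat rate limit from
# a client machine. Assumes curl; HOST is the NGINX server_name (example.com is
# a placeholder). 503 is limit_req's default rejection code; adjust the case
# below if you set limit_req_status to something else.

# classify_limit_responses MAX_PASSED
# stdin: one HTTP status code per line, as printed by curl's %{http_code}.
# Prints a summary and returns 0 if at most MAX_PASSED requests got past the
# limiter and at least one was throttled; returns 1 otherwise, including when
# curl could not connect at all (code 000).
classify_limit_responses() {
    max_passed="$1"
    passed=0
    limited=0
    while read -r code; do
        case "$code" in
            503) limited=$((limited + 1)) ;;   # limit_req rejected it
            000) echo "connection failed" >&2; return 1 ;;
            *)   passed=$((passed + 1)) ;;     # reached the proxy (any other code)
        esac
    done
    echo "passed=$passed limited=$limited"
    [ "$passed" -le "$max_passed" ] && [ "$limited" -gt 0 ]
}

# probe_rate_limit HOST N: send N back-to-back requests to /weechat and print
# the status code of each. A plain GET is not a valid WebSocket handshake, so
# WeeChat refuses it, but the request still counts against the limiter, which
# is the part under test.
probe_rate_limit() {
    host="$1"
    n="$2"
    i=0
    while [ "$i" -lt "$n" ]; do
        curl -s -o /dev/null -w '%{http_code}\n' "https://$host/weechat"
        i=$((i + 1))
    done
}

# Usage: probe_rate_limit example.com 6 | classify_limit_responses 2
```

If the summary shows more than two requests passing, the limit_req line is not being applied to the location (a common cause is a second location block or a more specific match that shadows /weechat); if every request passes with a non-503 code, check that limit_req_zone is in the http context and that NGINX was reloaded.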

Use testssl.sh to verify your HTTPS configuration:

testssl.sh example.com

Use a certificate transparency monitoring service to watch certificate issuance for your domain, so that you are alerted if a certificate you did not request is issued for it.

Finally, use Glowing Bear or another WeeChat relay client to access your WeeChat instance, connecting to your domain on port 443 with TLS enabled rather than to port 9000 directly.
