01:14 <DanC> ok... I have a machine on the internet at a sort of colo facility... I have a range of ports that doesn't include 6080 . can I just edit sandstorm.conf and restart?

01:14 <DanC> not obvious from the docs

01:14 <DanC> where are grains started?

01:14 <DanC> stored?

01:14 <DanC> ah...

01:14 <DanC> "/opt/sandstorm/var/sandstorm/grains - this directory contains the files and directories created by each app instance, which we call a grain."

01:15 <kentonv> yes, editing sandstorm.conf and restarting should work

01:16 <kentonv> if you don't have a reverse proxy in front of it -- so you include the port number in the URL bar in your browser -- you may need to reconfigure OAuth after the change

01:16 <kentonv> that is to say, if you change BASE_URL in addition to PORT

01:19 <DanC> but speaking of OAuth ... I'd like to just use TOTP. has anybody done that?

01:20 <DanC> I don't think these grains are worth much; I suspect I might be better off starting from scratch.

01:40 <DanC> should MONGO_PORT=6081 be exposed to the world?

01:44 <DanC> wait... should PORT=6080 be exposed? Does sandstorm do its own SSL termination? I guess I better read the docs more carefully.

01:45 <DanC> ... before I change from BIND_IP=127.0.0.1

01:47 <xet7> DanC: Really, do not expose MongoDB database to Internet. :D

01:48 <xet7> DanC: Because then anyone could connect to MongoDB and delete it's content, or download all it's data, or modify it :D

01:49 <DanC> yeah... that advice belongs in BIG BOLD LETTERS in sandstorm.conf and in docs about sandstorm.conf

01:50 <xet7> DanC: Sandstorm uses port 80 and 443, for HTTP and HTTPS. Sandstorm automatically creates https://yourserver.sandcats.io SSL cert.

01:50 <xet7> DanC: and if you open port 25, Sandstorm can receive email to grains

01:50 <DanC> I don't have 80 nor 443. maybe I could; not sure.

01:51 <DanC> I have a range of ports in the thousands

01:51 <xet7> DanC: Do you have some other webserver at 80 or 443 ?

01:52 <DanC> I suspect somebody in this colo arrangement does

01:52 <DanC> but maybe not

01:53 <xet7> You could also just use HTTP port

01:54 <xet7> For SSL, Sandstorm requires wildcard SSL. For example, I user Caddy webserver with CloudFlare free wildcard this way: https://github.com/wekan/wekan/wiki/Caddy-Webserver-Config

01:54 <xet7> Or, if you can SSH to colo, you can SSH proxy to Sandstorm HTTP port

01:54 <xet7> At Wekan wiki is also other config examples for Nginx, Apache etc

01:56 <xet7> Another way is, if you have some other port open to Internet, you can configure SSL for that, for example https://yourserver.sandcats.io:5000 would have SSL at port 5000

01:56 <xet7> I think any port can be http or https

01:59 <xet7> If you don't use HTTPS, you can comment out that config line with #

02:03 <xet7> BTW, there are already enough Internet exposed MongoDB (and other database) servers at Internet, if someone does some scanning. For example, Chinese house monitoring webcam databases, etc etc :D I do listen news about those from https://twit.tv/sn

02:05 <xet7> There area also videos at YouTube how Mikko Hyppönen (F-Secure) did find from Internet some factory control panels, etc... :D

02:05 <xet7> VNC servers, printers, etc

03:24 <TimMc> Shodan is truly a font of wonders.