I have avoided adding comments to my blog for the longest time because I didn't think I got the amount of traffic needed to make them worthwhile. However, after putting some more effort into content lately, I've seen enough that it felt like a nice addition. I wanted to self-host the comments and keep the JS footprint to a minimum, so I picked Isso as the platform since it seemed pretty straightforward and already had a Debian package available.

First order of business was obviously to install Isso from the Debian repositories.

$ sudo apt install isso

Next up was configuring a site for Isso, and it looks like the Debian package is set up for multisite hosting by default. Similar to Apache or nginx sites-available and sites-enabled, the Isso package provides two directories, available and enabled, under /etc/isso.d for this configuration. Following the quickstart guide I put together the following configuration file in /etc/isso.d/available.

# /etc/isso.d/available/example.com.cfg
[general]
name = example.com
dbpath = /var/lib/isso/example.com.db
host =
  http://example.com
  https://example.com

[admin]
enabled = true
password = <secure password>

The first thing to note is the name key, which must be present because the Debian-provided service file is set up for multisite. If you see errors in journalctl -u isso that say "unable to dispatch '...', no 'name' set", this is what is going on. The log file theoretically exists at /var/log/isso/isso.log, but it's much less helpful than one would hope; journalctl will give you more useful information. Another fun problem is that the character % must not appear in the password you provide for the administrative interface. If it does, the Python string parsing that is done in the background will crash the entire service when you try to log in.
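A pre-flight check for the two pitfalls above, as an added example that is not part of Isso or the Debian package. It assumes the site file is read with Python's configparser and its default %-interpolation, which is what makes a bare % fail when the value is fetched; lint_isso_cfg and both sample configs are constructed for illustration.

```python
import configparser

# Constructed sample configs modelled on the file shown above.
GOOD_CFG = """
[general]
name = example.com
dbpath = /var/lib/isso/example.com.db
host =
  http://example.com
  https://example.com

[admin]
enabled = true
password = correct-horse-battery
"""

BAD_CFG = """
[general]
dbpath = /var/lib/isso/example.com.db

[admin]
enabled = true
password = hunter%2
"""

def lint_isso_cfg(text):
    """Return a list of problems found in one Isso site config (given as text)."""
    problems = []
    # Interpolation disabled: read raw values without tripping on '%'.
    raw = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    raw.read_string(text)
    if not raw.get("general", "name", fallback="").strip():
        problems.append("[general] name is missing (multisite dispatch needs it)")
    # Default parser: parsing succeeds, the error only surfaces on get().
    cooked = configparser.ConfigParser(allow_no_value=True)
    cooked.read_string(text)
    for section in cooked.sections():
        for key in cooked[section]:
            try:
                cooked.get(section, key)
            except configparser.InterpolationError as exc:
                problems.append(f"[{section}] {key}: {type(exc).__name__}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, lint_isso_cfg(cfg))
```

Because the failure only appears when the value is fetched, the service can start cleanly and still fall over later, which matches the crash-on-login behaviour described above.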

Once the site configuration is available, we just need to link it to the enabled directory before we start the service up.

$ sudo ln -s /etc/isso.d/available/example.com.cfg /etc/isso.d/enabled
$ sudo systemctl enable isso
$ sudo systemctl start isso

Since I intend to use Isso on other domains that I host, I decided to deal with the CORS settings and have Isso hosted separately on its own sub-domain. The nginx configuration for Isso itself is fairly straightforward, and in my case hosted over HTTPS.

server {
  listen *:80;
  server_name isso.example.com;
  server_tokens off;
  return 301 https://isso.example.com$request_uri;
}
server {
  listen *:443 ssl;
  server_name isso.example.com;
  access_log                 /var/log/nginx/isso.example.com.access.log combined;
  error_log                  /var/log/nginx/isso.example.com.error.log;

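  # "ssl on;" dropped: the ssl parameter on the listen directive already enables TLS
  ssl_certificate /etc/ssl/isso.example.com.chained.crt;
  ssl_certificate_key /etc/ssl/isso.example.com.key;
  # TLS 1.0 and 1.1 are deprecated; offer 1.2 and 1.3 only
  ssl_protocols TLSv1.2 TLSv1.3;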
  ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
  ssl_session_cache shared:SSL:10m;

  ssl_trusted_certificate /etc/ssl/isso.example.com.chain.crt;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.4.4 8.8.8.8 valid=330s;
  resolver_timeout 10s;

  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  add_header Strict-Transport-Security max-age=63072000;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  # Prevent XSS
  add_header X-XSS-Protection "1; mode=block";
  # Set Content Security Policy to restrict JS.
  add_header Content-Security-Policy "script-src isso.example.com";
  # Only pass referrer information over HTTPS
  add_header Referrer-Policy no-referrer-when-downgrade;

  # Do not advertise nginx version
  server_tokens off;

  location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}

The Debian service is slightly different from the one described in the Isso documentation and runs on port 8000 instead of the 8080 the documentation shows. We also need to add our new Isso domain to the Content-Security-Policy header of any site we are going to use it on, so that the embed script is allowed to load.

add_header Content-Security-Policy "script-src isso.example.com";

Once that’s done we can reload nginx and get things up and running.

$ sudo systemctl reload nginx

The last part is actually inserting Isso into my Jekyll site via the templates. In the _layouts directory I edited the post.html template and inserted the following.

<h2>Comments:</h2>
<script data-isso="//isso.example.com/example.com"
        src="//isso.example.com/example.com/js/embed.min.js"></script>
<section id="isso-thread"></section>

With that and a quick rebuild of the site there are comment boxes under all of my posts. So feel free to say hello and let me know what info is most useful or interesting to you!