Core Linux - SSL Certificate Installation
This article covers adding an SSL certificate to the Quality Modeller so that it can be served over HTTPS.
1 - Obtain SSL Certificate
For testing you can create a self-signed SSL certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /nginx/server.key -out /nginx/server.crt
For production it is recommended that you obtain an SSL certificate signed by a registered certificate authority.
You should now have a .crt and a .key file. Place these on the host machine's local storage. If you have placed them in a directory other than "/nginx", edit the volumes key in the docker-compose.yml file accordingly, replacing those entries with your location.
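Before mounting the files into nginx it is worth confirming that the .crt and .key actually belong together, that the certificate is not about to expire, and that the private key is not world-readable on the host. The following shell functions are an added example for that check, not part of the original article or the Quality Modeller package; they assume only that openssl is on PATH, and the test pair they generate (with a constructed CN) is throwaway data for demonstration.

```sh
#!/bin/sh
# Added example: sanity-check an nginx certificate/key pair before ./run.sh.
# Assumes openssl is available; file paths are passed in rather than fixed to /nginx.
set -eu

# Generate a throwaway self-signed pair non-interactively (constructed test data;
# the -subj avoids the interactive prompts of the plain command in the article).
make_test_pair() {
  dir=$1
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=modeller.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# Return 0 when the public key inside the certificate is the one derived from
# the private key, i.e. the two files form a matching pair. Comparing the
# SubjectPublicKeyInfo works for RSA and EC keys alike.
cert_matches_key() {
  crt=$1; key=$2
  cert_pub=$(openssl x509 -noout -pubkey -in "$crt")
  key_pub=$(openssl pkey -pubout -in "$key")
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is still valid for at least N more days.
cert_valid_for_days() {
  crt=$1; days=$2
  openssl x509 -noout -checkend $((days * 86400)) -in "$crt" >/dev/null
}

# Return 0 when the key file is not readable by group or others.
key_is_private() {
  key=$1
  mode=$(ls -l "$key" | cut -c5-10)
  [ "$mode" = "------" ]
}

# Print subject and expiry so the operator can record what was installed.
describe_cert() {
  openssl x509 -noout -subject -enddate -in "$1"
}

# Stand-alone usage: check_pair /nginx/server.crt /nginx/server.key
check_pair() {
  cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
  cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
  key_is_private "$2" || { echo "key file is readable by other users" >&2; return 1; }
  describe_cert "$1"
}
```

Run check_pair against the two files you intend to mount; a mismatch here is the usual cause of nginx failing to start after step 3 with a "key values mismatch" error.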
2 - Setup the custom SSL configuration
The package folder comes with a file called docker-compose-ssl.yml. Copy that file to a new file called docker-compose-custom.yml and then, if necessary, edit the newly created file. If you already have a docker-compose-custom.yml file containing other custom configuration, edit that file instead.
cp docker-compose-ssl.yml docker-compose-custom.yml
By default, the docker-compose-ssl.yml file expects the certificate files obtained in step 1 to be available on the host machine at the following location:
/nginx/server.crt
/nginx/server.key
If you are able to place the files there, you can simply proceed to the next step.
If you are unable to place the certificate files in the /nginx folder for some reason (e.g. permissions), you can edit the docker-compose-custom.yml file to change the location or names of the certificate files under the volumes section of nginx:
nginx:
  image: nginx
  volumes:
    - ./nginx/nginx-https.conf:/etc/nginx/nginx.conf
    - [certificate-file-on-host]:/etc/nginx/server.crt
    - [key-file-on-host]:/etc/nginx/server.key
3 - Start (or restart) the Quality Modeller Services
Start the Quality Modeller services.
./run.sh
4 - Enable TLS v1.2 (Optional)
If you wish to enable TLS v1.2, you also need to edit the package/nginx/nginx-https.conf file so that the server block contains the following values. Then restart the Quality Modeller services as described in step 3 above.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
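A cipher string typo in nginx-https.conf only surfaces when nginx refuses to start after the restart, so it is useful to resolve the string with openssl first and confirm what it actually selects. The functions below are an added example, not part of the article or the Quality Modeller package; they assume openssl on PATH and take the cipher string as a parameter (the article's string is used as the sample input).

```sh
#!/bin/sh
# Added example: resolve an nginx ssl_ciphers string with openssl before
# restarting the services. Assumes openssl is available.
set -eu

# Sample input: the ssl_ciphers value from the article.
MODELLER_CIPHERS="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# Print how many TLS 1.2-and-below suites the string resolves to. Newer
# openssl builds prepend the fixed TLS 1.3 suites to any list, so those are
# filtered out; an unparseable string yields 0 rather than an error.
tls12_suite_count() {
  openssl ciphers -v "$1" 2>/dev/null | grep -vc 'TLSv1.3' || true
}

# Return 0 when every selected suite uses an ephemeral key exchange (ECDH or DH),
# i.e. offers forward secrecy. TLS 1.3 suites report Kx=any and always do.
all_forward_secret() {
  openssl ciphers -v "$1" 2>/dev/null | awk '
    { split($3, kx, "="); if (kx[2] != "ECDH" && kx[2] != "DH" && kx[2] != "any") bad++ }
    END { exit (bad > 0 || NR == 0) ? 1 : 0 }'
}

# Return 0 when none of the selected suites still uses RC4, 3DES or a NULL cipher.
no_weak_bulk_ciphers() {
  ! openssl ciphers -v "$1" 2>/dev/null | grep -Eq 'Enc=(RC4|3DES|None)'
}

# Stand-alone usage: review_cipher_string "$MODELLER_CIPHERS"
review_cipher_string() {
  n=$(tls12_suite_count "$1")
  [ "$n" -gt 0 ] || { echo "cipher string selects no TLS 1.2 suites" >&2; return 1; }
  all_forward_secret "$1" || { echo "a selected suite lacks forward secrecy" >&2; return 1; }
  no_weak_bulk_ciphers "$1" || { echo "a selected suite uses a weak bulk cipher" >&2; return 1; }
  echo "$n TLS 1.2 suites selected, all with ephemeral key exchange"
}
```

The article's string selects only ECDHE and DHE suites, so the forward-secrecy check passes; the same functions can be pointed at any replacement string you consider before editing nginx-https.conf.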