HTTPS or SSL setup

These are instructions for flex.bi private 4.0 and later

 

If you want to enable HTTPS or SSL for Private flex.bi, then you need to setup front-end web server (like Apache or ngnix) which will handle the HTTPS/SSL connection and will use the reverse-proxy to pass the request to Private flex.bi process. We prefer using nginx, so the following are instructions for setting up connection using nginx web server.

Setting Up Connection Using nginx

Set-up Firewall

First of all, you have to open ports 80 and 443 in your firewall to allow external connections to your server.

  • Run the following command to open the port 80:

    firewall-cmd --permanent --add-port=80/tcp
  • Run the following command to open the port 443:

    firewall-cmd --permanent --add-port=443/tcp
  • Run the following command to reload the firewall:

    firewall-cmd --reload
  • Run the following command to check if the port is open:

    firewall-cmd --list-ports

Install Certbot Let's Encrypt Client

To enable secure communication you need to use an SSL certificate. For this purpose we will use Let's Encrypt solution.  For this to work, the first step is to install the certbot software on your server.

  • Run the following command to enable access to the EPEL repository on your server:

    sudo yum install epel-release
  • Run the following command to install cerbot-nginx package:

    sudo yum install certbot-nginx

Install nginx

To be able to use nginx, you have to install it first.

  • Run the following command to install nginx:

    sudo yum install nginx
  • Run the following command to start nginx using systemctl:

    sudo systemctl start nginx
  • Run the following command to make sure nginx is installed and check it's version: 

    nginx -v

Configure ngninx

To ensure proper certificate creation and traffic routing, you have to create an nginx configuration file ( for example, flexbi.conf)  in the directory /etc/nginx/conf.d.

  • Go to the /etc/nginx/conf.d on your server. 
  • Create a new file in this directory and name it accordingly, for example, flexbi.conf.
  • Use your preferred text editor to insert the following configuration information into the newly created configuration file:

    proxy_http_version 1.1;
    proxy_set_header Connection "";
    
    server {
      listen       80;
      server_name  example.com;
    
      root /home/flexbi/flexbi_private/public/flexbi;
      location / {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header Cookie "$http_cookie;nginxremoteaddr=$remote_addr";
                proxy_set_header X_FORWARDED_PROTO $scheme;
                proxy_pass  http://127.0.0.1:8080;
                proxy_cache_valid  200 302  60m;
      }
    
      access_log      /var/log/nginx/nginx.vhost.access.log;
      error_log       /var/log/nginx/nginx.vhost.error.log;
    }

    In the configuration above, replace example.com with your domain name which has a hostname configured for this server in DNS records.

  • Run the following command to reload nginx and apply the new configuration:

    sudo systemctl reload nginx

    To test if everything is working, open your website in a web browser using http:// (e.g. https://example.com).

Obtain a Certificate

You can use Certbot to obtain SSL certificates using various plugins. We will use nginx plugin which takes care of reconfiguring nginx and reloading the configuration whenever necessary.

Run the following command to obtain a certificate for your domain:

sudo certbot --nginx -d example.com

In the configuration above, replace example.com with your domain name.

Provide additional information, if it is asked, for example, e-mail address.

If the process is successful, certbot will ask how you'd like to configure your HTTPS settings:

Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select the appropriate option and press Enter.

Certbot will create the certificate and show a message telling you the process was successful and where your certificate is stored:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on 2017-10-23. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

To test if everything is working, open your website in a web browser using https:// (e.g. https://example.com). The site should open with a secure connection indicator (a lock icon) next to the address.

Set-up Certificate Auto Renewal

Let's Encrypt's certificates are only valid for ninety days. We will use cron, a standard system service for running periodic jobs, to periodically check the certificate and renew it, if it is necessary.

Run the following command to open and edit the file named crontab that is used to configure cron actions:

sudo crontab -e

In the opened file, past in the following line, then save and close the file:

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means that the following command will run at 3:15 am every day. You can choose any time.

Reconfigure flex.bi For HTTPS schema

Now, when you have access to your server through https schema, you have to configure flex.bi to use your domain name and https. To achieve this, you have to configure the file eazybi.toml which is located in the directory /home/flexbi/flexbi_private/config of your server.

  • Run the following command to open the file for editing (in this example we are using vi text editor):
vi /home/flexbi/flexbi_private/config/eazybi.toml

In the code example above we are using the vi text editor, but you can use the editor of your choice.

  • In the opened file find the part [default_url_options]. It should look similar to this:
[default_url_options]
# This example is for the default http://localhost:8080 URL.
host = "<your-ip-address>"
port = 8080
# This example is for the https://example.com URL.
# host = "example.com"
# protocol = "https"

In the code example above you should see the IP address of your server instead of <your-ip-address>.

  • Edit the part [default_url_options] following this example:
[default_url_options]
# This example is for the default http://localhost:8080 URL.
# host = "<your-ip-address>"
# port = 8080
# This example is for the https://example.com URL.
 host = "example.com"
 protocol = "https"

In the code example above enter your domain name instead of example.com.

  • Run the following command to restart flex.bi:

    systemctl restart flexbi

Congratulations, your server is set up and ready to go!