These are instructions for flex.bi Enterprise 4.0 and later

If you want to enable HTTPS or SSL for flex.bi Enterprise, then you need to setup front-end web server (like Apache or ngnix) which will handle the HTTPS/SSL connection and will use the reverse-proxy to pass the request to flex.bi process. We prefer using nginx, so the following are instructions for setting up connection using nginx web server on a Centos 8 OS.

On this page:

Setting Up Connection Using nginx

Configure Firewall

First of all, you have to open ports 80 and 443 in your firewall, to allow external connections to your server.
To do this, follow these instructions:

  1. Run the following command to open the port 80:

    firewall-cmd --permanent --add-port=80/tcp
    CODE
  2. Run the following command to open the port 443:

    firewall-cmd --permanent --add-port=443/tcp
    CODE
  3. Run the following command to reload the firewall:

    firewall-cmd --reload
    CODE
  4. Run the following command to check if the port is open:

    firewall-cmd --list-ports
    CODE

Install Certbot Let's Encrypt Client

To enable secure communication you need to use an SSL certificate. For this purpose we will use Let's Encrypt solution.  For this to work, the first step is to install the Certbot software on your server. 
To do this, follow these instructions:

  1. Run the following command to enable access to the EPEL repository on your server:

    sudo dnf install epel-release
    CODE
  2. Run the following command to install cerbot-nginx package:

    sudo dnf install certbot python3-certbot-nginx
    CODE

Install nginx

To be able to use nginx, you have to install it first.
To do this, follow these instructions:

  1. Run the following command to install nginx:

    sudo yum install nginx
    CODE
  2. Run the following command to start nginx using systemctl:

    sudo systemctl start nginx
    CODE
  3. Run the following command to enable and run nginx: 

    systemctl enable --now nginx
    CODE

Configure ngninx

To ensure a proper certificate creation and traffic routing, you have to create an nginx configuration file (for example, flexbi.conf) in the directory etc/nginx/conf.d.
To do this, follow these instructions:

  1. Go to the etc/nginx/conf.d on your server. 
  2. Create a new file in this directory and name it accordingly, for example, flexbi.conf.
  3. Use your preferred text editor to insert the following configuration information into the newly created configuration file: (Replace example.com with your domain name.)

    proxy_http_version 1.1;
    proxy_set_header Connection "";
    
    server {
      listen       80;
      server_name  example.com;
    
      root /home/flexbi/flexbi_private/public/flexbi;
      location / {
                proxy_set_header X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header Cookie "$http_cookie;nginxremoteaddr=$remote_addr";
                proxy_set_header X_FORWARDED_PROTO $scheme;
                proxy_pass  http://127.0.0.1:8080;
                proxy_cache_valid  200 302  60m;
      }
    
      access_log      /var/log/nginx/nginx.vhost.access.log;
      error_log       /var/log/nginx/nginx.vhost.error.log;
      client_max_body_size 2000M;
    }
    CODE
  4. Run the following command to restart nginx and apply the new configuration:

    sudo systemctl restart nginx
    CODE
  5. To test if everything is working, open your website in a web browser using http:// (e.g. http://example.com).

Obtain a Certificate

You can use Certbot to obtain SSL certificates, using various plugins. We will use nginx plugin which takes care of reconfiguring nginx and reloading the configuration whenever necessary.
To do this, follow these instructions:

  1. Run the following command to obtain a certificate for your domain:  (Replace example.com with your domain name.)

    sudo certbot --nginx -d example.com
    CODE
  2. Provide additional information, if it is asked, for example, e-mail address.

  3. If the process is successful, certbot will ask how you'd like to configure your HTTPS settings. Select the appropriate option and press Enter.

    Please choose whether HTTPS access is required or optional.
    -------------------------------------------------------------------------------
    1: Easy - Allow both HTTP and HTTPS access to these sites
    2: Secure - Make all requests redirect to secure HTTPS access
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
    CODE
  4. Certbot will create the certificate and show a message telling you the process was successful and where your certificate is stored:

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
       expire on 2017-10-23. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again with the
       "certonly" option. To non-interactively renew *all* of your
       certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    CODE

    To test if everything is working, open your website in a web browser using http:// (e.g. http://example.com). The site should open with a secure connection indicator (a lock icon) next to the address.

Configure SSL cypher for secure https connections

There is a big variety of ways how to configure nginx web server in regards to SSL ciphers, headers and other features. This is our recommended way to reach A+ rating with SSLLabs and ensure flex.bi can connect to your resource.

Add these lines to your nginx configuration file:

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
 
add_header Strict-Transport-Security "max-age=31536000";
ssl_protocols TLSv1.2;
CODE

Set-up Certificate Auto Renewal

Let's Encrypt's certificates are only valid for ninety days. We will use cron, a standard system service for running periodic jobs, to periodically check the certificate and renew it, if it is necessary.
To do this, follow these instructions:

  1. Run the following command to open and edit the file named crontab that is used to configure cron actions:

    sudo crontab -e
    CODE
  2. In the opened file, past in the following line, then save and close the file:

    15 3 * * * /usr/bin/certbot renew --quiet
    CODE

    The 15 3 * * * part of this line means that the following command will run at 3:15 am every day. You can choose any time.

Reconfigure flex.bi For HTTPS schema

Now, when you have access to your server through https schema, you have to configure flex.bi to use your domain name and https. To achieve this, you have to configure the file eazybi.toml file which is located in the /config directory of your flex.bi installation.
To do this, follow these instructions:

  1. Open the eazybi.toml file in a text editor of your choice.
  2. Make the following changes under default_url_options(Replace example.com with your domain name.)

    [default_url_options]
    # This example is for the default http://localhost:8080 URL.
    # host = "<your-ip-address>"
    # port = 8080
    # This example is for the https://example.com URL.
     host = "example.com"
     protocol = "https"
    CODE
  3. Restart flex.bi service:

    systemctl restart flexbi
    CODE