Note

These are instructions for flex.bi Enterprise 4.0 and later

...

  1. Go to the /etc/nginx/conf.d directory on your server.
  2. Create a new file in this directory and name it accordingly, for example, flexbi.conf.
  3. Use your preferred text editor to insert the following configuration information into the newly created configuration file: (Replace example.com with your domain name.)

    Code Block
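    # Talk HTTP/1.1 to the backend and clear the Connection header.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    
    server {
      listen       80;
      server_name  example.com;
    
      root /home/flexbi/flexbi_private/public/flexbi;
      location / {
        # Forward the client address as seen by nginx; a client-supplied
        # X-Forwarded-For value is overwritten, not appended to.
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        # Append the client address to the Cookie header sent to flex.bi.
        proxy_set_header Cookie "$http_cookie;nginxremoteaddr=$remote_addr";
        # Tell flex.bi whether the original request used http or https.
        proxy_set_header X_FORWARDED_PROTO $scheme;
        # flex.bi listens on localhost port 8080.
        proxy_pass  http://127.0.0.1:8080;
        proxy_cache_valid  200 302  60m;
      }
    
      access_log      /var/log/nginx/nginx.vhost.access.log;
      error_log       /var/log/nginx/nginx.vhost.error.log;
    }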


  4. Run the following command to restart nginx and apply the new configuration:

    Code Block
    sudo systemctl restart nginx


  5. To test if everything is working, open your website in a web browser using http:// (e.g. http://example.com).

Obtain a Certificate

You can use Certbot to obtain SSL certificates using various plugins. We will use the nginx plugin, which takes care of reconfiguring nginx and reloading the configuration whenever necessary.
To do this, follow these instructions:

  1. Run the following command to obtain a certificate for your domain: (Replace example.com with your domain name.)

    Code Block
    sudo certbot --nginx -d example.com


  2. Provide any additional information that is requested, for example, an e-mail address.

  3. If the process is successful, certbot will ask how you'd like to configure your HTTPS settings. Select the appropriate option and press Enter.

    Code Block
    Please choose whether HTTPS access is required or optional.
    -------------------------------------------------------------------------------
    1: Easy - Allow both HTTP and HTTPS access to these sites
    2: Secure - Make all requests redirect to secure HTTPS access
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):


  4. Certbot will create the certificate and show a message telling you the process was successful and where your certificate is stored:

    Code Block
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
       expire on 2017-10-23. To obtain a new or tweaked version of this
       certificate in the future, simply run certbot again with the
       "certonly" option. To non-interactively renew *all* of your
       certificates, run "certbot renew"
     - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le


    Note

    To test if everything is working, open your website in a web browser using http:// (e.g. http://example.com). The site should open with a secure connection indicator (a lock icon) next to the address.


Configure SSL ciphers for secure HTTPS connections

There are many ways to configure the nginx web server with regard to SSL ciphers, headers and other features. This is our recommended way to reach an A+ rating with SSL Labs and to ensure flex.bi can connect to your resource.

Add these lines to your nginx configuration file:

Code Block
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1;
 
add_header Strict-Transport-Security "max-age=31536000";
ssl_protocols TLSv1.2;
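
To confirm that these settings are what nginx actually loads after Certbot has edited the configuration, the directives can be audited from the output of `nginx -T`. The script below is an added example, not part of flex.bi or Certbot; the function names, the weak-cipher patterns and the constructed sample inputs are assumptions made for illustration.

```shell
# Added example, not flex.bi tooling: audit nginx configuration text for the
# TLS settings recommended above. On a server: sudo nginx -T | audit_tls
MIN_HSTS_AGE=31536000   # max-age value used on this page

# Print the arguments of every "<name> ...;" directive read from stdin.
directive_args() {
    sed 's/#.*//' | awk -v d="$1" '$1 == d {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]*;[ \t]*$/, ""); print }'
}

# Read a configuration on stdin, print findings, return 1 on any FAIL.
audit_tls() {
    conf=$(cat); failed=0
    protos=$(printf '%s\n' "$conf" | directive_args ssl_protocols)
    [ -n "$protos" ] || { echo "FAIL: ssl_protocols is not set"; failed=1; }
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: legacy protocol enabled: $p"; failed=1 ;;
        esac
    done
    ciphers=$(printf '%s\n' "$conf" | directive_args ssl_ciphers | tr ':' ' ')
    [ -n "$ciphers" ] || { echo "FAIL: ssl_ciphers is not set"; failed=1; }
    for c in $ciphers; do
        case $c in
            '!'*|-*) ;;   # exclusions such as !aNULL remove suites
            *RC4*|*DES*|*MD5*|*NULL*|*EXP*) echo "FAIL: weak cipher: $c"; failed=1 ;;
        esac
    done
    age=$(printf '%s\n' "$conf" | directive_args add_header |
          sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$age" ]; then
        echo "FAIL: no Strict-Transport-Security header"; failed=1
    elif [ "$age" -lt "$MIN_HSTS_AGE" ]; then
        echo "FAIL: HSTS max-age $age is below $MIN_HSTS_AGE"; failed=1
    fi
    return $failed
}
# Constructed sample: a server that still enables TLSv1 and 3DES, no HSTS.
sample_weak() {
    printf '%s\n' 'ssl_protocols TLSv1 TLSv1.2;   # legacy client support' \
        'ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA;'
}
# The settings from this page.
sample_page() {
    printf '%s\n' 'ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384;' \
        'ssl_ecdh_curve secp384r1;' 'add_header Strict-Transport-Security "max-age=31536000";' \
        'ssl_protocols TLSv1.2;'
}
```

Running `sample_page | audit_tls` prints nothing and returns 0, while `sample_weak | audit_tls` reports three findings.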

Set Up Certificate Auto-Renewal

Let's Encrypt's certificates are only valid for ninety days. We will use cron, a standard system service for running periodic jobs, to periodically check the certificate and renew it if necessary.
To do this, follow these instructions:

  1. Run the following command to open and edit the file named crontab that is used to configure cron actions:

    Code Block
    sudo crontab -e


  2. In the opened file, paste in the following line, then save and close the file:

    Code Block
    15 3 * * * /usr/bin/certbot renew --quiet


    Note

    The 15 3 * * * part of this line means that the following command will run at 3:15 am every day. You can choose any time.
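
Because the cron job runs with --quiet, a renewal that keeps failing is easy to miss until the certificate expires. The script below is an added example, not part of flex.bi or Certbot: it checks every certificate under a Certbot live directory with the openssl command-line tool (assumed to be installed). The function names, the WARN_DAYS threshold of 14 days and the self-signed sample certificate are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of the flex.bi or Certbot tooling): report
# certificates under a Certbot "live" directory that are close to expiry.
# Assumption: a certificate with fewer than WARN_DAYS days left means the
# nightly "certbot renew" job has been failing and needs attention.
WARN_DAYS=${WARN_DAYS:-14}

# check_live_certs DIR: print one line per DIR/<name>/fullchain.pem and
# return 1 if any certificate expires within WARN_DAYS or cannot be read.
check_live_certs() {
    live_dir=$1; status=0
    for pem in "$live_dir"/*/fullchain.pem; do
        [ -f "$pem" ] || { echo "FAIL: no certificates under $live_dir"; return 1; }
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) ||
            { echo "FAIL: cannot parse $pem"; status=1; continue; }
        # -checkend N exits 0 only if the certificate is still valid N seconds from now.
        if openssl x509 -in "$pem" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null; then
            echo "OK:   $pem ($end)"
        else
            echo "FAIL: $pem expires within $WARN_DAYS days ($end)"; status=1
        fi
    done
    return $status
}

# Constructed sample input: a self-signed certificate in directory $1,
# valid for $2 days, laid out like a Certbot live/<domain>/ directory.
make_sample_cert() {
    mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.com" -keyout "$1/privkey.pem" \
        -out "$1/fullchain.pem" 2>/dev/null
}
```

On a server, call `check_live_certs /etc/letsencrypt/live` as root from a second cron entry or a monitoring agent and alert on a non-zero exit status.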


...

Now that you can access your server over HTTPS, you have to configure flex.bi to use your domain name and https. To do this, edit the eazybi.toml file, which is located in the /config directory of your flex.bi installation.
To do this, follow these instructions:

  1. Open the eazybi.toml file in a text editor of your choice.
  2. Make the following changes under default_url_options: (Replace example.com with your domain name.)

    Code Block
    [default_url_options]
    # This example is for the default http://localhost:8080 URL.
    # host = "<your-ip-address>"
    # port = 8080
    # This example is for the https://example.com URL.
     host = "example.com"
     protocol = "https"


  3. Restart flex.bi service:

    Code Block
    systemctl restart flexbi


...