Support center for flex.bi version 4.0
HTTPS or SSL setup
These are instructions for flex.bi private 4.0 and later
If you want to enable HTTPS or SSL for Private flex.bi, then you need to setup front-end web server (like Apache or ngnix) which will handle the HTTPS/SSL connection and will use the reverse-proxy to pass the request to Private flex.bi process. We prefer using nginx, so the following are instructions for setting up connection using nginx web server.
Setting Up Connection Using nginx
Set-up Firewall
First of all, you have to open ports 80 and 443 in your firewall to allow external connections to your server.
Run the following command to open the port 80:
firewall-cmd --permanent --add-port=80/tcp
Run the following command to open the port 443:
firewall-cmd --permanent --add-port=443/tcp
Run the following command to reload the firewall:
firewall-cmd --reload
Run the following command to check if the port is open:
firewall-cmd --list-ports
Install Certbot Let's Encrypt Client
To enable secure communication you need to use an SSL certificate. For this purpose we will use Let's Encrypt solution. For this to work, the first step is to install the certbot software on your server.
Run the following command to enable access to the EPEL repository on your server:
sudo yum install epel-release
Run the following command to install cerbot-nginx package:
sudo yum install certbot-nginx
Install nginx
To be able to use nginx, you have to install it first.
Run the following command to install nginx:
sudo yum install nginx
Run the following command to start nginx using systemctl:
sudo systemctl start nginx
Run the following command to make sure nginx is installed and check it's version:
nginx -v
Configure ngninx
To ensure proper certificate creation and traffic routing, you have to create an nginx configuration file ( for example, flexbi.conf) in the directory /etc/nginx/conf.d.
- Go to the /etc/nginx/conf.d on your server.
- Create a new file in this directory and name it accordingly, for example, flexbi.conf.
Use your preferred text editor to insert the following configuration information into the newly created configuration file:
proxy_http_version 1.1; proxy_set_header Connection ""; server { listen 80; server_name example.com; root /home/flexbi/flexbi_private/public/flexbi; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_set_header Cookie "$http_cookie;nginxremoteaddr=$remote_addr"; proxy_set_header X_FORWARDED_PROTO $scheme; proxy_pass http://127.0.0.1:8080; proxy_cache_valid 200 302 60m; } access_log /var/log/nginx/nginx.vhost.access.log; error_log /var/log/nginx/nginx.vhost.error.log; }
In the configuration above, replace example.com with your domain name which has a hostname configured for this server in DNS records.
Run the following command to reload nginx and apply the new configuration:
sudo systemctl reload nginx
To test if everything is working, open your website in a web browser using http:// (e.g. https://example.com).
Obtain a Certificate
You can use Certbot to obtain SSL certificates using various plugins. We will use nginx plugin which takes care of reconfiguring nginx and reloading the configuration whenever necessary.
Run the following command to obtain a certificate for your domain:
sudo certbot --nginx -d example.com
In the configuration above, replace example.com with your domain name.
Provide additional information, if it is asked, for example, e-mail address.
If the process is successful, certbot will ask how you'd like to configure your HTTPS settings:
Please choose whether HTTPS access is required or optional. ------------------------------------------------------------------------------- 1: Easy - Allow both HTTP and HTTPS access to these sites 2: Secure - Make all requests redirect to secure HTTPS access ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select the appropriate option and press Enter.
Certbot will create the certificate and show a message telling you the process was successful and where your certificate is stored:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2017-10-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
To test if everything is working, open your website in a web browser using https:// (e.g. https://example.com). The site should open with a secure connection indicator (a lock icon) next to the address.
Set-up Certificate Auto Renewal
Let's Encrypt's certificates are only valid for ninety days. We will use cron, a standard system service for running periodic jobs, to periodically check the certificate and renew it, if it is necessary.
Run the following command to open and edit the file named crontab that is used to configure cron actions:
sudo crontab -e
In the opened file, past in the following line, then save and close the file:
15 3 * * * /usr/bin/certbot renew --quiet
The 15 3 * * * part of this line means that the following command will run at 3:15 am every day. You can choose any time.
Reconfigure flex.bi For HTTPS schema
Now, when you have access to your server through https schema, you have to configure flex.bi to use your domain name and https. To achieve this, you have to configure the file eazybi.toml which is located in the directory /home/flexbi/flexbi_private/config of your server.
- Run the following command to open the file for editing (in this example we are using vi text editor):
vi /home/flexbi/flexbi_private/config/eazybi.toml
In the code example above we are using the vi text editor, but you can use the editor of your choice.
- In the opened file find the part [default_url_options]. It should look similar to this:
[default_url_options] # This example is for the default http://localhost:8080 URL. host = "<your-ip-address>" port = 8080 # This example is for the https://example.com URL. # host = "example.com" # protocol = "https"
In the code example above you should see the IP address of your server instead of <your-ip-address>.
- Edit the part [default_url_options] following this example:
[default_url_options] # This example is for the default http://localhost:8080 URL. # host = "<your-ip-address>" # port = 8080 # This example is for the https://example.com URL. host = "example.com" protocol = "https"
In the code example above enter your domain name instead of example.com.
Run the following command to restart flex.bi:
systemctl restart flexbi
Congratulations, your server is set up and ready to go!