HTTPS or SSL setup
These are instructions for flex.bi Enterprise 4.0 and later
If you want to enable HTTPS or SSL for flex.bi Enterprise, then you need to setup front-end web server (like Apache or ngnix) which will handle the HTTPS/SSL connection and will use the reverse-proxy to pass the request to flex.bi process. We prefer using nginx, so the following are instructions for setting up connection using nginx web server on a Centos 8 OS.
Setting Up Connection Using nginx
Configure Firewall
First of all, you have to open ports 80
and 443 in your firewall, to allow external connections to your server.
To do this, follow these instructions:
Run the following command to open the port 8
0
:firewall-cmd --permanent --add-port=80/tcp
Run the following command to open the port 443:
firewall-cmd --permanent --add-port=443/tcp
Run the following command to reload the firewall:
firewall-cmd --reload
Run the following command to check if the port is open:
firewall-cmd --list-ports
Install Certbot Let's Encrypt Client
To enable secure communication you need to use an SSL certificate. For this purpose we will use Let's Encrypt solution. For this to work, the first step is to install the Certbot software on your server.
To do this, follow these instructions:
Run the following command to enable access to the EPEL repository on your server:
sudo dnf install epel-release
Run the following command to install cerbot-nginx package:
sudo dnf install certbot python3-certbot-nginx
Install nginx
To be able to use nginx, you have to install it first.
To do this, follow these instructions:
Run the following command to install nginx:
sudo yum install nginx
Run the following command to start nginx using systemctl:
sudo systemctl start nginx
Run the following command to enable and run nginx:
systemctl enable --now nginx
Configure ngninx
To ensure a proper certificate creation and traffic routing, you have to create an nginx configuration file (for example, flexbi.conf
) in the directory etc/nginx/conf.d.
To do this, follow these instructions:
- Go to the
etc/nginx/conf.d
on your server. - Create a new file in this directory and name it accordingly, for example,
flexbi.conf
. Use your preferred text editor to insert the following configuration information into the newly created configuration file: (Replace
example.com
with your domain name.)proxy_http_version 1.1; proxy_set_header Connection ""; server { listen 80; server_name example.com; root /home/flexbi/flexbi_private/public/flexbi; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_set_header Cookie "$http_cookie;nginxremoteaddr=$remote_addr"; proxy_set_header X_FORWARDED_PROTO $scheme; proxy_pass http://127.0.0.1:8080; proxy_cache_valid 200 302 60m; } access_log /var/log/nginx/nginx.vhost.access.log; error_log /var/log/nginx/nginx.vhost.error.log; client_max_body_size 2000M; }
Run the following command to restart nginx and apply the new configuration:
sudo systemctl restart nginx
To test if everything is working, open your website in a web browser using
http://
(e.g.http://example.com
).
Obtain a Certificate
You can use Certbot to obtain SSL certificates, using various plugins. We will use nginx plugin which takes care of reconfiguring nginx and reloading the configuration whenever necessary.
To do this, follow these instructions:
Run the following command to obtain a certificate for your domain: (Replace
example.com
with your domain name.)sudo certbot --nginx -d example.com
Provide additional information, if it is asked, for example, e-mail address.
If the process is successful, certbot will ask how you'd like to configure your HTTPS settings. Select the appropriate option and press Enter.
Please choose whether HTTPS access is required or optional. ------------------------------------------------------------------------------- 1: Easy - Allow both HTTP and HTTPS access to these sites 2: Secure - Make all requests redirect to secure HTTPS access ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Certbot will create the certificate and show a message telling you the process was successful and where your certificate is stored:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2017-10-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
To test if everything is working, open your website in a web browser using
http://
(e.g.http://example.com
). The site should open with a secure connection indicator (a lock icon) next to the address.
Configure SSL cypher for secure https connections
There is a big variety of ways how to configure nginx web server in regards to SSL ciphers, headers and other features. This is our recommended way to reach A+ rating with SSLLabs and ensure flex.bi can connect to your resource.
Add these lines to your nginx configuration file:
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; add_header Strict-Transport-Security "max-age=31536000"; ssl_protocols TLSv1.2;
Set-up Certificate Auto Renewal
Let's Encrypt's certificates are only valid for ninety days. We will use cron, a standard system service for running periodic jobs, to periodically check the certificate and renew it, if it is necessary.
To do this, follow these instructions:
Run the following command to open and edit the file named
crontab
that is used to configure cron actions:sudo crontab -e
In the opened file, past in the following line, then save and close the file:
15 3 * * * /usr/bin/certbot renew --quiet
The 15 3 * * * part of this line means that the following command will run at 3:15 am every day. You can choose any time.
Reconfigure flex.bi For HTTPS schema
Now, when you have access to your server through https
schema, you have to configure flex.bi to use your domain name and https
. To achieve this, you have to configure the file eazybi.toml
file which is located in the /config
directory of your flex.bi installation.
To do this, follow these instructions:
- Open the
eazybi.toml
file in a text editor of your choice. Make the following changes under
default_url_options
: (Replaceexample.com
with your domain name.)[default_url_options] # This example is for the default http://localhost:8080 URL. # host = "<your-ip-address>" # port = 8080 # This example is for the https://example.com URL. host = "example.com" protocol = "https"
Restart flex.bi service:
systemctl restart flexbi