=================
Setup SSL on host
=================

.. important::

   This method works only when you have Fleio installed using the :ref:`docker deployment method`.

This document applies when you want to have the SSL certificate on the server host and not in the Docker container.

Prerequisites
-------------

* DNS properly configured (the domain should point to the server that has Fleio installed)
* Fleio already installed using an insecure URL (http://your-fqdn.tld)
* Nginx
* Certbot

Re-configure Fleio
------------------

By default, Fleio uses port 80, and we need to change this port so that nginx can listen on it and the SSL certificate can be issued.

First, switch to the fleio user:

.. code-block:: bash

   sudo -i -u fleio
   cd /home/fleio/compose
   vi ./.env

Change the `FLEIO_PORT=` variable to a preferred port (we recommend first checking that the port is free). For this example we will use the `8888` port.

After that, run the `fleio recreate` command.

You might notice that your Fleio installation is no longer accessible at the configured URL. Do not panic; this is a consequence of changing the port and will be fixed in the next steps.

Install and configure nginx
---------------------------

Install nginx using the OS package manager (`yum` or `apt`).

After you have installed nginx, it needs to be configured (remember, we have reconfigured Fleio to listen on the `8888` port). Depending on your operating system, the configuration file goes in one of two locations, with the following content:

CentOS
~~~~~~

.. code-block:: bash

   vi /etc/nginx/conf.d/your-fqdn.tld.conf

.. code-block:: nginx

   server {
       server_name your-fqdn.tld;

       location / {
           # Forward requests to Fleio on the port set in FLEIO_PORT
           proxy_pass http://your-fqdn.tld:8888;
           # Rewrite redirects from Fleio so they do not expose the backend port
           proxy_redirect http://$host:8888 http://$host;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       }
   }

Ubuntu
~~~~~~

.. code-block:: bash

   vi /etc/nginx/sites-enabled/your-fqdn.tld.conf

.. code-block:: nginx

   server {
       server_name your-fqdn.tld;

       location / {
           # Forward requests to Fleio on the port set in FLEIO_PORT
           proxy_pass http://your-fqdn.tld:8888;
           # Rewrite redirects from Fleio so they do not expose the backend port
           proxy_redirect http://$host:8888 http://$host;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       }
   }

The final step is to check the nginx configuration and then restart the web server:

.. code-block:: bash

   nginx -t
   systemctl restart nginx

Install certbot and issue the SSL certificate
---------------------------------------------

Please follow the official documentation on how to install certbot, but stop at step 7.

* CentOS 8: https://certbot.eff.org/instructions?ws=nginx&os=centosrhel8
* Ubuntu 18: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic
* Ubuntu 20: https://certbot.eff.org/instructions?ws=nginx&os=ubuntufocal

Generate the certificate
------------------------

Run this command to generate the certificate and to automatically configure nginx to use it:

.. code-block:: bash

   sudo certbot --nginx

The first time you run this command, you will have to enter the email address where you will receive security and renewal notices.

Next, you will have to agree to the terms and conditions. Read the terms using the provided link and press `Y`.

Answer `yes` or `no` to the next questions, depending on whether you want to subscribe to their news, campaigns, etc.

In the next step, you will be asked which domain the SSL certificate should be issued for. Please check that the domain is indeed the one that you are using for the Fleio installation:

.. code-block:: text

   Which names would you like to activate HTTPS for?
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   1: your-fqdn.tld
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Select the appropriate numbers separated by commas and/or spaces, or leave input
   blank to select all options shown (Enter 'c' to cancel):

Press 1 (or the proper number).

Wait for Certbot to finish issuing the SSL certificate and configuring nginx. You should see the following output:

.. code-block:: text

   Requesting a certificate for your-fqdn.tld
   Performing the following challenges:
   http-01 challenge for your-fqdn.tld
   Waiting for verification...
   Cleaning up challenges
   Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/your-fqdn.tld.conf
   Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/your-fqdn.tld.conf

   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Congratulations! You have successfully enabled https://your-fqdn.tld
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Final Fleio configuration
-------------------------

Finally, you will have to edit some Fleio configuration files and change them from HTTP to HTTPS.

Run the following commands one by one and change the protocol:

.. code-block:: bash

   fleio edit settings.py

Change the `FRONTEND_URL` from `http://your-fqdn.tld` to `https://your-fqdn.tld`.

.. code-block:: bash

   fleio edit enduser.config.json
   fleio edit staff.config.json

Change `backendApiUrl` to use `https` instead of `http`.

Now you should be able to access Fleio using `https://your-fqdn.tld`.
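
A consistency check for the procedure above, as an added example that is not part of the Fleio documentation or tooling: it compares `FLEIO_PORT` in the compose `.env` with the port in the nginx `proxy_pass` directive, and flags `FRONTEND_URL` or `backendApiUrl` values still on `http://`. The function names, the file paths passed as arguments and the sample file contents are constructed for illustration; `FLEIO_PORT` is assumed to be an unquoted number.

```bash
#!/usr/bin/env bash
# Added example: consistency checks for the host-SSL procedure.
# Assumes FLEIO_PORT is an unquoted number in .env; all paths are arguments.

# Port Fleio was moved to (last FLEIO_PORT= line in the compose .env).
env_port() {
    sed -n 's|^FLEIO_PORT=\([0-9][0-9]*\).*|\1|p' "$1" | tail -n 1
}

# Port nginx forwards to (first proxy_pass directive in the file).
proxy_port() {
    sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*http://[^:/;]*:\([0-9][0-9]*\).*|\1|p' "$1" | head -n 1
}

# Succeeds only when both ports are present and equal.
ports_match() {
    local want got
    want=$(env_port "$1")
    got=$(proxy_port "$2")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Prints FRONTEND_URL / backendApiUrl lines still on http://; succeeds when none.
leftover_http() {
    local hits
    hits=$(grep -HnE '(FRONTEND_URL|backendApiUrl).*http://' "$@" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# --- constructed sample files, so the checks run offline ---
SAMPLES=$(mktemp -d)
printf 'FLEIO_PORT=8888\n' > "$SAMPLES/.env"
printf 'server {\n  location / {\n    proxy_pass http://your-fqdn.tld:8888;\n  }\n}\n' > "$SAMPLES/site.conf"
printf "FRONTEND_URL = 'https://your-fqdn.tld'\n" > "$SAMPLES/settings.py"
printf '{"backendApiUrl": "http://your-fqdn.tld/"}\n' > "$SAMPLES/staff.config.json"

if ports_match "$SAMPLES/.env" "$SAMPLES/site.conf"; then
    echo "OK: nginx proxies to FLEIO_PORT $(env_port "$SAMPLES/.env")"
else
    echo "MISMATCH: nginx proxy_pass port differs from FLEIO_PORT"
fi
leftover_http "$SAMPLES/settings.py" "$SAMPLES/staff.config.json" \
    || echo "FIX: the lines above still use http://"
```

On a real host, pass `/home/fleio/compose/.env` and the nginx site file from this page to `ports_match`; the sample `staff.config.json` is deliberately left on `http://` so the second check reports it.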