Setup SSL on host

Important

This method works only when you have Fleio installed using the Docker deployment method.

This document applies when you want to have the SSL certificate on the server host and not in the Docker container.

Prerequisites

  • DNS properly configured (the domain should point to the server that has Fleio installed)

  • Fleio already installed using an insecure URL (http://your-fqdn.tld)

  • Nginx

  • Certbot

Re-configure Fleio

By default, Fleio uses port 80. We need to move it to another port so that nginx on the host can take over port 80 and we can issue the SSL certificate.

First, switch to the fleio user and open the .env file:

sudo -i -u fleio
cd /home/fleio/compose
vi ./.env

Change the FLEIO_PORT= variable to a port of your choice (we recommend first checking that the port is free). This example uses port 8888.

After that, run the fleio recreate command.

You might notice that your Fleio installation is no longer accessible at the configured URL. Do not panic: this is a consequence of changing the port, and it will be fixed in the next steps.

Install and configure nginx

Install nginx using your operating system's package manager (yum or apt). After you have installed nginx, configure it (remember, we have reconfigured Fleio to listen on port 8888).

Depending on your operating system, there are two different locations where the configuration file must be created, with the following content:

CentOS

vi /etc/nginx/conf.d/your-fqdn.tld.conf

server {

  server_name your-fqdn.tld;

  location / {
    proxy_pass http://your-fqdn.tld:8888;
    proxy_redirect http://$host:8888 http://$host;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

Ubuntu

vi /etc/nginx/sites-enabled/your-fqdn.tld.conf

server {

  server_name your-fqdn.tld;

  location / {
    proxy_pass http://your-fqdn.tld:8888;
    proxy_redirect http://$host:8888 http://$host;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

The final step now is to check the nginx configuration, and then to restart the webserver:

nginx -t
systemctl restart nginx

Install certbot and issue the SSL certificate

Please follow the official documentation on how to install certbot, but stop at step 7.

Generate the certificate

Run this command to generate the certificate, and to automatically configure NGINX to use the SSL certificate:

sudo certbot --nginx

The first time you run this command, you will have to enter the email address where you will receive security and renewal notices.

Next, you will have to agree to the terms and conditions. Read the terms using the provided link and press Y.

Answer yes or no to the next questions, depending on whether you want to subscribe to their news, campaigns, etc.

In the next step, you will be asked which domain the SSL certificate should be issued for. Check that the domain is the one you are using for your Fleio installation:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your-fqdn.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Press 1 (or the proper number).

Wait for Certbot to finish issuing the SSL certificate and to configure Nginx. You should have the following output:

Requesting a certificate for your-fqdn.tld
Performing the following challenges:
http-01 challenge for your-fqdn.tld
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/your-fqdn.tld.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/your-fqdn.tld.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your-fqdn.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Final Fleio configuration

Finally, you will have to edit some Fleio configuration files, and change from HTTP to HTTPS. Run the following commands one by one and change the protocol:

fleio edit settings.py

Change the FRONTEND_URL from http://your-fqdn.tld to https://your-fqdn.tld.

fleio edit enduser.config.json
fleio edit staff.config.json

Change backendApiUrl to use https instead of http.

Now you should be able to access Fleio using https://your-fqdn.tld.
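To confirm the end state of the procedure above, the following shell checks (an added example, not part of the Fleio documentation or tooling) verify that the nginx vhost file contains the TLS listener and HTTP-to-HTTPS redirect, and that no FRONTEND_URL or backendApiUrl value still uses http://. File paths are passed as arguments because this page does not give the on-disk location of the files opened by fleio edit; the script name is hypothetical and the directive patterns assume what certbot --nginx normally writes.

```sh
#!/bin/sh
# Added example (not Fleio's own tooling): checks the end state of this procedure.
# Usage: sh check-fleio-ssl.sh <nginx-vhost-file> <fleio-config-file>...
# The script name is hypothetical; all paths are supplied by the caller.

# Succeeds only if the vhost file contains a TLS listener on 443, a
# certificate path, and an HTTP->HTTPS redirect. These patterns assume the
# directives certbot --nginx normally writes.
vhost_has_tls() {
  grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?443[[:space:]][^;]*ssl' "$1" &&
  grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^;]+;' "$1" &&
  grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$1"
}

# Prints every line that still sets FRONTEND_URL (settings.py) or
# backendApiUrl (*.config.json) to a plain http:// URL.
# Succeeds only if grep read every file and found no such line.
no_plain_http_urls() {
  _pattern="(FRONTEND_URL|backendApiUrl)[\"']?[[:space:]]*[:=][[:space:]]*[\"']http://"
  _rc=0
  grep -EHn "$_pattern" "$@" || _rc=$?
  # grep exit codes: 0 = match found, 1 = no match, 2 = error (e.g. missing file)
  [ "$_rc" -eq 1 ]
}

# Run the checks only when paths were given on the command line.
if [ "$#" -ge 2 ]; then
  vhost=$1
  shift
  vhost_has_tls "$vhost" ||
    { echo "FAIL: $vhost lacks a 443 ssl listener, certificate or redirect" >&2; exit 1; }
  no_plain_http_urls "$@" ||
    { echo "FAIL: plain-http URLs remain or a file was unreadable" >&2; exit 1; }
  echo "OK: TLS vhost in place and Fleio URLs use https"
fi
```

On Ubuntu the first argument is /etc/nginx/sites-enabled/your-fqdn.tld.conf, the file certbot reports modifying in the output above.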