Configuring HTTPS and SSL

Follow

 

Configure your Countly installation to use the HTTPS connection you need to modify your Nginx configuration.

The directory of Nginx configuration depends on the operating system you use, but for our recommended Ubuntu, the Nginx configuration is under /etc/nginx/sites-available/default

If you would like to have an HTTPS only connection, then replace the current server clause with the one provided, assuming you would like to have HTTP and HTTPS simultaneously, then add this server clause to the configuration file:

server {
  listen   443;
  server_name  localhost;
  access_log  off;
  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_stapling on;

  # Use 2048 bit Diffie-Hellman RSA key parameters
  # (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption 
  # when using PFS)
  # Generated by OpenSSL with the following command:
  # openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
        
  ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
  ssl_certificate /etc/nginx/ssl/certificate.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  location = /i {
    proxy_pass http://127.0.0.1:3001;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }
	
  location ^~ /i/ {
    proxy_pass http://127.0.0.1:3001;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }

  location = /o {
    proxy_pass http://127.0.0.1:3001;
  }
	
  location ^~ /o/ {
    proxy_pass http://127.0.0.1:3001;
  }

  location / {
    proxy_pass http://127.0.0.1:6001;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

This configuration uses the latest and the most secure protocols and ciphers.

If your localhost is already taken, replace the server_name value from localhost to the name you would like to use.

Also check that the ssl_certificate points to your certificate bundle and that ssl_certificate_key points to your server key.

If you would like to create a self-signed ssl_certificate and ssl_certificate_key simply run:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/certificate.crt

By default, the Nginx server will use 1024-bit long RSA key parameters, to comply with latest security recommendations. We recommend switching to 2048 bits.

That means you would need to generate your own 2048-bit long params. To do so, run:

openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048

(this command should take some time, around a few minutes).

Then set ssl_dhparam to point to your generated dh param file (it already points to the right path with this command).

If you receive the "/etc/nginx/ssl/dhparam2048.pem: No such file or directory" Error, run the following code to create the needed directory:

sudo mkdir /etc/nginx/ssl
sudo chown -R root:root /etc/nginx/ssl
sudo chmod -R 600 /etc/nginx/ssl

Then generate your own 2048-bit long params again.

openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048

If you replaced your current configuration with the example provided, then you will also want to redirect all HTTP traffic to HTTPS. To do this, add this server clause in the beginning of configuration file:

server {
        listen      80;
        server_name localhost;
        access_log  off;
        rewrite ^ https://$host$request_uri? permanent;
}

Replace yourdomain.com with your domain or IP address where your Countly server is located. Also use the same value for localhost which you used in the previous example.

If you did not replace your current configuration with the provided example and would like to Force Redirect Dashboard traffic to HTTPS, modify the "location /" section for 80 port as below:

server {
	listen   443;
	server_name  localhost;
	access_log  off;
  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_stapling on;

  # Use 2048 bit Diffie-Hellman RSA key parameters
  # (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption 
  # when using PFS)
  # Generated by OpenSSL with the following command:
  # openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
        
  ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
  ssl_certificate /etc/nginx/ssl/certificate.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

	location / {
		 rewrite ^ https://yourdomain.com$request_uri? permanent;
	}
  
	location = /i {
		proxy_pass http://127.0.0.1:3001;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Real-IP $remote_addr;
	}
	
	location ^~ /i/ {
		proxy_pass http://127.0.0.1:3001;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Real-IP $remote_addr;
	}

	location = /o {
		proxy_pass http://127.0.0.1:3001;
	}
	
	location ^~ /o/ {
		proxy_pass http://127.0.0.1:3001;
	}
  
}

Replace yourdomain.com with your domain or IP address where your Countly server is located.

All that is left to do is reload the Nginx configuration, and the HTTPS connection should work:

sudo nginx -s reload
Was this article helpful?
0 out of 0 found this helpful

Looking for help?