SSL certificates in Apiary
Important!
Right after the installation of the Apiary Platform:
- WebUI is available only on HTTP.
- If you just turn on HTTPS you will get self-signed SSL certificates. We do not recommend using them.
You can configure SSL by one of the following methods:
- upload your SSL certificates to the Platform and configure HTTP-to-HTTPS redirect or HTTPS-only;
- configure HTTP or TCP Reverse proxy with SSL termination.
Upload SSL certificates to Apiary
Upload SSL certificates in the PEM format to the directory /opt/hw-fh/fssl. Please note that uploaded files will not be overwritten when upgrading to the next version, so feel free to store them on the Platform.
You can change default directory if it does not suit you:
- Open the file
/opt/hw-fh/config/user.ini(root privileges required); Add the
f.ssl.diroption to the[main]section and indicate new path:[main] f.ssl.dir = new_pathTo apply changes, run the command:
/opt/hw-fh/bin/reconfig
Configure HTTP-to-HTTPs redirect or HTTPs-only
To configure HTTP-to-HTTPs redirect or HTTPs-only, perform the following steps:
- Open the file
/opt/hw-fh/config/user.ini(root privileges required); Add the following options to the
[main]section:[main] f.ssl.enabled = no_ssl f.deck.ip.expose = 127.0.0.0 f.deck.port.expose = 80
where,
f.ssl.enabled- option, which enables SSL. Possible values:no_ssl- only insecure HTTP-connection is used (set by default);ssl_both- both insecure HTTP-connection and secure HTTPs-connection are used;ssl_redirect- redirection from insecure connection HTTP-connection to secure HTTPs-connection;ssl_only- only secure HTTPs-connection is used.
f.deck.ip.expose- IP address for insecure HTTP-connection (0.0.0.0- public IP address,127.0.0.1- local IP address);f.deck.port.expose- Port number for insecure HTTP-connection (default value - 80);
Additionally, you can add the following options:
f.deck.https.ip.expose- IP address for secure HTTPs-connection;f.deck.https.port.expose- Port number for secure HTTPs-connection;
To apply changes, run the command:
/opt/hw-fh/bin/reconfig
Configure HTTP or TCP Reverse proxy with SSL termination
Configure proxy server before installation of the Apiary.
For example, configure nginx, which will proxy all requests for Apiary.
To install your proxy server on the same virtual machine, change the following parameters in /opt/hw-fh/config/user.ini:
[main]
f.ssl.enabled = no_ssl
f.deck.ip.expose = 127.0.0.0
f.deck.port.expose = <your port>
To apply changes, run the command (root privileges required):
/opt/hw-fh/bin/reconfig
Example of nginx configuration as HTTP Reverse proxy
Example of
nginxconfiguration:server { server_name yourapiary.example.com; access_log /var/log/nginx/yourapiary.example.com-access.log full_log; error_log /var/log/nginx/yourapiary.example.com-error.log; client_max_body_size 0; location / { proxy_pass http://localhost:10002; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } listen 443 ssl; ssl_certificate /path/to-your/certs/fullchain.pem; ssl_certificate_key /path/to-your/certs/privkey.pem; } server { if ($host = yourapiary.example.com) { return 301 https://$host$request_uri; } listen 80; server_name yourapiary.example.com; return 404; }where,
10002- port number of your virtual machine;yourapiary.example.com- hostname or IP address of your virtual machine.
Example of
Let's Encryptwithcertbotconfiguration. You should set this configuration before you issue certificates usingcertbot.server { listen 80; server_name yourapiary.example.com; access_log /var/log/nginx/yourapiary.example.com-access.log full_log; error_log /var/log/nginx/yourapiary.example.com-error.log; client_max_body_size 0; location / { proxy_pass http://localhost:10002; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } }where,
10002- port number of your virtual machine;yourapiary.example.com- hostname or IP address of your virtual machine.
Rabbitmq SSL certificates
After installation, RabbitMQ by default is started on an insecure port 5672.
You can use this port, for example, if Apiary and Hive platforms are installed in a secured local network.
For production environment we recommend using secure connection and setting up 5671 port instead of port 5672.
To do it, you can use the same SSL certificate as for HTTPs in WebUI.
You can upload ready SSL certificates in the PEM format to the directory /opt/hw-fh/qssl and configure RabbitMQ:
- Open the file
/opt/hw-fh/config/user.ini(root privileges required); Add the following options to the
[main]section:[main] q.ssl.enabled = ssl_only rmq.ip.ssl.expose = 0.0.0.0 rmq.port.ssl.expose = 5671 rmq.client.host = my.apiary.host.com rmq.client.port = 5671
where,
q.ssl.enabled- option, which enables SSL. Possible values:no_ssl- only insecure TCP-connection is used (set by default);ssl_both- both insecure and secure TCP-connections are used (use this option only if you know why you need both types of TCP-connections);ssl_only- only secure TCP-connection is used (is recommended for production).
rmq.port.expose- Port for insecure TCP-connection;rmq.ip.expose- IP address for insecure TCP-connection;rmq.port.ssl.expose- Port for secure TCP-connection;rmq.ip.ssl.expose- IP address for secure TCP-connection;rmq.client.host option- Apiary IP address or hostname;rmq.client.port- Apiary port number (5671or5672);
If you are using a self-signed certificate for a secure connection or certificate issued by organization's CA, basically any non-global SSL certificate — you need to share these root certificates with Apiary and Hive.
See option custom.root.certs.path for Apiary and Hive in /opt/hw-fh/config/user-template.ini.
See also
