Important!
Right after the installation of the Hive Platform:
You can configure SSL by one of the following methods:
Upload SSL certificates in the PEM format to the directory /opt/hw-bw/ssl. Please note that uploaded files will not be overwritten when upgrading to the next version, so feel free to store them on the Platform.
You can change the default directory if it does not suit you:
In /opt/hw-bw/config/user.ini (root privileges required), add the b.ssl.dir option to the [main] section and indicate the new path:
[main]
b.ssl.dir = new_path
To apply changes, run the command:
/opt/hw-bw/bin/reconfig
To configure HTTP-to-HTTPS redirect or HTTPS-only, perform the following steps:
In /opt/hw-bw/config/user.ini (root privileges required), add the following options to the [main] section:
[main]
b.ssl.enabled = no_ssl
b.deck.ip.expose = 127.0.0.0
b.deck.port.expose = 80
where:
* b.ssl.enabled - option that enables SSL. Possible values:
  * no_ssl - only an insecure HTTP connection is used (set by default);
  * ssl_both - both an insecure HTTP connection and a secure HTTPS connection are used;
  * ssl_redirect - redirection from the insecure HTTP connection to the secure HTTPS connection;
  * ssl_only - only a secure HTTPS connection is used.
* b.deck.ip.expose - IP address for the insecure HTTP connection (0.0.0.0 - public IP address, 127.0.0.1 - local IP address);
* b.deck.port.expose - port number for the insecure HTTP connection (default value - 80).
Additionally, you can add the following options:
* b.deck.https.ip.expose - IP address for the secure HTTPS connection;
* b.deck.https.port.expose - port number for the secure HTTPS connection.
To apply changes, run the command:
/opt/hw-bw/bin/reconfig
Configure a proxy server before installation of the Hive.
For example, configure nginx, which will proxy all requests for Hive.
To install your proxy server on the same virtual machine, change the following parameters in /opt/hw-bw/config/user.ini:
[main]
b.ssl.enabled = no_ssl
b.deck.ip.expose = 127.0.0.0
b.deck.port.expose = <your port>
To apply changes, run the command (root privileges required):
/opt/hw-bw/bin/reconfig
Example of nginx configuration:
server {
    server_name yourhive.example.com;
    access_log /var/log/nginx/yourhive.example.com-access.log full_log;
    error_log /var/log/nginx/yourhive.example.com-error.log;
    client_max_body_size 0;
    location / {
        proxy_pass http://localhost:10002;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
    listen 443 ssl;
    ssl_certificate /path/to-your/certs/fullchain.pem;
    ssl_certificate_key /path/to-your/certs/privkey.pem;
}
server {
    if ($host = yourhive.example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name yourhive.example.com;
    return 404;
}
where:
* 10002 - port number of your virtual machine;
* yourhive.example.com - hostname or IP address of your virtual machine.
Example of Let's Encrypt with certbot configuration. You should set this configuration before you issue certificates using certbot.
server {
    listen 80;
    server_name yourhive.example.com;
    access_log /var/log/nginx/yourhive.example.com-access.log full_log;
    error_log /var/log/nginx/yourhive.example.com-error.log;
    client_max_body_size 0;
    location / {
        proxy_pass http://localhost:10002;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
where:
* 10002 - port number of your virtual machine;
* yourhive.example.com - hostname or IP address of your virtual machine.
You may need to convert CA from .pfx if:
* it is necessary to transfer issues between Hive and Apiary via secure channel;
* it is impossible to use globally valid certificates;
* it is necessary to use local Certificate Authority to issue certificates.
openssl pkcs12 -in your_file.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in your_file.pfx -clcerts -nokeys -out domain.pem
Note: remove the -out option from the commands and the key with other information will be displayed on the screen. In this case, copy everything from the lines BEGIN PRIVATE KEY / BEGIN CERTIFICATE to END PRIVATE KEY / END CERTIFICATE and save it to a file.
openssl pkcs12 -in your_file.pfx -cacerts -nokeys -chain -out ca.pem
Note: you will get a chain of root certificates. You will need only the last certificate in this chain. For example, you can open the file for editing and delete everything except the last one.
cat domain.pem ca.pem > cert.pem
cp cert.pem /opt/hw-bw/ssl/
cp key.pem /opt/hw-bw/ssl/
cp ca.pem /opt/certs
Note: in this case, it is necessary to specify the path to the directory with root certificates in the /opt/hw-bw/config/user.ini file: custom.root.certs.path = /opt/certs.
Run systemctl restart hw-bw, or /opt/hw-bw/bin/reconfig if you have changed the /opt/hw-bw/config/user.ini file.
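The chain-trimming step from the note above, together with a key/certificate match check to run before the files are copied, as an added shell example that is not part of the original documentation. The helper names, the intermediate file name chain.pem and the sample bundle are assumptions made for illustration. Since -nodes writes key.pem unencrypted, the usage lines also restrict its permissions.

```shell
#!/bin/sh
# Added example, not vendor code; helper names and chain.pem are assumed.

# Print only the last CERTIFICATE block of a PEM bundle, dropping the
# "Bag Attributes" text that openssl pkcs12 writes between blocks.
last_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { buf = ""; inside = 1 }
        inside                         { buf = buf $0 "\n" }
        /^-----END CERTIFICATE-----/   { inside = 0; last = buf }
        END                            { printf "%s", last }
    ' "$1"
}

# Count CERTIFICATE blocks in a PEM file (prints 0 when there are none).
cert_count() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed only if key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample with the shape of "-cacerts -chain" output; the bodies
# are dummy base64, not real certificates.
sample_chain() {
    cat <<'EOF'
Bag Attributes: <No Attributes>
subject=CN = Constructed CA 1
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtMQ==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Constructed CA 2
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0EtMg==
-----END CERTIFICATE-----
EOF
}

# Usage after the pkcs12 commands, with the chain written to chain.pem:
#   last_cert chain.pem > ca.pem
#   key_matches_cert key.pem domain.pem && cat domain.pem ca.pem > cert.pem
#   chmod 600 key.pem
```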