SSL configuration in Hive
Important!
Right after the installation of the Hive Platform WebUI is available only on HTTP.
You can configure SSL by one of the following methods:
- upload your SSL certificates to the Platform and configure HTTP/HTTPs;
- configure HTTP or TCP Reverse proxy with SSL termination.
Upload SSL certificates to Hive
Upload SSL certificates in the PEM format to the directory /opt/hw-bw/ssl.
Please note that uploaded files will not be overwritten when upgrading to the next version, so feel free to store them in this directory.
You can change default directory if it does not suit you:
- Open the file
/opt/hw-bw/config/user.ini(root privileges required); Add the
b.ssl.diroption to the[main]section and indicate new path:[main] b.ssl.dir = /my/certs/dirTo apply changes, run the command:
/opt/hw-bw/bin/reconfig
Configure HTTP/HTTPs
To configure HTTP to HTTPs redirect add the following properties to the [main] section of /opt/hw-bw/config/user.ini file (root privileges required):
[main]
b.ssl.enabled = ssl_redirect
b.deck.ip.expose = 0.0.0.0
b.deck.port.expose = 80
b.deck.https.ip.expose = 0.0.0.0
b.deck.https.port.expose = 443
where,
b.ssl.enabled- option, which enables SSL. Possible values:no_ssl- only insecure HTTP-connection is used (default value);ssl_both- both insecure HTTP-connection and secure HTTPs-connection are used;ssl_redirect- redirection from insecure connection HTTP-connection to secure HTTPs-connection;ssl_only- only secure HTTPs-connection is used.
b.deck.ip.expose- IP address for insecure HTTP-connection (0.0.0.0- public IP address,127.0.0.1- local IP address). Required forno_ssl,ssl_bothandssl_redirect.b.deck.port.expose- Port number for insecure HTTP-connection (default value - 80). Required forno_ssl,ssl_bothandssl_redirect.b.deck.https.ip.expose- IP address for secure HTTPs-connection (0.0.0.0- public IP address,127.0.0.1- local IP address). Required forssl_only,ssl_bothandssl_redirect.b.deck.https.port.expose- Port number for secure HTTPs-connection. Required forssl_only,ssl_bothandssl_redirect.
To apply changes, run the command:
/opt/hw-bw/bin/reconfig
Configure HTTP or TCP Reverse proxy with SSL termination
If necessary, you can run Hive behind your own reverse proxy.
For example, configure nginx, which will proxy all requests for Hive.
To use your proxy server on the same machine, change the following parameters in /opt/hw-bw/config/user.ini:
[main]
b.ssl.enabled = no_ssl
b.deck.ip.expose = 127.0.0.0
b.deck.port.expose = 10001
To apply changes, run the command (root privileges required):
/opt/hw-bw/bin/reconfig
Example of nginx configuration as HTTP Reverse proxy
Example of
nginxconfiguration:server { server_name yourhive.example.com; access_log /var/log/nginx/yourhive.example.com-access.log full_log; error_log /var/log/nginx/yourhive.example.com-error.log; client_max_body_size 0; location / { proxy_pass http://localhost:10001; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } listen 443 ssl; ssl_certificate /path/to-your/certs/fullchain.pem; ssl_certificate_key /path/to-your/certs/privkey.pem; } server { if ($host = yourhive.example.com) { return 301 https://$host$request_uri; } listen 80; server_name yourhive.example.com; return 404; }where,
10001- port number you set tob.deck.port.exposeinuser.inifile;yourhive.example.com- hostname or IP address of your virtual machine.
Example of
Let's Encryptwithcertbotconfiguration. You should set this configuration before you issue certificates usingcertbot.server { listen 80; server_name yourhive.example.com; access_log /var/log/nginx/yourhive.example.com-access.log full_log; error_log /var/log/nginx/yourhive.example.com-error.log; client_max_body_size 0; location / { proxy_pass http://localhost:10001; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; } }where,
10001- port number you set tob.deck.port.exposeinuser.inifile;yourhive.example.com- hostname or IP address of your virtual machine.
Convert CA-certificate from .PFX
You may need to convert CA from .pfx if:
* it is necessary to transfer issues between Hive and Apiary via secure channel;
* it is impossible to use global valid certificates;
* it is necessary to use local Certificate Authority to issue certificates.
Create SSL key:
openssl pkcs12 -in your_file.pfx -nocerts -nodes -out key.pemCreate SSL certificate:
openssl pkcs12 -in your_file.pfx -clcerts -nokeys -out domain.pemNote: remove the
-outoption from the commands and the key with other information will be displayed on the screen. In this case, copy everything from the linesBEGIN PRIVATE KEY / BEGIN CERTIFICATEtoEND PRIVATE KEY / END CERTIFICATEand save it to a file.Create a root certificate:
openssl pkcs12 -in your_file.pfx -cacerts -nokeys -chain -out ca.pemNote: you will get a chain of root certificates. You will need only last one certificate in this chain. For example, you can open file for editing and delete everything except the last one.
Concatenate files into one certificate:
cat domain.pem ca.pem > cert.pemCopy SSL certificates to a virtual machine with installed Platform to a directory with SSL certificates:
cp cert.pem /opt/hw-bw/ssl/ cp key.pem /opt/hw-bw/ssl/Copy root certificate to a Platform directory with root certificates:
cp ca.pem /opt/certsNote: in this case, it is necessary to specify path to directory with root certificates in
/opt/hw-bw/config/user.inifilecustom.root.certs.path = /opt/certs.Restart the Platform (
systemctl restart hw-bw) or do/opt/hw-bw/bin/reconfigif you have changed the/opt/hw-bw/config/user.inifile.
See also
