# HTTPS and Certificates

For production use of Enginsight, an encrypted connection via HTTPS is mandatory.

To provide it, install and configure nginx on the application server as a reverse proxy in front of the containers. The automatic installation of Enginsight already installs nginx.

This results in the following structure:

![](https://2429355096-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LTMe1v0eboWCAUTQHbT-3758922206%2Fuploads%2FAPgVpJAogJru5sk7ddr9%2FmitHTTPS.png?alt=media\&token=3502dcde-9f41-488b-8d7d-8d788fc728a4)

* Container ports: 80, 8080
* Internal ports: 81, 82 *(127.0.0.1:81, 127.0.0.1:82)*

You need two domains pointing to the IP address of the application server:

* ngs-api.domain.de (Port 80)
* ngs-app.domain.de (Port 443)

If you have your own certificate, you can use it. Alternatively, we recommend using Let's Encrypt.

## Install nginx

{% hint style="info" %}
**This step is required only if you perform a manual installation!**\
If you are using the automated setup, skip this section.
{% endhint %}

If you performed a manual installation, install nginx first. After an automatic installation, you can skip this step.

```
sudo apt install nginx
```

## Define internal ports

{% hint style="info" %}
**This step is required regardless of the installation method.**\
Port definitions are essential for internal communication between services.
{% endhint %}

Define a loopback-bound internal port in `docker-compose.yml` for the user interface (ui-m1) and for the API (server-m2), so that both containers are reachable only through nginx.

1\. Navigate to `/opt/enginsight/enterprise`.

```
cd /opt/enginsight/enterprise
```

2\. Open `docker-compose.yml`.

```
sudo nano docker-compose.yml
```

3\. Adjust the ports.

```
  ui-m1:
    image: registry.enginsight.com/enginsight/ui-m1:x.x.x
    ports:
    - "127.0.0.1:81:80"
    restart: always
    volumes:
    - "./conf/ui-m1/environment.js.production:/opt/enginsight/ui-m1/config/environment.js"

  server-m2:
    image: registry.enginsight.com/enginsight/server-m2:x.x.x
    networks:
    - redis
    - mongodb
    ports:
    - "127.0.0.1:82:8080"
```

4\. Save the file (Ctrl+O) and confirm. Close nano (Ctrl+X).

5\. Run `setup.sh` to apply the changes.

```
sudo ./setup.sh
```
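The following script is an added example and is not part of the Enginsight documentation or its setup tooling. It reads a `docker-compose.yml` in the layout shown above and reports every published port that is not bound to `127.0.0.1`, which is the check worth running after step 3: a mapping such as `"82:8080"` would expose the plain-HTTP API port on every interface and bypass nginx and TLS entirely. The sample compose file it writes is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Enginsight documentation): verify that the
# ui-m1 and server-m2 port mappings in docker-compose.yml bind to 127.0.0.1,
# so the plain-HTTP container ports are reachable only through nginx.
# Assumes the compose layout shown on this page: services indented by two
# spaces under "services:", one  - "host:port:container"  line per port.

# Constructed sample compose file; server-m2 deliberately binds to all interfaces.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  ui-m1:
    image: registry.enginsight.com/enginsight/ui-m1:x.x.x
    ports:
    - "127.0.0.1:81:80"
    volumes:
    - "./conf/ui-m1/environment.js.production:/opt/enginsight/ui-m1/config/environment.js"
  server-m2:
    image: registry.enginsight.com/enginsight/server-m2:x.x.x
    networks:
    - redis
    ports:
    - "82:8080"
EOF
}

# Prints "<service> <mapping>" for every published port that is NOT bound to
# 127.0.0.1. Exit status 0 when all mappings are loopback-only, 1 otherwise.
check_loopback_binding() {
  awk '
    # remember the current service name (two-space indented key)
    /^  [A-Za-z0-9_-]+:[[:space:]]*$/ { svc = $1; sub(/:$/, "", svc); next }
    # a port mapping line: - "host:port:container" or - "port:container"
    /^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+"?/ {
      m = $0
      sub(/^[[:space:]]*-[[:space:]]*"?/, "", m)   # drop leading "- " and quote
      sub(/"?[[:space:]]*$/, "", m)                # drop trailing quote
      if (m !~ /^127\.0\.0\.1:/) { print svc " " m; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Usage: sh check-compose-ports.sh /opt/enginsight/enterprise/docker-compose.yml
if [ -n "$1" ]; then
  check_loopback_binding "$1" && echo "all published ports are bound to 127.0.0.1"
fi
```

Run it against the real compose file after editing; a non-zero exit status means at least one port would be published on all interfaces, which is what `docker ps` would later show as `0.0.0.0:82->8080/tcp`.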

## Set up Let's Encrypt

{% hint style="info" %}
If you want to use your own certificate, skip the following steps.
{% endhint %}

1\. Customize the configuration of nginx. Open the configuration file.

*Automatic installation*

```
sudo nano /etc/nginx/sites-available/ngs.conf
```

*Manual installation*

```
sudo nano /etc/nginx/sites-available/default
```

2\. Use the following template and set your domain.

```
server {
        listen 80;
        listen [::]:80;

        location ~ /.well-known {
                allow all;
        }

        location / {
                return 302 https://ngs-api.domain.de
        }

        root /var/www/ngs-api.domain.de

        server_name ngs-api.domain.de
}
 server {
        listen 80;
        listen [::]:80;

        location ~ /.well-known {
                allow all;
        }

        location / {
                return 302 https://ngs-app.domain.de
        }

        root /var/www/ngs-app.domain.de

        server_name ngs-app.domain.de
}
```

3\. Test the nginx configuration to confirm the change is valid.

```
sudo nginx -t
```

4\. Restart nginx.

```
sudo service nginx restart
```

5\. Install certbot.

```
sudo apt-get install certbot
```

6\. Create a folder for each domain.

```
sudo mkdir -p /var/www/ngs-api.domain.de
sudo mkdir -p /var/www/ngs-app.domain.de
```

7\. Request a certificate for each domain. The webroot challenge is served from the folders created in the previous step.

```
sudo certbot certonly --rsa-key-size 4096 --webroot -w /var/www/ngs-api.domain.de -d ngs-api.domain.de
sudo certbot certonly --rsa-key-size 4096 --webroot -w /var/www/ngs-app.domain.de -d ngs-app.domain.de
```

8\. Generate the Diffie-Hellman parameters at the path that the nginx configuration in the next section references.

```
sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048
```

{% hint style="info" %}
Please note that Let's Encrypt certificates are valid for only 3 months. Follow the [manual](https://knowledge.enginsight.com/schritt-f%C3%BCr-schritt-anleitung-zum-aktualisieren-eines-ssl-zertifikats-lets-encrypt) to renew your SSL certificate.
{% endhint %}

## Configure certificates and SSL/TLS in nginx

### With Let's Encrypt

Customize the configuration of nginx.

1\. Open the configuration file.

*Automatic installation*

```
sudo nano /etc/nginx/sites-available/ngs.conf
```

*Manual installation*

```
sudo nano /etc/nginx/sites-available/default
```

2\. Use the following template and insert your domain.

```
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
        listen 80;
        listen [::]:80;

        # Let's Encrypt HTTP-01 challenge files must stay reachable over plain HTTP
        location ~ /.well-known {
                allow all;
        }

        location / {
                return 302 https://ngs-api.domain.de;
        }

        root /var/www/ngs-api.domain.de;

        server_name ngs-api.domain.de;
}

server {
        listen 80;
        listen [::]:80;

        location ~ /.well-known {
                allow all;
        }

        location / {
                return 302 https://ngs-app.domain.de;
        }

        root /var/www/ngs-app.domain.de;

        server_name ngs-app.domain.de;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-app.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/ngs-app.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-app.domain.de/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-api.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/ngs-api.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-api.domain.de/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:82;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

3\. Test the nginx configuration to confirm the change is valid.

```
sudo nginx -t
```

4\. Restart nginx.

```
sudo service nginx restart
```

5\. **Switch the APP and API URLs to HTTPS.** After you have configured nginx and installed the certificate, run `setup.sh` again. During this step, you will be prompted for the external URLs of the APP and the API. Enter the domains with `https://` (instead of `http://`).

```bash
cd /opt/enginsight/enterprise
sudo ./setup.sh
```

Example:

* APP URL: **`https://`**`ngs-app.domain.de`
* API URL: **`https://`**`ngs-api.domain.de`

{% hint style="info" %}
This step is required so that Enginsight uses the APP and API endpoints correctly over HTTPS.\
If you accidentally enter `http://`, the instance remains internally configured for HTTP, even though nginx already provides HTTPS.
{% endhint %}

### With own certificate

{% hint style="warning" %}
Please make sure that the certificate is in PEM format. If not, convert the certificate to PEM format first.
{% endhint %}

Adjust the configuration of nginx.

1\. Open the configuration file.

*Automatic installation*

```
sudo nano /etc/nginx/sites-available/ngs.conf
```

*Manual installation*

```
sudo nano /etc/nginx/sites-available/default
```

2\. Use the following template and insert your domain and the paths to the certificates.

```
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-app.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Uncomment ssl_dhparam only if you generated /etc/nginx/dhparam.pem
#   ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /<path>/fullchain.pem;
    ssl_certificate_key /<path>/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-api.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Uncomment ssl_dhparam only if you generated /etc/nginx/dhparam.pem
#   ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /<path>/fullchain.pem;
    ssl_certificate_key /<path>/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:82;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

3\. Test the nginx configuration to confirm the change is valid.

```
sudo nginx -t
```
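`nginx -t` confirms only that the file parses. The lint below is an added example, not part of the Enginsight documentation or of nginx, that checks the properties both templates on this page (Let's Encrypt and own certificate) rely on: every `listen 443 ssl` server block names a certificate and key, sets `ssl_protocols` explicitly without SSLv3/TLSv1.0/TLSv1.1, forwards `X-Forwarded-Proto https` to the backend, and closes its braces before the next `server {` begins. The sample site file it writes is constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Enginsight documentation): a lint that
# complements `nginx -t` for the site files on this page. It reports, per
# "listen 443 ssl" server block, a missing ssl_certificate/ssl_certificate_key,
# an ssl_protocols line that still enables SSLv3/TLSv1.0/TLSv1.1, a missing
# X-Forwarded-Proto header, and a server block opened before the previous one
# was closed (unbalanced braces). Assumes one directive per line.

# Constructed minimal site file: one redirect block and one TLS proxy block.
write_sample_nginx() {
  cat > "$1" <<'EOF'
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    listen 80;
    server_name ngs-app.domain.de;
    location / { return 302 https://ngs-app.domain.de; }
}
server {
    listen 443 ssl http2;
    server_name ngs-app.domain.de;
    ssl_protocols TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/ngs-app.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-app.domain.de/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header X-Forwarded-Proto "https";
    }
}
EOF
}

# Prints one finding per line; exit status 0 when clean, 1 when any finding.
lint_nginx_tls() {
  awk '
    { line = $0; sub(/#.*/, "", line) }            # ignore comments
    line ~ /^[[:space:]]*server[[:space:]]*[{]/ {
      if (depth > 0) { print "line " NR ": server block opened inside another block (missing \"}\" above?)"; bad = 1 }
      else { inserver = 1; start = NR; tls = cert = key = seen = fwd = 0; ok = 1 }
    }
    inserver && line ~ /listen[[:space:]].*443.*ssl/ { tls = 1 }
    inserver && line ~ /^[[:space:]]*ssl_certificate[[:space:]]/ { cert = 1 }
    inserver && line ~ /^[[:space:]]*ssl_certificate_key[[:space:]]/ { key = 1 }
    inserver && line ~ /^[[:space:]]*ssl_protocols[[:space:]]/ {
      seen = 1
      if (line ~ /SSLv3|TLSv1(\.1)?[[:space:];]/) ok = 0   # legacy protocol listed
    }
    inserver && line ~ /proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+"?https"?/ { fwd = 1 }
    { depth += gsub(/[{]/, "{", line); depth -= gsub(/[}]/, "}", line) }   # track nesting
    depth < 0 { print "line " NR ": unexpected \"}\""; bad = 1; depth = 0 }
    inserver && depth == 0 {                         # server block just closed
      inserver = 0
      if (!tls) next                                 # plain port-80 redirect block
      if (!cert) { print "server at line " start ": ssl_certificate missing"; bad = 1 }
      if (!key)  { print "server at line " start ": ssl_certificate_key missing"; bad = 1 }
      if (!seen) { print "server at line " start ": ssl_protocols not set explicitly"; bad = 1 }
      if (!ok)   { print "server at line " start ": ssl_protocols still enables SSLv3/TLSv1.0/TLSv1.1"; bad = 1 }
      if (!fwd)  { print "server at line " start ": X-Forwarded-Proto https not passed to the backend"; bad = 1 }
    }
    END {
      if (depth != 0) { print "unbalanced braces: " depth " block(s) never closed"; bad = 1 }
      exit (bad ? 1 : 0)
    }
  ' "$1"
}

# Usage: sh lint-nginx-tls.sh /etc/nginx/sites-available/ngs.conf
if [ -n "$1" ]; then
  lint_nginx_tls "$1" && echo "no TLS findings in $1"
fi
```

A block that is never closed is reported as "unbalanced braces", and a `server {` that follows it is flagged as nested, which is exactly the symptom of a missing `}` after a `location` block; the protocol check is deliberately strict so that a copy of an older template with `TLSv1 TLSv1.1` in it does not pass unnoticed.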

4\. Restart nginx.

```
sudo service nginx restart
```

5\. **Switch the APP and API URLs to HTTPS.** After you have configured nginx and installed the certificate, run `setup.sh` again. During this step, you will be prompted for the external URLs of the APP and the API. Enter the domains with `https://` (instead of `http://`).

```bash
cd /opt/enginsight/enterprise
sudo ./setup.sh
```

Example:

* APP URL: **`https://`**`ngs-app.domain.de`
* API URL: **`https://`**`ngs-api.domain.de`

{% hint style="info" %}
This step is required so that Enginsight uses the APP and API endpoints correctly over HTTPS.\
If you accidentally enter `http://`, the instance remains internally configured for HTTP, even though nginx already provides HTTPS.
{% endhint %}


