For productive use of Enginsight, an encrypted connection via HTTPS is mandatory.
For this purpose, install and configure nginx on the application server as a TLS-terminating reverse proxy in front of the containers. During the automatic installation of Enginsight, nginx is already installed.
This gives you the following structure:
Container ports: 80 (ui-m1), 8080 (server-m2)
Internal host ports, bound to loopback only: 81, 82 (127.0.0.1:81, 127.0.0.1:82)
You need two domains pointing to the IP address of the application server. nginx serves both over HTTPS on port 443; port 80 stays open only for the redirect to HTTPS and the Let's Encrypt challenge:
ngs-api.domain.de (API, proxied to 127.0.0.1:82)
ngs-app.domain.de (user interface, proxied to 127.0.0.1:81)
If you have your own certificate, you can use it. Alternatively, we recommend using Let's Encrypt.
Install nginx (only for manual installation).
If you have done a manual installation, install nginx first. If you have an automatic installation, you can skip this step.
Define internal ports
Define an internal port in docker-compose.yml for the user interface (ui-m1) and the API (server-m2). Both are bound to 127.0.0.1, so the containers can be reached only through nginx and never directly from the network.
1. Navigate to /opt/enginsight/enterprise
cd /opt/enginsight/enterprise
2. Open docker-compose.yml.
nano docker-compose.yml
3. Adjust the ports.
  ui-m1:
    image: registry.enginsight.com/enginsight/ui-m1:x.x.x
    ports:
      - "127.0.0.1:81:80"      # host 127.0.0.1:81 -> container port 80 (UI)
    restart: always
    volumes:
      - "./conf/ui-m1/environment.js.production:/opt/enginsight/ui-m1/config/environment.js"
  server-m2:
    image: registry.enginsight.com/enginsight/server-m2:x.x.x
    networks:
      - redis
      - mongodb
    ports:
      - "127.0.0.1:82:8080"    # host 127.0.0.1:82 -> container port 8080 (API)
4. Save the file (Ctrl+O) and confirm. Close nano (Ctrl+X).
5. Run setup.sh for the changes to apply.
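To verify that the change took effect, the following added shell script (not part of the Enginsight documentation or product) audits docker-compose.yml for port mappings whose host side is not 127.0.0.1, and then checks the sockets actually listening on the host. It assumes the compose path from this page, the internal ports 81 and 82, and that ss from iproute2 is available; the sample data used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not part of the Enginsight documentation: check that the
# container ports are published on the loopback interface only, so the UI
# and API can be reached solely through the nginx TLS front end.

# check_compose_ports FILE
# Scans every "ports:" list in a docker-compose.yml and prints each mapping
# whose host side is not 127.0.0.1 (e.g. "81:80" or "0.0.0.0:82:8080").
# Returns 1 if any such mapping was found, 0 otherwise.
check_compose_ports() {
  awk '
    /^[ \t]*ports:[ \t]*$/ { inports = 1; next }
    inports && /^[ \t]*-[ \t]*"?[0-9.]+(:[0-9]+)+"?[ \t]*$/ {
      m = $0
      gsub(/^[ \t]*-[ \t]*"?|"?[ \t]*$/, "", m)      # strip "- " and quotes
      if (m !~ /^127\.0\.0\.1:/) { print "exposed on all interfaces: " m; bad++ }
      next
    }
    inports && !/^[ \t]*-/ { inports = 0 }           # list ended
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}

# check_listening_sockets PORT... < output-of-"ss -H -ltn"
# Reads the listening TCP sockets (4th column is Local Address:Port) and
# flags any of the given ports that listen on something other than loopback.
# Returns 1 if any was found, 0 otherwise.
check_listening_sockets() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NF >= 4 {
      addr = $4
      port = addr; sub(/.*:/, "", port)
      if (!(port in want)) next
      host = addr; sub(/:[0-9]+$/, "", host)
      if (host != "127.0.0.1" && host != "[::1]") { print "port " port " listens on " host; bad++ }
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Usage on the application server (both checks must pass):
if [ -f /opt/enginsight/enterprise/docker-compose.yml ]; then
  check_compose_ports /opt/enginsight/enterprise/docker-compose.yml
  ss -H -ltn | check_listening_sockets 81 82
fi
```

The static check catches a mapping such as "81:80" that someone edited in later; the socket check catches the case where the compose file is correct but setup.sh was never re-run, so the old binding is still live.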
Set up Let's Encrypt
If you want to use your own certificate, skip the following steps.
1. Customize the configuration of nginx. Open the configuration file.
Automatic installation
nano /etc/nginx/sites-available/ngs.conf
Manual installation
nano /etc/nginx/sites-available/default
2. Use the following template and set your domains. Port 80 is kept only for the Let's Encrypt HTTP challenge under /.well-known; every other request is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name ngs-api.domain.de;
    root /var/www/ngs-api.domain.de;
    location ~ /.well-known {
        allow all;
    }
    location / {
        return 302 https://ngs-api.domain.de;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name ngs-app.domain.de;
    root /var/www/ngs-app.domain.de;
    location ~ /.well-known {
        allow all;
    }
    location / {
        return 302 https://ngs-app.domain.de;
    }
}
3. Test the nginx configuration (nginx -t) before restarting, so that a syntax error does not take the service down.
4. Restart nginx.
service nginx restart
5. Install certbot.
sudo apt-get install certbot
6. Create a folder for each domain.
mkdir -p /var/www/ngs-api.domain.de
mkdir -p /var/www/ngs-app.domain.de
7. Create the certificates. certbot validates the domains over HTTP on port 80, so the server blocks above must be active and both domains must already resolve to this server.
certbot certonly --rsa-key-size 4096 --webroot -w /var/www/ngs-api.domain.de -d ngs-api.domain.de
certbot certonly --rsa-key-size 4096 --webroot -w /var/www/ngs-app.domain.de -d ngs-app.domain.de
8. Generate the Diffie-Hellman parameters at the path the nginx configuration references (this can take a few minutes).
openssl dhparam -out /etc/nginx/dhparam.pem 2048
Please note that Let's Encrypt certificates are only valid for 90 days. Follow the manual to renew your TLS certificate in time.
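Because the certificates expire after 90 days, renewal should be automated and monitored. The following added shell script (not part of the Enginsight documentation) checks whether the certificate of each domain expires within a configurable number of days, so that a failed renewal is noticed before the site stops working; the renewal itself is left to certbot renew with a deploy hook that reloads nginx. It assumes the Let's Encrypt paths and domain names used on this page and the openssl command line tool; the certificate used to exercise it is a constructed self-signed one.

```shell
#!/bin/sh
# Added example, not part of the Enginsight documentation: alert when a
# Let's Encrypt certificate is close to expiry (they are valid for 90 days),
# so that a broken renewal is noticed before the site stops working.

# cert_needs_renewal CERT_PEM [DAYS]
# Returns 0 (true) if the certificate expires within DAYS days (default 30,
# which is also the window in which certbot renew acts), 1 otherwise.
cert_needs_renewal() {
  cert=$1
  days=${2:-30}
  # openssl -checkend exits 0 when the certificate will still be valid after
  # the given number of seconds, 1 when it will have expired by then.
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# check_enginsight_certs DAYS DOMAIN...
# Checks the live certificate of each domain and returns 1 if any of them is
# missing or expires within DAYS days; prints one line per finding.
check_enginsight_certs() {
  days=$1; shift
  bad=0
  for d in "$@"; do
    cert=/etc/letsencrypt/live/$d/fullchain.pem
    if [ ! -r "$cert" ]; then
      echo "no certificate found for $d at $cert"
      bad=1
    elif cert_needs_renewal "$cert" "$days"; then
      echo "certificate for $d expires within $days days"
      bad=1
    fi
  done
  return $bad
}

# Usage, e.g. from a daily cron job on the application server. certbot renew
# only renews certificates that are inside their renewal window; the deploy
# hook reloads nginx so the new chain is actually served.
if command -v certbot >/dev/null 2>&1; then
  certbot renew --quiet --deploy-hook "nginx -t && service nginx reload"
  check_enginsight_certs 14 ngs-api.domain.de ngs-app.domain.de \
    || echo "renewal did not happen, check the certbot logs" >&2
fi
```

With certbot renewing at 30 days before expiry and the check alerting at 14 days, there are two weeks to notice and fix a broken renewal before users see a certificate error.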
Configure certificates and SSL/TLS in nginx
With Let's Encrypt
Customize the configuration of nginx.
1. Open the configuration file.
Automatic installation
nano /etc/nginx/sites-available/ngs.conf
Manual installation
nano /etc/nginx/sites-available/default
2. Use the following template and insert your domain. Each server block must be closed with its own brace before the next one starts; nginx does not allow nested server blocks.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ngs-app.domain.de;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/ngs-app.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-app.domain.de/privkey.pem;
    client_max_body_size 200m;
    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl "on";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ngs-api.domain.de;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/ngs-api.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-api.domain.de/privkey.pem;
    client_max_body_size 200m;
    location / {
        proxy_pass http://127.0.0.1:82;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl "on";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
The map block together with the Upgrade and Connection headers lets WebSocket connections pass through to the containers. The resolver is only needed for the OCSP stapling lookups; replace 8.8.8.8 and 8.8.4.4 with your own resolver if the server must not send DNS queries to Google.
3. Test the nginx configuration (nginx -t) before restarting, so that a syntax error does not take the service down.
4. Restart nginx.
service nginx restart
With your own certificate
Please make sure that the certificate is in PEM format. If not, convert the certificate to PEM format first. The certificate file must contain the server certificate followed by the intermediate certificates of your CA, and the private key file should be readable by root only (nginx reads it as root before dropping privileges).
Adjust the configuration of nginx.
1. Open the configuration file.
Automatic installation
nano /etc/nginx/sites-available/ngs.conf
Manual installation
nano /etc/nginx/sites-available/default
2. Use the following template and insert your domain and the paths to the certificates. Each server block must be closed with its own brace before the next one starts; nginx does not allow nested server blocks.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ngs-app.domain.de;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /<path>/fullchain.pem;
    ssl_certificate_key /<path>/privkey.pem;
    client_max_body_size 200m;
    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl "on";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ngs-api.domain.de;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /<path>/fullchain.pem;
    ssl_certificate_key /<path>/privkey.pem;
    client_max_body_size 200m;
    location / {
        proxy_pass http://127.0.0.1:82;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl "on";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
The resolver is only needed for the OCSP stapling lookups; replace 8.8.8.8 and 8.8.4.4 with your own resolver if the server must not send DNS queries to Google.
3. Test the nginx configuration (nginx -t) before restarting, so that a syntax error does not take the service down.
4. Restart nginx.
service nginx restart
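nginx -t validates only the syntax of the configuration; it does not tell you whether the hardening settings from the two templates above (the Let's Encrypt one and the one for your own certificate) survived a later edit. The following added shell script (not part of the Enginsight documentation) lints a site configuration for those settings: only TLSv1.2 in ssl_protocols (TLSv1.3 is also accepted, assuming an nginx and OpenSSL that support it), session tickets off, every listen on 443 carrying ssl, and every proxy_pass pointing at 127.0.0.1. Run it on the site file before nginx -t and the restart. It assumes the configuration path of the automatic installation from this page; the configurations used to exercise it are constructed from the templates above.

```shell
#!/bin/sh
# Added example, not part of the Enginsight documentation: lint an nginx site
# configuration for the TLS and proxy settings used in the templates above.
# nginx -t validates syntax only; this script checks the policy.

# lint_nginx_tls CONF
# Prints one line per finding and returns 1 if anything was found, 0 otherwise.
lint_nginx_tls() {
  awk '
    { sub(/#.*/, "") }                                    # ignore comments
    /^[ \t]*ssl_protocols[ \t]/ {
      seen_proto = 1
      for (i = 2; i <= NF; i++) {
        t = $i; sub(/;$/, "", t)
        # Anything but TLS 1.2/1.3 (SSLv3, TLSv1, TLSv1.1) is a finding
        if (t != "TLSv1.2" && t != "TLSv1.3") { print "weak protocol enabled: " t; bad++ }
      }
    }
    /^[ \t]*ssl_session_tickets[ \t]+off[ \t]*;/ { seen_tickets = 1 }
    /^[ \t]*listen[ \t]+(\[::\]:)?443([ \t]|;)/ && !/[ \t]ssl([ \t]|;)/ {
      print "listen on 443 without ssl: " $0; bad++
    }
    /^[ \t]*proxy_pass[ \t]/ {
      t = $2; sub(/;$/, "", t)
      # The containers are published on loopback only; anything else bypasses nginx
      if (t !~ /^http:\/\/127\.0\.0\.1:[0-9]+$/) { print "proxy_pass not to loopback: " t; bad++ }
    }
    END {
      if (!seen_proto)   { print "no ssl_protocols directive (relying on the nginx default)"; bad++ }
      if (!seen_tickets) { print "ssl_session_tickets off is missing"; bad++ }
      if (bad) exit 1
      exit 0
    }
  ' "$1"
}

# Usage: lint the active site file (automatic installation path from this page)
if [ -f /etc/nginx/sites-available/ngs.conf ]; then
  lint_nginx_tls /etc/nginx/sites-available/ngs.conf && echo "TLS policy OK, now run nginx -t"
fi
```

The checks are deliberately line based, so the script also works on a file that nginx -t would reject; fix the findings first, then let nginx -t confirm the syntax, then restart.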