HTTPS and Certificates

For productive use of Enginsight, an encrypted connection via HTTPS is mandatory.

For this purpose, install and configure nginx on the application server. During the automatic installation of Enginsight, nginx is already installed.

So you get the following structure:

Container Ports: 80, 8080
internal Ports: 81, 82 (127.0.0.1:81, 127.0.0.1:82)

You need two domains pointing to the IP address of the application server:

ngs-api.domain.de (Port 80)
ngs-app.domain.de (Port 443)

If you have your own certificate, you can use it. Alternatively, we recommend using Let's Encrypt.

Install nginx

This step is required only if you perform a manual installation! If you're using the automated setup skip this section.

If you have done a manual installation, install nginx first. If you have an automatic installation, you can skip this step.

sudo apt install nginx

Define internal ports

This step is required regardless of the installation method. Port definitions are essential for internal communication between services.

Define an internal port in docker-compose.yml for the user interface (ui-m1) and API (server-m2).

1. Navigate to /opt/enginsight/enterprise

cd /opt/enginsight/enterprise

2. Open docker-compose.yml.

sudo nano docker-compose.yml

3. Adjust the ports.

  ui-m1:
    image: registry.enginsight.com/enginsight/ui-m1:x.x.x
    ports:
    - "127.0.0.1:81:80"
    restart: always
    volumes:
    - "./conf/ui-m1/environment.js.production:/opt/enginsight/ui-m1/config/environment.js"

  server-m2:
    image: registry.enginsight.com/enginsight/server-m2:x.x.x
    networks:
    - redis
    - mongodb
    ports:
    - "127.0.0.1:82:8080"

4. Save the file (Ctrl+o) and confirm the saving process. Close nano (Ctrl+x).

5. Run setup.sh for the changes to apply.

sudo ./setup.sh

Set up Let's Encrypt

If you want to use your own certificate, skip the following steps.

1. Customize the configuration of nginx. Open the configuration file.

Automatic installation

sudo nano /etc/nginx/sites-available/ngs.conf

Manual installation

sudo nano /etc/nginx/sites-available/default

2. Use the following template and set your domain.

server {
        listen 80;
        listen [::]:80;

        location ~ /.well-known {
                allow all;
        }

        location / {
                return 302 https://ngs-api.domain.de
        }

        root /var/www/ngs-api.domain.de

        server_name ngs-api.domain.de
}
 server {
        listen 80;
        listen [::]:80;

        location ~ /.well-known {
                allow all;
        }

        location / {
                return 302 https://ngs-app.domain.de
        }

        root /var/www/ngs-app.domain.de

        server_name ngs-app.domain.de
}

3. Check the status of nginx and see if the change was successful.

sudo nginx -t

4. Restart nginx.

sudo service nginx restart

5. Install certbot.

sudo apt-get install certbot

6. Create a folder for each domain.

sudo mkdir -p /var/www/ngs-api.domain.de
sudo mkdir -p /var/www/ngs-app.domain.de

7. Create the certificate.

sudo certbot certonly --rsa-key-size 4096 --webroot -w /var/www/ngs-api.domain.de -d ngs-api.domain.de
sudo certbot certonly --rsa-key-size 4096 --webroot -w /var/www/ngs-app.domain.de -d ngs-app.domain.de

8. Generate the Diffie-Hellman parameters.

sudo openssl dhparam -out dhparam.pem 2048

Please note that LetsEncrypt is only valid for 3 Months. Follow the manual tu update your SSL-ceritificate.

Configure certificates and SSL/TLS in nginx

With Let's Encrypt

Customize the configuration of nginx.

1. Open the configuration file.

Automatic installation

sudo nano /etc/nginx/sites-available/ngs.conf

Manual installation

sudo nano /etc/nginx/sites-available/default

2. Use the following template and insert your domain.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
        listen 80;
        listen [::]:80;
 
        location ~ /.well-known {
                allow all;
        }
 
        location / {
                return 302 https://ngs-api.domain;
        }
 
        root /var/www/ngs-api.domain;
 
        server_name ngs-api.domain;
}
 
server {
        listen 80;
        listen [::]:80;
 
        location ~ /.well-known {
                allow all;
        }
 
        location / {
                return 302 https://ngs-app.domain;
        }
 
        root /var/www/ngs-app.domain;
 
        server_name ngs-app.domain;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-app.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/ngs-app.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-app.domain.de/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-api.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /etc/letsencrypt/live/ngs-api.domain.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ngs-api.domain.de/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:82;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

3. Check the status of nginx and see if the change was successful.

sudo nginx -t

4. Restart nginx.

sudo service nginx restart

With own certificate

Please make sure that the certificate is in PEM format. If not, convert the certificate to PEM format first.

Adjust the configuration of nginx.

1. Open the configuration file.

Automatic installation

sudo nano /etc/nginx/sites-available/ngs.conf

Manual installation

sudo nano /etc/nginx/sites-available/default

2. Use the following template and insert your domain and the paths to the certificates.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-app.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

#   ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /<Pfad>/fullchain.pem;
    ssl_certificate_key /<Pfad>/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:81;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ngs-api.domain.de;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE+AESGCM+AES256";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

#   ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_certificate /<Pfad>/fullchain.pem;
    ssl_certificate_key /<Pfad>/privkey.pem;

    client_max_body_size 200m;

    location / {
        proxy_pass http://127.0.0.1:82;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_set_header X-Forwarded-Ssl   "on";
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}

3. Check the status of nginx and see if the change was successful.

sudo nginx -t

4. Restart nginx.

service nginx restart

PreviousConfiguration NextLicences and Organisations

Last updated 3 months ago

Was this helpful?