No internet connection
  1. Home
  2. Support

configure https on prod-one

By Alberto @blur2018-08-03 14:28:09.242Z

Hello,

I would like to configure https access for my webserver using Talkyard.
I suppose I have to obtain a let's encrypt certificate and then install it somewhere in the project, enabling some configuration files.
Anybody can help me with a small tutorial?

Thank you so much!

  • 8 replies
  1. KajMagnus @KajMagnus2018-08-04 14:44:47.958Z

    Hello Alberto! I'll try to write about that tomorrow or on Monday

    1. In reply toblur:
      KajMagnus @KajMagnus2018-08-07 11:31:36.609Z2018-08-11 08:01:16.357Z

      Hi @blur, something like steps below should work. I'm posting this now, in case you want to read or ask something. I'll test the instructions myself tomorrow, and then I'll send you a message. Plz don't try to do this before I've tested myself :- )

      Do as follows to enable HTTPS: (Ubuntu 18.04)

      [EDIT] I'll simplify this. I'll remove some files. Wait ... tomorrow .... [/EDIT]

      [EDIT 2] Ok so never mind this whole reply. I'll post a new reply instead ... Here: https://www.talkyard.io/-104#post-9 — read that instead. [/EDIT 2]

      1. Update your DNS server so that the community hostname, like forum.yoursite.com, points to your Talkyard server's IP address.

      2. On the Talkyard server, install Certbot: (that's a Let'sEncrypt client; it generates free HTTPS certs)

        $ sudo apt install certbot
        

        (or read here if you use an earlier Ubuntu version).

      3. Generate a cert. Edit the below command: type your email and forum address. Then test it once, with --dry-run. Then remove --dry-run and run it for real — now, a cert should get generated.

        sudo -i  # become root
        cd /opt/talkyard/
        certbot certonly --dry-run --config-dir /opt/talkyard/data/certbot/ --email you@yoursite.com --webroot -w /opt/talkyard/data/certbot-challenges/ -d forum.yoursite.com
        
      4. Create a config file and start actually using the cert: (it'll get mounted inside the Nginx container and enabled automatically)

        nano /opt/talkyard/conf/web/sites-enabled-manual/my-talkyard-sites.conf

        The file should contain:

        server {
          include /etc/nginx/server-listen.conf;
        
          server_name forum.yoursite.com;
        
          ssl_certificate         /etc/certbot/live/forum.yoursite.com/fullchain.pem;
          ssl_certificate_key     /etc/certbot/live/forum.yoursite.com/privkey.pem;
        
          include /etc/nginx/server-ssl.conf;
          include /etc/nginx/server-limits.conf;
          include /etc/nginx/server-locations.conf;
        }
        

        Replace forum.yoursite.com with the address to your forum (at 3 locations in the file).

        (The file paths in the file, e.g. /etc/nginx/server-listen.conf, are to files already included in the Docker web image.)

      5. Change to HTTPS: edit docker-compose.yml and replace server-listen-http.conf with server-listen-https.conf, like so:

          ...
          web:
            ...
            volumes:
              - ./conf/web/server-listen-https.conf:/etc/nginx/server-listen.conf:ro
        
      6. Reload this new configuration: send the reload signal to Nginx, like so:

        # cd /opt/talkyard/
        # docker-compose exec web nginx -t  # this tests the config — don't continue if something is wrong
        # docker-compose exec web nginx -s reload 
        
      7. Go to https://forum.yoursite.com — check in the browser address bar that the cert is ok. (The page will be blank.)

      8. Edit /opt/talkyard/conf/app/play.conf so the app server starts generating https links:

        talkyard.secure=true
        

        and restart the app server; in Bash:

        cd /opt/talkyard/
        docker-compose restart app   # takes maybe 10 seconds
        

      What are your thoughts? What parts are maybe confusing and would be good if I explained better?
      1. BAlberto @blur2018-08-07 15:02:51.039Z

        Thanks for your reply: I'm going to wait your test before try it definitively.
        In these days I tried to figure it out in different ways, for example adding a path inside the docker compose file in order to mount the key and the certificate (I made a copy), because I can't understand how containers can reach my local /etc/letsencrypt folder.
        I think the following:

        ssl_certificate         /etc/certbot/live/forum.yoursite.com/fullchain.pem;
        ssl_certificate_key     /etc/certbot/live/forum.yoursite.com/privkey.pem;
        

        is trying to search files inside /etc/certbot/live/forum.yoursite.com which is a directory that should be mounted inside the docker compose file.
        What about include /etc/nginx/server-listen.conf;? Is still necessary enable the mountpoint for server-listen-https.conf?
        Should I add references about the newly created file forum.yoursite.com.conf somewhere or is it included by docker runtime?
        I also hope I am been clear.
        Thank you for your support!

        1. KajMagnus @KajMagnus2018-08-08 07:26:55.743Z2018-08-08 07:38:08.294Z

          (I need to wait 12 - 24 hours from now, with testing this. Because when I was going to add a new DNS server CNAME, Gandi.net first required me to migrate to some new "LiveDNS" something.)

          1. About containers and /etc/letsencrypt: If you loook in the docker-compose.yml file: (this is from a test server)

          root@ty-test-1cpu-1d7ram-ub1804:/opt/talkyard# cat docker-compose.yml  
          ...
          services:
            web:
              image: $DOCKER_REPOSITORY/talkyard-web:$VERSION_TAG
              # dockerfile: https://github.com/debiki/talkyard/blob/master/docker/web/Dockerfile
              restart: always
              volumes:
                - ./conf/web/server-listen-http.conf:/etc/nginx/server-listen.conf:ro
                - ./conf/web/sites-enabled-manual/:/etc/nginx/sites-enabled-manual/:ro
                - ./data/sites-enabled-auto-gen/:/etc/nginx/sites-enabled-auto-gen/:ro
           ———> - ./data/certbot/:/etc/certbot/:ro                                   <————— look
                - ./data/certbot-challenges/.well-known/:/opt/nginx/html/.well-known/:ro
                - ./data/uploads/:/opt/talkyard/uploads/:ro
                # Mount here so standard monitoring tools looking for Nginx logs will work.
                - /var/log/nginx/:/var/log/nginx/
          

          There you can see that the certs are placed in ./data/certbot/ on the host, which is /opt/talkyard/data/certbot/ (since the current directory ./ is /opt/talkyard/). That's where the certs are to be placed, on the host — and that's why the certbot command above has this flag: --config-dir /opt/talkyard/data/certbot/.

          That directory is, via docker-compose.yml, mounted at /etc/certbot/ inside the Nginx container. Therefore it's accessible to Nginx, at the standard /etc/certbot location. (Not /etc/letsencrypt — they renamed the client from Letsencrypt to Certbot and moved to /etc/certbot/)


          2. About server-listen.conf — oh seems I forgot one thing. You need to change http to https in docker-compose.yml, look here:

              volumes:
                ...
                - ./conf/web/server-listen-http.conf:/etc/nginx/server-listen.conf:ro
          

          That maps the server-listen-http.conf file, to the server-listen.conf file inside Nginx. And that -listen-http file listens on HTTP port 80:

          root@ty-test-1cpu-1d7ram-ub1804:/opt/talkyard# cat ./conf/web/server-listen-http.conf
          
          # The backlog should be the same as net.core.somaxconn in /etc/sysctl.conf,
          # set in ../../scripts/configure-ubuntu.sh.
          
          listen 80 backlog=8192;
          listen [::]:80 backlog=8192;
          

          You need to edit docker-compose.yml and add a s so becomes: - ./conf/web/server-listen-https.conf:/etc/nginx/server-listen.conf:ro

          That file, server-listen-https.conf, listens on HTTPS port 443:

          root@ty-test-1cpu-1d7ram-ub1804:/opt/talkyard# cat ./conf/web/server-listen-https.conf
          
          # The backlog should be the same as net.core.somaxconn in /etc/sysctl.conf,
          # set in ../../scripts/configure-ubuntu.sh.
          
          listen 443 ssl backlog=8192;
          listen [::]:443 ssl backlog=8192;
          

          3. About: "Should I add references about the newly created file forum.yoursite.com.conf somewhere" — when you do this:

          nano /opt/talkyard/data/sites-enabled/forum.yoursite.com.conf
          nano ./conf/web/sites-enabled-manual/forum.yoursite.com.conf

          it gets created in a directory that's mounted inside the Docker Nginx container already, at .... oops now I see I typed the wrong file path, fixed. Then it'll get included automatically, because in the container, it appears here: /etc/nginx/sites-enabled-manual/ and I've configured Nginx to auto-enable all sites in that directory . So you don't need to add it to anywhere else.

          4. You also want to redirect HTTP port 80 to HTTPS. Do that (when HTTPS works already) by editing: /opt/talkyard/conf/web/sites-enabled-manual/default-server.conf and comment in this line:

          #include /etc/nginx/http-redirect-to-https.conf
          

          (That file is already included in the Docker image, and creates a server at port 80 that redirects everything to 443.)


          B.t.w. the plan is that all this be done automatically, in the future. I've created a container, certgen, that later on will generate HTTPS certs as required, and create Nginx config files that loads the certs. (Probably will not happen the nearest 6 months.)

      2. In reply toblur:
        KajMagnus @KajMagnus2018-08-09 14:32:10.863Z

        Hmm @blur I actually got a bit confused myself, because there're so many Nginx files and sometimes included in the Docker image, sometimes on the host. I'm now making some changes, so there'll be only one single Nginx file to edit, to enable HTTPS. I'll notify you again in one or two days ...

        1. BAlberto @blur2018-08-09 20:08:47.438Z2018-08-10 09:49:46.432Z

          alright, let me know how you are going to think the whole file structure! thank you!

        2. In reply toblur:
          KajMagnus @KajMagnus2018-08-11 07:45:14.390Z

          Hello again @blur now I've simplified things, and written docs:

          You can comment out (e.g. rename to ... .conf.disabled) other files in your sites-enabled-manual/ directory, and instead copy-paste the talkyard-servers.conf file into there, and then follow the new docs instructions.

          (I moved the directory conf/web/sites-enabled-manual/ to just conf/sites-enabled-manual/, and I move-renamed the file conf/app/play.conf to conf/play-framework.conf. You can just ignore this, because your docker-compose.yml file mounts things in the correct way, regardless. If, however, you want to move-rename things in the same way, you too, ... then do that, and also update the corresponding paths in docker-compose.yml.)

          1. BAlberto @blur2018-08-13 13:25:59.744Z

            great, it is wonderful! i am going to test it out!
            thank you so much for everythin'.