Monday, October 29, 2018

Setting up HTTPS access for RocketChat

Here's how you can configure HTTPS access for RocketChat.  

Want some HTTPS access for RocketChat?  Here's a really easy way.  This is a summary of steps that I did from https://rocket.chat/docs/installation/manual-installation/ubuntu/
Just tons of info.  These steps worked with my server implementation, so they might help you!

This was tested in UBUNTU 18.04 server using RocketChat 0.70.4

This document is how to use NGINX SSL reverse proxy

You'll need to have a server that the name can be resolved like "rocketchat.company.com"

You'll need to be able request a certificate from a cert authority

Login to Ubunut CLI then install NGINX with the following command:

sudo apt-get install nginx

Request a key via OPENSSL

This is a bit of a chore from the CLI, so I used this page (hope it works still)

https://www.digicert.com/easy-csr/openssl.htm

to help me generate the SSL certificate request syntax (highlighted in blue) which I paste into my CLI



EXAMPLE key for server called "rocketchat"

openssl req -new -newkey rsa:2048 -nodes -out rocketchat.csr -keyout rocketchat.key -subj "/C=US/ST=California/L=Oakland/O=Company/CN=rocketchat"

The system will generate two files.  One is your private .key, the other one is the .CSR or "request" key that you would submit to your certificate authority.

Once you get your public key back, perform these functions:

The private key that is generated, put it into

/etc/nginx/certificate.key

make it harder to change by assigning permission 400

chmod 400 /etc/nginx/certificate.key

Now copy your certificate provided to you by your authority to

/etc/nginx/certificate.crt

Now edit the file

/etc/nginx/sites-enabled/default

Delete everything in there and paste in the following below.

Change "server_name servername.domainname.com;" to the host name of your server.  
Example using my configs would be: "server_name rocketchat.company.com;"


# Upstreams
upstream backend {
    server 127.0.0.1:3000;
}
# HTTPS Server
server {
    listen 443;
    server_name servername.domainname.com;
    error_log /var/log/nginx/rocketchat.access.log;
    ssl on;
    ssl_certificate /etc/nginx/certificate.crt;
    ssl_certificate_key /etc/nginx/certificate.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
    location / {
        proxy_pass http://backend/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forward-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}

Save your changes

Now startup NGINX:

sudo service nginx restart

If it works, the prompt should come back with no errors. 
If it does show errors or if you are curious, type in the following to get status information

systemctl status nginx.service

You should now be able to connect via HTTPS

https://ServerName

No comments:

Post a Comment

Feel free to leave a comment! If you have any information that you think should be included, please do so here and I'll get it added in.