HTTPS Configuration with SSL
The application uses an NGINX proxy to deliver HTTP requests from browsers to the backend services. This proxy is also responsible for SSL termination.
To configure HTTPS, you need SSL certificates for Timeline. You can choose one of the following options:
- Use an SSL certificate issued by a Certification Authority (CA).
This is the recommended approach for an installation that is intended for a production environment. The connection to the server will be secure and users will not get any warnings from the browser.
- Use a self-signed SSL certificate.
If you do not have a signed certificate or if you only require a certificate for testing purposes, use a self-signed SSL certificate. However, in this case users will get warnings from the web browser about the use of a self-signed certificate, as the server will not be considered secure.
Note. If you install the program in a production environment, it is highly discouraged to use a self-signed SSL certificate.
Important. If you install the program in a production environment, it is strongly recommended to use HTTPS; using HTTP is highly discouraged.
Procedure
- Obtain an SSL certificate and a private key.
- Run the Timeline installation and follow the Installation Wizard.
For more information, see 'Installing Timeline'.
- To enable SSL between the PostgreSQL database instances and the application, provide the path to your database SSL certificate in the Database Connection step. If your PostgreSQL is configured using SSL, provide the path to your SSL CA root certificate.
- To enable SSL between the application and the client, specify the HTTPS port and the Base URL for the HTTPS port in the Web Server step.
- After the Timeline installation process is complete, do the following:
- Find the ssl.conf.tpl and ssl.conf files in the $TIMELINE_INSTALLATION_DIR/nginx folder and rename the ssl.conf.tpl file to ssl.conf. Alternatively, merge the ssl.conf.tpl file with ssl.conf, if you made any changes in the ssl.conf file for the previous Timeline version.
Note. These files are copied to the $TIMELINE_INSTALLATION_DIR/nginx folder during the upgrade process. The folder is specified in the NGINX_CONF variable in .env. The ssl.conf.tpl file stores the latest SSL configuration settings.
- Copy your SSL certificate and private key files to the $TIMELINE_INSTALLATION_DIR/nginx folder.
- If your private key and certificate files are not named cert.key and cert.pem, respectively, you should change the ssl_certificate and ssl_certificate_key entries in ssl.conf accordingly.
- If you have a password file for the SSL key, uncomment the line #ssl_password_file $TIMELINE_INSTALLATION_DIR_DIR/nginx/conf/pass.file; in ssl.conf. If necessary, change the path to the folder you specified during the installation process.
- If intermediate certificates should be specified in addition to a primary certificate, they should be specified in the same cert.pem file in the following order: the primary certificate comes first, then the intermediate certificates.
- Open .env file and check the following environment variables:
- PROXY_SSL_PORT
Make sure the HTTPS port you want to use is specified in the PROXY_SSL_PORT variable.
Example: PROXY_SSL_PORT=443
- BASE_URL
Make sure the HTTPS protocol is specified in the BASE_URL variable.
Example: BASE_URL=https://mytimeline.com
- DB_SSL
If your remote PostgreSQL is configured with SSL support without a root certificate, make sure that this variable is empty.
- DB_SSL=./db-ssl
When remote PostgreSQL is configured with SSL support and a CA Root certificate file is used, make sure that this variable contains a full path to the certificate file.
- PG_SSL_ROOT_CERT
The name of the certificate file copied into the folder specified in the DB_SSL variable.
- Restart the Timeline application to apply all the changes:
systemctl restart timeline
- Perform a health check.
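A consistency check for the .env variables listed above, to run before restarting; this is an added example and not part of the Timeline product or its documentation. It assumes .env holds plain KEY=VALUE lines, that PG_SSL_ROOT_CERT is a file name inside the DB_SSL folder, that a relative DB_SSL is resolved against the folder holding .env, and that browsers reach NGINX on PROXY_SSL_PORT directly; parse_env and check_https_env are hypothetical helper names.

```python
import os
from urllib.parse import urlsplit

# Constructed sample .env, not taken from a real installation.
SAMPLE_ENV = """\
PROXY_SSL_PORT=443
BASE_URL=http://mytimeline.com
DB_SSL=./db-ssl
PG_SSL_ROOT_CERT=
"""

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_https_env(env, base_dir="."):
    """Return a list of problems in the HTTPS-related variables."""
    problems = []
    port = env.get("PROXY_SSL_PORT", "")
    port_ok = port.isdecimal() and 0 < int(port) < 65536
    if not port_ok:
        problems.append("PROXY_SSL_PORT is missing or not a valid TCP port")
    try:
        url = urlsplit(env.get("BASE_URL", ""))
        url_port = url.port or 443  # no explicit port means the HTTPS default
        https = url.scheme == "https" and bool(url.hostname)
    except ValueError:  # malformed host or port in BASE_URL
        https, url_port = False, None
    if not https:
        problems.append("BASE_URL is not a valid https:// URL")
    elif port_ok and url_port != int(port):
        # Assumption: browsers connect to NGINX directly, with no port mapping.
        problems.append("BASE_URL port differs from PROXY_SSL_PORT")
    db_ssl, root = env.get("DB_SSL", ""), env.get("PG_SSL_ROOT_CERT", "")
    if db_ssl and not root:
        problems.append("DB_SSL is set but PG_SSL_ROOT_CERT is empty")
    elif db_ssl and not os.path.isfile(os.path.join(base_dir, db_ssl, root)):
        # Assumption: a relative DB_SSL is resolved against the .env folder.
        problems.append("root certificate not found in " + db_ssl)
    elif root and not db_ssl:
        problems.append("PG_SSL_ROOT_CERT is set but DB_SSL is empty")
    return problems

if __name__ == "__main__":
    for problem in check_https_env(parse_env(SAMPLE_ENV)):
        print("WARN:", problem)
```

An empty result means the variables agree with each other; it does not replace the health check after the restart.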
22.09.2023 8:59:47