TLS/SSL

Add a TLS/SSL Reverse-Proxy

You should set up a TLS/SSL reverse-proxy in front of your Cavaliba Docker deployment.

A reverse-proxy would perform the following tasks:

  • offload (terminate) HTTPS SSL/TLS user connections
  • filter user source IP addresses if restricted exposure is needed
  • perform HTTP Basic/Digest user authentication if this auth mode is selected for Cavaliba
  • produce logs/stats
  • on large / fault-tolerant setups, perform user traffic load-balancing across a multi-node Cavaliba deployment
  • display a Maintenance/Sorry page if it detects that the Cavaliba stack is down

You may use an enterprise-wide / network-managed reverse-proxy. You can also deploy a small NGINX or HAProxy component on your Cavaliba host virtual machine.

Example: simple NGINX / Let's Encrypt SSL/TLS reverse-proxy

Nginx / Let’s Encrypt
---------------------
$ sudo apt install nginx apache2-utils certbot python3-certbot-nginx
$ sudo certbot -n --agree-tos --email mycontact@mydomain.com --nginx -d mycavaliba.mydomain.com
$ sudo systemctl enable nginx
$ sudo cat /etc/nginx/sites-enabled/default

    # Cavaliba Docker stack, bound to the loopback interface only
    upstream cavaliba {
      keepalive 60;
      server 127.0.0.1:8000;
    }

    # Plain HTTP: redirect every request for the site name to HTTPS
    server
    {
        if ($host = mycavaliba.mydomain.com ) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen 80 default_server;
        server_name mycavaliba.mydomain.com;
        return 404; # managed by Certbot
    }

    # HTTPS: TLS is terminated here, the backend is reached over HTTP on localhost
    server
    {
        server_name mycavaliba.mydomain.com;
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/mycavaliba.mydomain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/mycavaliba.mydomain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        # -------------
        location /
        {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # the backend only sees plain HTTP; pass the original client scheme along
            proxy_set_header X-Forwarded-Proto $scheme;
            # forward to the Cavaliba upstream defined above
            proxy_pass http://cavaliba;
            # HTTP/1.1 with an empty Connection header is required for upstream keepalive
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
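The simple configuration above only terminates TLS and forwards to one local node. The fragment below is an added example, not part of the Cavaliba documentation, that extends it with the other tasks from the list at the top of the page: source IP filtering, HTTP Basic authentication at the proxy, two-node load-balancing with failover, per-site logs and a maintenance page. The IP ranges, the node addresses, the htpasswd file path and the maintenance page directory are assumed values chosen for illustration; the `htpasswd` tool comes from the apache2-utils package installed by the apt command above.

```nginx
# Added example (not from the Cavaliba docs). Addresses, ranges and paths are
# assumed values for illustration; adapt them to the real deployment.

# Two Cavaliba nodes (assumed addresses). A node that fails 3 times within 10s
# is taken out of rotation for 10s; keepalive reuses connections to the nodes.
upstream cavaliba {
    server 10.0.0.11:8000 max_fails=3 fail_timeout=10s;
    server 10.0.0.12:8000 max_fails=3 fail_timeout=10s;
    keepalive 60;
}

server {
    listen 443 ssl;
    server_name mycavaliba.mydomain.com;
    ssl_certificate     /etc/letsencrypt/live/mycavaliba.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mycavaliba.mydomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Per-site logs for traffic statistics and incident review.
    access_log /var/log/nginx/cavaliba-access.log;
    error_log  /var/log/nginx/cavaliba-error.log;

    # Restricted exposure: only the listed (assumed) internal ranges may reach
    # Cavaliba; everything else receives 403 before touching the application.
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny  all;

    # Maintenance / sorry page served when no node answers (502/503/504).
    error_page 502 503 504 /maintenance.html;
    location = /maintenance.html {
        root /var/www/cavaliba-maintenance;   # assumed directory with a static HTML page
        internal;                             # reachable only through error_page
    }

    location / {
        # HTTP Basic auth handled by the proxy. Create the file once with:
        #   sudo htpasswd -c /etc/nginx/cavaliba.htpasswd alice
        auth_basic           "Cavaliba";
        auth_basic_user_file /etc/nginx/cavaliba.htpasswd;

        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # backend sees the original HTTPS scheme

        # On a connection error, timeout or gateway error, retry on the next node.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_pass http://cavaliba;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
```

Run `sudo nginx -t` before reloading so a typo in the fragment does not take the site down. Keep the htpasswd file readable only by root and the user NGINX runs as, since anyone who can read it can attempt offline guessing of the stored hashes. Note that `deny all` applies to the whole server block, so the maintenance page is also only visible from the allowed ranges.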