SSL (secure sockets layer) is a security protocol that ensures there is an encrypted link between the server and the client. Most people know this as the 's' in https. Without SSL, you can only use http, which is not secured and may be vulnerable to man-in-the-middle attacks or eavesdropping. Adding SSL means that we can use https, which gives a private connection between server and client. SSL is somewhat of an older protocol that has been succeeded by TLS (transport layer security), but the two names are often used interchangeably (like here!).

SSL requires a set of certificates, so that you can prove that 1) you are the server that the client is trying to connect to, and that 2) you aren't trying to impersonate a different server. Certificate authorities, or CAs, grant these certificates. Back in the day you had to pay for them, but these days there is a free (but still secure!) service called Let's Encrypt. They have a number of ways to verify that you are who you claim you are and that you control the website you're trying to secure. One is hosting a unique token as an HTTP resource that Let's Encrypt fetches to verify ownership (the HTTP challenge), and the other is publishing a unique token as a TXT record in your DNS records (the DNS challenge). Let's Encrypt has fairly good documentation; it goes over these methods here.

DNS Configuration

UTAT uses GoDaddy as its domain registrar, and therefore uses GoDaddy's nameservers as the default DNS nameservers. This means that if you want to change DNS records, you must go through the Exec team in order to get access to the utat.ca GoDaddy account.

UTAT-SS currently has two records for our subdomain, spacesys.utat.ca. They are as follows:

CNAME spacesys.utat.ca 60 spacesys-utat.duckdns.org.

CNAME *.spacesys.utat.ca 60 spacesys-utat.duckdns.org.

If you dig these domains, you will instead see them resolve to A records pointing at the current public IP address of UTAT-SS's servers, as provided by the dynamic DNS service that we have running on the EdgeRouter. This is to be expected, since we're using a CNAME (canonical name) record: the resolver follows the alias to spacesys-utat.duckdns.org and returns that name's A record.

For basic site SSL, no further action is needed. However, we want to add SSL to services that are internal to our network, which means that Let's Encrypt can't access them to verify ownership. Therefore, we must also have a GoDaddy API key, so that Let's Encrypt (and certbot) can automatically obtain and renew certificates by adding a temporary TXT record onto the utat.ca DNS records.

NGINX Configuration

This is made very easy by Nginx Proxy Manager! First off, verify that port forwarding is applied correctly. Port 80 should forward to port 80, and port 443 should forward to port 443. This is not how it was set up originally (port 443 was forwarded to port 80, so browsers sent a TLS handshake to a listener that only spoke plain HTTP, causing some exotic browser SSL warnings), and it took quite a few hours to find this quirk!

Now, in Nginx Proxy Manager (accessible at nginx.spacesys.utat.ca only on the local network; if this doesn't resolve, try 10.0.0.150:81), we can create our certificates. We need certs for the following domains: *.spacesys.utat.ca, spacesys.utat.ca, and rocketry.utat.ca. The wildcard domain must use the DNS Challenge, but the other two can use the normal HTTP challenge, which doesn't require the API info. Very conveniently, these will be auto-renewed for us, so we don't have to renew them by hand each time they hit their 90-day expiry. Thanks, certbot!

To apply these certs to domains, you just select the applicable certificate, force HTTPS, and you have encryption! While it's not a must for our use case, it feels pretty good to have that lock icon next to the URL.
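Picking "the applicable certificate" is where wildcard certs trip people up: *.spacesys.utat.ca covers nginx.spacesys.utat.ca but not spacesys.utat.ca itself (hence the separate apex cert above) and not anything two labels deep. The following is an added example, not code from the original page or from Nginx Proxy Manager; the certificate names and SAN lists are constructed to mirror the three certs described above, and the matching follows the RFC 6125 wildcard rules that browsers apply.

```python
"""Which of our Let's Encrypt certificates covers which proxy host?

Added example (not part of the original page). Checks a hostname against
each certificate's Subject Alternative Names using RFC 6125 wildcard rules,
so a cert is never attached to a host it does not cover (browsers would
show a name-mismatch warning instead of the lock icon).
"""

# Constructed sample: the SAN list each of the three certificates carries.
CERTS = {
    "wildcard": ["*.spacesys.utat.ca"],
    "apex": ["spacesys.utat.ca"],
    "rocketry": ["rocketry.utat.ca"],
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Strict RFC 6125 match: '*' may only be the entire leftmost label,
    and it stands in for exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False  # '*' covers one label: a.b.spacesys... is NOT covered
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """True if any SAN on the certificate matches the hostname."""
    return any(hostname_matches(san, hostname) for san in sans)


def pick_certificate(hostname: str, certs=CERTS):
    """Name of the first certificate covering hostname, or None if none does
    (meaning: don't force HTTPS on that proxy host until a cert exists)."""
    for name, sans in certs.items():
        if cert_covers(sans, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ["nginx.spacesys.utat.ca", "spacesys.utat.ca",
                 "rocketry.utat.ca", "a.b.spacesys.utat.ca", "utat.ca"]:
        print(f"{host:28} -> {pick_certificate(host)}")
```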

Confluence Specific Stuff

Confluence is weird, and needs a little help adapting to the change of protocol. Two things must happen for everything to be back and operational.

In the Confluence docker-compose file, change the env variables for Tomcat port, scheme, and secure:

- ATL_PROXY_NAME=spacesys.utat.ca
- ATL_PROXY_PORT=443
- ATL_TOMCAT_SCHEME=https
- ATL_TOMCAT_CONTEXTPATH=/confluence
- ATL_TOMCAT_SECURE=true