Configure your Countly installation to use the HTTPS connection you need to modify your Nginx configuration.
The directory of Nginx configuration depends on the operating system you use, but for our recommended Ubuntu, the Nginx configuration is under /etc/nginx/sites-available/default.
If you would like to have an HTTPS-only connection, then replace the current server clause with the one provided, assuming you would like to have HTTP and HTTPS simultaneously, then add this server clause to the configuration file:
server {
listen 443;
server_name localhost;
access_log off;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_stapling on;
# Use 2048 bit Diffie-Hellman RSA key parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
# when using PFS)
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location = /i {
proxy_pass http://127.0.0.1:3001;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
location ^~ /i/ {
proxy_pass http://127.0.0.1:3001;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
location = /o {
proxy_pass http://127.0.0.1:3001;
}
location ^~ /o/ {
proxy_pass http://127.0.0.1:3001;
}
location / {
proxy_pass http://127.0.0.1:6001;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
}
This configuration uses the latest and most secure protocols and ciphers.
If your localhost is already taken, replace the server_name value from localhost
to the name you would like to use.
Also check that the ssl_certificate points to your certificate bundle and that ssl_certificate_key points to your server key.
If you would like to create a self-signed ssl_certificate and ssl_certificate_key simply run:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/certificate.crt
By default, the Nginx server will use 1024-bit long RSA key parameters to comply with the latest security recommendations. We recommend switching to 2048 bits.
That means you would need to generate your own 2048-bit long params. To do so, run:
openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
(this command could take some time, around a few minutes).
Then set ssl_dhparam to point to your generated dh param file (it already points to the right path with this command).
If you receive the "/etc/nginx/ssl/dhparam2048.pem: No such file or directory" error, run the following code to create the needed directory:
sudo mkdir /etc/nginx/ssl
sudo chown -R root:root /etc/nginx/ssl
sudo chmod -R 600 /etc/nginx/ssl
Then generate your own 2048-bit long params again.
openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
If you replaced your current configuration with the example provided, then you will also want to redirect all HTTP traffic to HTTPS. To do so, add this server clause in the beginning of the configuration file:
server {
listen 80;
server_name localhost;
access_log off;
rewrite ^ https://$host$request_uri? permanent;
}
Replace yourdomain.com with your domain or the IP address where your Countly server is located. Also, use the same value for localhost
that you used in the previous example.
If you did not replace your current configuration with the provided example and would like to Force Redirect Dashboard traffic to HTTPS, modify the "location /" section for the 80 port as shown below:
server {
listen 443;
server_name localhost;
access_log off;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_stapling on;
# Use 2048 bit Diffie-Hellman RSA key parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
# when using PFS)
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
ssl_certificate /etc/nginx/ssl/certificate.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
location / {
rewrite ^ https://yourdomain.com$request_uri? permanent;
}
location = /i {
proxy_pass http://127.0.0.1:3001;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
location ^~ /i/ {
proxy_pass http://127.0.0.1:3001;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
}
location = /o {
proxy_pass http://127.0.0.1:3001;
}
location ^~ /o/ {
proxy_pass http://127.0.0.1:3001;
}
}
Replace yourdomain.com with your domain or the IP address where your Countly server is located.
All that is left to do is reload the Nginx configuration, and the HTTPS connection should work:
sudo nginx -s reload