Configure HTTPS (Recommended)¶
Last Updated: September 2022
SSL and TLS are the standard technologies for establishing a secured connection between a web server and a browser. In order to create a secured connection, a certificate and key are needed.
Important
You will need to have assigned a domain name to the server_name field in the NGINX config.
Certbot¶
Certbot is a tool that automatically administers certificates on websites using Let's Encrypt, a free certificate authority. We recommend using Certbot because it automatically retrieves certificates and updates them regularly. It can also automatically configure NGINX to use the certificates.
Install the Snapcraft (CentOS and Ubuntu < 20 only):
Certbot is distributed with Snapcraft, a universal Linux package manager. Find instructions for installing the Snapcrafed daemon (snapd) on your distribution here: Installing snapd.
Update snapd to make sure you have the latest version:
sudo snap install core sudo snap refresh core
Install Certbot:
sudo snap install --classic certbot
Run the
certbotcommand using the NGINX plugin:sudo certbot --nginx
Note
If the
certbotcommand is not recognized as a command, you'll need to link it to/usr/bin:sudo ln -s /snap/bin/certbot /usr/bin/certbot
Follow the on-screen prompts to complete the process of setting up certbot.
Review the
tethys_nginx.confto see the changes thatcertbotmade:Ubuntu:
cat /etc/nginx/sites-enabled/tethys_nginx.conf
CentOS:
cat /etc/nginx/conf.d/tethys_nginx.conf
Verify that auto-renewal works:
sudo certbot renew --dry-run
That's it! Certbot will take care of automatically updating the certificates from now on. You shouldn't need to run the certbot command again. For additional help with installing and setting up Certbot, see: certbot instructions. Choose Nginx for the first field and either Ubuntu 20 or CentOS 8 for the second field.
Important
If you are using Single Sign On (e.g. Google, Facebook, LinkedIn), there is an additional configuration step that needs to be performed after setting up HTTPS. See Single Sign On and HTTPS.
Manually¶
Alternatively, you can manually configure HTTPS as follows:
Obtain a Certificate
An SSL certificate can be self-signed for testing but should be obtained from a Certificate Authority for a production installation. Search ssl certificate authorities for a list of providers. Most certificate authorities charge a fee for their services, however you can obtain free certificates from Let's Encrypt. If your instance of Tethys Portal is part of a larger organization website, contact your IT department to determine if an agreement with one of these authorities already exists.
Modify NGINX Configuration
Once a certificate is obtained, it needs to be referenced in the NGINX configuration. The configuration file can be found at
<TETHYS_HOME>/tethys_nginx.conf.Change the
listenport to 443 and enable SSL with the following options:server { listen 443 ssl; ssl_certificate /<path_to_your_ssl_certs>/your_domain_name.pem; # (or bundle.crt) ssl_certificate_key /<path_to_your_ssl_certs>/your_domain_name.key; ... }
Tip
If you need your site to be accessible through both secured (https) and non-secured (http) connections, you will need a server block for each type of connection. Simply copy the the server block and paste it below the original server block. Then modify one as show above.
Important
HTTPS traffic is expected to go through port 443 instead of port 80. hence the server block above listens on 443 instead of 80. Be sure to update your firewall accordingly if applicable (see: Firewall Configuration).
Single Sign On and HTTPS¶
If you are using Single Sign On, there is an additional setting you will need to set for Python Social Auth to allow the redirect after login to work properly:
tethys settings --set SOCIAL_AUTH_REDIRECT_IS_HTTPS True