Enabling and configuring SSL


Enabling SSL

By default, the Anaconda Server installation does not require the use of SSL/TLS. To enable SSL/TLS after installation, the following steps must be taken:

  1. Edit your docker-compose.yml file.

    1. Find the Services: section near the top of the file. Then, under the nginx_proxy: portion, add the following lines:

      secrets:
      - source: nginx_key
        target: /etc/nginx/certs/tls.key
      - source: nginx_cert
        target: /etc/nginx/certs/tls.crt
      
    2. Find the Keycloak: section further down in the file. Then, under the environment: portion, add this line:

      - PROXY_ADDRESS_FORWARDING=true
      
  2. Edit your .env file.

    1. Change DOMAIN to new FQDN, if applicable.

    2. Change NGINX_PROXY_PORT to 443.

    3. Change PROTOCOL to https

  3. Edit your /opt/anaconda/repo/config/nginx/conf.d/repo.conf file.

    1. Near the top of the file, change listen 8080; to listen 8080 ssl;.

    2. Add the following lines after the listen 8080 ssl; line:

      ssl_certificate     /etc/nginx/certs/tls.crt;
      ssl_certificate_key /etc/nginx/certs/tls.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      ssl_ciphers         HIGH:!aNULL:!MD5;
      
  4. Add your certificate and private key, named tls.crt and tls.key, to the following directory:

    /opt/anaconda/repo/config/nginx/certs
    
  5. Run the following command from the directory containing docker-compose.yml to apply the changes:

    docker-compose up -d
    

Configuring SSL

The following steps will allow you to configure the SSL:

  1. Add or remove the following lines relating to the SSL in <BASE_INSTALL_DIR>/config/nginx/conf.d/repo.conf, where <BASE_INSTALL_DIR> is the installation directory:

    listen              8080 ssl;
    
    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    
  2. Add or remove certificates from the following directory:

    # Replace <BASE_INSTALL_DIR> with your base install directory.
    <BASE_INSTALL_DIR>/config/nginx/certs
    
  3. Run the following command:

    docker-compose up -d
    

Refer to nginx’s documentation for the standard SSL configuration procedure.