HTTPS

Default Configuration

CloudShark uses nginx as a web server and listens to the external port 443 for HTTPS (SSL).

Configure a certificate keypair

CloudShark ships with a self-signed certificate by default and allows access over HTTPS. The default nginx configuration is located at /usr/cloudshark/etc/nginx.conf.

To use a different certificate keypair that you have generated upload your certificate file to /usr/cloudshark/etc/tls-certificate/cloudshark.crt and the private key to /usr/cloudshark/etc/tls-certificate/cloudshark.key

Then restart the system so ensure that CloudShark will use the new certificate and private key that you have generated and not the default self-signed certificate that ships by default.

 

Restart to update changes

Run the command nginx -s reload to apply the new configuration.

Administrator Notes

Firewall Support

If you are running a firewall you must allow the https service, which runs on port 443 over tcp, through the firewall. Visit our firewall configuration page for information on how to configure this for your OS.

Intermediate SSL Certificates

Some certificates require that an intermediate certificate be installed with the public certificate for the server. These certificates are usually all bundled in the same ZIP archive that the Certificate Authority (CA) provides after signing your CSR (certificate signing request). The certificates must be stored in the ssl_certificate file together, with the server certificate as the first entry, and then its parent intermediate certificate, and then so on for as many intermediate certificates as the CA has provided. The intermediate certificates, as a convention, have file names identical to the certificate subject line.

You can learn the correct order by inspecting the certificate properties of the https site in most GUI web browsers. A final caveat: if the certificate delimiters share a single line, the format will invalidate the entire certificate chain and nginx will indicate an error:

SSL PEM routines:PEM_read_bio:bad end line error  

If this occurs, no harm is done - simply adjust the formatting of your .crt file contents until it is valid.

Note that some certificate authorities provide binary style certificates in DER format. You can convert these to ASCII format (PEM) with the following command:

openssl x509 -in binary_certificate.crt -inform der -outform pem -out ascii_certificate.crt

Private Key Passphrases

Sometimes a key file has a passphrase, so that a human must interactively decrypt the contents right before access.

Please note that CloudShark will not start properly with this configuration. You must remove any passphrases in the key file to allow CloudShark to start automatically. For example, if a key file named cloudshark.key.passphrase contains a passphrase, to remove the passphrase out of the key and save it in a new file called cloudshark.key:

openssl rsa -in cloudshark.key.passphrase -out cloudshark.key

After you have updated the configuration file, you must restart CloudShark for the new changes to take effect.

Remember to make a backup of your public certificate and private key files that are not saved on the same system!