10. SSL Configuration
If you have reached this point, you are probably about to publish to a production environment, so a secure connection is, in most cases, required before going live.
This section explains how to configure and work with SSL secure connections.
The recommended approach to configuring secure connections is through Proxy Pass. Regardless of the HTTP server you use (Nginx or Apache), the setup will be almost the same.
The following is an example configuration for an Nginx server block (VirtualHost):
##
# Redirect all incoming requests to secure connection
##
server {
    listen 80;
    return 301 https://$host$request_uri;
}
##
# Configure SSL proxy pass
##
server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name www.my.domain;
    ssl_certificate /cd/to/my.crt;
    ssl_certificate_key /cd/to/my.key;
    location / {
        # TLS terminates here; traffic to the Node process stays on plain HTTP over loopback
        proxy_pass http://localhost:3000;
        # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket connections pass through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Special thanks go to @dmastag for sharing the Apache configuration.
<VirtualHost *:443>
    ServerName www.my.domain:443
    SSLEngine on
    SSLHonorCipherOrder on
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); every suite listed below is TLS 1.2-only anyway
    SSLProtocol -All +TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLCertificateFile /cd/to/my.crt
    SSLCertificateKeyFile /cd/to/my.key
    SSLCACertificateFile /cd/to/my_ca.crt
    # WebSocket upgrade requests are proxied to the ws:// back end
    # (needs mod_rewrite, mod_proxy and mod_proxy_wstunnel)
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteRule /(.*) ws://localhost:3000/$1 [P,L]
    # Everything else is proxied to the Node process over plain HTTP on loopback
    ProxyPass / http://localhost:3000/ connectiontimeout=5 timeout=3
</VirtualHost>
Within the Angular CLI environments you'll need to set your apiUrl to //www.my.domain, which is later used when configuring the SDK:
export const environment = {
  production: true,
  envName: 'prod',
  apiUrl: '//www.my.domain',
  apiVersion: 'api'
};
NOTE: Notice that we are using // instead of http or https. A URL that starts with // inherits the scheme of the page that loads it, so the SDK will be able to run over both HTTP and HTTPS, for local development and for production.
Then within your main.ts file:
import { LoopBackConfig } from './app/shared/sdk';
import { environment } from './environments/environment';
LoopBackConfig.setBaseURL(environment.apiUrl);
LoopBackConfig.setApiVersion(environment.apiVersion);
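To make the effect of the // prefix concrete, the following added example (not part of the original page or of the SDK) models how a browser resolves apiUrl against the scheme of the loading page, and flags the mixed-content case that a hard-coded http:// URL would cause on an HTTPS page. The resolveEndpoints helper, the base/apiVersion layout and the sample hosts are assumptions made for illustration.

```typescript
// Added example (not FireLoop/SDK code): models how a browser resolves
// the apiUrl from environment.ts against the scheme of the loading page.
type PageScheme = 'http:' | 'https:';

interface ResolvedEndpoints {
  rest: string;          // base URL for REST calls (assumed layout: <base>/<apiVersion>)
  socket: string;        // URL a WebSocket client would need for the same host
  mixedContent: boolean; // true when an HTTPS page would call a plain-HTTP API
}

function resolveEndpoints(apiUrl: string, page: PageScheme, apiVersion: string): ResolvedEndpoints {
  let absolute: string;
  if (/^\/\//.test(apiUrl)) {
    absolute = page + apiUrl;               // protocol-relative: inherit the page scheme
  } else if (/^https?:\/\//i.test(apiUrl)) {
    absolute = apiUrl;                      // hard-coded scheme: used as written
  } else {
    throw new Error('apiUrl must start with //, http:// or https://');
  }
  const secure = /^https:/i.test(absolute);
  const host = absolute.replace(/^https?:\/\//i, '').replace(/\/+$/, '');
  return {
    rest: (secure ? 'https://' : 'http://') + host + '/' + apiVersion,
    socket: (secure ? 'wss://' : 'ws://') + host,
    mixedContent: page === 'https:' && !secure, // browsers block these requests
  };
}

// Constructed sample inputs: production page, local dev page, and a hard-coded http URL.
const sampleCases: Array<[string, PageScheme]> = [
  ['//www.my.domain', 'https:'],
  ['//localhost:3000', 'http:'],
  ['http://www.my.domain', 'https:'],
];
for (const [url, page] of sampleCases) {
  console.log(page, url, JSON.stringify(resolveEndpoints(url, page, 'api')));
}
```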
And that's all... Easy, huh? Nothing else needs to be configured on the LoopBack/FireLoop side. The back-end configuration is left untouched because the project runs over HTTP on your local machine while you keep developing; on the server, Nginx (or Apache, IIS) is the one holding the SSL configuration, and it proxy-passes each request to http://localhost:3000
Follow this thread https://github.com/mean-expert-official/fireloop.io/issues/107#issuecomment-316489886