ssl termination proxy #9

  • By tengu-team
  • Latest version (#9)
  • xenial

Description

You put this charm in front of an HTTP web service to add HTTPS. It deploys a TLS/SSL/HTTPS termination proxy: all HTTPS traffic arriving at this server is decrypted and forwarded to the web service as plain HTTP. The hop behind the proxy is therefore unencrypted, so the web service should only be reachable from the private network, not directly from the Internet.

SSL Termination Proxy

This charm installs an HTTPS reverse proxy (NGINX). The proxy secures traffic to a web service in the private network using a Let's Encrypt HTTPS certificate. The proxy can also add HTTP basic username/password authentication if the credentials config option is set.

This proxy receives an A+ rating on the Qualys SSL Server Test.

How to use

HTTPS proxy

# Deploy your http webservice.
juju deploy jenkins

# Deploy the Proxy.
juju deploy cs:~tengu-team/ssl-termination-proxy
# Expose the proxy.
juju expose ssl-termination-proxy
# Configure your DNS server to point to the ssl-termination-proxy's public IP.
# Let the proxy know what its DNS name is. The name must resolve to the proxy
# from the public Internet, because Let's Encrypt validates it by connecting to it.
# (See https://www.duckdns.org for free DNS names)
juju config ssl-termination-proxy fqdn=www.example.com
# The proxy will now request a certificate from Let's Encrypt.

# Connect the webservice with the proxy.
juju add-relation jenkins ssl-termination-proxy

# Now you can browse to https://www.example.com (the fqdn you configured) and you will reach the webservice.
# Use the name, not https://<proxy-public-ip>: the certificate is issued for the fqdn only,
# so connecting by IP address produces a certificate name-mismatch warning.

OpenStack environments

If you're using an OpenStack private cloud which uses floating IP addresses, you'll need to associate a floating IP address with the ssl-termination-proxy unit before setting the FQDN, and ensure that this FQDN is reachable from the public Internet. This is necessary for the Let's Encrypt registration to complete.

[Optional] Configure basic auth

juju config ssl-termination-proxy credentials="<username> <password>"

Only a single username/password pair is supported for the moment. Be aware that the password is stored in the model configuration: anyone who can run `juju config ssl-termination-proxy` can read it, and the command above also ends up in your shell history. Because the proxy terminates TLS, the credentials are only ever sent over HTTPS by clients.

Note: Authentication is turned off for OPTIONS requests because CORS requires it. During a CORS preflight the browser sends an OPTIONS request without any Authorization header; if that request fails with 401 Unauthorized, the browser never sends the actual cross-origin request. The consequence is that unauthenticated OPTIONS requests do reach the backend, so the backend must not perform any sensitive action in response to OPTIONS.
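As an added illustration, not the NGINX configuration that this charm generates, the server block below shows the behaviour this README describes in the "HTTPS proxy" and "Configure basic auth" sections together: TLS termination with a Let's Encrypt certificate, plain HTTP to the backend, basic authentication, and the OPTIONS exemption for CORS preflight. The certificate paths, the backend address 127.0.0.1:8080, the htpasswd file location and the TLS hardening settings are assumptions chosen for the example, not values taken from the charm.

```nginx
# Illustrative NGINX config (example, not the charm's own). Assumed values:
# certificate under /etc/letsencrypt/live/www.example.com/, backend on
# 127.0.0.1:8080, credentials in /etc/nginx/.htpasswd.

# auth_basic accepts a variable; the special value "off" disables it.
# Mapping OPTIONS to "off" lets CORS preflight requests (which carry no
# credentials) through, while every other method still needs a password.
map $request_method $auth_realm {
    default "Restricted";
    OPTIONS off;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # Hardening of the kind an A+ grade requires: no TLS 1.0/1.1, forward-secret
    # AEAD ciphers only, HSTS. (TLSv1.3 needs nginx 1.13+ built against
    # OpenSSL 1.1.1; drop it on older builds such as the one on xenial.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        auth_basic           $auth_realm;
        auth_basic_user_file /etc/nginx/.htpasswd;

        # The hop to the backend is plain HTTP: it is unencrypted, so the
        # backend must only be reachable from the private network.
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}

# Plain HTTP: answer the Let's Encrypt HTTP-01 challenge, redirect everything else.
server {
    listen 80;
    server_name www.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Two checks worth running against a deployed proxy: `curl -i -X OPTIONS https://www.example.com/` must not return 401, while `curl -i https://www.example.com/` without credentials must; and the X-Forwarded-Proto header is what lets a backend such as Jenkins generate https:// URLs even though it only ever sees http.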

Authors

This software was created in the IBCN research group of Ghent University in Belgium. This software is used in Tengu, a project that aims to make experimenting with data frameworks and tools as easy as possible.

Configuration

contact-email
(string) Contact email for Let's Encrypt.
fqdn
(string) Fully-Qualified Domain Name of the server to register.
port
(int) NGINX listen port. Default: 80
host
(string) Listen address. Default: 127.0.0.1
package_status
(string) The status of service-affecting packages will be set to this value in the dpkg database. Valid values are "install" and "hold". Default: install
extra_packages
(string) Space-separated list of extra deb packages to install.
credentials
(string) Space-separated username and password for basic authentication.
install_keys
(string) List of signing keys for install_sources package sources, per charmhelpers standard format (a YAML list of strings encoded as a string). The keys should be the full ASCII-armoured GPG public keys. While GPG key IDs are also supported and looked up on a keyserver, operators should be aware that this mechanism is insecure. null can be used if a standard package signing key is used that will already be installed on the machine, and for PPA sources where the package signing key is securely retrieved from Launchpad.
install_sources
(string) List of extra apt sources, per charm-helpers standard format (a YAML list of strings encoded as a string). Each source may be either a line that can be added directly to sources.list(5), or in the form ppa:<user>/<ppa-name> for adding Personal Package Archives, or a distribution component to enable.