Enabling and configuring SSL¶
Enabling SSL¶
By default, the Anaconda Server installation does not require the use of SSL/TLS. To enable SSL/TLS after installation, the following steps must be taken:
Edit your
docker-compose.ymlfile.Find the
Services:section near the top of the file. Then, under thenginx_proxy:portion, add the following lines:secrets: - source: nginx_key target: /etc/nginx/certs/tls.key - source: nginx_cert target: /etc/nginx/certs/tls.crt
Find the
Keycloak:section further down in the file. Then, under theenvironment:portion, add this line:- PROXY_ADDRESS_FORWARDING=true
Edit your
.envfile.- Change
DOMAINto new FQDN, if applicable. - Change
NGINX_PROXY_PORTto443. - Change
PROTOCOLtohttps
- Change
Edit your
/opt/anaconda/repo/config/nginx/conf.d/repo.conffile.Near the top of the file, change
listen 8080;tolisten 8080 ssl;.Add the following lines after the
listen 8080 ssl;line:ssl_certificate /etc/nginx/certs/tls.crt; ssl_certificate_key /etc/nginx/certs/tls.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5;
Add your certificate and private key, named
tls.crtandtls.key, to the following directory:/opt/anaconda/repo/config/nginx/certs
Run the following command from the directory containing
docker-compose.ymlto apply the changes:docker-compose up -d
Configuring SSL¶
The following steps will allow you to configure the SSL:
Add or remove the following lines relating to the SSL in
<BASE_INSTALL_DIR>/config/nginx/conf.d/repo.conf, where<BASE_INSTALL_DIR>is the installation directory:listen 8080 ssl; ssl_certificate /etc/nginx/certs/tls.crt; ssl_certificate_key /etc/nginx/certs/tls.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5;
Add or remove certificates from the following directory:
# Replace <BASE_INSTALL_DIR> with your base install directory. <BASE_INSTALL_DIR>/config/nginx/certs
Run the following command:
docker-compose up -d
Refer to nginx’s documentation for the standard SSL configuration procedure.