Enabling and configuring SSL


Enabling SSL

By default, the Anaconda Server installation does not require the use of TLS/SSL certificates. You can enable the use of TLS/SSL after installation by completing the following steps:

  1. Edit your docker-compose.yml file.

    1. Find the Services: section near the top of the file. Then, under the nginx_proxy: portion, add the following lines:

      secrets:
      - source: nginx_key
        target: /etc/nginx/certs/tls.key
      - source: nginx_cert
        target: /etc/nginx/certs/tls.crt
      
    2. Find the Keycloak: section further down in the file. Then, under the environment: portion, add this line:

      - PROXY_ADDRESS_FORWARDING=true
      
  2. Edit your .env file.

    1. Change DOMAIN to your new FQDN, if applicable.
    2. Change NGINX_PROXY_PORT to 443.
    3. Change PROTOCOL to https.
  3. Edit your /opt/anaconda/repo/config/nginx/conf.d/repo.conf file.

    1. Near the top of the file, change listen 8080; to listen 8080 ssl;.

    2. Add the following lines after the listen 8080 ssl; line:

      ssl_certificate     /etc/nginx/certs/tls.crt;
      ssl_certificate_key /etc/nginx/certs/tls.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      ssl_ciphers         HIGH:!aNULL:!MD5;
      
  4. Add your certificate and private key, named tls.crt and tls.key, to the following directory:

    /opt/anaconda/repo/config/nginx/certs
    
  5. Run the following command from the directory containing docker-compose.yml to apply the changes:

    docker-compose up -d
    

Configuring SSL

To change the SSL configuration after it has been enabled, complete the following steps:

  1. Add or remove the following SSL-related lines in <BASE_INSTALL_DIR>/config/nginx/conf.d/repo.conf, where <BASE_INSTALL_DIR> is the installation directory:

    listen              8080 ssl;
    
    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    
  2. Add or remove certificates from the following directory:

    # Replace <BASE_INSTALL_DIR> with your base install directory.
    <BASE_INSTALL_DIR>/config/nginx/certs
    
  3. Run the following command:

    docker-compose up -d
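Because the Enabling SSL and Configuring SSL procedures above spread one change across three files (.env, repo.conf and the certs directory), a mismatch between them (for example PROTOCOL=https with a repo.conf that still says listen 8080;) silently leaves the proxy on plain HTTP. The following added example is not part of the Anaconda Server documentation or product; it is a small pre-flight check to run before docker-compose up -d. It parses the .env and repo.conf contents with naive one-directive-per-line parsers, flags the settings the steps above require, and reports legacy TLS versions if any were left in ssl_protocols. The sample .env and repo.conf strings are constructed to match the values given in the steps; the file paths passed on the command line are assumptions for your installation.

```python
import sys
from pathlib import Path

# Constructed sample inputs reflecting the values the steps above ask for.
SAMPLE_ENV = """\
DOMAIN=repo.example.internal
NGINX_PROXY_PORT=443
PROTOCOL=https
"""

SAMPLE_REPO_CONF = """\
server {
    listen              8080 ssl;
    ssl_certificate     /etc/nginx/certs/tls.crt;
    ssl_certificate_key /etc/nginx/certs/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}
"""

# Protocol versions that should never appear in ssl_protocols.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_env(text):
    """Parse KEY=VALUE lines of a .env file into a dict (comments and blanks skipped)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def parse_nginx_directives(text):
    """Collect nginx directives as name -> list of argument lists.

    Naive on purpose: one directive per line, terminated by ';'. Enough for
    the handful of lines repo.conf needs for TLS.
    """
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def missing_cert_files(certs_dir):
    """Return the names of tls.crt / tls.key that are absent from certs_dir."""
    return sorted(name for name in ("tls.crt", "tls.key")
                  if not (Path(certs_dir) / name).is_file())


def check_tls_config(env_text, conf_text):
    """Return a list of human-readable problems; an empty list means the two files agree."""
    problems = []
    env = parse_env(env_text)
    if env.get("PROTOCOL", "").lower() != "https":
        problems.append("PROTOCOL is not https")
    if env.get("NGINX_PROXY_PORT") != "443":
        problems.append(f"NGINX_PROXY_PORT is {env.get('NGINX_PROXY_PORT')!r}, expected 443")
    if not env.get("DOMAIN"):
        problems.append("DOMAIN is not set")

    d = parse_nginx_directives(conf_text)
    if not any("ssl" in args for args in d.get("listen", [])):
        problems.append("no 'listen ... ssl;' directive: nginx would still serve plain HTTP")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in d:
            problems.append(f"missing {name}")
    protocols = set(sum(d.get("ssl_protocols", []), []))
    if not protocols:
        problems.append("ssl_protocols not set (nginx defaults apply)")
    legacy = protocols & LEGACY_PROTOCOLS
    if legacy:
        problems.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    return problems


if __name__ == "__main__":
    # Usage (paths are assumptions): python check_tls.py .env repo.conf certs_dir
    if len(sys.argv) == 4:
        env_text, conf_text = Path(sys.argv[1]).read_text(), Path(sys.argv[2]).read_text()
        found = check_tls_config(env_text, conf_text)
        found += [f"{n} not found in {sys.argv[3]}" for n in missing_cert_files(sys.argv[3])]
    else:
        found = check_tls_config(SAMPLE_ENV, SAMPLE_REPO_CONF)
    print("OK: .env and repo.conf agree" if not found else "\n".join("PROBLEM: " + p for p in found))
    sys.exit(1 if found else 0)
```

The check does not verify that tls.crt and tls.key form a matching pair or that the certificate's subject alternative name covers DOMAIN; those belong in a separate openssl step, and a mismatch there fails at container start rather than silently.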
    

Refer to nginx’s documentation for the standard SSL configuration procedure.

Updating URL/URIs in Keycloak

Once your SSL cert and key are in place, you will need to update Keycloak so that its root URL and its valid redirect URIs point to your new domain.

  1. Navigate to your Keycloak instance at <FQDN>/auth/admin and log in.
  2. Select Clients from the left-hand navigation.
  3. Select repo-service from the list of available clients.
  4. On the Settings tab, update your root URL and any necessary valid redirect URIs.

Rebuilding your channel index

Migrating from HTTP to HTTPS or updating your FQDN will alter the file path to your channel’s packages. You must rebuild your channel index to correct the file path. If you do not, you will be unable to successfully download packages after migrating.