Nginx with SSL Certificates
We highly recommend that you run the OpenL2M application on a secure web server. Here are steps to add a CA-signed SSL certificate to the Nginx configuration. You can also use a self-signed certificate, but that is left as an exercise to the reader.
For more details, also see https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
Note: if you want to run OpenL2M on an existing Nginx install that already has an SSL website on it, you will need to look at the SNI or “Server Name Indication” capability. There are numerous tutorials around that show you how to configure this.
Django Configuration
When you enable SSL, you need to add two settings to openl2m/configuration.py to make SSL more secure:
# if using SSL, these should be set to True:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
Prepare Nginx for SSL
First we create the directory to hold your SSL keys and certificate:
mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
# remove all group and other permissions, so only root can enter this directory
chmod g-rwx,o-rwx .
This assumes your private key is installed in /etc/nginx/ssl, and that this directory is only accessible by the ‘root’ account. If your organization has different security requirements, change this as appropriate.
Create a strong Diffie-Hellman group
Run the following command to generate a good base for the SSL encryption. This will take a while, be patient:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Create a new Certificate Signing Request
As root, run the following commands to create a CSR:
cd /etc/nginx/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout openl2m.key -out openl2m.csr
On the last line, we generate the CSR. Fill in the questions as applicable to your organization.
Upload the CSR to your CA account
You now need to login to your favorite Certificate Authority account to generate a signed SSL certificate from the CSR. This process is very CA dependent, and will be left up to the reader.
Install the Signed Certificate
Once the certificate is issued or generated, download the X509 format file (*.cer) to the /etc/nginx/ssl directory. Name this file openl2m.crt.
Reconfigure for SSL
Copy the “openl2m-ssl.conf” to nginx as a new site, and enable it:
cp ./scripts/openl2m-ssl.conf /etc/nginx/sites-available/openl2m-ssl
ln -s /etc/nginx/sites-available/openl2m-ssl /etc/nginx/sites-enabled/openl2m-ssl
Modify this file to set your proper domain name!
Next modify the regular port 80 default site to do a redirect to the SSL site:
vi /etc/nginx/sites-available/openl2m
and replace the content with the following. Note this is available in the scripts directory as openl2m-redirect.conf:
server {
    listen 80;
    server_name openl2m.yourcompany.com;
    return 301 https://openl2m.yourcompany.com/;
}
Again, modify your domain name accordingly!
Finally, test the config:
nginx -t
Solve any errors that may show. If all is OK, restart Nginx, and you should have an SSL web site up:
sudo systemctl restart nginx
Renewing your SSL certificate
Renew the certificate at your CA. Download the new certificate in X509/.cer format. Replace the content of /etc/nginx/ssl/openl2m.crt with this new certificate. Then restart nginx per the above.
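Before running nginx -t after the initial install, and again after each renewal, it is worth confirming that the files in /etc/nginx/ssl are consistent: the key matches the certificate, the certificate covers the server_name and is not about to expire, and the key is not readable by other accounts. The script below is an added example, not part of the OpenL2M project; SSL_DIR is an assumed environment override for testing, and the 14-day renewal threshold is an assumption.

```shell
#!/bin/sh
# Added example, not part of the OpenL2M project: sanity-check the files this
# page places under /etc/nginx/ssl before "nginx -t", and again after every
# renewal. SSL_DIR is an assumed override (defaults to the page's directory).
set -u
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"

# 0 if the private key and certificate belong together. Comparing the public
# key from each side (rather than the RSA modulus) also works for EC keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# 0 if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the certificate's CN or a SAN entry covers the nginx server_name.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if group and other have no permission bits at all (the chmod step above).
mode_is_private() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$m" in *00) return 0 ;; *) return 1 ;; esac
}

# Run every check for one site; print each finding and return 1 on any failure.
check_ssl_dir() {
    dir="$1" name="$2" rc=0
    key_matches_cert "$dir/openl2m.key" "$dir/openl2m.crt" || { echo "FAIL: openl2m.key does not match openl2m.crt"; rc=1; }
    cert_valid_for_days "$dir/openl2m.crt" 14 || { echo "FAIL: openl2m.crt expires within 14 days, renew it"; rc=1; }
    cert_covers_name "$dir/openl2m.crt" "$name" || { echo "FAIL: openl2m.crt does not cover $name"; rc=1; }
    mode_is_private "$dir" || { echo "FAIL: $dir is accessible to group/other"; rc=1; }
    mode_is_private "$dir/openl2m.key" || { echo "FAIL: openl2m.key is readable by group/other"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir ready for $name"
    return "$rc"
}

# Usage: sh check-ssl.sh openl2m.yourcompany.com   (does nothing without a name)
[ "$#" -gt 0 ] && check_ssl_dir "$SSL_DIR" "$1"
```

A failing key/certificate check is the usual cause of nginx refusing to start after a renewal, when the CA re-keyed the certificate but the old openl2m.key was kept.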