HTTPS Configuration
This guide explains how to configure HTTPS to secure PCH-SIG in production.
Why HTTPS?
- Encryption: Data is encrypted in transit
- Authentication: Verifies server identity
- Integrity: Protects against modifications
- Compliance: Required for sensitive data
Architecture
With reverse proxy
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ Client │────▶│ Nginx HTTPS │────▶│ Application │
│ (Browser) │ │ (Termination) │ │ (local HTTP) │
│ │ │ :443 │ │ :3000, :8000 │
└─────────────────┘ └─────────────────┘ └─────────────────┘
The Nginx reverse proxy handles HTTPS and forwards requests in HTTP to internal containers.
Obtain a certificate
Let's Encrypt certificate (recommended)
# Install Certbot
apt-get install certbot
# Generate certificate
certbot certonly --standalone -d pch-sig.example.com
# Certificates are in:
# /etc/letsencrypt/live/pch-sig.example.com/fullchain.pem
# /etc/letsencrypt/live/pch-sig.example.com/privkey.pem
Self-signed certificate (development)
# Create directory
mkdir -p deploy/certs
# Generate certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout deploy/certs/server.key \
-out deploy/certs/server.crt \
-subj "/CN=localhost"
Enterprise certificate
Contact your security team to obtain a certificate signed by an internal authority.
Nginx configuration
HTTPS configuration file
File: deploy/nginx-conf/https.conf
# HTTP to HTTPS redirect
server {
listen 80;
server_name pch-sig.example.com;
return 301 https://$server_name$request_uri;
}
# HTTPS configuration
server {
listen 443 ssl http2;
server_name pch-sig.example.com;
# Certificates
ssl_certificate /etc/nginx/certs/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/privkey.pem;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
# SSL Session
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Site root
root /usr/share/nginx/html;
index index.html;
# Compression
gzip on;
gzip_types text/plain text/css application/json application/javascript;
# Frontend SPA
location / {
try_files $uri $uri/ /index.html;
}
# API Proxy
location /api {
proxy_pass http://pch_nginx_backend:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
Docker Compose
Configuration with HTTPS
# docker-compose.https.yml
version: '3.8'
services:
frontend:
image: nginx:alpine
ports:
- "80:80"
- "443:443"
volumes:
- ./frontend/build:/usr/share/nginx/html:ro
- ./nginx-conf/https.conf:/etc/nginx/conf.d/default.conf:ro
- ./certs:/etc/nginx/certs:ro
depends_on:
- backend
Start with HTTPS
docker compose -f docker-compose.yml -f docker-compose.https.yml up -d
Automatic renewal
Renewal script
#!/bin/bash
# renew-certs.sh
# Renew
certbot renew --quiet
# Copy certificates
cp /etc/letsencrypt/live/pch-sig.example.com/fullchain.pem /path/to/deploy/certs/
cp /etc/letsencrypt/live/pch-sig.example.com/privkey.pem /path/to/deploy/certs/
# Reload Nginx
docker exec pch_frontend nginx -s reload
Cron job
# Add to crontab
0 0 1 * * /path/to/renew-certs.sh
Backend configuration
Trusted proxies
File: backend/config/packages/framework.yaml
framework:
trusted_proxies: '%env(TRUSTED_PROXIES)%'
trusted_headers: ['x-forwarded-for', 'x-forwarded-host', 'x-forwarded-proto']
Environment variable
# .env
TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR,172.0.0.0/8
Test configuration
Verify certificate
# With openssl
openssl s_client -connect pch-sig.example.com:443 -servername pch-sig.example.com
# With curl
curl -v https://pch-sig.example.com/
SSL Labs Test
Use SSL Labs Server Test to verify configuration.
Local checks
# Check ports
netstat -tlnp | grep -E "(80|443)"
# Test redirect
curl -I http://pch-sig.example.com
# Should return 301 to HTTPS
Content Security Policy
CSP configuration
add_header Content-Security-Policy "
default-src 'self';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' data: https:;
font-src 'self';
connect-src 'self' https://api.example.com;
frame-ancestors 'none';
" always;
Troubleshooting
Certificate error
# Verify certificate
openssl x509 -in /path/to/cert.pem -text -noout
# Verify chain
openssl verify -CAfile /path/to/ca.pem /path/to/cert.pem
Mixed content
Make sure all resources are loaded over HTTPS:
# Force HTTPS for all content
add_header Content-Security-Policy "upgrade-insecure-requests" always;
Proxy error
# Check headers
curl -I https://pch-sig.example.com/api/health
# Headers should include:
# X-Forwarded-Proto: https
Windows Server environment
PowerShell configuration
# Import a PFX certificate
$cert = Import-PfxCertificate -FilePath "C:\pch-sig\certs\server.pfx" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-Password (ConvertTo-SecureString -String "password" -AsPlainText -Force)
# Bind to port 443
netsh http add sslcert ipport=0.0.0.0:443 certhash=$cert.Thumbprint appid='{00000000-0000-0000-0000-000000000000}'
HTTPS proxy to Docker
# Local HTTPS redirect to Docker
netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=192.168.99.100
Production checklist
- Valid certificate signed by recognized CA
- Automatic renewal configured
- HSTS enabled
- TLS 1.2+ only
- Secure ciphers
- OCSP Stapling enabled
- Security headers configured
- HTTP to HTTPS redirect
- SSL Labs test grade A or A+