Https in swish

Hi all,
I would like to add https support to http://cplint.eu but I have no idea where to start, any suggestion?

Thanks
Fabrizio

  1. Get a certificate from a certificate authority; everyone nowadays is using Let’s Encrypt as it is free: Getting Started - Let’s Encrypt. This certificate needs to have a domain name associated, in this case cplint.eu. Note that the certificates need to be renewed periodically (so you need to set up a cron job to renew the certificates before they expire).
  2. Now you need to serve https to the clients. You can do this in two ways:
    2.1. Use a proxy, like haproxy or nginx to connect clients to your prolog server. The prolog server can still serve http.
    2.2. Serve https directly from prolog. Use the ssl(SSLOpts) option for http_server/2.

I’d rather use 2.2 to have the least amount of components, but if you plan on load balancing haproxy is a good option. Perhaps someone else has more/better tips.

thanks


I’m using a reverse proxy with apache without load balancing, can I do 2.1 without touching the prolog part?

Yes. You do need to proxy websockets to /chat. The nginx proxy config for https://swish.swi-prolog.org goes like this (nginx running on the host, Prolog running inside an LXC container on the host). Don’t ask me for Apache …

```nginx
# Plain http: redirect everything to https
server {
        listen 80;

        server_name swish.swi-prolog.org swish.simply-logical.space;
        return 302 https://$host$request_uri;
}

server {
        server_name swish.swi-prolog.org swish.simply-logical.space;
        set $container swish.lxc;

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/swish.swi-prolog.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/swish.swi-prolog.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

        # Ordinary HTTP traffic to the Prolog server in the container
        location / {
                resolver 10.0.3.1;
                proxy_pass http://$container$request_uri;
                proxy_http_version 1.1;
                proxy_buffering off;
                client_body_buffer_size 100k;
                proxy_cache off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-geoip-city $geoip_city;
                proxy_set_header X-geoip-latitude $geoip_latitude;
                proxy_set_header X-geoip-longitude $geoip_longitude;
                proxy_read_timeout 86400;
        }

        # Websocket endpoint: needs the Upgrade/Connection headers passed through
        location /chat {
                resolver 10.0.3.1;
                proxy_pass http://$container$request_uri;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Real-IP $remote_addr;
                proxy_read_timeout 86400;
        }
}
```
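For the Apache reverse-proxy case asked about above, here is an added example (not from the thread's authors) that does the same job as the nginx config: redirect port 80, terminate TLS with the certbot certificate, and proxy the /chat websocket separately from ordinary HTTP. It assumes Prolog listens on plain http at 127.0.0.1:3050, that the certificate lives under /etc/letsencrypt/live/cplint.eu/ and that certbot's options-ssl-apache.conf exists; adjust those to your setup.

```apache
# Added example, not from the thread. Assumed: SWISH/Prolog on 127.0.0.1:3050,
# certbot certificate for cplint.eu. Modules needed: ssl, proxy, proxy_http,
# proxy_wstunnel, headers.

# Port 80 only redirects to https (same role as the nginx "return 302" block).
<VirtualHost *:80>
    ServerName cplint.eu
    Redirect 302 / https://cplint.eu/
</VirtualHost>

<VirtualHost *:443>
    ServerName cplint.eu

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/cplint.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cplint.eu/privkey.pem
    # certbot's recommended protocol/cipher settings (path assumed)
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Keep the client's Host header so Prolog generates correct absolute URLs;
    # mod_proxy adds X-Forwarded-For by itself.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # ProxyPass rules match in declaration order, so the websocket endpoint
    # must come before the catch-all "/" rule.
    ProxyPass        /chat ws://127.0.0.1:3050/chat
    ProxyPassReverse /chat ws://127.0.0.1:3050/chat

    # Everything else is ordinary HTTP; the long timeout keeps idle
    # connections open, like proxy_read_timeout 86400 in the nginx config.
    ProxyPass        / http://127.0.0.1:3050/ timeout=86400
    ProxyPassReverse / http://127.0.0.1:3050/
</VirtualHost>
```

After `certbot renew` Apache must be reloaded to pick up the new certificate; the Prolog side needs no change since it keeps serving plain http on the loopback address.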