Skip to content

10. SSL Configuration

Jonathan Casarrubias edited this page Jul 26, 2017 · 5 revisions

LoopBack SDK Builder

Working with SSL Secure Connections

If you have reached this point, it is really possible that you are about to publish to production environment, therefore a secure connection is -in most of the cases- required before going live.

This section will explain how to configure and work with SSL secure connections.

SSL over HTTP Server Proxy Pass (Recommended)

The recommended approach to configure secure connections is through Proxy Pass. Regardless the HTTP server you like you use (Nginx or Apache) the setup will almost be the same.

Nginx Block Example

The following is an example configuration for a Nginx Block (VirtualHost):

##
# Redirect all incoming requests to secure connection
##
server {
  listen 80;
  return 301 https://$host$request_uri;
}
##
# Configure SSL proxy pass
##
server {
        listen 443;
        server_name www.my.domain;

        ssl on;
        ssl_certificate      /cd/to/my.crt;
        ssl_certificate_key  /cd/to/my.key;

        location / {
                proxy_pass http://localhost:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}

Apache Virtual Host

Special thanks go to @dmastag for sharing the Apache configuration.

<VirtualHost *:443>

  Servername          www.my.domain:443

  SSLEngine           on
  SSLHonorCipherOrder on
  SSLProtocol         -All +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3
  SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  
  SSLCertificateFile    /cd/to/my.crt
  SSLCertificateKeyFile /cd/to/my.key
  SSLCACertificateFile  /cd/to/my_ca.crt

  RewriteEngine On
  RewriteCond %{HTTP:Connection} Upgrade [NC]
  RewriteRule /(.*) ws://localhost:3000/$1 [P,L]

  ProxyPass / http://localhost:3000/ connectiontimeout=5 timeout=3
</VirtualHost> 

Configure Angular CLI

Within the Angular CLI environments you'll need to configure your apiUrl as follows //www.my.domain which is later used when configuring the SDK.

export const environment = {
  production: true,
  envName : 'prod',
  apiUrl : '//www.my.domain',
  apiVersion : 'api'
};

NOTE: Please check we are using // instead of http or https, by doing this the SDK will be able run in both HTTP and HTTPS for local development and for production

Then within your main.ts file

import { LoopBackConfig } from './app/shared/sdk';
import { environment } from './environments/environment';

LoopBackConfig.setBaseURL(environment.apiUrl);
LoopBackConfig.setApiVersion(environment.apiVersion);

And that's all... Easy huh?! other than that there is nothing else configured within in the LoopBack/FireLoop side, we left the back-end configurations untouched because in your local while you keep developing the project, it will run through HTTP, once in the server Nginx (or Apache, IIS) is the one with SSL configuration but then it proxy passes the request to http://localhost:3000

SSL over NodeJS / LoopBack

Follow this thread https://github.com/mean-expert-official/fireloop.io/issues/107#issuecomment-316489886