Securing Zegami with SSL

The default Zegami installation on Linux contains a self-signed SSL certificate which is created during installation. Browsers cannot validate a self-signed certificate and will warn users on every visit, so for both security and usability it is advisable to replace it with an organisational SSL certificate.

Creating an SSL Certificate

Your organisation will normally have a policy on how SSL certificates are created; typically this is done through an IT support request. As a quick guide, you first create a private key and a certificate signing request (CSR) for the hostname you want to serve Zegami on, then send the CSR (never the private key) to a certificate authority such as GoDaddy to obtain a signed certificate. Make sure the certificate uses a strong, current key size and signature algorithm: browsers reject weak ones, and Zegami will not work in a browser that rejects the certificate. The certificate authority (or your IT department) will then send back a zipfile containing the signed certificate and its intermediate certificates.

Linux installation

The signed certificates (your server certificate followed by the certificate authority's intermediate certificates) should be combined into a single "chain" file as described here.

Save the chain file and the key file to locations like these, using tools such as cat and scp:

/opt/zegami_python/anaconda/etc/ssl/mydomain.key
/opt/zegami_python/anaconda/etc/ssl/mydomain_chain.crt

Ensure these belong to the zegami user and can only be read by that user:

sudo chown -R zegami:zegami /opt/zegami_python/anaconda/etc/ssl/
sudo chmod -R 700 /opt/zegami_python/anaconda/etc/ssl/
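The following script is an added example, not part of the Zegami documentation, covering both the key/CSR step from the section above and the chain, copy and permission steps of this section. The certificate authority is a constructed stand-in (a throwaway root and intermediate), so everything runs offline in a scratch directory; WORK, DOMAIN and OWNER are assumed variable names. The functions assemble the chain leaf-first, confirm that the chain validates and that the private key matches the certificate, then apply the ownership and mode restrictions, all before anything is copied under /opt/zegami_python/anaconda/etc/ssl.

```shell
#!/bin/sh
# Added example, not part of the Zegami documentation: generate a key and CSR, assemble
# the chain file, sanity-check it, and lock down permissions before pointing nginx at it.
# Runs entirely in a scratch directory; the CA below is a constructed stand-in so the
# example works offline. WORK, DOMAIN and OWNER are assumed names, overridable via env.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # stands in for /opt/zegami_python/anaconda/etc/ssl
DOMAIN="${DOMAIN:-zegami.example.org}"  # hypothetical hostname; use the real Zegami FQDN
OWNER="${OWNER:-zegami}"                # service account that nginx/Zegami run as

# Step 1 ("Creating an SSL Certificate"): private key plus CSR. Only the CSR leaves the
# host; the key stays here. RSA 2048 with SHA-256 is the floor browsers accept today.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/mydomain.key" -out "$WORK/mydomain.csr" \
        -subj "/CN=$DOMAIN" >/dev/null 2>&1
}

# Constructed stand-in for the real CA: a throwaway root and an intermediate that signs
# our CSR. In production you instead unpack mydomain.crt and intermediate.crt from the
# zipfile the CA (or your IT department) sends back.
fake_ca_sign() {
    # Both CA certificates must be explicitly marked as CAs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Example Root (constructed)" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
        -subj "/CN=Example Intermediate (constructed)" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/intermediate.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/mydomain.csr" \
        -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -out "$WORK/mydomain.crt" >/dev/null 2>&1
}

# Step 2 ("Linux installation"): the chain file is the server certificate followed by the
# intermediate(s). nginx sends the file to clients as-is, so the order matters.
build_chain() {
    cat "$WORK/mydomain.crt" "$WORK/intermediate.crt" > "$WORK/mydomain_chain.crt"
}

# The first certificate in the chain must be issued by the second. A reversed chain is
# the classic mistake, and nginx will load it without complaint.
chain_order_ok() {
    leaf_issuer=$(openssl x509 -in "$WORK/mydomain_chain.crt" -noout -issuer)
    second_subject=$(awk '/BEGIN CERT/ { n++ } n == 2' "$WORK/mydomain_chain.crt" \
        | openssl x509 -noout -subject)
    [ "${leaf_issuer#issuer=}" = "${second_subject#subject=}" ]
}

# The whole chain must validate back to the root the CA published.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
        "$WORK/mydomain.crt" >/dev/null 2>&1
}

# The private key must belong to the leaf certificate (openssl x509 reads the first
# certificate in the chain file); compare the two public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/mydomain_chain.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/mydomain.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 3: the docs use chmod -R 700; 700 on the directory and 600 on the files gives the
# same effect without a needless execute bit. chown needs root and an existing account,
# so it is skipped otherwise; the mode check below always applies.
lock_down() {
    chmod 700 "$WORK"
    chmod 600 "$WORK/mydomain.key" "$WORK/mydomain_chain.crt"
    if [ "$(id -u)" -eq 0 ] && id "$OWNER" >/dev/null 2>&1; then
        chown -R "$OWNER:$OWNER" "$WORK"
    fi
}

# Succeeds only if the key is readable by its owner alone.
key_is_private() {
    mode=$(stat -c '%a' "$WORK/mydomain.key" 2>/dev/null || stat -f '%Lp' "$WORK/mydomain.key")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

run_all() {
    make_key_and_csr && fake_ca_sign && build_chain && lock_down \
        && chain_order_ok && verify_chain && key_matches_cert && key_is_private \
        && echo "chain and key ready in $WORK; copy them to the nginx ssl directory"
}

run_all
```

With real CA output, drop fake_ca_sign and point verify_chain at the root bundle your CA publishes; the remaining checks apply unchanged to the files you copy into /opt/zegami_python/anaconda/etc/ssl.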

The next step is to point nginx at the certificate files. This is done by editing the file:

/opt/zegami/conf/nginx.conf

(formerly /opt/zegami_python/anaconda/etc/nginx/nginx.conf)

The lines of interest are the SSL certificate, SSL certificate key and the https 301 redirect which ensures all traffic goes to HTTPS.

Change the file so that it reads as below.

# template for zegami with a custom SSL certificate

daemon off;
worker_processes  1;

events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;

    keepalive_timeout  65;
    server {
        listen      80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen      443;
        ssl    on;
        ssl_certificate    /opt/zegami_python/anaconda/etc/ssl/mydomain_chain.crt;
        ssl_certificate_key    /opt/zegami_python/anaconda/etc/ssl/mydomain.key;
        server_name localhost;
        charset     utf-8;
        client_max_body_size 75M;

        location / {
            try_files $uri @yourapplication;
        }
        location @yourapplication {
            include uwsgi_params;
            uwsgi_pass unix:/tmp/zegami-uwsgi.sock;
        }
    }

}

Finally, restart nginx to see the changes take effect by running:

sudo supervisorctl restart zegami_nginx