Availability Premium
This article explains how to secure your on-premise installation of Meisterplan with an SSL Proxy.
Recommended: SSL Using mpctl
The following section provides a step-by-step guide on how to add SSL encryption using the mpctl binary. This is the recommended approach.
- Provide SSL certificates:
  a) If you already have SSL certificates for your machine, copy them to the ssl-certs directory of your installation. The public key (certificate) and private key files are expected to be named
  cert.crt
  and
  cert.key
  b) If you do not have any certificates, you can generate a self-signed certificate with openssl by executing the following command in the root directory of your installation:
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ssl-certs/cert.key -out ./ssl-certs/cert.crt
- Execute the command
  mpctl enablessl
  The application is restarted automatically, and it is available via https only from now on.
Alternative: SSL Using Your Own Proxy Server
We recommend using mpctl to encrypt the connections via SSL (see the previous section). However, you can also use other third-party software. This can be useful if you plan to install the proxy on another machine or if you already have an existing proxy in your infrastructure.
Requirements
A few requirements must be met to ensure that Meisterplan works properly behind your reverse proxy, when you are using software other than mpctl:
- The following X-Forwarded-* headers must be set:
- X-Forwarded-Proto
- X-Forwarded-Host
- X-Forwarded-Port
- Websocket packets must be allowed, as Meisterplan uses Websockets to distribute changes between clients.
- The following HTTP methods must be supported:
- GET
- POST
- PUT
- DELETE
- OPTIONS
- PATCH
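To make the purpose of the X-Forwarded-* and WebSocket requirements concrete, here is an added example (not part of the original article and not Meisterplan's own code) of what a backend behind a reverse proxy has to do with those headers: it reconstructs the client-facing base URL from X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port, reports which of the required headers a proxy failed to set, and checks whether a WebSocket handshake survived the hop. The function names and the sample request headers are constructed for this example; the host names follow the article.

```python
"""Added example: what a backend sees behind a reverse proxy.

Reconstructs the client-facing base URL from X-Forwarded-Proto/-Host/-Port
and checks that a WebSocket handshake survived the proxy. Function names and
sample headers are constructed for this example; host names follow the article.
"""

DEFAULT_PORTS = {"http": 80, "https": 443}

REQUIRED_FORWARDED = ("X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-Port")


def _lower(headers):
    """Header names are case-insensitive; normalise them once."""
    return {k.lower(): v for k, v in headers.items()}


def external_base_url(headers, internal_host="mpsv1.server.mycorp.com"):
    """Return scheme://host[:port] as the browser addressed it.

    Falls back to the Host header and then to the backend's own address when
    the proxy did not set the forwarded headers. That fallback is how http://
    links to the internal server end up in redirects and WebSocket URLs.
    """
    h = _lower(headers)
    # A chain of proxies may append values; the first one is the client-facing hop.
    proto = h.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", h.get("host", internal_host)).split(",")[0].strip()
    port = h.get("x-forwarded-port", "").split(",")[0].strip()
    # The Host value may carry its own port ("name:8443"); an explicit
    # X-Forwarded-Port takes precedence. Bracketed IPv6 literals are left as-is.
    if ":" in host and not host.startswith("["):
        host, _, host_port = host.rpartition(":")
        port = port or host_port
    port_num = int(port) if port else DEFAULT_PORTS.get(proto, 0)
    if port_num == DEFAULT_PORTS.get(proto):
        return f"{proto}://{host}"
    return f"{proto}://{host}:{port_num}"


def missing_forwarded_headers(headers):
    """Names from the requirements list that the proxy failed to set."""
    present = _lower(headers)
    return [name for name in REQUIRED_FORWARDED if name.lower() not in present]


def is_websocket_upgrade(headers):
    """True if the Upgrade/Connection handshake headers reached the backend intact."""
    h = _lower(headers)
    connection_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return h.get("upgrade", "").lower() == "websocket" and "upgrade" in connection_tokens


# Constructed sample requests as the backend would receive them.
VIA_NGINX = {  # what the proxy_set_header lines of the Nginx configuration produce
    "Host": "meisterplan.mycorp.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "meisterplan.mycorp.com",
    "X-Forwarded-Port": "443",
    "X-Forwarded-For": "198.51.100.23",
}
VIA_NGINX_WEBSOCKET = dict(VIA_NGINX, Upgrade="websocket", Connection="Upgrade")
NO_FORWARDED_HEADERS = {"Host": "mpsv1.server.mycorp.com"}  # proxy without the required headers
HOST_ONLY_PRESERVED = {"Host": "meisterplan.mycorp.com:8443", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for name, sample in [("nginx", VIA_NGINX), ("no forwarded headers", NO_FORWARDED_HEADERS),
                         ("host only", HOST_ONLY_PRESERVED)]:
        print(f"{name:>22}: {external_base_url(sample)}  missing={missing_forwarded_headers(sample)}")
    print("websocket handshake forwarded:", is_websocket_upgrade(VIA_NGINX_WEBSOCKET))
```

The second sample shows the failure the requirements guard against: without the forwarded headers the backend can only derive http://mpsv1.server.mycorp.com, so any absolute URL it generates points clients at the unencrypted internal address instead of the proxy.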
Next, we'll show you how to configure two popular HTTP servers to meet the requirements given above.
Step 1: Configure Meisterplan
Proceed as follows to configure Meisterplan for usage behind your load balancer/reverse proxy:
- Enable the load balancer feature:
mpctl config loadbalancer true
- Set your load balancer URL as Meisterplan's Base URL:
mpctl config baseurl https://meisterplan.mycorp.com
  where https://meisterplan.mycorp.com is your load balancer URL.
- Restart Meisterplan:
  mpctl restart
Step 2: Configure Your Proxy Server
Configuration for Apache httpd
When using Apache, the version must be at least 2.4.10.
The following section provides a step-by-step guide on how to set up Apache with SSL.
- Install Apache httpd as described in the official documentation.
- Prepare an SSL certificate. You can use your existing certificate or generate a self-signed certificate by using OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/cert.key -out /etc/apache2/cert.crt
- Enable the necessary Apache modules. On Ubuntu, you can do this with the a2enmod tool:
a2enmod proxy proxy_http proxy_wstunnel ssl headers
- Remove the line
  Listen 80
  from /etc/apache2/ports.conf.
- Edit /etc/apache2/sites-enabled/000-default and replace its contents with:
  <VirtualHost *:443>
      ServerName meisterplan.mycorp.com
      # Act as a reverse proxy only, never as a forward proxy
      ProxyRequests Off
      # Pass the client's Host header through to Meisterplan
      ProxyPreserveHost On
      AllowEncodedSlashes On
      ProxyPass / http://mpsv1.server.mycorp.com/
      ProxyPassReverse / http://mpsv1.server.mycorp.com/
      # Tell Meisterplan that clients connect via https on port 443
      # (mod_proxy adds X-Forwarded-Host and X-Forwarded-For by itself)
      RequestHeader set X-Forwarded-Proto "https"
      RequestHeader set X-Forwarded-Port "443"
      SSLEngine on
      SSLCertificateFile /etc/apache2/cert.crt
      SSLCertificateKeyFile /etc/apache2/cert.key
  </VirtualHost>
- The ServerName line specifies where the SSL proxy runs. The ProxyPass line specifies where the Meisterplan installation runs. This must be consistent with how you configured your Meisterplan installation. See this article for details.
- Start Apache (e.g., service apache2 start, or service apache2 reload in case it is already running).
Configuration for Nginx
Nginx is an alternative proxy solution to Apache. You can install it and set it up by following these step-by-step instructions:
- Install Nginx as described in the official documentation.
- Prepare an SSL certificate. You can use your existing certificate or generate a self-signed certificate (you might need to install openssl) via
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
- Edit /etc/nginx/sites-enabled/default and replace its contents with:
  server {
      # "listen 443 ssl" replaces the deprecated "ssl on" directive
      listen 443 ssl;
      server_name meisterplan.mycorp.com;
      ssl_certificate /etc/nginx/cert.crt;
      ssl_certificate_key /etc/nginx/cert.key;
      ssl_session_cache shared:SSL:10m;
      # TLSv1 and TLSv1.1 are deprecated; drop them unless legacy clients require them
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
      ssl_prefer_server_ciphers on;
      access_log /var/log/nginx/meisterplan.access.log;
      location / {
          proxy_pass http://mpsv1.server.mycorp.com;
          # Headers Meisterplan needs to know the client-facing URL (see Requirements)
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-Proto https;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Port 443;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # WebSocket support: the Upgrade handshake requires HTTP/1.1 towards the backend
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
      }
  }
- The server_name line specifies where the SSL proxy runs. The proxy_pass line specifies where the Meisterplan installation runs. Please keep this consistent with your configuration.
- Start Nginx (e.g., service nginx start, or nginx -s reload if it is already running).