Availability Premium
This article explains how to secure your on-premise installation of Meisterplan with an SSL Proxy.
SSL by Default
As of June 2024, the Meisterplan installation enables HTTPS by default.
A self-signed certificate is created by this quick start method when installing via mpctl install.
We recommend replacing the automatically generated certificates after installation.
- If you already have SSL certificates for your machine, copy them to the ssl-certs directory of your installation. The public and private key files are expected to be named cert.crt and cert.key.
- You can generate self-signed certificates with openssl by executing the following command in the root directory of your installation:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ssl-certs/cert.key -out ./ssl-certs/cert.crt
We recommend using a CA that is already established within your infrastructure.
Alternative: SSL Using Your Own Proxy Server
We recommend using the embedded HTTPS configuration of Meisterplan. However, you can also use other third-party software. This can be useful if you plan to run the proxy on another machine or if you already have a proxy in your infrastructure.
Requirements
A few requirements must be met to ensure that Meisterplan works properly behind your reverse proxy when you are using software other than mpctl:
- X-Forwarded-* headers must be set:
- X-Forwarded-Proto
- X-Forwarded-Host
- X-Forwarded-Port
- Websocket packets must be allowed, as Meisterplan uses Websockets to distribute changes between clients.
- The following HTTP methods must be supported:
- GET
- POST
- PUT
- DELETE
- OPTIONS
- PATCH
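As an added check (not part of the Meisterplan documentation or the mpctl tooling), the following Python validates the three requirements above against headers captured at the backend, for example from a throw-away echo server placed at the address the proxy forwards to. The function names and the sample values in the comments are this example's own.

```python
from urllib.parse import urlsplit

# HTTP methods Meisterplan needs the proxy to pass through (Requirements list above).
REQUIRED_METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH")


def _lower(headers):
    """Case-fold header names so captured headers can be looked up uniformly."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_forwarded_headers(headers, base_url):
    """Compare the X-Forwarded-* headers a request carried when it reached the
    backend with the base URL set via 'mpctl config baseurl'. Returns a list of
    problems; an empty list means proxy and Meisterplan agree."""
    h = _lower(headers)
    url = urlsplit(base_url)
    expected_port = str(url.port or (443 if url.scheme == "https" else 80))
    checks = (
        ("x-forwarded-proto", url.scheme, lambda v: v.lower()),
        # a proxy may forward "host:port"; only the host part is compared
        ("x-forwarded-host", url.hostname, lambda v: v.split(":")[0].lower()),
        ("x-forwarded-port", expected_port, lambda v: v),
    )
    problems = []
    for name, expected, norm in checks:
        if name not in h:
            problems.append(f"{name} missing")
        elif norm(h[name]) != expected:
            problems.append(f"{name} is {h[name]!r}, expected {expected!r}")
    return problems


def check_websocket_upgrade(headers):
    """Check that a WebSocket handshake survived the proxy: Upgrade and Connection
    must reach the backend, otherwise change distribution between clients breaks."""
    h = _lower(headers)
    problems = []
    if h.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade header missing or not 'websocket'")
    if "upgrade" not in h.get("connection", "").lower():
        problems.append("Connection header does not contain 'upgrade'")
    return problems


def missing_methods(allowed):
    """Return the required HTTP methods absent from the ones the proxy accepted
    (for example parsed from an Allow header or found by probing each method)."""
    accepted = {m.strip().upper() for m in allowed}
    return [m for m in REQUIRED_METHODS if m not in accepted]
```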
Step 1: Configure Meisterplan
Proceed as follows to configure Meisterplan for usage behind your load balancer/reverse proxy:
- Enable the load balancer feature:
mpctl config loadbalancer true
- Set your load balancer URL as Meisterplan's Base URL, where https://meisterplan.mycorp.com is your load balancer URL:
mpctl config baseurl https://meisterplan.mycorp.com
- Restart Meisterplan:
mpctl restart
Step 2: Configure Your Proxy Server
Configuration for Apache httpd
When using Apache, version 2.4.10 or higher is required.
The following section provides a step-by-step guide on how to set up Apache with SSL.
- Install Apache httpd as described in the official documentation.
- Prepare an SSL certificate. You can use your existing certificate or generate a self-signed certificate by using OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/cert.key -out /etc/apache2/cert.crt
- Enable the necessary Apache modules. On Ubuntu, you can do this with the a2enmod tool:
a2enmod proxy proxy_http proxy_wstunnel ssl headers
- Remove the line Listen 80 from /etc/apache2/ports.conf.
- Edit /etc/apache2/sites-enabled/000-default and replace it with:
<VirtualHost *:443>
    ServerName meisterplan.mycorp.com
    ProxyRequests Off
    ProxyPreserveHost On
    AllowEncodedSlashes On
    ProxyPass / http://mpsv1.server.mycorp.com/
    ProxyPassReverse / http://mpsv1.server.mycorp.com/
    # mod_proxy adds X-Forwarded-For and X-Forwarded-Host itself; Proto and Port must be set explicitly
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    # mod_proxy_wstunnel handles the WebSocket upgrades Meisterplan needs; on Apache 2.4.47 or newer
    # append upgrade=websocket to the ProxyPass line, older versions need a mod_rewrite rule to ws://
    SSLEngine on
    SSLCertificateFile /etc/apache2/cert.crt
    SSLCertificateKeyFile /etc/apache2/cert.key
</VirtualHost>
- The ServerName line specifies where the SSL proxy runs. The ProxyPass line specifies where the Meisterplan installation runs. This must be consistent with how you configured your Meisterplan installation. See this article for details.
- Start Apache (e.g., service apache2 start, or service apache2 reload if it is already running).
Configuration for Nginx
Nginx is an alternative proxy solution to Apache. You can install it and set it up by following these step-by-step instructions:
- Install Nginx as described in the official documentation.
- Prepare an SSL certificate. You can use your existing certificate or generate a self-signed certificate (you might need to install openssl) via
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
- Edit /etc/nginx/sites-enabled/default and replace it with:
server {
    # "ssl on;" is deprecated and removed in current nginx; enable TLS on the listen directive instead
    listen 443 ssl;
    server_name meisterplan.mycorp.com;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_session_cache shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/meisterplan.access.log;
    location / {
        proxy_pass http://mpsv1.server.mycorp.com;
        # HTTP/1.1 is required for the WebSocket upgrade to pass through
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
- The server_name line specifies where the SSL proxy runs. The proxy_pass line specifies where the Meisterplan installation runs. Please keep this consistent with your configuration.
- Start nginx (e.g., service nginx start, or nginx -s reload if it is already running).