This article explains how to secure your on-premise installation of Meisterplan with an SSL Proxy.
- Enabling SSL Using mpctl (Recommended)
- Using Other Proxy Servers
Enabling SSL Using mpctl (Recommended)
The following section provides a step-by-step guide on how to add SSL encryption using the mpctl binary. This is the recommended approach.
- a) If you already have SSL certificates for your machine, copy them to the ssl-certs-directory of your installation. The name for the public- and private-key-files is expected to be
b) If you do not have any certificates: You can generate self-signed certificates by running the following command in the root directory of your installation:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ssl-certs/cert.key -out ./ssl-certs/cert.crt
- Execute the command mpctl enablessl. The application will be restarted automatically, and from then on it will be available via HTTPS only.
Using Other Proxy Servers
We recommend using mpctl to encrypt the connections via SSL (see previous section). However, you can also use third-party software. This can be useful if you plan to install the proxy on another machine or if you already have a proxy in your infrastructure.
A few requirements must be met to ensure that Meisterplan works properly behind your reverse proxy, when you are using software other than mpctl:
- X-Forwarded-*-Headers (background) must be set:
- Websocket packets must be allowed, as Meisterplan uses Websockets to distribute changes between clients.
- The following HTTP methods must be supported:
Next, we'll show you how to configure two popular HTTP servers to meet the requirements given above.
Configuration for Apache httpd
When using Apache, the version must be 2.4.10 or higher.
The following section provides a step-by-step guide on how to set up Apache with SSL.
- Install Apache httpd as described in the official documentation.
- Prepare an SSL certificate. You can use your existing certificate or generate a self-signed certificate by using OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/cert.key -out /etc/apache2/cert.crt
- Enable the necessary Apache modules. On Ubuntu, you can do this with the a2enmod tool:
a2enmod proxy proxy_http proxy_wstunnel ssl headers
- Remove the line Listen 80 from /etc/apache2/ports.conf.
- Edit /etc/apache2/sites-enabled/000-default and replace it with:
ProxyPass / http://meisterplan.local/
ProxyPassReverse / http://meisterplan.local/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
The ServerName line specifies where the SSL Proxy runs. The ProxyPass line specifies where the Meisterplan installation runs. This must be consistent with how you configured your Meisterplan installation. See this article for details.
- Start Apache (e.g., service apache2 start, or service apache2 reload in case it is already running).
Configuration for Nginx
Nginx is an alternative proxy solution to Apache. You can install it and set it up by following these step-by-step instructions:
- Install Nginx as described in the official documentation.
- Prepare an SSL certificate. You can use your existing certificate or generate a self-signed certificate (you might need to install openssl) via
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
- Edit /etc/nginx/sites-enabled/default and replace it with:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
The server_name line specifies where the SSL proxy runs. The proxy_pass line specifies where the Meisterplan installation runs. Please keep this consistent with your configuration.
- Start Nginx (e.g., service nginx start, or nginx -s reload if it is already running).
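The following check is an added example, not part of the original article or of Meisterplan's tooling. It audits an Nginx proxy configuration against the header and WebSocket requirements listed above, and flags TLS versions that RFC 8996 deprecates (TLS 1.0 and 1.1). The sample configuration is constructed from the directives shown on this page; the server_name value is a placeholder, and the server/location wrapper is an assumption.

```python
import re

# Headers set in the page's Nginx example (names compared case-insensitively).
REQUIRED_HEADERS = ("Host", "X-Forwarded-Proto", "X-Forwarded-Host",
                    "X-Forwarded-Port", "X-Forwarded-For", "Upgrade", "Connection")
# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2 and SSLv3 are older still.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the page's directives wrapped in an assumed server block.
SAMPLE = """
server {
    listen 443 ssl;
    server_name proxy.example.test;   # placeholder host name
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://meisterplan.local/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
"""

def directives(conf):
    """Yield (name, args) for each directive; '#' comments are ignored."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], [p.strip("\"'") for p in parts[1:]]

def audit(conf):
    """Return sorted findings: missing proxy headers, deprecated TLS versions."""
    headers, protocols = set(), set()
    for name, args in directives(conf):
        if name == "proxy_set_header" and args:
            headers.add(args[0].lower())
        elif name == "ssl_protocols":
            protocols = set(args)
    findings = [f"missing proxy_set_header {h}"
                for h in REQUIRED_HEADERS if h.lower() not in headers]
    findings += [f"deprecated protocol: {p}" for p in protocols & DEPRECATED]
    return sorted(findings)
```

Calling audit(SAMPLE) reports TLSv1 and TLSv1.1 as deprecated; restricting ssl_protocols to TLSv1.2 and TLSv1.3 clears both findings, provided the Nginx and OpenSSL builds in use support TLS 1.3.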