Quick SSL Setup Guide

This guide assumes you have configured your DNS properly to point to the server you wish to secure. It also assumes you are using Apache to serve MonsterUI and as a reverse proxy for Crossbar (the API server) for SSL termination.

Let's Encrypt Cert Setup

We'll use Let's Encrypt to generate a free SSL certificate for us. See these instructions for a more detailed guide.

# First, get the script from EFF (-O takes the full output file path, not a directory)
sudo wget -O /usr/local/sbin/certbot-auto https://dl.eff.org/certbot-auto

# Make it executable
sudo chmod a+x /usr/local/sbin/certbot-auto

Set up Let's Encrypt and Apache

To start an interactive session to set up the certificate for your domain (in this case, kazoo.mycompany.com):

certbot-auto --apache -d kazoo.mycompany.com

Certificates will be installed under `/etc/letsencrypt/live`.

Auto-renew

Let's Encrypt certificates are valid for 90 days. Triggering the renewal process is straightforward:

certbot-auto renew

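Set up auto-renewal as a cron job:

# Open root's crontab for editing
sudo crontab -e
# Add this entry: attempt renewal every Monday at 02:30, logging output and errors
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log 2>&1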

Set up Apache as a reverse proxy

Having Apache (or any HTTP server) proxy the requests for the API server makes sense. You can manage your certificates in fewer places and API servers can come and go since each request is independent of any others (no state shared between requests on a given API server).

We create two VirtualHost entries, one for serving MonsterUI assets and one for proxying to Crossbar.

MonsterUI

<VirtualHost *:443>
    ServerName kazoo.mycompany.com:443

    DocumentRoot /var/www/html/monster-ui

    SSLEngine on
    SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
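    # Serve the leaf certificate plus intermediates so clients can build the chain
    SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/fullchain.pem"

    # Scope access to the document root rather than the filesystem root
    <Directory "/var/www/html/monster-ui">
        #Options FollowSymLinks
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        # Apache 2.2 access syntax; on 2.4 the equivalent is "Require all granted"
        Order deny,allow
        Allow from all
    </Directory>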
</VirtualHost>

API Reverse Proxy

Be sure to replace the IP address in the ProxyPass lines with the one Crossbar is using.

<VirtualHost *:8443>
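    # Needs "Listen 8443" in the main Apache config, plus mod_proxy and mod_proxy_http
    ServerName kazoo.mycompany.com:8443
    ProxyPreserveHost On

    SSLEngine on
    # Use the certificate issued for this host
    SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
    SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/fullchain.pem"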

    ProxyPass / http://10.1.10.29:8000/
    ProxyPassReverse / http://10.1.10.29:8000/
</VirtualHost>
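
Certificate paths are easy to get wrong when copying them between the two VirtualHost entries, so it is worth linting the vhost files before reloading Apache. The script below is an added example, not part of the original guide or the Kazoo project: the function names `lint_vhost_certs` and `sample_conf`, the sample config and `other.example.com` are constructed for illustration, and the fullchain.pem recommendation assumes Apache 2.4.8 or later.

```shell
# Added example (not from the original guide): lint Apache vhost files for
# Let's Encrypt path mistakes. Prints one finding per line; returns 1 if any.
lint_vhost_certs() {
    awk '
    # /etc/letsencrypt/live/<lineage>/<file>  ->  <lineage>
    function lineage(path,   parts, n, i) {
        n = split(path, parts, "/")
        for (i = 2; i < n; i++)
            if (parts[i] == "live" && parts[i-1] == "letsencrypt") return parts[i+1]
        return ""
    }
    function report(msg) { printf "%s: %s\n", vhost, msg; bad = 1 }
    { d = tolower($1); v = $2; gsub(/"/, "", v) }   # directive name, unquoted value
    d ~ /^<virtualhost/ { vhost = v; sub(/>$/, "", vhost); name = cert = key = "" }
    d == "servername"            { name = v; sub(/:[0-9]+$/, "", name) }
    d == "sslcertificatefile"    { cert = v }
    d == "sslcertificatekeyfile" { key = v }
    d ~ /^<\/virtualhost/ && cert != "" {
        if (cert ~ /\/cert\.pem$/)
            report("SSLCertificateFile is cert.pem (leaf only); use fullchain.pem")
        if (lineage(cert) != lineage(key))
            report("certificate and key come from different lineages")
        # A lineage can cover several names, so treat this one as a prompt to review.
        if (lineage(cert) != "" && name != "" && lineage(cert) != name)
            report("lineage " lineage(cert) " does not match ServerName " name)
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input (not a real deployment).
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName kazoo.mycompany.com:443
    SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
    SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/cert.pem"
</VirtualHost>
<VirtualHost *:8443>
    ServerName kazoo.mycompany.com:8443
    SSLCertificateKeyFile "/etc/letsencrypt/live/other.example.com/privkey.pem"
    SSLCertificateFile "/etc/letsencrypt/live/other.example.com/fullchain.pem"
</VirtualHost>
EOF
}

sample_conf | lint_vhost_certs || true   # demo run: prints two findings
```

To check real files, pass them as arguments to `lint_vhost_certs` instead of piping in the sample.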

Reconfigure MonsterUI and the Apps

Once you've reloaded Apache, you'll want to update MonsterUI's config.js:

vim /var/www/html/monster-ui/js/config.js
# Update api_url to 'https://kazoo.mycompany.com:8443/v2'

And re-init the apps:

# Re-initialize Monster Apps
sup crossbar_maintenance init_apps \
/var/www/html/monster-ui/apps \
https://kazoo.mycompany.com:8443/v2
