Quick SSL Setup Guide
This guide assumes you have configured your DNS properly to point to the server you wish to secure. It also assumes you are using Apache both to serve MonsterUI and as a reverse proxy that terminates SSL for Crossbar (the API server).
Let’s Encrypt Cert Setup
We’ll use Let’s Encrypt to generate a free SSL certificate for us. See these instructions for a more detailed guide.
# First, get the script from EFF
sudo wget -O /usr/local/sbin/certbot-auto https://dl.eff.org/certbot-auto
# Make it executable
sudo chmod a+x /usr/local/sbin/certbot-auto
Set up Let’s Encrypt and Apache
To start an interactive session to set up the certificate for your domain (in this case, kazoo.mycompany.com):
certbot-auto --apache -d kazoo.mycompany.com
Certificates will be installed to `/etc/letsencrypt/live`.
Auto-renew
Let’s Encrypt certificates are valid for 90 days. Triggering the renewal process is straightforward:
certbot-auto renew
Set up auto-renewal in the form of a cronjob:
sudo crontab -e
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
Setup Apache as a reverse proxy
Having Apache (or any HTTP server) proxy the requests for the API server makes sense. You can manage your certificates in fewer places and API servers can come and go since each request is independent of any others (no state shared between requests on a given API server).
We create two VirtualHost entries, one for serving MonsterUI assets and one for proxying to Crossbar.
MonsterUI
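<VirtualHost *:443>
ServerName kazoo.mycompany.com:443
DocumentRoot /var/www/html/monster-ui
SSLEngine on
SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
# fullchain.pem includes the intermediate certificates; cert.pem is the leaf only
SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/fullchain.pem"
# Scope the access rules to the MonsterUI document root, not the filesystem root
<Directory /var/www/html/monster-ui>
# MonsterUI is static assets: no directory listings, SSI or CGI needed
Options FollowSymLinks
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</VirtualHost>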
API Reverse Proxy
Be sure to replace the IP in the ProxyPass and ProxyPassReverse lines with the IP Crossbar is using.
<VirtualHost *:8443>
ServerName kazoo.mycompany.com:8443
ProxyPreserveHost On
SSLEngine on
SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/fullchain.pem"
ProxyPass / http://10.1.10.29:8000/
ProxyPassReverse / http://10.1.10.29:8000/
</VirtualHost>
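Added example (not part of the original guide or the Kazoo project): a small Python lint over Apache configuration text that flags SSL vhosts whose certificate or key path points at a Let's Encrypt directory other than the one for the vhost's ServerName, or that serve cert.pem with no chain file. The sample configuration and the name other.example.net are constructed; `/etc/letsencrypt/live` is the certificate location named earlier in this guide.

```python
import re
from pathlib import PurePosixPath

LIVE = PurePosixPath("/etc/letsencrypt/live")  # location named in this guide

# Constructed sample: one vhost serves the leaf only, one uses another host's files.
SAMPLE = """
<VirtualHost *:443>
ServerName kazoo.mycompany.com:443
SSLEngine on
SSLCertificateKeyFile "/etc/letsencrypt/live/kazoo.mycompany.com/privkey.pem"
SSLCertificateFile "/etc/letsencrypt/live/kazoo.mycompany.com/cert.pem"
</VirtualHost>
<VirtualHost *:8443>
ServerName kazoo.mycompany.com:8443
SSLEngine on
SSLCertificateKeyFile "/etc/letsencrypt/live/other.example.net/privkey.pem"
SSLCertificateFile "/etc/letsencrypt/live/other.example.net/fullchain.pem"
</VirtualHost>
"""

def lint_vhosts(conf):
    """Return (vhost address, message) findings for Let's Encrypt path mistakes."""
    findings = []
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I)
    for addr, body in blocks:
        d = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0][0] not in "#<":
                d[parts[0].lower()] = parts[1].strip().strip('"')
        if d.get("sslengine", "").lower() != "on":
            continue  # plain-HTTP vhost, nothing to check
        # ServerName may carry a scheme and a port; keep only the host name.
        host = re.sub(r"^\w+://", "", d.get("servername", "")).split(":")[0]
        for key in ("sslcertificatefile", "sslcertificatekeyfile"):
            path = PurePosixPath(d.get(key, ""))
            if key not in d:
                findings.append((addr, f"{key} is missing"))
            elif path.parent.parent == LIVE and path.parent.name != host:
                findings.append((addr, f"{key} uses {path.parent.name!r}, not {host!r}"))
        cert = PurePosixPath(d.get("sslcertificatefile", ""))
        # cert.pem is the leaf only; clients need the intermediates to build a chain.
        if cert.name == "cert.pem" and "sslcertificatechainfile" not in d:
            findings.append((addr, "cert.pem served without chain; use fullchain.pem"))
    return findings

if __name__ == "__main__":
    for addr, msg in lint_vhosts(SAMPLE):
        print(f"{addr}: {msg}")
```

Running it against the real configuration file after each change to the vhosts catches a copied path before Apache is reloaded.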
Reconfigure MonsterUI and the Apps
Once you’ve reloaded Apache, you’ll want to update MonsterUI’s config.js:
vim /var/www/html/monster-ui/js/config.js
# Update api_url to 'https://kazoo.mycompany.com:8443/v2'
And re-init the apps:
# Re-initialize Monster Apps
sup crossbar_maintenance init_apps \
/var/www/html/monster-ui/apps \
https://kazoo.mycompany.com:8443/v2