Enable HTTPS for the ZendHQ UI

The following instructions walk you through enabling HTTPS for the ZendHQ UI, ensuring secure access to the web interface. The following is a high-level overview of what you will be doing:

  1. Prepare your environment: Ensure ZendHQ is installed and accessible over HTTP. You’ll also need access to your server’s NGINX configuration and SSL certificate files.

  2. Set up SSL certificates: While the following procedure uses CertBot as an example to obtain free SSL certificates from Let’s Encrypt, in production environments, you can and should use your organization’s preferred certificate authority (CA) or SSL proxy solution.

  3. Configure NGINX: You’ll modify your NGINX configuration to:

    1. Define an upstream for the ZendHQ backend

    2. Redirect HTTP traffic to HTTPS

    3. Serve the ZendHQ UI securely over HTTPS using your SSL certificates

    4. Handle WebSocket upgrades if needed

  4. Restart and verify: Restart NGINX and verify that ZendHQ is accessible via HTTPS on the specified port.

Prerequisites

Before you begin, ensure you have:

  • ZendHQ installed and running

  • Verified that ZendHQ is accessible via HTTP

Steps to enable HTTPS access

Enabling HTTPS access involves configuring NGINX to serve traffic securely using SSL certificates.

While this procedure demonstrates the process using CertBot for simplicity, enterprise environments should substitute this step with their organization's approved certificate management solution. This may involve certificates issued by an internal CA, integration with a centralized certificate management platform, or deployment via a reverse proxy or load balancer that handles SSL termination.

1 | Prepare SSL certificates (using CertBot or your organization's preferred method)

Prepare your environment to support SSL certificates for securing access to the ZendHQ UI:

  • If you're using CertBot, install CertBot on your server using the following command:

    sudo apt-get install certbot python3-certbot-nginx
  • In enterprise environments, confirm that you have access to your organization's certificate management tools or internal CA.

2 | Obtain an SSL certificate

Obtain the SSL certificate files required to enable HTTPS:

  • If you're using CertBot, run the following command. Replace yourdomain.com with your actual domain name.

    CertBot will automatically configure NGINX to use the obtained certificate.

    sudo certbot --nginx -d yourdomain.com
  • In enterprise environments, you may receive certificates from your internal CA or through a certificate management platform.

3 | Configure NGINX

To redirect HTTP traffic to HTTPS and to use the SSL certificate, edit your NGINX configuration file based on the following code snippet.

Make sure to:

  • Replace yourdomain.com with your actual domain name, replace the example listen address (172.31.22.27) and ports with your own, and adjust paths if necessary.

  • Replace the SSL configuration values (such as certificate paths and domain names) with the specific SSL settings and certificate files used by your organization. If your company already has an SSL proxy or certificate management process in place, you can integrate those settings into this configuration. The SSL configuration values shown in the following code snippet are examples only.

upstream zend-hq-daemon-http {
    server 127.0.0.1:8000;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 172.31.22.27:10091 default_server;
    server_name _;

    location / {
        return 301 https://yourdomain.com:10491$request_uri;
    }
}

server {
    listen *:10491 ssl;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

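    location / {
        # Proxy to the upstream defined at the top of this file.
        proxy_pass http://zend-hq-daemon-http;
        # WebSocket upgrades require HTTP/1.1 on the connection to the backend.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }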
}

4 | Verify the configuration

  1. To apply the changes, restart NGINX by running the following command.

    sudo systemctl restart nginx
  2. Check that your site is accessible via HTTPS by navigating to https://yourdomain.com:10491 (replace with your actual domain name and the HTTPS port from your configuration).
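
The verification in step 4 can also be scripted. The following is an added example, not part of the ZendHQ documentation: two shell functions that read response headers captured with curl -sI and confirm that the HTTP listener redirects to the HTTPS port and that the HTTPS listener sends the HSTS header. The function names, the one-year minimum max-age, and the sample responses are assumptions constructed for illustration; ports 10091 and 10491 come from the configuration above.

```shell
#!/bin/sh
# Added example (not from the ZendHQ docs). Live use, ports as configured above:
#   sudo nginx -t && sudo systemctl restart nginx    # test the config before restarting
#   curl -sI http://yourdomain.com:10091/  | check_redirect https://yourdomain.com:10491
#   curl -sI https://yourdomain.com:10491/ | check_hsts 31536000

# check_redirect PREFIX: headers on stdin; succeeds only for a 301 whose
# Location starts with PREFIX (scheme, host and HTTPS port).
check_redirect() {
    awk -v want="$1" '
        { sub(/\r$/, "") }
        NR == 1 { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { exit !(status == "301" && index(loc, want) == 1) }
    '
}

# check_hsts MIN: headers on stdin; succeeds only if Strict-Transport-Security
# is present with a max-age of at least MIN seconds.
check_hsts() {
    awk -v min="$1" '
        { sub(/\r$/, "") }
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/))
                age = substr(line, RSTART + 8, RLENGTH - 8) + 0
            found = 1
        }
        END { exit !(found && age >= min) }
    '
}

# Constructed sample responses so the checks can be tried offline.
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://yourdomain.com:10491/
'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000
'
SAMPLE_NO_HSTS='HTTP/1.1 200 OK
Server: nginx
'

printf '%s' "$SAMPLE_HTTP"  | check_redirect https://yourdomain.com:10491 && echo "redirect: ok"
printf '%s' "$SAMPLE_HTTPS" | check_hsts 31536000 && echo "hsts: ok"
printf '%s' "$SAMPLE_NO_HSTS" | check_hsts 31536000 || echo "hsts: missing (expected for this sample)"
```

A failing check_redirect after a restart usually means the HTTP listener is still pointing at a different host or port than the HTTPS server block.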

Troubleshooting tips

If you encounter issues, check the following:

  • Ensure CertBot and NGINX are properly installed.

  • Verify the paths to the SSL certificate and key in the NGINX configuration.

  • Check NGINX logs for any errors by running the following command:

    sudo tail -f /var/log/nginx/error.log