Version: 2.0

Enable SSL

GraphGrid's package contains multiple containerized services which users interact with through an Nginx reverse proxy. All the Nginx config files are exposed using Docker bind mounts and are stored at /data/nginx/config.

To enable SSL, start by deleting the symbolic link (symlink) at data/nginx/config/sites-enabled/api.conf and then link api-secure.conf to sites-enabled.

cd data/nginx/config/sites-enabled
rm api.conf
ln -s ../sites-available/api-secure.conf api-secure.conf
caution

It is very important to create the symbolic link using a relative path from the sites-enabled directory. This is to ensure the symlink will work inside the Docker container with the configured bind mounts. Both sites-available and sites-enabled are mounted in the same directory, so the link to ../sites-available/api-secure.conf will still work. If you don't cd into the sites-enabled directory first, you will most likely have problems.

By default, Nginx parses every config file in the sites-enabled directory. This can be changed by editing data/nginx/config/nginx.conf. The api-secure.conf configuration redirects all HTTP traffic on port 80 to HTTPS on port 443. Both api.conf and api-secure.conf use the same base configuration, which is imported from global/api-base.conf.

The main SSL configuration is in global/secure-base.conf. Your SSL certificate files should go in data/nginx/certs/, which is mounted to /etc/nginx/ssl/certs/ in the Nginx container. We recommend storing SSL certs in domain-specific subfolders. You will need the following files:

  • An SSL certificate like server.crt
  • SSL certificate private key like server.key
  • SSL certificate chain like server.chain.crt
  • A Diffie-Hellman parameters file like dhparams.pem

The first three files should come from your SSL certificate issuer. Diffie-Hellman parameters can be generated using OpenSSL by running the following command. Be aware that this will take some time.

openssl dhparam -out dhparams.pem 4096

Once your files are all in place, make any necessary adjustments to the file paths in global/secure-base.conf. You should now be able to start Nginx with SSL enabled!
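The following pre-flight script is an added example, not part of GraphGrid's package. It checks the symlink rule from the caution above and the certificate files listed above before Nginx is restarted. The file names server.crt, server.key, server.chain.crt and dhparams.pem are the page's sample names, and the key-permission check is a common hardening step assumed here rather than a stated GraphGrid requirement.

```shell
#!/bin/sh
# Added example: pre-flight checks before restarting Nginx with SSL enabled.
# Assumed file names follow the page's samples; adjust them to your own.

fail() { echo "FAIL: $*" >&2; return 1; }

# check_site_link DIR   (DIR = data/nginx/config/sites-enabled)
check_site_link() {
    dir=$1; link="$dir/api-secure.conf"
    # api.conf must be gone, otherwise the plain-HTTP site is still enabled.
    if [ -e "$dir/api.conf" ] || [ -L "$dir/api.conf" ]; then
        fail "api.conf is still in sites-enabled"; return 1
    fi
    [ -L "$link" ] || { fail "$link is not a symlink"; return 1; }
    target=$(readlink "$link")
    case $target in
        /*) fail "absolute target $target will not exist inside the container"; return 1 ;;
        ../sites-available/*) ;;  # stays inside the directories mounted together
        *) fail "target $target leaves the mounted config directories"; return 1 ;;
    esac
    # Resolve from sites-enabled, the same way Nginx does in the container.
    [ -f "$dir/$target" ] || { fail "$target does not resolve from $dir"; return 1; }
}

# check_cert_files DIR   (DIR = your domain subfolder under data/nginx/certs)
check_cert_files() {
    dir=$1
    for f in server.crt server.key server.chain.crt dhparams.pem; do
        [ -s "$dir/$f" ] || { fail "$dir/$f is missing or empty"; return 1; }
    done
    # Group and other permission bits on the private key must all be clear.
    perms=$(ls -ld "$dir/server.key" | cut -c5-10)
    [ "$perms" = "------" ] || { fail "server.key is too open, use chmod 600"; return 1; }
}

# check_key_matches DIR: certificate and private key must share one public key.
check_key_matches() {
    dir=$1
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ] || { fail "server.key does not match server.crt"; return 1; }
}

# Usage: sh preflight.sh data/nginx <cert-subfolder>
if [ $# -eq 2 ]; then
    check_site_link "$1/config/sites-enabled" &&
    check_cert_files "$1/certs/$2" &&
    check_key_matches "$1/certs/$2" && echo "SSL pre-flight passed"
fi
```

Run it from the directory that contains data/, passing data/nginx and the name of your certificate subfolder.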