
Enabling SSL/TLS for Continuum

Overview 

This article describes how to configure the Nginx web server as a front-end proxy for Continuum, with Nginx acting as the SSL termination endpoint.

Even though Continuum supports SSL termination, VersionOne now recommends using Nginx for SSL termination because of the widely documented options and supported features.

Install Nginx

Install Nginx version 1.4 or later. The following directions are an example and may differ depending on your flavor and version of Linux.

For RHEL 6.x, add a yum repo file using the following command.

sudo tee /etc/yum.repos.d/nginx.repo > /dev/null <<'EOF'
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/rhel/6/$basearch/
# gpgcheck=0 skips package signature verification for this repo; nginx.org
# publishes a signing key (https://nginx.org/keys/nginx_signing.key) that can
# be set as gpgkey= together with gpgcheck=1 instead.
gpgcheck=0
enabled=1
EOF

Then install Nginx for RHEL...

sudo yum install -y nginx

Or Ubuntu...

sudo apt-get install -y nginx

Configure SSL Certificate and Key Files

Gather the required SSL certificate and key files as needed. Place these files in the following directories.

For Ubuntu, place them under /etc/ssl/certs and /etc/ssl/private respectively. For RHEL, these directories are /etc/pki/tls/certs and /etc/pki/tls/private. Take note of the paths and update the example Nginx config file below accordingly.

In the sample Nginx config file below, these files are named continuum.crt and continuum.key.

Update the Nginx Config File

The code below creates an Nginx config file in the proper directory for RHEL, /etc/nginx/conf.d/default.conf. This directory is different for other flavors of Linux; for example, in Ubuntu the file would be /etc/nginx/sites-enabled/default. Change the path in the script below as appropriate.

Make note of the places in the example where the outward-facing IP address 54.210.180.147 is used. This should be replaced with the address (FQDN or IP address) that the user's web client uses to access Continuum.

The ssl_ciphers and ssl_protocols settings below can be customized to enable (or disable) as necessary to meet the needs of internal IT security requirements.

The following will serve both the Continuum webserver and websocket server on the same port (443). Customize as appropriate. 


sudo tee /etc/nginx/conf.d/default.conf > /dev/null << 'EOF'
server {
        listen 443 default_server;
        listen [::]:443 default_server ipv6only=on;
        server_name localhost;
        # 'ssl on' is accepted by nginx 1.4; nginx 1.15 and later deprecate it
        # in favour of 'listen 443 ssl'.
        ssl on;
        ssl_certificate     /etc/pki/tls/certs/continuum.crt;
        ssl_certificate_key /etc/pki/tls/private/continuum.key;
        ssl_session_timeout 15m;
        # TLS 1.2 only, with ECDHE/DHE (forward-secret) AES suites; adjust to local policy.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        # Continuum message hub (websocket) on local port 8083
        location /sub {
               proxy_set_header X-Real-IP  $remote_addr;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header Host $host;
               proxy_pass http://127.0.0.1:8083;
               proxy_redirect ws://54.210.180.147/ wss://54.210.180.147/;
               # WebSocket support (nginx 1.4)
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";
        }
        # Continuum web UI on local port 8080
        location / {
               proxy_set_header X-Real-IP  $remote_addr;
               proxy_set_header X-Forwarded-For $remote_addr;
               proxy_set_header Host $host;
               proxy_pass http://127.0.0.1:8080;
               proxy_redirect http://54.210.180.147/ https://54.210.180.147/;
               proxy_redirect http://localhost/ http://localhost:8080/;
        }
        # Never serve .htaccess-style files
        location ~ /\.ht {
                deny all;
        }
}
EOF

Bind Continuum to Local Ports Only

In this setup, Nginx acts as the SSL/TLS termination point and proxies requests to the Continuum webserver and websocket server; this is transparent to the end user. However, to make sure Continuum cannot serve external requests without them first passing through Nginx, the following settings also need to be made.

Make sure SSL is disabled on both the Continuum webserver and the websocket (MessageHub) server. This is done in the Continuum System Settings web interface by setting "UI SSL" and "MessageHub SSL" to "false". If these settings were made in the /etc/continuum/continuum.yaml file, turn them off there instead; the local yaml file overrides the corresponding settings in the UI / database. The config file settings are ui_use_ssl and msghub_use_ssl:

ui_use_ssl: false
msghub_use_ssl: false

The msghub_external_url and ui_external_url settings need to be set, either in the System Settings or in the yaml file, in the following format:

msghub_external_url: wss://54.210.180.147
ui_external_url: https://54.210.180.147

The corresponding settings in the System Settings are "UI URL (External)" and "MessageHub URL (External)".

To force Continuum to serve only local requests and not listen on the outward-facing socket, set the following settings to 0.0.0.0: "MessageHub Bind Address" and "UI Bind Address", or in the yaml file msghub_bind_address and ui_bind_address:

ui_bind_address: 0.0.0.0
msghub_bind_address: 0.0.0.0
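The bind settings above are the article's. As an added check (example code, not part of the VersionOne article or of Continuum itself), the Python script below reads the output of `ss -ltn` (or `netstat -ltn`) and reports whether the listeners on the Continuum UI port (8080) and Message Hub port (8083) are bound to a loopback address, which is the binding that keeps them reachable only from the local host: in standard socket semantics 0.0.0.0 (and `::` or `*`) means every interface, while 127.0.0.1 restricts the listener to the host itself. The sample `ss` output embedded in the script is constructed; the port numbers come from this article and the service labels are descriptive names only.

```python
"""Audit which address the Continuum UI (8080) and Message Hub (8083) are
listening on, from the output of `ss -ltn` (or `netstat -ltn`).

Added example, not part of the VersionOne article or of Continuum itself.
"""
import ipaddress
import re
import subprocess

# Ports come from the article; the names are descriptive labels only.
CONTINUUM_PORTS = {8080: "Continuum UI", 8083: "Continuum Message Hub"}

# Local Address:Port column of `ss -ltn` / `netstat -ltn`, e.g.
# 0.0.0.0:8080, 127.0.0.1:8083, [::]:8080 or *:8080. The peer column
# ends in ':*' and therefore never matches.
_LOCAL_RE = re.compile(r"(?P<addr>\*|\[[^\]]*\]|[0-9.]+):(?P<port>\d+)")

# Constructed sample: the UI is bound to all interfaces (exposed), the
# message hub to loopback only, and nginx is on 443 as the article sets up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8083       0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       511     [::]:443             [::]:*
"""


def is_loopback(addr: str) -> bool:
    """True only if a listener on this address is reachable from this host alone."""
    addr = addr.strip("[]")
    if addr == "*":            # ss/netstat shorthand for 'any address'
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output: str, ports=CONTINUUM_PORTS) -> dict:
    """Map each Continuum port to the address it is bound on and whether
    that binding is exposed beyond the local host."""
    report = {}
    for line in ss_output.splitlines():
        m = _LOCAL_RE.search(line)
        if not m:
            continue               # header or unrelated line
        port = int(m.group("port"))
        if port not in ports:
            continue
        addr = m.group("addr")
        exposed = not is_loopback(addr)
        # A port listening on both 0.0.0.0 and 127.0.0.1 counts as exposed.
        prev = report.get(port)
        if prev is None or exposed:
            report[port] = {"service": ports[port], "address": addr, "exposed": exposed}
    # Ports with no listener at all: Continuum is not serving on them.
    for port, name in ports.items():
        report.setdefault(port, {"service": name, "address": None, "exposed": False})
    return report


def run_ss() -> str:
    """Collect live listener data from the local host (requires iproute2's ss)."""
    return subprocess.run(["ss", "-ltn"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Replace SAMPLE_SS_OUTPUT with run_ss() to audit a real host.
    for port, info in sorted(audit_listeners(SAMPLE_SS_OUTPUT).items()):
        status = "EXPOSED" if info["exposed"] else "ok"
        print(f"{info['service']} ({port}): bound on {info['address']} -> {status}")
```

Run it after the Continuum services restart; any Continuum port reported as EXPOSED is reachable without passing through the Nginx TLS endpoint, and a port with no listener means the service is not running at all (the troubleshooting curl checks later in this article will fail for the same reason).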


Once the settings are made, restart the continuum services: 

ctm-restart-services

and reload Nginx configurations:

sudo nginx -s reload

or restart the service:

Ubuntu
sudo service nginx restart

RHEL
sudo /etc/init.d/nginx restart

Now test logging into Continuum on port 443. 

Troubleshooting

First make sure Continuum is serving locally on ports 8080 and 8083:

curl -vvLk http://127.0.0.1:8080

(should respond with HTML)

curl -vvLk http://127.0.0.1:8083

(should respond with text "Continuum Message Hub")

If either of those does not respond, check the Continuum log files in /var/continuum/log.

Next, check the nginx log files in /var/log/nginx, starting with error.log.

If the following line shows in the error.log, try disabling SELinux or check the local firewall.

2017/01/18 13:07:31 [crit] 27231#27231: *13 connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream, client: 98.118.251.108, server: localhost, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "54.210.180.147"
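As an added example (not part of the article), the Python below runs the check the troubleshooting steps describe over nginx error.log lines: it picks out failed connect() attempts to the Continuum upstreams and maps the errno to the next step. Permission denied (errno 13) is the SELinux/firewall case quoted above; on RHEL the SELinux boolean httpd_can_network_connect governs whether nginx may open outbound connections, so it can be checked before disabling SELinux altogether. Connection refused (errno 111) means nothing is listening on the upstream port, which the curl checks above would also show. The first sample line is the one quoted in this article; the other two are constructed.

```python
"""Classify nginx error.log lines that report a failed connect() to a
Continuum upstream, so the next troubleshooting step is obvious.

Added example, not part of the VersionOne article; the errno-to-hint
mapping uses the standard Linux errno meanings (13 EACCES, 111 ECONNREFUSED).
"""
import re
from typing import Optional

# Shape of nginx's "connect() to <upstream> failed (<errno>: <msg>) while
# connecting to upstream" error line.
_UPSTREAM_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ "
    r"connect\(\) to (?P<upstream>[\d.]+:\d+) failed "
    r"\((?P<errno>\d+): (?P<msg>[^)]+)\) while connecting to upstream"
)

HINTS = {
    13: ("nginx was denied the outbound connection: on RHEL check SELinux "
         "(the httpd_can_network_connect boolean) or the local firewall"),
    111: ("nothing is listening on the upstream port: check that the Continuum "
          "services are running and look in /var/continuum/log"),
}
GENERIC_HINT = "connect() to upstream failed; inspect the upstream service and host network"

# Sample log: the first line is the one quoted in the article, the other two
# are constructed.
SAMPLE_ERROR_LOG = """\
2017/01/18 13:07:31 [crit] 27231#27231: *13 connect() to 127.0.0.1:8080 failed (13: Permission denied) while connecting to upstream, client: 98.118.251.108, server: localhost, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:8080/", host: "54.210.180.147"
2017/01/18 13:09:02 [error] 27231#27231: *14 connect() to 127.0.0.1:8083 failed (111: Connection refused) while connecting to upstream, client: 198.51.100.7, server: localhost, request: "GET /sub HTTP/1.1", upstream: "http://127.0.0.1:8083/sub", host: "54.210.180.147"
2017/01/18 13:09:05 [notice] 27231#27231: signal process started
"""


def classify(line: str) -> Optional[dict]:
    """Return upstream, errno and a hint for a failed-connect line, else None."""
    m = _UPSTREAM_RE.match(line)
    if not m:
        return None
    errno = int(m.group("errno"))
    return {
        "timestamp": m.group("ts"),
        "level": m.group("level"),
        "upstream": m.group("upstream"),
        "errno": errno,
        "message": m.group("msg"),
        "hint": HINTS.get(errno, GENERIC_HINT),
    }


def scan(log_text: str) -> list:
    """Classify every failed-connect line in an error.log excerpt, in order."""
    return [r for r in (classify(line) for line in log_text.splitlines()) if r]


if __name__ == "__main__":
    # Replace SAMPLE_ERROR_LOG with open("/var/log/nginx/error.log").read()
    # to run against a real log.
    for r in scan(SAMPLE_ERROR_LOG):
        print(f"{r['timestamp']} upstream {r['upstream']} errno {r['errno']} "
              f"({r['message']}): {r['hint']}")
```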

Change Inbound Service Links

Any other services that send webhooks or commit data into Continuum will also need to be updated. Typical systems that will need to change their Continuum URLs are source code management solutions (e.g. GitLab, Bitbucket, GitHub, etc.) and ALM solutions (e.g. VersionOne Lifecycle, Jira, etc.).
