Configuring SSL Reverse Proxy
Rocket.Chat is a middle-tier application server and does not terminate SSL by itself. It does, however, work well behind several industrial-grade, battle-tested reverse proxy servers (nginx, for example; see below) that you can configure to handle SSL.
Note: When deploying Rocket.Chat, you must set the ROOT_URL parameter to an HTTPS address without a port number. So instead of ROOT_URL=http://localhost:3000, use something like ROOT_URL=https://your_hostname.com.
Note: When setting up a reverse proxy in front of your Rocket.Chat server, you also need to configure Rocket.Chat to determine the correct clientAddress. The rate limiter (and possibly other features) will not work properly if this is not done. Set the HTTP_FORWARDED_COUNT environment variable to the number of proxies in front of Rocket.Chat. If you are using the snap package, the snap documentation explains how to set it.
Running behind a nginx SSL Reverse Proxy
Note: These instructions were written for Ubuntu. On Amazon Linux, the proxy configuration file goes in /etc/nginx/conf.d/ and must have a distinct name ending in .conf; nginx is installed with yum -y install nginx.
Run this as root:
1. Add your private key to /etc/nginx/certificate.key
2. Lock down permissions: chmod 400 /etc/nginx/certificate.key
3. Add your certificate to /etc/nginx/certificate.crt
4. Edit /etc/nginx/sites-enabled/default (or, if you run nginx from Docker, /etc/nginx/conf.d/default.conf) and be sure to use your actual hostname in lieu of the sample hostname "your_hostname.com" below.
5. Restart nginx: service nginx restart
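The server configuration the steps above refer to is not reproduced on this page, so the following is an added example of a complete nginx site file for this setup; it is not taken from the Rocket.Chat project. It assumes Rocket.Chat listens on 127.0.0.1:3000 on the same host, uses the certificate paths from the steps above, and that "your_hostname.com" is replaced with your real hostname. The log paths are illustrative.

```nginx
# Redirect plain HTTP to HTTPS so that ROOT_URL=https://... is always honoured
server {
    listen 80;
    server_name your_hostname.com;
    return 301 https://$host$request_uri;
}

# HTTPS front end for Rocket.Chat
server {
    listen 443 ssl;
    server_name your_hostname.com;

    # certificate.crt should contain the server certificate followed by any
    # intermediate certificates, otherwise some clients fail to build the chain
    ssl_certificate     /etc/nginx/certificate.crt;
    ssl_certificate_key /etc/nginx/certificate.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # illustrative log locations
    access_log /var/log/nginx/rocketchat.access.log;
    error_log  /var/log/nginx/rocketchat.error.log;

    location / {
        proxy_pass http://127.0.0.1:3000/;
        proxy_http_version 1.1;

        # WebSocket upgrade, required for Rocket.Chat's real-time (DDP) traffic
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass the original host and client address through. Rocket.Chat reads
        # X-Forwarded-For according to HTTP_FORWARDED_COUNT (1 for this one-proxy setup),
        # which is what makes the rate limiter see the real client address.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_redirect off;
    }
}
```

Run nginx -t before restarting to catch syntax errors, and set HTTP_FORWARDED_COUNT=1 in the Rocket.Chat environment so that the X-Forwarded-For value set here is trusted and not the proxy's own address.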
Running under Plesk Onyx behind Nginx
Plesk Onyx now has a built-in Docker installation and an nginx proxy rule generator for Docker containers, but the generator does not support adding custom directives. Disable it and add the rules manually in the "Additional nginx directives" field. A scheme follows (replace 30000 with the port Docker maps for the container on the host).
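The scheme itself is missing from this page, so here is an added example of the directives to paste into Plesk's "Additional nginx directives" field; it is not from the Rocket.Chat project or from Plesk. Plesk generates the server block and the SSL settings for the domain, so only the proxy rules are needed. It assumes Plesk's generated configuration already defines an exact "location /" (a second one would be rejected by nginx as a duplicate), which is why a regex location is used: nginx evaluates regex locations ahead of the plain "/" prefix match, so this block takes precedence.

```nginx
# Regex location so it coexists with, and wins over, Plesk's own "location /"
location ~ / {
    # 30000 is the host port Docker maps to the Rocket.Chat container (assumed)
    proxy_pass http://127.0.0.1:30000;
    proxy_http_version 1.1;

    # WebSocket upgrade for Rocket.Chat's real-time traffic
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Original host, client address and scheme for Rocket.Chat (HTTP_FORWARDED_COUNT=1)
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```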
Running behind an Apache SSL Reverse Proxy
Note: When deploying Rocket.Chat, you must set the ROOT_URL parameter to an HTTPS address without a port number. So instead of ROOT_URL=http://localhost:3000, use something like ROOT_URL=https://your_hostname.com.
Run this as root:
1. Add your private key to /etc/ssl/private/chat.domain.com.key
2. Lock down permissions: chmod 400 /etc/ssl/private/chat.domain.com.key
3. Add your certificate to /etc/ssl/certs/chat.domain.com.crt
4. Add your intermediate certificate to /etc/ssl/certs/intermediate.ca.pem
5. Edit /etc/apache2/sites-enabled/rocketchat.conf and be sure to use your actual hostname in lieu of the sample hostname "your_hostname.com" below.
6. Restart Apache: service apache2 restart
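The virtual host file the steps above refer to is not reproduced on this page, so the following is an added example of a complete Apache 2.4 configuration for this setup; it is not from the Rocket.Chat project. It assumes Rocket.Chat listens on 127.0.0.1:3000 on the same host, uses the certificate paths from the steps above, and that the mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_headers modules are enabled (a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers). The log file names are illustrative.

```apache
<VirtualHost *:80>
    ServerName your_hostname.com
    # Send plain HTTP to HTTPS so that ROOT_URL=https://... is always used
    Redirect permanent / https://your_hostname.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName your_hostname.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/chat.domain.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/chat.domain.com.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.ca.pem
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # illustrative log locations
    ErrorLog  ${APACHE_LOG_DIR}/rocketchat_error.log
    CustomLog ${APACHE_LOG_DIR}/rocketchat_access.log combined

    # Keep the client's Host header and tell Rocket.Chat the original scheme.
    # mod_proxy adds X-Forwarded-For itself, which Rocket.Chat reads
    # according to HTTP_FORWARDED_COUNT (1 for this one-proxy setup).
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Requests carrying "Upgrade: websocket" are tunnelled to the ws:// backend
    # through mod_proxy_wstunnel; everything else is ordinary HTTP proxying.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:3000/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule ^/(.*)$ http://127.0.0.1:3000/$1 [P,L]

    # Rewrite Location headers in backend responses back to the public URL
    ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
```

Check the file with apachectl configtest before restarting. SSLCertificateChainFile still works in 2.4 but is deprecated; on newer releases you can instead append the intermediate certificate to the file named by SSLCertificateFile.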
Running behind a Caddy Reverse Proxy with Free SSL
First, download Caddy:
curl https://getcaddy.com | bash
Caddy is now installed, but you still need a service that runs the Caddy HTTP server in the background.
You must have at least port 443 open so that the Caddy server can request an SSL certificate from Let's Encrypt. You can also open port 80 to redirect HTTP requests to HTTPS.
Open /etc/caddy/Caddyfile and insert the site configuration for your hostname.
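The Caddyfile contents are missing from this page, so the following is an added example for Caddy 1.x (the version the getcaddy.com installer provides); it is not from the Rocket.Chat project or from Caddy. It assumes Rocket.Chat listens on localhost:3000 and that "your_hostname.com" and the contact address are replaced with your own. Caddy obtains and renews the Let's Encrypt certificate for the hostname automatically and redirects port 80 to HTTPS when it is open.

```caddyfile
your_hostname.com {
    # Contact address Let's Encrypt uses for expiry notices (assumed value)
    tls admin@your_hostname.com

    proxy / localhost:3000 {
        # upgrade WebSocket connections for Rocket.Chat's real-time traffic
        websocket
        # pass Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto to the backend,
        # which is what Rocket.Chat needs with HTTP_FORWARDED_COUNT=1
        transparent
    }
}
```

On Caddy 2 the equivalent site block is your_hostname.com { reverse_proxy localhost:3000 }, since the v2 reverse_proxy directive handles WebSocket upgrades and sets the X-Forwarded-* headers by default.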