Configuring SSL Reverse Proxy
    • Dark
      Light
    • PDF

    Configuring SSL Reverse Proxy

    • Dark
      Light
    • PDF

    Article summary

    Rocket.Chat is designed to be a robust middle-tier application server. While it doesn't handle SSL directly, it seamlessly integrates with trusted and high-performance reverse proxy servers like Nginx. By configuring one of these servers, you can effectively manage SSL for your Rocket.Chat instance, ensuring secure and reliable communication.

    When deploying Rocket.Chat, you must set the ROOT_URL parameter to a HTTPS address without including a port number. So instead of ROOT_URL=http://localhost:3000, use something like https://your_hostname.com

    When setting up a reverse proxy in front of your Rocket.Chat server, you must configure Rocket.Chat to use the correct clientAddress. The rate limiter and other features may not function properly if this is not done. Set HTTP_FORWARDED_COUNT environment variable to the correct number of proxies in front of Rocket.Chat - by default, it is set to 1. If you are using Snap, refer to the official documentation.

    Additionally, ensure that your proxies and load balancers ignore the X-Real-Ip header when making requests from end users. Rocket.Chat prioritizes the X-Real-Ip header when determining the clientAddress. Misconfigured proxies could allow users to bypass rate limiting and other security measures.

    Running behind an Nginx SSL reverse proxy

    These instructions were written for Ubuntu. For Amazon Linux, the conf file for the proxy goes in /etc/nginx/conf.d/ and needs to have a discrete name ending in .conf and nginx is installed using yum -y install nginx.

    Run this as root:

    apt-get install nginx

    Add your private key to /etc/nginx/certificate.key

    Lock down permissions: chmod 400 /etc/nginx/certificate.key

    Add your certificate to /etc/nginx/certificate.crt

    Edit /etc/nginx/sites-enabled/default or if you use Nginx from Docker /etc/nginx/conf.d/default.conf and be sure to use your actual hostname in lieu of the sample hostname "your_hostname.com" below.

    # Upstreams
    upstream backend {
        server 127.0.0.1:3000;
    }
    
    # HTTPS Server
    server {
        listen 443;
        server_name your_hostname.com;
    
        # You can increase the limit if your need to.
        client_max_body_size 200M;
    
        error_log /var/log/nginx/rocketchat.access.log;
    
        ssl on;
        ssl_certificate /etc/nginx/certificate.crt;
        ssl_certificate_key /etc/nginx/certificate.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don’t use SSLv3 ref: POODLE
    
        location / {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
    
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Nginx-Proxy true;
    
            proxy_redirect off;
        }
    }

    Restart Nginx: service nginx restart

    Running under Plesk Onyx behind Nginx

    Plesk Onyx now has a Docker installation and Nginx proxy Docker rule generator built in, but it doesn't support adding custom directives. Disable it and add the rules manually in the additional Nginx directives space. A scheme follows (replace 30000 with your external Docker mapped port).

    #manual extension docker with socket upgrade begin
    location ~ ^/.* {
        proxy_pass http://0.0.0.0:3000;
        proxy_set_header Host             $host;
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
    
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Nginx-Proxy true;
        proxy_http_version 1.1;
    
        proxy_redirect off;
    }
    
    #extension docker end

    Running behind an Apache SSL reverse proxy

    Note: When deploying Rocket.Chat, you must set the ROOT_URL parameter to a HTTPS address without including a port number. So instead of ROOT_URL=http://localhost:3000, use something like https://your_hostname.com

    Run this as root:

    apt-get update
    apt-get install apache2
    a2enmod proxy_http
    a2enmod proxy
    a2enmod ssl
    a2enmod proxy_wstunnel
    a2enmod rewrite

    Add your private key to /etc/ssl/private/chat.domain.com.key

    Lock down permissions: chmod 400 /etc/ssl/private/chat.domain.com.key

    Add your certificate to /etc/ssl/certs/chat.domain.com.crt

    Add your intermediate to /etc/ssl/certs/intermediate.ca.pem

    Edit /etc/apache2/sites-enabled/rocketchat.conf and be sure to use your actual hostname in lieu of the sample hostname "your_hostname.com" below.

    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName chat.domain.com
    
        LogLevel info
        ErrorLog /var/log/chat.domain.com_error.log
        TransferLog /var/log/chat.domain.com_access.log
    
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/chat.domain.com.crt
        SSLCertificateKeyFile /etc/ssl/private/chat.domain.com.key
        SSLCertificateChainFile /etc/ssl/certs/intermediate.ca.pem
    
        <Location />
            Require all granted
        </Location>
    
        RewriteEngine On
        RewriteCond %{HTTP:CONNECTION} Upgrade [NC]
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /(.*)           ws://localhost:3000/$1 [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket [NC]
        RewriteRule /(.*)           http://localhost:3000/$1 [P,L]
    
        ProxyPassReverse /          http://localhost:3000/
    </VirtualHost>

    Restart Apache: service apache2 restart

    Running behind a Caddy reverse proxy with free SSL

    First, download Caddy

    curl https://getcaddy.com | bash

    Now Caddy is installed, but you still need a service to run Caddy http server on the background.

    You must have at least port 443 opened so the Caddy server will request an SSL certificate from Let's Encrypt

    You can also open port 80 to redirect http requests to https.

    Open /etc/caddy/Caddyfile

    Insert

    yourdomain.com {
            reverse_proxy localhost:3000
            header Access-Control-Allow-Methods "POST, GET, OPTIONS"
            header Access-Control-Allow-Headers "*"
            import cors https://sub.domain.livechat
    }


    Was this article helpful?

    ESC

    Eddy AI, facilitating knowledge discovery through conversational intelligence