Running CLOUDFLOW over SSL

It is possible to set up CLOUDFLOW to run over SSL.

To do so, follow these steps:

1. Obtain a certificate

An SSL server needs a certificate, and CLOUDFLOW requires it in PEM format. Certificates delivered as PFX or PKCS#12 files (typically for Microsoft IIS) must be converted to a PEM-formatted certificate (the format Apache uses).

The PEM file is normally supplied by the SSL provider. You don't have to generate the PEM file yourself.

The PEM file needs to contain the certificate and the key; the key cannot contain a password. For testing you can generate a PEM file with the following command on OSX:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 30 -nodes
This produces cert.pem and key.pem; append the key to the certificate:
cat key.pem >> cert.pem

The end result is a single PEM file: cert.pem

The PEM data has the following format:
-----BEGIN something-----
base64-encoded data
-----END something-----
It is possible that the PEM is delivered in separate parts. In that case you need to combine them using a text editor in the following order:
  • Your private key.
  • Your certificate.
  • Any intermediate certificates (only if they are supplied by the SSL provider).
Important: The certificate needs to be present before the intermediates.
Important: The certificate will only validate if the URL you use in the browser is the one the certificate was issued for. If you use https://localhost, you will get an error.
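Before handing the combined file to CLOUDFLOW it is worth checking that the parts were assembled correctly. The script below is an added example, not code from the original page or from CLOUDFLOW; check_cloudflow_pem and its sample inputs are constructed here, and the sample blocks contain base64 filler rather than real keys or certificates.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Key: value" header lines, base64 body,
# and an END line whose label matches the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def check_cloudflow_pem(text):
    """Return a list of problems found in a combined CLOUDFLOW PEM file.

    Structural checks only: one private key, at least one certificate, a key
    without a password, valid base64 in every block, and no stray text between
    blocks (easy to leave behind when combining parts in a text editor).
    Whether the key belongs to the certificate must still be checked with openssl.
    """
    problems = []
    blocks = list(PEM_BLOCK.finditer(text))
    if not blocks:
        return ["no PEM blocks found"]
    stray = PEM_BLOCK.sub("", text).strip()
    if stray:
        problems.append(f"stray text outside PEM blocks: {stray[:40]!r}")
    keys = [m for m in blocks if m.group(1).endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not any(m.group(1) == "CERTIFICATE" for m in blocks):
        problems.append("no CERTIFICATE block found")
    for m in blocks:
        label, lines = m.group(1), m.group(2).splitlines()
        headers = [ln for ln in lines if ":" in ln]  # e.g. Proc-Type, DEK-Info
        body = "".join(ln.strip() for ln in lines if ":" not in ln)
        # A password-protected key is either a PKCS#8 "ENCRYPTED PRIVATE KEY"
        # block or a legacy key carrying a "Proc-Type: 4,ENCRYPTED" header.
        if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
            problems.append("private key is password-protected; CLOUDFLOW needs a key without a password")
        try:
            base64.b64decode(body, validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    return problems


# Constructed samples (not real keys or certificates): the body is base64 filler.
FILLER = base64.b64encode(b"constructed sample, not a real key").decode()
CERT_PART = "-----BEGIN CERTIFICATE-----\n" + FILLER + "\n-----END CERTIFICATE-----\n"
GOOD_PEM = CERT_PART + "-----BEGIN RSA PRIVATE KEY-----\n" + FILLER + "\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_PEM = CERT_PART + ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                             "DEK-Info: AES-128-CBC,0123\n\n" + FILLER + "\n-----END RSA PRIVATE KEY-----\n")
```

Run check_cloudflow_pem on the file you intend to pass to --ssl; an empty list means the structural checks passed.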

Example

Such a self-signed PEM file consists of a -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block immediately followed by a -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- block.

2. Install CLOUDFLOW so that it uses SSL

You can set up CLOUDFLOW to use SSL by specifying the --ssl option with the .pem file obtained in step 1.

Examples:

nucleusd --install --ssl cert.pem

This makes CLOUDFLOW listen on port 9090 using SSL with the default options. You will also need to set the Web server URL in the settings page to https://server_address:9090/

nucleusd --install -i serverid -d mongo_ip -p 443 --ssl cert.pem

This makes CLOUDFLOW listen on port 443 using SSL with a custom server id and MongoDB IP address. You will also need to set the Web server URL in the settings page to https://server_address:443/

Note: When SSL has been set up, CLOUDFLOW will only accept SSL connections.