Configuring Nginx support SSL Server-https

Under abstract from: http://docs.bigbluebutton.org/install/install.html

Configuring HTTPS on Bigbluebuttonanchor link for:configuring https on BigBlueButton

You'll want to add HTTPS support to your BigBlueButton server for increased security. Also, as of chrome, chrome users would be unable to share their microphone via WebRTC unless BigBlueButton are loaded via HTTPS.

Configure BigBlueButton to use a domain Nameanchor link for:configure bigbluebutton to use a domain name

In order to obtain a valid SSL certificate for your servers, you must configure the server to use a domain name so you ow N or control.

For the purposes of documentation, we'll be using the domain name "example.com", with a BigBlueButton server hosted at " Bigbluebutton.example.com ".

Please run the commands as root.

Once You has a domain name and has configured it with a DNS host, the add an a record pointing to your server. You can then use the bbb-conf setip command to configure BigBlueButton to use this domain name, for example:

bbb-conf --setip bigbluebutton.example.com

Obtain an SSL Certificateanchor link for:obtain an SSL certificate

In order to serve BigBlueButton through HTTPS, you need to a valid SSL certificate. A domain validated (sometimes called "Class 1") certificate with a 2048 bit RSA key and SHA-256 checksum are the current re commended minimum, and it should be sufficient.

There is a number of providers that is could obtain a certificate from. Many domain name Sales companies also offer certificates.

Some well known large providers of SSL certificates include Comodo, Symantec, GoDaddy, GlobalSign, and DigiCert. In addition, free SSL certificates is available from Startssl and CACert, with some caveats:s Tartssl certificates can ' t be revoked without paying a service fee, and most people does not has the root for CACert instal Led in their Web browser.

Each provider would give you a series of steps to generating the certificate, but they would normally include generating a Private key and certificate request locally, sending the certificate request to being signed, and then receiving back the SIG Ned Certificate after they has performed any required verification steps.

To install the certificate in BigBlueButton, you'll need to the same files for the certificate, private key, and any interme Diate certificates in PEM format.

Configure nginx to use Httpsanchor link for:configure nginx-to-use HTTPS

Depending on your CA, you should now has 2 or more files, as follows:

• Certificate
• Private Key
• Intermediate certificate (there may is more than one, or could is none)

The next step is to install the files on the server.

Create the Directory/etc/nginx/ssl:

mkdir /etc/nginx/ssl

And now create the private key, file for Nginx-to-use (replace the hostname-the filename with your own). In addition, fix the permissions so then only root can read the private key:

cat >/etc/nginx/ssl/bigbluebutton.example.com.key <<‘END‘Paste the contents of your key file hereENDchmod 0600 /etc/nginx/ssl/bigbluebutton.example.com.key

and the certificate file. Note that Nginx needs your server certificate and the list of intermediate certificates together in one file (replace the Hostname in the filename with your own):

cat >/etc/nginx/ssl/bigbluebutton.example.com.crt <<‘END‘Paste (in order) the contents of the following files:  1. The signed certificate from the CA  2. In order, each intermediate certificate provided by the CA (but do not include the root).END

In addition, we'll generate a set of 2048-bit Diffie-hellman parameters to improve security for some types of ciphers. This step can take the several minutes to complete, the particularly if run on a virtual machine.

openssl dhparam -out /etc/nginx/ssl/dhp-2048.pem 2048

Now we can edit the Nginx configuration to use SSL. Edit the file to /etc/nginx/sites-available/bigbluebutton add the marked lines. Ensure that your ' re using the correct filenames to match the certificate and key files for you created above.

server {  server_name bigbluebutton.example.com;  listen 80;  listen 443 ssl;  ssl_certificate /etc/nginx/ssl/bigbluebutton.example.com.crt;  ssl_certificate_key /etc/nginx/ssl/bigbluebutton.example.com.key;  ssl_session_cache shared:SSL:10m;  ssl_session_timeout 10m;  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";  ssl_prefer_server_ciphers on;  ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;  [...]

For reference, note that the SSL settings used above is based on those proposed in Https://hynek.me/articles/hardening-yo Ur-web-servers-ssl-ciphers/and provide support for all modern browsers (including IE8, and not IE6, on Windows XP). Please note that recommended SSL settings is subject to change as new vulnerabilities is found.

Test your HTTPS configurationanchor link for:test your HTTPS configuration

In order to ensure didn ' t do any mistakes that could cause security compromises, please test your HTTPS configuratio N. A well-respected site that can does A series of automated tests is https://www.ssllabs.com/ssltest/-simply enter your s Erver ' s hostname, optionally check the "Do not show results" checkbox if you would like to keep it private and then Submit.

At time of writing, the configuration shown on this page should achieve A "A" ranking in the SSL Labs test page.

Configuring Nginx support SSL Server-https