Setting Up HTTPS for Core Hub Web UI and Secure Web Socket Connections

This guide explains how to enable and configure HTTPS with TLS encryption for secure connections to the Gluesync Core Hub web interface and secure web socket connections between nodes.

Overview

By default, Gluesync CoreHub runs with TLS encryption enabled, using the built-in self-signed certificate that ships with the trial kit for Docker. To secure communications in your own deployment, you should generate your own certificates and configure CoreHub to use them for TLS encryption.

The process involves the following steps:

  1. Generating the required SSL certificates

  2. Configuring CoreHub to use TLS encryption (enabled by default under any docker-compose kit)

  3. Customizing the security configuration file

Generating SSL Certificates

While the trial kit comes with self-signed certificates, you may want to generate your own. Here’s how to create them:

#!/bin/bash
# Create a directory for certificates
mkdir certs
cd certs

# Generate root CA key (you'll be prompted for a password)
openssl genrsa -des3 -out rootCA.key 4096

# Generate root certificate
openssl req -x509 -new -nodes \
  -key rootCA.key \
  -sha256 \
  -days 1825 \
  -out rootCA.crt \
  -subj "/C=IT/ST=Italy/O=YourOrganization/L=YourCity/OU=YourUnit/CN=gluesync.com"

# Generate Gluesync key
openssl genrsa -out gluesync.com.key 2048

# Generate Certificate Signing Request (CSR)
openssl req -new -sha256 \
  -key gluesync.com.key \
  -subj "/C=IT/ST=Italy/O=YourOrganization/L=YourCity/OU=YourUnit/CN=gluesync.com" \
  -out gluesync.com.csr

# Generate Gluesync certificate
# Browsers match the host name against subjectAltName rather than the CN, so the
# extension is added here (the root CA key password is requested again)
printf 'subjectAltName=DNS:gluesync.com\n' > gluesync.com.ext
openssl x509 -req \
  -in gluesync.com.csr \
  -CA rootCA.crt \
  -CAkey rootCA.key \
  -CAcreateserial \
  -out gluesync.com.crt \
  -days 1825 \
  -sha256 \
  -extfile gluesync.com.ext

# Create PKCS12 keystore (you'll be prompted for an export password; it must
# match certificatePassword in security-config.json)
openssl pkcs12 -export \
  -name gluesync \
  -in gluesync.com.crt \
  -inkey gluesync.com.key \
  -out gluesync.com.p12

# Convert to Java KeyStore (JKS); the keystore and key passwords you enter here
# must match certificatePassword and certificateKeyPassword in security-config.json
keytool -importkeystore \
  -destkeystore gluesync.com.jks \
  -srckeystore gluesync.com.p12 \
  -srcstoretype pkcs12 \
  -alias gluesync

Remember to replace the certificate subject information (/C=IT/ST=Italy/O=YourOrganization/...) with your organization’s details, and gluesync.com with the host name clients will use to reach Core Hub.

Enabling TLS in Core Hub

To enable TLS encryption, modify the Core Hub service definition in your docker-compose file or Kubernetes manifest:

gluesync-core-hub:
  image: molo17/gluesync-core-hub:LATEST
  environment:
    - type=corehub
    - ssl_enabled=true # Enable TLS
    - LOG_CONFIG_FILE=/opt/gluesync/data/logback.xml
  volumes:
    - ./gluesync.com.jks:/opt/gluesync/data/gluesync.com.jks
    # ... other volume mappings ...

The ssl_enabled environment variable is set to true to enable TLS encryption. The default HTTPS port is 1717. Repeat this step for each node and agent present in your deployment.

Important Configuration Notes

  1. Set ssl_enabled=true in the environment variables

  2. Ensure the JKS file (gluesync.com.jks) is mounted correctly in the container

  3. The default HTTPS port is 1717

Customizing the Security Configuration File

So that every node can open the same keystore for its TLS certificate, you need to customize the security configuration file. It should contain the following settings, where certificatePassword and certificateKeyPassword are the keystore and key passwords you chose when creating the JKS:

{
  "ssl": {
    "sslCertificatePath": "/opt/gluesync/data/gluesync.com.jks",
    "certificateAlias": "gluesync",
    "certificatePassword": "gluesync",
    "certificateKeyPassword": "gluesync"
  }
}

Make sure to mount this configuration file on each node. This setup not only secures the communication between the client (browser) and the Core Hub UI but also secures the communication between each node by enabling WSS (WebSocket Secure).

This file should be named security-config.json and placed in the /opt/gluesync/data directory, as in the following volume mapping:

volumes:
  - ./security-config.json:/opt/gluesync/data/security-config.json

Verifying the Configuration

After enabling TLS:

  1. Restart the Core Hub service

  2. Access the web UI using https:// instead of http://

  3. If using self-signed certificates, you may need to accept the security warning in your browser, or import rootCA.crt into the trust store of the browser or machine so that the warning no longer appears
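
The following script is an added example, not part of the Gluesync documentation or product: it checks the files produced in the previous sections against security-config.json before the container is restarted, so that a bad chain, a missing subjectAltName or a password mismatch is caught locally rather than as a browser or WSS error. It assumes the file names, alias and host name used in this guide and that openssl and keytool are on the PATH.

```shell
#!/bin/bash
# Added example, not part of the Gluesync documentation: check the TLS material
# produced by this guide before mounting it into the Core Hub container.
# Assumes the file names and alias used above (rootCA.crt, gluesync.com.crt,
# gluesync.com.jks, alias "gluesync") and the security-config.json layout shown.
set -u

# Read a string value from the flat "ssl" object of security-config.json
# (sed only, so jq is not required).
config_value() {            # config_value <security-config.json> <key>
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# The server certificate must chain to the root CA generated above.
check_chain() {             # check_chain <rootCA.crt> <server.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Browsers ignore the CN and require the host name in subjectAltName.
check_san() {               # check_san <server.crt> <hostname>
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ', ' '\n\n' | grep -qx "DNS:$2"
}

# The keystore must open with the configured password and contain the alias
# (keytool ships with the JDK; the call fails if either is wrong).
check_keystore() {          # check_keystore <server.jks> <alias> <password>
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# Run all checks; alias and password come from security-config.json, the JKS
# argument is the host-side copy of the file that gets mounted.
verify_tls_setup() {        # verify_tls_setup <config> <rootCA.crt> <server.crt> <server.jks> <hostname>
  local cfg=$1 ca=$2 crt=$3 jks=$4 host=$5 rc=0 ks_alias pass
  ks_alias=$(config_value "$cfg" certificateAlias)
  pass=$(config_value "$cfg" certificatePassword)
  check_chain "$ca" "$crt" || { echo "FAIL: $crt does not chain to $ca"; rc=1; }
  check_san "$crt" "$host" || { echo "FAIL: $crt has no subjectAltName for $host"; rc=1; }
  check_keystore "$jks" "$ks_alias" "$pass" \
    || { echo "FAIL: alias '$ks_alias' not readable from $jks with certificatePassword"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $crt, $jks and $cfg are consistent"
  return "$rc"
}

# Typical invocation from the directory that holds the generated files:
# verify_tls_setup security-config.json certs/rootCA.crt certs/gluesync.com.crt certs/gluesync.com.jks gluesync.com
```

Run it on every node's copy of the files, since each node mounts its own keystore and security-config.json.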

Troubleshooting

  • If you can’t connect after enabling TLS, verify that:

    • The JKS file is properly mounted

    • The ssl_enabled environment variable is set to true

    • The correct port is exposed in your docker-compose configuration

    • The certificate's subjectAltName contains the host name you are browsing to, and the passwords in security-config.json match those used when creating the JKS