In our previous articles we covered installation of Taiga Project Management Tool on CentOS 8 and Ubuntu Linux servers. In this blog post we will be showing you how to harden your Taiga project management platform with Let’s Encrypt HTTPS certificates. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).
This guide assumes you are using the Nginx web server to expose Taiga under a domain name: Nginx serves the static taiga-front-dist files and proxies API requests to taiga-back. You need to stop the nginx service before you proceed, because certbot's standalone mode binds port 80 itself to answer the HTTP-01 challenge.
Step 1: Stop nginx service
Check whether the nginx service is running:
$ systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2022-10-03 00:03:47 CEST; 1 day 1h ago
Main PID: 11870 (nginx)
Tasks: 3 (limit: 24392)
Memory: 5.8M
CGroup: /system.slice/nginx.service
├─11870 nginx: master process /usr/sbin/nginx
├─11871 nginx: worker process
└─11872 nginx: worker process
Oct 03 00:03:47 projects.example.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Oct 03 00:03:47 projects.example.com nginx[11866]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 03 00:03:47 projects.example.com nginx[11866]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Oct 03 00:03:47 projects.example.com systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Oct 03 00:03:47 projects.example.com systemd[1]: Started The nginx HTTP and reverse proxy server.
If it is running, stop it:
sudo systemctl stop nginx
Step 2: Install Let’s Encrypt certbot tool
Then install the certbot tool, which automates obtaining and deploying Let’s Encrypt certificates.
# Install certbot on Ubuntu /Debian
sudo apt update
sudo apt install certbot
# Install certbot on CentOS / Rocky
sudo yum -y install epel-release
sudo yum -y install certbot
Step 3: Obtain Let’s Encrypt SSL certificates
Save the domain name of your Taiga platform in a shell variable.
DOMAIN='projects.example.com'
Do the same for the email address that will receive certificate expiry notifications.
EMAIL="admin@example.com" # replace with your own address
On CentOS servers, if the http and https ports are not yet allowed through the firewall, add them:
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload
Request the certificate with the certbot command line tool (standalone mode starts a temporary web server on port 80 for the HTTP-01 challenge, which is why nginx had to be stopped):
sudo certbot certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
Expect a success message once the command completes.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/projects.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/projects.example.com/privkey.pem
Your cert will expire on 2021-01-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Next, generate a Diffie-Hellman parameter file for the DHE cipher suites:
sudo openssl dhparam -out /etc/ssl/dhparam.pem 2048
Confirm that the file was written:
$ ll /etc/ssl/dhparam.pem
-rw-r--r--. 1 root root 424 Oct 4 02:14 /etc/ssl/dhparam.pem
Step 4: Update Nginx Configuration file
Now update the Nginx configuration file to set the SSL options. First, back up the current configuration:
$ sudo cp /etc/nginx/conf.d/taiga.conf{,.bak-$(date +%F:%T)}
$ ls /etc/nginx/conf.d/
taiga.conf taiga.conf.bak-2020-10-04:02:01:47
Edit the taiga.conf file with your favorite file editor – replace domain names and SSL paths with your values.
sudo vim /etc/nginx/conf.d/taiga.conf
Update the configuration content as follows.
# Redirect http to https
server {
    listen 80;
    server_name projects.example.com www.projects.example.com; # Set correct values
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    # Set correct values. Only the names passed to certbot with -d are covered by the
    # certificate, so either request www.projects.example.com as well or drop it here.
    server_name projects.example.com www.projects.example.com;
    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;
    index index.html;

    # Frontend
    location / {
        root /home/taiga/taiga-front-dist/dist/;
        try_files $uri $uri/ /index.html;
    }

    # Backend
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001/api;
        proxy_redirect off;
    }

    # Admin access (/admin/)
    location /admin {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001$request_uri;
        proxy_redirect off;
    }

    # Static files
    location /static {
        alias /home/taiga/taiga-back/static;
    }

    # Media files
    location /media {
        alias /home/taiga/taiga-back/media;
    }

    # Events (WebSocket upgrade to taiga-events)
    location /events {
        proxy_pass http://127.0.0.1:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }

    # SSL
    # HSTS: browsers will refuse plain http to this host for two years. "preload" only
    # takes effect once the domain is submitted to the browser preload list and is hard to undo.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # The obsolete "ssl on;" directive is omitted (nginx 1.25+ rejects it); "listen 443 ssl" enables TLS.
    # No Public-Key-Pins header: HPKP is obsolete, and pins that do not match the Let's Encrypt key lock users out.
    ssl_certificate /etc/letsencrypt/live/projects.example.com/fullchain.pem; # Set SSL cert path
    ssl_certificate_key /etc/letsencrypt/live/projects.example.com/privkey.pem; # Set SSL key path
    ssl_trusted_certificate /etc/letsencrypt/live/projects.example.com/chain.pem; # Issuer chain, used to verify stapled OCSP responses
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3; # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
}
Validate nginx configuration.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
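nginx -t only checks syntax; it will happily accept TLSv1.0 or a stray pin header. The following Python script, an added example that is not part of the original guide, audits a server block for the settings this step relies on (no obsolete `ssl on`, no legacy protocols, HSTS present, no HPKP, certificate, key and dhparam set). It runs on a constructed sample; feed it the text of the real taiga.conf to check your server.

```python
"""Audit an nginx server block for the TLS settings this step configures.
Added example, not part of the original guide; it parses a constructed config
string offline. Pass the text of /etc/nginx/conf.d/taiga.conf to audit() to
check a real file (nginx -t validates syntax only, not these choices)."""

# Constructed sample carrying settings a stale taiga.conf may still have.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/letsencrypt/live/projects.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/projects.example.com/privkey.pem;
    ssl_dhparam /etc/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
}
"""


def directives(conf: str) -> dict:
    """Map directive name -> list of argument strings, skipping braces and comments."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.rstrip(";").partition(" ")
        found.setdefault(name, []).append(args.strip())
    return found


def audit(conf: str) -> list:
    """Return findings for the block; an empty list means it passes."""
    d = directives(conf)
    findings = []
    if "ssl" in d:
        findings.append("'ssl on' is obsolete (removed in nginx 1.25); 'listen 443 ssl' suffices")
    protocols = set(d.get("ssl_protocols", [""])[-1].split())
    legacy = protocols & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    headers = " ".join(d.get("add_header", []))
    if "Strict-Transport-Security" not in headers:
        findings.append("HSTS header missing")
    if "Public-Key-Pins" in headers:
        findings.append("HPKP header present; obsolete and can lock users out after key rotation")
    for key in ("ssl_certificate", "ssl_certificate_key", "ssl_dhparam"):
        if key not in d:
            findings.append(key + " not set")
    return findings
```

Run `audit(open("/etc/nginx/conf.d/taiga.conf").read())` as root on the server; an empty list means the block matches the hardened configuration above.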
Step 5: Update Taiga Frontend and Backend configurations
Before activating the HTTPS site, the configuration for the frontend and the backend must be updated. Change the scheme from http to https throughout the configurations.
sudo su - taiga
Update backend configuration:
vim ~/taiga-back/settings/local.py
This is my updated configuration.
from .common import *
MEDIA_URL = "https://projects.example.com/media/"
STATIC_URL = "https://projects.example.com/static/"
SITES["front"]["scheme"] = "https"
SITES["front"]["domain"] = "projects.example.com"
SECRET_KEY = "OQOEJNSJIQHDBQNSUQEJSNNANsqQPAASQLSMSOQND"
DEBUG = False
PUBLIC_REGISTER_ENABLED = True
DEFAULT_FROM_EMAIL = "no-reply@projects.example.com"
SERVER_EMAIL = DEFAULT_FROM_EMAIL
#CELERY_ENABLED = True
EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:StrongPassword@localhost:5672/taiga"}
# Uncomment and populate with proper connection parameters
# to enable email sending. EMAIL_HOST_USER should end with @domain.tld
#EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
#EMAIL_USE_TLS = False
#EMAIL_HOST = "localhost"
#EMAIL_HOST_USER = ""
#EMAIL_HOST_PASSWORD = ""
#EMAIL_PORT = 25
# Uncomment and populate with proper connection parameters
# to enable GitHub login/sign-in.
#GITHUB_API_CLIENT_ID = "yourgithubclientid"
#GITHUB_API_CLIENT_SECRET = "yourgithubclientsecret"
Do the same for the frontend config file.
vim ~/taiga-front-dist/dist/conf.json
See below.
{
    "api": "https://projects.example.com/api/v1/",
    "eventsUrl": "wss://projects.example.com/events",
    "eventsMaxMissedHeartbeats": 5,
    "eventsHeartbeatIntervalTime": 60000,
    "eventsReconnectTryInterval": 10000,
    "debug": true,
    "debugInfo": false,
    "defaultLanguage": "en",
    "themes": ["taiga"],
    "defaultTheme": "taiga",
    "publicRegisterEnabled": true,
    "feedbackEnabled": true,
    "supportUrl": "https://tree.taiga.io/support",
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "GDPRUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": [],
    "tribeHost": null,
    "importers": [],
    "gravatar": true,
    "rtlLanguages": ["fa"]
}
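Note that the events URL must move to wss://, not just the API URL: a browser loading the frontend over https blocks a plain ws:// socket as mixed content, so live updates silently stop. The following Python script, an added example that is not part of Taiga or the original guide, cross-checks constructed excerpts of conf.json and local.py for that and for frontend/backend scheme and host mismatches; the file names and settings are the ones shown above.

```python
"""Cross-check the Taiga frontend and backend configs after the move to HTTPS.
Added example, not from Taiga or the original guide; the sample contents are
constructed inline, and local.py is read with a regex, never executed."""
import json
import re
from urllib.parse import urlparse

# Constructed conf.json excerpt: the events socket still points at plain ws://
FRONT_CONF = """{
  "api": "https://projects.example.com/api/v1/",
  "eventsUrl": "ws://projects.example.com/events"
}"""

# Constructed taiga-back/settings/local.py excerpt with one URL left on http
BACK_CONF = '''
MEDIA_URL = "https://projects.example.com/media/"
STATIC_URL = "http://projects.example.com/static/"
SITES["front"]["scheme"] = "https"
SITES["front"]["domain"] = "projects.example.com"
'''

# Quoted string assignments to the settings this check needs.
ASSIGNMENT = re.compile(
    r'^\s*(MEDIA_URL|STATIC_URL|SITES\["front"\]\["(?:scheme|domain)"\])\s*=\s*"([^"]*)"',
    re.M,
)


def check_configs(front_json: str, back_py: str) -> list:
    """Return findings; an empty list means both configs agree and use secure schemes."""
    front, back = json.loads(front_json), dict(ASSIGNMENT.findall(back_py))
    domain = back.get('SITES["front"]["domain"]')
    findings = []
    if back.get('SITES["front"]["scheme"]') != "https":
        findings.append('backend SITES["front"]["scheme"] is not https')
    for key in ("MEDIA_URL", "STATIC_URL"):
        if urlparse(back.get(key, "")).scheme != "https":
            findings.append(f"backend {key} is not https")
    api, events = urlparse(front["api"]), urlparse(front["eventsUrl"])
    if api.scheme != "https":
        findings.append("frontend api is not https")
    elif events.scheme != "wss":
        findings.append("frontend eventsUrl is not wss; browsers block ws:// from an https page")
    for name, url in (("api", api), ("eventsUrl", events)):
        if url.hostname != domain:
            findings.append(f"frontend {name} host does not match backend SITES front domain")
    return findings
```

On the server, pass the contents of ~/taiga-front-dist/dist/conf.json and ~/taiga-back/settings/local.py to check_configs() and expect an empty list before restarting the services.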
Restart all Taiga services after configuration updates.
sudo systemctl restart 'taiga*'
Restart nginx service.
sudo systemctl restart nginx
Load the Taiga web console and confirm that you are redirected from http to https.
Check certificate details.
Add a cron job to renew the certificate automatically. Because crontab -e edits the root user's own crontab, the entry takes no user field (that column exists only in /etc/crontab and /etc/cron.d); the hooks stop nginx so certbot's standalone server can bind port 80 during renewal:
$ sudo crontab -e
0 0,12 * * * /usr/bin/certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"