HTTPS

Default Configuration

CloudShark uses nginx as its web server and listens on external port 443 for HTTPS (TLS).

Configure a certificate keypair

CloudShark ships with a self-signed certificate by default and allows access over HTTPS. The default nginx configuration is located at /usr/cloudshark/etc/nginx.conf.

To use a different certificate keypair that you have generated, upload your certificate file to /usr/cloudshark/etc/tls-certificate/cloudshark.crt and the private key to /usr/cloudshark/etc/tls-certificate/cloudshark.key.

Then restart nginx so that CloudShark uses your new certificate and private key instead of the default self-signed certificate.

Restart to update changes

Run the command nginx -s reload to apply the new configuration.

Administrator Notes

Firewall Support

If you are running a firewall, you must allow the HTTPS service, which runs on TCP port 443, through the firewall. Visit our firewall configuration page for information on how to configure this for your OS.

Intermediate TLS Certificates

Some certificates require that an intermediate certificate be installed with the public certificate for the server. These certificates are usually all bundled in the same ZIP archive that the Certificate Authority (CA) provides after signing your CSR (certificate signing request). The certificates must be stored together in the ssl_certificate file, with the server certificate as the first entry, followed by its parent intermediate certificate, and so on for as many intermediate certificates as the CA has provided. By convention, the intermediate certificates have file names identical to the certificate subject line.

You can learn the correct order by inspecting the certificate properties of the HTTPS site in most GUI web browsers. A final caveat: if two certificate delimiters share a single line (for example, an END CERTIFICATE line running directly into the next BEGIN CERTIFICATE line), the entire certificate chain is invalid and nginx reports an error:

SSL PEM routines:PEM_read_bio:bad end line error

If this occurs, no harm is done - simply adjust the formatting of your cloudshark.crt file contents until it is valid.
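Both chain-file caveats above (delimiters sharing a line, and certificate order) can be checked before nginx is reloaded. The shell functions below are an added example, not part of CloudShark or nginx; the function names are hypothetical, and check_chain_order assumes openssl and mktemp are installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not CloudShark or nginx tooling.

# lint_pem_bundle FILE: return 0 when every certificate delimiter sits alone on
# its line and BEGIN/END pairs alternate; otherwise report each problem, return 1.
lint_pem_bundle() {
    awk '
    { sub(/\r$/, "") }                      # ignore a trailing CR on each line
    /^-----BEGIN CERTIFICATE-----[ \t]*$/ {
        if (inside) { printf "line %d: BEGIN before previous END\n", NR; bad = 1 }
        inside = 1; n++; next
    }
    /^-----END CERTIFICATE-----[ \t]*$/ {
        if (!inside) { printf "line %d: END without BEGIN\n", NR; bad = 1 }
        inside = 0; next
    }
    /-----(BEGIN|END) / { printf "line %d: joined or unexpected delimiter\n", NR; bad = 1 }
    END {
        if (inside) { print "last certificate has no END line"; bad = 1 }
        if (n == 0) { print "no certificates found"; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# check_chain_order FILE (needs openssl): compare name hashes to confirm each
# certificate was issued by the one after it (server cert first, then parents).
# This checks names only; it does not verify signatures.
check_chain_order() {
    dir=$(mktemp -d) || return 2
    awk -v d="$dir" '/^-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", d, ++n) }
                     f { print > f }' "$1"
    want="" rc=0
    for c in "$dir"/*.pem; do
        [ -e "$c" ] || { rc=2; break; }
        have=$(openssl x509 -in "$c" -noout -subject_hash) || { rc=2; break; }
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "$(basename "$c"): subject is not the issuer of the previous certificate"
            rc=1
        fi
        want=$(openssl x509 -in "$c" -noout -issuer_hash)
    done
    rm -rf "$dir"
    return "$rc"
}
```

Run lint_pem_bundle on /usr/cloudshark/etc/tls-certificate/cloudshark.crt first, then check_chain_order on the same file once the lint passes.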

Note that some certificate authorities provide binary certificates in DER format. You can convert these to ASCII format (PEM) with the following command:

openssl x509 -in binary_certificate.crt -inform der -outform pem -out ascii_certificate.crt

Private Key Passphrases

Sometimes a key file has a passphrase, so that a human must interactively decrypt the contents right before access.

Please note that CloudShark will not start properly with this configuration. You must remove any passphrases in the key file to allow CloudShark to start automatically. For example, if a key file named cloudshark.key.passphrase is protected by a passphrase, the following command removes the passphrase and saves the unencrypted key in a new file called cloudshark.key. Because the resulting key is stored unencrypted, restrict read access to the file to the accounts that need it.

openssl rsa -in cloudshark.key.passphrase -out cloudshark.key

After you have updated the certificate file, you must restart nginx for the changes to take effect.

Remember to keep a backup of your public certificate and private key files that is not stored on the same system!