
In our previous articles we covered installation of Taiga Project Management Tool on CentOS 8 and Ubuntu 20.04 Linux servers. In this blog post we will be showing you how to harden your Taiga project management platform with Let’s Encrypt HTTPS certificates. Let’s Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG).

This guide assumes you are using the Nginx web server to expose Taiga over a domain name. Nginx serves the static files of taiga-front-dist and proxies API requests to taiga-back. You need to stop the nginx service before proceeding, because certbot's standalone mode (used below) must bind port 80 itself to answer the HTTP challenge.

Stop nginx service

Check nginx service if running:

$ systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-10-03 00:03:47 CEST; 1 day 1h ago
 Main PID: 11870 (nginx)
    Tasks: 3 (limit: 24392)
   Memory: 5.8M
   CGroup: /system.slice/nginx.service
           ├─11870 nginx: master process /usr/sbin/nginx
           ├─11871 nginx: worker process
           └─11872 nginx: worker process

Oct 03 00:03:47 projects.hirebestengineers.com systemd[1]: Starting The nginx HTTP and reverse proxy server...
Oct 03 00:03:47 projects.hirebestengineers.com nginx[11866]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Oct 03 00:03:47 projects.hirebestengineers.com nginx[11866]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Oct 03 00:03:47 projects.hirebestengineers.com systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Oct 03 00:03:47 projects.hirebestengineers.com systemd[1]: Started The nginx HTTP and reverse proxy server.

If it is in the running state, stop it.

sudo systemctl stop nginx

Install certbot tool

Next, install the certbot tool, which automates obtaining and deploying Let’s Encrypt certificates.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo mv certbot-auto /usr/local/bin
sudo chmod 0755 /usr/local/bin/certbot-auto

Run the certbot-auto tool to install OS dependencies.

certbot-auto --os-packages-only

Agree to package installation:

Transaction Summary
==================================================================================================================================================================
Install  36 Packages
Upgrade   1 Package

Total download size: 52 M
Is this ok [y/N]: y

Obtain Let’s Encrypt SSL certificates

Save the domain name of your Taiga platform in a shell variable.

DOMAIN='projects.hirebestengineers.com'

Do the same for the email address that will receive certificate expiry notifications.

EMAIL="[email protected]"

If the http and https services are not yet allowed through the firewall (firewalld on CentOS servers), add them.

sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload

Request the certificate using the certbot-auto command line tool.

certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

Expect a success message once the command completes.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/projects.hirebestengineers.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/projects.hirebestengineers.com/privkey.pem
   Your cert will expire on 2021-01-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Next, generate a strong DH parameter file:

sudo openssl dhparam -out /etc/ssl/dhparam.pem 2048

Confirm that the file was created.

$ ll /etc/ssl/dhparam.pem
-rw-r--r--. 1 root root 424 Oct  4 02:14 /etc/ssl/dhparam.pem

Update Nginx configuration file

Now update the Nginx configuration file to set the SSL options.

But first, back up the current configuration.

$ sudo cp /etc/nginx/conf.d/taiga.conf{,.bak-$(date +%F:%T)}
$ ls /etc/nginx/conf.d/
taiga.conf  taiga.conf.bak-2020-10-04:02:01:47

Edit the taiga.conf file with your favorite file editor – replace domain names and SSL paths with your values.

sudo vim /etc/nginx/conf.d/taiga.conf

Update the configuration content as follows.

# Redirect http to https
server {   
    listen 80;
    server_name projects.hirebestengineers.com www.projects.hirebestengineers.com; # Set correct values
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name projects.hirebestengineers.com www.projects.hirebestengineers.com; # Set correct values

    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;

    index index.html;

    # Frontend
    location / {
        root /home/taiga/taiga-front-dist/dist/;
        try_files $uri $uri/ /index.html;
    }

    # Backend
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001/api;
        proxy_redirect off;
    }

    # Admin access (/admin/)
    location /admin {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001$request_uri;
        proxy_redirect off;
    }

    # Static files
    location /static {
        alias /home/taiga/taiga-back/static;
    }

    # Media files
    location /media {
        alias /home/taiga/taiga-back/media;
    }

    # Events
    location /events {
        proxy_pass http://127.0.0.1:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }

    # SSL
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    # 'ssl on;' is obsolete: 'listen 443 ssl' above already enables TLS on this server block.
    ssl_certificate /etc/letsencrypt/live/projects.hirebestengineers.com/fullchain.pem;   # Set SSL cert path
    ssl_certificate_key /etc/letsencrypt/live/projects.hirebestengineers.com/privkey.pem; # Set SSL key path
    ssl_trusted_certificate /etc/letsencrypt/live/projects.hirebestengineers.com/chain.pem; # Issuer chain, required for ssl_stapling_verify
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated; only offer TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
}

Validate nginx configuration.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
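nginx -t only validates syntax; it says nothing about the strength of the TLS settings. The following Python script is an added example, not part of the original guide: it parses the TLS directives of a server block and flags the weak settings a hardening pass should catch (deprecated protocol versions, the obsolete `ssl on` directive, a Public-Key-Pins header, a missing HSTS header, and stapling verification without a trusted chain). The embedded server block is a constructed sample, not the guide's file.

```python
# Constructed sample: the SSL section of a server block before hardening.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Public-Key-Pins 'pin-sha256="PLACEHOLDER="; max-age=2592000';
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# Protocol versions that should never appear in ssl_protocols today.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def directives(conf):
    """Yield (name, arguments) for each directive; skips comments, braces and blank lines."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, args = line.partition(" ")
        yield name, args.strip()


def lint_tls(conf):
    """Return a list of findings about the TLS settings; an empty list means none found."""
    seen, headers = {}, []
    for name, args in directives(conf):
        if name == "add_header":
            headers.append(args)          # add_header may repeat, so collect all of them
        else:
            seen[name] = args
    findings = []
    weak = sorted(set(seen.get("ssl_protocols", "").split()) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(weak))
    if "ssl" in seen:
        findings.append("'ssl on' is obsolete; 'listen 443 ssl' already enables TLS")
    if any(h.startswith("Public-Key-Pins") for h in headers):
        findings.append("Public-Key-Pins header: HPKP is no longer honoured by browsers and copied pins do not belong to this site")
    if not any(h.startswith("Strict-Transport-Security") for h in headers):
        findings.append("no Strict-Transport-Security header")
    if seen.get("ssl_stapling_verify") == "on" and "ssl_trusted_certificate" not in seen:
        findings.append("ssl_stapling_verify needs ssl_trusted_certificate (the Let's Encrypt chain.pem)")
    return findings
```

Run `lint_tls` over the real taiga.conf after editing it; a clean result is an empty list.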

Update Taiga Frontend and Backend configurations

Before activating the HTTPS site, the configuration for the frontend and the backend must be updated. Change the scheme from http to https throughout the configurations.

$ sudo su - taiga

Update backend configuration:

$ vim ~/taiga-back/settings/local.py

This is my updated configuration.

from .common import *

MEDIA_URL = "https://projects.hirebestengineers.com/media/"
STATIC_URL = "https://projects.hirebestengineers.com/static/"
SITES["front"]["scheme"] = "https"
SITES["front"]["domain"] = "projects.hirebestengineers.com"

SECRET_KEY = "OQOEJNSJIQHDBQNSUQEJSNNANsqQPAASQLSMSOQND"

DEBUG = False
PUBLIC_REGISTER_ENABLED = True

DEFAULT_FROM_EMAIL = "[email protected]"
SERVER_EMAIL = DEFAULT_FROM_EMAIL

#CELERY_ENABLED = True

EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:[email protected]:5672/taiga"}

# Uncomment and populate with proper connection parameters
# to enable email sending. EMAIL_HOST_USER should end with @domain.tld
#EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
#EMAIL_USE_TLS = False
#EMAIL_HOST = "localhost"
#EMAIL_HOST_USER = ""
#EMAIL_HOST_PASSWORD = ""
#EMAIL_PORT = 25

# Uncomment and populate with proper connection parameters
# to enable GitHub login/signin.
#GITHUB_API_CLIENT_ID = "yourgithubclientid"
#GITHUB_API_CLIENT_SECRET = "yourgithubclientsecret"

Do the same for the frontend config file.

$ vim ~/taiga-front-dist/dist/conf.json

The updated file is shown below. Note that the events endpoint must use wss:// (WebSocket over TLS): a page served over https cannot open a plain ws:// connection, and the http listener now only returns redirects.

{
    "api": "https://projects.hirebestengineers.com/api/v1/",
    "eventsUrl": "wss://projects.hirebestengineers.com/events",
    "eventsMaxMissedHeartbeats": 5,
    "eventsHeartbeatIntervalTime": 60000,
    "eventsReconnectTryInterval": 10000,
    "debug": true,
    "debugInfo": false,
    "defaultLanguage": "en",
    "themes": ["taiga"],
    "defaultTheme": "taiga",
    "publicRegisterEnabled": true,
    "feedbackEnabled": true,
    "supportUrl": "https://tree.taiga.io/support",
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "GDPRUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": [],
    "tribeHost": null,
    "importers": [],
    "gravatar": true,
    "rtlLanguages": ["fa"]
}
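A quick consistency check for the frontend configuration, added here as an example and not part of the original guide or of Taiga itself: it loads a conf.json, verifies that the API and events endpoints use the secure schemes (https and wss) and point at the expected domain, and can rewrite the schemes in place. The embedded conf.json is a constructed sample with the events endpoint still on plain ws://.

```python
import json
from urllib.parse import urlparse

# Constructed sample: conf.json with the API on https but the events endpoint still on ws://.
SAMPLE_CONF_JSON = """{
    "api": "https://projects.hirebestengineers.com/api/v1/",
    "eventsUrl": "ws://projects.hirebestengineers.com/events",
    "eventsMaxMissedHeartbeats": 5,
    "publicRegisterEnabled": true
}"""

# Scheme each endpoint must use once the site is served over HTTPS.
SECURE_SCHEMES = {"api": "https", "eventsUrl": "wss"}


def check_frontend_conf(text, domain):
    """Return findings for endpoints that would break or downgrade an HTTPS deployment."""
    conf = json.loads(text)
    findings = []
    for key, want in SECURE_SCHEMES.items():
        url = conf.get(key)
        if not url:
            findings.append(f"{key} is missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != want:
            findings.append(f"{key} uses {parsed.scheme}://, expected {want}:// "
                            "(browsers block insecure requests from an HTTPS page)")
        if parsed.hostname != domain:
            findings.append(f"{key} points at {parsed.hostname}, expected {domain}")
    return findings


def fix_schemes(text):
    """Rewrite api/eventsUrl to their secure schemes, leaving every other key untouched."""
    conf = json.loads(text)
    for key, want in SECURE_SCHEMES.items():
        if key in conf:
            conf[key] = urlparse(conf[key])._replace(scheme=want).geturl()
    return json.dumps(conf, indent=4)
```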

Restart all Taiga services after configuration updates.

sudo systemctl restart 'taiga*'

Restart nginx service.

sudo systemctl restart nginx

Load the Taiga web console and confirm that you are redirected from http to https.

Check the certificate details in your browser.

Add a certificate auto-renew cron job in root's crontab. A per-user crontab has no user column (that field exists only in /etc/crontab and /etc/cron.d files), so the line consists of the schedule followed directly by the command.

# crontab -e
0 0,12 * * * /usr/local/bin/certbot-auto renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
