How to run enketo-express with SSL certificate


Bowen Li

Apr 18, 2015, 1:58:19 AM
to enketo...@googlegroups.com, Bowen Li
Dear all,

I currently run enketo-express on http with ODK Aggregate. I would like to run enketo-express on https instead. server.key and server.crt have been generated and self-signed using openssl. In the enketo-express GitHub it is mentioned that security settings can be added in config/config.json. In config/default-config.json the SSL configuration is not included. Is there any example that we can follow? Thanks.

Regards,
Bowen

Martijn van de Rijdt

Apr 18, 2015, 11:13:14 AM
to enketo...@googlegroups.com
Hi Bowen,

I think using a reverse proxy in front of Enketo is the best way to run a nodeJS app on https, so I haven't added any code for running on ssl inside the app. Would a reverse proxy work for you? The advantage of this solution is that it is much more straightforward to fend off any new security threats using NGINX (or Apache), especially for as long as we still need to use the old node.js 0.10.x.

FWIW, this is the NGINX config I found and used that scores an A+ on ssllabs.com (nothing enketo-specific about this): https://gist.github.com/MartijnR/2e03a7938d74dd884136

Cheers,
Martijn


Li Bowen

Apr 18, 2015, 11:15:33 AM
to enketo...@googlegroups.com, mar...@enketo.org

Really appreciate your expert advice. It would save me days. I will try this out.

cheers,
bowen


Bowen Li

Apr 19, 2015, 4:21:42 AM
to enketo...@googlegroups.com
I managed to set up the reverse proxy and would like to add in some more details for beginners like me.

The ssl_ciphers is truncated in https://gist.github.com/MartijnR/2e03a7938d74dd884136. I found a recommended one online:

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


nginx can be easily installed on Ubuntu:
sudo apt-get install nginx
Configuration files of nginx reside in /etc/nginx/nginx.conf
nginx.conf will load site-enabled/*.

So save the gist script in site-available/enketo and link site-enabled/default to it. Only need to modify the server_name.

After that, block port 8005.

Thanks.
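The setup described in the thread, written out as an added example; this is not the gist linked above and not code from any of the posters. The hostname, the certificate directory and the protocol list are assumptions; port 8005 and the server.crt/server.key file names come from the thread, and the two cipher suites are the first two entries of the list quoted above.

```nginx
# Added example: hypothetical /etc/nginx/sites-available/enketo
# Assumes a current nginx build (TLSv1.3 is rejected by old versions;
# drop it from ssl_protocols there).

# Redirect plain HTTP so form data is never submitted unencrypted.
server {
    listen 80;
    server_name enketo.example.org;      # placeholder: set to your host
    return 301 https://$host$request_uri;
}

# TLS terminates here; Enketo itself keeps speaking plain HTTP locally.
server {
    listen 443 ssl;
    server_name enketo.example.org;      # placeholder: set to your host

    # File names from the thread; the directory is an assumption.
    # Keep server.key readable by root only.
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Forward-secret AEAD suites only (subset of the list in the thread).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_session_cache shared:SSL:10m;

    location / {
        # Upstream is the loopback address, so port 8005 can be closed
        # to the outside without breaking the proxy.
        proxy_pass http://127.0.0.1:8005;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t to validate the file before reloading. Because the proxy reaches Enketo over 127.0.0.1, blocking external access to port 8005 leaves the TLS listener as the only way in.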