Why HTTPS?

HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. You should always use HTTPS on all your websites, and every resource they load should be served over HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both your websites and your users’ personal information, it is a strict requirement for new browser features.

So how do we enable HTTPS for Botpress?

You can place Botpress behind any reverse proxy. I will be using Nginx, a web server that can also act as a reverse proxy, load balancer, mail proxy and HTTP cache.

Download the latest mainline version distribution from here.

Install Nginx on Windows

Unpack the distribution, go to the extracted folder and run Nginx.

cd c:\
unzip nginx-1.17.8.zip
cd nginx-1.17.8
start nginx

Install Nginx on Linux

Unpack the distribution and run the three commands below from the extracted source directory. Once they complete, Nginx is installed in the `/data/tools/nginx` directory.

./configure --prefix=/data/tools/nginx --without-http_gzip_module --with-cc-opt="-DTCP_FASTOPEN=23" --with-http_ssl_module --with-openssl=/data/tools/openssl-1.0.1t
make -j2
make install

Nginx configuration: the /data/tools/nginx/nginx.conf file

In the configuration below, replace `<domain name/ip address>` with your actual domain name or IP address.

# Note: the worker processes run as root here; a dedicated unprivileged user is the usual choice.
user  root;
worker_processes  1;

error_log  logs/error.log;

events {
	worker_connections  1024;
}

http {

	# Disable sending the server identification
	server_tokens off;

	# Configure the cache for static assets
	proxy_cache_path /data/tools/nginx/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=10g
	                 inactive=60m use_temp_path=off;

	# Set the max file size for uploads (make sure it is larger than the configured media size in botpress.config.json)
	client_max_body_size 10M;

	# Configure access logging
	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	                '$status $body_bytes_sent "$http_referer" '
	                '"$http_user_agent" "$http_x_forwarded_for"';

	access_log logs/access.log main;

	sendfile on;
	#tcp_nopush     on;

	#keepalive_timeout  0;
	keepalive_timeout 65;

	#gzip  on;

	upstream botpress {
		server localhost:3000;
	}

	# Redirect all plain HTTP requests to HTTPS
	server {
		listen 80 default_server;
		listen [::]:80 default_server;
		server_name _;
		return 301 https://$host$request_uri;
	}

	# HTTPS server
	server {
		listen       443 ssl;
		server_name  <domain name/ip address>;

		ssl_certificate      /data/tools/bundle.crt;
		ssl_certificate_key  /data/tools/domain.name.key;

		# Force the use of secure protocols only
		# (TLSv1 and TLSv1.1 are deprecated; drop them unless old clients must be supported)
		ssl_prefer_server_ciphers on;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

		# Enable session cache for added performance
		ssl_session_cache shared:SSL:50m;
		ssl_session_timeout 1d;
		ssl_session_tickets off;

		# Security headers. Nginx inherits add_header from the enclosing level only when the
		# current level declares none, so they are set here next to HSTS rather than at the
		# http level, where this server block would discard them.
		# Prevent displaying Botpress in an iframe (clickjacking protection)
		add_header X-Frame-Options SAMEORIGIN;
		# Prevent browsers from sniffing the MIME type if not sent by the server
		add_header X-Content-Type-Options nosniff;
		# Force enable the XSS filter for the website, in case it was disabled manually
		add_header X-XSS-Protection "1; mode=block";
		# Added security with HSTS
		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

		# Enable caching of assets by NGINX to reduce load on the server
		location ~ .*/assets/.* {
			proxy_cache my_cache;
			proxy_ignore_headers Cache-Control;
			proxy_hide_header Cache-Control;
			proxy_hide_header Pragma;
			proxy_pass http://localhost:3000;
			proxy_cache_valid any 30m;
			proxy_set_header Cache-Control max-age=30;
			# 'expires' sets Cache-Control: max-age=30 on the response without an add_header
			# directive, so the security headers declared above are still inherited here
			expires 30s;
		}

		# We need to add specific headers so the websockets can be set up through the reverse proxy
		location /socket.io/ {
			proxy_pass http://localhost:3000/socket.io/;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "Upgrade";
		}

		# All other requests should be directed to the server
		location / {
			#root   html;
			#index  index.html index.htm;
			proxy_read_timeout 120;
			proxy_pass http://botpress;

			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header Host $http_host;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
		}
	}
}
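Nginx inherits add_header directives from the enclosing level only when the current level declares none of its own, so a server block that sets HSTS, or a location that sets Cache-Control, silently drops headers declared at the http level. This added checker (example code, not part of the original post or of Botpress) parses a constructed config with that layout and reports which headers each server and location actually sends; `parse`, `effective_headers`, `missing_headers` and the `bot.example` server name are assumptions of the example.

```python
import re
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(text):
    """Minimal nginx.conf parser -> list of (name, args, children); children is None for a directive."""
    stack, words = [[]], []
    for tok in _TOKEN.findall(re.sub(r'#[^\n]*', '', text)):   # comments stripped first
        if tok == '}':
            stack.pop()
        elif tok in ('{', ';'):
            node = (words[0], words[1:], [] if tok == '{' else None)
            stack[-1].append(node)
            if tok == '{':
                stack.append(node[2])
            words = []
        else:
            words.append(tok)
    return stack[0]

def effective_headers(tree):
    """Map 'server_name [location args]' -> add_header names a response from there carries."""
    result = {}
    def walk(block, inherited, label):
        # Nginx rule: a level that declares ANY add_header replaces the inherited set
        current = [a[0] for n, a, _ in block if n == 'add_header'] or inherited
        for name, args, children in block:
            if name == 'server':
                sn = next((a[0] for n, a, _ in children if n == 'server_name'), '?')
                walk(children, current, sn)
            elif name == 'location':
                walk(children, current, f"{label} {' '.join(args)}")
        if label is not None:
            result[label] = current
    walk(next(c for n, _, c in tree if n == 'http'), [], None)
    return result

def missing_headers(conf_text, required=('Strict-Transport-Security', 'X-Frame-Options')):
    """{label: [missing header names]} for every server/location whose responses lack one."""
    return {label: miss for label, hdrs in effective_headers(parse(conf_text)).items()
            if (miss := [h for h in required if h not in hdrs])}

# Constructed sample mirroring the Botpress layout: http-level header, HSTS in the TLS server, Cache-Control in assets
SAMPLE_CONF = """http {
    add_header X-Frame-Options SAMEORIGIN;
    server { listen 80; server_name _; return 301 https://$host$request_uri; }
    server { listen 443 ssl; server_name bot.example;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        location ~ .*/assets/.* { proxy_pass http://localhost:3000; add_header Cache-Control max-age=30; }
        location / { proxy_pass http://botpress; }
    }
}"""
```

Running `missing_headers(SAMPLE_CONF)` shows the assets location sending neither HSTS nor X-Frame-Options, which is the case the note in the TLS server block guards against.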

Note: You must create an SSL certificate and key, using either openssl or the Java keytool, and point ssl_certificate and ssl_certificate_key in the Nginx configuration at them. If the bot is public-facing, you must buy an SSL certificate for your site from a certificate authority.

An example using OpenSSL to create a local (self-signed) certificate and key:

# Generate a 2048-bit RSA private key
openssl genrsa -out domain.name.key 2048
# Rewrite the key as plain PEM without a passphrase, so Nginx can load it unattended
openssl rsa -in domain.name.key -out domain.name.key
# Create a certificate signing request for the given common name
openssl req -sha256 -new -key domain.name.key -out server.csr -subj '/CN=localhost'
# Self-sign the request, producing a certificate valid for 365 days
openssl x509 -req -sha256 -days 365 -in server.csr -signkey domain.name.key -out bundle.crt

Here, replace localhost with your domain name or IP address.

Start Nginx

./nginx

Use the URL below to access the Botpress admin page.

https://<domain name/ip address>

That’s it. You have successfully configured HTTPS for Botpress.


Simon

I am a Fullstack developer and Consultant with an experience of 9+ years in the industry. I mainly work on Java, React, Javascript, NodeJs, Elasticsearch and Botpress.
