ProfitTrailer SSL Encryption Tutorial (Ubuntu 16.04)

Read before you start

Time has passed since this guide was posted. It should still work, but you may want to look at a better alternative that puts ProfitTrailer behind SSL and at the same time makes it easy to run a number of add-ons.

Check my project Profit Docker on its own Github Repo.


Securing ProfitTrailer behind SSL Reverse Proxy

ProfitTrailer's own WebUI (Monitor) comes with a basic password function that you should use to protect your bot from other people's eyes when it's reachable through the Internet.

This guide shows you how to put the web interface behind TLS (SSL) so that the password and everything else you exchange with it is no longer transmitted in clear text.

Changelog

2017-11-10

  • renaming from ProxyBot to ProfitTrailer
  • moved from subdirectories to subdomains
  • removed basic auth and switched to PT password

Requirements

This guide is based on and made for Ubuntu 16.04 - if you're using other flavours of Linux or any other Operating System you might be able to use parts of it.

You also need a Domain name or sub domain / hostname that points to your server. Make sure to do this before you move on. Your provider probably already offers a subdomain for the server, otherwise it's on you to point one to it.

Install Packages

Note: This guide assumes you are acting as root user. If you don't do so you might need to add sudo to the commands below.

These commands install some basic packages, Nginx (the web server used as reverse proxy), Certbot (used to acquire a free Let's Encrypt certificate), apache2-utils (provides htpasswd; only needed if you still want HTTP basic auth in front of the bot, which this guide no longer uses) and ufw (the firewall used to lock down ports).

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update && apt-get install nginx certbot apache2-utils ufw

After installing ufw we need to make sure we still have access via SSH (Port 22) after enabling it, so the first thing we do is:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh

This denies all incoming traffic by default and allows all outgoing traffic. Additionally it allows the default SSH port (22). If your SSH daemon listens on a port other than the default, allow that port as well before you enable the firewall, otherwise you lock yourself out.

We also want to make sure that http and https traffic can get in before enabling the firewall (nginx needs both ports, and certbot's domain validation uses port 80 as well):

ufw allow http
ufw allow https
ufw enable

You can always check the status of your firewall with

ufw status

This blocks every port except SSH, HTTP and HTTPS, so the Monitor web interface on its own port (8081 by default) should no longer be reachable from outside; only nginx on 80 and 443 is. The ufw documentation covers further options.
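Since ufw is now the only thing between the Internet and the Monitor, it is worth knowing which services on the box are bound to all interfaces and are protected by nothing but the firewall. The following script is an added example and not part of the original guide: it filters the output of ss -ltn for wildcard-bound listeners whose port is not in the ufw allow list from above (22, 80, 443). The ss output embedded in it is constructed for illustration, and the second bot on 8082 is hypothetical; run the function against the real output on your server. If the bot honours the standard Spring Boot server.address property (an assumption; the guide only mentions server.port in application.properties), setting server.address = 127.0.0.1 keeps the Monitor out of this list even when ufw is disabled.

```shell
#!/bin/sh
# Added example (not from the original guide): report TCP listeners that are
# bound to all interfaces but are not in the ufw allow list. Everything it
# prints is reachable from the Internet the moment ufw is disabled.

# Ports this guide opens with "ufw allow ssh/http/https".
ALLOWED_PORTS="22 80 443"

# exposed_listeners: reads `ss -ltn` output on stdin and prints one unexpected
# wildcard-bound port per line (prints nothing if the host is clean).
exposed_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                        # header line
        {
            addr = $4                           # "Local Address:Port" column
            # wildcard binds as printed by old and new ss: 0.0.0.0, *, [::], ::
            if (addr !~ /^(0\.0\.0\.0|\*|\[::\]|::):/) next
            port = addr; sub(/.*:/, "", port)   # keep the text after the last colon
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# sshd, nginx on 80/443, ProfitTrailer on 8081 bound to every interface and a
# hypothetical second bot on 8082 bound to localhost only.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      128    [::]:22              [::]:*
LISTEN  0      128    0.0.0.0:80           0.0.0.0:*
LISTEN  0      128    0.0.0.0:443          0.0.0.0:*
LISTEN  0      100    *:8081               *:*
LISTEN  0      100    127.0.0.1:8082       *:*'

# check_sample: run the audit over the constructed sample (prints "8081").
check_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}

# On the real server run:  ss -ltn | exposed_listeners
check_sample
```

The only port reported for the sample is 8081: the Monitor is listening on every interface and is kept private by ufw alone, which is exactly the situation the reverse proxy below is meant to cover.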

Create SSL certificate

Now let's create your free SSL certificate.

Important note: if you plan to run multiple instances of the bot on the same server, add one -d option per domain/subdomain here. Certbot then issues a single certificate valid for all of them and stores it under the first domain you listed, which is easier to handle than one cert/key pair per subdomain. Read below for more information on multi-bot setups.

certbot certonly --standalone -d example.com

where example.com is your domain name or subdomain. Certbot asks a few questions (including an email address so you can be notified before your cert expires) and starts a temporary web server to prove to Let's Encrypt that the name points at this machine, so the DNS record must already be in place or this fails. Current certbot versions use the HTTP challenge on port 80 for this, and the Ubuntu nginx package starts nginx on port 80 right after installation: stop nginx while certbot runs (service nginx stop, then service nginx start afterwards), otherwise the temporary server cannot bind the port.

Your cert and key files will be put into

/etc/letsencrypt/live/example.com

we need them further down the road.

Now test the renewal without touching the real certificate:

certbot renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start"

Let's Encrypt certificates are only valid for 90 days and must be renewed regularly. --dry-run performs the complete renewal against the Let's Encrypt staging environment; without it certbot would only report that a freshly issued certificate is not yet due for renewal, which tests nothing. The hooks stop nginx so that certbot's standalone server can bind port 80 and start it again afterwards. If everything runs well you should see text like this:

Congratulations, all renewals succeeded. The following certs have been renewed..

If that works, edit your crontab (crontab -e) and add the following line right after the comment section:

@daily certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

Running the check daily means a renewal that fails because Let's Encrypt is temporarily unreachable is simply retried the next day. Certbot only renews (and therefore only restarts nginx through the hooks) once the certificate has less than 30 days left.

Configure Nginx

And now let's configure your web server. First disable the default site. sites-enabled/default is a symlink to sites-available/default, so remove the link rather than its target; a dangling symlink in sites-enabled makes nginx -t fail with an open() error:

rm /etc/nginx/sites-enabled/default

and create your own one:

nano /etc/nginx/sites-available/your-domain.conf

Instead of your-domain.conf just use your domain or hostname (or any other name; it doesn't matter).

Here's what to put in your config:

server {
	listen 80;
	server_name example.com;
	# plain http only redirects to https
	return 301 https://$host$request_uri;
}

server {

	# "listen 443 ssl" replaces the deprecated "ssl on;" directive
	listen 443 ssl;
	server_name example.com;

	# fullchain.pem includes the Let's Encrypt intermediate certificate;
	# cert.pem alone serves an incomplete chain that many clients reject
	ssl_certificate           /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key       /etc/letsencrypt/live/example.com/privkey.pem;

	ssl_session_cache  builtin:1000  shared:SSL:10m;
	# TLS 1.0 and 1.1 are obsolete; every current browser speaks 1.2
	ssl_protocols  TLSv1.2;
	ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
	ssl_prefer_server_ciphers on;

	access_log            /var/log/nginx/nginx.log;

	location / {

	  # pass the client address and the original scheme on to the bot
	  proxy_set_header        Host $host;
	  proxy_set_header        X-Real-IP $remote_addr;
	  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
	  proxy_set_header        X-Forwarded-Proto $scheme;

	  # ProfitTrailer's default port; change it if you changed server.port
	  proxy_pass          http://localhost:8081;
	  proxy_read_timeout  90;

	  # rewrite redirects the bot issues for its own address to the public name
	  proxy_redirect      http://localhost:8081 https://example.com;
	}
}

As you have probably noticed, you need to replace every occurrence of example.com with your domain name. Make sure the paths to your cert and key files are correct; for a certificate issued with several -d options the directory is named after the first domain you passed.

This config starts an http and an https server for your domain name; the http server only redirects everything to https. nginx then forwards every request to ProfitTrailer on localhost:8081, and the login prompt you get is ProfitTrailer's own password protection.

Now we need to link this config from the sites-enabled directory:

ln -s /etc/nginx/sites-available/your-domain.conf /etc/nginx/sites-enabled

(remember to use the name you gave your config file in this line)

When you're done, test your nginx config and, if the test passes, restart nginx:

nginx -t
service nginx restart

When you now open https://example.com/monitoring you should be presented with ProfitTrailer's login form. After entering your credentials you see your Monitor as before, now only reachable through the TLS-encrypted proxy.

Running multiple instances of ProfitTrailer

To run multiple instances of ProfitTrailer you basically need these things:

  • ProfitTrailer running from multiple directories, each with its own port setting
  • An nginx vhost for every bot that proxies to that bot's port
  • A certificate that covers every subdomain (one cert with several -d options, or one per subdomain)

To set your Bot to a different port change this in application.properties:

server.port = 8081

Change it to whatever port is available on the system. Using 8082, 8083,... would be a good option.

Now get a certificate that covers every subdomain. Either issue one certificate with several -d options as described above (it is stored under the first domain you listed) or run certbot again for each subdomain.

Then copy your nginx config in the /etc/nginx/sites-available directory from bot1.example.com.conf to bot2.example.com.conf (or whatever you want to call it) and edit it for the new subdomain: change every occurrence of the domain name, change the port in proxy_pass and proxy_redirect so it points at the new bot, and, if you created a separate certificate for this subdomain, the paths to the cert and key files as well. A missed occurrence is easy to overlook, so grep the file for the old hostname and port before you enable it.

Then link the new config file into the sites-enabled directory as we did above:

ln -s /etc/nginx/sites-available/bot2.example.com.conf /etc/nginx/sites-enabled

After restarting nginx you should be good to go.
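Copying a config and editing every occurrence by hand is exactly where a wrong port or a forgotten hostname slips in. As an added example, not part of the original guide or of ProfitTrailer itself, the shell script below renders the vhost from the Configure Nginx section as a template with the subdomain and bot port filled in, writes it to sites-available and links it into sites-enabled. It assumes all subdomains were put into one certificate, so the files live under the first name given to certbot (PT_CERT_NAME, with the hypothetical default bot1.example.com); the hostnames and ports are placeholders. It proxies to 127.0.0.1 instead of localhost so that a localhost entry resolving to ::1 cannot send nginx to the wrong address.

```shell
#!/bin/sh
# Added example (not from the original guide): render and enable one nginx
# vhost per ProfitTrailer instance from a single template, so the subdomain
# and the bot port are changed in every place at once instead of by hand.
# Assumption: all subdomains were put into ONE certificate (several -d
# options), so certbot stored it under the first name given, PT_CERT_NAME.

PT_CERT_NAME="${PT_CERT_NAME:-bot1.example.com}"

# render_vhost <subdomain> <bot port>: print the nginx config on stdout.
render_vhost() {
    host="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "render_vhost: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    # Shell variables ($host, $port, $PT_CERT_NAME) are expanded here;
    # nginx variables are written as \$name so they reach the file literally.
    cat <<EOF
server {
    listen 80;
    server_name $host;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $host;

    ssl_certificate     /etc/letsencrypt/live/$PT_CERT_NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$PT_CERT_NAME/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    access_log /var/log/nginx/$host.log;

    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;

        # 127.0.0.1 rather than localhost: no surprise if localhost resolves to ::1
        proxy_pass http://127.0.0.1:$port;
        proxy_read_timeout 90;
        proxy_redirect http://127.0.0.1:$port https://$host;
    }
}
EOF
}

# install_vhost <subdomain> <bot port> [nginx dir]: write the file to
# sites-available and link it into sites-enabled (run nginx -t afterwards).
install_vhost() {
    host="$1"; port="$2"; dir="${3:-/etc/nginx}"
    mkdir -p "$dir/sites-available" "$dir/sites-enabled"
    render_vhost "$host" "$port" > "$dir/sites-available/$host.conf" \
        || { rm -f "$dir/sites-available/$host.conf"; return 1; }
    ln -sf "$dir/sites-available/$host.conf" "$dir/sites-enabled/$host.conf"
}

# Example for two bots; afterwards: nginx -t && service nginx restart
#   install_vhost bot1.example.com 8081
#   install_vhost bot2.example.com 8082
render_vhost bot2.example.com 8082
```

Run install_vhost once per bot with the port you set in that bot's application.properties, then test and restart nginx exactly as in the single-bot setup above. If you issued a separate certificate per subdomain instead, set PT_CERT_NAME to that subdomain before each call.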

Did it work for you?

I hope this guide worked for you. Feel free to buy me a beer. If not, feel free to contact me on Telegram (@Helmi74) or on the ProfitTrailer Discord

Tip Jar

BTC 1MG4sknQdzsN9ukjEqqeuSsGBjCbnoVAsg
@ketonatus commented Jan 2, 2018

After the paste of the nginx config, you are missing the trailing } and it's outside of the code wrap:

proxy_redirect http://localhost:8081 https://example.com;
}
}
