SSL/TLS Setup
Guide for securing the SBM CRM Platform with SSL/TLS certificates.
Overview
SSL/TLS certificates are required for:
- API endpoints (HTTPS)
- Admin Web App (HTTPS)
- WeChat Mini Program (HTTPS)
- Webhook endpoints (HTTPS)
Certificate Options
Option 1: Let's Encrypt (Recommended for Production)
Free, automated SSL certificates.
Install Certbot
# Ubuntu/Debian
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx
# CentOS/RHEL
sudo yum install certbot python3-certbot-nginx
Obtain Certificate
# For Nginx
sudo certbot --nginx -d api.yourdomain.com -d admin.yourdomain.com
# For standalone (if not using Nginx)
sudo certbot certonly --standalone -d api.yourdomain.com
Auto-Renewal
Certbot sets up automatic renewal. Test renewal:
sudo certbot renew --dry-run
Option 2: Commercial Certificate
Purchase from certificate authority (e.g., DigiCert, GlobalSign).
Nginx Configuration
SSL Configuration
server {
listen 443 ssl http2;
server_name api.yourdomain.com;
ssl_certificate /etc/letsencrypt/live/api.yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.yourdomain.com/privkey.pem;
# SSL Configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
}
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name api.yourdomain.com;
return 301 https://$server_name$request_uri;
}
Application Configuration
Enable HTTPS in Application
{
"server": {
"https": {
"enabled": true,
"port": 3443,
"key": "/path/to/private.key",
"cert": "/path/to/certificate.crt"
}
}
}
Force HTTPS Redirects
// Express middleware
app.use((req, res, next) => {
if (req.header('x-forwarded-proto') !== 'https') {
res.redirect(`https://${req.header('host')}${req.url}`);
} else {
next();
}
});
Security Best Practices
TLS Configuration
- Use TLS 1.2 or higher
- Disable weak ciphers
- Enable perfect forward secrecy
- Use strong key sizes (2048+ bits)
Security Headers
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN" always;
# X-Content-Type-Options
add_header X-Content-Type-Options "nosniff" always;
# Content-Security-Policy
add_header Content-Security-Policy "default-src 'self'" always;
Certificate Monitoring
Set up monitoring for certificate expiration:
# Check certificate expiration
echo | openssl s_client -servername api.yourdomain.com -connect api.yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
Testing SSL Configuration
SSL Labs Test
Test your SSL configuration at SSL Labs.
Command Line Test
# Test SSL connection
openssl s_client -connect api.yourdomain.com:443
# Check certificate details
openssl x509 -in certificate.crt -text -noout
Troubleshooting
Certificate Not Trusted
- Ensure certificate chain is complete
- Check intermediate certificates are included
- Verify certificate matches domain
Mixed Content Warnings
- Ensure all resources use HTTPS
- Update API endpoints to use HTTPS
- Check for hardcoded HTTP URLs
Certificate Expiration
- Set up automatic renewal
- Monitor expiration dates
- Test renewal process regularly