Setting up Secure HTTP (HTTPS) with AMP

warning

WE ARE USING CLOUDFLARE TUNNEL FOR HTTPS, NOT NGINX!

DO NOT USE THIS GUIDE!

THIS IS ONLY ON TESTING ENVIRONMENT!

DO NOT USE THIS IN PRODUCTION!

There are several methods to set up secure HTTP (HTTPS) within AMP, depending on your use case. Note that with AMP Enterprise, the use of HTTPS is mandatory.

1.1 Option 1

Run the following as root for distributions that support the getamp.sh script:

getamp postSetupHTTPS

1.2 Option 2

If the getamp.sh script is not supported for your distribution, use:

ampinstmgr setupnginx YOUR_DOMAIN/SUBDOMAIN INSTANCE_PORT

1.3 SELinux configuration

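For distros that use SELinux, run the following as root. The first command puts the whole httpd_t domain (the domain nginx runs in) into permissive mode, so SELinux logs denials for it but no longer enforces them; the two booleans allow httpd_t processes to make outbound network connections and to act as a relay: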

semanage permissive -a httpd_t
setsebool -P httpd_can_network_relay 1
setsebool -P httpd_can_network_connect 1

More information about nginx and SELinux

2. Reverse proxy on Windows

The easiest option is Caddy.

3. Manual nginx reverse proxy setup on Linux (advanced)

3.1 Nginx configuration

Include the following nginx virtual host configuration:

# Plain HTTP: redirect requests for this host to HTTPS, reject anything else.
server {
    listen 80;
    listen [::]:80;
    server_name EXAMPLE.DOMAIN.COM;
    if ($host = EXAMPLE.DOMAIN.COM) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

# HTTPS: terminate TLS here and proxy to the AMP instance.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name EXAMPLE.DOMAIN.COM;
    ssl_certificate /etc/letsencrypt/live/EXAMPLE.DOMAIN.COM/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.DOMAIN.COM/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # AMP instance port on the local machine.
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade headers (these require proxy_http_version 1.1).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # Pass the scheme of the original request (http or https) to AMP.
        proxy_set_header X-AMP-Scheme $scheme;
        # 86400s = 24 hours.
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_buffering off;
        client_max_body_size 10240M;
        # Shown when the AMP instance is not reachable.
        error_page 502 /NotRunning.html;

        location = /NotRunning.html {
            root /opt/cubecoders/amp/shared/WebRoot;
            internal;
        }

        location /shared/ {
            alias /opt/cubecoders/amp/shared/WebRoot/;
        }
    }
}

3.2 AMP configuration changes

Stop the ADS and run:

ampinstmgr reconfigure ADS01 +Core.Webserver.UsingReverseProxy True
ampinstmgr reconfigure ADS01 +Core.Webserver.ReverseProxyHost INSERT_IP

AMP has built-in support for HTTPS with its internal application server. It requires a certificate in PFX format with a passphrase.

4.1 Linux manual configuration

Edit /home/amp/.ampdata/instances/ADS01/AMPConfig.conf:

Webserver.CertificatePath=/path/to/your/certificate.pfx
Webserver.CertificatePassword=y0urc0mplexpa5$word
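
The PFX that Webserver.CertificatePath points at can be built from PEM files such as the fullchain.pem and privkey.pem used in the nginx section. The script below is an added example, not part of the AMP documentation: make_amp_pfx, amp_pfx_demo and the PFX_PASS variable are names chosen here, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the AMP docs): bundle a PEM certificate chain and key
# into the passphrase-protected PFX that Webserver.CertificatePath points at.
# Usage: PFX_PASS='...' make_amp_pfx FULLCHAIN.pem PRIVKEY.pem OUT.pfx
make_amp_pfx() {
    fullchain=$1 privkey=$2 out=$3
    # AMP requires a passphrase; take it from the environment so it never
    # shows up in argv (process list) or shell history.
    [ -n "${PFX_PASS:-}" ] || { echo "PFX_PASS is not set" >&2; return 2; }
    export PFX_PASS
    # Refuse to bundle a key that does not belong to the leaf certificate.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$privkey" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch" >&2; return 3; }
    # The PFX holds the private key: create it owner-only.
    ( umask 077 && openssl pkcs12 -export -in "$fullchain" -inkey "$privkey" \
        -out "$out" -passout env:PFX_PASS ) || return 1
    chmod 600 "$out"
    # Round trip: the bundle must open with the same passphrase.
    openssl pkcs12 -in "$out" -passin env:PFX_PASS -noout 2>/dev/null || return 4
}

# Demo on constructed input: a throwaway self-signed pair, not a real certificate.
amp_pfx_demo() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=amp.example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null || return 1
    ( PFX_PASS='constructed-demo-passphrase'
      make_amp_pfx "$dir/fullchain.pem" "$dir/privkey.pem" "$dir/amp.pfx" ) || return $?
    echo "$dir/amp.pfx"
}
```

Because Webserver.CertificatePassword is stored in AMPConfig.conf in plain text, keep that file readable only by the AMP user as well.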

4.2 Windows manual configuration

Install the certificate to your system and edit AMPConfig.conf:

Webserver.CertificateSerial=CERTIFICATESERIALNUMBERGOESHERE

4.3 Re-configuring existing instances (Linux and Windows)

Update the login section in AMPConfig.conf for each instance and change the Default Auth Server URL in ADS.