How to enable SSL in Spotipo using letsencrypt

Configuring SSL support in Spotipo

Enabling HTTPS will help you improve the security of your guest portal. It's mandatory if you are using Facebook login or payment login. In this tutorial we will explain the steps needed to enable it.

Prerequisites

To follow this tutorial, you will need:

  • One Ubuntu 16.04 server set up with the latest version of Spotipo running
  • A fully registered domain name. This tutorial will use example.com throughout. You can purchase a domain name on Namecheap, get one for free on Freenom, or use the domain registrar of your choice.
  • DNS records set up for your server. The A record of your domain name should point to the server.
  • Ports 443 and 80 should be enabled on your server.

Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to be outdated. However, the Certbot developers maintain an Ubuntu software repository with up-to-date versions, so we’ll use that repository instead.

First, add the repository.

sudo add-apt-repository ppa:certbot/certbot

You’ll need to press ENTER to accept. Then, update the package list to pick up the new repository’s package information.

sudo apt-get update

And finally, install Certbot.

sudo apt-get install certbot

Check if your Nginx is configured for webroot 

Open your Nginx configuration using the command below and check that the following 3 lines are present.

sudo vim /etc/nginx/sites-available/wifiapp.conf

If not, add/edit the file to have the lines

    location ~ /.well-known {
        allow all;
        root /usr/share/nginx/spotipo/unifispot;
    }

And reload nginx

sudo service nginx reload

Obtain your SSL certificate

Certbot provides a variety of ways to obtain SSL certificates, through various plugins. We will use the webroot method to obtain the certificate.

Obtain the certificate for your domain. Replace example.com with your domain name.

sudo certbot certonly  -d example.com 

Choose option 2, "Place files in webroot directory".

Certbot will ask for your email and a bunch of questions. Please provide your email address to receive SSL expiry notifications and accept the ToS. Optionally, opt in to share your email with EFF.

When asked for webroot location, please provide

/usr/share/nginx/spotipo/unifispot

After that, you will see the following message if everything goes well.
Do note down the location of the certificate.


Configure Nginx to serve SSL

Once the certificate is in place, we need to configure Nginx to use it. Just uncomment the lines below, which are available in /etc/nginx/sites-available/wifiapp.conf

Don’t forget to replace xxx.xxxx.com with your actual domain name.

    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/xxx.xxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.xxxx.com/privkey.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout   300;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;

Now restart nginx using

sudo service nginx restart

If everything went well, you should be able to reach the SSL version of your Spotipo by going to https://yourdomain
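
As an added example (not part of the original tutorial or Spotipo's own code), the shell functions below audit the ssl_protocols and ssl_ciphers lines of the block above: it enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and six CBC-mode suites next to the GCM ones. The function names and HARDENED_CONF are assumptions made for this example, not Spotipo's shipped configuration.

```shell
#!/bin/sh
# Added example (not Spotipo code): audit nginx TLS directives for weak settings.

# Print the arguments of directive $1 from the config on stdin.
# Commented-out lines (leading '#') do not match, just as nginx ignores them.
directive_args() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;]*\);.*/\1/p"
}

# Enabled protocols that are deprecated (SSLv2/SSLv3, TLS 1.0/1.1 per RFC 8996).
deprecated_protocols() {
    directive_args ssl_protocols | tr -s '[:space:]' '\n' |
        { grep -E -x 'SSLv2|SSLv3|TLSv1|TLSv1\.1' || true; } | paste -sd' ' -
}

# Suites in an explicit OpenSSL-style list that are not AEAD (GCM/CCM/CHACHA20).
# For the AES suites used on this page, that means CBC mode.
non_aead_ciphers() {
    directive_args ssl_ciphers | tr -s ':[:space:]' '\n' |
        { grep -E -v 'GCM|CCM|CHACHA20' || true; } | paste -sd' ' -
}

# Report findings for the config on stdin; return 0 only when nothing weak is enabled.
audit_tls() {
    conf=$(cat)
    protos=$(printf '%s\n' "$conf" | deprecated_protocols)
    ciphers=$(printf '%s\n' "$conf" | non_aead_ciphers)
    if [ -n "$protos" ]; then echo "deprecated protocols: $protos"; fi
    if [ -n "$ciphers" ]; then echo "non-AEAD ciphers: $ciphers"; fi
    [ -z "$protos$ciphers" ]
}

# Sample input: the two directives exactly as they appear in the tutorial's block.
PAGE_CONF='
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
'
# Assumed tightened variant: TLS 1.2 only, keeping the GCM suites from the same list.
HARDENED_CONF='
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
'

printf '%s\n' "$PAGE_CONF" | audit_tls || echo "=> page config needs tightening"
printf '%s\n' "$HARDENED_CONF" | audit_tls && echo "=> hardened config passes"
```

To check the live file, run audit_tls < /etc/nginx/sites-available/wifiapp.conf after uncommenting the lines. A directive that is absent falls back to nginx's built-in default, which this check does not evaluate.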

Force SSL usage

After testing that SSL works fine in the last step, you can now force all requests to be served via SSL.

To do that, add the following line to /usr/share/nginx/spotipo/instance/config.py

FORCE_SSL = 1

After that restart the app using

sudo service supervisor restart      

