Countly Documentation


Configuring HTTPS and SSL

To configure your Countly installation to use an HTTPS connection, you need to modify the Nginx configuration.

The location of the Nginx configuration depends on the operating system you use; on our recommended Ubuntu, it is /etc/nginx/sites-available/default.

If you want an HTTPS-only connection, replace the current server clause with the one provided below. If you want HTTP and HTTPS simultaneously, add this server clause to the configuration file:

server {
  listen   443;
  server_name  localhost;
  access_log  off;
  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_stapling on;

  # Use 2048 bit Diffie-Hellman RSA key parameters
  # (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption 
  # when using PFS)
  # Generated by OpenSSL with the following command:
  # openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
        
  ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
  ssl_certificate /etc/nginx/ssl/certificate.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  location = /i {
    proxy_pass http://127.0.0.1:3001;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }
	
  location ^~ /i/ {
    proxy_pass http://127.0.0.1:3001;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }

  location = /o {
    proxy_pass http://127.0.0.1:3001;
  }
	
  location ^~ /o/ {
    proxy_pass http://127.0.0.1:3001;
  }

  location / {
    proxy_pass http://127.0.0.1:6001;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }
}

This configuration uses the latest and most secure protocols and ciphers.

If localhost is already taken, change the server_name value from localhost to the name you want to use.

Also check that the ssl_certificate points to your certificate bundle and that ssl_certificate_key points to your server key.

If you would like to create a self-signed ssl_certificate and ssl_certificate_key, simply run:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/certificate.crt

By default, Nginx uses 1024-bit Diffie-Hellman key parameters. To comply with the latest security recommendations, we recommend switching to 2048 bits.

This means you need to generate your own 2048-bit parameters. To do that, run:

sudo openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048

(This command can take a few minutes.)

Then set ssl_dhparam to point to the generated DH parameter file (the example configuration already points to the path used in this command).

If you receive the "/etc/nginx/ssl/dhparam2048.pem: No such file or directory" error, run the following commands to create the needed directory:

sudo mkdir /etc/nginx/ssl
sudo chown -R root:root /etc/nginx/ssl
sudo chmod 700 /etc/nginx/ssl

Then generate your own 2048-bit parameters again:

sudo openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048

If you replaced your current configuration with the provided example, you will also want to redirect all HTTP traffic to HTTPS. To do this, add this server clause at the beginning of the configuration file:

server {
        listen      80;
        server_name localhost;
        access_log  off;
        rewrite ^ https://yourdomain.com$request_uri? permanent;
}

Replace yourdomain.com with the domain or IP address where your Countly server is located. Also replace localhost with the same server_name value you used in the previous example.

If you did not replace your current configuration with the provided example and would like to force a redirect of Dashboard traffic to HTTPS, modify the "location /" section of the server clause for port 80 as below:

server {
  listen   80;
  server_name  localhost;
  access_log  off;

  # Dashboard traffic is redirected to HTTPS; the /i and /o API
  # endpoints below stay reachable over HTTP.
  location / {
    rewrite ^ https://yourdomain.com$request_uri? permanent;
  }

  location = /i {
    proxy_pass http://127.0.0.1:3001;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }

  location ^~ /i/ {
    proxy_pass http://127.0.0.1:3001;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
  }

  location = /o {
    proxy_pass http://127.0.0.1:3001;
  }

  location ^~ /o/ {
    proxy_pass http://127.0.0.1:3001;
  }
}

Replace yourdomain.com with your domain or IP address where your Countly server is located.

All that is left to do is reload the Nginx configuration, and the HTTPS connection should work:

sudo nginx -s reload
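
A check that can be run against the configuration file before the reload above. This is an added example, not part of Countly's documentation or code; the function names directive_args and audit_nginx_tls and the finding labels are assumptions made for illustration. It flags the TLSv1 and TLSv1.1 entries in ssl_protocols, the DES-CBC3-SHA (3DES) entry in ssl_ciphers, a DHE cipher list with no ssl_dhparam, and a private key file accessible to group or others.

```shell
#!/bin/sh
# Added example (not Countly code): flag weak TLS settings in an Nginx config.

# Print the arguments of directive $1 in file $2 (comments, quotes, ';' removed).
directive_args() {
  sed -e 's/#.*//' -e "s/[';\"]//g" "$2" | awk -v d="$1" '$1 == d { $1 = ""; print }'
}

# Print one finding per line; return 1 if anything was flagged, else 0.
audit_nginx_tls() {
  conf=$1; rc=0
  ciphers=$(directive_args ssl_ciphers "$conf" | tr ':' ' ')
  for proto in $(directive_args ssl_protocols "$conf"); do
    case $proto in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak-protocol $proto"; rc=1 ;;  # RFC 8996 deprecates TLS 1.0/1.1
    esac
  done
  for c in $ciphers; do
    case $c in
      \!*) ;;   # "!X" removes X from the list
      *DES*|*RC4*|*NULL*|*EXP*) echo "weak-cipher $c"; rc=1 ;;
    esac
  done
  # DHE key exchange needs ssl_dhparam; the page explains why 2048 bits.
  case " $ciphers" in
    *" kEDH"*|*" DHE"*|*" EDH"*)
      [ -n "$(directive_args ssl_dhparam "$conf")" ] || { echo "missing-dhparam"; rc=1; } ;;
  esac
  # The private key must not be accessible to group or others.
  for keyfile in $(directive_args ssl_certificate_key "$conf"); do
    [ -e "$keyfile" ] || continue
    case $(ls -ldL "$keyfile" | cut -c5-10) in
      ------) ;;
      *) echo "key-permissions $keyfile"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample mirroring the protocol and cipher lines of the page's config.
demo() {
  sample=$(mktemp)
  printf '%s\n' "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" \
    "ssl_ciphers 'kEECDH+AES128 kEDH+AES128 DES-CBC3-SHA +SHA !aNULL !MD5';" > "$sample"
  audit_nginx_tls "$sample"; rm -f "$sample"
}

# Audit the file given as argument (e.g. /etc/nginx/sites-available/default), else the sample.
if [ "$#" -gt 0 ]; then audit_nginx_tls "$1"; else demo || true; fi
```

Run it with sudo so that it can read the key file under /etc/nginx/ssl.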
