====== Performexa - HTTPS Support ======

"Requirement" and "Design & Implementation" remains same as Learnexa (Referrence: https://wiki.exphosted.com/doku.php/https_support)

====== HTTPS Migration - app Checklist ======

1> Change the environments/<environment>.rb file and add/modify the strings below
<code>
APP_URL            = "https://app-url.com"
API_URL            = "https://app-url.com"
AUTHENTICATION_URL = "https://app-url.com"


SSL_ENABLED = true
HTTP_ONLY_HEADER = "HTTP_X_HTTP_ONLY"
</code>

2> Update chat.yml

<code>
server: https://app-url.com:5280
bosh: https://app-url.com:5280/http-bind
websocket: wss://app-url.com:5280/websocket
</code>

3> Update ejabberd.yml (Path:- /opt/ejabberd<version>/conf/ejabberd.yml)

<code>
listen:
  - 
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      # "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: false
    http_bind: true
    tls: true
    certfile: "/opt/ejabberd-15.04/conf/server.pem"
    ## register: true
    captcha: false

s2s_use_starttls: required
s2s_certfile: "/opt/ejabberd-15.04/conf/server.pem"
</code>

4> Get the certificate files needed and add for rails app and ejabberd. (Note: ejabberd expects .pem files)
a) For rails app - Configure your server to serve the certificate.
b) For ejabberd - place the certificate in /opt/ejabberd<version>/conf/server.pem and restart.


5> Modify Nginx configuration to work with SSL

<code>
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    passenger_root /home/expdev01/.rbenv/versions/2.2.3/lib/ruby/gems/2.2.0/gems/passenger-5.0.20;
    passenger_ruby /home/expdev01/.rbenv/versions/2.2.3/bin/ruby;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

server {
       listen         80;
       server_name    performance.exphosted.com;
       rewrite ^/?(.*) https://$host/$1 redirect;
}

server {
  listen 443 ssl;
  ssl on;
  ssl_certificate /opt/nginx/ssl/server.crt;
  ssl_certificate_key /opt/nginx/ssl/server.key;
  server_name performance.exphosted.com;
  passenger_user expdev01;
  passenger_enabled on;
  passenger_app_env staging;
  root /deploy/performance/current/public;
}
}
</code>

==== Developer Notes ====

1) Generating private SSL Key and Certificate

<code>
openssl req -x509 -new -nodes -keyout server.key -days 365 -out server.crt -config /etc/pki/tls/openssl.cnf

> Country Name (2 letter code) [XX]:IN
> State or Province Name (full name) []: <state_name>
> Locality Name (eg, city) [Default City]: <city_name>
> Organization Name (eg, company) [Default Company Ltd]: <company_name>
> Organizational Unit Name (eg, section) []: <org_name>
> Common Name (eg, your name or your server's hostname) []: <hostname>
> Email Address []: <any_mail>
</code>

2) Starting THIN server in SSL mode

<code>
thin start -p 3000 --ssl --ssl-key-file <path to .key file> --ssl-cert-file <path to .crt file>
</code>

3) Generating PEM file for ejabberd and placing it to be served.

Take backup of server.pem, present inside /opt/ejabberd<version>/conf, as server.pem.bak
Then run this code to replace the .pem file with the generated key and certificate

<code>
> sudo cat <path to .key file> <path to .crt file> > /opt/ejabberd<version>/conf/server.pem
</code>

====== Reverting back to HTTP ======

1> Change the environments/<environment>.rb file and add/modify the strings below

<code>
APP_URL            = "http://app-url.com"
API_URL            = "http://app-url.com"
AUTHENTICATION_URL = "http://app-url.com"


SSL_ENABLED = false
</code>

2> Update chat.yml

<code>
server: http://app-url.com:5280
bosh: http://app-url.com:5280/http-bind
websocket: ws://app-url.com:5280/websocket
</code>

3> Revert changes in /opt/ejabberd<version>/conf/ejabberd.yml (## represents code is commented)

<code>
listen:
  - 
    port: 5280
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
      # "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: false
    http_bind: true
    ## tls: true
    ## certfile: "/opt/ejabberd-15.04/conf/server.pem"
    ## register: true
    captcha: false

## s2s_use_starttls: required
## s2s_certfile: "/opt/ejabberd-15.04/conf/server.pem"
</code>

4> Revert back the /opt/ejabberd<version>/conf/server.pem file with the backup taken earlier (server.pem.bak)

5> Revert back Nginx configuration to work without SSL

<code>
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    passenger_root /home/expdev01/.rbenv/versions/2.2.3/lib/ruby/gems/2.2.0/gems/passenger-5.0.20;
    passenger_ruby /home/expdev01/.rbenv/versions/2.2.3/bin/ruby;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

server {
  listen 80;
  server_name performance.exphosted.com;
  passenger_user expdev01;
  passenger_enabled on;
  passenger_app_env staging;
  root /deploy/performance/current/public;
}
}
</code>