Taiga Hardening – HTTPS – (Taiga-events INCLUDED)

I run nginx as a reverse proxy to multiple web apps / sites in development

Following the production instructions, I kept hitting an error:
“wss failed: Error during WebSocket handshake: Unexpected response code: 42”

Below is my nginx conf which is working for me for secure websockets…

First, get Taiga running on Ubuntu 16.04 Xenial Xerus Linux

You can get a FREE SSL cert from letsencrypt with the certbot tool:
https://certbot.eff.org/all-instructions/#ubuntu-16-04-xenial-nginx

Then get a cert:
root@colinbsd:/usr/local/etc/nginx # certbot certonly --webroot -w /usr/local/www/nginx -d taiga.datasec.io

Then harden your nginx proxy config (or the real nginx config, if nginx runs on the Taiga host itself; link to the full instructions below):
root@colinbsd:/usr/local/etc/nginx # cat taiga.conf
######
server {
    listen 192.168.69.174:80;
    server_name taiga.datasec.io;
    return 301 https://$server_name$request_uri;
}
server {
    # "ssl on;" is deprecated; enable TLS on the listen directive instead
    listen 192.168.69.174:443 ssl;
    server_name taiga.datasec.io;
    access_log /home/colin/taigaAccess.log main;
    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;
    ssl_certificate /usr/local/etc/letsencrypt/live/taiga.datasec.io/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/taiga.datasec.io/privkey.pem;
    location / {
        # rem everything else-ish and uncomment below to simplify certbot (i'm doing this wrong)
        # root /usr/local/www/nginx;
        proxy_pass http://192.168.69.25;
        # Host is set once, below, to $host (not $remote_addr, which is the client's IP)
        proxy_set_header Remote_Addr $remote_addr;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        ### These below were the trick to get secure web sockets working for taiga-events:
        # a WebSocket upgrade needs HTTP/1.1 plus the Upgrade/Connection hop-by-hop headers
        # passed through, and the real Host so the backend builds the right URLs
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
######
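A hardened version of the same proxy config, added here as an example (it is not the original post's file), reusing the post's IPs, hostname and certificate paths. The cipher list, header values and timeouts are generic choices of mine, not values from the post; check them against current guidance for your nginx/OpenSSL version. It also serves the ACME challenge directly so certbot renewals no longer need the proxy_pass toggled off.

```nginx
# taiga.conf: hardened variant. Must be included from the http {} context of nginx.conf
# (the usual conf.d / sites-enabled include), because "map" is only valid there.

# Send "Connection: upgrade" only when the client actually asked for a WebSocket;
# plain requests get "Connection: close" instead of a dangling upgrade header.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 192.168.69.174:80;
    server_name taiga.datasec.io;

    # http-01 challenges are answered here over plain HTTP, from the same webroot
    # given to "certbot certonly --webroot -w /usr/local/www/nginx", so
    # "certbot renew" works without touching the proxy config.
    location /.well-known/acme-challenge/ {
        root /usr/local/www/nginx;
    }

    # everything else goes to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 192.168.69.174:443 ssl;
    server_name taiga.datasec.io;

    access_log /home/colin/taigaAccess.log main;
    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;

    ssl_certificate     /usr/local/etc/letsencrypt/live/taiga.datasec.io/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/taiga.datasec.io/privkey.pem;

    # TLS hardening: no SSLv3/TLS 1.0/1.1, forward-secret AEAD ciphers only.
    # Add TLSv1.3 to ssl_protocols once your nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Browser-side hardening. Turn HSTS on only after HTTPS is confirmed working:
    # max-age pins browsers to HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    location / {
        proxy_pass http://192.168.69.25;

        # All proxy_set_header lines live in this one location on purpose: nginx only
        # inherits proxy_set_header from the server level when a location has none of
        # its own, so splitting them across levels silently drops headers.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Scheme $scheme;

        # taiga-events WebSocket upgrade (wss://taiga.datasec.io/events)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Idle WebSocket connections must outlive the gaps between client heartbeats,
        # or nginx closes them with a read timeout and the front end reconnects in a loop.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
```

Run `nginx -t` after dropping this in: an old nginx will reject `always` on add_header or an unknown protocol name, and that is where you will find out. If taiga-events runs on its own port on the backend host rather than behind a second nginx, point a separate `location /events` at it and repeat the proxy_set_header lines there for the inheritance reason noted in the comments.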

Change http to https in local.py:

nano ~/taiga-back/settings/local.py

from .common import *

# Absolute URLs handed to the browser: must be https now that nginx redirects port 80
MEDIA_URL = "https://taiga.datasec.io/media/"
STATIC_URL = "https://taiga.datasec.io/static/"
# Scheme and host the backend uses when it builds links (e-mails, redirects)
SITES["front"]["scheme"] = "https"
SITES["front"]["domain"] = "taiga.datasec.io"

######
Change http to https and ws to wss in conf.json (the sample below also leaves "debug" on, which you will want off on a production instance):

nano ~/taiga-front-dist/dist/conf.json

{
    "api": "https://taiga.datasec.io/api/v1/",
    "eventsUrl": "wss://taiga.datasec.io/events",
    "debug": "true",
    "publicRegisterEnabled": true,
    "feedbackEnabled": true,
    "privacyPolicyUrl": null,
    "termsOfServiceUrl": null,
    "maxUploadFileSize": null,
    "contribPlugins": []
}
######

Restart circus jobs: https://www.datasec.io/managing-circusd-jobs/

Test the config and restart nginx:
nginx -t
service nginx restart

Test:

w00t! No wss: errors!!

Full instructions here: http://taigaio.github.io/taiga-doc/dist/setup-production.html
