Securing your API with HTTPS and Nginx

    Our API is live and publicly accessible. However, traffic to our API is currently unencrypted, and therefore unsafe. In a fully-fledged production system, we'd like all communication to our APIs to be encrypted over HTTPS.

    Setting up HTTPS can be a daunting task, but luckily Emily can do most of the heavy lifting for us.

    Prerequisites

    Emily uses Let's Encrypt to issue SSL certificates. While you do not need to know anything about Let's Encrypt to secure your API, you need a domain name for your server since Let's Encrypt does not support SSL certificates for IP addresses.

    Go into the DNS management settings on your domain provider and add an A record pointing all requests to your domain (e.g. demo.ambolt.io) to your server's IP.

    Adding a reverse proxy

    To facilitate SSL encryption, Emily will host your API behind an Nginx reverse HTTP proxy server. The responsibility of this reverse proxy is to:

    1. Re-route all HTTP requests through HTTPS
    2. Terminate SSL encryption
    3. Rate-limit responses (can be disabled)
    4. Send requests downstream to your API

    The reverse proxy is implemented as a configuration. You can either run emily configuration and navigate through the menus, or simply run the command directly:

    $ emily configuration add compose nginx --project my-project

    ? Emily: Please select a configuration(Use arrow keys, confirm with ENTER)
    dev
    > prod
    + Add new configuration
    · prod
    Emily: Please enter the domain name to create SSL (HTTPS) certificates for:
    · demo.ambolt.io
    Emily: Please enter an email address for SSL certificate creation:
    · demo@ambolt.io
    Emily: Added an Nginx reverse proxy to project my-project (66AWNR) in configuration prod. Created files:

    - <...>/my-project/configurations/prod/docker-compose.nginx.yml
    - <...>/my-project/configurations/prod/nginx/substitute.sh
    - <...>/my-project/configurations/prod/nginx/Dockerfile.nginx
    - <...>/my-project/configurations/prod/nginx/nginx.template.conf
    - <...>/my-project/configurations/prod/nginx/.docker-compose.certbot.yml

    Traffic is now rerouted:
    Request -> https://demo.ambolt.io -> http://emily-my-project-66awnr:${CONTAINER_PORT}
    Request -> http://demo.ambolt.io -> https://demo.ambolt.io -> http://emily-my-project-66awnr:${CONTAINER_PORT}

    Certificates are renewed (or created if missing) on deployment.
    IMPORTANT:
    Remember to remove the ports mapping from
    the docker-compose.emily.yml file. Unless removed, requesters
    will be able to circumvent HTTPS.
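
The IMPORTANT note above can be checked mechanically before deploying. This is an added example, not part of Emily or its generated files: it reads a merged project in the JSON shape printed by docker compose config --format json and reports every host port published by a service other than the proxy. The service names nginx and api, port 4242 and the sample data are assumptions constructed for illustration.

```python
import json
import sys

LOOPBACK = {"127.0.0.1", "::1"}  # bound to the host only, not reachable remotely

def find_https_bypasses(config, proxy_services=("nginx",)):
    """Return (service, published, target) for each port a non-proxy service publishes."""
    findings = []
    for name, svc in sorted(config.get("services", {}).items()):
        if name in proxy_services:
            continue  # the proxy is the one service meant to face the network
        if svc.get("network_mode") == "host":
            findings.append((name, "host-network", None))  # every listening port is exposed
        for port in svc.get("ports") or []:
            if port.get("host_ip") in LOOPBACK:
                continue
            # No "published" key means Docker picks a random host port.
            findings.append((name, str(port.get("published") or "ephemeral"), port["target"]))
    return findings

# Constructed sample in the shape `docker compose config --format json` prints.
# Service names "nginx" and "api" and port 4242 are assumptions, not Emily's output.
SAMPLE = {
    "services": {
        "nginx": {"ports": [
            {"mode": "ingress", "target": 80, "published": "80", "protocol": "tcp"},
            {"mode": "ingress", "target": 443, "published": "443", "protocol": "tcp"},
        ]},
        "api": {"ports": [
            {"mode": "ingress", "target": 4242, "published": "4242", "protocol": "tcp"},
        ]},
    }
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved `docker compose config --format json` dump
        with open(sys.argv[1]) as fh:
            config = json.load(fh)
    else:
        config = SAMPLE
    findings = find_https_bypasses(config)
    for service, published, target in findings:
        print(f"{service}: host port {published} -> container port {target} bypasses the proxy")
    if len(sys.argv) > 1 and findings:
        sys.exit(1)  # fail a pre-deploy check when a real file still maps ports
```

Run without arguments it reports the constructed sample; given the path of a JSON dump of your own compose files, it exits non-zero while a ports mapping remains on a non-proxy service.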

    After adding the reverse proxy, run emily deploy to deploy your project again. Once deployment finishes, your API should be securely accessible over https://.

    For details on configuring Nginx, see the emily configuration add compose nginx docs.

    Congratulations!

    You're officially in production. Now, all that's left to do is to apply some actual machine intelligence in your API. We'll leave that step to you.