HTTPS Setup

Overview

HTTPS is strongly recommended for production environments. Glean doesn’t handle SSL directly, you need to use a reverse proxy.

Option 1: Caddy (Recommended)

Caddy automatically obtains and renews Let’s Encrypt certificates with the simplest configuration.

Install Caddy

# Ubuntu/Debian
sudo apt install caddy

# macOS
brew install caddy

Configure Caddyfile

Create Caddyfile:

glean.yourdomain.com {
    reverse_proxy localhost:80
}

admin.yourdomain.com {
    reverse_proxy localhost:3001
}

Start Caddy

caddy run --config Caddyfile

Caddy will automatically:

Obtain SSL certificates
Configure HTTPS
Auto-renew certificates

Option 2: Nginx + Certbot

Install Nginx and Certbot

# Ubuntu/Debian
sudo apt install nginx certbot python3-certbot-nginx

Configure Nginx

Create /etc/nginx/sites-available/glean:

# Web App
server {
    listen 80;
    server_name glean.yourdomain.com;

    location / {
        proxy_pass http://localhost:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Admin Dashboard
server {
    listen 80;
    server_name admin.yourdomain.com;

    location / {
        proxy_pass http://localhost:3001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Enable Site

sudo ln -s /etc/nginx/sites-available/glean /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Obtain SSL Certificate

sudo certbot --nginx -d glean.yourdomain.com -d admin.yourdomain.com

Certbot will automatically:

Obtain certificates
Configure Nginx
Set up auto-renewal

Update CORS Configuration

After configuring HTTPS, update CORS settings:

# Edit .env file
CORS_ORIGINS='["https://glean.yourdomain.com", "https://admin.yourdomain.com"]'

Restart backend service:

docker compose restart backend

Using Self-Signed Certificates

For testing only, not recommended for production.

Generate Certificate

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/glean.key \
  -out /etc/ssl/certs/glean.crt \
  -subj "/CN=glean.local"

Nginx Configuration

server {
    listen 443 ssl;
    server_name glean.local;

    ssl_certificate /etc/ssl/certs/glean.crt;
    ssl_certificate_key /etc/ssl/private/glean.key;

    location / {
        proxy_pass http://localhost:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Security Best Practices

SSL Configuration Optimization

# Add to server block
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;

# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;

Force HTTPS Redirect

server {
    listen 80;
    server_name glean.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

Verify Configuration

Check SSL Certificate

# Verify with curl
curl -v https://glean.yourdomain.com

# Check with openssl
openssl s_client -connect glean.yourdomain.com:443

Online Testing

Use SSL Labs to check SSL configuration rating.

Common Issues

Certificate Renewal Failed

# Manual renewal
sudo certbot renew

# Check renewal status
sudo certbot certificates

Mixed Content Warning

Ensure all resources are loaded via HTTPS, check browser console for mixed content warnings.

Getting Real IP Behind Reverse Proxy

Ensure Nginx configuration correctly passes X-Forwarded-For and X-Real-IP headers.

Next Steps

Configuration - Environment variable settings
Troubleshooting - Common issue resolution