# Set SSL/TLS Certificate for Server

In a small-scale or intranet deployment, setting up an SSL/TLS certificate is usually unnecessary. On a public server, however, it is essential: TLS encrypts traffic in transit and defends against eavesdropping and tampering.

First, you need a usable certificate. You can choose a free certificate from Let’s Encrypt or a commercial certificate from another CA.

From there, there are two ways to configure SSL/TLS encryption:
## Combine with existing proxy services (Recommended)

Below, we use nginx and Let’s Encrypt as an example to configure SSL/TLS encryption in nginx:
1. Use certbot to install a certificate.
2. Change the port mapped by the docker service (optional). Modify the port in docker/compose.yml, for example change `7777:7777` to `17777:7777`, which maps the container port to local port 17777.
   You may need to add `{"iptables": false}` in /etc/docker/daemon.json to stop Docker from managing iptables, and you may also need software like ufw to keep port 17777 from being exposed to the public network.
3. Add the following configuration to nginx.conf:

   ```nginx
   server {
       server_name xxx.com;
       location / {
           grpc_pass grpc://127.0.0.1:17777;
       }
       http2 on;
       keepalive_timeout 1200s;
       grpc_read_timeout 1200s;
       listen 7777 ssl; # managed by Certbot
       ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem; # managed by Certbot
       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
   }
   ```

   This forwards external traffic arriving on port 7777 to the internal port. With certbot managing the SSL certificates automatically, the SSL/TLS encryption setup is complete. This method requires no special changes to the server; in other words, tls.enable does not need to be set to true.
## Enable SSL/TLS Encryption Individually

Ourchat Server itself can also terminate TLS without depending on nginx. The steps are as follows:

1. Use certbot to get a certificate.
2. Set the fields in http.toml according to the certificate.
3. Set tls.enable to true.

Set the fields as follows:
| field | Use |
|---|---|
| tls.server_tls_cert_path | The |
| tls.server_key_cert_path | The |
| tls.client_tls_cert_path | The |
| tls.client_key_cert_path | The |
| tls.ca_tls_cert_path | The |
| tls.client_ca_tls_cert_path | The |
The client certificate fields are used only for mutual authentication; they are optional and need to be set only in special cases.