TLS with Docker
For Kubernetes installations, follow the instructions on the page Deploy using Kubernetes to set up TLS.
It is highly recommended to configure TLS for the Analysis Hub frontend, to secure traffic between the browser and the server. TLS can be configured by either:
- Using automated issuance and renewal of certificates from Let's Encrypt
- Using self-issued certificates
Use Let's Encrypt
To automatically issue certificates using Let's Encrypt, set ANALYSISHUB_AUTOCERT_ENABLED to true.
The Analysis Hub must be able to respond to challenges from the Let's Encrypt validation servers, which validate that the domain name in use is under your control, as defined by the ACME standard.
To respond to the ACME challenges, either port 80 (for http-01 challenges) or port 443 (for tls-alpn-01 challenges) must be publicly accessible to the Let's Encrypt validation servers.
If you're unsure, go with HTTP-01.
Configure autocert with HTTP-01 challenge
This option is most suitable when port 443 should be restricted, and port 80 can be publicly exposed.
To allow the Analysis Hub to respond to HTTP-01 challenges:
- Port 80 should be publicly accessible for Let's Encrypt validation servers.
- ANALYSISHUB_AUTOCERT_HTTP01_ENABLED should be set to true.
Port 80 will solely expose a simple challenge response server for domain name validation, and redirect all other traffic to the secure port 443.
Configure autocert with TLS-ALPN-01 challenge
This option is most suitable when port 443 is publicly exposed.
To allow the Analysis Hub to respond to TLS-ALPN-01 challenges:
- Port 443 should be publicly accessible for Let's Encrypt validation servers.
- ANALYSISHUB_AUTOCERT_HTTP01_ENABLED should be set to false.
Use self-issued certificates
To use self-issued certificates, set ANALYSISHUB_FRONTEND_TLS_CERTFILE and ANALYSISHUB_FRONTEND_TLS_KEYFILE to the location of the certificate files.
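A pre-flight check covering both the Let's Encrypt and the self-issued options above, as an added example that is not part of the Analysis Hub itself. The function name tls_preflight is hypothetical, and rejecting a mix of both methods, requiring an explicit HTTP01 setting and refusing a group- or world-readable key are choices of this script, not documented product behaviour; run it where the configured file paths resolve.

```shell
#!/bin/sh
# Added example: pre-flight check for the Analysis Hub TLS variables.
# Usage: export the variables, then call tls_preflight. It prints the detected
# mode and returns non-zero on an incomplete or ambiguous configuration.
tls_preflight() {
    autocert="${ANALYSISHUB_AUTOCERT_ENABLED:-}"
    http01="${ANALYSISHUB_AUTOCERT_HTTP01_ENABLED:-}"
    cert="${ANALYSISHUB_FRONTEND_TLS_CERTFILE:-}"
    key="${ANALYSISHUB_FRONTEND_TLS_KEYFILE:-}"

    if [ "$autocert" = "true" ]; then
        # Assumption of this script: configuring both methods is a mistake.
        if [ -n "$cert" ] || [ -n "$key" ]; then
            echo "error: autocert enabled but CERTFILE/KEYFILE also set"
            return 1
        fi
        # The challenge type decides which port must face the internet.
        case "$http01" in
            true)  echo "autocert http-01: port 80 must be publicly reachable" ;;
            false) echo "autocert tls-alpn-01: port 443 must be publicly reachable" ;;
            *)     echo "error: set ANALYSISHUB_AUTOCERT_HTTP01_ENABLED to true or false"
                   return 1 ;;
        esac
        return 0
    fi

    # Self-issued mode: both files must be named and readable.
    if [ -z "$cert" ] && [ -z "$key" ]; then
        echo "error: no TLS configured"
        return 1
    fi
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "error: CERTFILE and KEYFILE must both be set"
        return 1
    fi
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "error: cannot read $f"
            return 1
        fi
    done
    # The private key should not be readable by group or others.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "error: $key is readable by group or others (chmod 600)"
        return 1
    fi
    echo "self-issued: serving $cert"
    return 0
}
```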
More detailed instructions can be found in the Optional variables table of the respective installations: