Anton Eyntrop
November 16, 2022 ・ Basics
How To Enable SSL For PMM Server
This article assumes you have already installed PMM on your machine.
Moving your web services from plain HTTP to HTTPS is one of the best ways to make sure the exchange between the service and the client browser stays encrypted for everyone involved in transporting the data. The extra protection against man-in-the-middle (MITM) attacks is welcome as well.
Your PMM instance is already secured with a self-signed certificate, so your credentials are protected from simple eavesdropping. A self-signed certificate is no help against MITM attacks, though, because the browser has no way to verify who issued it, and it is not best practice in general. To fully benefit from HTTPS you will need a certificate issued by a publicly trusted certificate authority.
The process involves:
- Creating a DNS record for your PMM instance to be accessed over the web
- Obtaining an SSL/TLS certificate for the PMM instance
- Installing the certificate and verifying the setup
- (optionally) Hosting PMM behind a reverse proxy
We will use mypmm.example.com as the address we want our PMM to be available at, with example.com being a domain under our control.
Creating a DNS record for the PMM instance with the address you prefer
You will need a new A record pointing to the public IP address that serves your PMM:
mypmm.example.com.    A    1.1.1.1
Make sure the record works as expected by opening https://mypmm.example.com in a browser.
Obtaining an SSL/TLS certificate for your PMM instance
In case you have a wildcard certificate for “*.example.com”, you can skip this step and move on to the next one.
Otherwise, we recommend Let’s Encrypt (https://letsencrypt.org/), a service that issues SSL/TLS certificates for free.
The simplest way to use it is via the recommended client, Certbot (https://certbot.eff.org/).
Certbot is distributed as a Snap package (it requires the snapd daemon), which most Linux distributions support; alternative installation methods are listed on the website.
Here’s how you proceed with Snap. Update it first:
sudo snap install core; sudo snap refresh core
Install the Certbot package:
sudo snap install --classic certbot
Symlink the new binary into a directory on your $PATH:
sudo ln -s /snap/bin/certbot /usr/bin/certbot
The certbot command should now be available in your terminal. If you get “command not found” instead, restart your shell session by logging out and back in.
Launch Certbot as a standalone web server, temporarily binding it to TCP port 80 (the port must be free and reachable from the Internet while it runs). This starts the certificate acquisition:
sudo certbot certonly --standalone -d mypmm.example.com
You will be asked a number of questions on behalf of Let’s Encrypt. When the utility finishes its work, you will see a short summary.
Certificate is saved at: /etc/letsencrypt/live/mypmm.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mypmm.example.com/privkey.pem
This certificate expires on 2023-01-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We got our certificate, time to install it.
Installing the certificate and verifying the setup
Replace the default self-signed certificate files inside the Docker container with your own:
docker cp -L /etc/letsencrypt/live/mypmm.example.com/cert.pem pmm-server:/srv/nginx/certificate.crt
docker cp -L /etc/letsencrypt/live/mypmm.example.com/chain.pem pmm-server:/srv/nginx/ca-certs.pem
docker cp -L /etc/letsencrypt/live/mypmm.example.com/privkey.pem pmm-server:/srv/nginx/certificate.key
Restart the Docker container:
docker restart pmm-server
Check your new certificate by opening https://mypmm.example.com. If you were logged into PMM before, you might need to clear your browser cache or use incognito mode to immediately see the difference.
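The docker cp commands above copy the certificate once, while Certbot renews only the files under /etc/letsencrypt. The following deploy hook is added here as an example (it is not part of the article, PMM or Certbot): it repeats the copy and restart on every renewal, assumes the container name pmm-server and the destination paths used above, and relies on Certbot exporting RENEWED_LINEAGE to its deploy hooks.

```shell
#!/bin/sh
# Hypothetical Certbot deploy hook (added example, not from the article or PMM).
# Certbot renews into /etc/letsencrypt only; this hook pushes the renewed files
# into the pmm-server container the way the article's docker cp commands do.
set -eu

CONTAINER="${PMM_CONTAINER:-pmm-server}"   # container name used in the article
DOCKER="${DOCKER:-docker}"                  # overridable for dry runs and tests

# The three files Certbot keeps under live/<domain>/ and where they go inside
# the container (same destinations as the article). Prints "src dst" pairs.
cert_pairs() {
    printf '%s %s\n' "$1/cert.pem"    /srv/nginx/certificate.crt
    printf '%s %s\n' "$1/chain.pem"   /srv/nginx/ca-certs.pem
    printf '%s %s\n' "$1/privkey.pem" /srv/nginx/certificate.key
}

# Refuse an incomplete lineage: copying only some files would leave nginx
# with a mismatched certificate/key pair after the restart.
lineage_complete() {
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$1/$f" ] || { echo "missing or unreadable: $1/$f" >&2; return 1; }
    done
}

install_cert() {
    lineage_complete "$1" || return 1
    cert_pairs "$1" | while read -r src dst; do
        # -L follows the live/ symlinks so the renewed file itself is copied
        "$DOCKER" cp -L "$src" "$CONTAINER:$dst"
    done
    "$DOCKER" restart "$CONTAINER"
}
# Post-restart check (needs network, not run in tests): print the certificate
# the server actually presents and fail if it expires within 30 days.
verify_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate -checkend "$((30*24*3600))"
}

# Certbot runs deploy hooks with RENEWED_LINEAGE set to the renewed live/ dir;
# a path argument allows running the same script by hand.
main() {
    live="${1:-${RENEWED_LINEAGE:-}}"
    [ -n "$live" ] || { echo "usage: $0 /etc/letsencrypt/live/<domain>" >&2; return 0; }
    install_cert "$live"
}
main "$@"
```

Pass it to Certbot with --deploy-hook /path/to/this/script (or place it in /etc/letsencrypt/renewal-hooks/deploy/), and run verify_served_cert mypmm.example.com afterwards to confirm what the server now presents.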
Hosting PMM behind a reverse proxy
There are a number of things to keep in mind when setting up PMM behind a reverse proxy (such as NGINX). You will have to pass a number of HTTP headers and enable WebSocket support for the web interface to work properly.
NGINX configuration example that serves a locally available PMM, mypmm.local.net, as the publicly accessible mypmm.example.com:
http {
    # [...skipped...]
    # WebSocket handling for proxied connections
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }
    # [...skipped...]
    server {
        server_name mypmm.example.com;
        ssl_certificate /etc/letsencrypt/live/mypmm.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mypmm.example.com/privkey.pem;
        listen 443 ssl;
        location / {
            proxy_set_header Origin https://mypmm.local.net;
            proxy_set_header Host mypmm.local.net;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://mypmm.local.net/;
        }
    }
}
In addition, remote pmm-agents communicate with the PMM server over gRPC, which the reverse proxy must be able to forward; depending on your web server, this might not be possible.