Setting up SSL in Filestash
Various approaches for TLS
There’s 4 different methods to handle SSL in Filestash. Which one is best depends on your specific use case and the various assumptions of the environment in which you’re deploying the software. Each method is implemented as a plugin and you can choose between:
1) plg_starter_http: that’s the default one. The assumption is you have a load balancer that will do SSL termination and forward the traffic to your Filestash instance over HTTP. Using this method, Filestash will run as an HTTP only server on port 8334 by default.
2) plg_starter_https: this implementation kicks up an HTTPS server that will generate self signed certificates upon boot. Because those certificate are self signed, unless your users install the associated root certificate, they will see upon connect a message like this:
3) plg_starter_web: this implementation is for use cases where you want to deploy the software without having to think of SSL certificates. Under the hood it will leverage letsencrypt to automatically generate certificates. In a perfect world, this is the best approach, but in practice, if you’re using services like Cloudflare, options such as disabling all HTTP traffic can make it unworkable, as let’s encrypt challenges rely on HTTP traffic. In those scenarios, plg_starter_http or plg_starter_httpsfs are your best bet.
4) plg_starter_httpsfs: this implementation assume you have both a private key and a certicate that has been signed. You will need to install those certificates and Filestash will pick them up.
To find which option is in your build, access the /about page in your instance and look for the plugin with “starter” in its name:
Create certificates
If you use plg_starter_http or plg_starter_httpfs, it is assumed you will need to create certificates and sign those.
Generating certificates can be done using the following commands:
....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+....+
...+...+.....+............+...+.+.....++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++*..........+..............+...+.......+.....+.+..+...+.+...+.
...................+...+..........+..+......+.+.....+.+.....+...+....+...+++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+..+...+....+......+.....+...+....+..+.+.....+.......+..+......+.........+......+
...+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+
.....+.+............++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++*....+......+.....+.+.....+.+.....+.......+...........+............+...........
........+.....+...+.+..+....+........+.+..+....+...+...+..+......+.+.....+........
..+...+..+.........+....+..+.+...............+..+............+......+...+....+...+
...............+........+......+....+.....+....+........+...+.+.....+.+.....+.....
..+........+.........+....+..+...+............+.......+.....................+.....
.+........+.......+.........+.....+.........+...+.......+...........+.+......+++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:demo.filestash.app
Email Address []:support@filestash.app
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
~/$ ls *.{pem,csr}
key.pem unsigned.csr
Send the unsigned.csr file to your PKI infrastructure for signing. You should receive a cert.pem file in return. The final step is to install the certificates. If you’re using:
1) plg_starter_httpsfs, you will need to install those under /app/data/state/certs/key.pem and /app/data/state/certs/cert.pem
2) plg_starter_http, you will need to setup SSL termination at the proxy level. If using nginx this will typically looks like this:
server {
listen 443 ssl;
server_name demo.filestash.app;
ssl_certificate /path/cert.pem;
ssl_certificate_key /path/key.pem;
location / {
...
}
}