Production Environment

Deploying JiveIM in a production environment is not much different from running it locally.

Basic Setup

Make sure all installation steps succeeded, meaning you can run the JiveIM Backend and the Demo Widget locally. If not, go back to the steps in the section Installation.

Public JiveIM

Public Directly

It is very simple. You just change the default ports, 9090 for the Backend Web and 9091 for the WebSocket, in the file app.properties.

And do not forget to open those ports to the Internet. You can refer to the links below.

Use Proxy Server

For security reasons we should not expose more ports on a server than necessary; the standard ports 80 and 443 should carry both the Web and the WebSocket service. That is why we use a proxy server to deploy JiveIM to a production environment. There are many strong proxy servers, but we only introduce Nginx because it is easy :).
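To verify that the proxy really is the only thing reachable from outside, the following added example (not part of JiveIM) parses the output of ss -ltn, which it assumes to be in the iproute2 format found on CentOS 7, and lists every listening TCP socket that is bound to a non-loopback address and whose port is not in an allow-list. Once nginx is in front, the JiveIM ports 9090 and 9091 should only show up bound to 127.0.0.1.

```shell
#!/bin/sh
# Added example, not part of JiveIM: report listening TCP sockets reachable from
# outside the host. Feed it `ss -ltn` output (iproute2 format assumed).

# Usage: ss -ltn | exposed_listeners "80 443"
# Prints one "exposed host:port" line per listener bound to a non-loopback address
# whose port is not in the allowed list. Exit status 1 when anything was printed.
exposed_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                 # skips the ss header line
        {
            # local address is field 4, e.g. 127.0.0.1:9090, *:9091 or [::]:443
            if (!match($4, /:[0-9]+$/)) next
            host = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only: fine
            if (port in ok) next                           # meant to be public
            print "exposed " host ":" port
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Usage: ss -ltn | check_exposure "80 443"
# Returns 0 when nothing unexpected is exposed, otherwise prints the offenders to stderr.
check_exposure() {
    out=$(exposed_listeners "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" >&2
    return 1
}

# Demo on a constructed ss snapshot (not real output from a JiveIM host):
sample='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 128 *:9091 *:*'
printf '%s\n' "$sample" | check_exposure "80 443" && echo "only 80/443 are public" || echo "fix the bind address of the listener above"
```

In the constructed snapshot the WebSocket port 9091 is bound to every interface, so the check reports it; binding the backend to 127.0.0.1 (or blocking the port in the firewall) makes it pass.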

1. Nginx on CentOS 6/7

Let's start with the familiar command to install nginx:

  • yum install nginx

After the install succeeds, check the nginx version and compiled-in modules with nginx -V:

  • nginx -V
[root@jiveim1 ~]# nginx -V
nginx version: nginx/1.6.3
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) 
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

Make sure you see TLS SNI support enabled and --with-http_ssl_module in the output. They are needed later, for SSL Encryption (step 3).

Next, run the commands below to enable, start, and check nginx.

  • systemctl enable nginx
  • systemctl restart nginx
  • systemctl reload nginx
  • systemctl status nginx
[root@jiveim1 ~]# systemctl status nginx
nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled)
   Active: active (running) since Sat 2015-09-26 02:04:39 JST; 1 months 11 days ago
 Main PID: 18789 (nginx)
   CGroup: /system.slice/nginx.service
           ├─18789 nginx: master process /usr/sbin/nginx
           ├─18790 nginx: worker process
           ├─18791 nginx: worker process
           └─18792 nginx: cache manager process
  • systemctl list-unit-files | grep nginx.service
[root@jiveim1 ~]# systemctl list-unit-files | grep nginx.service
nginx.service                               enabled 
[root@jiveim1 ~]# 
  • nginx -t
[root@jiveim1 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@jiveim1 ~]# 

Congratulations!

2. Public JiveIM on CentOS 6/7

Run vi /etc/nginx/nginx.conf to review and change a few things.

...

http {
    ...
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    ...
}

Make sure include /etc/nginx/conf.d/*.conf; is not commented out, so that the private configuration for the next deployment steps (virtual hosts, proxy, ...) gets loaded.

Review the folder /etc/nginx/conf.d/:

[root@jiveim1 ~]# ls -la /etc/nginx/conf.d/
total 24
drwxr-xr-x 2 root root  4096 Sep 26 02:05 .
drwxr-xr-x 4 root root  4096 Nov  6 18:21 ..
-rw-r--r-- 1 root root   449 Aug 15 20:19 gzip.conf
-rw-r--r-- 1 root root 10923 Sep 26 02:04 www.conf
[root@jiveim1 ~]# 

You can see I have 2 *.conf files here.

The configuration file gzip.conf just makes all output from Nginx compressed, which is very good for speeding up your server. Check it with vi /etc/nginx/conf.d/gzip.conf:

    # Enable gzip compression
    gzip on;
    gzip_http_version 1.1;
    gzip_comp_level 9;
    gzip_static on;
    gzip_vary  on;
    gzip_proxied any;
    gzip_min_length 1400;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js image/png image/gif image/jpeg;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

The configuration file www.conf is the one for JiveIM. Check it with vi /etc/nginx/conf.d/www.conf:

#---jiveim.youdomain.com---
upstream jivesite {
    ip_hash;
    server 127.0.0.1:9090 weight=30 max_fails=3 fail_timeout=30s;
}

server {
    listen 80;
    server_name jiveim.youdomain.com;

    # Security headers (browsers only honour Strict-Transport-Security when it arrives over HTTPS, see step 3)
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # Remove E-Tag
    etag             off;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_redirect off;

    # Pass the upstream's Server header through instead of nginx's own.
    proxy_pass_header Server;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;

    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;

    location / {
        proxy_pass http://jivesite;
        proxy_redirect off;
    }

    # Caching
    location ~* \.(?:ico|css|js|gif|jpe?g|png|woff)$ {
        proxy_pass http://jivesite;

        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }
}
#---jiveim.youdomain.com---

#---im.youdomain.com---
upstream jiveim {
    server 127.0.0.1:9091 weight=5;
}

server {
    listen 80;
    server_name im.youdomain.com;

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    location / {
        proxy_pass_header Server;

        # Enables WS support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;

        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;

        proxy_pass http://jiveim;
        proxy_redirect off;
    }
}
#---im.youdomain.com---
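The im.youdomain.com block works only if all three WebSocket directives (the Upgrade and Connection headers and proxy_http_version 1.1) are present; a block missing any of them forwards the Socket.IO upgrade as an ordinary HTTP/1.0 proxy request and the handshake fails. The following added example (not part of JiveIM or its shipped configuration) lints a conf file for exactly that, so the mistake is caught before nginx -t, which does not care about it, and before the browser does.

```shell
#!/bin/sh
# Added example, not part of JiveIM: lint an nginx conf file for the three directives
# a WebSocket reverse-proxy server block needs.

# Usage: ws_proxy_lint <conf-file> <server_name>
# Prints each missing directive; returns 0 only when the named server block has all three.
ws_proxy_lint() {
    awk -v target="$2" '
        # A "server {" line opens a candidate block; remember the brace depth it started at.
        /^[[:space:]]*server[[:space:]]*\{/ && !inblk { inblk = 1; start = depth; hit = 0; up = 0; conn = 0; ver = 0 }
        { nopen = gsub(/\{/, "{"); nclose = gsub(/\}/, "}") }     # braces on this line
        inblk {
            if ($1 == "server_name") for (i = 2; i <= NF; i++) if ($i == target || $i == (target ";")) hit = 1
            if ($1 == "proxy_set_header" && $2 == "Upgrade"    && $3 ~ /\$http_upgrade/) up = 1
            if ($1 == "proxy_set_header" && $2 == "Connection" && tolower($3) ~ /upgrade/) conn = 1
            if ($1 == "proxy_http_version" && $2 ~ /^1\.1/) ver = 1
        }
        { depth += nopen - nclose }
        inblk && depth == start {                                   # the block just closed
            if (hit) {
                found = 1
                if (!up)   print "missing: proxy_set_header Upgrade $http_upgrade"
                if (!conn) print "missing: proxy_set_header Connection \"upgrade\""
                if (!ver)  print "missing: proxy_http_version 1.1"
                if (up && conn && ver) ok = 1
            }
            inblk = 0
        }
        END { if (!found) print "no server block named " target; if (found && ok) exit 0; exit 1 }
    ' "$1"
}

# Demo on a constructed fragment (not the real www.conf): the Connection header and
# proxy_http_version are left out on purpose, so the lint reports them.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    server_name im.youdomain.com;
    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_pass http://jiveim;
    }
}
EOF
ws_proxy_lint "$demo" im.youdomain.com && echo "WebSocket upgrade will be proxied" || echo "fix the directives above first"
rm -f "$demo"
```

Point it at the real file with ws_proxy_lint /etc/nginx/conf.d/www.conf im.youdomain.com; it follows nested location blocks, so the directives may sit in the server block or inside location / as in the configuration above.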

The last thing you should not forget is to update the parameter socketio.public in the file app.properties:

Change socketio.public=http://localhost:9091 to socketio.public=http://im.youdomain.com

Now restart JiveIM and open http://jiveim.youdomain.com in a browser.

3. SSL Encryption on CentOS 6/7

3.1 Create SSL

Refer to Setting up a SSL Cert from Comodo

Generate the *.key and *.csr files:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.com.key -out yourdomain.com.csr

....
Country Name (2 letter code) [AU]:US <--- Enter
State or Province Name (full name) [Some-State]:New York <--- Enter
Locality Name (eg, city) []:NYC <--- Enter
Organization Name (eg, company) [Internet Widgits Pty Ltd]: JiveIM Inc <--- Enter
Organizational Unit Name (eg, section) []: IT Dept <--- Enter
Common Name (e.g. server FQDN or YOUR name) []: yourdomain.com <--- Enter
Email Address []:webmaster@yourdomain.com <--- Enter
...
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <--- Enter <EMPTY>
An optional company name []: <--- Enter <EMPTY>

Then you buy an SSL certificate from a vendor. I used PositiveSSL Wildcard, which cost $93.99/YR.

You get the file yourdomain.com.ca-bundle from Comodo through the service at SSLs.com.

So you have 2 files: yourdomain.com.key and yourdomain.com.ca-bundle. Copy yourdomain.com.key to the directory /etc/ssl/ssl.key/ and yourdomain.com.ca-bundle to /etc/ssl/ssl.crt/. The full file paths are:

  • /etc/ssl/ssl.key/yourdomain.com.key
  • /etc/ssl/ssl.crt/yourdomain.com.ca-bundle

3.2 Setup SSL

Update the file /etc/nginx/conf.d/www.conf:

#---jiveim.youdomain.com---
...
server {
    listen 443 ssl;
    server_name jiveim.youdomain.com;
    ...
    ssl on;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         AES256+EECDH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate      /etc/ssl/ssl.crt/yourdomain.com.ca-bundle;
    ssl_certificate_key  /etc/ssl/ssl.key/yourdomain.com.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    ssl_prefer_server_ciphers on;
    ...
}
#---jiveim.youdomain.com---

#---im.youdomain.com---
...
server {
    listen 443 ssl;
    server_name im.youdomain.com;
    ...
    ssl on;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         AES256+EECDH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate      /etc/ssl/ssl.crt/yourdomain.com.ca-bundle;
    ssl_certificate_key  /etc/ssl/ssl.key/yourdomain.com.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    ssl_prefer_server_ciphers on;
    ...
}
#---im.youdomain.com---
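nginx reads the first certificate in the ssl_certificate file as the server certificate and everything after it as the chain, and it only complains about a mismatch with ssl_certificate_key at reload time. The following added example (not part of JiveIM; it assumes the openssl command line, 1.0 or later, and the file paths from the configuration above) checks the two files up front: the first certificate must match the private key, its CN should cover the host name, and the count of PEM blocks tells you whether the intermediates are present. If the file you point ssl_certificate at holds only the CA chain without your own certificate in front, the key check fails, which is exactly the case you want to catch before reloading nginx.

```shell
#!/bin/sh
# Added example, not part of JiveIM: sanity-check the files named by ssl_certificate
# and ssl_certificate_key before reloading nginx. Assumes the openssl CLI.

# Usage: cert_matches_key <cert-file> <key-file>
# Returns 0 when the first certificate in the file and the private key share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage: cert_subject_cn <cert-file>   -> prints the CN of the first certificate
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage: count_certs <file>   -> number of PEM certificate blocks (leaf + chain)
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage: check_tls_files <cert-file> <key-file> <expected-hostname>
# Prints one line per check; returns 0 only when key and CN checks both pass.
check_tls_files() {
    cert=$1 key=$2 host=$3
    status=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok: key matches the first certificate in $cert"
    else
        echo "FAIL: first certificate in $cert does not match $key (is your own certificate first in the bundle?)"
        status=1
    fi
    cn=$(cert_subject_cn "$cert")
    case "$cn" in
        "$host") echo "ok: CN is $cn" ;;
        \*.*)    echo "note: wildcard CN $cn, make sure it covers $host" ;;
        *)       echo "FAIL: CN is '$cn', expected $host"; status=1 ;;
    esac
    echo "certificates in $cert: $(count_certs "$cert") (leaf first, then intermediates)"
    return $status
}

# Demo with the paths from the www.conf above; skipped silently when the files are absent.
CERT=/etc/ssl/ssl.crt/yourdomain.com.ca-bundle
KEY=/etc/ssl/ssl.key/yourdomain.com.key
if [ -r "$CERT" ] && [ -r "$KEY" ]; then
    check_tls_files "$CERT" "$KEY" jiveim.youdomain.com
fi
```

A wildcard certificate such as the PositiveSSL Wildcard mentioned above carries a CN like *.yourdomain.com, which the check reports as a note rather than a failure; run it once per host name (jiveim.youdomain.com and im.youdomain.com) since both server blocks use the same files.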

Again, do not forget to update the parameter socketio.public in the file app.properties:

Change socketio.public=http://im.youdomain.com to socketio.public=https://im.youdomain.com
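Both this change and the one in step 2 edit the same key in app.properties. The following added example (not part of JiveIM; it assumes the plain key=value lines shown on this page, with no spaces around the equals sign) rewrites a single property in place without touching the rest of the file, drops duplicate definitions of that key, and appends the key when it is absent, so the same command works for the first deployment and for the later switch to https.

```shell
#!/bin/sh
# Added example, not part of JiveIM: update one key in a Java-style properties file.
# Assumes simple key=value lines (no spaces around "=", no line continuations).

# Usage: set_property <file> <key> <value>
# Replaces the first "key=..." line (dropping any duplicates) or appends it when absent.
set_property() {
    tmp=$(mktemp) || return 1
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { if (!done) { print k "=" v; done = 1 }; next }   # first hit rewritten, repeats dropped
        { print }                                                   # every other line unchanged
        END { if (!done) print k "=" v }                            # key was missing: append it
    ' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"        # write back in place so owner and mode of the original are kept
    rm -f "$tmp"
}

# Usage: get_property <file> <key>   -> prints the value (everything after the first "=")
get_property() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# Demo on a constructed app.properties (not the project's shipped file):
demo=$(mktemp)
printf '%s\n' 'http.port=9090' 'socketio.port=9091' 'socketio.public=http://localhost:9091' > "$demo"
set_property "$demo" socketio.public https://im.youdomain.com
echo "socketio.public is now: $(get_property "$demo" socketio.public)"
rm -f "$demo"
```

On the real file the call is set_property /path/to/app.properties socketio.public https://im.youdomain.com, followed by the JiveIM restart the text asks for.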

Try accessing the Backend over SSL at https://jiveim.youdomain.com.