Appendix. Enable Data Encryption¶

To ensure data security, it is recommended to enable SSL encryption. Do the following:

Under the nginx configuration directory, create a directory that will be used to hold all of the SSL data:
```
sudo mkdir /etc/nginx/ssl
```
Create the SSL key and certificate files:
```
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/my-example-domain.com.key -out /etc/nginx/ssl/my-example-domain.com.crt
```
You will be asked a few questions about your server in order to embed the information correctly in the certificate. Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter the domain name or public IP address that you want to be associated with your server. Both of the files you created (my-example-domain.com.key and my-example-domain.com.crt) will be placed in the /etc/nginx/ssl directory.

Configure nginx to use SSL. Open the nginx configuration file. Copy the code from the example below into the file.

sudo vi /etc/nginx/nginx.conf

# redirect from http to https version of the site
server {
        listen 80;
        server_name my-example-domain.com www.my-example-domain.com;
        rewrite ^(.*) https://my-example-domain.com$1 permanent;
        access_log off;
}

server {
        listen 443 ssl;
        server_name my-example-domain.com;

        ssl_certificate     /etc/nginx/ssl/my-example-domain.com.crt;
        ssl_certificate_key /etc/nginx/ssl/my-example-domain.com.key;

        root /usr/share/ffsecurity-ui

        location / {
                try_files $uri $uri/ @ffsec;
        }

        location @ffsec {
                proxy_pass http://127.0.0.1:8002;
        }
}

Restart nginx.
```
sudo service nginx restart
```
Edit the ffsecurity configuration file. In the EXTERNAL_ADDRESS parameter, substitute the http:// prefix with https://.
```
sudo vi /etc/ffsecurity/config.py

EXTERNAL_ADDRESS="https://my-example-domain.com"
```