Let’s Encrypt

If you don’t need to bind FlashMQ to port 80 itself (which you would only need for unencrypted websockets), it’s easy to install Nginx and certbot on the machine to obtain SSL certificates from Let’s Encrypt: Nginx answers on port 80 and proxies only the ACME challenge path to certbot.

Example Nginx site config:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                try_files $uri $uri/ =404;
        }

        location /.well-known/acme-challenge/ {
                proxy_pass http://127.0.0.1:20081;
                proxy_set_header Host $host;
                auth_basic off;
                allow all;

                add_header Cache-Control "no-cache, no-store";
        }
}

Alternatively, define the following block at the server level so that it works for any site:

location /.well-known/acme-challenge/ {
    proxy_pass http://127.0.0.1:20081;
    proxy_set_header Host $host;
    auth_basic off;
    allow all;

    add_header Cache-Control "no-cache, no-store";
}

You can then run certbot:

certbot --email "admin@domain.com" --agree-tos --standalone --http-01-port 20081 certonly --domain my.domain.com

Then you can add a listener to FlashMQ like:

listen {
  protocol websockets
  port 443
  fullchain /etc/letsencrypt/live/demo.flashmq.org/fullchain.pem
  privkey /etc/letsencrypt/live/demo.flashmq.org/privkey.pem
}

Then you can renew the certificate and reload FlashMQ periodically (with cron):

certbot renew --standalone --preferred-challenges http-01 --http-01-port 20081 --quiet
systemctl reload flashmq.service
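The `systemctl reload` step above gives no confirmation that the listener actually picked up the renewed files. The following script is an added example, not part of FlashMQ or certbot: it compares the SHA-256 fingerprint of the leaf certificate in `fullchain.pem` with the one the port 443 websockets listener presents, so a reload that silently kept the old certificate is noticed. The hostname and path are passed as arguments; nothing else is assumed.

```python
#!/usr/bin/env python3
"""Hypothetical post-renewal check: does FlashMQ serve the cert on disk?"""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint_from_pem(pem_text):
    """SHA-256 fingerprint (hex) of the first certificate in a PEM chain.

    fullchain.pem lists the leaf first and the intermediates after it, so
    the first block is the server certificate FlashMQ should present."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 fingerprint of the leaf certificate the listener presents."""
    ctx = ssl.create_default_context()  # also verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} HOSTNAME /path/to/fullchain.pem", file=sys.stderr)
        return 2
    host, path = argv[1], argv[2]
    with open(path, encoding="ascii") as fh:
        on_disk = leaf_fingerprint_from_pem(fh.read())
    served = served_fingerprint(host)
    if on_disk != served:
        # Exit non-zero so cron mails the failure instead of hiding it.
        print(f"MISMATCH: disk {on_disk} vs served {served}", file=sys.stderr)
        return 1
    print(f"OK: {host} serves {on_disk}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the same cron job right after the reload, e.g. `python3 check_cert.py my.domain.com /etc/letsencrypt/live/my.domain.com/fullchain.pem`.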