Tutorial: How to secure Traccar with SSL / HTTPS for free, using IIS and Let’s Encrypt on Windows Server

Introduction

In this guide, I’m going to show you how to secure your Traccar installation with SSL, so that it can be reached over https instead of http. Traccar is a free and open source modern GPS tracking system.
Since Traccar has no native support for encrypted connections, we’ll do this by setting up a reverse proxy using IIS (the method recommended by the developer). We’ll use Let’s Encrypt to generate a free, valid certificate for your Traccar installation.

Prerequisites

  • A working Traccar instance, reachable over http (by default http://localhost:8082), installed on Windows Server 2012 R2 or Windows Server 2016.
  • A Fully Qualified Domain Name (FQDN), for example ‘yourdomain.com’, with an A record pointing to the IP of your Traccar server:

    (Of course, in the screenshot above, change the variables to meet your environment, i.e. replace ‘123.123.123.123’ with the IP of your Traccar server and ‘traccar.yourdomain.com’ with your own (sub)domain.
    Please note that it can take up to 24 hours, but usually no more than 1-2 hours, for your DNS servers to ‘propagate’, i.e. sync your update with the rest of the world.)

Getting Started

First, install the URL Rewrite add-on module. From Windows Server 2012 R2 and up, you can use the Microsoft Web Platform Installer (WebPI) to download and install the URL Rewrite Module. Just search for ‘URL Rewrite’ in the search options and click ‘Add’.


After installing, do the same for the Application Request Routing 3.0 add-on module:


Next, open IIS and add a new website:

In the window that opens, fill in the following details:

Change the variables to meet your environment.

Close IIS for now and download and install ‘Certify the web’, a free (up to 5 websites) SSL Certificate Manager for Windows (powered by Let’s Encrypt). Certify will automatically renew your certificates before they expire, so it pretty much takes care of itself.

After installing, open Certify. Before we can request a new certificate, we first need to set up a new contact. This is mandatory. So, first, go to ‘Settings’ and set a ‘New Contact’:


Next, click on ‘New Certificate’:

Select the website you created in IIS, in my case named ‘Traccar’:

The rest of the information should now autofill, based on the details you entered in IIS.

Next, go to the Advanced tab and click ‘Test’ to verify that everything is set up correctly:

If all goes well, you should get this popup:

Click OK and click ‘Save’.

Next, click ‘Request Certificate’ to request your free valid SSL certificate from Let’s Encrypt for your Traccar installation:

If all goes well, you should get ‘Success’:

Next, close Certify and open IIS again. Go to the website you created (in my example Traccar) and click on URL Rewrite:

Click on ‘Add Rule(s)’ in the top right corner:

In the window that opens, click on ‘Reverse Proxy’ and click ‘Ok’:

In the window that opens, enter ‘localhost:8082’ in the Inbound Rules text field,
select ‘Enable SSL Offloading’,
select ‘Rewrite the domain names of the links in the HTTP responses’ from ‘localhost:8082’
and select your Traccar domain from the dropdown menu, i.e. ‘traccar.yourdomain.com’ and click OK.

Next, go to your website in IIS again and click on Compression:

Outbound rewriting can only be applied on un-compressed responses. If the response is already compressed then URL Rewrite Module will report an error if any of the outbound rules is evaluated against that response. Therefore, we need to disable Compression in order to get Traccar to play nicely with IIS. Uncheck both options and click Apply:
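
What the Reverse Proxy wizard and the Compression change leave in the web.config in the site's physical path, shown here as an added example that is not part of the original tutorial. The rule names are the wizard's defaults and ‘traccar.yourdomain.com’ is this guide's placeholder domain; compare it with your own file to confirm that both steps took effect:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound: every request to the site is forwarded to Traccar.
             With 'Enable SSL Offloading' selected, the hop to the backend
             is plain http, so TLS ends at IIS. -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8082/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound: links in HTML responses that point at the backend
             are rewritten to the public host name. -->
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img"
                 pattern="^http(s)?://localhost:8082/(.*)" />
          <action type="Rewrite"
                  value="http{R:1}://traccar.yourdomain.com/{R:2}" />
        </rule>
        <preConditions>
          <!-- Only HTML responses are inspected by the outbound rule. -->
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <!-- Both Compression boxes unchecked: the outbound rule can only be
         evaluated against un-compressed responses. -->
    <urlCompression doStaticCompression="false" doDynamicCompression="false" />
  </system.webServer>
</configuration>
```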

That’s it! We’re done! Your Traccar installation should now be reachable over HTTPS and have a valid SSL certificate:

If the website is not opening (times out), check if port 443 inbound is open in your firewall:

Optional

Since your website is now reachable over https, you can change the Challenge Type to tls-sni-01 in Certify:

This way, you can remove the port 80 binding in IIS if you want, to force all traffic to your Traccar installation over https:

Have fun! Any questions or comments, let me know down below.