SSL/HTTPS¶
Introduction¶
In order to use SSL with ntopng (i.e. HTTPS) you need a certificate; you can create your own self signed certificate (1) or obtain it by a Certification Authorities (CA) (2):
- obtain the .pem files
- concatenate the privateKeyFile(.pem) and the certificate/certificateChainFile(.pem)
- Rename it in ntopng-cert.pem and put inside ntopng/httpdocs/ssl/.
The HTTPS server will start on port 3001
Below you can find instructions on how to run ntopng with either a self signed or a CA certificate generated by Let’s Encrypt (https://letsencrypt.org)
SELFSIGNED CERTIFICATE¶
To create the self-signed certificate you need to install OpenSSL
On Debian/Ubuntu: sudo apt-get install openssl OnRedHat/CentOS: sudo yum install openssl On OSX do: brew install openssl
From Source Code¶
If you are running from source code, you can create your SSL certificate inside the ntopng folder executing the command below:
make cert
Edit the /etc/ntopng/ntopng.conf file to enable https, adding:
--https-port=3001
You may choose ports other than 3001 but it must be a different port to the http port which is port 3000 by default Alternatively you can disable insecure http altogether by replacing the line -w=3000 with –http-port=0 (-w and –http-port are interchangeable)
Then start ntopng.
From Packages¶
Please find below the steps to generate a certificate manually. The certificate should be installed under the ntopng share directory, usually located at /usr/share/ntopng or at /usr/local/share/ntopng. The next instructions assume it’s located at /usr/local/share/ntopng.
Ubuntu and Centos¶
cd /tmp/
openssl req -new -x509 -sha256 -extensions v3_ca -nodes -days 365 -out cert.pem
cat privkey.pem cert.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
/bin/rm -f privkey.pem cert.pem
systemctl restart ntopng
HomeBrew Formula¶
cd /tmp/
openssl req -new -x509 -sha256 -extensions v3_ca -nodes -days 365 -out cert.pem
mkdir /usr/share/ntopng/httpdocs/ssl/
cat privkey.pem cert.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
/bin/rm -f privkey.pem cert.pem
cd /usr/local/bin/
ln -s /opt/local/lib/libssl.dylib /opt/local/lib/libcrypto.dylib .
ntopng
CA CERTIFICATE [ Let’s Encrypt ]¶
Please read https://www.ntop.org/ntopng/securing-ntopng-with-ssl-and-lets-encrypt/ for a complete tutorial on using Let’s Encrypt to secure ntopng.
HTTPS Client Authentication¶
By enabling this feature you may grant access to ntopng by the means of X.509 client certificates.
Clients that provides a valid certificate, issued by a trusted CA, are authenticated without the need of a password, if the X.509 Common Name (CN) matches an existing ntopng user.
Clients that otherwise fails to provide a certificate or a valid one, fallback to the usual login process.
Trusted CAs are read from httpdocs/ssl/ntopng-ca.crt, this file must contain the concatenated list of CAs certificates, in PEM format. Any change to this file requires a restart of ntopng to take effect.
Using openssl you may easily activate the feature and create client certificates with the following instructions.
Create your own CA:
openssl genrsa -des3 -out ca.key 2048 # create key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt # create CA self-signed cert
cat ca.crt >> ntopng/httpdocs/ssl/ntopng-ca.crt # add cert to trusted CAs
Create one or more Client Certificates:
openssl genrsa -des3 -out client.key 2048 # create key
openssl req -new -key client.key -out client.csr # create client cert request
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt # create client cert signed by CA
Export Client to preferred browser format (usually pkcs12):
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Then import client certificate in the browser and restart ntopng. Remember first to enable HTTPS Client Authentication in the Preferences->User Authetication.