vrr/ntopng
2
0
Fork 0
mirror of https://github.com/ntop/ntopng.git synced 2026-04-29 15:39:33 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
ntopng/doc/README.SSL

108 lines
4.1 KiB
Text
Raw Blame History

In order to use SSL with ntopng (i.e. HTTPS) you need a certificate; you can create your own self signed certificate (1) or obtain it by a Certification Authorities (CA) (2):
- obtain the .pem files
- concatenate the privateKeyFile(.pem) and the certificate/certificateChainFile(.pem)
- Rename it in ntopng-cert.pem and put inside ntopng/httpdocs/ssl/.
The HTTPS server will start on port 3001
Below you can find instructions on how to run ntopng with either a self signed or a CA certificate generated by Let's Encrypt (https://letsencrypt.org)
==== SELFSIGNED CERTIFICATE ====
1 To create the self-signed certificate you need to:
1.1 Install OpenSSL
On Debian/Ubuntu: sudo apt-get install openssl
OnRedHat/CentOS: sudo yum install openssl
On OSX do: brew install openssl
1.2 Create your SSL certificate
inside the ntopng folder execute the command: make cert
and follow the instruction
1.3 Edit ntop.conf to enable https
Edit the /etc/ntopng/ntopng.conf file to include the text --https-port=3001
You may choose ports other than 3001 but it must be a different port to the http port which is port 3000 by default
Alternatively you can disable insecure http altogether by replacing the line -w=3000 with --http-port=0
(-w and --http-port are interchangeable)
1.5 Start ntopng
1.6 OPTIONAL
"make cert" will create the certificate but you can see below the
exact steps if you want to generate the certificate manually.
You now need to locate your ntopng `share` directory. It is usually located at `/usr/share/ntopng` or at `/usr/local/share/ntopng`.
The next instructions assume it's located at `/usr/local/share/ntopng`.
== Ubuntu and Centos packages ==
cd /tmp/
openssl req -new -x509 -sha256 -extensions v3_ca -nodes -days 365 -out cert.pem
cat privkey.pem cert.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
/bin/rm -f privkey.pem cert.pem
cd /usr/local/bin/
ln -s /usr/lib/x86_64-linux-gnu/libssl.so .
ntopng
== HomeBrew Formula ==
cd /tmp/
openssl req -new -x509 -sha256 -extensions v3_ca -nodes -days 365 -out cert.pem
mkdir /usr/share/ntopng/httpdocs/ssl/
cat privkey.pem cert.pem > /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem
/bin/rm -f privkey.pem cert.pem
cd /usr/local/bin/
ln -s /opt/local/lib/libssl.dylib /opt/local/lib/libcrypto.dylib .
ntopng
==== CA CERTIFICATE [ Let's Encrypt ] ====
Please read https://www.ntop.org/ntopng/securing-ntopng-with-ssl-and-lets-encrypt/ for
a complete tutorial on using Let's Encrypt to secure ntopng.
=== HTTPS Client Authentication ===
By enabling this feature you may grant access to ntopng by the means of X.509 client certificates.
Clients that provides a valid certificate, issued by a trusted CA, are authenticated
without the need of a password, if the X.509 Common Name (CN) matches an existing ntopng user.
Clients that otherwise fails to provide a certificate or a valid one, fallback to the usual
login process.
Trusted CAs are read from httpdocs/ssl/ntopng-ca.crt, this file must contain the concatenated
list of CAs certificates, in PEM format. Any change to this file requires a restart of ntopng
to take effect.
Using openssl you may easily activate the feature and create client certificates
with the following instructions.
1. Create your own CA:
openssl genrsa -des3 -out ca.key 2048 # create key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt # create CA self-signed cert
cat ca.crt >> ntopng/httpdocs/ssl/ntopng-ca.crt # add cert to trusted CAs
2. Create one or more Client Certificates:
openssl genrsa -des3 -out client.key 2048 # create key
openssl req -new -key client.key -out client.csr # create client cert request
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt # create client cert signed by CA
3. Export Client to preferred browser format (usually pkcs12):
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Then import client certificate in the browser and restart ntopng.
Remember first to enable HTTPS Client Authentication in the Preferences->User Authetication.
Reference in a new issue View git blame Copy permalink