Adding SSL and TLS to Unravel web UI

You can configure the Apache HTTP Server (httpd) as a reverse proxy that terminates HTTPS (SSL/TLS) in front of the Unravel Web UI; the UI itself keeps listening for plain HTTP on port 3000 and only the proxy is exposed. Complete the following steps.

Warning

Secure cookies are not supported when using this Apache2 reverse-proxy method. Follow the instructions in Enabling TLS to Unravel Web UI Directly to enable TLS directly in ngui, which listens on port 3000.

Tip

These steps were tested with httpd 2.4, with the proxy listening on port 443.

  1. Install the needed packages.

    sudo yum install httpd mod_ssl

    Note

    There is no need to change the default /etc/httpd/conf/httpd.conf file.

  2. Create /etc/httpd/conf.d/unravel_https.conf. Use the following as a model (replace unravelhost_FQDN and the SSLCertificate* paths with values appropriate for your installation).

    <VirtualHost *:80>
        ServerName unravelhost_FQDN
        # Send every plain-HTTP request to the HTTPS site (trailing slash keeps the requested path)
        Redirect permanent / https://unravelhost_FQDN/
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot /var/www/html
        ServerName unravelhost_FQDN
        # Uncomment if you see http-to-https errors behind the proxy (see Troubleshooting)
        #RequestHeader set X-FORWARDED-PROTO 'https'

        SSLEngine on
        SSLCertificateFile /etc/certs/wildcard_unravelhost_ssl_certificate.crt
        SSLCertificateKeyFile /etc/certs/wildcard_unravelhost_RSA_private.key
        SSLCertificateChainFile /etc/certs/IntermediateCA.crt

        # Allow only TLS 1.2 and 1.3; SSLv2/SSLv3/TLS 1.0/TLS 1.1 are disabled
        SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

        # Keep this Off: On would turn httpd into an open forward proxy
        ProxyRequests Off
        # Pass the client's original Host header through to ngui (also helps when reading logs)
        ProxyPreserveHost On
        ProxyPass / http://localhost:3000/ connectiontimeout=180 timeout=180
        ProxyPassReverse / http://localhost:3000/
        <Location />
            # httpd 2.4 authorization syntax (replaces the 2.2 Order/Deny/Allow directives)
            Require all granted
        </Location>
    </VirtualHost>

  3. Adjust or add the following property in /usr/local/unravel/etc/unravel.properties. Use no trailing slash; the :port suffix is optional.

    com.unraveldata.advertised.url=https://unravelhost_FQDN
  4. Restart the ngui daemon.

    manager restart ngui
  5. Start the httpd daemon.

    sudo service httpd start
  6. Visit https://unravelhost_FQDN (using the value appropriate for your site) to test access, and confirm that http://unravelhost_FQDN redirects to the HTTPS URL.
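The following script is an added example for checking the result of steps 1 through 6; it is not part of the Unravel documentation or product. It checks, from the outside, the two properties the configuration above is meant to guarantee: that port 80 permanently redirects to https://, and that TLS 1.0 and 1.1 handshakes are refused while a normal handshake (with chain validation against the system trust store) succeeds. The parsing helpers run offline on constructed responses; the live checks assume the proxy is reachable at the hostname given on the command line (unravelhost_FQDN is a placeholder, as in the steps above). The `check_ssl_protocol_line` and `check_advertised_url` helpers also validate the SSLProtocol directive and the com.unraveldata.advertised.url value before you restart anything.

```python
"""Post-deployment checks for the httpd HTTPS reverse proxy in front of Unravel ngui.

Added example, not Unravel's own code. Pure helpers run offline; the live checks at the
bottom need the proxy reachable at the hostname passed as argv[1] (assumed: unravelhost_FQDN).
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit


def parse_redirect_response(raw: bytes):
    """Return (status_code, Location header or None) from a raw HTTP/1.x response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; the URL keeps its own
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def redirect_is_https(raw: bytes, host: str) -> bool:
    """True if the port-80 answer is a permanent redirect to https:// on the same host."""
    status, location = parse_redirect_response(raw)
    if status not in (301, 308) or location is None:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == host.lower()


def check_advertised_url(value: str) -> bool:
    """com.unraveldata.advertised.url must be https://host with an optional :port and no trailing slash."""
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path or parts.query or parts.fragment:  # a bare "/" counts as a path
        return False
    return port is None or 0 < port < 65536


def check_ssl_protocol_line(line: str) -> bool:
    """True if an SSLProtocol directive leaves exactly TLS 1.2 and TLS 1.3 enabled."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        return False
    everything = {"SSLV3", "TLSV1", "TLSV1.1", "TLSV1.2", "TLSV1.3"}  # httpd's ALL excludes SSLv2
    enabled = set()
    for tok in tokens[1:]:
        name = tok.lstrip("+-").upper()
        if tok.startswith("-"):
            enabled.clear() if name == "ALL" else enabled.discard(name)
        elif name == "ALL":
            enabled |= everything
        else:
            enabled.add(name)
    return enabled == {"TLSV1.2", "TLSV1.3"}


def live_redirect_check(host: str) -> bool:
    """Fetch / over plain HTTP and verify the permanent redirect to https://."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, 80), timeout=10) as s:
        s.sendall(request)
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    return redirect_is_https(raw, host)


def live_tls_checks(host: str) -> dict:
    """Pin the client to each legacy version and expect the handshake to fail; then do a normal one.

    Caveat: a client OpenSSL that itself refuses TLS 1.0/1.1 also reports 'rejected', so
    confirm from a host that can still speak them (openssl s_client -tls1_1) if in doubt.
    """
    results = {}
    for name, ver in (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = ver
        try:
            with socket.create_connection((host, 443), timeout=10) as s:
                with ctx.wrap_socket(s, server_hostname=host):
                    results[name + " rejected"] = False  # handshake worked: legacy protocol enabled
        except (ssl.SSLError, OSError):
            results[name + " rejected"] = True
    ctx = ssl.create_default_context()  # validates the served chain against system CAs
    with socket.create_connection((host, 443), timeout=10) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            results["negotiated"] = tls.version()
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "unravelhost_FQDN"  # placeholder host
    print("port 80 redirects to https:", live_redirect_check(target))
    print("TLS checks:", live_tls_checks(target))
```

Run it as `python3 check_proxy.py unravelhost_FQDN` from a machine outside the Unravel host so the checks go through the same path your users take. A `False` for the redirect usually means the `*:80` virtual host is not being served (another vhost or the default `_default_:443` config in ssl.conf may be winning); a `False` for a legacy version means the SSLProtocol line did not take effect, most often because ssl.conf's own SSLProtocol applies to a different virtual host than the one answering.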

Troubleshooting

To enable verbose logging in Apache2, add a LogLevel directive to the virtual host (or to httpd.conf). LogLevel can be set to debug, or to trace1 through trace8, each more verbose than the last.

LogLevel debug

Note

Don't leave debug settings enabled long term because they add overhead and can fill up the log area if logs aren't auto-rolled.

The *:80 virtual host above already redirects plain http:// requests to HTTPS. If you still see http-to-https errors behind the proxy (for example, ngui redirecting users back to http://), tell ngui that the original request arrived over HTTPS even though the proxied hop to port 3000 is plain HTTP:

  1. Add the following line after the ServerName line in the *:443 virtual host in /etc/httpd/conf.d/unravel_https.conf. This needs mod_headers, which the RHEL/CentOS httpd packages load by default.

    RequestHeader set X-FORWARDED-PROTO 'https'
  2. Restart Apache2.

    sudo service httpd restart