Enabling TLS to Unravel Web UI directly

The following steps show how to enable TLS (SSL) directly on ngui, which listens on port 3000. Alternatively, see Adding SSL and TLS to Unravel Web UI to add an Apache2 reverse proxy that listens on port 443, the usual HTTPS port.

In this example, we stay on the default port 3000 but change the protocol to HTTPS. The SSL/TLS certificate files must be accessible from the Unravel host. For more information, see Defining a Custom Web UI Port.

  1. On Unravel Server, edit the unravel.properties file as follows:

    • OPTION 1 - Simple SSL config

      Update or add the following properties. For example, to enable SSL with minimal configuration:

      #ENABLE/DISABLE SSL 
      com.unraveldata.ngui.ssl.enabled=true 
      
      #PATH TO CERT FILE 
      com.unraveldata.ngui.ssl.cert.file=/etc/certs/wildcard_unravelhost_ssl_certificate 
      
      #PATH TO KEY FILE 
      com.unraveldata.ngui.ssl.key.file=/etc/certs/wildcard_unravelhost_RSA_private.key
      
      #OPTIONAL - COMMA SEPARATED LIST OF CA FILES 
      com.unraveldata.ngui.ssl.ca.files=/etc/certs/IntermediateCA1.crt,/etc/certs/IntermediateCA2.crt 
      
      #OPTIONAL- PASSPHRASE IF NEEDED FOR KEY FILE 
      com.unraveldata.ngui.ssl.passphrase=testp 
    • OPTION 2 - Advanced SSL config

      Update or add the following properties to enable SSL with advanced configuration:

      #ENABLE/DISABLE SSL 
      com.unraveldata.ngui.ssl.enabled=true 
      
      #PROVIDE SSL CONFIG THROUGH JS FILE FOR ADVANCE CONFIG
      com.unraveldata.ngui.ssl.advance.config=/usr/local/unravel/etc/advanced_unravel_ssl.js

      Content of advanced_unravel_ssl.js:

      /* advanced_unravel_ssl.js
         Update the config variables below:
           SSL_KEY_FILE_PATH
           SSL_CERT_FILE_PATH
           CA_CERT_FILE_PATH
         Comment and uncomment the blocks you need.
      */
      const fs = require('fs');
      // crypto.constants replaces the deprecated require('constants') module
      const { constants } = require('crypto');

      /* absolute path for ssl key file */
      const SSL_KEY_FILE_PATH = '/cert/unravel_ssl.key';

      /* absolute path for ssl cert file */
      const SSL_CERT_FILE_PATH = '/cert/unravel_ssl.crt';

      /* absolute path for CA certs */
      /* const CA_CERT_FILE_PATH = ''; */

      module.exports = {
        key: fs.readFileSync(SSL_KEY_FILE_PATH),
        passphrase: 'The password you gave when you created the key',
        cert: fs.readFileSync(SSL_CERT_FILE_PATH),
        // uncomment below if using custom CA certs
        // ca: fs.readFileSync(CA_CERT_FILE_PATH),

        // modify to enable/disable specific TLS versions
        // SSL v3 is disabled by default; this also disables TLS 1.0 and TLS 1.1
        secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,

        /* List of ciphers per Mozilla's intermediate compatibility recommendation */
        ciphers: [
          'TLS_AES_128_GCM_SHA256',
          'TLS_AES_256_GCM_SHA384',
          'TLS_CHACHA20_POLY1305_SHA256',
          'ECDHE-ECDSA-AES128-GCM-SHA256',
          'ECDHE-RSA-AES128-GCM-SHA256',
          'ECDHE-ECDSA-AES256-GCM-SHA384',
          'ECDHE-RSA-AES256-GCM-SHA384',
          'ECDHE-ECDSA-CHACHA20-POLY1305',
          'ECDHE-RSA-CHACHA20-POLY1305',
          'DHE-RSA-AES128-GCM-SHA256',
          'DHE-RSA-AES256-GCM-SHA384'
        ].join(':')
      };
      
  2. Set your advertised host in unravel.properties. This prefix will be used by the Unravel server immediately after login or logout.

    com.unraveldata.advertised.url=https://unravel.example.com:3000
  3. Restart Unravel Web UI.

    sudo service ngui restart
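
A lint for the properties set in steps 1 and 2, to run before the restart. This is an added example, not part of the Unravel documentation or product; the function names, the constructed sample, and the owner-only permission rule for key material are assumptions.

```javascript
// Added example: lint the TLS keys this page sets in unravel.properties.
const fs = require('fs');
const P = 'com.unraveldata.ngui.ssl.';

function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf('=');
    if (line.startsWith('#') || eq < 1) continue; // comment, blank or malformed line
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// stat is injectable so the check can be exercised without real files.
function lintNguiSsl(text, stat = (p) => fs.statSync(p)) {
  const props = parseProperties(text);
  const findings = [];
  if (props[P + 'enabled'] !== 'true') findings.push('ssl.enabled is not true');
  // Option 2 replaces cert.file/key.file with a single JS config file.
  const files = props[P + 'advance.config']
    ? [['advance.config', props[P + 'advance.config']]]
    : [['cert.file', props[P + 'cert.file']], ['key.file', props[P + 'key.file']]];
  for (const ca of (props[P + 'ca.files'] || '').split(',')) {
    if (ca.trim()) files.push(['ca.files', ca.trim()]);
  }
  for (const [key, path] of files) {
    if (!path) { findings.push(`${key} is not set`); continue; }
    if (/\s/.test(path)) { findings.push(`${key} contains whitespace`); continue; }
    let mode;
    try { mode = stat(path).mode; } catch (e) { findings.push(`${key} not found: ${path}`); continue; }
    // Assumption: the key file and the JS config (it holds the passphrase) are owner-only.
    if (!/^(cert|ca)/.test(key) && (mode & 0o077)) findings.push(`${key} is accessible to group/other`);
  }
  let scheme = null;
  try { scheme = new URL(props['com.unraveldata.advertised.url']).protocol; } catch (e) { /* unset or invalid */ }
  if (scheme !== 'https:') findings.push('advertised.url is not an https:// URL');
  return findings;
}

// Constructed sample: stray space in the key path, advertised URL left on http.
const SAMPLE = `${P}enabled=true
${P}cert.file=/etc/certs/site.crt
${P}key.file=/etc/certs /site.key
com.unraveldata.advertised.url=http://unravel.example.com:3000`;
console.log(lintNguiSsl(SAMPLE, () => ({ mode: 0o100600 })));
```

Against a real installation, call lintNguiSsl(fs.readFileSync(pathToProperties, 'utf8')) with the location of your unravel.properties; an empty array means none of these checks fired.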