Enabling TLS to Unravel Web UI directly
The following steps show you how to enable TLS (SSL) directly on ngui, which listens on port 3000. Alternatively, see Adding SSL and TLS to Unravel Web UI to add an Apache2 reverse proxy that listens on port 443, the usual HTTPS port.
In this example, we stay on the default port 3000 but change the protocol to HTTPS. The SSL/TLS certificate and key files must be accessible from the Unravel host. For more information, see Defining a Custom Web UI Port.
On Unravel Server, edit the unravel.properties file as follows:

OPTION 1 - Simple SSL config
Update or add the following properties. For example, to enable SSL with minimal configuration:
#ENABLE/DISABLE SSL
com.unraveldata.ngui.ssl.enabled=true
#PATH TO CERT FILE
com.unraveldata.ngui.ssl.cert.file=/etc/certs/wildcard_unravelhost_ssl_certificate
#PATH TO KEY FILE
com.unraveldata.ngui.ssl.key.file=/etc/certs/wildcard_unravelhost_RSA_private.key
#OPTIONAL - COMMA SEPARATED LIST OF CA FILES
com.unraveldata.ngui.ssl.ca.files=/etc/certs/IntermediateCA1.crt,/etc/certs/IntermediateCA2.crt
#OPTIONAL - PASSPHRASE IF NEEDED FOR KEY FILE
com.unraveldata.ngui.ssl.passphrase=testp
OPTION 2 - Advanced SSL config
Update or add the following properties to enable SSL with advanced configuration supplied from a JavaScript file:
#ENABLE/DISABLE SSL
com.unraveldata.ngui.ssl.enabled=true
#PROVIDE SSL CONFIG THROUGH JS FILE FOR ADVANCED CONFIG
com.unraveldata.ngui.ssl.advance.config=/usr/local/unravel/etc/advanced_unravel_ssl.js
Content of advanced_unravel_ssl.js:

/*
 advanced_unravel_ssl.js
 Update the config variables SSL_KEY_FILE_PATH, SSL_CERT_FILE_PATH and CA_CERT_FILE_PATH below,
 then comment or uncomment the needed blocks.
*/
const fs = require('fs');
const constants = require('constants');

/* absolute path for ssl key file */
const SSL_KEY_FILE_PATH = '/cert/unravel_ssl.key';
/* absolute path for ssl cert file */
const SSL_CERT_FILE_PATH = '/cert/unravel_ssl.crt';
/* absolute path for CA certs */
/* const CA_CERT_FILE_PATH = ''; */

module.exports = {
  key: fs.readFileSync(SSL_KEY_FILE_PATH),
  passphrase: 'The password you gave when you created the key',
  cert: fs.readFileSync(SSL_CERT_FILE_PATH),
  // uncomment below if using custom ca certs
  // ca: fs.readFileSync(CA_CERT_FILE_PATH),
  // modify to enable/disable specific TLS versions
  // SSL v3 is disabled by default
  secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
  /* List of ciphers per Mozilla's intermediate compatibility recommendation */
  ciphers: [
    'TLS_AES_128_GCM_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    'ECDHE-ECDSA-AES128-GCM-SHA256',
    'ECDHE-RSA-AES128-GCM-SHA256',
    'ECDHE-ECDSA-AES256-GCM-SHA384',
    'ECDHE-RSA-AES256-GCM-SHA384',
    'ECDHE-ECDSA-CHACHA20-POLY1305',
    'ECDHE-RSA-CHACHA20-POLY1305',
    'DHE-RSA-AES128-GCM-SHA256',
    'DHE-RSA-AES256-GCM-SHA384'
  ].join(':')
};
Set your advertised host in unravel.properties. This prefix is used by the Unravel server immediately after login or logout.

com.unraveldata.advertised.url=https://unravel.example.com:3000
Restart the Unravel Web UI:

sudo service ngui restart