
Enabling TLS to Unravel Web UI directly

The following steps show how to enable TLS (SSL) directly on unravel_ngui, which listens on port 3000. Alternatively, see Adding SSL and TLS to Unravel Web UI to add an Apache2 reverse proxy that listens on port 443, the usual HTTPS port.

In this example, we stay on the default port 3000 but change the protocol to HTTPS. The SSL/TLS certificate files must be accessible from the Unravel host. For more information, see Defining a Custom Web UI Port.

  1. On Unravel Server, edit /usr/local/unravel/etc/unravel.properties as follows:

    • OPTION 1 - Simple SSL config

      Update or add the following properties. For example, to enable SSL with minimal configuration:

      #ENABLE/DISABLE SSL 
      com.unraveldata.ngui.ssl.enabled=true 
      
      #PATH TO CERT FILE 
      com.unraveldata.ngui.ssl.cert.file=/etc/certs/wildcard_unravelhost_ssl_certificate 
      
      #PATH TO KEY FILE 
      com.unraveldata.ngui.ssl.key.file=/etc/certs/wildcard_unravelhost_RSA_private.key
      
      #OPTIONAL - COMMA SEPARATED LIST OF CA FILES 
      com.unraveldata.ngui.ssl.ca.files=/etc/certs/IntermediateCA1.crt,/etc/certs/IntermediateCA2.crt 
      
      #OPTIONAL- PASSPHRASE IF NEEDED FOR KEY FILE 
      com.unraveldata.ngui.ssl.passphrase=testp 
    • OPTION 2 - Advanced SSL config

      Update or add the following properties to enable SSL with advanced configuration:

      #ENABLE/DISABLE SSL 
      com.unraveldata.ngui.ssl.enabled=true 
      
      #PROVIDE SSL CONFIG THROUGH JS FILE FOR ADVANCE CONFIG
      com.unraveldata.ngui.ssl.advance.config=/usr/local/unravel/etc/advanced_unravel_ssl.js

      Content of advanced_unravel_ssl.js:

      /* advanced_unravel_ssl.js
       * Update the config variables below:
       *   SSL_KEY_FILE_PATH
       *   SSL_CERT_FILE_PATH
       *   CA_CERT_FILE_PATH
       * then comment or uncomment the blocks you need.
       */
      const fs = require('fs');
      const constants = require('constants');

      /* absolute path for ssl key file */
      const SSL_KEY_FILE_PATH = '/cert/unravel_ssl.key';

      /* absolute path for ssl cert file */
      const SSL_CERT_FILE_PATH = '/cert/unravel_ssl.crt';

      /* absolute path for CA certs */
      /* const CA_CERT_FILE_PATH = ''; */

      module.exports = {
        key: fs.readFileSync(SSL_KEY_FILE_PATH),
        passphrase: 'The password you gave when you created the key',
        cert: fs.readFileSync(SSL_CERT_FILE_PATH),
        // uncomment below if using custom CA certs
        // ca: fs.readFileSync(CA_CERT_FILE_PATH),
        // uncomment below to disable TLS 1.0 and TLS 1.1
        // secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,

        /* LIST OF RECOMMENDED CIPHERS */
        /* note OpenSSL-style format: hyphen-separated names joined with ':' */
        /* (the CBC suites carry no "CBC" in their OpenSSL names) */
        ciphers: ['ECDHE-ECDSA-AES256-GCM-SHA384',
          'ECDHE-ECDSA-AES128-GCM-SHA256',
          'ECDHE-ECDSA-AES256-SHA384',
          'ECDHE-ECDSA-AES256-SHA',
          'ECDHE-ECDSA-AES128-SHA256',
          'ECDHE-ECDSA-AES128-SHA',
          'ECDHE-RSA-AES256-GCM-SHA384',
          'ECDHE-RSA-AES128-GCM-SHA256',
          'ECDHE-RSA-AES256-SHA384',
          'ECDHE-RSA-AES128-SHA256',
          'ECDHE-RSA-AES128-SHA'].join(':')
      };
  2. Set your advertised host in /usr/local/unravel/etc/unravel.properties. This prefix will be used by Unravel server right after login or logout.

    com.unraveldata.advertised.url=https://unravel.example.com:3000
  3. Restart Unravel Web UI.

    sudo service unravel_ngui restart