Enabling TLS to Unravel Web UI directly
The following steps show how to enable TLS (SSL) directly on unravel_ngui, which listens on port 3000. Alternatively, see Adding SSL and TLS to Unravel Web UI to add an Apache2 reverse proxy that listens on port 443, the usual HTTPS port.
In this example, we stay on default port 3000 but change the protocol to HTTPS. We need SSL/TLS certificate files accessible from the Unravel host. For more information, see Defining a Custom Web UI Port.
On Unravel Server, edit /usr/local/unravel/etc/unravel.properties as follows:

OPTION 1 - Simple SSL config
Update or add the following properties. For example, to enable SSL with minimal configuration:

    #ENABLE/DISABLE SSL
    com.unraveldata.ngui.ssl.enabled=true
    #PATH TO CERT FILE
    com.unraveldata.ngui.ssl.cert.file=/etc/certs/wildcard_unravelhost_ssl_certificate
    #PATH TO KEY FILE
    com.unraveldata.ngui.ssl.key.file=/etc/certs/wildcard_unravelhost_RSA_private.key
    #OPTIONAL - COMMA SEPARATED LIST OF CA FILES
    com.unraveldata.ngui.ssl.ca.files=/etc/certs/IntermediateCA1.crt,/etc/certs/IntermediateCA2.crt
    #OPTIONAL - PASSPHRASE IF NEEDED FOR KEY FILE
    com.unraveldata.ngui.ssl.passphrase=testp

OPTION 2 - Advanced SSL config
Update or add the following properties. For example, to enable SSL with advanced configuration:

    #ENABLE/DISABLE SSL
    com.unraveldata.ngui.ssl.enabled=true
    #PROVIDE SSL CONFIG THROUGH JS FILE FOR ADVANCED CONFIG
    com.unraveldata.ngui.ssl.advance.config=/usr/local/unravel/etc/advanced_unravel_ssl.js

Content of advanced_unravel_ssl.js:

    /*
      advanced_unravel_ssl.js
      update below config variables
        SSL_KEY_FILE_PATH
        SSL_CERT_FILE_PATH
        CA_CERT_FILE_PATH
      comment and uncomment the needed blocks
    */
    const fs = require('fs');
    const constants = require('constants');

    /* absolute path for ssl key file */
    const SSL_KEY_FILE_PATH = '/cert/unravel_ssl.key';
    /* absolute path for ssl cert file */
    const SSL_CERT_FILE_PATH = '/cert/unravel_ssl.crt';
    /* absolute path for CA certs */
    /* const CA_CERT_FILE_PATH = ''; */

    module.exports = {
      key: fs.readFileSync(SSL_KEY_FILE_PATH),
      passphrase: 'The password you gave when you created the key',
      cert: fs.readFileSync(SSL_CERT_FILE_PATH),
      // uncomment below if using custom CA certs
      // ca: fs.readFileSync(CA_CERT_FILE_PATH),
      // uncomment below to disable TLS 1.0 and TLS 1.1
      // secureOptions: constants.SSL_OP_NO_TLSv1 | constants.SSL_OP_NO_TLSv1_1,
      /* LIST OF RECOMMENDED CIPHERS */
      /* note OpenSSL-style format: hyphenated names joined with ':' */
      ciphers: ['ECDHE-ECDSA-AES256-GCM-SHA384',
        'ECDHE-ECDSA-AES128-GCM-SHA256',
        'ECDHE-ECDSA-AES256-SHA384',
        'ECDHE-ECDSA-AES256-SHA',
        'ECDHE-ECDSA-AES128-SHA256',
        'ECDHE-ECDSA-AES128-SHA',
        'ECDHE-RSA-AES256-GCM-SHA384',
        'ECDHE-RSA-AES128-GCM-SHA256',
        'ECDHE-RSA-AES256-SHA384',
        'ECDHE-RSA-AES128-SHA256',
        'ECDHE-RSA-AES128-SHA'].join(':')
    }

Set your advertised host in /usr/local/unravel/etc/unravel.properties. This prefix will be used by Unravel server right after login or logout.

    com.unraveldata.advertised.url=https://unravel.example.com:3000
Restart Unravel Web UI.
sudo service unravel_ngui restart
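
The `ciphers` value in the Option 2 file is passed to Node's TLS layer, which expects OpenSSL-style names joined with `:`. The following is an added example, not Unravel's own code, that lints a cipher string against the names the local Node build recognizes before the restart. The function names, the name-conversion heuristic (it covers only the ECDHE/AES family used on this page) and the sample string are assumptions constructed for illustration.

```javascript
'use strict';
const tls = require('tls');

// Cipher names the local Node/OpenSSL build knows (lowercase, OpenSSL style).
const KNOWN = new Set(tls.getCiphers());

// Heuristic (assumption of this example): map an IANA-style name from the
// ECDHE_*_WITH_AES_* family to its OpenSSL-style name. Other families: null.
function toOpenSslName(name) {
  const m = /^(?:TLS_)?ECDHE_(ECDSA|RSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA(?:256|384)?)$/.exec(name);
  if (!m) return null;
  const [, auth, bits, mode, mac] = m;
  const parts = ['ECDHE', auth, `AES${bits}`];
  if (mode === 'GCM') parts.push('GCM'); // OpenSSL names omit "CBC"
  parts.push(mac);
  return parts.join('-');
}

// Classify each entry of a colon-separated cipher string.
function lintCipherList(list) {
  return list.split(':').filter(Boolean).map((name) => {
    if (KNOWN.has(name.toLowerCase())) return { name, status: 'ok' };
    const suggestion = toOpenSslName(name);
    if (suggestion && KNOWN.has(suggestion.toLowerCase())) {
      return { name, status: 'rename', suggestion };
    }
    return { name, status: 'unknown' };
  });
}

// Rewrite the list: apply recognized renames, drop unknown names.
function fixCipherList(list) {
  return lintCipherList(list)
    .filter((r) => r.status !== 'unknown')
    .map((r) => r.suggestion || r.name)
    .join(':');
}

// True when Node itself accepts the string as a `ciphers` value.
function nodeAccepts(list) {
  try { tls.createSecureContext({ ciphers: list }); return true; } catch { return false; }
}

// Constructed sample: two IANA-style names, one OpenSSL-style name, one typo.
const SAMPLE = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:ECDHE_RSA_WITH_AES_128_GCM_SHA256:' +
  'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA265';

console.table(lintCipherList(SAMPLE));
console.log('fixed:', fixCipherList(SAMPLE), 'accepted:', nodeAccepts(fixCipherList(SAMPLE)));
```

Entries reported as `unknown` should be corrected by hand rather than dropped silently, since a typo can remove the suite you intended to offer.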