Adding SSL and TLS to Unravel web UI
You can configure an Apache2 web server (HTTPD) as a reverse proxy to provide HTTPS (SSL/TLS) security for the Unravel web UI. Complete the following steps to make this work.
Warning
Secure cookies are not supported when using this Apache2 reverse-proxy method, because the proxy terminates TLS and forwards plain HTTP to ngui on port 3000. Follow the instructions in Enabling TLS to Unravel Web UI Directly to enable TLS directly in ngui, which listens on port 3000.
Tip
These steps were tested with HTTPD 2.4 and support listening on port 443.
Install the needed packages (mod_ssl supplies the SSL* directives; the proxy modules ship with httpd itself):
sudo yum install httpd mod_ssl
Note
There is no need to change the default /etc/httpd/conf/httpd.conf file.
Create /etc/httpd/conf.d/unravel_https.conf. Use the following as a model (replace unravelhost_FQDN and the SSLCertificate* settings with values appropriate for your installation).

<VirtualHost *:80>
    ServerName unravelhost_FQDN
    Redirect permanent / https://unravelhost_FQDN/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName unravelhost_FQDN
    # use this if http to https errors
    #RequestHeader set X-FORWARDED-PROTO 'https'
    SSLEngine on
    SSLCertificateFile /etc/certs/wildcard_unravelhost_ssl_certificate.crt
    SSLCertificateKeyFile /etc/certs/wildcard_unravelhost_RSA_private.key
    SSLCertificateChainFile /etc/certs/IntermediateCA.crt
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # set this off for reverse proxy security
    ProxyRequests Off
    # might be helpful in logs
    ProxyPreserveHost On
    ProxyPass / http://localhost:3000/ connectiontimeout=180 timeout=180
    ProxyPassReverse / http://localhost:3000/
    <Location />
        Order deny,allow
        Deny from all
        Allow from all
    </Location>
</VirtualHost>

Note
ProxyRequests Off is what stops httpd from also acting as an open forward proxy; never set it On for a reverse proxy. The Order/Deny/Allow directives are httpd 2.2 syntax and work on 2.4 only through mod_access_compat; the native 2.4 equivalent is a single Require all granted inside <Location />. SSLCertificateChainFile is obsolete since httpd 2.4.8, where the intermediate certificate can instead be appended to the file named by SSLCertificateFile. The TLS_* names at the start of SSLCipherSuite are TLS 1.3 suites: httpd 2.4.37 and later with OpenSSL 1.1.1 configures those with a separate "SSLCipherSuite TLSv1.3 ..." line, and older builds silently ignore the unknown names while still applying the ECDHE/DHE suites. Keep the private key file readable by root only; httpd reads it before dropping privileges.
Adjust or add the following property in /usr/local/unravel/etc/unravel.properties (no trailing slash; the :port suffix is optional):
com.unraveldata.advertised.url=https://unravelhost_FQDN
Restart the ngui daemon:
manager restart ngui
Start the HTTP daemon (and enable it at boot if the proxy must survive a reboot):
sudo service httpd start
Visit https://unravelhost_FQDN (using the value appropriate for your site) to test access, and confirm that http://unravelhost_FQDN redirects to the HTTPS URL.
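Before restarting httpd, it is worth checking that the vhost file still carries every hardening setting from the model above (a single commented-out line, or an accidental ProxyRequests On, silently undoes them) and then confirming on the wire that old protocol versions are really refused. The script below is an added example written for this page; it is not part of the Unravel documentation or product. It assumes httpd 2.4 directive names, ngui on localhost:3000, and openssl and curl on the PATH for the live probe; the file name check_unravel_proxy.sh, the --demo mode, the function names and the two sample configurations it writes are this example's own constructed inputs.

```shell
#!/bin/sh
# Added example for this page, not part of the Unravel documentation or product.
# Checks that an httpd reverse-proxy vhost (e.g. /etc/httpd/conf.d/unravel_https.conf)
# still carries the hardening settings described above, and can probe the live
# listener. Assumed: httpd 2.4 directive names, ngui on localhost:3000, and
# openssl + curl on the PATH for the live probe. Function names are ours.

# check_vhost_conf FILE: print one MISSING line per absent setting; return 1 if any.
check_vhost_conf() {
    active=$(sed 's/#.*$//' "$1")   # strip comments: a commented-out directive is absent
    status=0
    need() {                        # need REGEX DESCRIPTION
        printf '%s\n' "$active" | grep -Eq "$1" || { echo "MISSING: $2"; status=1; }
    }
    need '^[[:space:]]*SSLEngine[[:space:]]+[Oo]n' 'SSLEngine on'
    need '^[[:space:]]*SSLProtocol.*-SSLv3' 'SSLProtocol disables SSLv3'
    need '^[[:space:]]*SSLProtocol.*-TLSv1([[:space:]]|$)' 'SSLProtocol disables TLSv1'
    need '^[[:space:]]*SSLProtocol.*-TLSv1\.1' 'SSLProtocol disables TLSv1.1'
    need '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+[Oo]n' 'SSLHonorCipherOrder On'
    need '^[[:space:]]*ProxyRequests[[:space:]]+[Oo]ff' 'ProxyRequests Off (else httpd is an open forward proxy)'
    need '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+http://(localhost|127\.0\.0\.1):3000/' 'ProxyPass / to ngui on localhost:3000'
    need '^[[:space:]]*ProxyPassReverse[[:space:]]+/[[:space:]]+http://(localhost|127\.0\.0\.1):3000/' 'ProxyPassReverse / to ngui'
    need '^[[:space:]]*Redirect[[:space:]]+permanent[[:space:]]+/[[:space:]]+https://' 'port 80 redirect to https://'
    need '^[[:space:]]*(Require all granted|Allow from all)' 'access to / granted'
    return $status
}

# probe_tls HOST: what the config should achieve on the wire (needs network access).
# An OpenSSL built without TLSv1 support also reports "refused" for tls1.
probe_tls() {
    curl -s -o /dev/null -w 'http:// -> %{http_code} %{redirect_url}\n' "http://$1/"
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$1:443" -servername "$1" "-$v" </dev/null >/dev/null 2>&1
        then echo "$v: accepted"; else echo "$v: refused"; fi
    done
}

# write_samples DIR: constructed good and weak vhosts (not the page's file) for a demo.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
<VirtualHost *:80>
    ServerName unravelhost_FQDN
    Redirect permanent / https://unravelhost_FQDN/
</VirtualHost>
<VirtualHost *:443>
    ServerName unravelhost_FQDN
    SSLEngine on
    SSLCertificateFile /etc/certs/wildcard_unravelhost_ssl_certificate.crt
    SSLCertificateKeyFile /etc/certs/wildcard_unravelhost_RSA_private.key
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:3000/ connectiontimeout=180 timeout=180
    ProxyPassReverse / http://localhost:3000/
    <Location />
        Require all granted
    </Location>
</VirtualHost>
EOF
    # weak: no port-80 redirect, TLSv1/1.1 still enabled, httpd turned into a forward proxy
    cat > "$1/weak.conf" <<'EOF'
<VirtualHost *:443>
    ServerName unravelhost_FQDN
    SSLEngine on
    SSLCertificateFile /etc/certs/wildcard_unravelhost_ssl_certificate.crt
    SSLCertificateKeyFile /etc/certs/wildcard_unravelhost_RSA_private.key
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    ProxyRequests On
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
    <Location />
        Require all granted
    </Location>
</VirtualHost>
EOF
}

# Usage: sh check_unravel_proxy.sh --demo
#        sh check_unravel_proxy.sh /etc/httpd/conf.d/unravel_https.conf [unravelhost_FQDN]
case "${1-}" in
    --demo) d=$(mktemp -d); write_samples "$d"
            for f in good weak; do echo "== $f.conf"; check_vhost_conf "$d/$f.conf" && echo OK; done
            rm -rf "$d" ;;
    "")     ;;   # no arguments: only define the functions
    *)      check_vhost_conf "$1" && echo "$1: OK"
            if [ $# -ge 2 ]; then probe_tls "$2"; fi ;;
esac
```

The static check strips comments first, so the model file's commented-out RequestHeader line is treated as absent rather than present, and a ProxyRequests Off that someone has commented out is reported. Run it against the real file before each httpd restart; the live probe with the host name as second argument then shows the port-80 redirect status and which TLS versions the listener actually negotiates.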
Troubleshooting
To enable verbose logging in Apache2, add a LogLevel directive to the virtual host, where the level can be debug or trace1 through trace8 (trace8 being the most verbose), for example:
LogLevel debug
Note
Don't leave debug settings enabled long term because they add overhead and can fill up the log area if logs aren't auto-rolled.
To force the HTTPS protocol even if a user requests http://, add the following line after the ServerName line in the *:443 virtual host in unravel_https.conf (it is present there, commented out, in the model configuration; the directive requires mod_headers). The header tells ngui that the client connection is HTTPS, so it builds https:// rather than http:// URLs in its links and redirects.
RequestHeader set X-FORWARDED-PROTO 'https'
Restart Apache2.