libreNMS - HTTPS with self-signed Certificates

The default libreNMS installation uses the insecure HTTP as its default protocol for web traffic.

This tutorial will describe how to change to the more secure HTTPS web protocol.

We will use self-signed certificates since there isn't a registered domain for the server.

1 - Creating the SSL Certificate

Let's create the self-signed key and certificate with the command below:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

While using OpenSSL, we should also create a strong Diffie-Hellman (DH) group, which is used in negotiating Perfect Forward Secrecy with clients.

sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096

2 - Creating Nginx SSL Configurations

We will create SSL snippets to use them as blocks on our NGINX configuration files keeping it clean, organise and promote re-usability.

touch /etc/nginx/snippets/self-signed.conf
touch /etc/nginx/snippets/ssl-params.conf

In this file, we need to declare the certificates created in the previous step (/etc/ssl/certs/nginx-selfsigned.crt & /etc/ssl/private/nginx-selfsigned.key).

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Create the file ssl-params.conf and paste the adapted parammeters recommendations from Cipherlist as follows.

ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

3 - Adjusting libreNMS Nginx Configuration

Change the libreNMS nginx librenms.conf file top section from:

server {
 listen      80;
 server_name librenms.arashitest.co.uk;
 root        /opt/librenms/html;
 index       index.php;
 
 ...

to:

server {
 listen      443 ssl http2;
 include     snippets/self-signed.conf;
 include     snippets/ssl-params.conf;
 server_name librenms.arashitest.co.uk;
 root        /opt/librenms/html;
 index       index.php;
 access_log  /opt/librenms/logs/access_log;
 error_log   /opt/librenms/logs/error_log;
 
 ...

Restart the nginx service.

systemctl restart nginx

Conclusion

The changes above redirects HTTP traffic to HTTPS and servers the content using our newly created self-signed certificates.

Resources

How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 20.04 | DigitalOcean

In this guide, we will show you how to set up a self-signed SSL certificate for use with an Nginx web server on an Ubuntu 20.04 server.

DigitalOceanBrian Boucheron

SSL Configuration - LibreNMS Docs

LibreNMS user and developer documentation

logoLibreNMS

Cipherlist.eu - Strong ciphers for Apache, nginx and Lighttpd

Cipherlist.eu - Strong ciphers for Apache, nginx and Lighttpd

Strong Ciphers for Apache, nginx and LighttpdRemy van Elst