The default libreNMS installation uses insecure HTTP as its protocol for web traffic.
This tutorial will describe how to change to the more secure HTTPS web protocol.
We will use self-signed certificates since there isn't a registered domain for the server.
1 - Creating the SSL Certificate
Let's create the self-signed key and certificate with the command below:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
While using OpenSSL, we should also create a strong Diffie-Hellman (DH) group, which is used in negotiating Perfect Forward Secrecy with clients.
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
2 - Creating Nginx SSL Configurations
We will create SSL snippets to use as reusable blocks in our NGINX configuration files, keeping them clean and organised.
touch /etc/nginx/snippets/self-signed.conf
touch /etc/nginx/snippets/ssl-params.conf
In self-signed.conf, we declare the certificate and key created in the previous step (/etc/ssl/certs/nginx-selfsigned.crt and /etc/ssl/private/nginx-selfsigned.key).
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
Create the file ssl-params.conf and paste the adapted parameter recommendations from Cipherlist as follows.
ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0, otherwise use TLSv1.2
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM; # Applies to TLSv1.2 and below only; TLSv1.3 suites are chosen by OpenSSL
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7; has no effect with a self-signed certificate (no OCSP responder)
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # Replace with the IP addresses of your DNS servers
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
3 - Adjusting libreNMS Nginx Configuration
Change the top section of the libreNMS nginx configuration file librenms.conf from:
server {
    listen 80;
    server_name librenms.arashitest.co.uk;
    root /opt/librenms/html;
    index index.php;
    ...
to:
server {
    listen 443 ssl http2;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    server_name librenms.arashitest.co.uk;
    root /opt/librenms/html;
    index index.php;
    access_log /opt/librenms/logs/access_log;
    error_log /opt/librenms/logs/error_log;
    ...
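The server block above now listens only on port 443, so plain HTTP requests to the old port 80 are refused rather than redirected. The following redirect block is an added example, not part of the original tutorial's configuration; it reuses the hostname librenms.arashitest.co.uk from the page and goes in librenms.conf next to the HTTPS server block.

```nginx
# Added example (not from the original tutorial): answer port 80 with a
# permanent redirect to HTTPS instead of serving LibreNMS over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name librenms.arashitest.co.uk;

    # 301 keeps the requested path and query string, so bookmarked
    # http:// links still land on the right page over https://.
    return 301 https://$host$request_uri;
}
```

Run nginx -t before the restart below to catch syntax errors in the new blocks.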
Restart the nginx service.
systemctl restart nginx
Conclusion
The changes above redirect HTTP traffic to HTTPS and serve the content using our newly created self-signed certificates.