Securing ntopng with SSL and Let’s Encrypt


As you know, the ntopng web interface supports both HTTP (the default) and HTTPS. ntopng does not default to HTTPS because it ships with a self-signed certificate that web browsers reject. Fortunately, today you can obtain a free SSL certificate recognised by all browsers from the Let’s Encrypt open certificate authority (CA). This article describes how to do this in a few simple steps: for simplicity we limit our scope to Ubuntu/Debian, but the procedure is similar on other distros.

  1. Install certbot as described in this article
  2. Suppose that you want to run ntopng on a server named myntopng.ntop.org. Note that this host must have a public IP address and a web server installed such as Apache (with HTTP of course as we’re creating the certificate for HTTPS).
  3. Then type (as root) “certbot --apache -d myntopng.ntop.org”, as shown in the example below:
    root@myntopng:/home/deri/ntopng # certbot --apache  -d myntopng.ntop.org
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for myntopng.ntop.org
    Waiting for verification...
    Cleaning up challenges
    Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
    Enabled Apache socache_shmcb module
    Enabled Apache ssl module
    Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
    Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
    
    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://myntopng.ntop.org
    
    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=myntopng.ntop.org
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  4. At this point Let’s Encrypt has created the certificate and certbot has modified the Apache configuration, adding the paths of the generated certificate chain and private key:
    SSLCertificateFile /etc/letsencrypt/live/myntopng.ntop.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myntopng.ntop.org/privkey.pem
    
  5. Now you need to concatenate the private key and the certificate chain and place the result in the httpdocs/ssl directory of the ntopng installation:
    root@myntopng:/home/deri/ntopng # cat /etc/letsencrypt/live/myntopng.ntop.org/privkey.pem /etc/letsencrypt/live/myntopng.ntop.org/fullchain.pem > ./httpdocs/ssl/ntopng-cert.pem
  6. Then restart ntopng with the -W flag, which specifies the SSL port on which ntopng will listen. If you specify both -w (for HTTP) and -W (for HTTPS), whenever you connect to the HTTP port ntopng redirects you to the HTTPS port. If you want to disable HTTP entirely, specify “-w 0”.
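Let’s Encrypt certificates are short-lived and certbot renews them automatically, but the ntopng-cert.pem bundle copied in step 5 is not refreshed by that renewal. The following added example (not part of this post or of ntopng itself) is a certbot deploy hook that rebuilds the bundle on every renewal; it assumes ntopng is installed under /usr/share/ntopng, runs as a systemd unit named ntopng that is already started with -W, and that certbot exports RENEWED_LINEAGE (the renewed live/ directory) to deploy hooks.

```shell
#!/bin/sh
# Added example, not ntop's code: a certbot deploy hook that rebuilds the
# concatenated PEM file ntopng reads (httpdocs/ssl/ntopng-cert.pem) after
# every renewal and then restarts ntopng so the new certificate is loaded.
# Assumptions (not from the post): ntopng lives under NTOPNG_HOME and runs
# as a systemd unit named "ntopng" whose command line already carries -W;
# certbot exports RENEWED_LINEAGE (the renewed live/<name> directory) to
# deploy hooks.
set -eu

NTOPNG_HOME="${NTOPNG_HOME:-/usr/share/ntopng}"

# build_ntopng_cert LINEAGE_DIR OUTPUT_FILE
# Writes privkey.pem followed by fullchain.pem into OUTPUT_FILE, exactly as
# the "cat ... > ntopng-cert.pem" step does, but atomically and owner-only
# readable, because the bundle contains the private key.
build_ntopng_cert() {
    lineage="$1"
    out="$2"
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"
    # Refuse to deploy anything if either input is missing or not PEM.
    [ -r "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    [ -r "$chain" ] || { echo "missing chain: $chain" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "not a PEM private key: $key" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" \
        || { echo "not a PEM certificate chain: $chain" >&2; return 1; }
    tmp="$out.tmp.$$"
    # umask 077 in a subshell: the temp file is created 0600 from the start.
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"   # atomic replace: ntopng never sees a partial file
}

# certbot sets RENEWED_LINEAGE when it runs this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_ntopng_cert "$RENEWED_LINEAGE" "$NTOPNG_HOME/httpdocs/ssl/ntopng-cert.pem"
    systemctl restart ntopng
fi
```

Save it as an executable file under /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it after each successful renewal.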

Now that you know how to secure ntopng with HTTPS you have no excuse for using the insecure HTTP protocol.

Enjoy!