As you know ntopng web interface supports both HTTP (default) and HTTPS. The reason why ntopng does not default to HTTPS is because we provide self-signed certificates that web browsers dislike. Fortunately today you can create a free SSL certificate recognised by all browsers by using Let’s Encrypt open certificate authority (CA). This article describes how you can do this in a few simple steps: for simplicity we limit our scope to Ubuntu/Debian but on other distro’s the procedure is similar.
- Install certbot as described in this article
- Suppose that you want to run ntopng on a server named myntopng.ntop.org. Note that this host must have a public IP address and a web server installed such as Apache (with HTTP of course as we’re creating the certificate for HTTPS).
- Then type (as root) “certbot –apache -d myntopng.ntop.org” as shown in the example below
root@myntopng:/home/deri/ntopng # certbot --apache -d myntopng.ntop.org Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Obtaining a new certificate Performing the following challenges: http-01 challenge for myntopng.ntop.org Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://myntopng.ntop.org You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=myntopng.ntop.org - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- At this point Let’s Encrypt has created the certificate and modified the Apache configuration adding the path of the generated certificates
SSLCertificateFile /etc/letsencrypt/live/myntopng.ntop.org/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/myntopng.ntop.org/privkey.pem
- Now you need to concatenate the private and public keys and place them into the httpdocs/ssl directory of the ntopng installation
root@myntopng:/home/deri/ntopng # cat /etc/letsencrypt/live/myntopng.ntop.org/privkey.pem /etc/letsencrypt/live/myntopng.ntop.org/fullchain.pem > ./httpdocs/ssl/ntopng-cert.pem
- Then you need to restart ntopng with -W flag that allows you to specify the SSL port on which ntpng will be listening. In case you specify both -w (for HTTP) and -W (for HTTPS), whenever you connect to the HTTP port, ntopng will redirect you to the HTTPS port. If you want to disable HTTP at all you need to specify “-w 0”.
Now that you know how to secure ntopng with HTTPS you have no excuse for using the insecure HTTP protocol.
Enjoy!