I would like to access my server by https. I was wondering if there are any caveats I should know or if there has been anything known to break after adding SSL. I have Centos 7 running apache. Thanks!
SSL and HTTP2 are recommended.
Are there any instructions on adding ssl for librenms?
Odd, I thought that was in the docs… Here is what I use for nginx, sorry, I don't use Apache. Perhaps someone else can help.
ssl.conf
ssl_certificate /etc/ssl/nginx/librenms.crt;
ssl_certificate_key /etc/ssl/nginx/librenms.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:EDH-DSS-DES-CBC3-SHA';
#more compatible ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA$
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ignore_invalid_headers on;
librenms.conf
server {
listen 80;
listen [::]:80;
server_name librenms.domain;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name librenms.domain;
root /opt/librenms/html;
index index.php;
access_log off;
# access_log /opt/librenms/logs/access_log;
error_log /opt/librenms/logs/error_log;
location / {
try_files $uri $uri/ @librenms;
}
location ~ \.php {
include fastcgi.conf;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
location @librenms {
rewrite api/v0(.*)$ /api_v0.php/$1 last;
rewrite ^(.+)$ /index.php/$1 last;
}
}
Thank you for the information. That does help a bit even though it is nginx.
If anyone is willing to share an apache config too… that'd be awesome!
If you're using Enterprise Linux 7 the TLS module should be enabled by default, but you might want to double check.
Here is what I have for a TLS config.
Make sure that your www-user has read permissions to the CERT files.
As normal you'll need to restart apache to start the new virtual host.
Once you have the SSL endpoint working you can change your HTTP virtual host to redirect to 443.
https://wiki.apache.org/httpd/RedirectSSL
/etc/httpd/conf.d/librenms-ssl.conf
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    #Set HTTP STS Header
    #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    #Set Clickjacking Header
    #Header always append X-Frame-Options SAMEORIGIN
    #Set XSS Reject Header
    #Header set X-XSS-Protection "1; mode=block"
    #SSL Config
    SSLEngine on
    SSLCertificateFile /var/local/cert/librenms.crt
    SSLCertificateKeyFile /var/local/cert/librenms.key
    SSLCertificateChainFile /var/local/cert/ca.crt
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    #IE Downgrade mitigation
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    DocumentRoot /opt/librenms/html/
    ServerName librenms.<domain>
    CustomLog /opt/librenms/logs/access_log combined
    ErrorLog /opt/librenms/logs/error_log
    AllowEncodedSlashes NoDecode
    <Directory "/opt/librenms/html/">
      Require all granted
      AllowOverride All
      Options FollowSymLinks MultiViews
    </Directory>
  </VirtualHost>
</IfModule>
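A vhost file like the one above is worth checking statically before the httpd restart. The POSIX shell script below is an added example, not from this thread, from LibreNMS or from Apache: it confirms the SSL directives are present and uncommented, that SSLProtocol rules out SSLv3, that the Strict-Transport-Security header is active rather than commented out (as it still is in the config above), flags 3DES suites in SSLCipherSuite (the config above lists ECDH+3DES, DH+3DES and RSA+3DES), and verifies that every VirtualHost, Directory, IfModule and FilesMatch block is closed. The two sample files it writes are constructed and their certificate paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the LibreNMS project: static checks on an
# Apache TLS vhost file (e.g. /etc/httpd/conf.d/librenms-ssl.conf) to run before
# "systemctl restart httpd". The sample configs below are constructed and their
# certificate paths are placeholders.

# has REGEX -> 0 when an uncommented line of the file under test matches (ERE, case-insensitive)
has() { printf '%s\n' "$active" | grep -Eqi "$1"; }

# balanced FILE TAG -> 0 when "<TAG ..." and "</TAG>" occur equally often
balanced() {
    o=$(grep -ci "<$2[[:space:]>]" "$1" || true)
    c=$(grep -ci "</$2>" "$1" || true)
    [ "$o" -eq "$c" ]
}

# check_vhost FILE -> prints FAIL/WARN findings; returns 0 only when nothing FAILed
check_vhost() {
    f="$1"; rc=0
    active=$(sed 's/#.*$//' "$f")    # drop comments so "#SSLEngine on" does not count as set

    has '^[[:space:]]*SSLEngine[[:space:]]+on' || { echo "FAIL: SSLEngine on missing"; rc=1; }
    has '^[[:space:]]*SSLCertificateFile[[:space:]]' || { echo "FAIL: SSLCertificateFile missing"; rc=1; }
    has '^[[:space:]]*SSLCertificateKeyFile[[:space:]]' || { echo "FAIL: SSLCertificateKeyFile missing"; rc=1; }

    # SSLv3 must be excluded: either not listed at all, or "ALL" paired with "-SSLv3".
    proto=$(printf '%s\n' "$active" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' || true)
    if [ -z "$proto" ]; then
        echo "FAIL: SSLProtocol not set explicitly"; rc=1
    elif printf '%s\n' "$proto" | grep -Eqi '(^|[[:space:]]|\+)SSLv3'; then
        echo "FAIL: SSLProtocol enables SSLv3"; rc=1
    elif printf '%s\n' "$proto" | grep -Eqi '[[:space:]]all([[:space:]]|$)' \
         && ! printf '%s\n' "$proto" | grep -Eqi -- '-SSLv3'; then
        echo "FAIL: SSLProtocol ALL without -SSLv3"; rc=1
    fi

    # HSTS: distinguish "set", "present but commented out" and "absent".
    if has 'Strict-Transport-Security'; then :
    elif grep -qi 'Strict-Transport-Security' "$f"; then
        echo "WARN: HSTS header present but commented out"
    else
        echo "WARN: no Strict-Transport-Security header"
    fi
    has '^[[:space:]]*SSLCipherSuite.*3DES' && echo "WARN: 3DES cipher suites enabled (SWEET32)"

    for tag in VirtualHost Directory IfModule FilesMatch; do
        balanced "$f" "$tag" || { echo "FAIL: unbalanced <$tag> block"; rc=1; }
    done
    return "$rc"
}

# write_sample good|bad -> path of a constructed vhost file
write_sample() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/placeholder.crt
    SSLCertificateKeyFile /etc/pki/tls/private/placeholder.key
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS
    DocumentRoot /opt/librenms/html/
    <Directory "/opt/librenms/html/">
      Require all granted
    </Directory>
  </VirtualHost>
</IfModule>
EOF
    else
        cat >"$f" <<'EOF'
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/placeholder.crt
SSLCertificateKeyFile /etc/pki/tls/private/placeholder.key
SSLProtocol ALL -SSLv2
#Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Directory "/opt/librenms/html/">
Require all granted
</VirtualHost>
EOF
    fi
    echo "$f"
}

good=$(write_sample good); bad=$(write_sample bad)
echo "== constructed good vhost =="; check_vhost "$good" || true
echo "== constructed bad vhost ==";  check_vhost "$bad" || true
rm -f "$good" "$bad"
```

Run it as `sh check-vhost.sh` for the demo, or source it and call `check_vhost /etc/httpd/conf.d/librenms-ssl.conf`. It complements rather than replaces `apachectl configtest`, which catches syntax errors but accepts SSLv3 or a missing HSTS header without comment.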
Duplicate of Enabling HTTPS Centos 7 on Apache, but for completeness:
From my own LibreNMS/Centos 7 configuration notes (and assuming you have all your certs created as required):
sudo emacs /etc/httpd/conf.d/librenms-ssl.conf
<VirtualHost *:443>
  DocumentRoot /opt/librenms/html/
  ServerName your-server
  SSLEngine on
  SSLCertificateFile /certs/your-server.pem
  SSLCertificateKeyFile /certs/your-server_ssl_key.pem
  SSLCertificateChainFile /certs/your-server_chain.pem
  CustomLog /opt/librenms/logs/access_log combined
  ErrorLog /opt/librenms/logs/error_log
  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>
</VirtualHost>
sudo systemctl restart httpd
sudo systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-21 09:54:01 BST; 2s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 6727 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 7072 (httpd)
   Status: "Processing requests…"
   CGroup: /system.slice/httpd.service
           ├─7072 /usr/sbin/httpd -DFOREGROUND
           ├─7178 /usr/sbin/httpd -DFOREGROUND
           ├─7179 /usr/sbin/httpd -DFOREGROUND
           ├─7181 /usr/sbin/httpd -DFOREGROUND
           ├─7182 /usr/sbin/httpd -DFOREGROUND
           └─7183 /usr/sbin/httpd -DFOREGROUND
Apr 21 09:54:01 lnms systemd[1]: Starting The Apache HTTP Server…
Apr 21 09:54:01 lnms systemd[1]: Started The Apache HTTP Server.
Now update the http vhost configuration file to redirect all http requests to https:
sudo emacs /etc/httpd/conf.d/librenms.conf
<VirtualHost *:80>
  DocumentRoot /opt/librenms/html/
  ServerName your-server
  CustomLog /opt/librenms/logs/access_log combined
  ErrorLog /opt/librenms/logs/error_log
  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    AllowOverride All
    Options FollowSymLinks MultiViews
    Require all granted
  </Directory>
  RewriteEngine on
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
And restart httpd one last time:
sudo systemctl restart httpd
sudo systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-04-21 09:55:26 BST; 4s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 17448 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 17735 (httpd)
   Status: "Processing requests…"
   CGroup: /system.slice/httpd.service
           ├─17735 /usr/sbin/httpd -DFOREGROUND
           ├─17797 /usr/sbin/httpd -DFOREGROUND
           ├─17799 /usr/sbin/httpd -DFOREGROUND
           ├─17800 /usr/sbin/httpd -DFOREGROUND
           ├─17801 /usr/sbin/httpd -DFOREGROUND
           ├─17802 /usr/sbin/httpd -DFOREGROUND
           ├─17998 /usr/sbin/httpd -DFOREGROUND
           ├─18239 /usr/sbin/httpd -DFOREGROUND
           ├─18240 /usr/sbin/httpd -DFOREGROUND
           ├─18477 /usr/sbin/httpd -DFOREGROUND
           ├─18479 /usr/sbin/httpd -DFOREGROUND
           ├─18480 /usr/sbin/httpd -DFOREGROUND
           └─18481 /usr/sbin/httpd -DFOREGROUND
HTH
So far I only have experience using letsencrypt certbot-auto, which seems to work straight out of the box. Please note this only works if your machine is available and resolvable on the public internet. The only other thing I did is to change the url in the config.php from http://my.librenmsadress.com to https://my.librenmsadress.com.
I notice that both of you use librenmssl.conf as the file name instead of ssl.conf. I tried that, but when I restarted the server, I noticed that my server is not listening on 443. Is the default for apache to look only at ssl.conf, and if so how would I change that for it to look at ssl.conf instead?
I renamed my ssl.conf file to ssl.conf.bak just in case and used librenmsssl.conf in the directory only.
UPDATE: I put the ssl config into ssl.conf and it worked!!
Not sure if I am supposed to be using librenmssl.conf instead or if it is ok either way.
I keep them in separate files because I have other sites that share the same SSL (wildcard).
You can put them in any way you want as long as the ssl config is before the librenms config.
(I have a specific include ssl.conf line in my nginx.conf)
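The "not listening on 443" symptom reported above has a concrete cause on CentOS 7: httpd.conf ends with `IncludeOptional conf.d/*.conf`, and the `Listen 443 https` directive comes from the ssl.conf that the mod_ssl package installs in that directory. Renaming ssl.conf to ssl.conf.bak takes it out of the `*.conf` glob, so nothing opens port 443 any more even though the librenms vhost still says `*:443`. As an added example, not from this thread or from LibreNMS, the shell script below shows the include order and which .conf file declares the Listen, first on a constructed conf.d and then on the same directory after the rename.

```shell
#!/bin/sh
# Added example, not from the thread or the LibreNMS project. On CentOS 7,
# httpd.conf ends with "IncludeOptional conf.d/*.conf" and the mod_ssl package
# installs conf.d/ssl.conf carrying "Listen 443 https"; a <VirtualHost *:443> in
# another file does not open the port by itself. The conf.d below is constructed.

# load_order DIR -> the *.conf names in the order httpd includes them (sorted glob)
load_order() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] && basename "$f"
    done | sort
}

# listen_443_files DIR -> included .conf files that declare a Listen on port 443
# (matches "Listen 443", "Listen 443 https", "Listen 0.0.0.0:443", "Listen [::]:443")
listen_443_files() {
    grep -lEi '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' "$1"/*.conf 2>/dev/null || true
}

# check_conf_dir DIR -> 0 when some included .conf opens port 443, else 1
check_conf_dir() {
    dir="$1"
    echo "include order in $dir:"
    load_order "$dir" | sed 's/^/  /'
    found=$(listen_443_files "$dir")
    if [ -z "$found" ]; then
        echo "FAIL: no *.conf declares 'Listen 443' (a <VirtualHost *:443> alone does not open the port)"
        return 1
    fi
    echo "OK: Listen 443 declared in:$(printf '%s\n' "$found" | sed 's|.*/| |' | tr -d '\n')"
    return 0
}

# make_demo_dir -> constructed conf.d: a stand-in for mod_ssl's ssl.conf plus a librenms-ssl.conf vhost
make_demo_dir() {
    d=$(mktemp -d)
    printf '# constructed stand-in for the ssl.conf shipped by mod_ssl\nListen 443 https\n' >"$d/ssl.conf"
    printf '<VirtualHost *:443>\nSSLEngine on\nServerName librenms.example\n</VirtualHost>\n' >"$d/librenms-ssl.conf"
    echo "$d"
}

# simulate_rename DIR -> what "mv ssl.conf ssl.conf.bak" leaves behind
simulate_rename() { mv "$1/ssl.conf" "$1/ssl.conf.bak"; }

demo=$(make_demo_dir)
check_conf_dir "$demo" || true      # both files included; ssl.conf opens port 443
simulate_rename "$demo"
check_conf_dir "$demo" || true      # ssl.conf.bak no longer matches *.conf: no Listen 443
rm -rf "$demo"
```

Against a real server, `check_conf_dir /etc/httpd/conf.d` answers the question in the post directly: the vhost can live in any `*.conf` file, but some included file has to carry the `Listen 443`, and the include order is simply alphabetical, so librenms-ssl.conf is read before ssl.conf.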
Using certbot-auto is a great thing!
Just wanted to thank everyone for this thread.
It motivated me to finally use SSL for our server; I've been putting it off for ages.
But with the tips on this thread, plus this great tutorial on using LetsEncrypt, I was able to get SSL running in about 30 mins! With a green padlock no less!