OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: RobLatour on November 11, 2021, 12:21:54 am

Title: https access to ntopng not working
Post by: RobLatour on November 11, 2021, 12:21:54 am
I have created a certificate for xxx.duckdns.org (where xxx is my unique duckdns.org identifier).

With it, I can securely sign on to my opnsense box with a URL of:
https://xxx.duckdns.org

In conjunction with opnsense I am also using ntopng.

I can sign on to my ntopng dashboard by using either:
http://192.168.1.1:3000/
or
http://xxx.duckdns.org:3000/

However, I cannot sign on securely using either:
https://192.168.1.1:3000/
or
https://xxx.duckdns.org:3000/

Using Chrome I get ERR_SSL_PROTOCOL_ERROR, using Firefox I get SSL_ERROR_RX_RECORD_TOO_LONG.

The attached screenshot shows how I have opnsense configured in relation to the above.  For DNS mode, I have tried all options.

I have ensured both browsers are configured to use TLS 1.3 (as a few related posts from long ago indicated that might be an issue).

Any help would be appreciated.

Title: Re: https access to ntopng not working
Post by: benyamin on November 11, 2021, 10:57:03 am
HTTP and HTTPS on same port is likely the issue.

If you enable Advanced Mode does it reveal any options to disable HTTP?

According to the OPNsense guide at ntop.org (https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html): Configure a port and select a Certificate to run the GUI in HTTPS-only mode.

Given you can still connect on HTTP, maybe there is a bug...

I note the OPNsense manual (https://docs.opnsense.org/manual/how-tos/ntopng.html) says:

Quote
HTTP Port: The port ntopng’s UI should listen on. When you leave it on the default just open a browser and go to your Firewall IP with port 3000 and HTTP. If you want to secure the connection feel free to setup HAProxy or Nginx as a reverse proxy (SSL offloading).

The Best Practices to Secure ntopng page at ntop.org (https://www.ntop.org/ntopng/best-practices-to-secure-ntopng/) is informative.
Title: Re: https access to ntopng not working
Post by: RobLatour on November 11, 2021, 02:09:34 pm
Attached is the screen in advanced mode, with full help turned on.

That it allows access to either http or https via the same port does appear to be what the screen is suggesting should be possible.

However, according to what the screen seems to be saying, it really should just work as configured but does not.

I really don't know what "If you want to secure the connection feel free to setup HAProxy or Nginx as a reverse proxy (SSL offloading)." means or how to approach that.
Title: Re: https access to ntopng not working
Post by: RobLatour on November 15, 2021, 05:22:54 pm
bump
Title: Re: https access to ntopng not working
Post by: mimugmail on November 15, 2021, 08:22:24 pm
The error is related to the application itself, so you'd better ask the ntop community.
Title: Re: https access to ntopng not working
Post by: benyamin on November 16, 2021, 03:11:31 am
Quote
The error is related to the application itself, so you'd better ask the ntop community.

Michael, is it possible the controller is not setting --http-port=0 --https-port=3000 when the view is configured with the certificate?
Who maintains this plugin...?

Quote
According to the OPNsense guide at ntop.org (https://www.ntop.org/guides/ntopng/third_party_integrations/opnsense.html): Configure a port and select a Certificate to run the GUI in HTTPS-only mode.

Given you can still connect on HTTP, maybe there is a bug...

@RobLatour, you might want to raise a new issue here (https://github.com/opnsense/plugins/issues). If Michael confirms his previous advice, perhaps raise a new issue at ntop/ntopng instead (https://github.com/ntop/ntopng/issues).
Title: Re: https access to ntopng not working
Post by: RobLatour on November 16, 2021, 06:28:14 am
benyamin - thank you, when I saw the post from mimugmail above I posted a question on the ntop discord support channel.  I will wait a bit to hear what they say and report back here assuming I get a response.

As for the potential bug, the OPNsense 'full help' for the Services: ntopng Enterprise: Settings - HTTP(S) Port field reads: "HTTP port this service listens on. To enable HTTPS on this port please select a certificate below.".

Having said that, one thing I will point out is the OPNsense screens are entitled "ntopng Enterprise", and I am using the ntopng Community edition.  So it may also be that the NTOP folks say that https is only supported on the Enterprise edition and not on the community edition.

In any case, as it stands, if an OPNsense code fix is not required, perhaps a documentation clarification may be.

Again, I will wait to see what the NTOP folks say and post back here.
Title: Re: https access to ntopng not working
Post by: mimugmail on November 16, 2021, 06:36:17 am
Ntop folks are quick. The enterprise version is only a daily snapshot, so don't update too often :)
Title: Re: https access to ntopng not working
Post by: benyamin on November 16, 2021, 10:55:48 pm
Quote
Who maintains this plugin...?

Just for completeness, the plugin notes for os-ntopng at System: Firmware > Plugins answer this question...

Though it's best not to drop an email here.
Title: Re: https access to ntopng not working
Post by: RobLatour on November 17, 2021, 12:35:34 am
Thank you, https://docs.opnsense.org/manual/how-tos/ntopng.html does say:

"HTTP Port
The port ntopng’s UI should listen on. When you leave it on the default just open a browser and go to your Firewall IP with port 3000 and HTTP. If you want to secure the connection feel free to setup HAProxy or Nginx as a reverse proxy (SSL offloading)."

However, I went to this page https://docs.opnsense.org/manual/reverse_proxy.html and it says:

"Supported Reverse Proxies in OPNsense
ftp-proxy    Makes FTP work
nginx        HTTP, TCP- and UDP streams
HAProxy      HTTP and TCP streams
postfix      SMTP (e-mail)
relayd       TCP streams"

So neither nginx nor HAProxy seems to be supported for HTTPS.

In any case, I may just leave it at this.  I thought it was going to be perhaps simpler just to have a https url for ntopng, but it does look like I'd need to go a little too far down the rabbit hole for that.   

Regardless, I appreciate the help provided by everyone.

Thank you.
Title: Re: https access to ntopng not working
Post by: mimugmail on November 17, 2021, 07:21:23 am
Of course Nginx and HAProxy both support HTTPS perfectly :) There are extensive docs with plenty of examples out there.
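
Added example, not part of any post in this thread: the two browser errors in the first post are what a TLS client typically reports when the listener answers in plaintext HTTP. The Python sketch below classifies the first bytes a listener returns and shows why the bytes `HTTP/`, read as a TLS record header, give an over-long record length; the sample replies are constructed and all function names are hypothetical.

```python
import socket

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048  # largest record length TLS 1.2 allows (RFC 5246)

def parse_as_tls_record(data: bytes):
    """Read the first 5 bytes the way a TLS client does: type, version, length."""
    if len(data) < 5:
        return None
    return {"type": data[0], "version": (data[1], data[2]),
            "length": int.from_bytes(data[3:5], "big")}

def classify(data: bytes) -> str:
    """Classify the first bytes a server sent back."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    hdr = parse_as_tls_record(data)
    if (hdr and hdr["type"] in TLS_CONTENT_TYPES
            and hdr["version"][0] == 3 and hdr["length"] <= MAX_TLS_RECORD):
        return "tls"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a plain HTTP request and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = s.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify(data) if data else "closed-without-reply"

# Constructed sample replies (not captured from a real ntopng instance).
SAMPLE_HTTP = b"HTTP/1.1 302 Found\r\n"
SAMPLE_TLS_ALERT = bytes([21, 3, 3, 0, 2, 2, 70])  # a fatal alert record

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. python probe.py 192.168.1.1 3000
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        for sample in (SAMPLE_HTTP, SAMPLE_TLS_ALERT):
            print(classify(sample), parse_as_tls_record(sample))
```

A result of `plaintext-http` on the GUI port means the listener is not terminating TLS there, whatever certificate is selected in the settings.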