search

tusc / ntopng-udm

ntopng Docker image for the UDM base and UDM pro
162 stars 19 forks source link

Add support for TLS certificates #11

Open sit opened 3 years ago

sit commented 3 years ago

As documented, ntopng runs on port 3001 but with an old certificate. Safari doesn't really like that.

It's possible to provide a certificate to ntopng (howto) so that browsers are happy.

In the case of ntopng-udm, we need to put a private key and certificate chain into /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem. If using @kchristensen's https://github.com/kchristensen/udm-le to generate certs with LetsEncrypt, this information is available locally. Thus you can:

cd /mnt/data/ntopng
cat ../udm-le/lego/certificates/*.key ../udm-le/lego/certificates/*.crt > ntopng-cert.pem

And then create the container with:

podman run -d --net=host --restart always \
   --name ntopng \
   -v /mnt/data/ntopng/GeoIP.conf:/etc/GeoIP.conf \
   -v /mnt/data/ntopng/ntopng.conf:/etc/ntopng/ntopng.conf \
   -v /mnt/data/ntopng/redis.conf:/etc/redis/redis.conf \
   -v /mnt/data/ntopng/lib:/var/lib/ntopng \
   -v /mnt/data/ntopng/ntopng-cert.pem:/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem \
   docker.io/tusc/ntopng-udm:latest

Bonus points, it is necessary to update udm-le.sh to update ntopng-cert.pem. Ideally we'd build some sort of registry of things that need to get updated so that we can de-couple udm-le.sh from knowing specifically about ntopng but for now a quick hack this diff should work.

diff --git a/udm-le.sh b/udm-le.sh
index c4ca95d..85debe8 100755
--- a/udm-le.sh
+++ b/udm-le.sh
@@ -82,6 +82,7 @@ renew)
        ${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert
        if [ "${NEW_CERT}" = "yes" ]; then
                add_captive && unifi-os restart
+                cat ${UDM_LE_PATH}/lego/certificates/${CERT_NAME}.key ${UDM_LE_PATH}/lego/certificates/${CERT_NAME}.crt > /mnt/data/ntopng/ntopng-cert.pem && podman restart ntopng
        fi
        ;;
 bootrenew)

Thoughts? I can throw together a PR to update the docs if you want.

RW-7 commented 3 years ago

works great should possibly be in the readme

SamErde commented 3 years ago

Here's a possible alternative approach that provides automatic renewal. I'm using this project, udm-le, and udm-utilities with AdGuard Home on a UDM.

To simplify certificate configuration and renewal, I configured my udm-le instance with subject alternative names for UDM, AdGuard Home, ntopng, and a few others. I've not done SSL for ntopng yet, but was able to point AdGuard Home directly to the udm-le certificate folder after mounting it as a read-only volume. The new AdGuard container startup has one added line as you can see below. The SSL settings within AGH can then be configured through the GUI or directly in AdGuardHome.yaml. 

podman run -d --network dns --restart always  \
    --name adguardhome \
    -v "/mnt/data/AdguardHome-Confdir/:/opt/adguardhome/conf/" \
    -v "/mnt/data/AdguardHome-Workdir/:/opt/adguardhome/work/" \
    -v "/mnt/data/udm-le/lego/certificates/:/opt/adguardhome/certs/:ro" \
    --dns=127.0.0.1 --dns=1.1.1.1 \
    --hostname adguardhome \
    adguard/adguardhome:latest

Does this approach potentially make it easier?
Am I creating any security problems by mounting the lego/certificates folder in another container?
Does ntopng require the PEM file to be named "ntop-cert"?

Still, the idea of having a registry of sorts for providing certificates to different containers on UDM would be amazing.

jsermer commented 2 years ago

if you append --pem to the LEGO_ARGS value in udm-le.sh it will automatically create the combined certificate that ntopng expects..then you can simply adjust your ntopng volume mount directly to that file.

lego --help
   --pem                        Generate a .pem file by concatenating the .key and .crt files together.

automatically restarting ntopng is another matter all together