Closed alberpilot closed 5 years ago
Hi team,
I am working in branch enable-https-by-default-436 for this issue.
I changed the value of config.https to yes in the config.js file and I created a function for generating a self-signed certificate if it does not exist. It is necessary to have openssl installed for doing that (I am testing on a Docker image of CentOS and it has not got openssl by default).
I have a doubt about the behaviour of the installation script if openssl is not installed on the system. Should the API installation fail, or should it continue with HTTPS disabled?
Best regards,
Demetrio.
Hi team,
This is an example of API installation in a Docker container which has not got openssl installed (branch enable-https-by-default-436):
# ./install_api.sh
### Wazuh API ###
Installing Wazuh API 3.9.5 from current directory.
Installing API ['/var/ossec/api'].
Installing NodeJS modules.
Installing service.
----------------------------------------------------------------
Warning: Unknown init system. Please run the API with:
/usr/bin/node /var/ossec/api/app.js > /dev/null 2>&1 < /dev/null &
----------------------------------------------------------------
OpenSSL is not installed. HTTPS will be disabled.
API URL: http://host_ip:55000/
user: 'foo'
password: 'bar'
Configuration: /var/ossec/api/configuration
Test: curl -u foo:bar -k http://127.0.0.1:55000?pretty
Note: You can configure the API executing /var/ossec/api/scripts/configure_api.sh
### [API installed successfully] ###
API installation was successful but HTTPS could not be enabled.
If openssl is installed in the system, HTTPS is enabled properly:
# ./install_api.sh
### Wazuh API ###
Installing Wazuh API 3.9.5 from current directory.
Installing API ['/var/ossec/api'].
Installing NodeJS modules.
Installing service.
----------------------------------------------------------------
Warning: Unknown init system. Please run the API with:
/usr/bin/node /var/ossec/api/app.js > /dev/null 2>&1 < /dev/null &
----------------------------------------------------------------
Generating RSA private key, 2048 bit long modulus
....................+++
.........................+++
e is 65537 (0x10001)
writing RSA key
API URL: https://host_ip:55000/
user: 'foo'
password: 'bar'
Configuration: /var/ossec/api/configuration
Test: curl -u foo:bar -k https://127.0.0.1:55000?pretty
Note: You can configure the API executing /var/ossec/api/scripts/configure_api.sh
### [API installed successfully] ###
Best regards,
Demetrio.
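Added example, not part of the thread and not the Wazuh installer's code: a sketch of the two behaviours discussed above when openssl is missing, either continuing with HTTPS disabled or failing the install. The function name, the `OPENSSL_BIN` variable, the `server.key`/`server.crt` file names and the `openssl req` options are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not the Wazuh installer. All names here are hypothetical.
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"   # assumption: overridable, e.g. for tests

# ensure_api_cert DIR [POLICY]
#   POLICY=fallback : no openssl -> print "no" (HTTPS disabled), return 0
#   POLICY=strict   : no openssl -> return 1 so the caller can abort the install
# Prints "yes" or "no": the value a caller would store in config.https.
ensure_api_cert() {
    dir=$1
    policy=${2:-fallback}
    key="$dir/server.key"
    crt="$dir/server.crt"

    # Keep an existing pair: an upgrade must not replace a certificate
    # the administrator may already have installed.
    if [ -s "$key" ] && [ -s "$crt" ]; then
        echo yes
        return 0
    fi

    if ! command -v "$OPENSSL_BIN" >/dev/null 2>&1; then
        echo "OpenSSL is not installed." >&2
        [ "$policy" = strict ] && return 1
        echo no
        return 0
    fi

    mkdir -p "$dir" || return 1
    # umask 077 in a subshell: the private key is never group/world readable,
    # and the installer's own umask is left untouched.
    (
        umask 077
        "$OPENSSL_BIN" req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=localhost" -keyout "$key" -out "$crt" >/dev/null 2>&1
    ) || { rm -f "$key" "$crt"; echo "Certificate generation failed." >&2; return 1; }

    echo yes
}
```

With the fallback policy the API's basic-auth credentials are sent over plain HTTP, so the choice between the two policies decides whether a host without openssl gets an unencrypted API or no API at all.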
I generated .rpm packages in order to enable HTTPS by default. I am working on branch enable-https-by-default-436 in the wazuh-packages repository.
I tested clean installs and upgrades and it seems that all is OK.
I am working on the generation of .deb packages.
Hello team
We should consider enabling https by default in the Wazuh API installation. The change does not look complex (https://github.com/wazuh/wazuh-api/blob/master/scripts/configure_api.sh#L117) and it will be helpful in order to provide a secure API to users.
Best regards,
Alberto R