How to switch Web Safety UI to HTTPS?

UI of Web Safety is only accessible by HTTP after installation. To switch it to use HTTPS, login to the terminal console as root user and perform the following steps.

Note

The following commands need to be run from /opt/qlproxy/etc (for version < 5.0) or /opt/websafety/etc (for version >= 5.0). Also note you MUST change the Common Name proxy.example.lan below to FQDN of your proxy box!

  1. Generate random number, private key and certificate signing request (CSR) that will later be used by Apache web server to serve incoming HTTPS connections.

    openssl rand -out gui.rand 1024
    openssl genrsa -out gui.rsa -rand gui.rand 2048 -days 1825
    openssl req -new -key gui.rsa -out gui.csr -subj "/C=NL/ST=Noord-Holland/O=Example Ltd./OU=IT/CN=proxy.example.lan/emailAddress=support@example.lan"
    
  2. Sign the CSR file with the Root CA certificate that Squid uses for HTTPS decryption. If you ever enabled HTTPS filtering on your proxy box, your workstation already trusts that Root CA.

    openssl x509 -req -CA myca.pem -CAkey myca.pem -CAcreateserial -in gui.csr -out gui.pem -days 1825 -sha256
    openssl x509 -outform der -in gui.pem -out gui.der
    
  3. Enable SSL module for apache by running a2enmod ssl.

  4. Modify configuration file /etc/apache2/sites-enabled/qlproxy.conf (for version < 5.0) or /etc/apache2/sites-enabled/websafety.conf (for version >= 5.0) - first change VirtualHost *:80 to VirtualHost *:443 and then add the following lines (only leave SSLCertificate* lines for your version of course).

    # enable HTTPS
    SSLEngine on
    
    # for version < 5.0
    SSLCertificateFile "/opt/qlproxy/etc/gui.pem"
    SSLCertificateKeyFile "/opt/qlproxy/etc/gui.rsa"
    
    # for version >= 5.0
    SSLCertificateFile "/opt/websafety/etc/gui.pem"
    SSLCertificateKeyFile "/opt/websafety/etc/gui.rsa"
    
    ../../_images/webui_ssl.png
  1. Restart Apache service by service apache2 restart.

The UI of Web Safety web filter should now be accessible on port 443 using https://fqdn.of.your.proxy.box/ address.

Note

Limitations:

  • You SHOULD NOT access UI running on HTTPS through Squid - the Squid does not trust the Root CA by default and you will get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.
  • Access to UI by IP will not work as certificate we have generated only contains FQDN as Common Name
  • Chrome 58+ will show [missing_subjectAltName] error because certificate we have generated does not have subjectAltName extension set. It is possible to fix that but then you need to use more complex command line as explained in https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line