How to switch Web Safety UI to HTTPS?
UI of Web Safety is only accessible by HTTP after installation. To switch it to use HTTPS, login to the terminal console as root user and perform the following steps.
The following commands need to be run from
/opt/websafety/etc current directory. Also note you MUST change the Common Name proxy.example.lan below to FQDN of your proxy box!
Generate random number, private key and certificate signing request (CSR) that will later be used by Apache web server to serve incoming HTTPS connections.
openssl rand -out gui.rand 1024 openssl genrsa -out gui.rsa -rand gui.rand 2048 -days 1825 openssl req -new -key gui.rsa -out gui.csr -subj "/C=NL/ST=Noord-Holland/O=Example Ltd./OU=IT/CN=proxy.example.lan/emailAddressemail@example.com"
Sign the CSR file with the Root CA certificate that Squid uses for HTTPS decryption. If you ever enabled HTTPS filtering on your proxy box, your workstation already trusts that Root CA.
openssl x509 -req -CA myca.pem -CAkey myca.pem -CAcreateserial -in gui.csr -out gui.pem -days 1825 -sha256 openssl x509 -outform der -in gui.pem -out gui.der
Enable SSL module for apache by running
Modify configuration file
/etc/apache2/sites-enabled/websafety.conf- first change
VirtualHost *:443and then add the following lines (only leave SSLCertificate* lines for your version of course).
# enable HTTPS SSLEngine on # SSLCertificateFile "/opt/websafety/etc/gui.pem" SSLCertificateKeyFile "/opt/websafety/etc/gui.rsa"
- Restart Apache service by
service apache2 restart.
The UI of Web Safety web filter should now be accessible on port 443 using https://fqdn.of.your.proxy.box/ address.
- You SHOULD NOT access UI running on HTTPS through Squid - the Squid does not trust the Root CA by default and you will get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.
- Access to UI by IP will not work as certificate we have generated only contains FQDN as Common Name
- Chrome 58+ will show [missing_subjectAltName] error because certificate we have generated does not have subjectAltName extension set. It is possible to fix that but then you need to use more complex command line as explained in https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-command-line