Enabling HTTPS in Siren Investigate

It is recommended that you protect your Siren Investigate installation by using a reverse proxy.

You can implement one of the following example configurations.

Option 1: Using NGINX as a reverse proxy with HTTPS (Linux)

Add the following virtual server to your configuration. Here, we assume that 'letsencrypt' has been used to provide the certificate.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name siren.example.com;

    root /var/www/html;
    index index.html index.htm;

    ssl_certificate /etc/letsencrypt/live/siren.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/siren.example.com/privkey.pem;

    access_log /var/log/nginx/siren-ssl.access.log;
    error_log /var/log/nginx/siren-ssl.error.log error;

    include snippets/ssl-params.conf;

    location / {
        proxy_pass http://127.0.0.1:5606;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Edit the /etc/nginx/snippets/ssl-params.conf file as follows:

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
#ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Also do not include subdomains by default
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

The SSL configuration in ssl-params.conf can be shared among multiple virtual servers.

Now generate a unique set of Diffie-Helman parameters (this mitigates the LOGJAM vulnerability):

openssl dhparam 2048 -out /etc/ssl/certs/dhparam.pem
This constitutes a MINIMUM RECOMMENDED LEVEL of security. Your installation’s requirements may be more stringent.

Option 2: Using Apache as a reverse proxy with HTTPS (Linux)

Add the following virtual host to your configuration. Here we assume that 'letsencrypt' has been used to provide the certificate.

<VirtualHost *:443>
    ServerName siren.example.com
    DocumentRoot /var/www/html
    DirectoryIndex index.html index.htm

    CustomLog /var/log/apache2/siren-ssl.access.log combined
    ErrorLog /var/log/apache2/siren-ssl.error.log

    SSLEngine on
    SSLStrictSNIVHostCheck off
    SSLCertificateFile /etc/letsencrypt/live/siren.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/siren.example.com/privkey.pem
    SSLCACertificateFile /etc/letsencrypt/live/siren.example.com/chain.pem

    <location / >
        ProxyPass http://127.0.0.1:5606
        ProxyPassReverse http://127.0.0.1:5606
    </Location>
</VirtualHost>

Now configure /etc/apache2/conf.d/security.conf:

Header unset X-Powered-By
Header set X-Frame-Options: "sameorigin"
Header set X-Content-Type-Options: "nosniff"
TraceEnable Off
ServerTokens Prod
ServerSignature Off

And /etc/apache2/mods-available/ssl.conf:

<IfModule mod_ssl.c>

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
SSLSessionCache     shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite \
  "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
  EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 \
  EECDH EDH+aRSA !3DES \
  !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !KRB5 !DSS !RC4 !DES"
SSLCompression off

## Strict Transport Security
Header set Strict-Transport-Security "max-age=15768000"

## Apache 2.4 only
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

## Apache >=2.4.8 + OpenSSL >=1.0.2 only
SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/dhparam.pem

</IfModule>

You must enable mod_headers for the SSL security settings to take effect.

Now generate a unique set of Diffie-Helman parameters (this mitigates the LOGJAM vulnerability):

openssl dhparam 2048 -out /etc/ssl/certs/dhparam.pem

Note that this constitutes a MINIMUM RECOMMENDED LEVEL of security. Your installation’s requirements may be more stringent.

Option 3: Enabling native SSL support

While it is recommended to run Siren Investigate behind an SSL reverse proxy, it is sometimes necessary to also enable SSL support on the Siren Investigate server itself - for example, when the reverse proxy is an appliance, it is installed on a separate server or client certificate authentication is enabled.

Native SSL support can be enabled by copying the certificate and key files to a location readable by the Siren Investigate process and setting the following parameters in config/investigate.yml:

  • server.ssl.enabled: set to true to enable SSL.

  • server.ssl.certificate: path to a certificate.

  • server.ssl.key: path to the certificate key.

  • server.ssl.keyPassphrase: the passphrase of the certificate key; if the key is not encrypted the parameter can be omitted.

The certificate and key files must be PEM encoded.

For example:

server.ssl.enabled: true
server.ssl.certificate: "pki/server.crt"
server.ssl.key: "pki/server.key"

The Siren Investigate demonstration distribution includes a sample certificate and key in the pki folder.

For additional SSL settings, see Configuring Siren Investigate.

The Siren Investigate demonstration distribution includes a sample key store and CA bundle in the pki folder.