Securing the VoIPmonitor Web GUI HTTPS and Basic Auth

From VoIPmonitor.org

This guide provides a comprehensive, two-layer approach to securing your VoIPmonitor web interface. First, we will encrypt all traffic using HTTPS with a self-signed SSL/TLS certificate. Second, we will add an extra layer of protection by enabling web server-level password authentication (HTTP Basic Auth).

These instructions cover both Apache2 and Nginx web servers.

Introduction: The Two Layers of Security

  • Layer 1: Encryption (HTTPS) is essential. It encrypts the connection between the user's browser and the server, protecting login credentials and all viewed data from being intercepted in transit.
  • Layer 2: Access Control (Basic Auth) provides an additional password prompt before the VoIPmonitor login page is even displayed. This is a powerful way to protect against brute-force attacks and unauthorized access attempts targeting the application itself.

While this guide uses a self-signed certificate for HTTPS, which is suitable for internal use, production environments should use a certificate from a trusted authority like Let's Encrypt.

See the Replacing an Expired SSL Certificate section below for information on renewing or replacing CA-issued certificates.

Layer 1: Enabling HTTPS (SSL/TLS Encryption)

Follow the path that corresponds to your web server.

Path A: Configuring Apache2 for HTTPS

Step 1: Enable Required Modules

By default, Apache's SSL and rewrite modules may not be enabled. Activate them now.

sudo a2enmod ssl
sudo a2enmod rewrite

Step 2: Create a Directory and Generate the Certificate

We will create a dedicated directory for our SSL certificate and private key.

sudo mkdir -p /etc/apache2/ssl

Generate a 2048-bit key and a self-signed certificate valid for one year with a single command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/voipmonitor.key -out /etc/apache2/ssl/voipmonitor.crt

When prompted, the most important field to fill in is the Common Name, which should be your server's domain name or IP address.

Step 3: Configure Apache's SSL Virtual Host

Edit the default SSL virtual host file:

sudo nano /etc/apache2/sites-available/default-ssl.conf

Find and update the following two lines to point to your new files:

SSLCertificateFile      /etc/apache2/ssl/voipmonitor.crt
SSLCertificateKeyFile   /etc/apache2/ssl/voipmonitor.key

Step 4: Enable the SSL Site and Force HTTPS Redirect

Activate the SSL site and then configure your non-secure site to redirect all traffic to HTTPS.

sudo a2ensite default-ssl.conf

Now, edit the default non-SSL virtual host file:

sudo nano /etc/apache2/sites-available/000-default.conf

Add the following `Rewrite` block inside the `<VirtualHost *:80>` section:

<VirtualHost *:80>
    ...
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

Step 5: Test and Restart Apache

Check your configuration for syntax errors before restarting.

sudo apache2ctl configtest

If it returns `Syntax OK`, restart Apache to apply the changes.

sudo systemctl restart apache2

Path B: Configuring Nginx for HTTPS

Step 1: Create a Directory and Generate the Certificate

sudo mkdir -p /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/voipmonitor.key -out /etc/nginx/ssl/voipmonitor.crt

Fill in the requested information, ensuring the Common Name matches your server's IP or domain name.

Step 2: Configure the Nginx Server Blocks

Edit your site's server block file (e.g., `/etc/nginx/sites-available/default`). We will set up two blocks: one to redirect from HTTP to HTTPS, and one to serve the secure site.

# This block redirects all insecure HTTP traffic to HTTPS with a permanent 301 redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# This block handles the secure traffic on port 443.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # Point to your certificate and key files
    ssl_certificate /etc/nginx/ssl/voipmonitor.crt;
    ssl_certificate_key /etc/nginx/ssl/voipmonitor.key;

    # Your existing root, index, and location blocks go here
    root /var/www/html;
    index index.php index.html;
    # ... other configurations ...
}

Step 3: Test and Restart Nginx

sudo nginx -t
sudo systemctl restart nginx

At this point, your GUI should be accessible via `https://` and encrypted.

Layer 2: Adding HTTP Basic Auth Password Protection

This optional but highly recommended step adds a password prompt at the web server level.

Path A: Adding Basic Auth to Apache2

Step 1: Create the Password File

Use the `htpasswd` utility to create a password file. It's best practice to store this file outside of the web root directory.

# Create the file and add the first user. Use the -c flag ONLY for the first user.
sudo htpasswd -c /etc/apache2/voipmonitor.passwd your_username

# For any additional users, omit the -c flag
# sudo htpasswd /etc/apache2/voipmonitor.passwd another_user

You will be prompted to create a password for the user.

Step 2: Configure Apache to Use the Password File

Edit your SSL virtual host file again to add the authentication directives.

sudo nano /etc/apache2/sites-available/default-ssl.conf

Add the following block inside your `<VirtualHost _default_:443>` section, typically within a `<Directory /var/www/html>` block or a `<Location />` block.

<Directory /var/www/html>
    # ... other settings like Options, AllowOverride ...
    
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/voipmonitor.passwd
    Require valid-user
</Directory>

Step 3: Test and Restart Apache

sudo apache2ctl configtest
sudo systemctl restart apache2

Path B: Adding Basic Auth to Nginx

Step 1: Create the Password File

First, install the necessary tools if you haven't already.

sudo apt -y install apache2-utils

Create the password file. Again, store it in a secure, non-web-accessible location.

# Create the file and add the first user
sudo htpasswd -c /etc/nginx/voipmonitor.passwd your_username

Step 2: Configure Nginx to Use the Password File

Edit your site's server block file again (e.g., `/etc/nginx/sites-available/default`). Add the `auth_basic` directives inside the `server` block that listens on port 443.

server {
    listen 443 ssl default_server;
    # ... your ssl_certificate lines ...

    # Add these two lines for password protection
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/voipmonitor.passwd;

    # Your existing root, index, and location blocks follow
    root /var/www/html;
    # ...
}

Step 3: Test and Restart Nginx

sudo nginx -t
sudo systemctl restart nginx

Now, when you access your GUI, your browser will pop up a password dialog before the VoIPmonitor login page is even loaded.
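The password file and the Basic Auth exchange from Layer 2, as an added example in Python (it is not code from this wiki page or from VoIPmonitor): it implements the `$apr1$` password format that `htpasswd` writes by default (and that both Apache's `AuthUserFile` and Nginx's `auth_basic_user_file` read), adds or replaces a user without discarding the others (the `-c` caveat from Step 1), and shows the two halves of the exchange, the `Authorization: Basic` header the browser sends and the server-side check against the file. Decoding that header needs nothing but base64, which is the reason Layer 2 is only exposed behind Layer 1. All user names, passwords and the legacy `{SHA}` entry are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """APR's to64(): emit `count` characters, six bits at a time, low bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Apache's $apr1$ MD5-crypt variant: the format `htpasswd` writes by default,
    readable by both Apache's AuthUserFile and Nginx's auth_basic_user_file."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                               # one byte per bit of the password length
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # APR's fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$apr1$" + salt.decode() + "$" + encoded + _to64(final[11], 2)


def verify_password(password, stored):
    """Compare a cleartext password with one htpasswd hash field, in constant time."""
    if stored.startswith("$apr1$"):
        candidate = apr1_md5(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):          # legacy unsalted format, still accepted by both servers
        candidate = "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    else:
        return False                          # bcrypt ($2y$) and crypt() hashes need a system crypt library
    return hmac.compare_digest(candidate, stored)


def set_user(htpasswd_text, user, password):
    """Add or replace one user while keeping every other line: what `htpasswd FILE USER`
    does without -c. Running with -c instead rewrites the file with this single entry."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    kept = [line for line in htpasswd_text.splitlines() if line and line.split(":", 1)[0] != user]
    return "\n".join(kept + [f"{user}:{apr1_md5(password, salt)}"]) + "\n"


def client_header(user, password):
    """The Authorization header a browser sends after the server's 401 challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_authorization(header_value):
    """Recover (user, password) from an Authorization header. Base64 is encoding, not
    encryption: whoever sees the plaintext HTTP request sees the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, _, password = decoded.partition(":")   # user-id may not contain ':', the password may
    return user, password


def authorize(htpasswd_text, header_value):
    """The server-side decision per request: True only for a listed user whose password verifies."""
    creds = parse_basic_authorization(header_value)
    if creds is None:
        return False
    user, password = creds
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            return verify_password(password, stored)
    return False


# Constructed sample file (placeholder credentials, not real ones): one entry written by
# set_user() in apr1 format and one legacy {SHA} entry whose password is "password".
SAMPLE_HTPASSWD = set_user("", "your_username", "correct horse") + \
    "legacy:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
```

`authorize(SAMPLE_HTPASSWD, client_header("your_username", "correct horse"))` is the whole of what the web server decides once the directives from Step 2 are in place; everything VoIPmonitor itself does happens only after that returns true.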

Replacing an Expired SSL Certificate

This section applies when you have an existing SSL certificate (either self-signed or CA-issued from a trusted authority like Let's Encrypt) that has expired. This is different from generating a new certificate from scratch, as covered in the sections above.

Use this procedure when:

  • Your web interface shows a certificate expired warning in the browser
  • You have renewal certificates from a Certificate Authority (CA)
  • You previously used a commercial certificate and need to replace it

Step 1: Obtain Your New Certificate Files

If using a commercial CA or Let's Encrypt:

  • Obtain your renewed certificate and private key from the Certificate Authority
  • Download all intermediate CA certificates provided by the CA

If using Let's Encrypt with certbot:

sudo certbot renew

The new certificates will be automatically placed in `/etc/letsencrypt/live/your-domain/`.

Step 2: Create the Fullchain Certificate (CA Certificates Only)

If you received a server certificate and separate intermediate CA certificates, you must combine them into a fullchain certificate. Most web servers require this concatenated format.

# Example: Create fullchain by concatenating server cert and intermediate certs
cat your_server.crt intermediate1.crt intermediate2.crt > your_fullchain.crt

The fullchain file must contain:

  1. Your server certificate (first)
  2. All intermediate CA certificates (in order, after the server certificate)
  3. Not the root CA certificate (in most cases it should be left out)

Note: Let's Encrypt users typically have a pre-generated `fullchain.pem` file and can skip this step.

Step 3: Locate Your Current Certificate Configuration

Find where your existing SSL configuration is stored:

# For Apache (RedHat/CentOS/AlmaLinux)
grep -i "SSLCertificateFile" /etc/httpd/conf.d/ssl.conf

# For Apache (Ubuntu/Debian)
grep -i "SSLCertificateFile" /etc/apache2/sites-available/default-ssl.conf

# For Nginx
grep -i "ssl_certificate" /etc/nginx/sites-enabled/default

This will show you the current paths to your certificate and key files.

Step 4: Back Up Existing Certificates

Before making changes, always back up your current certificate files:

# Create a backup directory
sudo mkdir -p /tmp/backup_certs

# Back up existing certificates (adjust paths based on Step 3 output)
sudo cp /etc/apache2/ssl/voipmonitor.crt /tmp/backup_certs/
sudo cp /etc/apache2/ssl/voipmonitor.key /tmp/backup_certs/
sudo cp -R /etc/letsencrypt /tmp/backup_certs/  # For Let's Encrypt

Step 5: Copy the New Certificate Files

Place your new certificate files in the directory used by your web server:

# Example for Apache
sudo cp your_new_fullchain.crt /etc/apache2/ssl/voipmonitor.crt
sudo cp your_private_key.key /etc/apache2/ssl/voipmonitor.key

# Example for Nginx
sudo cp your_new_fullchain.crt /etc/nginx/ssl/voipmonitor.crt
sudo cp your_private_key.key /etc/nginx/ssl/voipmonitor.key

# For Let's Encrypt with Apache
# certbot may have already updated the symlinks; verify:
ls -l /etc/letsencrypt/live/your-domain/
sudo a2enconf ssl-params  # Enable SSL parameters if needed

Security Note: Set restrictive permissions on certificate files:

sudo chmod 600 /etc/apache2/ssl/voipmonitor.key
sudo chmod 644 /etc/apache2/ssl/voipmonitor.crt

Step 6: Verify the Certificate Chain (Optional but Recommended)

Check that your fullchain certificate is properly formatted:

# Check certificate dates
openssl x509 -in /etc/apache2/ssl/voipmonitor.crt -noout -dates

# Verify certificate chain integrity (</dev/null closes the connection instead of waiting for input)
openssl s_client -connect your-server-ip:443 -showcerts </dev/null

Step 7: Update Web Server Configuration (If Paths Changed)

If your new certificate files have different names or locations, update the configuration:

For Apache2:

sudo nano /etc/apache2/sites-available/default-ssl.conf
# Update these lines as needed:
SSLCertificateFile      /path/to/your/fullchain.crt
SSLCertificateKeyFile   /path/to/your/private.key
# If using CA chain separately:
SSLCertificateChainFile /path/to/chain.crt

For Nginx:

sudo nano /etc/nginx/sites-available/default
# Update these lines as needed:
ssl_certificate /path/to/your/fullchain.crt;
ssl_certificate_key /path/to/your/private.key;

Step 8: Test and Restart the Web Server

Before restarting, test your configuration for syntax errors:

# Apache2
sudo apache2ctl configtest

# Nginx
sudo nginx -t

If the test passes ("Syntax OK"), restart the web server:

# Apache2
sudo systemctl restart apache2

# Nginx
sudo systemctl restart nginx

# Apache on RedHat/CentOS/AlmaLinux (the service is named httpd there)
sudo systemctl restart httpd

Step 9: Verify the New Certificate

  1. Clear your browser cache (Ctrl+Shift+R or Cmd+Shift+R)
  2. Navigate to your VoIPmonitor web interface
  3. Click the lock icon in your browser's address bar
  4. Verify the certificate shows valid and not expired
  5. Check the issuer field shows your CA

You can also verify from the command line:

# Check certificate validity
echo | openssl s_client -connect your-server-ip:443 2>/dev/null | openssl x509 -noout -dates

# Full certificate details
openssl s_client -showcerts -connect your-server-ip:443 </dev/null

Common Issues

  • Certificate chain incomplete: Ensure your fullchain certificate file includes all intermediate CA certificates in the correct order
  • Permission denied: Verify the web server has read access to the certificate files (`chmod 644` for cert, `chmod 600` for key)
  • Restart fails: Check configuration syntax and file paths. Look for error messages in `/var/log/apache2/error.log` or `/var/log/nginx/error.log`
  • Let's Encrypt automatic renewal: Consider setting up a cron job or systemd timer for automatic certificate renewal to avoid future expired certificate issues
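A check for the fullchain file from Step 2, the expiry check from Steps 6 and 9, and the first item of the Common Issues list above, as one added example in Python (not code from this wiki page or from VoIPmonitor): it splits a PEM file into blocks, walks just enough of each certificate's DER to read issuer, subject and notAfter, and reports the mistakes the guide warns about (server certificate not first, intermediates missing, server certificate expired, and a private key concatenated into the world-readable chain file). The certificates it is tried on are constructed, structure-only samples without a real signature; `check_fullchain` reads structure and does not verify signatures, so it is a pre-restart sanity check alongside `openssl s_client`, not a replacement for it.

```python
import base64
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Split a PEM file into (label, DER bytes) pairs, in file order."""
    return [(label, base64.b64decode("".join(body.split()))) for label, body in PEM_BLOCK.findall(text)]


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime or GeneralizedTime
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)


def cert_fields(der):
    """Return (issuer, subject, notAfter) of an X.509 certificate; names are kept as raw DER
    so they can be compared byte for byte. Only the TBSCertificate prefix is walked."""
    _, cert, _ = der_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    tag, _, pos = der_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0       # optional [0] EXPLICIT version
    _, _, pos = der_tlv(tbs, pos)         # serialNumber
    _, _, pos = der_tlv(tbs, pos)         # signature AlgorithmIdentifier
    start = pos
    _, _, pos = der_tlv(tbs, pos)         # issuer Name
    issuer = tbs[start:pos]
    _, validity, pos = der_tlv(tbs, pos)  # validity ::= SEQUENCE { notBefore, notAfter }
    start = pos
    _, _, pos = der_tlv(tbs, pos)         # subject Name
    subject = tbs[start:pos]
    _, _, p = der_tlv(validity, 0)
    tag_na, not_after, _ = der_tlv(validity, p)
    return issuer, subject, _asn1_time(tag_na, not_after)


def check_fullchain(text, now=None):
    """List the problems with a fullchain file; an empty list means it looks right."""
    now = now or datetime.now(timezone.utc)
    problems = []
    blocks = pem_blocks(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key material in the chain file: keep the key in its own 0600 file")
    certs = [cert_fields(der) for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        return problems + ["no CERTIFICATE blocks found"]
    if len(certs) == 1:
        problems.append("only one certificate: intermediate CA certificates missing (chain incomplete)")
    if certs[0][2] < now:
        problems.append(f"server certificate expired on {certs[0][2]:%Y-%m-%d}")
    for i in range(len(certs) - 1):       # each certificate must be issued by the one after it
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}: wrong order")
    return problems


# --- constructed sample input: structure-only certificates with a dummy signature ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { id-at-commonName, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def _sample_cert_pem(subject, issuer, not_after="350101000000Z"):
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject) + _der(0x30, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


SERVER = _sample_cert_pem("voipmonitor.example", "Example Intermediate CA")
INTERMEDIATE = _sample_cert_pem("Example Intermediate CA", "Example Root CA")
EXPIRED_SERVER = _sample_cert_pem("voipmonitor.example", "Example Intermediate CA", "230101000000Z")
GOOD_CHAIN = SERVER + INTERMEDIATE        # the order `cat server.crt intermediate.crt` produces
WRONG_ORDER = INTERMEDIATE + SERVER
```

Run `check_fullchain(open("/path/to/your/fullchain.crt").read())` on the file built in Step 2 before copying it into place; a non-empty list is a reason not to restart the web server yet.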

AI Summary for RAG

Summary: This guide provides a comprehensive two-layer approach to securing the VoIPmonitor web GUI, covering both Apache2 and Nginx. Layer 1 explains how to enable HTTPS for traffic encryption using a self-signed certificate. For Apache2, this involves enabling the `ssl` and `rewrite` modules, generating a key/certificate with `openssl`, configuring the `default-ssl.conf` virtual host, and forcing an HTTP-to-HTTPS redirect with a `RewriteRule`. For Nginx, it covers generating the certificate and setting up two server blocks: one for redirecting on port 80 and one for serving SSL on port 443 with the `ssl_certificate` and `ssl_certificate_key` directives. Layer 2 details how to add an extra password protection layer using HTTP Basic Authentication. It provides instructions for creating a password file with `htpasswd` and configuring Apache (`AuthType`, `AuthName`, `AuthUserFile`, `Require valid-user`) or Nginx (`auth_basic`, `auth_basic_user_file`) to use it. A third section covers replacing expired SSL certificates, including CA-issued certificates from trusted authorities like Let's Encrypt. This includes obtaining new certificates, creating fullchain files by concatenating server and intermediate CA certificates, locating and backing up existing configs, updating certificate files, testing configurations, restarting web servers, and verifying the new certificate. The guide emphasizes verifying configurations before restarting services and provides tips for certificate chain management and Let's Encrypt automatic renewal.

Keywords: security, https, ssl, tls, encrypt, apache, apache2, nginx, basic auth, http authentication, password, htpasswd, self-signed certificate, openssl, a2enmod, `default-ssl.conf`, redirect, rewrite, server block, `ssl_certificate`, `AuthUserFile`, `auth_basic_user_file`, replace expired certificate, certificate renewal, fullchain certificate, certificate chain, CA certificate, intermediate certificate, let's encrypt, certbot

Key Questions:

  • How do I secure the VoIPmonitor web interface?
  • How to enable HTTPS for VoIPmonitor on Apache2?
  • How to enable HTTPS for VoIPmonitor on Nginx?
  • How can I add an extra layer of password protection to the GUI?
  • What is HTTP Basic Authentication and how do I set it up?
  • How to create a password file with `htpasswd` for Apache or Nginx?
  • How do I redirect all HTTP traffic to HTTPS?
  • What is the difference between HTTPS and HTTP Basic Auth?
  • How to replace an expired SSL certificate?
  • How to create a fullchain certificate from CA certificates?
  • How to renew Let's Encrypt certificates for VoIPmonitor?
  • How do I update SSL certificate files in Apache or Nginx?