Securing the VoIPmonitor Web GUI: HTTPS and Basic Auth
This guide provides a two-layer approach to securing your VoIPmonitor web interface: HTTPS encryption and HTTP Basic Auth password protection.
Overview
| Layer | Purpose | Protects Against |
|---|---|---|
| HTTPS (SSL/TLS) | Encrypts all traffic between browser and server | Credential interception, data sniffing, man-in-the-middle attacks |
| HTTP Basic Auth | Additional password prompt before GUI loads | Brute-force attacks, unauthorized access to login page |
ℹ️ Note: This guide uses a self-signed certificate suitable for internal use. For production environments, use a certificate from a trusted authority like Let's Encrypt.
Layer 1: Enabling HTTPS
Apache2
Step 1: Enable required modules
sudo a2enmod ssl rewrite
Step 2: Generate certificate
sudo mkdir -p /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/apache2/ssl/voipmonitor.key \
-out /etc/apache2/ssl/voipmonitor.crt
💡 Tip: When prompted, the Common Name should be your server's domain name or IP address.
Step 3: Configure SSL virtual host
sudo nano /etc/apache2/sites-available/default-ssl.conf
Update these lines:
SSLCertificateFile /etc/apache2/ssl/voipmonitor.crt
SSLCertificateKeyFile /etc/apache2/ssl/voipmonitor.key
Step 4: Enable SSL site and HTTP-to-HTTPS redirect
sudo a2ensite default-ssl.conf
sudo nano /etc/apache2/sites-available/000-default.conf
Add inside <VirtualHost *:80>:
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
Step 5: Test and restart
sudo apache2ctl configtest
sudo systemctl restart apache2
Nginx
Step 1: Generate certificate
sudo mkdir -p /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/nginx/ssl/voipmonitor.key \
-out /etc/nginx/ssl/voipmonitor.crt
Step 2: Configure server blocks
Edit /etc/nginx/sites-available/default:
# Redirect HTTP to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
# Serve HTTPS
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate /etc/nginx/ssl/voipmonitor.crt;
    ssl_certificate_key /etc/nginx/ssl/voipmonitor.key;
    root /var/www/html;
    index index.php index.html;
    # ... other configurations ...
}
Step 3: Test and restart
sudo nginx -t
sudo systemctl restart nginx
Update GUI WEB URL Setting
After enabling HTTPS, update the GUI to generate HTTPS links in alerts and reports:
- Log in to VoIPmonitor GUI
- Navigate to Settings > System Configuration > Basic
- Update WEB URL from http:// to https://
- Click Save
⚠️ Warning: If this setting is not updated, email alerts and reports will still contain HTTP links.
Layer 2: HTTP Basic Auth
This adds an additional password prompt before the VoIPmonitor login page loads.
Apache2
Step 1: Create password file
# Create file with first user (-c flag only for first user)
sudo htpasswd -c /etc/apache2/voipmonitor.passwd your_username
# Add additional users (without -c)
# sudo htpasswd /etc/apache2/voipmonitor.passwd another_user
Step 2: Configure authentication
Edit /etc/apache2/sites-available/default-ssl.conf and add inside <Directory /var/www/html>:
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/voipmonitor.passwd
Require valid-user
Step 3: Restart
sudo apache2ctl configtest && sudo systemctl restart apache2
Nginx
Step 1: Create password file
sudo apt -y install apache2-utils
sudo htpasswd -c /etc/nginx/voipmonitor.passwd your_username
Step 2: Configure authentication
Add inside the server block listening on port 443:
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/voipmonitor.passwd;
Step 3: Restart
sudo nginx -t && sudo systemctl restart nginx
Replacing an Expired SSL Certificate
Use this procedure when your existing certificate has expired or you need to replace it with a new CA-issued certificate.
Step 1: Obtain new certificate files
Let's Encrypt:
sudo certbot renew
# New certs in /etc/letsencrypt/live/your-domain/
Commercial CA: Download your renewed certificate and any intermediate CA certificates.
Step 2: Create fullchain certificate (CA certificates only)
If you received separate server and intermediate certificates, concatenate them:
cat your_server.crt intermediate1.crt intermediate2.crt > your_fullchain.crt
ℹ️ Note: Do NOT include the root CA certificate. Let's Encrypt users can skip this step (pre-generated fullchain.pem exists).
Step 3: Locate current configuration
# Apache (RedHat/CentOS)
grep -i "SSLCertificateFile" /etc/httpd/conf.d/ssl.conf
# Apache (Ubuntu/Debian)
grep -i "SSLCertificateFile" /etc/apache2/sites-available/default-ssl.conf
# Nginx
grep -i "ssl_certificate" /etc/nginx/sites-enabled/default
Step 4: Backup and replace certificates
# Backup existing certificates
sudo mkdir -p /tmp/backup_certs
sudo cp /etc/apache2/ssl/voipmonitor.* /tmp/backup_certs/
# Copy new certificates
sudo cp your_new_fullchain.crt /etc/apache2/ssl/voipmonitor.crt
sudo cp your_private_key.key /etc/apache2/ssl/voipmonitor.key
# Set permissions
sudo chmod 644 /etc/apache2/ssl/voipmonitor.crt
sudo chmod 600 /etc/apache2/ssl/voipmonitor.key
Step 5: Verify and restart
# Verify certificate dates
openssl x509 -in /etc/apache2/ssl/voipmonitor.crt -noout -dates
# Test configuration
sudo apache2ctl configtest # or: sudo nginx -t
# Restart
sudo systemctl restart apache2 # or: nginx / httpd
Step 6: Browser verification
- Clear browser cache (Ctrl+Shift+R)
- Navigate to GUI and check the lock icon
- Verify certificate shows valid dates
Command-line verification:
echo | openssl s_client -connect your-server-ip:443 2>/dev/null | openssl x509 -noout -dates
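A pre-flight check for Steps 4 and 5, added here as an example and not part of the original guide: it confirms that the private key belongs to the first certificate in the file, that the certificate is not expired or about to expire, and that the key file is not readable by group or other. The function names, exit codes and sample certificates (generated into a temporary directory) are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: gate a certificate swap on three checks before restarting the web server.
# preflight, make_samples, demo and the exit codes are this example's own names.

# Returns 0 = safe to deploy, 1 = key does not match certificate,
# 2 = expired or expiring within $3 days (default 14),
# 3 = key readable by group/other, 4 = file missing or not valid PEM.
preflight() {
    local cert="$1" key="$2" days="${3:-14}" cert_pub key_pub
    # With a fullchain file, openssl x509 reads only the first certificate,
    # so the server certificate is the one checked when it comes first.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    [ "$cert_pub" = "$key_pub" ] || return 1
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null || return 2
    # GNU stat prints the octal mode; group/other digits must be 0 (600, 400).
    case $(stat -c '%a' "$key") in *00) ;; *) return 3 ;; esac
    return 0
}

# Constructed sample material: two throwaway self-signed certificates.
make_samples() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=gui.example" \
        -keyout "$1/good.key" -out "$1/good.crt" 2>/dev/null
    openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "/CN=gui.example" \
        -keyout "$1/short.key" -out "$1/short.crt" 2>/dev/null
    chmod 600 "$1/good.key" "$1/short.key"
}

demo() {
    local d rc pair
    d=$(mktemp -d) && make_samples "$d" || return 1
    for pair in "good.crt good.key" "good.crt short.key" "short.crt short.key"; do
        set -- $pair
        rc=0; preflight "$d/$1" "$d/$2" || rc=$?
        echo "$1 + $2 -> exit $rc"
    done
    chmod 644 "$d/good.key"
    rc=0; preflight "$d/good.crt" "$d/good.key" || rc=$?
    echo "good.crt + world-readable good.key -> exit $rc"
    rm -rf "$d"
}
demo
```

To use it for a real replacement, drop the demo call and run preflight against the new certificate and key before copying them over the live files; restart the web server only on exit 0.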
Troubleshooting
| Issue | Solution |
|---|---|
| Certificate chain incomplete | Ensure fullchain.crt includes all intermediate CA certificates in correct order |
| Permission denied | Set chmod 644 for cert, chmod 600 for key |
| Restart fails | Check syntax and file paths. See /var/log/apache2/error.log or /var/log/nginx/error.log |
| SSO fails behind reverse proxy | Add proxy_set_header X-Forwarded-Proto $scheme; to Nginx config. See Nginx and Google_Sign_in_usage |
| Let's Encrypt renewal | Set up cron job or systemd timer: 0 0 1 * * certbot renew --quiet |
See Also
- Nginx - Reverse proxy configuration and timeout settings
- Google_Sign_in_usage - OAuth/SSO setup (requires HTTPS)
- Microsoft_Sign_in_usage - Microsoft SSO setup
- GUI_troubleshooting - HTTP 500 errors and other GUI issues