Ntopng not working behind HAProxy with SSL Offload
-
In my setup, SSL is enabled for pfSense but also for all the websites (including ntopng). All these sites are located behind HAProxy (within pfSense), which acts as SSL termination point, reverse proxy and load balancer.
Everything works fine except for ntopng.
- pfSense offers a web interface to configure ntopng (Diagnostics -> ntopng Settings).
- When the user enables ntopng through that interface, the PHP code generates a script (named /usr/local/etc/rc.d/ntopng.sh) to launch ntopng and all the subsystem (like redis). If ntopng is disabled through the pfSense webpage, that script is deleted.
The issue is inside that generated script. PHP checks if pfSense is running on HTTPS: if so, then it runs ntopng with the parameters "-w 0 -W 3000" (meaning HTTP is disabled and HTTPS is enabled on port 3000).
OK, but what is the issue?
As ntopng is behind HAProxy (w/ SSL Offloading), ntopng must only listen on HTTP (and not HTTPS), even if the front is only accessible through HTTPS, but the script /usr/local/etc/rc.d/ntopng.sh states exactly the contrary.
My proposal: PHP should not try to guess how ntopng should work, but instead add an option "Enable HTTPS (Y/N)" on the "ntopng Settings" page.
For now, I found a quick-and-dirty workaround: I commented out the line in PHP that adds the parameters "-w 0 -W 3000".
Thanks
-
I've been trying to get this running for 2 days now on 2.4.1 without HAProxy. It seems like it's the only way to get it working though, huh. Everything is over HTTPS. I tried setting up DNS for it etc. Nothing seems to want to work.
I get these errors.
Chrome: This site can't provide a secure connection
<firewall> uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol. The client and server don't support a common SSL protocol version or cipher suite.

Firefox: Secure Connection Failed
An error occurred during a connection to https://<firewall>:3000. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

IE: This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://<firewall>:3000 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

btw when you said you commented out the "-w 0 -W 3000" you meant in the shell script right - not in PHP?
-
All - apologies for necro posting. I have battled this off and on for years and I always come back to this post in my searching and wanted to provide my best-so-far solution.
I have discovered a temporary solution: modify the file (/usr/local/pkg/ntopng.inc) that is referenced during auto-generation (/usr/local/etc/rc.d/ntopng.sh) that creates the configuration for ntopng (/usr/local/etc/ntopng.conf).
I have modified this part by swapping the lines below if and else.
    /* HTTP/HTTPS */
    // Branches swapped relative to the package's original: when the pfSense
    // web GUI is on HTTPS, ntopng is now started with plain HTTP only (for the
    // HAProxy front end), otherwise ntopng terminates TLS itself.
    if (config_get_path('system/webgui/protocol') == "https") {
        unlink_if_exists(CERT_FILE);
        // append (.=) like the other branch so earlier config lines are kept
        $config_lines .= "--http-port=$listen_string\n";
    } else {
        $cert = lookup_cert(config_get_path('system/webgui/ssl-certref'));
        ntopng_write_cert_file(CERT_FILE, $cert);
        $config_lines .= "--http-port=0\n--https-port=$listen_string\n";
    }
I was then able to configure pfSense HAProxy successfully.
I suspect this will certainly not survive an upgrade/reinstall of the ntopng package, but it is more sustainable than the prior methods with the latest package version (says 5.6.0 in Package Manager, but installs 6.0.240423).
If there is a better solution, please let me know. Thank you.
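The first post proposes an explicit "Enable HTTPS" option instead of inferring ntopng's listener mode from the pfSense web GUI protocol, and the post above swaps the two branches to get the same effect. The following is an added example of what that decoupled config generation could look like; it is not code from pfSense's ntopng.inc, and the function name `ntopng_listen_lines` and the boolean setting it takes are assumptions. The certificate write/unlink steps shown in the post would stay with the HTTPS branch.

```php
<?php
// Added example (not pfSense's own ntopng.inc): derive ntopng's listener
// options from an explicit "Enable HTTPS" setting rather than from
// config_get_path('system/webgui/protocol').

// $ntopng_https: hypothetical setting. true  -> ntopng terminates TLS itself
//                                      false -> a TLS-terminating reverse proxy
//                                               (HAProxy) sits in front of it
// $listen_string: value handed to ntopng, either "PORT" or "ADDR:PORT"
function ntopng_listen_lines(bool $ntopng_https, string $listen_string): string
{
    if ($ntopng_https) {
        // ntopng serves HTTPS itself: disable plain HTTP (-w 0), enable HTTPS (-W)
        return "--http-port=0\n--https-port={$listen_string}\n";
    }
    // Proxy terminates TLS: plain HTTP only, so HAProxy's backend checks and
    // forwarded requests reach a listener that actually speaks HTTP.
    return "--http-port={$listen_string}\n";
}

// Constructed inputs for a self-check. Binding the plain-HTTP listener to
// loopback means only the co-located HAProxy can reach it directly.
$behind_proxy = ntopng_listen_lines(false, "127.0.0.1:3000");
$direct_tls   = ntopng_listen_lines(true, "3000");

assert($behind_proxy === "--http-port=127.0.0.1:3000\n");
assert($direct_tls === "--http-port=0\n--https-port=3000\n");

echo $behind_proxy, $direct_tls;
```

With this split the web GUI's own protocol no longer decides ntopng's mode, which is exactly the mismatch the first post describes: a TLS-only front end with a plain-HTTP backend is the normal shape for an offloading proxy, and the generated /usr/local/etc/ntopng.conf should reflect that choice directly rather than guessing it.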