Netgate Discussion Forum
    Ntopng not working behind HAProxy with SSL Offload

    Traffic Monitoring
    topkool

      In my setup, SSL is enabled for pfSense but also for all the websites (including ntopng). All these sites are located behind HAProxy (within pfSense), which acts as SSL termination, point reverse proxy and load balancer.

      Everything works fine except for ntopng.

      • pfSense offers a web interface to configure ntopng (Diagnostics -> ntopng Settings).
      • When the user enables ntopng through that interface, the PHP code generates a script (named /usr/local/etc/rc.d/ntopng.sh) to launch ntopng and all the subsystems (like redis). If ntopng is disabled through the pfSense webpage, that script is deleted.

      The issue is inside that generated script. PHP checks if pfSense is running on HTTPS: if so, it runs ntopng with the parameters "-w 0 -W 3000" (meaning HTTP is disabled and HTTPS is enabled on port 3000).

      OK, but what is the issue?

      As ntopng is behind HAProxy (w/ SSL Offloading), ntopng must only listen on HTTP (and not HTTPS), even if the front end is only accessible through HTTPS, but the script /usr/local/etc/rc.d/ntopng.sh states exactly the contrary.

      My proposal: PHP should not try to guess how ntopng should work, but instead add an option "Enable HTTPS (Y/N)" on the "ntopng Settings" page.

      For now, I found a quick-and-dirty workaround: I commented out the line in PHP that adds the parameters "-w 0 -W 3000".

      Thanks

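      The decision the generated rc.d script makes, and the explicit option proposed above, as an added POSIX sh illustration (this is not pfSense's or ntopng's own code; the function names, the `NTOPNG_HTTPS` setting and the data directory are assumptions):

```shell
#!/bin/sh
# Added example: how the ntopng web-listener flags could be derived from an
# explicit "Enable HTTPS" setting instead of being guessed from the pfSense
# webConfigurator protocol. Function and variable names are assumptions.

NTOPNG_PORT=3000

# Behaviour described in the post: the flags mirror the pfSense GUI protocol,
# so an HTTPS GUI always produces an HTTPS-only ntopng ("-w 0 -W 3000"),
# which is wrong when HAProxy terminates TLS in front of ntopng.
ntopng_web_flags_legacy() {
    pfsense_proto="$1"            # "http" or "https" (webConfigurator protocol)
    if [ "$pfsense_proto" = "https" ]; then
        echo "-w 0 -W $NTOPNG_PORT"
    else
        echo "-w $NTOPNG_PORT"
    fi
}

# Proposed behaviour: honour an explicit setting. Behind an SSL-offloading
# reverse proxy the setting is "no", so ntopng stays on plain HTTP even
# though the pfSense GUI itself is served over HTTPS. "-W 0" disables the
# HTTPS listener, mirroring the "-w 0" idiom the post quotes for HTTP.
ntopng_web_flags() {
    ntopng_https="$1"             # "yes" or "no" (hypothetical "Enable HTTPS" option)
    case "$ntopng_https" in
        yes) echo "-w 0 -W $NTOPNG_PORT" ;;
        no)  echo "-w $NTOPNG_PORT -W 0" ;;
        *)   echo "ntopng_web_flags: expected yes|no, got '$ntopng_https'" >&2
             return 1 ;;
    esac
}

# Where the rc.d script would consume the flags (constructed command line;
# only the web-listener flags come from the post, the rest is illustrative).
build_ntopng_cmd() {
    flags=$(ntopng_web_flags "$1") || return 1
    echo "/usr/local/bin/ntopng $flags"
}

# Stand-alone run: print the command line for the configured setting.
build_ntopng_cmd "${NTOPNG_HTTPS:-no}"
```

      With HAProxy doing SSL offload, the proxy's backend should point at the HTTP port 3000 listener; an HTTPS backend check against an HTTP-only ntopng fails in the same way as a browser hitting the wrong protocol.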
      ProgressCity

        I've been trying to get this running for 2 days now on 2.4.1 without HAProxy. It seems like it's the only way to get it working though, huh. Everything is over HTTPS. I tried setting up DNS for it etc. Nothing seems to want to work.

        I get these errors.

        Chrome: This site can’t provide a secure connection
        <firewall> uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH
        Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite.

        Firefox: Secure Connection Failed
        An error occurred during a connection to https://<firewall>:3000. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
        The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

        IE: This page can’t be displayed
        Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://<firewall>:3000 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

        btw, when you said you commented out the "-w 0 -W 3000", you meant in the shell script, right - not in PHP?
