Configuring SSL certificates on the ThreatLockDown dashboard using NGINX

NGINX is open-source software for web serving, reverse proxying, caching, load balancing, and media streaming. Placed in front of the ThreatLockDown dashboard, it offloads and speeds up TLS decryption, improves resource utilization, and keeps the connection to the ThreatLockDown dashboard server encrypted end to end, since the proxied connection to the dashboard also uses HTTPS. NGINX can be installed directly on the endpoint hosting the ThreatLockDown dashboard or on a separate endpoint outside of the ThreatLockDown cluster. For this use case, NGINX is installed on the ThreatLockDown dashboard node.

Follow the step-by-step instructions below to install and configure a Let’s Encrypt SSL certificate for the ThreatLockDown dashboard using NGINX.

Setting up NGINX as a reverse proxy

Installing the NGINX software on the ThreatLockDown dashboard

  1. Install NGINX:

    # yum install epel-release
    # yum install nginx
    
  2. Start NGINX and verify the status is active:

    # systemctl start nginx
    # systemctl status nginx
    
  3. Open ports 80 (HTTP) and 443 (HTTPS), then reload firewalld so that the permanent rules take effect in the running configuration:

    # systemctl start firewalld
    # firewall-cmd --permanent --add-port=443/tcp
    # firewall-cmd --permanent --add-port=80/tcp
    # firewall-cmd --reload
    

Configure the proxy and the certificates

  1. Install snap:

    # yum install epel-release
    # yum upgrade
    # yum install snapd
    # systemctl enable --now snapd.socket
    # ln -s /var/lib/snapd/snap /snap
    
  2. Install certbot:

    # yum remove certbot
    # snap install --classic certbot
    
  3. Configure a symbolic link to the certbot directory:

    # ln -s /snap/bin/certbot /usr/bin/certbot
    
  4. Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and change the default dashboard port from 443 to another available port number, so that NGINX can take over port 443. Do not open the new port in the firewall: the dashboard should be reachable only through NGINX.

    server.host: 0.0.0.0
    opensearch.hosts: https://127.0.0.1:9200
    server.port: <PORT_NUMBER>
    opensearch.ssl.verificationMode: certificate
    # opensearch.username: kibanaserver
    # opensearch.password: kibanaserver
    opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
    opensearch_security.multitenancy.enabled: false
    opensearch_security.readonly_mode.roles: ["kibana_read_only"]
    server.ssl.enabled: true
    server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
    server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
    opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
    uiSettings.overrides.defaultRoute: /app/wz-home
    opensearch_security.cookie.secure: true
    
  5. Navigate to the /etc/nginx/conf.d directory and create a wazuh.conf file for the proxy and certificate configuration. If /etc/nginx/sites-enabled/default does not exist on your system, skip the unlink command, but make sure no other server block (for example in /etc/nginx/nginx.conf) already declares listen 80 default_server, because two default servers on the same port prevent NGINX from starting:

    # unlink /etc/nginx/sites-enabled/default
    # cd /etc/nginx/conf.d
    # touch wazuh.conf
    
  6. Edit wazuh.conf and add the following configuration:

    server {
       listen 80 default_server;
    
       server_name <YOUR_DOMAIN_NAME>;
    
       location / {
          proxy_pass https://<WAZUH_DASHBOARD_IP>:<PORT_NUMBER>;
          proxy_set_header Host $host;
       }
    }
    

    Replace the following:

    • <YOUR_DOMAIN_NAME> with your domain name.

    • <WAZUH_DASHBOARD_IP> with your ThreatLockDown dashboard IP address.

    • <PORT_NUMBER> with your new port number.

  7. Restart the ThreatLockDown dashboard and the ThreatLockDown server:

    # systemctl restart wazuh-dashboard
    # systemctl restart wazuh-manager
    
  8. Use certbot to generate an SSL certificate:

    # certbot --nginx -d <YOUR_DOMAIN_NAME>
    
  9. Check that the NGINX configuration is valid by running nginx -t, and verify that the /etc/nginx/conf.d/wazuh.conf file now matches the sample below (certbot added the lines marked "managed by Certbot"):

    server {
    
       server_name <YOUR_DOMAIN_NAME>;
    
       location / {
          proxy_pass https://<WAZUH_DASHBOARD_IP>:<PORT_NUMBER>;
          proxy_set_header Host $host;
       }
    
       listen 443 ssl; # managed by Certbot
       ssl_certificate /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem; # managed by Certbot
       ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem; # managed by Certbot
       include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
       ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    server {
       if ($host = <YOUR_DOMAIN_NAME>) {
          return 301 https://$host$request_uri;
       } # managed by Certbot
    
    
       listen 80 default_server;
    
       server_name <YOUR_DOMAIN_NAME>;
       return 404; # managed by Certbot
    
    
    }
    
  10. Restart the NGINX service:

    # systemctl restart nginx
    
  11. Access the ThreatLockDown dashboard via the configured domain name.

The NGINX server has been configured and the Let’s Encrypt certificate installation is active on the ThreatLockDown dashboard. You can proceed to access it by using the configured domain name.
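As an added example (not part of the original page or the ThreatLockDown project), the following Python script checks a wazuh.conf against the end state expected in step 9: it flattens the server blocks and flags a missing TLS listener on 443, certificate files that are not the Let's Encrypt ones, an upstream that is not HTTPS, or a port 80 block that still proxies the dashboard instead of redirecting. The domain, upstream IP and port in the embedded sample are made-up values standing in for the page's placeholders, and the parser assumes a conf.d file that contains only server blocks.

```python
import re

# Constructed sample: the wazuh.conf expected after step 9, with the page's
# placeholders filled in with made-up values, not copied from a real host.
AFTER_CERTBOT = """
server {
   server_name dashboard.example.com;
   location / { proxy_pass https://10.0.0.5:5601; proxy_set_header Host $host; }
   listen 443 ssl; # managed by Certbot
   ssl_certificate /etc/letsencrypt/live/dashboard.example.com/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/dashboard.example.com/privkey.pem;
}
server {
   listen 80 default_server; server_name dashboard.example.com;
   if ($host = dashboard.example.com) { return 301 https://$host$request_uri; }
   return 404; # managed by Certbot
}
"""

def parse_blocks(text):
    """Top-level server blocks as flat directive lists (comments dropped, nested braces flattened)."""
    blocks, depth = [], 0
    for tok in map(str.strip, re.findall(r"[^{};]+|[{}]", re.sub(r"#[^\n]*", "", text))):
        depth += {"{": 1, "}": -1}.get(tok, 0)
        if tok == "{" and depth == 1:
            blocks.append([])           # a new top-level server block starts
        elif tok not in ("{", "}", "") and depth >= 1:
            blocks[-1].append(tok)      # a directive or a nested-block header
    return blocks

def _has(block, pattern):
    return any(re.match(pattern, d) for d in block)

def check_conf(text):
    """Return findings where the conf departs from the step 9 end state; [] means it matches."""
    findings, blocks = [], parse_blocks(text)
    tls = [b for b in blocks if _has(b, r"listen\s+443\s+ssl\b")]
    if not tls:
        findings.append("no server block listens on 443 with ssl")
    le = r"ssl_certificate(_key)?\s+/etc/letsencrypt/live/\S+/(fullchain|privkey)\.pem"
    for b in tls:
        if sum(bool(re.match(le, d)) for d in b) < 2:   # need both cert and key
            findings.append("443 block: certificate/key are not the Let's Encrypt files")
        if not _has(b, r"proxy_pass\s+https://"):
            findings.append("443 block: proxy_pass to the dashboard is not https")
    for b in (b for b in blocks if _has(b, r"listen\s+80\b")):
        if _has(b, r"proxy_pass\s"):
            findings.append("port 80 block still proxies to the dashboard in plaintext")
        if not _has(b, r"return\s+301\s+https://"):
            findings.append("port 80 block does not redirect to HTTPS")
    return findings
```

Running check_conf on the step 6 configuration (before certbot) reports the missing 443 listener and the plaintext port 80 proxy, while the step 9 configuration yields no findings.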