Configuring SSL certificates on the ThreatLockDown dashboard using NGINX
NGINX is open source software for web serving, reverse proxying, caching, load balancing, and media streaming. Placed in front of the ThreatLockDown dashboard, it offloads TLS processing from the dashboard, improves resource utilization, and keeps the connection to the ThreatLockDown dashboard server encrypted end to end. NGINX can be installed directly on the endpoint hosting the ThreatLockDown dashboard or on a separate endpoint outside of the ThreatLockDown cluster. In this use case, NGINX is installed on the ThreatLockDown dashboard node.
Install and configure the Let’s Encrypt SSL certificate using NGINX on a ThreatLockDown dashboard by following the step-by-step instructions below.
Setting up NGINX as Reverse proxy
Installing the NGINX software on the ThreatLockDown dashboard
Install NGINX:
Yum:
# yum install epel-release
# yum install nginx

APT:
# apt-get update
# apt-get install nginx
Start NGINX and verify the status is active:
# systemctl start nginx
# systemctl status nginx
Open ports 80 (HTTP) and 443 (HTTPS):
firewalld:
# systemctl start firewalld
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --permanent --add-port=80/tcp

ufw:
# ufw allow 443
# ufw allow 80
Configure the proxy and the certificates
Install snap:
Yum:
# yum install epel-release
# yum upgrade
# yum install snapd
# systemctl enable --now snapd.socket
# ln -s /var/lib/snapd/snap /snap

APT:
# apt-get update
# apt-get install snap
# snap install core; snap refresh core
Install certbot:
Yum:
# yum remove certbot
# snap install --classic certbot

APT:
# apt remove certbot
# snap install --classic certbot
Configure a symbolic link to the certbot directory:
# ln -s /snap/bin/certbot /usr/bin/certbot
Edit the /etc/wazuh-dashboard/opensearch_dashboards.yml file and change the default dashboard port from 443 to another available port number, so that NGINX can take over port 443:

server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: <PORT_NUMBER>
opensearch.ssl.verificationMode: certificate
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.cookie.secure: true
Navigate to the /etc/nginx/conf.d directory and create a wazuh.conf file for the certificate installation:

# unlink /etc/nginx/sites-enabled/default
# cd /etc/nginx/conf.d
# touch wazuh.conf
Edit wazuh.conf and add the following configuration:

server {
    listen 80 default_server;
    server_name <YOUR_DOMAIN_NAME>;
    location / {
        proxy_pass https://<WAZUH_DASHBOARD_IP>:<PORT_NUMBER>;
        proxy_set_header Host $host;
    }
}
Replace the following:
<YOUR_DOMAIN_NAME> with your domain name.
<WAZUH_DASHBOARD_IP> with your ThreatLockDown dashboard IP address.
<PORT_NUMBER> with your new port number.
Restart the ThreatLockDown dashboard and the ThreatLockDown server:

# systemctl restart wazuh-dashboard
# systemctl restart wazuh-manager
Use certbot to generate an SSL certificate:
# certbot --nginx -d <YOUR_DOMAIN_NAME>
Check that NGINX is properly configured and verify that the /etc/nginx/conf.d/wazuh.conf file now matches the sample below:

server {
    server_name <YOUR_DOMAIN_NAME>;
    location / {
        proxy_pass https://<WAZUH_DASHBOARD_IP>:<PORT_NUMBER>;
        proxy_set_header Host $host;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<YOUR_DOMAIN_NAME>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = <YOUR_DOMAIN_NAME>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    server_name <YOUR_DOMAIN_NAME>;
    return 404; # managed by Certbot
}
Restart the NGINX service:
systemd:
# systemctl restart nginx

SysV init:
# service nginx restart
Access the ThreatLockDown dashboard via the configured domain name.
The NGINX server has been configured and the Let’s Encrypt certificate installation is active on the ThreatLockDown dashboard. You can proceed to access it by using the configured domain name.