ntopng-udm
Add support for TLS certificates
As documented, ntopng runs on port 3001 but with an old certificate. Safari doesn't really like that.
It's possible to provide a certificate to ntopng (howto) so that browsers are happy.
In the case of ntopng-udm, we need to put a private key and certificate chain into /usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem. If using @kchristensen's https://github.com/kchristensen/udm-le to generate certs with LetsEncrypt, this information is available locally. Thus you can:
```shell
cd /mnt/data/ntopng
cat ../udm-le/lego/certificates/*.key ../udm-le/lego/certificates/*.crt > ntopng-cert.pem
```
And then create the container with:
```shell
podman run -d --net=host --restart always \
  --name ntopng \
  -v /mnt/data/ntopng/GeoIP.conf:/etc/GeoIP.conf \
  -v /mnt/data/ntopng/ntopng.conf:/etc/ntopng/ntopng.conf \
  -v /mnt/data/ntopng/redis.conf:/etc/redis/redis.conf \
  -v /mnt/data/ntopng/lib:/var/lib/ntopng \
  -v /mnt/data/ntopng/ntopng-cert.pem:/usr/share/ntopng/httpdocs/ssl/ntopng-cert.pem \
  docker.io/tusc/ntopng-udm:latest
```
Bonus points: it is necessary to update udm-le.sh to update ntopng-cert.pem. Ideally we'd build some sort of registry of things that need to get updated so that we can de-couple udm-le.sh from knowing specifically about ntopng, but for now, as a quick hack, this diff should work.
```diff
diff --git a/udm-le.sh b/udm-le.sh
index c4ca95d..85debe8 100755
--- a/udm-le.sh
+++ b/udm-le.sh
@@ -82,6 +82,7 @@ renew)
${PODMAN_CMD} ${LEGO_ARGS} renew --days 60 && deploy_cert
if [ "${NEW_CERT}" = "yes" ]; then
add_captive && unifi-os restart
+ cat ${UDM_LE_PATH}/lego/certificates/${CERT_NAME}.key ${UDM_LE_PATH}/lego/certificates/${CERT_NAME}.crt > /mnt/data/ntopng/ntopng-cert.pem && podman restart ntopng
fi
;;
bootrenew)
```
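Review bot: the added `cat ... > /mnt/data/ntopng/ntopng-cert.pem` line in the `renew)` branch writes the private key in place with a plain redirect, so the file gets the caller's default umask (possibly world-readable) and a concurrent reader can see it half-written; consider `umask 077` before the `cat`, writing to a temporary file next to the target and moving it into place, and guarding the whole line with a check that `/mnt/data/ntopng` exists so a host without ntopng does not fail this step. The `bootrenew)` case that follows is not changed, so a renewal on that path would leave ntopng-cert.pem stale.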
Thoughts? I can throw together a PR to update the docs if you want.
Works great, should possibly be in the readme.
Here's a possible alternative approach that provides automatic renewal. I'm using this project, udm-le, and udm-utilities with AdGuard Home on a UDM.
To simplify certificate configuration and renewal, I configured my udm-le instance with subject alternative names for UDM, AdGuard Home, ntopng, and a few others. I've not done SSL for ntopng yet, but was able to point AdGuard Home directly to the udm-le certificate folder after mounting it as a read-only volume. The new AdGuard container startup has one added line as you can see below. The SSL settings within AGH can then be configured through the GUI or directly in AdGuardHome.yaml.
```shell
podman run -d --network dns --restart always \
  --name adguardhome \
  -v "/mnt/data/AdguardHome-Confdir/:/opt/adguardhome/conf/" \
  -v "/mnt/data/AdguardHome-Workdir/:/opt/adguardhome/work/" \
  -v "/mnt/data/udm-le/lego/certificates/:/opt/adguardhome/certs/:ro" \
  --dns=127.0.0.1 --dns=1.1.1.1 \
  --hostname adguardhome \
  adguard/adguardhome:latest
```
Does this approach potentially make it easier?
Am I creating any security problems by mounting the lego/certificates folder in another container?
Does ntopng require the PEM file to be named "ntop-cert"?
Still, the idea of having a registry of sorts for providing certificates to different containers on UDM would be amazing.
If you append --pem to the LEGO_ARGS value in udm-le.sh, it will automatically create the combined certificate that ntopng expects. Then you can simply adjust your ntopng volume mount directly to that file.
```
lego --help
--pem    Generate a .pem file by concatenating the .key and .crt files together.
```
Automatically restarting ntopng is another matter altogether.
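Whether the combined file comes from the `cat` in the first post or from lego's `--pem` option, it is worth checking it before mounting it into the container: that it holds exactly one private key plus a certificate chain and is not readable by other users. This is an added example, not code from ntopng-udm, udm-le or lego; the PEM bodies below are constructed placeholders, and the permission check assumes a POSIX filesystem.

```python
"""Sanity-check a combined PEM (private key + certificate chain) before ntopng mounts it."""
import os
import re
import stat
from typing import List, Tuple

# Matches one PEM block and captures its label, e.g. "PRIVATE KEY" or "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text: str) -> List[str]:
    """Return the label of every PEM block in document order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(text: str) -> Tuple[bool, str]:
    """Accept only a file made of exactly one private key plus one or more certificates."""
    labels = pem_labels(text)
    keys = [lbl for lbl in labels if lbl in KEY_LABELS]
    certs = [lbl for lbl in labels if lbl == "CERTIFICATE"]
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    if not certs:
        return False, "no CERTIFICATE block found (was the .crt appended?)"
    if len(labels) != len(keys) + len(certs):
        return False, "file contains PEM blocks of an unexpected type"
    return True, f"ok: 1 key + {len(certs)} certificate(s)"


def is_private(path: str) -> bool:
    """True when group and others have no permission bits on the file holding the key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed placeholder data: the base64 bodies are not real keys or certificates.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n"
COMBINED_OK = FAKE_KEY + FAKE_CERT + FAKE_CERT   # key + leaf + intermediate
CERT_ONLY = FAKE_CERT + FAKE_CERT                # the .key was never concatenated

if __name__ == "__main__":
    print(check_combined_pem(COMBINED_OK))
    print(check_combined_pem(CERT_ONLY))
```

To check a real file, read it into a string and pass it to check_combined_pem, then pass its path to is_private before the `podman restart`.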