CloudShark Support

Enable HTTPS on a CloudShark Appliance

System Updates

Before enabling HTTPS or making any changes to the nginx configuration on your CloudShark Appliance, we recommend installing all system updates. This ensures that your system is running the most up to date software and security patches.

To update the system software on your CloudShark Appliance, run the following command from a terminal as the root user and then reboot:

yum update
reboot

If you do not want to do a full system update, we recommend at a minimum that you update the openssl package, which was patched in April of 2014 to fix a major bug known as the Heartbleed Bug. This will also enable TLSv1.1 and TLSv1.2 for systems with earlier OpenSSL libraries.

yum update openssl
reboot

CloudShark’s nginx Configuration

Since CloudShark version 2.4, HTTPS support has been enabled by default using a self-signed certificate. To use your own certificate, upload your public certificate chain as the ssl_certificate file and the private key as the ssl_certificate_key file in the nginx configuration below.

Configuration file locations

CloudShark uses nginx as the web server that listens to the external ports 80 for HTTP and 443 for HTTPS (SSL). HTTPS is disabled by default because it requires certificate files to be installed manually.

The CloudShark installer “owns” the nginx.conf file and will overwrite it during upgrades. The nginx-* files are not modified by the installer and their settings will persist between CloudShark upgrades.

Configure a certificate keypair

CloudShark ships with a self-signed certificate by default and allows access over both HTTP and HTTPS. The default SSL configuration is located at /var/www/cloudshark/shared/config/nginx-ssl.conf and contains the following:

# Basic configuration is three lines:
listen 443 ssl;
ssl_certificate       /var/www/cloudshark/shared/config/ssl/server.crt;
ssl_certificate_key   /var/www/cloudshark/shared/config/ssl/server.key;

# Extra configuration, optional.  Enable specific TLS versions, stronger
# ciphersuites (several support forward secrecy), OCSP stapling
# (certificate revocation) and HSTS (tells clients it is OK to assume URLs
# with HTTP can be accessed as HTTPS without testing it first)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_session_timeout 5m;
ssl_session_cache shared:NginxCache123:50m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security max-age=15768000;
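As an added example (not part of CloudShark's documentation or code), a small standard-library Python checker that reads an nginx-ssl.conf like the one above and flags the settings a defender would tighten before exposing port 443: the deprecated TLSv1 and TLSv1.1 protocols, the 3DES suites, OCSP stapling left off and a missing HSTS header. It embeds a trimmed copy of the default configuration as its sample input.

```python
import re

# Trimmed copy of the default nginx-ssl.conf shown above (the page's own
# settings), used here as the sample input for the checker.
DEFAULT_NGINX_SSL_CONF = """\
listen 443 ssl;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_stapling on;
add_header Strict-Transport-Security max-age=15768000;
"""

def parse_directives(conf):
    """Map each directive name to the list of argument lists it was given.

    A directive runs until its ';', so a value split across lines (as the
    ssl_ciphers value is above) is read whole. Comments are dropped and
    block braces are treated as statement breaks. Quoted values that
    themselves contain ';' are not handled (kept simple on purpose)."""
    text = re.sub(r"#[^\n]*", "", conf)
    text = re.sub(r"[{}]", ";", text)
    directives = {}
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def review_tls_settings(conf):
    """Return the settings a defender would tighten before exposing port 443."""
    d = parse_directives(conf)
    findings = []
    protocols = [p for args in d.get("ssl_protocols", []) for p in args]
    for old in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if old in protocols:
            findings.append(f"ssl_protocols enables deprecated {old}")
    ciphers = ":".join(a for args in d.get("ssl_ciphers", []) for a in args)
    if "3DES" in ciphers:
        findings.append("ssl_ciphers keeps 3DES, a 64-bit block cipher")
    if d.get("ssl_stapling", [["off"]])[-1] != ["on"]:
        findings.append("OCSP stapling is off")
    hsts = [a for a in d.get("add_header", []) if a[:1] == ["Strict-Transport-Security"]]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings
```

Run it against your own /var/www/cloudshark/shared/config/nginx-ssl.conf by passing the file contents to review_tls_settings; an empty list means none of the checked weaknesses is present.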

To use a different certificate keypair that you have generated, upload your certificate file to /usr/local/etc/cloudshark.crt and the private key to /usr/local/etc/cloudshark.key. Then configure CloudShark to use the new keypair by editing /var/www/cloudshark/shared/config/nginx-ssl.conf and changing the following two lines:

ssl_certificate       /var/www/cloudshark/shared/config/ssl/server.crt;
ssl_certificate_key   /var/www/cloudshark/shared/config/ssl/server.key;

To instead be

ssl_certificate       /usr/local/etc/cloudshark.crt;
ssl_certificate_key   /usr/local/etc/cloudshark.key;

Then restart the system to ensure that CloudShark uses the new certificate and private key you have generated rather than the default self-signed certificate.

Please email us if this is not straightforward and we will help you.

Decide if HTTP should remain enabled

This step is optional.

By default, CloudShark accepts connections on the unencrypted web port (80). To disable this, remove the following line from /var/www/cloudshark/shared/config/nginx-network.conf:

listen 80;

Redirect all HTTP traffic to HTTPS

This step is optional.

Redirection headers can be configured to indicate that HTTPS should be used instead of HTTP. Some clients do not understand these headers and must be configured to access the HTTPS URL explicitly.

Edit the following file:

/var/www/cloudshark/shared/config/nginx-ssl.conf

Create a new line at the bottom of the file and add the following, replacing cloudshark.example.com with your appliance's hostname:

if ($ssl_protocol = "") {
   rewrite ^ https://cloudshark.example.com$request_uri? permanent;
}

Save the file and exit.

Restart to update changes

The easiest way to apply any changes to the nginx configuration is to restart the system.

Administrator Notes

Firewall Support

If you are running a firewall you must allow the HTTPS service, which runs on TCP port 443, through the firewall. Visit our firewall configuration page for information on how to configure this for your OS.

Intermediate SSL Certificates

Some certificates require that an intermediate certificate be installed with the public certificate for the server. These certificates are usually all bundled in the same ZIP archive that the Certificate Authority (CA) provides after signing your CSR (certificate signing request). The certificates must be stored in the ssl_certificate file together, with the server certificate as the first entry, and then its parent intermediate certificate, and then so on for as many intermediate certificates as the CA has provided. The intermediate certificates, as a convention, have file names identical to the certificate subject line.

You can learn the correct order by inspecting the certificate properties of the https site in most GUI web browsers. A final caveat: if the certificate delimiters share a single line, the format will invalidate the entire certificate chain and nginx will indicate an error:

SSL PEM routines:PEM_read_bio:bad end line error

If this occurs, no harm is done - simply adjust the formatting of your .crt file contents until it is valid.
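Added example, not from the CloudShark documentation: a standard-library Python helper that detects the "bad end line" condition described above (a delimiter sharing a line with other text), splits a chain file into its certificates in file order, and rewrites it with every delimiter on its own line and 64-column body lines. The sample chain it includes is constructed placeholder base64, not real certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Finds each certificate even when a delimiter shares a line with the body or
# with the neighbouring certificate (the "bad end line" case above).
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem_chain(text):
    """Return the base64 body of every certificate in text, in file order,
    with all whitespace removed so CRLF endings and glued delimiters do
    not matter. Raises binascii.Error if a body is not valid base64."""
    bodies = []
    for m in _BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(1))
        base64.b64decode(body, validate=True)
        bodies.append(body)
    return bodies

def normalize_pem_chain(text):
    """Rewrite a chain with every delimiter on its own line and the body
    wrapped at 64 columns. Order is preserved: server certificate first,
    then each intermediate, as the section above requires."""
    lines = []
    for body in split_pem_chain(text):
        lines.append(BEGIN)
        lines.extend(body[i:i + 64] for i in range(0, len(body), 64))
        lines.append(END)
    return "\n".join(lines) + "\n"

def pem_format_problems(text):
    """List formatting faults that make nginx reject the ssl_certificate file."""
    problems = []
    if text.count(BEGIN) != text.count(END):
        problems.append("unbalanced BEGIN/END delimiters")
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if (BEGIN in s or END in s) and s not in (BEGIN, END):
            problems.append(f"line {n}: delimiter shares a line with other text")
    return problems

# Constructed sample, not real X.509 data: two base64 bodies of placeholder
# text, pasted with Windows line endings so that the END of the first
# certificate shares a line with the BEGIN of the second.
_FAKE_LEAF = base64.b64encode(b"constructed server certificate " * 3).decode()
_FAKE_INTERMEDIATE = base64.b64encode(b"constructed intermediate " * 3).decode()
SAMPLE_BAD_CHAIN = (BEGIN + "\r\n" + _FAKE_LEAF + "\r\n" + END
                    + BEGIN + "\r\n" + _FAKE_INTERMEDIATE + "\r\n" + END + "\r\n")
```

Checking the order of the chain (each certificate's issuer must be the subject of the next) still needs a certificate parser such as openssl x509; this helper only fixes the layout.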

Note that some certificate authorities provide binary style certificates in DER format. You can convert these to ASCII format (PEM) with the following command:

openssl x509 -in binary_certificate.crt -inform der -outform pem -out ascii_certificate.crt

Private Key Passphrases

Sometimes a key file is protected by a passphrase, which a human must enter interactively before the key can be used.

Please note that CloudShark will not start properly with this configuration. You must remove any passphrase from the key file to allow CloudShark to start automatically. For example, if a key file named cloudshark.key.passphrase is protected by a passphrase, run the following to strip the passphrase from the key and save it in a new file called cloudshark.key:

openssl rsa -in cloudshark.key.passphrase -out cloudshark.key

After you have updated the configuration file, you must restart CloudShark for the new changes to take effect.

Remember to keep a backup of your public certificate and private key files somewhere other than the appliance itself!

Automated SSL Certificate Script

We provide an SSL Certificate Generator. You can paste this script into a file, set the execute bit, and then run the script as the root user to generate a self-signed certificate and key that work with the nginx configuration examples in this documentation.

After you have updated the configuration files, you must restart CloudShark for the new changes to take effect.

About CloudShark

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.