[FRS-225] Securing FusionReactor with HTTPS / SSL

Introduction


This technote guides you step by step through the process of securing FusionReactor with HTTPS/SSL.
Note: This technote should work on any version of FusionReactor.

Using the capabilities of the existing web server


This method is usually the easiest, as you will often already know how to configure your web server. FusionReactor should be configured to process requests received through your existing web server. Follow the steps below to make FusionReactor accessible externally.

  1. Access your FusionReactor instance.
  2. Navigate to FusionReactor > Enable / Disable.
  3. Enable the "FusionReactor UI access on the external web server" value.
  4. Save the Settings.
  5. Now you should be able to access FusionReactor externally. The URL for FusionReactor is "/fusionreactor/fhtml.cfm".
    Example:

The configuration above leaves FusionReactor open to external users. However, you can configure FusionReactor to be accessible via an HTTPS connection.
To do this, follow the steps listed below.

  1. Access your FusionReactor instance.
  2. Navigate to FusionReactor > Settings.
  3. Locate the Internal HTTPS tab.
  4. Change the value of the "Enabled" field to "Enabled".
  5. Save the Settings.
  • Additionally, in IIS you can do this by creating a virtual directory (with alias "fusionreactor") and setting appropriate security on that virtual directory (for example, restrict by IP address).
  • If your website is already configured to work over HTTPS, you should already be able to access FusionReactor over SSL using your normal SSL URL with the added extension "/fusionreactor/fhtml.cfm". Example:

For added security, you may wish to use the security rules of your web server to completely deny external website access to FusionReactor. Then you could create a new internal HTTPS website (virtual host in Apache) specifically for FusionReactor.

More information about the virtual directory configuration in IIS can be found at http://www.iis.net/configreference/system.applicationhost/sites/site/application/virtualdirectory.

Using a generic TCP SSL wrapper tool


There are several generic tools available for wrapping TCP connections with an SSL layer. In our example we will use Stunnel for Windows (http://www.stunnel.org/).

  • Before adding the SSL wrapper we have the following connection stack:
    • HTTP Web Browser -> FusionReactor Internal HTTP Web Server
  • After adding the SSL wrapper we will have the following connection stack:
    • HTTP Web Browser -> SSL TCP Wrapper Tool (Client) -> SSL TCP Wrapper Tool (Server) -> FusionReactor Internal HTTP Web Server

FusionReactor should be configured to accept requests ONLY on the local/loopback interface using the built-in web server. This can be done by following the steps below.

  1. Access your FusionReactor instance.
  2. Navigate to FusionReactor > Settings.
  3. Locate the Internal HTTP tab and add the following settings.
    • Web Server: Enabled
    • Web Server IP Address: 127.0.0.1
    • Web Server Port: 8088 (can be anything available on your system, the default should be OK)

Install your SSL TCP wrapper on the server (machine A) and configure it to forward incoming traffic to the IP and port configured above.

  • For Stunnel 4.27, you would do this with the following syntax:
    • stunnel -d <external SSL wrapped HTTP port> -r 127.0.0.1:<internal HTTP server port>
  • Example:
    • stunnel -d 9000 -r 127.0.0.1:8088

Next, install your SSL TCP wrapper on the client (machine B) and configure it to forward outgoing traffic to the SSL wrapper port configured above (in our example, this would be the IP of the server and port 9000).

  • For Stunnel 4.27, assuming our web server IP was 192.168.0.1, you would do this as follows (-c puts stunnel in client mode, so it accepts plain text locally and speaks SSL to the server):
    • stunnel -c -d 9050 -r 192.168.0.1:9000

Finally, the URL to access FusionReactor now becomes http://127.0.0.1:9050/ (Remember: This URL is only available from the machine where you installed the SSL wrapper client. In our example, machine B)
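The same two-ended tunnel written as stunnel configuration files, which is how stunnel 4.x and later are normally set up. This is an added example, not part of the original technote. The certificate and CA file paths and the service name are placeholders, and certificate verification and the loopback-only bind on the client are assumptions the technote does not cover.

```ini
; ---- Machine A (server): stunnel.conf ----
; Placeholder path: PEM file holding the server certificate and private key
cert = /path/to/server-cert-and-key.pem

[fusionreactor]
; SSL-wrapped port exposed to the network (9000 in the technote's example)
accept = 9000
; FusionReactor's internal HTTP server, bound to loopback only
connect = 127.0.0.1:8088

; ---- Machine B (client): stunnel.conf ----
; Client mode: accept plain text locally, connect out over SSL
client = yes
; Assumption: require a server certificate that validates against this CA
; (placeholder path). Without verification the tunnel is encrypted but the
; client cannot tell whether it reached the real machine A.
verify = 2
CAfile = /path/to/ca-cert.pem

[fusionreactor]
; Assumption: listen on loopback only, so other hosts on machine B's network
; cannot use the plain-text entry point of the tunnel
accept = 127.0.0.1:9050
; Machine A's address and SSL-wrapped port from the technote's example
connect = 192.168.0.1:9000
```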

Details


  1. In this configuration, the web browser on the client (machine B) connects to the SSL wrapper running on machine B (port 9050 in our example).
  2. The SSL wrapper then forwards this plain text connection over SSL to the wrapper server on machine A (port 9000 in our example).
  3. The SSL wrapper server on machine A then decrypts the connection and forwards it as plain text to 127.0.0.1:8088.
  4. This way, no external FusionReactor TCP traffic is sent over a plain text connection.

Important: This technote describes securing the FusionReactor interface with HTTPS / SSL. If you are running FusionReactor Enterprise edition, you may also wish to secure the inter-server connections. This can be done using the same principle with either of the methods described above.

Issue Details

Type: Technote
Issue Number: FRS-225
Components: Enterprise Dashboard, FR Enterprise Dashboard Desktop Application, FusionReactor Settings
Environment:
Resolution: Fixed
Last Updated: Today 1:16 PM
Affects Version: 1.0, 2.0, 2.0.3, 2.0.4, 3.0, 3.0.1
Fixed Version: 6.2.2
Server:
Platform:
Related Issues:

FRS-418: FusionReactor Cloud Firewall DNS and Static IP address rules
