3.8.1 Enabling HTTPS

MetaDefender Core supports accessing the Web UI and REST interface via HTTPS. This feature is not enabled by default. There are two ways to enable it:

  • via Management Console or

  • modifying MetaDefender Core server configuration via configuration files.

If HTTPS is configured both ways, only the settings made in the Management Console take effect. It is highly recommended not to use both configuration files and the user interface for HTTPS settings at the same time.

Enabling HTTPS via Management Console

  1. Go to the Settings→Security page.

  2. If no certificate-key pair has been added to the inventory, go to the Inventory→Certificates page and add the one you want to use for securing HTTP connections.

  3. Tick the Enable HTTPS connection checkbox and choose a certificate-key pair.

  4. When you click Save settings, you will be warned that the Management Console is going to be restarted and that this will take some time.

  5. Approximately 30 seconds after you confirm saving the configuration, the Management Console will be reloaded via HTTPS.

Enabling HTTPS via configuration files

First, create your certificate and key files in a convenient directory. The examples below use the paths /etc/ometascan/nginx.d/your.crt and /etc/ometascan/nginx.d/your.key for Linux, and C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt and C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key for Windows.

On Linux

  1. Create the file ssl.conf in the directory /etc/ometascan/nginx.d.

  2. Enter the SSL configuration using Nginx syntax. To enable simple SSL, only the following lines are needed:

    ssl on;
    ssl_certificate /etc/ometascan/nginx.d/your.crt;
    ssl_certificate_key /etc/ometascan/nginx.d/your.key;

  3. A service restart is required for these changes to take effect.

On Windows

  1. Create the file ssl.conf in the directory <Installation Directory>\nginx.

  2. Enter the SSL configuration using Nginx syntax. To enable simple SSL, only the following lines are needed (note the forward slashes "/"):

    ssl on;
    ssl_certificate "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.crt";
    ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Core/nginx/your.key";

  3. A restart of the “OPSWAT Metadefender Core” service is required.

'\n' sequences in paths

Using the standard Windows path separator backslash '\' may give unexpected results if directory or file names start with 'n'. The reason is that the sequence '\n' is interpreted as a new line by nginx.

For example, the following directive

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";

will be read by nginx as

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt
ginx\your.crt";

As a workaround, instead of a backslash '\', use

  1. Forward slash '/' or

  2. Double backslash '\\'.
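
The substitution described above can be caught before the service is restarted. The following is an added example, not part of the OPSWAT documentation or product: it models how nginx unescapes a quoted value and reports certificate or key paths that end up containing a control character. The helper names nginx_unescape and lint_ssl_conf are hypothetical, the sample configuration is constructed, and only quoted values are inspected.

```python
import re

# Directives from the page whose values are file paths.
PATH_DIRECTIVES = ("ssl_certificate", "ssl_certificate_key")

# Escapes nginx's config parser rewrites inside a quoted string. The page
# documents \n; \t and \r are rewritten by nginx in the same way.
CONTROL_ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}
KEEP_NEXT = {"\\", '"', "'"}  # backslash is dropped, next char kept

def nginx_unescape(value):
    """Return the string nginx ends up with for a quoted config value."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if ch == "\\" and nxt in CONTROL_ESCAPES:
            out.append(CONTROL_ESCAPES[nxt])
            i += 2
        elif ch == "\\" and nxt in KEEP_NEXT:
            out.append(nxt)
            i += 2
        else:
            out.append(ch)  # e.g. "\P" stays as backslash + "P"
            i += 1
    return "".join(out)

def lint_ssl_conf(text):
    """Return (line_no, directive, resolved_path) for every mangled path."""
    findings = []
    pattern = re.compile(r'^\s*(\w+)\s+"((?:[^"\\]|\\.)*)"\s*;')
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = pattern.match(line)
        if not m or m.group(1) not in PATH_DIRECTIVES:
            continue
        resolved = nginx_unescape(m.group(2))
        if any(c in resolved for c in "\n\t\r"):
            findings.append((line_no, m.group(1), resolved))
    return findings

# Constructed sample: line 2 uses the broken form shown on the page.
SAMPLE = r'''ssl on;
ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";
ssl_certificate_key "C:/Program Files/OPSWAT/Metadefender Centralmgmt/nginx/your.key";
'''

if __name__ == "__main__":
    for line_no, directive, resolved in lint_ssl_conf(SAMPLE):
        print(f"line {line_no}: {directive} resolves to {resolved!r}")
```

Run against the constructed sample, only the backslash form on line 2 is reported; the forward-slash and double-backslash forms pass.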

Note that the certificate and key files are to be provided by the user, who can store them wherever it is convenient. Please adjust the paths accordingly.

Note: When choosing a location for the cert and key files, make sure the files are in a location that is readable by the service user.

For more SSL options, please consult the Nginx documentation.