3.2 Configuring TLS

For production MetaDefender ICAP Server deployments, a more sophisticated TLS configuration is recommended than the one described below. Please consult the nginx documentation on Configuring HTTPS servers and the stunnel manual for further details.

It is not recommended to use self-signed certificates in production environments. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one.

Web Management Console

MetaDefender ICAP Server supports accessing the Web Management Console via HTTPS. This feature is, however, not enabled by default. To enable TLS/HTTPS, modify the MetaDefender ICAP Server configuration by following the steps below.

Linux

Let us assume that MetaDefender ICAP Server is installed in:

/path/to/mdicapsrv

and the server certificate is:

/path/to/certificate.crt

and the private key belonging to the certificate is:

/path/to/privatekey.key

To simply enable TLS:

  1. Create file ssl.conf in the directory /path/to/mdicapsrv/nginx.d

  2. Add the following lines:

    ssl on;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/privatekey.key;
  3. Restart mdicapsrv service.

Windows

Let us assume that MetaDefender ICAP Server is installed in:

C:\Path\To\Metadefender ICAP Server

and the server certificate is:

C:\Path\To\certificate.crt

and the private key belonging to the certificate is:

C:\Path\To\privatekey.key

To simply enable TLS:

  1. Create file ssl.conf in the directory C:\Path\To\Metadefender ICAP Server\nginx.

  2. Add the following lines:

    ssl on;
    ssl_certificate "C:\Path\To\certificate.crt";
    ssl_certificate_key "C:\Path\To\privatekey.key";
  3. Restart OPSWAT MetaDefender ICAP Server service.

Important notes

When choosing location for certificate and key files, make sure that these files are in a location which is readable to the service user.

Certificate and key files should be obtained and saved by the user in a convenient location; adjust the paths in ssl.conf accordingly.
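The following is an added example of a fuller ssl.conf in the spirit of the "more sophisticated TLS configuration" recommended at the top of this page; it is not a snippet from the OPSWAT documentation. It keeps the three directives from the Linux and Windows steps above (with this page's placeholder paths) and adds standard nginx TLS directives. It assumes that files in nginx.d are included at server level, where these directives are valid; that is an assumption about the product's bundled nginx, not something this page states.

```nginx
# ssl.conf (added example, not from the product documentation).
# The three lines below are the ones given in the steps above; paths are the
# placeholders used on this page. "ssl on;" is what the product's steps use; in
# stock nginx 1.15+ the directive is deprecated in favour of "listen ... ssl",
# but the listen line lives in the product's own configuration, so keep it as documented.
ssl on;
ssl_certificate     /path/to/certificate.crt;   # server certificate followed by any intermediates
ssl_certificate_key /path/to/privatekey.key;    # must be readable by the service user, and by nobody else

# Only current protocol versions; TLS 1.0 and 1.1 are deprecated (RFC 8996).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# AEAD suites with forward secrecy only (TLS 1.3 suites are selected by OpenSSL defaults).
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

# Session resumption without long-lived ticket keys.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# HSTS: only add once the console is served with a CA-issued certificate, since
# browsers will then refuse plain HTTP and untrusted certificates for max-age.
add_header Strict-Transport-Security "max-age=31536000" always;
```

After restarting the service, confirm the chain and protocol versions from a client (for example `openssl s_client -connect host:port` ) before enabling the HSTS line.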

ICAP interface

MetaDefender ICAP Server does not support the TLS protocol on the ICAP interface out of the box. Stunnel can be configured to accept ICAP requests over a TLS connection, decrypt the request, and pass it to the local MetaDefender ICAP Server.


Installation

Linux

Debian / Ubuntu (.deb)

$ sudo apt-get install stunnel

Red Hat / CentOS (.rpm)

$ sudo yum install stunnel

Windows

  1. Download the Windows installer from stunnel's download page

  2. Start the installer and follow its steps (use default values if you are not sure)

  3. During the installation you will be asked to generate a self-signed certificate file. Fill in the required fields with your information

  4. Make sure that "Start stunnel after installation" is not checked at the end of the setup

Configuration

Linux

Red Hat / CentOS

  1. You need a valid certificate for stunnel regardless of what service you use it with. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one, or you can create a self-signed certificate. To create the self-signed certificate for stunnel: [RHEL]

    # cd /etc/pki/tls/certs
    # make stunnel.pem
  2. The certificate is generated interactively; fill in the required fields with your information.

  3. Create and edit /etc/stunnel/stunnel.conf file and add the following lines:

    [icaps]
    accept = 11344
    connect = 1344
    cert = /etc/pki/tls/certs/stunnel.pem

    Where:

    1. accept: The port number where stunnel listens for TLS connections for the given service

    2. connect: The port number where the decrypted connections are forwarded to. (This should be the port used by MetaDefender ICAP Server)

    3. cert: The TLS certificate used by the service. You can set your own or use the one generated during stunnel setup (which is stunnel.pem next to stunnel.conf)

  4. Save and close the configuration file.

  5. Start stunnel with the following command:

    # stunnel /etc/stunnel/stunnel.conf

Windows

Let us assume that stunnel is installed in:

C:\Path\To\stunnel

  1. Locate and open the stunnel.conf file. It should be under the config directory in the stunnel installation directory. (e.g., C:\Path\To\stunnel\config\stunnel.conf)

  2. Add the following lines at the end of the file:

    [icaps]
    accept = 11344
    connect = 1344
    cert = C:\Path\To\stunnel\config\stunnel.pem

    Where:

    1. accept: The port number where stunnel listens for TLS connections for the given service

    2. connect: The port number where the decrypted connections are forwarded to. (This should be the port used by MetaDefender ICAP Server)

    3. cert: The TLS certificate used by the service. You can set your own or use the one generated during stunnel setup (which is stunnel.pem next to stunnel.conf)

  3. Save and close the configuration file.

  4. Start stunnel service.
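The following is an added example of a hardened stunnel.conf that serves both the Red Hat / CentOS and the Windows steps above; it is not taken from the OPSWAT documentation or the stunnel distribution. It keeps the [icaps] section from the steps (same ports, Linux certificate path) and adds global options and TLS settings from the stunnel manual. The stunnel user/group name, the log path and the optional client-CA file are assumptions; on Windows, drop the setuid/setgid lines and use the C:\Path\To\stunnel\config paths from the steps above.

```ini
; stunnel.conf (added example, not from the product documentation).
; Comments must be on their own line: stunnel does not strip trailing comments from values.

; Global options (Linux). Drop privileges after binding the listener; the
; account name "stunnel" is an assumption, create it or use an existing service account.
setuid = stunnel
setgid = stunnel
foreground = no
; Log level 5 (notice) records each TLS handshake outcome without dumping payloads.
debug = 5
output = /var/log/stunnel.log

[icaps]
; TLS listener for ICAP clients (the port from the steps above).
accept = 0.0.0.0:11344
; Forward decrypted traffic only to the local ICAP server; never to a remote host,
; since the hop after stunnel is plaintext ICAP.
connect = 127.0.0.1:1344
; Certificate from the steps above. If the key is in a separate file, add "key = ...".
cert = /etc/pki/tls/certs/stunnel.pem
; Refuse TLS 1.0/1.1 (stunnel 5.50 and later; older releases use
; "options = NO_TLSv1" and "options = NO_TLSv1.1" instead).
sslVersionMin = TLSv1.2
; Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites use OpenSSL defaults.
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
; Optional: require ICAP clients to present a certificate chaining to your own CA,
; so that only your proxies can reach the decryption hop. The CA path is an assumption.
; verifyChain = yes
; CAfile = /etc/pki/tls/certs/icap-clients-ca.pem
```

Because port 1344 stays open in plaintext for stunnel to connect to, keep it bound to localhost or filtered by the host firewall so that clients cannot bypass the TLS listener.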

Important notes

The certificate generated by stunnel is a self-signed certificate. It is not recommended to use self-signed certificates in production environments. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one.
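As a check that the stunnel listener really is terminating TLS in front of MetaDefender ICAP Server, the following added example (not part of the OPSWAT documentation) opens a verified TLS connection to the accept port, sends an ICAP OPTIONS request and reports the status line and negotiated TLS version. The host name, the ICAP service path and the CA bundle path are placeholders. It verifies the server certificate the way a real client should, so with the self-signed stunnel.pem discussed above the connection fails with a certificate verification error unless that certificate is explicitly passed as the CA bundle; that failure is the point of the note, not a bug in the check.

```python
"""Added example: probe a stunnel-wrapped ICAP port with a verified TLS connection
and an ICAP OPTIONS request. Not part of the product documentation; host, port,
service name and CA bundle are placeholders/assumptions."""
import socket
import ssl
from typing import Optional, Tuple

# Constructed placeholders; replace with your deployment's values.
ICAPS_HOST = "icap.example.test"
ICAPS_PORT = 11344          # the stunnel "accept" port from the steps above
ICAP_SERVICE = "service"    # assumption: substitute the real ICAP service path
CA_BUNDLE = None            # e.g. "/etc/pki/tls/certs/ca.pem"; None = system trust store


def build_options_request(host: str, port: int, service: str) -> bytes:
    """ICAP/1.0 OPTIONS request (RFC 3507); null-body=0 says no payload follows."""
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(response: bytes) -> Tuple[str, int, str]:
    """Return (version, status code, reason) from the first line of an ICAP response."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {first!r}")
    return parts[0], int(parts[1]), parts[2] if len(parts) == 3 else ""


def make_client_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Client context that verifies chain and host name and refuses TLS below 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_icaps(host, port, service, cafile=None, timeout=5.0):
    """Connect, verify the certificate, send OPTIONS; return (status tuple, TLS version)."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls_version = tls.version()           # read before the socket is closed
            tls.sendall(build_options_request(host, port, service))
            data = b""
            while b"\r\n\r\n" not in data:        # read until the end of the ICAP headers
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_status_line(data), tls_version


if __name__ == "__main__":
    try:
        (version, code, reason), negotiated = probe_icaps(
            ICAPS_HOST, ICAPS_PORT, ICAP_SERVICE, CA_BUNDLE)
        print(f"{negotiated}: {version} {code} {reason}")
    except ssl.SSLCertVerificationError as exc:
        # A self-signed stunnel.pem lands here unless it is supplied as CA_BUNDLE.
        print(f"certificate verification failed: {exc}")
```

Run it from a host that is allowed to reach the accept port; a `200` status with `TLSv1.2` or `TLSv1.3` confirms the chain, and the same request sent to the plaintext port 1344 from outside the host should be refused by the firewall rather than answered.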