Setting up HTTPS

By default, communication with the Management Console is not encrypted.
If you enable HTTPS, the server can enforce secure connections between client and server over an SSL/TLS channel.

Enabling HTTPS on nginx

  1. Place your certificate on the system

  2. Edit the "server" block in "C:\Program Files (x86)\OPSWAT\Metadefender Kiosk\Client\REST\conf\dynamic.conf":

    1. Add the "ssl" parameter to the listening ports

    2. Specify the locations of the certificate and private key files

      listen 8009 ssl;
      listen [::]:8009 ssl;
      ssl_certificate "C:/Program Files/cert/your.crt";
      ssl_certificate_key "C:/Program Files/cert/your.key";

      Use forward slashes in the certificate paths to avoid any nginx parsing issues.

    3. Limit connections to use specific versions of SSL/TLS

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

      Recommended setting:

      ssl_protocols TLSv1.2;

    4. Limit connections to use specific ciphers

      ssl_ciphers HIGH:!aNULL:!MD5;

      Recommended setting:

      ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;


  3. In Task Manager, restart the MetadefenderSVC service
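
To check an edited "server" block against the steps above before restarting the service, the following added example (not OPSWAT's code) audits the directives named on this page. The function name audit_server_block and the sample block are constructed for illustration; the recommended protocol and cipher values are copied from the steps above.

```python
import re

# Recommended values as given on this page.
RECOMMENDED_PROTOCOLS = {"TLSv1.2"}
RECOMMENDED_CIPHERS = set((
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256"
).split(":"))

# Constructed sample "server" block, not taken from a real installation.
SAMPLE_CONF = r'''
server {
    listen 8009 ssl;
    listen [::]:8009;
    ssl_certificate "C:\Program Files\cert\your.crt";
    ssl_certificate_key "C:/Program Files/cert/your.key";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
'''

DIRECTIVE = re.compile(r"^[ \t]*([a-z_]+)[ \t]+([^;{}\n]*);", re.MULTILINE)

def audit_server_block(conf_text):
    """Return findings where the block deviates from the steps on this page."""
    conf_text = re.sub(r"(?m)^[ \t]*#.*$", "", conf_text)  # drop comment lines
    seen = {}
    for name, value in DIRECTIVE.findall(conf_text):
        seen.setdefault(name, []).append(value.strip())
    findings = []
    for value in seen.get("listen", []):
        if "ssl" not in value.split():
            findings.append(f"listen {value}: missing ssl parameter")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name}: not set")
        findings += [f"{name}: backslash in path {v}" for v in values if "\\" in v]
    for name, allowed, sep in (("ssl_protocols", RECOMMENDED_PROTOCOLS, None),
                               ("ssl_ciphers", RECOMMENDED_CIPHERS, ":")):
        tokens = [t for v in seen.get(name, []) for t in v.split(sep) if t]
        extra = [t for t in tokens if t not in allowed]
        if not tokens:
            findings.append(f"{name}: not set")
        elif extra:
            findings.append(f"{name}: outside recommended setting: {' '.join(extra)}")
    return findings
```

Calling audit_server_block(SAMPLE_CONF) returns one finding each for the IPv6 listener without "ssl", the backslash certificate path, the extra protocol versions, and the non-recommended cipher string; an empty list means the block matches the recommended settings.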