** This guide was updated on 16/03/2015 to include the change suggested by https://community.spiceworks.com/profile/show/Utegrad, who provided the correct way to rewrite only external connections to HTTPS. Some Spiceworks queries use 127.0.0.1 as the URL, and if these are forced to SSL it breaks the SSL cert. **

This brief How-to explains how to improve your Spiceworks installation’s security by forcing everyone to use SSL to connect, as well as setting some minimum requirements for the type of SSL connections we want to accept.
This will remove some of the less secure options that older SSL versions allowed, such as being able to use no SSL cipher at all (allowing all traffic to be intercepted).

I make no claims as to the security of the ciphers we do allow so you may still want to do your own research and further enable/disable ciphers.

Step 1: Force all Connections to use SSL

As Spiceworks uses Apache we can easily force all connections to use SSL by implementing a URL rewrite rule.

To do this we need to edit the httpd.conf file that holds Apache’s configuration. This is stored within your Spiceworks installation folder under httpd\conf.

Scroll down towards the end of the httpd.conf file and around line 147 look for the lines that contain:

FcgidMaxProcessesPerClass 1
FcgidMinProcessesPerClass 1

Then underneath these lines add the following:

RewriteEngine On
#Force SSL on all connections
RewriteCond %{HTTPS} off
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Step 2: Change the SSL Settings

Now we want to tell Apache what SSL protocols we will accept and disable some of the less secure ciphers that can be used.

To do this scroll to the very bottom of the httpd.conf file and find the section that begins with:

<VirtualHost *:443 >

Inside this either comment out or delete the line that begins with “SSLCipherSuite”.
Now add these two lines in its place:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

This tells Apache that we only want to accept SSL version 3 and TLS version 1 connections, and limits which ciphers can be used to handle the encryption. In this case we disable things like NULL ciphers (no encryption).

A bit of further research may allow you to edit this list even further depending on your security requirements.

Step 3: Save and Apply Changes

Save the httpd.conf changes, then restart Spiceworks to apply them.
You can verify they are working by trying to reach your Spiceworks install using just an http:// link; you should see it swap to https:// instantly.

Now that you are using SSL for everything, you might want to consider using a “proper” SSL certificate that doesn’t generate warnings in your web browser. There are two ways to do this. You can buy a public SSL certificate from somewhere like GoDaddy; this is the best thing to do if you intend to have external users (such as customers) accessing your Spiceworks. Alternatively, if you only use Spiceworks internally, you can generate your own SSL certificate that is signed properly and then distribute this to all your users either manually or via Group Policy.
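
For the "further research" that Step 2 suggests, the following added example (not part of the original guide or of Spiceworks) reads httpd.conf text and reports which deprecated protocols and weak cipher classes the SSLProtocol and SSLCipherSuite lines still admit. The sample config is constructed from the Step 2 lines, the protocol list behind "all" is an assumption, and the cipher check approximates OpenSSL's cipher-string rules rather than reproducing them.

```python
# Constructed sample: the Step 2 directives as they would sit in httpd.conf.
SAMPLE_CONF = """
<VirtualHost *:443 >
    #SSLCipherSuite (original line, commented out as Step 2 describes)
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</VirtualHost>
"""
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # assumed meaning of "all"
DEPRECATED = {"SSLv2": 6176, "SSLv3": 7568, "TLSv1": 8996, "TLSv1.1": 8996}  # RFC numbers
WEAK_CIPHERS = ["aNULL", "eNULL", "EXP", "LOW", "RC4", "MD5"]

def directives(conf):
    """Return [name, args] pairs, skipping comments and <Section> lines."""
    rows = [l.split(None, 1) for l in map(str.strip, conf.splitlines())]
    return [r for r in rows if len(r) == 2 and r[0][0] not in "#<"]

def enabled_protocols(args):
    """Apply SSLProtocol tokens in order: +x adds, -x removes, bare x replaces."""
    on = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = {p for p in KNOWN if name.lower() in ("all", p.lower())}
        on = on | names if sign == "+" else on - names if sign == "-" else names
    return on

def reachable_weak(suite):
    """Weak cipher classes a suite string still admits (an approximation)."""
    toks = [t for t in suite.split(":") if t]
    killed = {t[1:] for t in toks if t[0] == "!"}
    # Only bare tokens select ciphers; a leading "+" merely reorders, "-" removes.
    selected = [set(t.split("+")) for t in toks if t[0] not in "!+-"]
    broad = any("ALL" in s for s in selected)  # ALL covers everything but eNULL
    return [w for w in WEAK_CIPHERS if w not in killed and
            (any(w in s for s in selected) or (broad and w != "eNULL"))]

def audit(conf):
    """Findings for every SSLProtocol and SSLCipherSuite line in the config text."""
    findings = []
    for name, args in directives(conf):
        if name.lower() == "sslprotocol":
            findings += [f"{p} enabled, deprecated by RFC {DEPRECATED[p]}"
                         for p in sorted(enabled_protocols(args)) if p in DEPRECATED]
        elif name.lower() == "sslciphersuite":
            findings += [f"cipher class {w} reachable" for w in reachable_weak(args)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Note that `+HIGH` and `+MEDIUM` in the guide's string only move ciphers to the end of the list; RC4 and MD5 suites stay reachable because `ALL` selected them and nothing excludes them with `!`.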

Updated the How-To to fix a problem where the SSL redirection was preventing Spiceworks from working correctly. It should now be able to redirect the initial /splash page after a restart and no longer breaks things like ticket updates.

I tried this exactly how it shows above, but the spice works server never seems to stay in a restart mode or loop. Any ideas?

How do you mean it never seems to stay in a loop?

For whatever reason this is breaking my network scanning. If I remove this it works fine. Same issue as here http://community.spiceworks.com/topic/116348

Hi Mike, thanks for the link, I have been fighting all morning with this and can’t find a way to get SSL forced for everyone without also breaking the network scanning process.

If anyone has any suggestions on how to get this working again let me know as I’m out of ideas.

I just noticed this issue as well, my scanning will not work once I make this change. I only saw this with the newest version of spiceworks: 5.0.59341.

I also have had no luck getting this to even run at all. This apparently breaks my server. When loading, the bar is on the desktop (always means something is wrong) and it just gets stuck at full.

I doubt this makes a difference but I am using a different port than 443 for my SSL connection as well as simple http.

Okay for all of those who also haven’t gotten this to work, for some reason, Spiceworks does not like supporting this feature while you have specified different ports for either https or http. You must use the default 80, 443.

It works for me when defaulting the ports.

NOTE: Changing the port value will reset your entire httpd.conf file so backup any changes you have made.

It will appear to work however your network scans will no longer work and new tickets won’t automatically be loaded (you will have to manually click the Refresh Tickets button to get them to load).

I suspect that there are some hardcoded http:// entries in the spiceworks-finder.exe application and elsewhere in the code that causes the breakages so until HTTPS everywhere is officially supported by Spiceworks I’m not sure there is any workaround.
If you just want to force HTTPS for the user portal then there is an option for this in the HelpDesk Settings page, unfortunately this is the only option available for now.

Does this still not work in the current 5.0 release? These posts were from last year, and I can’t find anything else on it. I want to use the new iPhone app, but would like it to be secured.

Yes, this does not work with 5.0, currently it needs some work done by Spiceworks to enable SSL support fully, hopefully we will see it as an official feature at some point in the future.

I want to use a “proper” certificate from Go Daddy or something. What do I need to do to create a request and add the certificate? I have done this before for Apache but I took a reroute and created it in Windows IIS and then exported it to PFX and then converted it and imported it into Apache. There must be a simpler way. Thx.

You can often use tools on your SSL providers website to create a certificate request, or if you already have the certificate in PFX format you can follow this guide to convert it to Apache format and install it for Spiceworks:

http://community.spiceworks.com/how_to/show/922

Was this corrected in 5.1 or is forcing SSL still a no-go?

I believe there are still issues the last time I checked with an earlier 5.1 release, it might be possible to work around the problems by creating an advanced rewrite rule that allows Spiceworks to still use regular http connections to connect to itself but anyone accessing SW externally will be forced to use SSL.

Hi Nick,

I really need to open my spiceworks to the internet so that some of our users can access it remotely. Are you saying that is possible with 5.1 as long as everyone is accessing SW using SSL?

Hi Nick,

I have been asked to set up SSL on Spiceworks as we want to be able to access it externally. We do have a SBS 2003 server but our Spiceworks installation is running from an XP box (IIS is not installed on it so I am assuming it’s using the Apache that comes with Spiceworks). I have tried following lots of different links from the community and I feel I am so close to understanding the process but I cannot figure part of it out.

Assuming I already have a GoDaddy cert (*.pfx), would I follow the procedures from http://community.spiceworks.com/how_to/show/922 but ignore parts 1 and 2? If I don’t have a cert already, am I to assume I would install IIS on the spiceworks box and request a cert that way first? If Apache is built into the spiceworks application, is there a way to just request a cert through that?

(Please forgive my ignorance, it’s been a long day and I’m probably just having a brain fart and cannot put the pieces together.)

Any help you could give would be truly appreciated.

As long as SSL is enabled on your Spiceworks installation, you can create a rule in your firewall with NAT to allow only 443 (or whatever port you have for SSL) connections to it. This way, you do not have to “force” external clients to use SSL via the application. You do it via the firewall. Hope this helps.

In order to become PCI Compliant we need to ensure that this ssl connection is SSLv3 only and does not support v2. I notice at the top this does not work for Spiceworks v5, is there any way to force SSLv3 only on the latest version of spiceworks? This is a major issue for us in gaining PCI Compliance.