How to enable HTTP over TLS (HTTPS) for Web Administration

Step-by-step guide on how to enable HTTP over TLS (HTTPS) for Web Administration

This page describes how to use a certificate (provided by a Certificate Authority or self-signed) to enable HTTP over TLS (HTTPS) for Buru SFTP Server Web Administration.

1. Get a TLS certificate

We recommend getting a TLS certificate from a trusted Certificate Authority (CA). The request process is beyond the scope of this article but is usually described in detail on the Certificate Authority website.

For testing or internal purposes you can create a self-signed certificate. Such a certificate will usually trigger a warning in the client's browser, so we strongly discourage using self-signed certificates on public servers.

There are several ways to create a self-signed certificate. The snippets below will create a password-protected, RSA 4096-bit SHA-256 pfx certificate named burusftp.pfx in the current directory. Make sure to replace the password and common name (CN) with real values.

Run the following command in the console:

burusftpwa certgen -s "CN=yourdomain.com" -p "password" burusftp

The certgen command has many options available - see the documentation.

1b. Using PowerShell

Run the following commands in PowerShell as administrator

$cert = New-SelfSignedCertificate -Subject 'CN=yourdomain.com' -KeyLength 4096
$password = "password" | ConvertTo-SecureString -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath burusftp.pfx -Password $password

1c. Using OpenSSL (when available)

Run the following two commands

openssl req -x509 -newkey rsa:4096 -sha256 -keyout burusftp.key -out burusftp.crt -subj "/CN=yourdomain.com" -days 400
openssl pkcs12 -export -name "burusftp" -out burusftp.pfx -inkey burusftp.key -in burusftp.crt
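
Whichever method produced burusftp.pfx, it is worth confirming that the file opens with the chosen password and contains what step 2 expects before the configuration points at it. The following PowerShell check is an added example, not part of the Buru SFTP Server documentation; the function name Test-PfxForHttps and the default thresholds are assumptions.

```powershell
# Added example, not vendor code. Function name and thresholds are assumptions.
function Test-PfxForHttps {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $MinRsaBits = 2048,  # assumed floor; the snippets above create 4096-bit keys
        [int] $WarnDays = 30       # assumed renewal warning window
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    # Throws if the file is not a PKCS#12 container or the password is wrong.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
        $alg = $cert.SignatureAlgorithm.FriendlyName
        $now = Get-Date
        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in the PFX' }
        if ($rsa -and $rsa.KeySize -lt $MinRsaBits) { $problems += "RSA key is only $($rsa.KeySize) bits" }
        if ($alg -match 'sha1|md5') { $problems += "weak signature algorithm: $alg" }
        if ($now -lt $cert.NotBefore) { $problems += "not valid before $($cert.NotBefore)" }
        if ($now -gt $cert.NotAfter) { $problems += "expired on $($cert.NotAfter)" }
        elseif (($cert.NotAfter - $now).TotalDays -lt $WarnDays) { $problems += "expires within $WarnDays days" }
        if (-not $san) { $problems += 'no subjectAltName; browsers match the host name against SAN, not CN' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)  # heuristic: issuer equals subject
            RsaKeyBits = if ($rsa) { $rsa.KeySize } else { $null }
            Signature  = $alg
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Problems   = $problems
        }
    }
    finally { $cert.Dispose() }
}

# Usage: prompt for the password rather than typing it on the command line.
# Test-PfxForHttps -Path .\burusftp.pfx -Password (Read-Host 'PFX password' -AsSecureString)
```

An empty Problems list means the file loaded and passed every check; a certificate created with only a CN subject will be reported as lacking a subjectAltName.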

2. Update the configuration file

Enable HTTPS in the webconfig.yaml configuration file. As in the previous step, replace the filePath and password with real values.

bindings:
  # listen for HTTPS requests on https://localhost:443
  - hostname: localhost
    port: 443
    certificateFromFile:
      filePath: C:\some\path\burusftp.pfx
      password: "password"

The Web Administration as configured in the example above will only be accessible from the same machine. To make the administration reachable from outside on all network interfaces, change hostname from localhost to 0.0.0.0.

Note: Loading a certificate from a .pfx file is the simplest way. For better security, you should import the certificate (with a non-exportable private key) into the certificate store provided by Windows. To use the certificate from there, see the config file documentation.

3. Restart the Web Administration service

For the changes to take effect, restart the Web Administration service either in the Services section of the Windows Control Panel or using the following command:

burusftpwa svc restart

Notes

You can also enable HTTPS by using a standalone web server as a reverse proxy. These articles should get you started:

Web Administration displays a warning when an unencrypted HTTP endpoint is used, which might be the case when using a reverse proxy. To suppress this warning, use the suppressHttpEndpointWarning: true option in the web admin configuration file.