Change the Web Console NGINX Configuration to Modify Available Ciphers
The LogRhythm Web UI uses NGINX at its core to host the Web Console. NGINX uses the OpenSSL library for SSL and TLS. This includes the ciphers available for connections. LogRhythm will continue to update the default cipher list to meet industry standards and balance customer needs for confidentiality, integrity, and availability.
If there is a requirement in the system to modify the available ciphers or cipher suites from the default settings, use the following instructions to modify the cipher list.
In most cases, scanning software will provide the minimum suggested cipher list in the scan itself.
Edit the NGINX Template File
The nginx.conf.ejs template file can be edited to include the required ciphers. The default location for this file is C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\src\nginx\nginx.conf.ejs.
When the LogRhythm Web Console UI service is started, this file is used as the template to create the nginx.conf at C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\dest\conf\nginx.conf, and the generated nginx.conf is then used to configure the NGINX Web Server.
Do not modify the nginx.conf itself as it will be overwritten by the template on startup.
To edit the NGINX template file to include required ciphers:
- Make a backup copy of the nginx.conf.ejs file in the event it needs to be reverted to the default configuration.
- Update the "ssl_ciphers" section of the nginx.conf.ejs.
  The following example shows the default SSL section from the nginx.conf.ejs file:

      # SSL Configuration ###
      listen <%= SSL_PORT %> ssl;
      ssl_certificate "<%= SSL_CERT_LOCATION %>";
      ssl_certificate_key "<%= SSL_KEY_LOCATION %>";
      ssl_protocols TLSv1.2;
      ssl_ciphers "FIPS@STRENGTH:!aNULL:!eNULL:!DES:!3DES";
      ssl_prefer_server_ciphers on;
      server_name $hostname;
      server_tokens off;
      port_in_redirect <%= SSL_PORT_IN_REDIRECT %>;

  Modify the value between the double quotes on the "ssl_ciphers" line to meet system requirements.
- Restart the LogRhythm Web Console UI Service.
- Verify that you are able to access the Web Console Login page.
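The steps above as a PowerShell script, added here as an example and not LogRhythm's own tooling: it backs up the template, rewrites only the quoted ssl_ciphers value, restarts the service, and restores the backup if the service is not running or the regenerated nginx.conf lacks the new value. The script name, the service display name, the wait time and the sample cipher string in the usage comment are assumptions.

```powershell
# Added example: set a new ssl_ciphers value in the template, with backup and rollback.
# Usage (hypothetical script name, constructed value):
#   .\Set-WebConsoleCiphers.ps1 -Ciphers 'FIPS@STRENGTH:!aNULL:!eNULL:!DES:!3DES:!SHA1'
param(
    [Parameter(Mandatory)] [string] $Ciphers,
    # Default install path given on this page.
    [string] $Root = 'C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI',
    # Assumption: the service display name; confirm with Get-Service first.
    [string] $ServiceDisplayName = 'LogRhythm Web Console UI',
    # Assumption: seconds to allow for nginx.conf to be regenerated after the restart.
    [int] $WaitSeconds = 10
)
$ErrorActionPreference = 'Stop'
$template = Join-Path $Root 'src\nginx\nginx.conf.ejs'
$rendered = Join-Path $Root 'dest\conf\nginx.conf'

# Conservative whitelist of characters used in OpenSSL cipher strings, so the value
# cannot close the quoted nginx string, add a line, or introduce an EJS tag.
if ($Ciphers -notmatch '\A[A-Za-z0-9@:!+\-_=, ]+\z') { throw 'Unexpected character in cipher string.' }

# Backup copy next to the template.
$backup = "$template.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $template -Destination $backup

# Rewrite only the quoted value on the ssl_ciphers line; refuse if the line is missing or repeated.
$pattern = '(?m)^([ \t]*ssl_ciphers[ \t]+)"[^"]*"([ \t]*;)'
$text = [System.IO.File]::ReadAllText($template)
if ([regex]::Matches($text, $pattern).Count -ne 1) { throw "Expected exactly one ssl_ciphers line in $template." }
# The whitelist excludes '$', so the value is safe inside a regex replacement string.
$updated = [regex]::Replace($text, $pattern, ('${1}"' + $Ciphers + '"${2}'))
# Write UTF-8 without a byte-order mark so no extra bytes precede the first directive.
[System.IO.File]::WriteAllText($template, $updated, (New-Object System.Text.UTF8Encoding($false)))

# Restart, then confirm the service is up and nginx.conf was regenerated with the new value.
try {
    Get-Service -DisplayName $ServiceDisplayName | Restart-Service
    Start-Sleep -Seconds $WaitSeconds
    $running = (Get-Service -DisplayName $ServiceDisplayName).Status -eq 'Running'
    $expected = 'ssl_ciphers\s+"' + [regex]::Escape($Ciphers) + '"'
    $applied = Select-String -LiteralPath $rendered -Pattern $expected -Quiet
    if (-not ($running -and $applied)) { throw 'Service not running or nginx.conf lacks the new cipher list.' }
    "Applied. Backup kept at $backup. Now confirm the Web Console Login page loads."
}
catch {
    # Roll back to the saved template and restart on it.
    Copy-Item -LiteralPath $backup -Destination $template -Force
    Get-Service -DisplayName $ServiceDisplayName | Restart-Service
    throw
}
```

The login page check in the last step stays manual, since the page does not state the Web Console port.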
Troubleshoot SSL Cipher Format
If you are experiencing issues with the format of the ciphers, refer to the OpenSSL Cipher List Format for more information on how this line is formatted to include or exclude specific ciphers or cipher suites.