Overview

A Statseeker installation includes a configured and enabled web server to deliver the Statseeker User Interface. By default, a fresh install of Statseeker will:

  • Accept both HTTP and HTTPS
  • Redirect all HTTP connection attempts to HTTPS
  • Be configured with a self-signed SSL certificate
  • Allow both TLS v1.2 and 1.3
  • Have both Token TTL and Refresh periods set to 30 minutes (1800 seconds; both values are entered in seconds)
  • Have the API authentication method set to Token


Enabling HTTPS

By default, currently supported Statseeker versions are installed with both HTTP and HTTPS enabled, and redirect HTTP traffic to HTTPS. Servers installed from earlier versions and then upgraded may, in some instances, still be running HTTP only.

To enable HTTPS:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top-right corner)
  • Check Enable HTTPS and click Save

The web server will:

  • Display details of which certificate will be used in the SSL Certificates section
  • Restart in HTTPS mode
Note: modern browsers will:

  • Treat connections to HTTP servers as insecure and warn the user
  • Treat HTTPS connections to servers presenting a self-signed certificate as untrusted and warn the user, because the certificate cannot be validated against a trusted CA
  • Remember that a site requires HTTPS (HTTP Strict Transport Security, HSTS, set by the Strict-Transport-Security response header) so that, once a browser has connected to a server via HTTPS, any subsequent attempt to connect to that domain via HTTP is rewritten to HTTPS by the browser itself, until the cached record expires or is removed by the user


Redirect HTTP to HTTPS

The web server configuration allows you to redirect all HTTP connections to HTTPS. To configure this redirection:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Check HTTP Redirect
  • Click Save to confirm the change and restart the web server
Note:

  • HTTP Redirect requires that HTTPS is enabled on that web server
  • If HTTPS is enabled, HTTP requests to the API are redirected to HTTPS with a 308 Permanent Redirect, which tells the client to repeat the same method and body against the HTTPS URL. Some older user agents do not implement 308 and may not follow it, so update your API scripts to use HTTPS directly rather than relying on the redirect.
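As an added example (not part of this documentation or of the Statseeker product), the following shell snippet checks what an API script actually receives from the HTTP listener once HTTP Redirect is enabled: it parses a raw HTTP response, requires a 308, and confirms the Location header points at the HTTPS form of the same host. The two sample responses are constructed, and the host name statseeker.example.com is an assumption.

```shell
#!/bin/sh
# Added example, not Statseeker code. Validates that an HTTP request to the
# Statseeker web server is answered with a 308 redirect to HTTPS on the same host.

# Constructed sample of what the HTTP listener returns with HTTP Redirect enabled.
GOOD_RESPONSE='HTTP/1.1 308 Permanent Redirect
Location: https://statseeker.example.com/
Content-Length: 0'

# Constructed sample of a redirect that should be treated as a misconfiguration:
# a 302 may be replayed as GET by clients, and this one points back at HTTP.
BAD_RESPONSE='HTTP/1.1 302 Found
Location: http://statseeker.example.com/
Content-Length: 0'

# check_redirect RESPONSE HOST
#   Prints OK/FAIL and returns 0 only for "308 -> https://HOST/...".
check_redirect() {
    resp=$(printf '%s\n' "$1" | tr -d '\r')   # tolerate CRLF line endings
    host=$2
    status=$(printf '%s\n' "$resp" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$resp" | awk 'tolower($1)=="location:" {print $2; exit}')
    if [ "$status" != "308" ]; then
        echo "FAIL: expected 308 Permanent Redirect, got ${status:-no status line}"
        return 1
    fi
    case $location in
        "https://$host" | "https://$host/"* | "https://$host:"*) ;;
        *)
            echo "FAIL: Location '$location' is not https://$host/..."
            return 1 ;;
    esac
    echo "OK: 308 -> $location"
}

# live_check HOST
#   Runs the same check against a real server. Needs network access, so it is
#   not exercised offline. curl -s silences progress, -i keeps the status line
#   and headers, and without -L curl does not follow the redirect itself.
live_check() {
    check_redirect "$(curl -si "http://$1/")" "$1"
}
```

Run `live_check <statseeker-host>` from a machine that can reach the server; anything other than "OK: 308 -> https://..." means API scripts that still use http:// are not being sent where you expect.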


Editing the Cipher List

::: WARNING :::

  • If the Statseeker cipher list contains no cipher that is also in the browser’s cipher list, the web interface will be unreachable from that browser
  • Keep your supported TLS versions in mind when restricting available ciphers
  • Typically, there is no need to edit this list

This is an advanced feature; change the list only to meet a specific, well-understood requirement, and verify the list against the clients you need to support before saving it.

To edit this list:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Check Override cipher list
  • Replace the content of the displayed cipher list with your required list of comma-separated values and click Close
  • Click Save to commit your changes and restart the web server


Allowed TLS Versions

By default, the Statseeker server accepts connections using both Transport Layer Security (TLS) v1.2 and v1.3. To restrict the accepted versions:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Check or uncheck each TLS version as needed
  • Click Save to confirm the change and restart the web server
Note: the TLS support settings are inactive and hidden if the web server is configured to use HTTP only.
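As an added example covering both the cipher list and the allowed TLS versions (not Statseeker code), the following shell snippet expands a candidate cipher list with the local OpenSSL, keeps only the TLS 1.2 ciphers it actually resolves to, and checks that at least one is shared with a representative browser list before the list is saved. It assumes that Statseeker passes the list through in OpenSSL cipher-string syntax with commas in place of OpenSSL’s colons; the browser list is constructed, and `probe_tls_version` is a live check that needs network access.

```shell
#!/bin/sh
# Added example, not Statseeker code. Sanity-checks a cipher list before it is
# saved in Web Server Configuration, so a typo or an over-restricted list cannot
# lock every browser out. Assumption: the list is interpreted by OpenSSL, with
# commas standing in for OpenSSL's colon separator.

# Constructed, representative TLS 1.2 cipher list of a current browser.
BROWSER_TLS12='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# expand_ciphers LIST -> one cipher name per line, as OpenSSL resolves LIST
expand_ciphers() {
    spec=$(printf '%s' "$1" | tr ',' ':')
    openssl ciphers -v "$spec" 2>/dev/null | awk '{print $1}'
}

# tls12_ciphers LIST -> only the TLS 1.2 ciphers in LIST. "openssl ciphers -v"
# prints the protocol in column 2; the TLS 1.3 suites it also lists are not
# controlled by this string at all, so they are excluded from the overlap check.
tls12_ciphers() {
    spec=$(printf '%s' "$1" | tr ',' ':')
    openssl ciphers -v "$spec" 2>/dev/null | awk '$2=="TLSv1.2" {print $1}'
}

# shared_tls12 SERVER_LIST CLIENT_LIST -> TLS 1.2 ciphers present in both
shared_tls12() {
    { tls12_ciphers "$1" | sort -u; tls12_ciphers "$2" | sort -u; } | sort | uniq -d
}

# check_cipher_list SERVER_LIST CLIENT_LIST -> 0 if the two can negotiate TLS 1.2
check_cipher_list() {
    n=$(tls12_ciphers "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "REJECT: '$1' resolves to no TLS 1.2 cipher on this OpenSSL"
        return 1
    fi
    common=$(shared_tls12 "$1" "$2" | wc -l | tr -d ' ')
    if [ "$common" -eq 0 ]; then
        echo "REJECT: no TLS 1.2 cipher shared with the browser; lockout if TLS 1.3 is also disabled"
        return 1
    fi
    echo "OK: $common shared TLS 1.2 cipher(s)"
}

# probe_tls_version HOST VERSION   (VERSION is tls1_2 or tls1_3)
#   Live check, needs network: reports whether HOST accepts a handshake
#   restricted to VERSION, which is how to confirm an Allowed TLS Versions change.
probe_tls_version() {
    out=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" "-$2" 2>/dev/null)
    case $out in
        *'Cipher is (NONE)'*) echo "$1 rejects $2" ;;
        *'Cipher is '*)       echo "$1 accepts $2" ;;
        *)                    echo "$1: no TLS handshake (connection failed?)" ;;
    esac
}
```

After disabling a TLS version in the web server configuration, `probe_tls_version <host> tls1_2` and `probe_tls_version <host> tls1_3` confirm what the server actually negotiates, independent of what the GUI displays.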


Authentication Token Settings

Statseeker offers token-based authentication, with users being authenticated via the following methods:

  • File – authenticated directly with the Statseeker server. The Statseeker admin account (an Apache user account used to manage the Statseeker installation) uses the file authentication method.
  • LDAP – use your existing Active Directory/LDAP authentication to manage access to Statseeker
  • RADIUS – use your existing RADIUS server to manage access to Statseeker
  • SAML – a SAML 2.0 driven single sign-on service, using your existing SAML Identity Provider (Okta, Azure AD, Auth0, etc.) implementation

When employing File, LDAP or RADIUS authentication, the Authentication Token TTL (time-to-live) and Refresh periods are specified in the Web Server configuration.

  • These settings are specified in seconds
  • Tokens expire once their TTL period has elapsed
  • The Refresh period begins once the token’s TTL period has ended
  • Any request made within the refresh period will generate a new token
  • Once a token has expired, and the refresh period has ended, any request made will prompt the user to re-authenticate with Statseeker
  • Statseeker provides for setting default Token TTL and Refresh periods, as well as user specific overrides to these values
Note:

  • The Statseeker admin user account will always use basic file authentication, but additional ‘admin-level’ user accounts can be created and used in preference to this standard server account
  • Only one of LDAP, RADIUS or SAML can be in use with Statseeker at any time; basic File authentication is always available and can be applied on a per-user basis
  • If LDAP, RADIUS or SAML is in use, the Statseeker web server must be configured to use HTTPS (HTTPS is enabled by default on all Statseeker installations)
  • When employing SAML authentication, the token settings defined in Statseeker’s Web Server configuration apply only to accounts configured to use basic File authentication (such as the default Statseeker admin account). The tokens used when authenticating via SAML are configured and managed on the Identity Provider side of the integration
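The TTL and Refresh rules above, as an added example (not Statseeker code) from the point of view of an API client under File, LDAP or RADIUS authentication. The function decides whether the client can keep sending its token, must expect a new token in the next response, or must log in again; the defaults match the 30-minute values of a fresh install, and the issue times used below are constructed epoch values.

```shell
#!/bin/sh
# Added example, not Statseeker code. Models the token lifetime an API client
# sees under File, LDAP or RADIUS authentication, using the Web Server
# Configuration defaults. Time values are epoch seconds.

TOKEN_TTL=1800       # seconds a token is valid (default 30 minutes)
TOKEN_REFRESH=1800   # seconds after TTL expiry during which a request still yields a new token

# token_action ISSUED_AT NOW [TTL] [REFRESH] -> reuse | refresh | login
#   reuse   : TTL not yet elapsed, keep sending the existing token
#   refresh : TTL elapsed but still inside the refresh window; the next request
#             is accepted and returns a new token, which the client must store
#   login   : both periods elapsed; the server will demand re-authentication
token_action() {
    issued=$1; now=$2; ttl=${3:-$TOKEN_TTL}; refresh=${4:-$TOKEN_REFRESH}
    age=$((now - issued))
    if [ "$age" -lt "$ttl" ]; then
        echo reuse
    elif [ "$age" -lt $((ttl + refresh)) ]; then
        echo refresh
    else
        echo login
    fi
}

# seconds_until_login ISSUED_AT NOW [TTL] [REFRESH]
#   How long an idle client has before it must re-authenticate (0 when already due).
#   The refresh window starts when the TTL ends, so the deadline is TTL + Refresh.
seconds_until_login() {
    issued=$1; now=$2; ttl=${3:-$TOKEN_TTL}; refresh=${4:-$TOKEN_REFRESH}
    left=$((issued + ttl + refresh - now))
    if [ "$left" -gt 0 ]; then echo "$left"; else echo 0; fi
}
```

The point the arithmetic makes explicit is that the refresh window does not overlap the TTL: a client that is idle for longer than TTL + Refresh must re-authenticate, while one that makes any request during the refresh window receives a fresh token and continues.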


Editing Authentication Token Settings

Statseeker provides for setting default Token TTL and Refresh periods, as well as user specific overrides to these values.

Edit Default Token TTL and Refresh Periods

To update the default Authentication Token TTL and Refresh settings:

  • Select Admin Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Update the token settings (values are specified in seconds) as needed
  • Click Save

On Save, the Statseeker web server will be restarted with the updated settings applied.

Apply/Edit User Specific Token TTL and Refresh Periods

User specific overrides can be set from within the Statseeker User account, see Editing Users and Updating User Preferences.


SSL Certificates

The Statseeker web interface is delivered via the Statseeker web server. An installed SSL certificate is required for HTTPS connections to the web server, and Statseeker allows you to use either a self-signed certificate or a certificate signed by a certificate authority (CA).

If Statseeker (version 5.4.2 and above) cannot locate an SSL certificate, it will create a self-signed certificate during the install/upgrade process which can be used for HTTPS connections. You can use this self-signed certificate, upload another existing certificate, or create a certificate signing request to be passed to a signing authority to create a signed certificate.


Creating and Installing a Self-Signed Certificate

To create a self-signed certificate:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Select Self-Signed Certificate from the SSL Certificates > Step 1 drop-down

Field                           Description
Host name                       The host name of the server
Country name (2 letter code)    Two-character ISO 3166-1 alpha-2 country code
State or province               State or province in which the organization is registered/licensed
Location (city)                 City in which the organization is registered/licensed
Organization                    Legal name under which the organization is registered/licensed
Organizational Unit (optional)  The organizational unit within the organization, e.g. Marketing
Email address (optional)        An email address to be associated with the management of this certificate
Note: the certificate also makes use of the server domain as configured during the installation process. This value is retrieved from the server configuration, so there is no need to supply it during certificate configuration.


  • Configure the certificate information as needed and click Save

A confirmation prompt will be displayed, advising you that updating the active certificate will initiate a web server restart. This does not affect Statseeker’s ability to monitor your network, but the web interface will be unavailable until the restart is complete (typically 10-30 seconds).


Creating a Certificate Signing Request (CSR)

A Certificate Signing Request (CSR) is required to obtain an SSL certificate from a third-party certificate authority (CA). Browsers treat a certificate issued by an established, recognized CA as trusted, and consequently treat your Statseeker web interface as a trusted destination.

When creating a CSR, Statseeker first generates a private key, then generates the CSR using that key; the private key stays on the Statseeker server and only the CSR is sent to the CA. The CA returns a signed certificate to use with your server. Because the certificate is bound to the public half of that private key, Statseeker will refuse to upload an SSL certificate that was generated in response to a different signing request, i.e. one that used a different private key.

To create a CSR:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Select Certificate Signing Request from the SSL Certificates > Step 1 drop-down

Field                           Description
Host name                       The host name of the server
Country name (2 letter code)    Two-character ISO 3166-1 alpha-2 country code
State or province               State or province in which the organization is registered/licensed
Location (city)                 City in which the organization is registered/licensed
Organization                    Legal name under which the organization is registered/licensed
Organizational Unit (optional)  The organizational unit within the organization, e.g. Marketing
Email address (optional)        An email address to be associated with the management of this certificate
  • Configure the certificate information as needed and click Save

A confirmation prompt will be displayed, advising you that creating the signing request will prevent the uploading of SSL certificates that have been generated in response to another signing request.

  • Confirm the creation of the CSR by clicking Save

The CSR will be saved to /home/system/etc/ssl_new on the Statseeker server. Certificate authorities will allow you to either upload a CSR or paste the content of a CSR into a field. Either way, the CSR will then be used to generate a signed certificate which you can, in turn, download and use to secure your Statseeker server.

  • Select Step 3 > View or Download as needed to retrieve the CSR
  • Provide the CSR to your selected certificate authority

Once you have received your signed certificate from the CA you can upload the certificate to your Statseeker server, see Upload a Signed Certificate.


Upload a Signed Certificate

Your selected Certificate Authority will respond to your certificate signing request with a signed certificate that can be uploaded to your Statseeker server.

To upload a signed certificate to your Statseeker server:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Select Certificate Signing Request from the SSL Certificates > Step 1 drop-down
  • Select Browse, locate and select your signed certificate
  • Click Upload Certificate
  • Once uploaded, click Save to restart the web server

No changes are made to your existing certificate configuration prior to successfully uploading a new signed certificate and then clicking Save. Once you click Save, the existing configuration is discarded, and the new certificate and key will be used by your Statseeker server.


Upload a Signed Certificate and Private Key

This process is used when you have an existing signed certificate and its associated private key. To upload:

  • Select Administration Tool > Statseeker Administration > Web Server Configuration
  • Click Edit (top left corner)
  • Select Upload Certificate and Key from the SSL Certificates > Step 1 drop-down

  • Select Browse, locate and select your private key
  • Click Upload Key
  • Select Browse, locate and select your certificate
  • Click Upload Certificate
  • Once uploaded, click Save to restart the web server

No changes are made to your existing certificate configuration until both the key and the signed certificate have been uploaded successfully and you have clicked Save. Once you click Save, the existing configuration is discarded and the new certificate and key are used by your Statseeker server.
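As an added example serving both the Creating a Certificate Signing Request section and this one (not Statseeker code), the following shell snippet reproduces offline what the CSR workflow does, generating a private key first and then a CSR bound to it, and provides the check a practitioner wants before uploading a certificate and key pair: that the certificate really carries the public half of that key. It assumes the `openssl` command line tool and `mktemp`; the subject values and the work directory are assumptions, and the self-signed certificate stands in for what a CA would return.

```shell
#!/bin/sh
# Added example, not Statseeker code. Generates a key and CSR the way the CSR
# workflow describes, and verifies that a key, CSR and certificate belong together.

WORK=$(mktemp -d)

# make_key_and_csr HOST -> $WORK/HOST.key (stays on the server) and
#                          $WORK/HOST.csr (the only artefact sent to the CA)
make_key_and_csr() {
    host=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$host.key" 2>/dev/null
    openssl req -new -key "$WORK/$host.key" \
        -subj "/C=AU/ST=Queensland/L=Brisbane/O=Example Org/OU=IT/CN=$host" \
        -out "$WORK/$host.csr" 2>/dev/null
}

# csr_subject HOST -> the subject line the CA will see in the request
csr_subject() {
    openssl req -in "$WORK/$1.csr" -noout -subject
}

# self_sign HOST [DAYS] -> $WORK/HOST.crt, standing in for a CA-signed certificate
self_sign() {
    openssl req -x509 -in "$WORK/$1.csr" -key "$WORK/$1.key" -days "${2:-365}" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# pubkey_fingerprint KIND FILE -> SHA-256 of the public key held in a key,
# CSR or certificate (KIND is key, csr or cert). Empty if FILE is unreadable.
pubkey_fingerprint() {
    [ -r "$2" ] || return 1
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_csr KEY CSR -> 0 only if the CSR was built from KEY
key_matches_csr() {
    k=$(pubkey_fingerprint key "$1")
    r=$(pubkey_fingerprint csr "$2")
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# key_matches_cert KEY CERT -> 0 only if CERT was issued for the public half of KEY.
# This is the condition behind Statseeker refusing a certificate that answers a
# different signing request: the public keys differ, so the pair cannot work.
key_matches_cert() {
    k=$(pubkey_fingerprint key "$1")
    c=$(pubkey_fingerprint cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cleanup() { rm -rf "$WORK"; }
```

Before using Upload Certificate and Key with a certificate and key received from elsewhere, run `key_matches_cert <key> <cert>` on them; a mismatch means the web server would fail to start with that pair, or the upload would be rejected.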


API Authentication Method

The authentication method used to communicate with the Statseeker API is independent of that used for user authentication with the GUI. The authentication methods available are:

  • Token – JSON Web Token (JWT) based authentication; the default for new/fresh installations
  • Basic – (HTTP basic access authentication) default value for servers upgrading from 5.5.3 and earlier

For details on employing these authentication methods in your API requests (including sample code) see API Authentication.


Allowed Frame Ancestors

The HTTP Content-Security-Policy (CSP) header lets a site tell the browser which resources it may load for a given page; it is a defence against cross-site scripting and related content-injection attacks. frame-ancestors is one of the CSP navigation directives and specifies which ‘parent’ URLs may frame (embed/contain) the page. It is the CSP replacement for the older X-Frame-Options header and is the control that prevents clickjacking, where a hostile page frames yours and tricks the user into clicking within it. The Statseeker server’s Frame Ancestors setting specifies which third-party web resources are allowed to display Statseeker content within a frame, iframe, or similar container.


Configuring Frame Ancestors

Configured frame ancestor directives are added to the CSP header for every page that the Statseeker web server serves. The URLs specified in this directive are allow-listed: only they may contain Statseeker content, and the browser blocks any other site that attempts to frame a Statseeker page. To allow-list URLs:

  • Select Admin Tool > Server Administration > Web Server Configuration
  • Click Edit (top-right)
  • Enter URLs in the Allowed Frame Ancestors field (multiple values should be ‘space’ separated)
  • Click Save, the web server will be restarted, and the rule will be enforced
Syntax
  • A space separated list of content hosts by name or IP address
  • Optional URL scheme (http/https) and/or port number
  • Optional wildcard (*) as the leading host label and/or as the port
Examples:
  • https://*.example.com – matches any subdomain of example.com (but not example.com itself) using the HTTPS URL scheme
  • store.example.com another.example.com – matches store.example.com or another.example.com
  • mail.example.com:443 – matches only port 443 on mail.example.com
Note: Statseeker’s web server defaults to HTTPS and, by default, will redirect any HTTP request to HTTPS. If no URL scheme is specified for a host-source and Statseeker is configured to use HTTPS, the page that embeds the Statseeker content must itself be served over HTTPS.
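The matching rules above, as an added example (not Statseeker code and not the browser’s implementation): a shell function that applies the CSP host-source rules for scheme, wildcard host and port to a configured Frame Ancestors list and an embedding page’s origin, so a list can be checked against the parent pages that need to embed Statseeker before it is saved. It implements the CSP behaviour that an unscoped source takes the Statseeker page’s own scheme and that an http source also admits an https parent; a bare `*` source and IPv6 literals are not handled. All host names are constructed.

```shell
#!/bin/sh
# Added example, not Statseeker code. Decides whether a parent page origin is
# allowed by a frame-ancestors source list, following the CSP host-source rules.

# default_port SCHEME -> 443 for https, 80 for http, empty otherwise
default_port() {
    case $1 in
        https) echo 443 ;;
        http)  echo 80 ;;
        *)     echo '' ;;
    esac
}

# frame_ancestor_allows "SOURCES" ORIGIN [PAGE_SCHEME]
#   SOURCES     the space-separated Frame Ancestors list as configured
#   ORIGIN      the embedding page, e.g. https://store.example.com[:port][/path]
#   PAGE_SCHEME the scheme Statseeker serves on (default https), used for
#               sources that carry no scheme of their own
#   Returns 0 (allow) or 1 (deny) and prints the reason.
frame_ancestor_allows() {
    sources=$1; origin=$2; page_scheme=${3:-https}
    o=$(printf '%s' "$origin" | tr 'A-Z' 'a-z')
    case $o in
        *://*) ;;
        *) echo "error: origin '$origin' must include a scheme"; return 2 ;;
    esac
    o_scheme=${o%%://*}
    o_rest=${o#*://}
    o_rest=${o_rest%%/*}                        # drop any path
    case $o_rest in
        *:*) o_host=${o_rest%%:*}; o_port=${o_rest##*:} ;;
        *)   o_host=$o_rest;       o_port=$(default_port "$o_scheme") ;;
    esac
    for src in $sources; do
        s=$(printf '%s' "$src" | tr 'A-Z' 'a-z')
        case $s in
            *://*) s_scheme=${s%%://*}; s_rest=${s#*://} ;;
            *)     s_scheme=$page_scheme; s_rest=$s ;;   # no scheme: inherit the page's
        esac
        case $s_rest in
            *:*) s_host=${s_rest%%:*}; s_port=${s_rest##*:} ;;
            *)   s_host=$s_rest;       s_port='' ;;
        esac
        # scheme: must match, except that an http source also admits an https parent
        if [ "$s_scheme" != "$o_scheme" ]; then
            [ "$s_scheme" = http ] && [ "$o_scheme" = https ] || continue
        fi
        # host: a leading wildcard matches any subdomain but never the bare domain
        case $s_host in
            '*.'*)
                suffix=${s_host#\*}               # e.g. ".example.com"
                case $o_host in
                    *"$suffix") ;;
                    *) continue ;;
                esac ;;
            *) [ "$s_host" = "$o_host" ] || continue ;;
        esac
        # port: absent means the default port of the origin's scheme, * means any
        case $s_port in
            '')  [ "$o_port" = "$(default_port "$o_scheme")" ] || continue ;;
            '*') ;;
            *)   [ "$s_port" = "$o_port" ] || continue ;;
        esac
        echo "allow: $origin is framed by '$src'"
        return 0
    done
    echo "deny: $origin matches no configured frame ancestor"
    return 1
}
```

The cases worth trying against a proposed list are the ones that surprise people: `https://*.example.com` does not admit `https://example.com`, a source without a scheme does not admit an http:// parent when Statseeker serves https, and a source without a port only admits the parent on that scheme’s default port.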
