Configure Seeq Ports (TLS/SSL)
By default Seeq will use port 34216, so when you first install Seeq it will be accessible with a URL like http://yoursite.example.com:34216/. For a secure and more friendly URL of https://yoursite.example.com/, Seeq needs to listen on ports 80 and 443. When running with a secure port, Seeq will redirect http://yoursite.example.com/ to the secure version of Seeq.
Configuring Seeq
Enabling https
If you cannot obtain a certificate for the Seeq Server, this step can be skipped. In that case the publicly accessible URL will be an http:// URL instead of an https:// URL, and all requests to the server will use unencrypted, plain-text HTTP.
To enable Seeq to run securely, a TLS certificate needs to be placed in the keys directory within the global folder. By default that directory should be in /var/opt/seeq/keys. Place a seeq-cert.pem and seeq-key.pem in that directory. Make sure the key is not encrypted (no password). For details on how to convert files please refer to this page.
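A preflight check for the requirements above, added here as an example and not part of Seeq's own tooling: it confirms both files exist, that the key's PEM header does not mark it as passphrase-protected, and, when openssl is installed, that the key belongs to the certificate. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from Seeq): preflight check of the Seeq keys directory.
# Usage: check_seeq_keys /var/opt/seeq/keys

# Return 0 if the PEM private key in $1 is passphrase-protected.
# Covers PKCS#8 ("ENCRYPTED PRIVATE KEY") and traditional OpenSSL PEM
# ("Proc-Type: 4,ENCRYPTED") encodings.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the public key (PEM) contained in a certificate or private key.
# $1 = cert|key, $2 = file. Prints nothing if the file cannot be parsed.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac 2>/dev/null
}

# Exit status: 0 ok, 1 file missing, 2 key encrypted, 3 cert/key mismatch.
check_seeq_keys() {
    dir=${1:-/var/opt/seeq/keys}
    cert=$dir/seeq-cert.pem
    key=$dir/seeq-key.pem
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    if key_is_encrypted "$key"; then
        echo "seeq-key.pem is passphrase-protected; Seeq needs it unencrypted"
        return 2
    fi
    # The match check is skipped when openssl is not installed.
    if command -v openssl >/dev/null 2>&1; then
        c=$(pubkey_of cert "$cert")
        k=$(pubkey_of key "$key")
        [ -n "$c" ] && [ "$c" = "$k" ] || {
            echo "seeq-key.pem does not match seeq-cert.pem"
            return 3
        }
    fi
    echo ok
}
```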
After a TLS certificate is in place, turn on the secure mode by setting the following configuration:
seeq config set Network/Webserver/SecurePort 8443
In this configuration, Seeq will run an https webserver on port 8443 and a plain HTTP server on port 34216.
This configuration will take effect the next time Seeq is restarted.
Setting external url
Some Seeq features such as Organizer Topics and Exports require Seeq to know the external url that users will access Seeq through. This external url should always match the url that appears in the browser url bar. Because we’ll be redirecting port 443 to Seeq’s secure port of 8443, we can omit the port number (443) here.
seeq config set Network/Webserver/Url https://yoursite.example.com
If https wasn’t enabled, instead use http://yoursite.example.com. In that case we’ll be redirecting port 80 to Seeq’s insecure port of 34216, but we can still omit the port number (80) here.
This configuration will take effect the next time Seeq is restarted.
Port Forwarding
Seeq cannot bind directly to port 80 or 443 because those ports require elevated permissions. Instead traffic from those ports should be forwarded to ports that Seeq can bind to like 34216 and 8443. We recommend using firewall rules to port forward traffic from 80 → 34216 and 443 → 8443.
Modifying the firewall settings on your server may make other services inaccessible. We recommend running Seeq on its own server to avoid this problem, and for best performance. If you run other services on the same server, be sure to enable network access to the appropriate ports.
Option 1: firewalld (Recommended for RHEL)
This section describes how to set up port forwarding using firewall-cmd, the command line tool for firewalld, which uses iptables or nftables (depending on the configuration of the server) to forward traffic from an external port to an internal port. firewalld is available in modern RHEL versions.
Install the firewalld frontend if necessary and enable it
sudo yum install firewalld
sudo systemctl enable firewalld --now
Allow ports 80 and 443 through the firewall
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
Add a rule to forward the external ports to the internal ports
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=34216 --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
Reload the firewall rules
sudo firewall-cmd --reload
Option 2: ufw, Uncomplicated Firewall (Recommended for Ubuntu)
This section describes how to set up port redirection using ufw (Uncomplicated Firewall), which uses iptables to redirect incoming traffic from an external port to an internal port. ufw is available in all modern Ubuntu versions.
Enable ufw, which will block all incoming traffic except for specified ports and protocols.
sudo ufw allow ssh
sudo ufw allow 443/tcp
sudo ufw allow 8443/tcp
sudo ufw allow 80/tcp
sudo ufw allow 34216/tcp
sudo ufw enable
Add the following to the top of the /etc/ufw/before.rules configuration file. These lines need to be at the very top of the file.
# Forward port 443/80 (external) to 8443/34216 (internal) for Seeq
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 34216
COMMIT
# End of Seeq modifications
Restart the server to allow the changes to take effect.
sudo reboot
Option 3: iptables (Not recommended)
This section describes how to set up port redirection using iptables to redirect incoming traffic from external ports to internal ports. Using ufw is recommended if it is available on your system.
Install the iptables-persistent package to be able to make the iptables rules persistent.
sudo apt-get install iptables-persistent
Add the necessary rules.
sudo iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443
sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 34216
sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 34216
Persist the rules
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
Restart the server so the port-forwarding changes take effect.
sudo reboot
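To confirm after the reboot that the redirects from Option 2 or Option 3 are actually loaded, the nat table can be checked against the two mappings this page uses (443 to 8443 and 80 to 34216). This is an added example, not part of the Seeq documentation; the function names are hypothetical and the sample rules are constructed. It reads iptables-save style text, so it does not cover firewalld running on the nftables backend.

```shell
#!/bin/sh
# Added example (not from Seeq): verify the PREROUTING redirects are present.
# Usage: sudo iptables-save -t nat | check_seeq_redirects

# Constructed sample in iptables-save format, using both spellings of the
# option that appear on this page (--to-port and --to-ports).
SAMPLE_RULES=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 34216
COMMIT
EOF
)

# Print the port that PREROUTING redirects external port $1 to.
# Rules are read from stdin; prints nothing when no such rule exists.
redirect_target() {
    awk -v want="$1" '
        $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; to = ""; jump = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") jump = $(i + 1)
                if ($i ~ /^--to-ports?$/) to = $(i + 1)
            }
            if (jump == "REDIRECT" && dport == want) { print to; exit }
        }'
}

# Read rules from stdin, report each mapping that is missing or points at
# the wrong port, and return 1 if any problem was found.
check_seeq_redirects() {
    rules=$(cat)
    rc=0
    for pair in 443:8443 80:34216; do
        ext=${pair%%:*}
        int=${pair##*:}
        got=$(printf '%s\n' "$rules" | redirect_target "$ext")
        if [ "$got" != "$int" ]; then
            echo "port $ext: expected redirect to $int, found '${got:-none}'"
            rc=1
        fi
    done
    return $rc
}
```

Running `printf '%s\n' "$SAMPLE_RULES" | check_seeq_redirects` exercises the check without touching the live firewall.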
Alternatives to Port Forwarding
Instead of using port forwarding, another alternative is to have external TLS termination such as a reverse proxy. This setup is only recommended for scenarios where a company’s policy mandates it. This can be common in situations where a security appliance scans incoming connections to Seeq or where a proxy performs additional authentication.
In this scenario, you would not enable https in the Seeq configuration section above, but you would still configure the external url to be the https:// url since that is what will appear in the browser url bar:
seeq config set Network/Webserver/Url https://yoursite.example.com
These general principles can be applied to other proxies or TLS termination methods.