Security

Encrypted Passwords

You can place hashed passwords in the password attributes, but only within the uchiwa object, in order to obfuscate users passwords in your configuration files.

Please note that you must absolutely use the {crypt} prefix when using an encrypted password. For example:

"password": "{crypt}$1$MteWnoFT$yhEi8KMxO794K0TIriZcI0"

The following algorithms are supported (along the commands to create the hashes):

Alternatively, you could use the [Passlib hashing library for Python 2 & 3] (https://passlib.readthedocs.io/en/stable/).

HTTPS Encryption

You can serve all content over HTTPS, using Uchiwa, without the need of a reverse proxy. To get started, follow these few steps:

Optional - Generate a private key:

openssl genrsa -out uchiwa.key 2048

Optional - Generate a self-signed certificate:

openssl req -new -x509 -key uchiwa.key -out uchiwa.pem -days 365

Adjust the uchiwa object in your configuration file in order to specify the path of the keys you just generated:

{
  "uchiwa": {
    "ssl": {
      "certfile": "/path/to/uchiwa.pem",
      "keyfile": "/path/to/uchiwa.key"
    }
  }
}

Finally, restart Uchiwa and access your dashboard over HTTPS.

TLS Configuration

Additional attributes can be provided to tweak the TLS configuration:

{
  "uchiwa": {
    "ssl": {
      "certfile": "/path/to/uchiwa.pem",
      "keyfile": "/path/to/uchiwa.key",
      "ciphersuite": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
      ],
      "tlsminversion": "tls10"
    }
  }
}