SSL Certificates
MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) uses the NGINX web server, and its configuration is defined in /srv/backend/nginx/conf/production/default.conf.
Any modifications to /srv/backend/nginx/conf/production/default.conf will be overwritten if you upgrade your Sandbox installation!
Always create a backup of this file if you modify it!
Alternatively, choose a solution below that does not require modifications to this file!
The following self-signed certificate and key files are used by default:
The /app/nginx/certs path only exists within the Sandbox docker containers, and the corresponding files are actually located in /home/sandbox/sandbox/webservice/nginx/certs (the path might differ if you installed Sandbox to a different target directory).
It is possible to modify the configuration to point to your certificate and key files, but it is recommended to overwrite the self-signed certificate and key with your own files instead! If you do that, you can upgrade Sandbox without losing these settings.
Please create a backup of the self-signed certificate and key files first:
sudo su sandbox
cd /home/sandbox/sandbox/webservice/nginx/certs
sudo mv nginx-selfsigned.crt nginx-selfsigned-BACKUP.crt
sudo mv nginx-selfsigned.key nginx-selfsigned-BACKUP.key
Then overwrite these files with your full certificate chain and private key files in PEM format (the original file extension does not matter). For example, if your custom files are located in ~/my.domain.com :
sudo cp ~/my.domain.com/fullchain.pem /home/sandbox/sandbox/webservice/nginx/certs/nginx-selfsigned.crt
sudo cp ~/my.domain.com/privkey.pem /home/sandbox/sandbox/webservice/nginx/certs/nginx-selfsigned.key
Make sure that the certificate is readable by all users and the private key is owned by your sandbox user:
sudo chmod a+r /home/sandbox/sandbox/webservice/nginx/certs/nginx-selfsigned.crt
sudo chown sandbox:sandbox /home/sandbox/sandbox/webservice/nginx/certs/nginx-selfsigned.key
After these preparations, please restart the Sandbox webservice (this should only take a minute):
/home/sandbox/sandbox/stop_sandbox.sh
/home/sandbox/sandbox/start_sandbox.sh
At this point, you should be able to reach your Sandbox instance at https://my.domain.com on port 443.
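Before restarting, the replaced files can be checked so that a mismatched or unreadable pair does not leave the web service down. The following is an added example, not part of the Sandbox product or its documentation: check_tls_pair is a hypothetical helper that assumes the openssl command-line tool is installed, and it verifies the PEM format, the permissions described above, the expiry date, and that the private key belongs to the first certificate in the chain file.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate/key pair before restart.
# check_tls_pair is a hypothetical helper; requires the openssl CLI.
# Usage: source this file, then run: check_tls_pair [cert_dir] [key_owner]

check_tls_pair() {
    dir=${1:-/home/sandbox/sandbox/webservice/nginx/certs}
    owner=${2:-sandbox}
    crt=$dir/nginx-selfsigned.crt
    key=$dir/nginx-selfsigned.key
    rc=0

    for f in "$crt" "$key"; do
        [ -f "$f" ] || { echo "FAIL: missing $f"; return 1; }
    done

    # Both files must be PEM, whatever extension the originals had.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
        { echo "FAIL: $crt is not a PEM certificate"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "FAIL: $key is not a PEM private key"; return 1; }

    # Certificate readable by all users; key owned by the sandbox user.
    [ -n "$(find "$crt" -perm -004 2>/dev/null)" ] ||
        { echo "FAIL: $crt is not readable by all users"; rc=1; }
    [ -n "$(find "$key" -user "$owner" 2>/dev/null)" ] ||
        { echo "FAIL: $key is not owned by $owner"; rc=1; }

    # The first certificate in the chain file must not be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate is expired or unreadable"; rc=1; }

    # The key must belong to that certificate: compare public keys.
    if grep -q -e 'BEGIN ENCRYPTED' -e 'Proc-Type:.*ENCRYPTED' "$key"; then
        echo "NOTE: key needs a passphrase; match check skipped"
    else
        cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: private key does not match the certificate"; rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $crt and $key are consistent"
    return "$rc"
}
```

A non-zero return means at least one FAIL line was printed; in that case restore the BACKUP files or fix the reported problem before restarting.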
Special considerations for private key files with a passphrase
NGINX also supports PEM private key files that require a passphrase to use.
In this case, the ssl_password_file option should be added in /srv/backend/nginx/conf/production/default.conf as described in the NGINX documentation.
For example:
ssl_password_file /etc/keys/global.pass;
As the default.conf file must be changed for this, it is strongly encouraged to create a backup of this file before you upgrade Sandbox!
