Reference Sicura Console Deployment with SSL Termination

Overview

This document provides instructions for deploying the Sicura Console web application using Podman with SSL termination via Nginx. The Nginx container will handle HTTPS requests and proxy them to the Sicura Console running inside a Podman pod.

Prerequisites

Install Packages

On a RHEL-based host, install the necessary packages:

dnf install podman podman-plugins containernetworking-plugins

Firewall Configuration

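If the system is running a default firewalld configuration, the following commands can be used to allow the necessary ports. Without the --permanent option these rules apply to the runtime configuration only and are lost when firewalld reloads or the host reboots: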

firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --add-port=6468/tcp

SSL Certificate Preparation

If you do not have SSL certificates, generate a self-signed certificate:

mkdir -p certs
openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout certs/privkey.pem -out certs/fullchain.pem \
    -subj "/CN=$( hostname -f )" \
    -addext "subjectAltName=DNS:$( hostname -f )"

Note: The certificate must be added to the ca-trust on systems running the sicura-agent. The collector address configured in the agent must exactly match one of the subjectAltName entries (DNS names or IP addresses) in the certificate.
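
The following check is an added example, not part of the Sicura documentation or product: it tests whether a candidate collector address is covered by a certificate's subjectAltName and whether the certificate is close to expiry. The function names, the sample hostname console.example.test and the address 192.0.2.10 are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Sicura code. console.example.test and 192.0.2.10 are
# constructed sample values; the 2048-bit key only keeps the sample fast.

# make_sample_cert DIR NAME: self-signed cert whose only SAN is DNS:NAME.
make_sample_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# san_matches CERT ADDRESS: exit 0 only if ADDRESS is covered by the SAN.
# IP literals are compared against IP SAN entries, names against DNS entries.
san_matches() (
    case "$2" in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # anything else with letters: DNS name
        *)         flag=-checkip ;;    # digits and dots only: IPv4 literal
    esac
    # openssl reports "does match certificate" or "does NOT match certificate".
    openssl x509 -in "$1" -noout "$flag" "$2" | grep -q ' does match certificate'
)

# not_expiring_within_days CERT DAYS: exit 0 if still valid DAYS from now.
not_expiring_within_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Demo: the FQDN passes; the short name and a bare IP do not.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp" console.example.test
for addr in console.example.test console 192.0.2.10; do
    if san_matches "$tmp/fullchain.pem" "$addr"; then
        echo "OK    $addr is covered by subjectAltName"
    else
        echo "FAIL  $addr is not covered by subjectAltName"
    fi
done
not_expiring_within_days "$tmp/fullchain.pem" 30 && echo "OK    valid for at least 30 more days"
```

To check the certificate generated above, call san_matches certs/fullchain.pem with the exact collector address that will be configured in the agents.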

Deployment Steps

Define Environment Variables

Set up necessary environment variables for the deployment:

export SICURA_CONSOLE_IMAGE="registry.customers.sicura.us/products/sicura-console:2025.5.0"
export SICURA_DB_IMAGE="docker.io/library/postgres:17"
export NGINX_IMAGE="docker.io/library/nginx:latest"
export SICURA_CONFIG="$(cat sicura-console.yaml)"
export SICURA_LICENSE_KEY="$(cat license.key)"

Pull the Images

podman pull "$SICURA_CONSOLE_IMAGE"
podman pull "$SICURA_DB_IMAGE"
podman pull "$NGINX_IMAGE"

Create a Random Password for the Database

openssl rand -base64 32 | podman secret create sicura-db-password -

Create a Volume for Database Persistence

podman volume create sicura-dbdata

Create a Container Network

podman network create sicura

Create a Podman Pod

This pod will contain both the database and the Sicura Console.

podman pod create --name sicura \
    --network sicura

Run the Database

podman run -d --name sicura-db --rm \
    --pod sicura \
    --env PGDATA=/var/lib/postgresql/data/dbdata \
    --secret sicura-db-password,type=env,target=POSTGRES_PASSWORD \
    --volume sicura-dbdata:/var/lib/postgresql/data \
    "$SICURA_DB_IMAGE"

Run the Console

podman run -d --name sicura-console --rm \
    --pod sicura \
    --env DB_DATABASE=postgres \
    --env DB_HOST=127.0.0.1 \
    --env DB_PORT=5432 \
    --env DB_SSLMODE=disable \
    --env DB_USER=postgres \
    --env SICURA_CONFIG="$SICURA_CONFIG" \
    --env SICURA_LICENSE_KEY="$SICURA_LICENSE_KEY" \
    --secret sicura-db-password,type=env,target=DB_PASSWORD \
    --requires sicura-db \
    "$SICURA_CONSOLE_IMAGE"

Deploy Nginx for SSL Termination

Create an Nginx Configuration Template

Create the file nginx/default.conf.template:

mkdir -p nginx
cat > nginx/default.conf.template <<'END_NGINX_CONF'
server {
    listen 443 ssl;
    server_name ${SERVER_NAME};

    ssl_certificate ${SSL_CERT};
    ssl_certificate_key ${SSL_KEY};

    client_max_body_size 20M;

    location / {
        proxy_pass http://sicura:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Scheme https;
        proxy_buffering off;
    }
}

server {
    listen 6468 ssl;
    server_name ${SERVER_NAME};

    ssl_certificate ${SSL_CERT};
    ssl_certificate_key ${SSL_KEY};

    client_max_body_size 20M;

    location / {
        proxy_pass http://sicura:6468;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Scheme https;
        proxy_buffering off;
    }
}

server {
    listen 80;
    server_name ${SERVER_NAME};

    return 301 https://$host$request_uri;
}
END_NGINX_CONF

Run the Nginx Container

podman run -d --name sicura-nginx --rm \
    -v "$( pwd )"/nginx:/etc/nginx/templates:ro,Z \
    -v "$( pwd )"/certs:/etc/nginx/certs:ro,Z \
    -e SERVER_NAME="$( hostname -f )" \
    -e SSL_CERT="/etc/nginx/certs/fullchain.pem" \
    -e SSL_KEY="/etc/nginx/certs/privkey.pem" \
    --publish 80:80 \
    --publish 443:443 \
    --publish 6468:6468 \
    --network sicura \
    "$NGINX_IMAGE"

Verify Deployment

Check the logs of the database, Sicura Console and Nginx containers to ensure everything is running correctly:

podman logs -f sicura-db sicura-console sicura-nginx

The Sicura Console should be accessible over HTTPS at https://<fqdn>/. The Nginx container handles SSL termination and forwards traffic to the Sicura Console running inside the Podman pod.