
HTL Infrastructure Console (Herrick Technology Labs)
Sign in with your NPM credentials, then enter the 6-digit code from your authenticator app.
🔒 Controlled Access System — Activity monitored per CMMC AU.L2-3.3.1
Dashboard cards (values loaded live from the NPM API): Proxy Hosts, SSL Certificates, Next Cert Expiry, Total Domains.

🛡 CMMC Level 2 Compliance Status (live)

Each dashboard check and the control it is mapped to:
HTTPS / TLS 1.3 (SC.L2-3.13.8)
Multi-Factor Auth (AC.L2-3.1.1; the MFA requirement itself is IA.L2-3.5.3, cited on the Users page)
Session Management (AC.L2-3.1.10)
Audit Logging (AU.L2-3.3.1)
Security Headers (SC.L2-3.13.11)
Brute Force Protection (AC.L2-3.1.8)

Active Proxy Hosts (columns: Domain(s), Backend, SSL Type, Status, Expiry, Actions)

⏱ Recent Activity: the latest entries from the audit trail.

All Proxy Hosts (columns: ID, Domain(s), Forward To, Scheme, SSL Cert, Enabled, Actions)

All Redirection Hosts (columns: ID, Source Domain(s), HTTP Code, Scheme, Destination, SSL, Status, Actions)
CMMC AC.L2-3.1.1: Redirection hosts are managed through the NPM API and every change is audit-logged. Use 301 for permanent redirects (browsers cache them, so only once the old name is retired for good) and 302 for temporary ones.
Enter only the subdomain prefix. The zones (herricklabs.com, herricktechlabs.com) are appended automatically below. The resulting A records must exist in GoDaddy DNS before the name resolves, and therefore before the new proxy host can serve any traffic.
Select a known internal server, or choose "Custom" to enter an arbitrary IP:port. The backend must be reachable from nginx-htl (172.16.177.224) on that port: NPM opens the upstream connection from that host, not from the client.
The wildcard cert (DNS-01) is recommended. It covers one level of subdomain under both zones automatically. Per-domain LE certs need HTTP-01 validation on port 80, which the SonicWall can block at renewal time (see SSL Certificate Coverage).
📋 Required DNS Records (GoDaddy)
<prefix>.herricklabs.com       A   71.246.225.101
<prefix>.herricktechlabs.com   A   71.246.225.101
All subdomains must resolve to 71.246.225.101 (SonicWall public IP). The SonicWall NATs port 443 to NPM at 172.16.177.224, and NPM uses the Host header to route each request to the correct backend.
Live traffic flow: 🌐 Internet clients -> HTTPS :443 -> 🛡 SonicWall NSa2700 (71.246.225.101) -> NAT :443 -> ⚙️ nginx-htl (NPM, 172.16.177.224, TLS termination) -> backend hosts, selected by Host header.
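The three things the wizard text above tells the operator to get right (a valid prefix, A records present at GoDaddy, a backend reachable from nginx-htl) as one pre-flight script. This is an added example, not portal code: the zone names and the SonicWall address come from this page; the RFC 1123 label rule, the injectable resolver/connect callables (so the checks can be exercised offline) and the sample backend 10.0.0.5:3000 are this example's own assumptions.

```python
"""Pre-flight checks for the "Add a New Domain" wizard (added example, not portal code)."""
import re
import socket

ZONES = ("herricklabs.com", "herricktechlabs.com")
PUBLIC_IP = "71.246.225.101"            # SonicWall NSa2700 public address (from the page)
NPM_HOST, NPM_PORT = "172.16.177.224", 443   # nginx-htl, where TLS is terminated

# RFC 1123 host label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def build_hostnames(prefix, zones=ZONES):
    """Expand a subdomain prefix into one FQDN per zone.

    Only a single label is accepted: a dotted prefix such as "a.b" would give
    a.b.<zone>, which the *.<zone> entry on the wildcard cert does not match.
    """
    label = prefix.strip().lower()
    if "." in label:
        raise ValueError("prefix must be a single label (the wildcard covers one level)")
    if not _LABEL.match(label):
        raise ValueError(f"invalid DNS label: {prefix!r}")
    return [f"{label}.{zone}" for zone in zones]


def is_valid_prefix(prefix):
    try:
        build_hostnames(prefix)
        return True
    except ValueError:
        return False


def required_records(prefix):
    """The GoDaddy A records the wizard asks for, as (name, type, value) tuples."""
    return [(fqdn, "A", PUBLIC_IP) for fqdn in build_hostnames(prefix)]


def _system_resolve(fqdn):
    """IPv4 addresses fqdn currently resolves to (empty set if it does not resolve)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_dns(hostnames, resolve=_system_resolve, expected=PUBLIC_IP):
    """Classify each hostname as ok / missing / wrong:<addresses it points at>."""
    report = {}
    for fqdn in hostnames:
        addrs = resolve(fqdn)
        if not addrs:
            report[fqdn] = "missing"
        elif addrs == {expected}:
            report[fqdn] = "ok"
        else:
            report[fqdn] = "wrong:" + ",".join(sorted(addrs))
    return report


def _tcp_reachable(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_backend(forward_host, forward_port, reachable=_tcp_reachable):
    """The backend must accept TCP from nginx-htl, so run this check on that host."""
    return reachable(forward_host, forward_port)


def preflight(prefix, forward_host, forward_port,
              resolve=_system_resolve, reachable=_tcp_reachable):
    """Everything worth verifying before the proxy host is created in NPM."""
    hostnames = build_hostnames(prefix)
    dns = check_dns(hostnames, resolve)
    backend_ok = check_backend(forward_host, forward_port, reachable)
    ready = backend_ok and all(v == "ok" for v in dns.values())
    return {"hostnames": hostnames, "dns": dns, "backend_ok": backend_ok, "ready": ready}


if __name__ == "__main__":
    # Constructed offline run: one zone already points at the SonicWall, the other not yet.
    fake_dns = {"grafana.herricklabs.com": {PUBLIC_IP}}
    print(preflight("grafana", "10.0.0.5", 3000,
                    resolve=lambda h: fake_dns.get(h, set()),
                    reachable=lambda h, p: True))
```

Without the injected callables, `preflight()` uses the system resolver and a real TCP connect, so run it on nginx-htl itself: a backend that answers from the operator's workstation but not from 172.16.177.224 is exactly the case the wizard warns about.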

Backend Server Map (live): routing table generated from the NPM API (columns: Server, IP, Port, Scheme, Domains Served).

SSL Certificate Coverage

🔒 Wildcard Certificate (DNS-01)

Covers: herricklabs.com, *.herricklabs.com, *.herricktechlabs.com
Note: a wildcard matches exactly one label, so the herricktechlabs.com apex and any second-level name such as a.b.herricklabs.com are NOT covered by this SAN list.
NPM Cert ID: 19 (htl-cerberus-wildcard)
Method: acme.sh with GoDaddy DNS-01 TXT challenge
Renewal: Manual. The certificate is valid for 90 days; renew before day 60 rather than at expiry so a failed run leaves time to recover. The SonicWall does not affect this method, because DNS-01 needs no inbound connection.
Status: Preferred. All new proxy hosts should use this cert.

⚠ Let's Encrypt Certificates (HTTP-01)

Count: loaded live (individual certs)
Method: NPM built-in Certbot via HTTP-01 challenge on port 80
Renewal: Automatic by NPM, but only if the LE validators can reach port 80 on 71.246.225.101
Risk: the SonicWall NSa2700 blocks some LE validation IPs, and LE validates from several vantage points, so renewal WILL fail for some certs. Migrate each HTTP-01 cert to the wildcard before its expiry.
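The triage the two sections above imply, as an added example rather than portal code: given the certificate list, compute days to expiry (the dashboard's Next Cert Expiry), flag every HTTP-01 cert as renewal-risk, and decide whether its names can move to the wildcard, applying the one-label, no-apex rule. The input shape (id, nice_name, provider, domain_names, expires_on, meta.dns_challenge) is an assumption about what /npm-api/nginx/certificates returns; the acme.sh wildcard is assumed to appear in NPM as an uploaded (provider "other") certificate, and the sample records, their ids 7 and 11 and their dates are constructed.

```python
"""Certificate expiry and renewal-risk triage (added example, not portal code)."""
from datetime import datetime

WILDCARD_SANS = ("herricklabs.com", "*.herricklabs.com", "*.herricktechlabs.com")
WILDCARD_CERT_ID = 19          # htl-cerberus-wildcard (from the page)
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S"   # assumed format of NPM's expires_on field


def covered_by(domain, sans=WILDCARD_SANS):
    """Wildcard matching as browsers apply it: one label only, never the apex."""
    domain = domain.lower().rstrip(".")
    for san in sans:
        san = san.lower()
        if san.startswith("*."):
            head, sep, tail = domain.partition(".")
            if sep and tail == san[2:] and head and head != "*":
                return True
        elif san == domain:
            return True
    return False


def validation_method(cert):
    if cert.get("provider") != "letsencrypt":
        return "custom"            # uploaded cert, e.g. the acme.sh wildcard (assumption)
    return "DNS-01" if cert.get("meta", {}).get("dns_challenge") else "HTTP-01"


def days_left(cert, now):
    return (datetime.strptime(cert["expires_on"], EXPIRES_FMT) - now).days


def triage(certs, now, warn_days=30):
    """One row per cert, soonest expiry first, with the action the SSL strategy calls for."""
    rows = []
    for c in certs:
        method = validation_method(c)
        left = days_left(c, now)
        migratable = all(covered_by(d) for d in c["domain_names"])
        if method == "HTTP-01":
            # Port-80 validation may be blocked at the SonicWall: every HTTP-01 cert is at risk.
            action = ("migrate to wildcard" if migratable
                      else "cannot use wildcard (apex or other zone): fix the port-80 validation path")
        elif left <= warn_days:
            action = "renew now"
        else:
            action = "ok"
        rows.append({"id": c["id"], "name": c["nice_name"], "method": method,
                     "days_left": left, "at_risk": method == "HTTP-01" or left <= warn_days,
                     "action": action})
    return sorted(rows, key=lambda r: r["days_left"])


def next_expiry(certs, now):
    """The dashboard's Next Cert Expiry, in days."""
    return min(days_left(c, now) for c in certs)


# Constructed sample data shaped like the assumed NPM certificates response.
SAMPLE_NOW = datetime(2026, 4, 7)
SAMPLE_CERTS = [
    {"id": WILDCARD_CERT_ID, "nice_name": "htl-cerberus-wildcard", "provider": "other",
     "domain_names": list(WILDCARD_SANS), "expires_on": "2026-06-20 00:00:00", "meta": {}},
    {"id": 7, "nice_name": "prtg.herricklabs.com", "provider": "letsencrypt",
     "domain_names": ["prtg.herricklabs.com"], "expires_on": "2026-04-20 00:00:00",
     "meta": {"dns_challenge": False}},
    {"id": 11, "nice_name": "herricktechlabs.com", "provider": "letsencrypt",
     "domain_names": ["herricktechlabs.com"], "expires_on": "2026-05-15 00:00:00",
     "meta": {"dns_challenge": False}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CERTS, SAMPLE_NOW):
        print(row)
    print("next expiry in days:", next_expiry(SAMPLE_CERTS, SAMPLE_NOW))
```

The apex case is the one to watch: an HTTP-01 cert for herricktechlabs.com cannot simply be swapped for the wildcard, because no entry on the wildcard's SAN list matches the bare zone; that cert either needs the apex added to the acme.sh order or a working port-80 path.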
Audit trail (columns: Timestamp, User, Source IP, Action, Detail)
HTL NPM Portal Documentation. Herrick Technology Labs | CMMC Level 2 | Printed from npm.herricktechlabs.com
Documentation sections:
Getting Started: Overview, Quick Start
Infrastructure: Certificate Inventory, Proxy Host Inventory, Backend Server Map
Architecture: System Architecture, SSL / TLS Strategy, DNS Configuration
Operations: Add a New Domain, Manage Certificates, Troubleshooting
Compliance: CMMC L2 Controls, Compliance Evidence, Server Security, Security Findings
CMMC SC.L2-3.13.1: Rules are applied via sudo iptables. Changes are runtime-only until persisted with iptables-save; a reboot before saving reverts them, so save (and review the saved file) after every change.
Active chains: HTL-SAFE (anti-lockout), HTL-MGMT (management gate), HTL-SSH-LIMIT (brute-force), HTL-GEOIP (country blocking: CN, RU, KP, IR, BY). The GeoIP database auto-updates monthly via cron.
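A check worth running on the Raw iptables -S output before a manual rule goes live, as an added example (not portal code): it parses the listing and verifies that INPUT reaches the anti-lockout chain before any DROP/REJECT, that HTL-SAFE actually admits the management network to SSH, and that tcp/22 is routed through a rate-limiting chain. The chain names are the page's; the management subnet 172.16.177.0/24, the sample rulesets and the `recent`-module rules in them are constructed for the example.

```python
"""Lockout-safety audit of an `iptables -S` listing (added example, not portal code)."""
import shlex
import sys

TERMINAL = {"DROP", "REJECT"}


def parse_rules(text):
    """Return (policies, chains, rules); each rule is {chain, target, tokens}."""
    policies, chains, rules = {}, set(), []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks[0] == "-N":
            chains.add(toks[1])
        elif toks[0] == "-A":
            target = toks[toks.index("-j") + 1] if "-j" in toks else None
            rules.append({"chain": toks[1], "target": target, "tokens": toks[2:]})
    return policies, chains, rules


def _has(tokens, flag, value=None):
    """True if `flag` appears (optionally followed by `value`); copes with repeated -m."""
    return any(t == flag and (value is None or (i + 1 < len(tokens) and tokens[i + 1] == value))
               for i, t in enumerate(tokens))


def audit_ruleset(text, mgmt_net, safe_chain="HTL-SAFE", ssh_chain="HTL-SSH-LIMIT"):
    """Return a list of findings; an empty list means the ruleset passed."""
    policies, chains, rules = parse_rules(text)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    findings = []

    # 1. Anti-lockout: INPUT must jump to the safe chain before any terminal
    #    verdict, and must jump at all when the INPUT policy is DROP.
    jump_idx = next((i for i, r in enumerate(inp) if r["target"] == safe_chain), None)
    drop_idx = next((i for i, r in enumerate(inp) if r["target"] in TERMINAL), None)
    if safe_chain not in chains or jump_idx is None:
        if policies.get("INPUT") == "DROP" or drop_idx is not None:
            findings.append(f"LOCKOUT RISK: INPUT never jumps to {safe_chain}")
    elif drop_idx is not None and drop_idx < jump_idx:
        findings.append(f"LOCKOUT RISK: a DROP/REJECT precedes the {safe_chain} jump in INPUT")

    # 2. The safe chain must admit the management network to SSH
    #    (iptables -S prints the source in CIDR form, e.g. -s 172.16.177.0/24).
    admits = any(r["chain"] == safe_chain and r["target"] == "ACCEPT"
                 and _has(r["tokens"], "-s", mgmt_net) and _has(r["tokens"], "--dport", "22")
                 for r in rules)
    if not admits:
        findings.append(f"{safe_chain} has no ACCEPT for {mgmt_net} tcp/22")

    # 3. tcp/22 must be routed through a chain that rate limits (recent or limit match).
    routed = any(r["chain"] == "INPUT" and r["target"] == ssh_chain
                 and _has(r["tokens"], "--dport", "22") for r in rules)
    limited = any(r["chain"] == ssh_chain
                  and (_has(r["tokens"], "-m", "recent") or _has(r["tokens"], "-m", "limit"))
                  for r in rules)
    if not (routed and limited):
        findings.append(f"tcp/22 is not rate limited via {ssh_chain}")
    return findings


# Constructed sample listing in `iptables -S` syntax.
SAMPLE_GOOD = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N HTL-SAFE
-N HTL-SSH-LIMIT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j HTL-SAFE
-A INPUT -p tcp -m tcp --dport 22 -j HTL-SSH-LIMIT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A HTL-SAFE -s 172.16.177.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A HTL-SSH-LIMIT -m recent --set --name SSH --mask 255.255.255.255 --rsource
-A HTL-SSH-LIMIT -m recent --update --seconds 60 --hitcount 5 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A HTL-SSH-LIMIT -j ACCEPT
"""
# The mistake a hand-typed DROP inserted at the top of INPUT makes: it fires before HTL-SAFE.
SAMPLE_BAD = SAMPLE_GOOD.replace(
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j DROP\n-A INPUT -i lo -j ACCEPT")

if __name__ == "__main__":   # usage: sudo iptables -S | python3 audit_iptables.py
    for finding in audit_ruleset(sys.stdin.read(), "172.16.177.0/24") or ["OK: no findings"]:
        print(finding)
```

The listing cannot tell you whether the rules were saved; diff it against the file iptables-save wrote before treating the change as persistent.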
Fail2Ban page (live): service status, active jails, currently banned, manual ban/unban.
System page (live): network interfaces, Docker containers.

Network Tools page: active connections (click Connections to load), listening ports, traceroute, DNS lookup, interface bandwidth, 💻 system info.
Settings page:
🔐 Security
Notification channels, three endpoints each with cascade failover: 🔔 Discord webhooks, 💬 Teams webhooks, ✉ SMTP servers, 📡 Syslog servers, 📱 SMS via VOIP.ms (three DIDs)
📢 Alert Event Routing (CMMC IR.L2-3.6.1): matrix of event against channel (Discord, Teams, SMTP, SMS, Syslog)
📊 Notification Priority: cascade order (try the next server if the first fails)
🎨 Appearance
🔐 Users page status cards (live): Session, NPM Accounts (reverse proxy users), TOTP Enrolled, Pending Enrollment (awaiting first login), TOTP Enforcement (click to toggle).

📦 NPM Accounts
Nginx Proxy Manager native user database, managed through the NPM API; these accounts control who can manage proxy hosts. (Create NPM Account)

🔒 Portal Authentication (TOTP + SMS)
Two-factor authentication layer; the same code works for this portal AND the native NPM admin.
Columns: Email, TOTP, NPM 2FA Sync, Phone (SMS), Last Login, Count, Actions
🛡 TOTP Enforcement Policy
When ON: every portal login requires TOTP verification (production mode).
When OFF: password-only login is allowed (troubleshooting mode). Every bypass is audit-logged, so leave it OFF only for the duration of the troubleshooting and turn it back ON afterwards.
System overview: NPM Accounts control who can manage proxy hosts. Portal Authentication adds TOTP as a second factor. With TOTP unification the same authenticator entry works for both this portal and the native NPM admin at /npm-admin/, because both verify against one shared secret; a compromise of either secret store therefore defeats the second factor on both.
CMMC: AC.L2-3.1.1, IA.L2-3.5.1, IA.L2-3.5.3
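What the shared-secret verification and the enforcement toggle come down to, as an added example that is not the portal's code (the portal uses pyotp). It implements RFC 6238 TOTP from the standard library (HMAC-SHA1, 30-second step, 6 digits), which is what authenticator apps and pyotp produce, so one base32 secret yields the same code on both the portal and NPM side; the decision function shows how enforcement OFF lets the login through while producing the audit record. The audit record shape, the skew window of one step and the RFC 6238 reference secret are this example's own.

```python
"""TOTP second factor with the enforcement toggle (added example, not portal code)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference secret ("12345678901234567890" in base32), for the self-test.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 code for the given Unix time (HMAC-SHA1, dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, now, window=1, step=30):
    """Accept the current step plus `window` steps either side (clock skew),
    comparing in constant time so a wrong digit costs the same as a right one."""
    code = code.strip().replace(" ", "")
    return any(hmac.compare_digest(totp(secret_b32, now + k * step, step), code)
               for k in range(-window, window + 1))


def second_factor_decision(enforced, secret_b32, code, user, ip, now=None):
    """Return (allowed, audit_event).

    Enforcement ON: a missing, unenrolled or wrong code denies the login.
    Enforcement OFF: the login proceeds and the bypass is recorded for the audit trail.
    """
    now = time.time() if now is None else now
    base = {"user": user, "ip": ip, "when": int(now)}   # constructed audit record shape
    if secret_b32 and code and verify_totp(secret_b32, code, now):
        return True, {**base, "action": "totp_ok"}
    if not enforced:
        reason = "not enrolled" if not secret_b32 else "enforcement off"
        return True, {**base, "action": "totp_bypass", "reason": reason}
    return False, {**base, "action": "totp_fail"}


if __name__ == "__main__":
    # Same secret on both sides of the unification, same code: the portal and NPM agree.
    t = int(time.time())
    print("portal:", totp(RFC6238_SECRET, t), "npm:", totp(RFC6238_SECRET, t))
    print(second_factor_decision(False, RFC6238_SECRET, "", "ops", "203.0.113.7"))
```

Keep the skew window small: each extra step either side widens the set of codes an attacker can replay from a shoulder-surfed screen, and the audit record for a bypass should carry the reason so a later review can separate "enforcement was switched off" from "user never enrolled".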
v6.1 2026-04-07 DR-2026-0407
Major UX modernization — user management redesign, TOTP unification, profile menu, interactive firewall templates, and comprehensive visual polish across all pages.
  • FEAT
    User Management Redesign — Status dashboard with 4 live cards, clear NPM vs Portal sections with distinct color coding, TOTP enforcement toggle with server-side bypass and audit logging.
  • FEAT
    TOTP Unification — Portal and NPM now share the same TOTP secret. One authenticator app entry, one code, works for both systems. Syncs on enrollment, reset, and delete.
  • FEAT
    Profile Menu — Top-right avatar button with dropdown: change password (NPM API validated), TOTP status view, quick access to settings, sign out.
  • FEAT
    Firewall Quick Templates — 7 one-click buttons for common rules (Allow SSH, HTTPS, HTTP, NPM, Ping, Block IP, Log Traffic). Auto-fills the form and scrolls to it.
  • FEAT
    Network Topology Upgrade — Expanded SVG with service name detection, hover detail panels, better connection curves. Recognizes PRTG, UniFi, Mail, VPN, NAS, Git, RDP services.
  • UX
    Global Visual Polish — Micro-interactions, staggered card animations, table row accents, custom scrollbars, cert expiry progress bars, proxy status dots, sidebar live badges (8 indicators).
  • UX
    Log Viewer Enhancement — Syntax highlighting: IPs in blue, timestamps in grey, ports in orange, severity levels color-coded. Line count display.
  • UX
    Modal Modernization — All confirm()/prompt() dialogs replaced with styled modals. Dark modal headers, type-to-confirm for destructive actions, input validation.
  • SEC
    Production Hardening — healthcheck.sh (5-point check), disk-cleanup.sh, logrotate config, systemd v5.1 update. All branding updated to Herrick Technology Labs.
  • FIX
    Help Button — Page guide ? button redesigned from bare circle to labeled pill. All 14 pages have complete guide content with export buttons.
v5.1 2026-03-10 DR-2026-0310-017, DR-2026-0310-019
Major backend and frontend upgrade. Server-side CMMC compliance scanner (20 controls with live evidence), triple-redundant notification engine (Discord/Teams/SMTP/Syslog x3 each with cascade failover), persistent settings, and fully rebuilt Settings page.
  • FEAT
    CMMC Compliance Scanner (20 controls) — Server-side live scan replacing 6 client-side checks. Covers AC, IA, AU, SC, SI, IR, CM, RA, AT families. Each control: ID, title, description, verification method, PASS/WARN/FAIL status, live evidence. Expandable evidence panels. Export Evidence Package button downloads JSON.
    server.py — /portal-api/cmmc-scan | index.html — runCMMCChecks()
  • FEAT
    Triple-redundant notification engine — 5 channel types x 3 endpoints each (15 total). Cascade failover: try Primary, fail to Backup, fail to Tertiary. Priority ordering (drag to reorder). 7 event types routed per channel.
    server.py — fire_alert(), _fire_channel() | settings.json
  • FEAT
    Settings page rebuilt — Security config (timeout, lockout, max failures), Discord x3 with test, Teams x3 with test, SMTP x3 with test, Syslog x3, Alert Event Matrix (events x channels grid), Notification Priority (reorderable), Cascade toggle. All persistent in vault (chmod 600).
    index.html — page-settings | server.py — /portal-api/settings
  • SEC
    Settings persistence — /opt/npm/portal/settings.json auto-created on first boot, chmod 600. SMTP passwords redacted in GET responses. Partial updates supported (POST merges with existing). Audit-logged.
    server.py — load_portal_settings(), save_portal_settings()
v5.0.2 2026-03-10 DR-2026-0310-012, DR-2026-0310-013
Added contextual help system across all pages, integrated export engine for compliance evidence, and built-in changelog page. Every page now has a guide button explaining what it does and what you can export.
  • FEAT
    Page Guide system — Every page header now has a ? button that opens a slide-out panel with: what the page does, what actions are available, quick tips, and export options. Written in plain English for busy operators.
    index.html — 14 guide buttons, ~23KB of CSS + JS
  • FEAT
    Export engine — 16 export functions across the portal. Proxy hosts (CSV/JSON), certificates (CSV), audit log (CSV/JSON), firewall rules, Fail2Ban status, system report, user list (CSV), topology data (JSON), dashboard summary, changelog (HTML), log viewer (clipboard). All exports include timestamps and proper formatting for compliance packages.
    index.html — Export functions in JS block
  • FEAT
    Changelog page — New 16th SPA page with structured version history. Each entry has version number, date, session ID, change items with category badges (FIX/FEAT/PERF/SEC), file paths, and evidence. Known limitations section at bottom.
    index.html — page-changelog div + sidebar nav
v5.0.1 2026-03-09 DR-2026-0309-003
Full codebase audit and targeted bug fixes. Fixed 3 bugs, 1 stub, 16 CSS duplicates, and enabled Classic NPM Admin access through the portal. All changes verified end-to-end with backup/rollback capability.
  • FIX
    CMMC Compliance Panel stuck on spinning icons
    Dashboard panel never resolved because JS targeted nonexistent element ID cmmc-items and used wrong CSS classes. Fixed 4 references: element ID and 3 class names.
    index.html — Lines 1825, 1851
    cmmc-items → cmmc-checks | cmmc-icon → check-icon | cmmc-name → check-label | cmmc-sub → check-detail
  • FIX
    Classic NPM Admin white screen / API not healthy
    Three-layer nginx sub_filter fix. NPM v2.13.6 uses JS backtick template literals for API URLs, React Router needed basename injection, and Vite chunk loader needed base path rewrite.
    server_proxy.conf — 5 new sub_filter rules
    Layer 1: backtick /api/ rewrite | Layer 2: React Router basename="/npm-admin" | Layer 3: Vite VO() base URL resolver
  • FIX
    Server 500 on /?native=1
    The view called the undefined function _proxy_npm_raw(). Added redirect to the Flask imports and replaced the call with a redirect to /npm-admin/.
    server.py — Lines 33, 1162
  • FEAT
    DNS Lookup tool implemented
    Previously a stub showing "coming in v5." Now calls /portal-api/network/tool with dig. Output XSS-escaped. Auth uses Bearer TOKEN pattern matching all other portal API calls.
    index.html — Line 2564
  • PERF
    Removed unused Archivo font import
    Google Fonts link loaded Archivo (4 weights, ~100KB) but no CSS rule ever referenced it. Removed from link tag, keeping JetBrains Mono.
    index.html — Line 14
  • PERF
    CSS deduplication — 16 rules removed
    7 selectors had 2-4 duplicate definitions. CSS cascade means last definition wins, so earlier copies were dead code. Removed: .f2b-jail ×3, .f2b-jail-name ×3, .f2b-stat ×3, .sys-card ×3, .log-viewer ×1, .conn-table ×1, .sb-section ×2. Zero visual change due to cascade.
    index.html — Multiple lines in CSS block
  • SEC
    XSS fix in DNS error rendering
    The DNS lookup error path rendered d.error directly into innerHTML without escaping. Added .replace(/</g,'&lt;') so a server error message cannot open a tag; this is sufficient only because the value lands in text content, not inside an attribute.
    index.html — Line 2573
  • FIX
    Connections table monospace font restored
    Pre-existing bug: last CSS definition of .conn-table was missing font-family:var(--mono). Network connections were rendering in sans-serif instead of monospace. Added the missing property.
    index.html — Line 762
  • FIX
    Bandwidth section shows informative message
    loadBandwidth() was an empty stub causing "Loading..." to display forever. Now shows "Bandwidth monitoring not yet configured for this host."
    index.html — Line 2596
v5.0 2026-03-06 Initial Release
Complete rewrite from v4 http.server to Flask. Custom portal SPA with integrated NPM management, TOTP authentication, CMMC compliance monitoring, and full admin dashboard.
  • FEAT
    Flask-based portal with SPA architecture
    Single-page application with 15 integrated pages: Dashboard, Proxy Hosts, Certificates, Wizard, Topology, Audit Log, Documentation, Firewall, Fail2Ban, Log Viewer, System, Network Tools, Settings, Users, Changelog.
  • SEC
    Two-step authentication
    Step 1: NPM username/password via NPM API. Step 2: Portal TOTP via pyotp. 15-minute sliding session window. Per-IP rate limiting with 5-attempt lockout.
  • SEC
    Security headers
    CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cache-Control. All enforced via Flask after_request hook.
  • FEAT
    CMMC L2 audit logging
    5W1H JSONL audit trail: WHO (user + session + IP + UA), WHAT (action), WHEN (UTC), WHERE (resource), HOW (detail). Append-only at /opt/npm/portal/audit.jsonl.
  • FEAT
    Integrated NPM proxy
    All NPM API calls proxied through /npm-api/* to localhost:81. Supports GET/POST/PUT/DELETE with auth passthrough.
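The two-step login's rate limiting and sliding session from the v5.0 entry above, written out as an added example rather than server.py code. The figures from the page are the 5-attempt lockout and the 15-minute sliding window; the lockout duration (15 minutes), counting failures over the same 15 minutes, and storing the NPM bearer token's own expiry in the session so a portal session cannot outlive the token it fronts, are this example's assumptions. Times are passed in explicitly so the behaviour is deterministic.

```python
"""Per-IP lockout and sliding-window sessions (added example, not server.py)."""
import secrets
from collections import defaultdict, deque

MAX_FAILURES = 5            # 5-attempt lockout (from the page)
SESSION_TIMEOUT = 15 * 60   # 15-minute sliding session window (from the page)
FAILURE_WINDOW = 15 * 60    # assumed: failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration


class LoginGuard:
    """Counts failed step-1 logins per source IP and locks the IP out."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > FAILURE_WINDOW:
            q.popleft()

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Returns True when this failure is the one that triggers the lockout."""
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.failures[ip].clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


class SessionStore:
    """Sessions that slide on activity and die with their NPM token."""

    def __init__(self):
        self.sessions = {}

    def create(self, user, npm_token_exp, now):
        # npm_token_exp: the exp claim of the JWT NPM returned at step 1 (assumption)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "last_seen": now, "npm_token_exp": npm_token_exp}
        return sid

    def touch(self, sid, now):
        """Validate and slide. Returns the session, or None if unknown or expired.
        Checking the NPM token expiry here, not only on the next API call,
        stops a session from looking valid after the token it relies on is gone."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > SESSION_TIMEOUT or now >= s["npm_token_exp"]:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s


if __name__ == "__main__":
    guard, ip = LoginGuard(), "203.0.113.7"      # constructed client address
    for t in range(0, 50, 10):
        print("failure at", t, "locked:", guard.record_failure(ip, t))
    store = SessionStore()
    sid = store.create("ops", npm_token_exp=2000, now=0)
    print([store.touch(sid, t) is not None for t in (800, 1600, 2100)])
```

Key the guard on the real peer address: behind the SonicWall NAT the portal still sees the client's source IP, so only trust an X-Forwarded-For value if a proxy you control sets it, otherwise an attacker chooses which bucket their failures land in.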
⚠ Known Limitations
  • Classic NPM Admin — sub_filter rules target minified JS variable names (VG, VO). An NPM container upgrade will change these names and require updating server_proxy.conf.
  • Session keepalive race — If the NPM bearer token expires independently, the portal session remains "valid" until the next real API call triggers a 401.
  • Bandwidth monitoring — No backend data source exists. The Network Tools page shows an informational message.
Maintained under CMMC L2 change control (CM.L2-3.4.3) — All modifications tracked via AI session protocol