qacafe - ip test solutions

How can I password protect and encrypt BuddyWeb?

BuddyWeb
Authentication and encryption are not provided by BuddyWeb 2.0 (CDRouter 5.0 and up) because of the internal components used to build it. Both can be added by placing the Apache web server in front of BuddyWeb as an authenticating proxy. These instructions are written for Ubuntu but should serve as a guide for any supported Linux distribution.

For the remainder of this article, we will refer to BuddyWeb 2.0 as simply BuddyWeb.

In this model, an Apache server is configured with optional encryption and optional authentication to proxy requests to BuddyWeb. The Apache server can be a separate machine or the same as the BuddyWeb host. If the Apache server has a public Internet address, it can be used to proxy Internet traffic to a private BuddyWeb NAT address.

Our example model assumes that BuddyWeb is running on the host 172.16.1.99, port 8015.

NOTE: This configuration assumes a fresh install of Apache. If you are merging this configuration into an existing Apache setup, the results are undefined.

Please run the following from a terminal:

sudo apt-get install apache2
sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_http

Next, edit the file /etc/apache2/mods-enabled/proxy.conf. First set ProxyRequests to Off; if you enable it, you turn your server into an open relay, which is very easily abused. Then replace the Proxy configuration block with the following and save the file. Note that 172.16.1.99 is the address of the BuddyWeb server, which may or may not be the same IP as the server running the Apache proxy:

        # Setting ProxyRequests to On makes you an open relay! Be careful!
        # (Apache does not accept comments after a directive on the same line,
        # so the warning has to sit on its own line.)
        ProxyRequests Off
        <Proxy 172.16.1.99>
                AddDefaultCharset off
                Order deny,allow
                Deny from all
                Allow from 172.16.1.99
        </Proxy>

Please ensure that /etc/apache2/ports.conf is configured to listen on port 443:

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

In the htpasswd command below, <buddyweb user> can be any username you wish. This is the username you will use to access BuddyWeb; htpasswd prompts for the password when it runs.

sudo htpasswd -c /usr/buddyweb/etc/apache_auth <buddyweb user>

The following is a preconfigured Apache virtual host. Edit the file /etc/apache2/sites-enabled/buddyweb-proxy and paste the following configuration into it. Be sure to replace the example IP addresses below with your own:

# To enable encrypted access to BuddyWeb on port 443, leave this VirtualHost defined.
# To disable access, delete or comment this block with leading #.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
  <Location />
    AuthType Basic
    AuthName "Login to Buddyweb 2.0"
    AuthUserFile /usr/buddyweb/etc/apache_auth
    Require valid-user
  </Location>

  ProxyPass / http://172.16.1.99:8015/
  ProxyPassReverse / http://172.16.1.99:8015/
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/ssl_access.log combined
  LogLevel warn

  SSLEngine on
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  SSLCertificateFile /usr/buddyweb/certs/server.pem
  SSLCertificateKeyFile /usr/buddyweb/certs/skey.pem
  BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>

# To enable unencrypted access to BuddyWeb on port 80, leave this VirtualHost defined.
# To disable access, delete or comment this block with leading #.
<VirtualHost _default_:80>
  <Location />
    AuthType Basic
    AuthName "Login to Buddyweb 2.0"
    AuthUserFile /usr/buddyweb/etc/apache_auth
    Require valid-user
  </Location>

  ProxyPass / http://172.16.1.99:8015/
  ProxyPassReverse / http://172.16.1.99:8015/
  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/ssl_access.log combined
  LogLevel warn

</VirtualHost>
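
The two settings above that actually carry the security of this model are ProxyRequests Off (anything else is an open relay) and Require valid-user in every VirtualHost that proxies to BuddyWeb. The script below is an added example, not QA Cafe's code: a small lint you can run over a proxy configuration before restarting Apache. It also flags a trailing comment on a directive line, which Apache rejects at startup. The file paths and the two sample configurations are constructed for the demonstration; GOOD_CONF mirrors this article's settings and BAD_CONF shows the failure cases.

```shell
#!/bin/sh
# Added example (not QA Cafe's code): lint an Apache proxy configuration for
# the settings this article treats as security-critical before restarting
# Apache. Paths and the two sample configs below are constructed for the demo.

# check_proxy_config FILE
# Prints each finding; returns 0 when FILE passes every check, 1 otherwise.
check_proxy_config() {
    file=$1
    status=0

    # 1. ProxyRequests must be Off. "On" makes the server an open forward
    #    proxy (relay). Comment lines start with '#' and are not matched.
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$file"; then
        echo "$file: ProxyRequests is On (open relay)"
        status=1
    fi

    # 2. Apache does not accept a comment after a directive on the same line;
    #    the server refuses to start. Heuristic: a line that starts with a
    #    directive name, contains no double quotes, and has ' #' later on.
    if grep -Eq '^[[:space:]]*[A-Za-z][^#"]*[[:space:]]#' "$file"; then
        echo "$file: trailing comment on a directive line"
        status=1
    fi

    # 3. Every VirtualHost must carry 'Require valid-user'; otherwise that
    #    listener proxies to BuddyWeb without asking for a password.
    missing=$(awk '
        /^[[:space:]]*<VirtualHost/              { in_vh = 1; vh = $0; has_auth = 0 }
        in_vh && /Require[[:space:]]+valid-user/ { has_auth = 1 }
        /^[[:space:]]*<\/VirtualHost>/           { if (in_vh && !has_auth) print vh; in_vh = 0 }
    ' "$file")
    if [ -n "$missing" ]; then
        echo "$file: VirtualHost without Require valid-user: $missing"
        status=1
    fi

    return $status
}

# Constructed sample configs: GOOD_CONF follows the article, BAD_CONF has the
# open-relay setting, a trailing comment, and an unauthenticated port-80 host.
SAMPLE_DIR=$(mktemp -d)
GOOD_CONF=$SAMPLE_DIR/good.conf
BAD_CONF=$SAMPLE_DIR/bad.conf

cat > "$GOOD_CONF" <<'EOF'
# Setting ProxyRequests to On makes you an open relay
ProxyRequests Off
<VirtualHost _default_:443>
  <Location />
    AuthType Basic
    AuthName "Login to Buddyweb 2.0"
    AuthUserFile /usr/buddyweb/etc/apache_auth
    Require valid-user
  </Location>
  ProxyPass / http://172.16.1.99:8015/
  ProxyPassReverse / http://172.16.1.99:8015/
</VirtualHost>
EOF

cat > "$BAD_CONF" <<'EOF'
ProxyRequests On #Setting to On makes you an open relay!
<VirtualHost _default_:80>
  ProxyPass / http://172.16.1.99:8015/
  ProxyPassReverse / http://172.16.1.99:8015/
</VirtualHost>
EOF

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if check_proxy_config "$conf"; then
        echo "$conf: OK"
    else
        echo "$conf: FAILED"
    fi
done
```

Run it against /etc/apache2/mods-enabled/proxy.conf and /etc/apache2/sites-enabled/buddyweb-proxy after editing them; a non-zero exit means one of the three checks failed and the configuration should not be restarted into service. The checks are deliberately simple text matches, so they are a pre-flight guard rather than a substitute for `apache2ctl configtest`.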

If you enable port 80 access, you must remove the default port 80 site; otherwise requests on port 80 will reach the system's default test page instead of BuddyWeb.

sudo rm /etc/apache2/sites-enabled/000-default

Now that the above file is saved, restart Apache:

sudo /etc/init.d/apache2 restart

This will start the Apache server. There may be some runtime warnings, but it should start and be accessible at https://<your Apache IP>/. Keep in mind that it uses the BuddyWeb self-signed certificate, so you may have to add a security exception to accept the certificate the first time. This is normally done once per web browser, which stores the certificate from then on. After the certificate has been accepted, the browser will ask for a username and password each time it is started.

Restricting direct access to the BuddyWeb port (8015)

To complete this security model, you may wish to block direct access to the BuddyWeb 8015 port. If this port remains open, users can connect directly to BuddyWeb, bypassing the above security requirements (encryption and authentication).

If your BuddyWeb uses a private NAT address and you wish for other clients in the same subnet to have direct access to BuddyWeb without authentication, you can simply skip this step.

The host running BuddyWeb, which may or may not also be the Apache host, must have the following two iptables firewall rules applied:

sudo iptables -t filter -A INPUT  -p tcp  -s 127.0.0.1/32 --dport 8015 -j ACCEPT
sudo iptables -t filter -A INPUT -p tcp ! -s 172.16.1.99/32 --dport 8015 -j REJECT

Since iptables rules are evaluated top-down, these rules will not work if applied out of order. The first rule allows access to BuddyWeb from the BuddyWeb host itself; this is required, as BuddyWeb uses a localhost connection to manage itself. The second rule rejects every connection to port 8015 except those from the Apache host, so if Apache runs on a separate machine, the source address in that rule must be the Apache proxy's address. All other requests to port 8015 will be rejected.
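
To see why the order matters without touching a live firewall, the following added example (not QA Cafe's code) simulates first-match evaluation of the two port-8015 rules for a few source addresses. The rule files are constructed in iptables-save style from the two commands above; 192.0.2.10 stands in for any other client. It assumes the INPUT chain's default policy is ACCEPT, which is the case on a fresh Ubuntu install.

```shell
#!/bin/sh
# Added example (not QA Cafe's code): simulate first-match evaluation of the
# two INPUT rules from this article so the effect of rule order can be seen
# without touching a live firewall. Rule files are constructed in
# iptables-save style; 192.0.2.10 is a constructed "other client" address.

# verdict_for SRC RULES_FILE
# Walks the port-8015 INPUT rules top-down and prints the target of the first
# rule whose source match fits SRC; prints POLICY when no rule matches (the
# packet then gets the chain's default policy, ACCEPT on a fresh Ubuntu host).
verdict_for() {
    awk -v src="$1" '
        /^-A INPUT / && /--dport 8015/ {
            neg = 0; rsrc = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") {
                    rsrc = $(i + 1); sub(/\/32$/, "", rsrc)
                    neg = ($(i - 1) == "!")      # "! -s ADDR" negates the match
                }
                if ($i == "-j") target = $(i + 1)
            }
            hit = (rsrc == "") || (neg ? src != rsrc : src == rsrc)
            if (hit) { print target; found = 1; exit }
        }
        END { if (!found) print "POLICY" }
    ' "$2"
}

RULE_DIR=$(mktemp -d)
ORDERED=$RULE_DIR/ordered.rules      # the order the article prescribes
REVERSED=$RULE_DIR/reversed.rules    # the same two rules, swapped

cat > "$ORDERED" <<'EOF'
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8015 -j ACCEPT
-A INPUT ! -s 172.16.1.99/32 -p tcp -m tcp --dport 8015 -j REJECT --reject-with icmp-port-unreachable
EOF

cat > "$REVERSED" <<'EOF'
-A INPUT ! -s 172.16.1.99/32 -p tcp -m tcp --dport 8015 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8015 -j ACCEPT
EOF

for rules in "$ORDERED" "$REVERSED"; do
    echo "== $(basename "$rules")"
    for src in 127.0.0.1 172.16.1.99 192.0.2.10; do
        printf '%-12s -> %s\n' "$src" "$(verdict_for "$src" "$rules")"
    done
done
```

With the rules in the prescribed order, localhost is accepted by the first rule, the Apache host falls through both rules to the chain policy, and everyone else is rejected. With the rules swapped, the REJECT rule matches localhost first and BuddyWeb's own management connection is cut off. The fall-through for the Apache host is worth noting: if your INPUT chain policy is DROP rather than ACCEPT, you need an explicit ACCEPT rule for the Apache host's address ahead of the REJECT.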
