===== rdiffWeb behind Apache reverse proxy =====

> [[http://www.rdiffweb.org/|rdiffWeb]] is a web interface for browsing and restoring from [[http://rdiff-backup.nongnu.org/|rdiff-backup]] repositories. It is written in Python and is distributed under the GPL license.

This describes a hardened setup in comparison to the default rdiffWeb [[http://www.cherrypy.org/|CherryPy]] server listening on a non-ssl port and doing custom form-based authentication.

The rdiffWeb server will be bound to ''localhost'' only. External access is wrapped via [[http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#examples|Apache reverse proxy]] ((http://en.wikipedia.org/wiki/Reverse_proxy)) using a [[http://httpd.apache.org/docs/2.2/mod/mod_ssl.html|ssl socket]] ((http://en.wikipedia.org/wiki/Secure_Sockets_Layer)) in combination with [[http://httpd.apache.org/docs/2.2/howto/auth.html#gettingitworking|HTTP Basic Authentication]] ((http://en.wikipedia.org/wiki/Basic_access_authentication)).

Note that this setup **requires two ports** - here 54322 bound to localhost (CherryPy) and 54321 bound to _ALL_/ssl (Apache).


==== Setup rdiffWeb ====

<note tip>
This is a copy & paste walkthrough: Almost all required actions might be done non-interactively.
</note>

  - # Prerequisites
   <code bash>
aptitude install alien python-cherrypy3
</code>
  - # Fetch and install rdiffWeb ("testing" release, as of 2010-01-22)
   <code bash>
wget http://www.rdiffweb.org/releases/rdiffWeb-0.6.3-1.noarch.rpm
alien rdiffWeb-0.6.3-1.noarch.rpm
dpkg -i rdiffweb_0.6.3-2_all.deb 
chmod go+rx /etc/rdiffweb
</code>
  - # Configuration
   <code bash>
cp /etc/rdiffweb/rdw.conf.sample /etc/rdiffweb/rdw.conf
cat >> /etc/rdiffweb/rdw.conf <<EOF
ServerHost=localhost
ServerPort=54322
EOF
</code>
  - # Authentication
   <code bash>
cat <<COMMENT
username: admin   
password: xxxxx

Each user has a user root directory.  This root directory acts much as the system root directory.  All backup repositories must be within this directory.
Examples: /var/backup/repos
Enter the root directory for 'admin': /data/backup
User added successfully.

Do you want me to automatically search the user's root directory for backup repositories? [yes]: yes
COMMENT
rdiff-web-config
</code>
  - # Start daemon (cherrypy webserver)
   <code bash>
/etc/init.d/rdiff-web start
</code>


==== Configure Apache reverse proxy ====

This adds additional security through SSL and HTTP Authentication.

<note tip>
This is a copy & paste walkthrough: Almost all required actions might be done non-interactively.
</note>

  - # Enable Apache's proxy modules
   <code bash>
a2enmod proxy
a2enmod proxy_http
</code>
  - # Configure Authentication
   <code bash>
htpasswd -c /etc/rdiffweb/htpasswd admin
</code>
  - # Apache configuration for rdiffWeb reverse proxy
   <code bash>
cat > /etc/rdiffweb/apache.conf <<EOF
ProxyRequests On

ProxyPass        / http://localhost:54322/
ProxyPassReverse / http://localhost:54322/

<Proxy *>
    Order deny,allow
    #Allow from all

    AuthType basic
    AuthName "rdiffWeb"
    AuthUserFile /etc/rdiffweb/htpasswd
    Require valid-user
    
    SSLRequireSSL
</Proxy>
EOF
</code>
  - # Apache configuration for SSL virtual host (we use an extra port here in order not to waste ip addresses)
   <code bash>
cat <<COMMENT
$ nano /etc/apache2/sites-enabled/www.example.net-ssl
Listen 54321
<VirtualHost www.example.net:54321>

        ServerName www.example.net
        ServerAlias www.example.net

        SSLEngine On
        SSLCipherSuite  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

        SSLCACertificateFile /etc/apache2/ssl/certs/root.pem
        SSLCertificateKeyFile /etc/apache2/ssl/keys/server.key
        SSLCertificateFile /etc/apache2/ssl/certs/server.pem

        SetEnvIf User-Agent ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
                SSLOptions +StdEnvVars
        </Files>
        
        # optional
        #LogLevel debug


        DocumentRoot /srv/www/www.example.net-ssl/htdocs

        Include /etc/rdiffweb/apache.conf

</VirtualHost>
COMMENT

echo "Use CTRL + Z to send me to background in order to make required configuration to your Apache default SSL virtual host config"
echo "Please press ENTER to continue with restarting Apache (or CTRL + C if you won't)"
read

apache2ctl configtest && /etc/init.d/apache2 restart
</code>


==== Check ====
https://www.example.net:54321/


{{tag>backup rdiff-backup}}