
rdiffWeb behind Apache reverse proxy

rdiffWeb is a web interface for browsing and restoring from rdiff-backup repositories. It is written in Python and is distributed under the GPL license.

This describes a hardened setup compared with the default rdiffWeb CherryPy server, which listens on a non-SSL port and uses its own form-based authentication.

The rdiffWeb server is bound to localhost only. External access goes through an Apache reverse proxy, over an SSL socket, combined with HTTP Basic Authentication.

Note that this setup uses two ports: here 54322, bound to localhost (CherryPy), and 54321, bound to all interfaces with SSL (Apache).

Setup rdiffWeb

This is a copy & paste walkthrough: almost all required actions can be done non-interactively.

  1. # Prerequisites
    aptitude install alien python-cherrypy3
  2. # Fetch and install rdiffWeb (“testing” release, as of 2010-01-22); alien converts the RPM to a .deb
    wget http://www.rdiffweb.org/releases/rdiffWeb-0.6.3-1.noarch.rpm
    alien rdiffWeb-0.6.3-1.noarch.rpm
    dpkg -i rdiffweb_0.6.3-2_all.deb
    chmod go+rx /etc/rdiffweb
  3. # Configuration: bind the CherryPy server to localhost only
    cp /etc/rdiffweb/rdw.conf.sample /etc/rdiffweb/rdw.conf
    cat >> /etc/rdiffweb/rdw.conf <<EOF
    ServerHost=localhost
    ServerPort=54322
    EOF
  4. # Authentication (rdiff-web-config is interactive; the transcript below shows the prompts and the answers given)
    cat <<COMMENT
    username: admin
    password: xxxxx

    Each user has a user root directory.  This root directory acts much as the system root directory.  All backup repositories must be within this directory.
    Examples: /var/backup/repos
    Enter the root directory for 'admin': /data/backup
    User added successfully.

    Do you want me to automatically search the user's root directory for backup repositories? [yes]: yes
    COMMENT
    rdiff-web-config
  5. # Start daemon (CherryPy webserver)
    /etc/init.d/rdiff-web start

Configure Apache reverse proxy

This puts transport encryption (SSL) and HTTP Basic Authentication in front of rdiffWeb.

This is a copy & paste walkthrough: almost all required actions can be done non-interactively.

  1. # Enable Apache's proxy modules
    a2enmod proxy
    a2enmod proxy_http
  2. # Configure Authentication (creates the htpasswd file and prompts for the admin password)
    htpasswd -c /etc/rdiffweb/htpasswd admin
  3. # Apache configuration for rdiffWeb reverse proxy
    cat > /etc/rdiffweb/apache.conf <<EOF
    # Reverse proxy only: forward proxying stays off, otherwise Apache would
    # relay arbitrary requests for any client that passes the <Proxy *> ACL.
    ProxyRequests Off

    ProxyPass        / http://localhost:54322/
    ProxyPassReverse / http://localhost:54322/

    <Proxy *>
        Order deny,allow
        #Allow from all

        AuthType Basic
        AuthName "rdiffWeb"
        AuthUserFile /etc/rdiffweb/htpasswd
        Require valid-user

        SSLRequireSSL
    </Proxy>
    EOF
  4. # Apache configuration for SSL virtual host (we use an extra port here in order not to waste IP addresses)
    cat <<COMMENT
    $ nano /etc/apache2/sites-enabled/www.example.net-ssl
    Listen 54321
    <VirtualHost www.example.net:54321>

            ServerName www.example.net
            ServerAlias www.example.net

            SSLEngine On
            # Only strong ciphers: no NULL, export-grade, LOW or SSLv2 suites
            SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!SSLv2

            SSLCACertificateFile /etc/apache2/ssl/certs/root.pem
            SSLCertificateKeyFile /etc/apache2/ssl/keys/server.key
            SSLCertificateFile /etc/apache2/ssl/certs/server.pem

            SetEnvIf User-Agent ".*MSIE.*" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
                    SSLOptions +StdEnvVars
            </Files>

            # optional
            #LogLevel debug


            DocumentRoot /srv/www/www.example.net-ssl/htdocs

            Include /etc/rdiffweb/apache.conf

    </VirtualHost>
    COMMENT

    echo "Use CTRL + Z to send this script to the background while you apply the configuration above to your Apache SSL virtual host"
    echo "Please press ENTER to continue with restarting Apache (or CTRL + C to abort)"
    read

    apache2ctl configtest && /etc/init.d/apache2 restart
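
The fragments above are easy to get subtly wrong (forward proxying left on, a cipher string that adds NULL or export-grade suites, a <Proxy> block without an authentication requirement). The following script is an added example, not code from the wiki page or from the rdiffWeb project: a small static audit that greps an Apache fragment for exactly those settings. The two sample fragments it writes to a temporary directory are constructed for the example, one reproducing a weak variant of the proxy configuration and one a hardened variant; the file paths, the `SSLProtocol` line and the cipher string in the hardened sample are the example's own choices, not something the page prescribes.

```shell
#!/bin/sh
# Added example (not code from the original wiki page): a static audit of the
# Apache fragments created above. It flags the settings a reviewer would
# question on a reverse proxy: forward proxying left on (ProxyRequests On), an
# SSLCipherSuite that positively enables NULL, EXPORT, LOW or SSLv2 ciphers,
# and a <Proxy> block that lacks "Require valid-user" or "SSLRequireSSL".
# The two sample fragments written below are constructed for this example.

# audit_apache_fragment FILE  -> prints one finding per line (none if clean)
audit_apache_fragment() {
    file="$1"

    # A reverse proxy never needs forward proxying; with it on, Apache will
    # relay arbitrary requests for any client that passes the <Proxy *> ACL.
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$file"; then
        echo "$file: ProxyRequests On (should be Off for a reverse proxy)"
    fi

    # Look at each ':'-separated cipher token. A leading '!' removes a cipher
    # class, so only bare or '+'-prefixed weak tokens count as findings.
    cipher=$(sed -nE 's/^[[:space:]]*SSLCipherSuite[[:space:]]+(.*[^[:space:]])[[:space:]]*$/\1/p' "$file" | head -n 1)
    old_ifs=$IFS; IFS=':'
    for tok in $cipher; do
        case "${tok#+}" in
            eNULL|aNULL|NULL|EXP|EXPORT*|LOW|SSLv2)
                echo "$file: SSLCipherSuite enables weak token '$tok'" ;;
        esac
    done
    IFS=$old_ifs

    # Inside a <Proxy> block, demand both an authenticated user and SSL.
    if grep -Eiq '^[[:space:]]*<Proxy' "$file"; then
        grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$file" \
            || echo "$file: <Proxy> block without 'Require valid-user'"
        grep -Eiq '^[[:space:]]*SSLRequireSSL' "$file" \
            || echo "$file: <Proxy> block without SSLRequireSSL"
    fi
}

# audit_count FILE -> number of findings for FILE
audit_count() {
    audit_apache_fragment "$1" | wc -l | tr -d '[:space:]'
}

# --- constructed samples: a weak proxy fragment next to a hardened one ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
ProxyRequests On
ProxyPass        / http://localhost:54322/
ProxyPassReverse / http://localhost:54322/
<Proxy *>
    Order deny,allow
    SSLRequireSSL
</Proxy>
SSLCipherSuite  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
EOF
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
ProxyRequests Off
ProxyPass        / http://localhost:54322/
ProxyPassReverse / http://localhost:54322/
<Proxy *>
    AuthType Basic
    AuthName "rdiffWeb"
    AuthUserFile /etc/rdiffweb/htpasswd
    Require valid-user
    SSLRequireSSL
</Proxy>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
EOF

# Run the audit over both samples; the weak one yields six findings, the
# hardened one none. Point it at /etc/rdiffweb/apache.conf to audit the real file.
for f in "$SAMPLE_DIR/weak.conf" "$SAMPLE_DIR/good.conf"; do
    echo "== $f: $(audit_count "$f") finding(s)"
    audit_apache_fragment "$f"
done
```

The audit only inspects one fragment at a time, so run it against both /etc/rdiffweb/apache.conf and the SSL virtual host file; the cipher check deliberately treats `!EXPORT56` as harmless because the `!` prefix removes the class rather than enabling it.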

Check
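
The walkthrough above rests on two properties: the CherryPy server on port 54322 is reachable from localhost only, and the Apache port 54321 refuses anonymous requests while serving authenticated ones. The script below is an added example, not part of the original page, that checks both. It assumes `ss -ltn` (or `netstat -ltn`) and `curl` are available on the host, and the host name, credentials and CA file path it uses are placeholders taken from the page's example values; the `ss` listings embedded in it are constructed so the socket check can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original wiki page. Two post-setup checks:
#   1. the CherryPy server (port 54322) listens on loopback addresses only;
#   2. the Apache SSL port (54321) answers 401 to an anonymous request and
#      200 to a request carrying valid Basic-auth credentials.
# Host name, credentials and CA file are placeholders/assumptions.
CA_FILE="${RDW_CA:-/etc/apache2/ssl/certs/root.pem}"   # assumed CA path

# loopback_only PORT  (reads `ss -ltn` or `netstat -ltn` output on stdin)
# Succeeds only if at least one LISTEN socket is on PORT and every such
# socket is bound to 127.0.0.1 or ::1. Column 4 is "addr:port" in both tools.
loopback_only() {
    awk -v port="$1" '
        $4 ~ /:/ && ($1 == "LISTEN" || $6 == "LISTEN") {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "::1" && addr != "[::1]") bad = 1
        }
        END { if (found && !bad) exit 0; exit 1 }'
}

# http_status URL [USER:PASS]  -> prints the HTTP status code (000 on failure)
http_status() {
    url="$1"; creds="$2"
    set -- -s -o /dev/null --max-time 10 -w '%{http_code}' --cacert "$CA_FILE"
    [ -n "$creds" ] && set -- "$@" -u "$creds"
    curl "$@" "$url"
}

# auth_verdict ANON_STATUS AUTH_STATUS -> prints PASS, or a FAIL line saying
# which expectation (401 anonymous, 200 authenticated) was not met.
auth_verdict() {
    anon="$1"; authed="$2"
    if [ "$anon" != "401" ]; then
        echo "FAIL: anonymous request got $anon, expected 401 (Basic auth not enforced?)"
    elif [ "$authed" != "200" ]; then
        echo "FAIL: authenticated request got $authed, expected 200"
    else
        echo "PASS"
    fi
}

# --- constructed `ss -ltn` listings for exercising loopback_only offline ---
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:54322    0.0.0.0:*
LISTEN 0      128    *:54321            *:*'
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:54322      0.0.0.0:*
LISTEN 0      128    *:54321            *:*'

# --- live run against the real host, only when explicitly requested ---
if [ "${RUN_LIVE_CHECKS:-0}" = "1" ]; then
    HOST="${RDW_HOST:-www.example.net}"      # placeholder host name
    CREDS="${RDW_CREDS:-admin:changeme}"     # placeholder credentials
    if { ss -ltn 2>/dev/null || netstat -ltn; } | loopback_only 54322; then
        echo "PASS: 54322 is bound to loopback only"
    else
        echo "FAIL: 54322 listens on a non-loopback address (or not at all)"
    fi
    auth_verdict "$(http_status "https://$HOST:54321/")" \
                 "$(http_status "https://$HOST:54321/" "$CREDS")"
fi
```

Run it with `RUN_LIVE_CHECKS=1 RDW_HOST=... RDW_CREDS=... sh check.sh` on the server itself; without that variable the script only defines the functions and the sample listings, which is what lets it be tested without a running rdiffWeb.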

setup/rdiffweb-behind-apache-reverse-proxy.txt · Last modified: 2010/01/31 22:12 by amo