rdiffWeb is a web interface for browsing and restoring from rdiff-backup repositories. It is written in Python and is distributed under the GPL license.
This page describes a hardened setup, in contrast to the default in which the rdiffWeb CherryPy server listens on a non-SSL port and does its own form-based authentication.
The rdiffWeb server will be bound to localhost only. External access is wrapped via an Apache reverse proxy using an SSL socket in combination with HTTP Basic Authentication.
Note that this setup requires two ports: here 54322 bound to localhost (CherryPy) and 54321 bound to all interfaces with SSL (Apache).
aptitude install alien python-cherrypy3
wget http://www.rdiffweb.org/releases/rdiffWeb-0.6.3-1.noarch.rpm
alien rdiffWeb-0.6.3-1.noarch.rpm
dpkg -i rdiffweb_0.6.3-2_all.deb
chmod go+rx /etc/rdiffweb
cp /etc/rdiffweb/rdw.conf.sample /etc/rdiffweb/rdw.conf
cat >> /etc/rdiffweb/rdw.conf <<EOF
ServerHost=localhost
ServerPort=54322
EOF
cat <<COMMENT
username: admin
password: xxxxx
Each user has a user root directory. This root directory acts much as the
system root directory. All backup repositories must be within this directory.
Examples: /var/backup/repos
Enter the root directory for 'admin': /data/backup
User added successfully.
Do you want me to automatically search the user's root directory for backup repositories? [yes]: yes
COMMENT
rdiff-web-config
/etc/init.d/rdiff-web start
This adds additional security through SSL and HTTP Authentication.
a2enmod proxy
a2enmod proxy_http
htpasswd -c /etc/rdiffweb/htpasswd admin
cat > /etc/rdiffweb/apache.conf <<EOF
# Reverse proxy only; with ProxyRequests On Apache would also act as a forward proxy
ProxyRequests Off
ProxyPass / http://localhost:54322/
ProxyPassReverse / http://localhost:54322/
<Proxy *>
    Order deny,allow
    #Allow from all
    AuthType basic
    AuthName "rdiffWeb"
    AuthUserFile /etc/rdiffweb/htpasswd
    Require valid-user
    SSLRequireSSL
</Proxy>
EOF
cat <<'COMMENT'
$ nano /etc/apache2/sites-enabled/www.example.net-ssl
Listen 54321
<VirtualHost www.example.net:54321>
    ServerName www.example.net
    ServerAlias www.example.net
    SSLEngine On
    # Strong ciphers only: no anonymous, NULL-encryption, export or SSLv2 suites
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5
    SSLCACertificateFile /etc/apache2/ssl/certs/root.pem
    SSLCertificateKeyFile /etc/apache2/ssl/keys/server.key
    SSLCertificateFile /etc/apache2/ssl/certs/server.pem
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$">
        SSLOptions +StdEnvVars
    </Files>
    # optional
    #LogLevel debug
    DocumentRoot /srv/www/www.example.net-ssl/htdocs
    Include /etc/rdiffweb/apache.conf
</VirtualHost>
COMMENT
echo "Use CTRL + Z to send me to background in order to make required configuration to your Apache default SSL virtual host config"
echo "Please press ENTER to continue with restarting Apache (or CTRL + C if you won't)"
read -r reply
apache2ctl configtest && /etc/init.d/apache2 restart
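To confirm the listener layout described above after both services are up, the following check can be run; it is an added example, not part of the original page or of rdiffWeb. It assumes `ss` from iproute2 is available, and the function name `check_listeners` and both sample socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening sockets for the layout this page describes.
# Input: `ss -ltn` output on stdin. Args: backend (CherryPy) and frontend (Apache) ports.
check_listeners() {
    awk -v b="$1" -v f="$2" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == b) {
                seen_b = 1
                # The backend speaks plain HTTP, so only loopback is acceptable.
                if (host != "127.0.0.1" && host != "[::1]") {
                    print "FAIL backend port " b " exposed on " host
                    bad = 1
                }
            }
            if (port == f) seen_f = 1
        }
        END {
            if (!seen_b) { print "FAIL backend port " b " not listening"; bad = 1 }
            if (!seen_f) { print "FAIL frontend port " f " not listening"; bad = 1 }
            if (!bad) print "OK"
            exit bad + 0
        }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_HARDENED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      127.0.0.1:54322    0.0.0.0:*
LISTEN 0      128    0.0.0.0:54321      0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:54322      0.0.0.0:*
LISTEN 0      128    0.0.0.0:54321      0.0.0.0:*'

printf '%s\n' "$SAMPLE_HARDENED" | check_listeners 54322 54321   # prints OK
printf '%s\n' "$SAMPLE_EXPOSED"  | check_listeners 54322 54321 || true
# On the live host: ss -ltn | check_listeners 54322 54321
```

A non-zero exit status means the CherryPy port is reachable without passing through Apache, or one of the two listeners is missing.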