» Do it. Now.

rdiffWeb is a web interface for browsing and restoring from rdiff-backup repositories. It is written in Python and is distributed under the GPL license.

This describes a hardened setup in comparison to the default rdiffWeb CherryPy server listening on a non-ssl port and doing custom form-based authentication.

The rdiffWeb server will be bound to localhost only. External access is wrapped via Apache reverse proxy ¹⁾ using a ssl socket ²⁾ in combination with HTTP Basic Authentication ³⁾.

Note that this setup requires two ports - here 54322 bound to localhost (CherryPy) and 54321 bound to _ALL_/ssl (Apache).

1. # Prerequisites

   aptitude install alien python-cherrypy3 

2. # Fetch and install rdiffWeb (“testing” release, as of 2010-01-22)

   wget http://www.rdiffweb.org/releases/rdiffWeb-0.6.3-1.noarch.rpm 
   alien rdiffWeb-0.6.3-1.noarch.rpm 
   dpkg -i rdiffweb_0.6.3-2_all.deb  
   chmod go+rx /etc/rdiffweb 

3. # Configuration

   cp /etc/rdiffweb/rdw.conf.sample /etc/rdiffweb/rdw.conf 
   cat >> /etc/rdiffweb/rdw.conf <<EOF 
   ServerHost=localhost 
   ServerPort=54322 
   EOF 

4. # Authentication

   cat <<COMMENT 
   username: admin    
   password: xxxxx 
    
   Each user has a user root directory.  This root directory acts much as the system root directory.  All backup repositories must be within this directory. 
   Examples: /var/backup/repos 
   Enter the root directory for 'admin': /data/backup 
   User added successfully. 
    
   Do you want me to automatically search the user's root directory for backup repositories? [yes]: yes 
   COMMENT 
   rdiff-web-config 

5. # Start daemon (cherrypy webserver)

   /etc/init.d/rdiff-web start 

This adds additional security through SSL and HTTP Authentication.

1. # Enable Apache's proxy modules

   a2enmod proxy 
   a2enmod proxy_http 

2. # Configure Authentication

   htpasswd -c /etc/rdiffweb/htpasswd admin 

3. # Apache configuration for rdiffWeb reverse proxy

   cat > /etc/rdiffweb/apache.conf <<EOF 
   ProxyRequests On 
    
   ProxyPass        / http://localhost:54322/ 
   ProxyPassReverse / http://localhost:54322/ 
    
   <Proxy *> 
       Order deny,allow 
       #Allow from all 
    
       AuthType basic 
       AuthName "rdiffWeb" 
       AuthUserFile /etc/rdiffweb/htpasswd 
       Require valid-user 
    
       SSLRequireSSL 
   </Proxy> 
   EOF 

4. # Apache configuration for SSL virtual host (we use an extra port here in order not to waste ip addresses)

   cat <<COMMENT 
   $ nano /etc/apache2/sites-enabled/www.example.net-ssl 
   Listen 54321 
   <VirtualHost www.example.net:54321> 
    
           ServerName www.example.net 
           ServerAlias www.example.net 
    
           SSLEngine On 
           SSLCipherSuite  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
    
           SSLCACertificateFile /etc/apache2/ssl/certs/root.pem 
           SSLCertificateKeyFile /etc/apache2/ssl/keys/server.key 
           SSLCertificateFile /etc/apache2/ssl/certs/server.pem 
    
           SetEnvIf User-Agent ".*MSIE.*" \ 
                   nokeepalive ssl-unclean-shutdown \ 
                   downgrade-1.0 force-response-1.0 
           <Files ~ "\.(cgi|shtml|phtml|php3?|php|inc)$"> 
                   SSLOptions +StdEnvVars 
           </Files> 
    
           # optional 
           #LogLevel debug 
    
    
           DocumentRoot /srv/www/www.example.net-ssl/htdocs 
    
           Include /etc/rdiffweb/apache.conf 
    
   </VirtualHost> 
   COMMENT 
    
   echo "Use CTRL + Z to send me to background in order to make required configuration to your Apache default SSL virtual host config" 
   echo "Please press ENTER to continue with restarting Apache (or CTRL + C if you won't)" 
   read 
    
   apache2ctl configtest && /etc/init.d/apache2 restart 

https://www.example.net:54321/