WAPT server security (Debian/NGINX)

nicolas.pissard

November 18, 2022 - 2:02 PM

Good morning,

I would like to password-protect access to the WAPT server's web pages.
I managed to set up .htaccess protection (by generating a .htaccess file beforehand) by adding the following to the NGINX configuration file:

/etc/nginx/sites-enabled/wapt.conf

Code:

auth_basic                  "WAPT Restrict AREA";
auth_basic_user_file        /etc/apache2/.htpasswd;

The problem is that from the console, I can't connect to the server because I don't know how to add the user and password to the URL.
When I add them, it doesn't work...

Do you have a solution to secure web access with a password and make it accessible via the console?

Thank you for your help.

Sincerely
alain17

November 25, 2022 - 09:16

Good morning,

I understand your need for security, but unfortunately I don't think it's possible this way. You can still try entering the following address for the server (source) in your console to check if it is valid, recognized and functional:

Code:

<user>:<password>@<adresse_serveur>/wapt

Replace username, password, and server_address with your preferred values, then manually update the HTTP or HTTPS paths, depending on your configuration. Keep in mind, however, that you are transmitting a password in plain text over your network, which is no more secure than not using one at all ;)

I advise you to turn to an IP address restriction if you really want to prevent someone from accessing it. And if your concern is preventing machines from declaring themselves, you should change the registration method to use Kerberos, for example.
nicolas.pissard

November 29, 2022 - 4:41 PM

Hello,
Thank you for your reply.

The idea behind this server is for it to be a reference/private repository for our other WAPT servers in our various locations.
Only one workstation will have the console, since we only want to use the repository.
Therefore, we have to make it accessible from the public IP address and thus the internet.
For this reason, the first security measure would be a password.
Secondly, IP restriction seems adequate, but I don't know how to configure NGINX in this way. Furthermore, we use a VPN, and the addresses are not often the same.

I will try your solution for the address and keep you informed.

Have a good day.
Best regards.
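
An added example, not part of the thread and not WAPT's shipped configuration: the IP restriction discussed above combined with the password check from the first post, in generic NGINX syntax. The server name, certificate paths and address ranges are placeholders, and the thread does not establish whether the WAPT console can answer a Basic auth challenge.

```nginx
# Added example: generic NGINX, placeholders marked as such.
server {
    listen 443 ssl;
    server_name wapt.example.org;                              # placeholder

    ssl_certificate     /etc/nginx/ssl/wapt.example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/wapt.example.org.key;   # placeholder path

    location / {
        # Address allow-list. When client addresses change between VPN
        # sessions, list the VPN egress range rather than single hosts.
        allow 192.0.2.0/24;     # documentation range, replace with the VPN range
        allow 203.0.113.10;     # documentation address, replace with a fixed site IP
        deny  all;

        # Password check from the first post; here it only travels inside TLS.
        auth_basic           "WAPT Restrict AREA";
        auth_basic_user_file /etc/apache2/.htpasswd;

        # satisfy all: the request must pass the address check AND the password.
        # satisfy any: either one is enough, so the password becomes a fallback
        #              for clients outside the listed ranges.
        satisfy all;

        # The existing root / alias / proxy_pass directives of the site stay here.
    }
}

# Plain HTTP serves nothing and only redirects to HTTPS.
server {
    listen 80;
    server_name wapt.example.org;                              # placeholder
    return 301 https://$host$request_uri;
}
```

After editing, `nginx -t` checks the syntax before the service is reloaded.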
florentR2

November 29, 2022 - 4:53 PM

At our end, we filtered the /login at the reverse proxy level.
vcardon
WAPT Expert

November 29, 2022 - 7:19 PM

Authenticating machines using client certificates appears to be the most suitable method.

Machines without a valid client certificate receive a 403 error when attempting to contact the server.
Vincent CARDON
Tranquil IT
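
An added example, not part of the thread and not Tranquil IT's configuration: one way to get the behaviour described above (a 403 for machines without a valid client certificate) in generic NGINX. The server name, file paths and the log format name are placeholders.

```nginx
# Added example: generic NGINX, placeholders marked as such.
# log_format belongs to the http context; a file under sites-enabled is
# normally included there, so it can sit at the top of the file.
log_format clientcert '$remote_addr [$time_local] "$request" $status '
                      'verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name wapt.example.org;                              # placeholder

    ssl_certificate     /etc/nginx/ssl/wapt.example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/wapt.example.org.key;   # placeholder path

    # CA bundle that issued the machines' client certificates.
    ssl_client_certificate /etc/nginx/ssl/clients-ca.crt;      # placeholder path

    # "optional" lets the TLS handshake complete without a certificate so the
    # decision is made per request below. With "on", NGINX itself answers
    # 400 when no certificate is sent, not 403.
    ssl_verify_client optional;

    # Record the verification result and subject DN of every request so that
    # rejected clients show up in the log.
    access_log /var/log/nginx/wapt_clientcert.log clientcert;  # placeholder path

    location / {
        # $ssl_client_verify is SUCCESS, NONE (no certificate sent) or
        # FAILED:<reason>. Anything but SUCCESS is refused.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # The existing root / alias / proxy_pass directives of the site stay here.
    }
}
```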
nicolas.pissard

February 8, 2023 - 1:18 PM

Hello,

Still aiming for a centralized and secure repository, is it possible to use a simple FTP server with read access via a restricted username/password account for packages, instead of a full WAPT server installation?
Adding a package to this server would be done with a separate account with write permissions.

Then, would it be possible to add it (with a URL containing the restricted username/password account) as a repository in the local WAPT console?

Finally, if all of this is feasible, how can I list the packages so they are displayed in the local WAPT console (scanpackages)?

Thank you for your help.

Sincerely,
nicolas.pissard

March 9, 2023 - 2:11 PM

Good morning,

I'm making progress in my private central repository without installing wapt.

I managed to create my server without installing Wapt Server and with Nginx secured with https and password (httpwd).

However, I cannot find the scripts to create a repository: tis-waptrepo for version 1.8.

To move forward, I imported the complete /opt/wapt folder from a working server onto my server.

I created a bash script that reproduces this:

Code:

#!/bin/bash
# Give the wapt user and the web server group ownership of the repository
chown -R wapt:www-data /var/www/wapt

# Sign the packages in the repository
PYTHONPATH=/opt/wapt PYTHONHOME=/opt/wapt python /opt/wapt/wapt-signpackages.py -s --message-digest=sha256,sha1 -c /tmp/cert.crt /var/www/wapt/*.wapt

# Scan the repository and regenerate the Packages file
PYTHONHOME=/opt/wapt PYTHONPATH=/opt/wapt /opt/wapt/bin/python /opt/wapt/wapt-scanpackages.py -r -f -ldebug /var/www/wapt

Everything works rather well, the debug does not display any errors, renaming the wapt file correctly with MD5, and generating the Packages file.
I can see my package list from the console of another server.

However, when I try to download it, I consistently get the following message:

"Download cancelled. The downloaded file xxxxx... is corrupted; the MD5 checksum does not match."

However, when you look at the file name, the contents of Packages, the MD5 sum is indeed the same...

I don't understand....

Could you tell me what I need to do? Or where I can find scripts to generate the packages without MD5 errors?

Thank you.

Sincerely
dcardon
WAPT Expert

March 10, 2023 - 11:27

Hello Nicolas,

Please refrain from necroposting [1] (reviving an old thread). I'm locking this topic; you can open a new one with your question, specifying your OS version, WAPT version, and edition.

Regards,

Denis

[1] https://www.urbandictionary.com/define. ... croposting
Denis Cardon - Tranquil IT