[Resolved] Question about publishing WAPT using a reverse proxy on the internet

jeancharles
Messages: 21
Registration: June 11, 2019 - 10:02

January 10, 2020 - 2:59 PM

Hello everyone and Happy New Year, full of updated packages! :)

I'm considering setting up a reverse proxy publication (Kemp Free Load Master) for the WAPT service, to allow direct contact and deployment to machines connected to the internet via WAPT.
My questions are:

Can port 443 be published to the server "simply," or is a workaround necessary to allow WebSockets through?

What are the security risks? Could an attacker easily brute-force accounts, and can this be blocked by adding Fail2ban or a similar solution?

Thank you for your insights,

Jean-Charles
jeancharles
Messages: 21
Registration: June 11, 2019 - 10:02

January 13, 2020 - 11:19

And more generally, do you think this is a good idea or an aberration?

My WAPT server is currently running Windows 2012 R2, and I manage 60 clients using community version 1.7.4 6232.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

January 13, 2020 - 4:43 PM

A very simple thing to do is install a WAPT repository in the DMZ.

Then, perform an rsync of the packages you want from the main WAPT repository to this DMZ repository.

And there you have it, you'll only be offered the WAPT packages you want.
sfonteneau
WAPT Expert
Messages: 2318
Registered: July 10, 2014 - 11:52 PM

January 13, 2020 - 9:17 PM

Edit: I didn't understand the need

Yes, you can set up a proxy in the DMZ that acts as a reverse proxy towards your internal WAPT server; here's how to secure access

Example with an Apache reverse proxy:

<VirtualHost 0.0.0.0:443>
    ServerName wapt.domain.fr

    SSLEngine On
    SSLProxyEngine On
    SSLCertificateKeyFile /etc/ssl/private/srvwapt.key
    SSLCertificateFile /etc/ssl/private/srvwapt.crt
    Include /etc/apache2/conf-available/ssl.conf

    SSLProxyVerify on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-interne.crt

    ErrorLog /var/log/apache2/wapt-error.log
    CustomLog /var/log/apache2/wapt-access.log combined

    SSLCACertificateFile /etc/apache2/cawapt.crt

    <Location />
        SSLVerifyClient require
        ProxyAddHeaders On
        ProxyPass "https://srvwapt.ad.domain.fr/"
    </Location>
</VirtualHost>

You can retrieve the SSLCACertificateFile from /opt/wapt/conf/ca-srvwapt.ad.tranquil.it.crt on your wapt server.

Some related documentation:
https://www.wapt.fr/fr/doc/wapt-securit...ation.html

Example of an NGINX reverse proxy configuration:

server {
    listen 443 ssl http2;
    server_name wapt.domain.fr;
    ssl_certificate /etc/ssl/private/srvwapt.pem;
    ssl_certificate_key /etc/ssl/private/srvwapt.pem;
    client_max_body_size 50M;

    ssl_client_certificate "/opt/wapt/conf/wapt-serverauth-ca.crt";
    ssl_verify_client optional;

    location / {
        proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
        proxy_set_header X-Ssl-Client-DN $ssl_client_s_dn;
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
        proxy_pass https://srvwapt.ad.domain.fr/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

There are probably still some modifications to be made to the DNS records and the HTTPS certificate.
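The property both configurations above depend on is that the proxy never forwards a request to the internal WAPT server unless the client presented a certificate signed by the WAPT CA. The following check, added here as an example and not part of the original post, reads a proxy configuration and confirms that property holds for both the Apache form (`SSLVerifyClient require`) and the NGINX form (`ssl_verify_client on`, or `optional` with the `$ssl_client_verify` guard placed before `proxy_pass`). The embedded configurations are constructed, shortened copies of the ones posted; the function names are the example's own.

```python
import re

# Constructed, shortened copies of the two configurations posted above.
APACHE_OK = """
<VirtualHost 0.0.0.0:443>
    SSLEngine On
    SSLCACertificateFile /etc/apache2/cawapt.crt
    <Location />
        SSLVerifyClient require
        ProxyPass "https://srvwapt.ad.domain.fr/"
    </Location>
</VirtualHost>
"""
NGINX_OK = """
server {
    ssl_client_certificate "/opt/wapt/conf/wapt-serverauth-ca.crt";
    ssl_verify_client optional;
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
        proxy_pass https://srvwapt.ad.domain.fr/;
    }
}
"""
# Weakened variants: a proxy that forwards to WAPT without a verified client cert.
APACHE_WEAK = APACHE_OK.replace("SSLVerifyClient require", "SSLVerifyClient optional")
NGINX_WEAK = re.sub(r"if \(\$ssl_client_verify[^}]*\}\s*", "", NGINX_OK)

def apache_requires_client_cert(conf):
    """True if a CA is configured and every client must present a valid cert."""
    has_ca = re.search(r"^\s*SSLCACertificateFile\s+\S+", conf, re.M)
    required = re.search(r"^\s*SSLVerifyClient\s+require\b", conf, re.M)
    return bool(has_ca and required)

def nginx_requires_client_cert(conf):
    """True if an unverified client can never reach proxy_pass: 'on' rejects in the
    TLS handshake; 'optional' is only safe with a 4xx guard ahead of proxy_pass."""
    has_ca = re.search(r"^\s*ssl_client_certificate\s+\S+", conf, re.M)
    mode = re.search(r"^\s*ssl_verify_client\s+(\w+)", conf, re.M)
    if not (has_ca and mode):
        return False
    if mode.group(1) == "on":
        return True
    if mode.group(1) != "optional":
        return False
    guard = re.search(r"if\s*\(\s*\$ssl_client_verify\s*!=\s*SUCCESS\s*\)\s*\{\s*return\s+4\d\d;", conf)
    upstream = re.search(r"^\s*proxy_pass\s+", conf, re.M)
    return bool(guard and upstream and guard.start() < upstream.start())
```

Run it against the real vhost or server block before exposing the proxy; a config that forwards without the guard answers the original question's "what are the risks" with an unauthenticated path to the WAPT server.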
jeancharles
Messages: 21
Registration: June 11, 2019 - 10:02

January 14, 2020 - 9:50 AM

Thanks, that seems perfect. I have split DNS, so I can use the same DNS name and certificate internally and externally.

My main concern was that WebSockets wouldn't pass through the reverse proxy, and that it might be inadvisable to publish WAPT resources on the internet from a security standpoint.

I'll look into that; it will be more user-friendly for me since I use Kemp Free Load Master (free), which allows reverse proxying via a user interface.
https://support.kemptechnologies.com/hc ... LoadMaster