
[Resolved] Question about publishing WAPT using a reverse proxy on the internet

Published: January 10, 2020 - 2:59 PM
by jeancharles
Hello everyone and Happy New Year, full of updated packages! :)

I'm considering setting up a reverse proxy publication (Kemp Free Load Master) for the WAPT service, to allow direct contact and deployment to machines connected to the internet via WAPT.
My questions are:

Can port 443 be published to the server "simply", or is it necessary to use a workaround to allow WebSockets?

What are the security risks? Could an attacker easily brute-force accounts, and can this be blocked by adding Fail2ban or a similar solution?

Thank you for your insights,

Jean-Charles

Re: Question about publishing WAPT via reverse proxy on the Internet

Published: January 13, 2020 - 11:19 AM
by jeancharles
And more generally, do you think this is a good idea or an aberration?

My WAPT server is currently running Windows 2012 R2, and I manage 60 clients using community version 1.7.4 6232.

Re: Question about publishing WAPT via reverse proxy on the Internet

Published: January 13, 2020 - 4:43 PM
by sfonteneau
A very simple thing to do is install a WAPT repository in the DMZ.

Then, perform an rsync of the packages you want from the main WAPT repository to this DMZ repository.

And there you have it, you'll only be offered the WAPT packages you want.

Re: Question about publishing WAPT via reverse proxy on the Internet

Published: January 13, 2020 - 9:17 PM
by sfonteneau
Edit: I didn't understand the need.

Yes, you can set up a proxy in the DMZ that acts as a reverse proxy towards your internal WAPT server; here's how to secure access.

Example with an Apache reverse proxy:


<VirtualHost 0.0.0.0:443>
    ServerName wapt.domain.fr

    # TLS towards the Internet-facing WAPT agents
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateKeyFile /etc/ssl/private/srvwapt.key
    SSLCertificateFile    /etc/ssl/private/srvwapt.crt
    Include /etc/apache2/conf-available/ssl.conf

    # TLS towards the internal WAPT server: verify its certificate against the internal CA
    SSLProxyVerify on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-interne.crt

    ErrorLog  /var/log/apache2/wapt-error.log
    CustomLog /var/log/apache2/wapt-access.log combined

    # CA that issued the WAPT agents' client certificates (copied from the WAPT server)
    SSLCACertificateFile /etc/apache2/cawapt.crt

    <Location />
        # Only clients presenting a certificate signed by that CA get through; the handshake itself rejects the others
        SSLVerifyClient require
        ProxyAddHeaders On
        ProxyPass "https://srvwapt.ad.domain.fr/"
    </Location>
</VirtualHost>

You can retrieve the SSLCACertificateFile from /opt/wapt/conf/ca-srvwapt.ad.tranquil.it.crt on your wapt server.

Some related documentation:
https://www.wapt.fr/fr/doc/wapt-securit...ation.html

Example of an NGINX reverse proxy configuration:

server {
    listen 443 ssl http2;
    server_name wapt.domain.fr;
    # Server certificate and key (here both in the same PEM file)
    ssl_certificate     /etc/ssl/private/srvwapt.pem;
    ssl_certificate_key /etc/ssl/private/srvwapt.pem;
    client_max_body_size 50M;

    # CA that issued the WAPT agents' client certificates
    ssl_client_certificate "/opt/wapt/conf/wapt-serverauth-ca.crt";
    # "optional" lets the handshake complete without a certificate,
    # so the check in the location block must reject unauthenticated clients itself
    ssl_verify_client optional;

    location / {
        proxy_set_header X-Ssl-Authenticated $ssl_client_verify;
        proxy_set_header X-Ssl-Client-DN $ssl_client_s_dn;
        # $ssl_client_verify is SUCCESS only when a certificate was presented and validated against the CA
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
        proxy_pass https://srvwapt.ad.domain.fr/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}


There are probably still some modifications to be made to the DNS records and the HTTPS certificate.
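With `ssl_verify_client optional`, as in the NGINX config above, the TLS handshake still succeeds for a client that presents no certificate, so the `if ($ssl_client_verify != SUCCESS)` guard in every `location` is what actually keeps unauthenticated clients away from the WAPT server (Apache's `SSLVerifyClient require` does the same at the handshake instead). Here is an added config check, not part of the original post or of WAPT, that flags a missing guard; the sample configs are constructed and the check assumes non-nested location blocks.

```python
import re

# Constructed samples: the client-certificate gate from the NGINX config above, with and without the guard.
GATED = """
server {
    ssl_client_certificate "/opt/wapt/conf/wapt-serverauth-ca.crt";
    ssl_verify_client optional;
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
        proxy_pass https://srvwapt.ad.domain.fr/;
    }
}
"""
UNGATED = GATED.replace("if ($ssl_client_verify != SUCCESS) {\n            return 401;\n        }\n", "")

# A location only enforces client auth if it returns 4xx when nginx did not verify the certificate.
GUARD = re.compile(r'if\s*\(\s*\$ssl_client_verify\s*!=\s*"?SUCCESS"?\s*\)\s*\{\s*return\s+4\d\d')

def _blocks(conf, name):
    """Yield the body of each `name ... { ... }` block, following nested braces."""
    for m in re.finditer(r'\b' + name + r'\b[^{]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def mtls_gate_findings(conf):
    """Return the problems found with the client-certificate gate (empty list = every location is gated)."""
    findings = []
    if not re.search(r'^\s*ssl_client_certificate\s', conf, re.M):
        findings.append("ssl_client_certificate missing: no CA to validate client certificates against")
    m = re.search(r'^\s*ssl_verify_client\s+(\w+)\s*;', conf, re.M)
    mode = m.group(1) if m else "off"
    if mode == "on":
        return findings  # the TLS handshake itself rejects clients without a valid certificate
    if mode == "off":
        findings.append("ssl_verify_client off or absent: anyone on the Internet reaches the WAPT server")
        return findings
    if mode == "optional_no_ca":
        findings.append("optional_no_ca: the client certificate is not checked against the CA")
    # optional / optional_no_ca: the handshake completes without a certificate,
    # so each location must reject requests where $ssl_client_verify is not SUCCESS
    for n, body in enumerate(_blocks(conf, "location"), 1):
        if not GUARD.search(body):
            findings.append(f"location #{n}: missing `if ($ssl_client_verify != SUCCESS) {{ return 4xx; }}` guard")
    return findings
```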

Re: Question about publishing WAPT via reverse proxy on the Internet

Published: January 14, 2020 - 9:50 AM
by jeancharles
Thanks, that seems perfect. I have split DNS, so I can use the same DNS name and certificate internally and externally.

My main concern was that WebSockets wouldn't pass through the reverse proxy, and that it might be inadvisable to publish WAPT resources on the internet from a security standpoint.

I'll look into that; it will be more user-friendly for me since I use Kemp Free Load Master (free), which allows reverse proxying via a user interface.
https://support.kemptechnologies.com/hc ... LoadMaster