Difficulty configuring server protection using a client certificate

Questions about WAPT Server / Requests and help related to the WAPT server
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Locked
lrobinot
Messages: 2
Registration: Oct 29, 2019 - 08:55

December 10, 2020 - 8:34 AM

Hello, I am at step 2 of our installation.

I want to protect our WAPT server, accessible on the internet, using client certificate authentication.

I believe I followed the documentation https://www.wapt.fr/fr/doc/wapt-securit...ation.html which, incidentally, isn't entirely consistent with the nginx files generated by version 1.8.2.7334. After adding the line "include /etc/nginx/certificate-auth.conf;" wherever I think it's necessary, I can run "wapt-get update", but launching and attempting authentication on the console returns a 401 error. On the WAPT server, in the nginx logs I have:

xxxx - admin [07/Dec/2020:17:19:37 +0100] "POST /api/v3/login HTTP/1.0" 401 195 "-" "waptconsole/1.8.2.7334"

My nginx configuration file is as follows:

Code:

server {
    listen                      80;
    listen                      [::]:80;
    server_name                 _;
    return 301                  https://$host$request_uri;
}

server {
    listen                      443 ssl;
    server_name                 _;

    ssl_certificate             "/opt/wapt/waptserver/ssl/cert.pem";
    ssl_certificate_key         "/opt/wapt/waptserver/ssl/key.pem";
    ssl_protocols               TLSv1.2;
    ssl_dhparam                 /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers   on;
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_session_cache           none;
    ssl_session_tickets         off;

    # CA that client certificates must chain to; "optional" means the TLS
    # handshake still succeeds without a certificate, and enforcement is left
    # to the certificate-auth.conf snippet included in the locations below
    ssl_client_certificate "/opt/wapt/conf/ca-wapt.public.geovar.net.crt";
    ssl_verify_client optional;

    gzip_min_length     1000;
    gzip_buffers        4 8k;
    gzip_http_version   1.0;
    gzip_disable        "msie6";
    gzip_types          text/plain text/css application/json;
    gzip_vary           on;

    index index.html;

    location / {
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # be sure these headers are not forwarded
        proxy_set_header X-Ssl-Client-Dn  "";
        proxy_set_header X-Ssl-Authenticated  "";

        client_max_body_size 4096m;
        client_body_timeout 1800;

        # static assets and the CA download: no certificate check here
        location /static {
            alias "/opt/wapt/waptserver/static";
        }

        location /ssl {
            alias "/var/www/ssl";
        }

        # agent installers and repository index files: certificate check
        location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json)$ {
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";

            include /etc/nginx/certificate-auth.conf;

            root "/var/www";
        }

        # package repositories: certificate check
        location ~ ^/(wapt/.*|waptwua/.*|wapt-diff-repos/.*)$ {
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";

            include /etc/nginx/certificate-auth.conf;

            root "/var/www";
        }

        # host-specific packages: certificate check
        location ~ ^/(wapt-host/.*)$ {
            log_not_found off;
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";

            include /etc/nginx/certificate-auth.conf;

            root "/var/www";
        }

        # everything else is proxied to the waptserver process on 127.0.0.1:8080
        location / {
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";
            proxy_set_header X-Real-IP  $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            client_max_body_size 4096m;
            client_body_timeout 1800;

            location /add_host_kerberos {
                return 403;
            }

            location /wapt-host/Packages {
                    return 403;
            }

            # API and console login (/api/v3/login) land here: certificate check
            location / {
                add_header X-Forwarded-List $http_x_forwarded_for;
                add_header X-Remote-IP $remote_addr;

                include /etc/nginx/certificate-auth.conf;

                proxy_pass http://127.0.0.1:8080;
            }

            # websocket channel used by the agents: certificate check
            location /socket.io {
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";

                include /etc/nginx/certificate-auth.conf;

                proxy_pass http://127.0.0.1:8080/socket.io;
            }
        }
    }
}
I'm a bit confused about which requests need to be protected and which don't. For example, if I open https://my-server/ in a browser, the response is a 401 error, which prevents me from navigating to the potential /store directory ;)

Thank you for your invaluable help.
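A way to answer the "which requests are protected" question without poking at the live server: resolve, for a given request path, which nginx location ends up handling it and whether that location includes the certificate-auth.conf snippet. This is an added example, not code from the post, from WAPT or from nginx. It parses a constructed, trimmed copy of the server block above (same nesting, same include lines) and reimplements nginx's location selection: longest prefix match, descent into that prefix's nested locations, then the regex locations of the enclosing level in file order, with `=` and `^~` handled as well. It assumes that /etc/nginx/certificate-auth.conf, whose content is not shown in the post, is an `if ... return` style check; nginx evaluates such rewrite-phase directives in the location that finally handles the request, not in enclosing ones, so a nested location that does not itself include the snippet is not covered by an include in its parent.

```python
"""Which nginx location handles a request path, and does that location include
certificate-auth.conf? Added example (not WAPT's or nginx's own code): a small
nginx config parser plus a re-implementation of nginx's location selection."""
import re

AUTH_SNIPPET = "certificate-auth.conf"   # the include that enforces client-cert auth

# Constructed sample: a trimmed copy of the post's server block (same nesting).
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    ssl_verify_client optional;
    location / {
        location /static { alias "/opt/wapt/waptserver/static"; }
        location ~ ^/(wapt/waptagent.exe|sync.json)$ { include /etc/nginx/certificate-auth.conf; root "/var/www"; }
        location ~ ^/(wapt-host/.*)$ { include /etc/nginx/certificate-auth.conf; root "/var/www"; }
        location / {
            location /wapt-host/Packages { return 403; }
            location / { include /etc/nginx/certificate-auth.conf; proxy_pass http://127.0.0.1:8080; }
            location /socket.io { include /etc/nginx/certificate-auth.conf; proxy_pass http://127.0.0.1:8080/socket.io; }
        }
    }
}
"""

# whitespace | comment | punctuation | double-quoted | single-quoted | bare word
_TOKEN = re.compile(r'''\s+|#[^\n]*|([{};])|"([^"]*)"|'([^']*)'|([^\s{};"']+)''')

def tokenize(text):
    """Split config text into words, quoted strings and '{', '}', ';' (whitespace and comments dropped)."""
    return [m.group(m.lastindex) for m in _TOKEN.finditer(text) if m.lastindex]

def parse(tokens, pos=0):
    """Build a tree of (name, args, children); children is None for simple directives."""
    block = []
    while pos < len(tokens) and tokens[pos] != "}":
        name, pos, args = tokens[pos], pos + 1, []
        while tokens[pos] not in ("{", ";"):
            args.append(tokens[pos])
            pos += 1
        if tokens[pos] == ";":
            block.append((name, args, None))
        else:
            children, pos = parse(tokens, pos + 1)
            block.append((name, args, children))
        pos += 1                                         # consume the ';' or '}'
    return block, pos

def _locations(block):
    """Yield (modifier, pattern, directive) for each location directive in a block."""
    for d in block:
        if d[0] == "location":
            yield (d[1][0], d[1][1], d) if len(d[1]) == 2 else ("", d[1][0], d)

def find_location(block, path, chain):
    """Mimic ngx_http_core_find_location: longest prefix match, descend into its
    nested locations, then regex locations of this level in file order.
    Appends the chosen location directives to `chain`; True means the choice is final."""
    mark, best = len(chain), None
    for mod, pat, d in _locations(block):
        if mod == "=" and path == pat:
            chain.append(d)
            return True
        if mod in ("", "^~") and path.startswith(pat) and (best is None or len(pat) > len(best[1])):
            best = (mod, pat, d)
    if best:
        chain.append(best[2])
        if find_location(best[2][2], path, chain) or best[0] == "^~":
            return True
    for mod, pat, d in _locations(block):
        if mod in ("~", "~*") and re.search(pat, path, re.IGNORECASE if mod == "~*" else 0):
            del chain[mark:]                             # a regex match replaces the prefix choice
            chain.append(d)
            find_location(d[2], path, chain)
            return True
    return False

def resolve(config_text, path):
    """Return (location patterns nginx walks for `path`, whether the final location
    itself includes the client-certificate snippet)."""
    server = next(d for d in parse(tokenize(config_text))[0] if d[0] == "server")
    chain = []
    find_location(server[2], path, chain)
    final = chain[-1][2] if chain else server[2]
    protected = any(d[0] == "include" and d[1][0].endswith(AUTH_SNIPPET) for d in final)
    return [" ".join(d[1]) for d in chain], protected

if __name__ == "__main__":
    for p in ("/api/v3/login", "/static/app.css", "/wapt/waptagent.exe",
              "/wapt-host/Packages", "/socket.io/"):
        chain, protected = resolve(SAMPLE_CONFIG, p)
        print(f"{p:22} {' > '.join(chain):45} client cert required: {protected}")
```

Running it prints one line per path. For /api/v3/login the walk ends in the innermost `location /`, which includes the snippet, so the console login sits behind the certificate check, which is consistent with the 401 in the log above; /static is not behind it. The /wapt-host/Packages line shows a less obvious rule: nginx only falls back to the remembered prefix location (here the nested `/wapt-host/Packages` with its `return 403`) when no regex location of the enclosing level matches, so the outer `~ ^/(wapt-host/.*)$` location is the one that handles that path.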