WAPT server security (Debian/NGINX)
Published: November 18, 2022 - 2:02 PM
by Nicolas Pissard
Good morning,
I would like to password-protect access to the WAPT server's web pages.
I managed to set up .htaccess protection (by generating a .htaccess file beforehand) by adding the following to the NGINX configuration file:
/etc/nginx/sites-enabled/wapt.conf
auth_basic "WAPT Restrict AREA";
auth_basic_user_file /etc/apache2/.htpasswd;
The problem is that from the console, I can't connect to the server because I don't know how to add the user and password to the URL.
When I add them, it doesn't work...
Do you have a solution to secure web access with a password and make it accessible via the console?
Thank you for your help.
Sincerely
Re: Securing WAPT server (Debian/NGINX)
Published: November 25, 2022 - 09:16
by alain17
Good morning,
I understand your need for security, but unfortunately I don't think it's possible this way. You can still try entering the following address for the server (source) in your console to check if it is valid, recognized and functional:
<user>:<password>@<adresse_serveur>/wapt
Replace username, password, and server_address with your preferred values, then manually update the HTTP or HTTPS paths, depending on your configuration. Keep in mind, however, that you are transmitting a password in plain text over your network, which is no more secure than not using one at all.
I advise you to turn to an IP address restriction if you really want to prevent someone from accessing it. And if your concern is preventing machines from declaring themselves, you should change the registration method to use Kerberos, for example.
Re: Securing WAPT server (Debian/NGINX)
Published: November 29, 2022 - 4:41 PM
by Nicolas Pissard
Hello,
Thank you for your reply.
The idea behind this server is for it to be a reference/private repository for our other WAPT servers in our various locations.
Only one workstation will have the console, since we only want to use the repository.
Therefore, we have to make it accessible from the public IP address and thus the internet.
For this reason, the first security measure would be a password.
Secondly, IP restriction seems adequate, but I don't know how to configure NGINX in this way. Furthermore, we use a VPN, and the addresses are not often the same.
I will try your solution for the address and keep you informed.
Have a good day. Best regards.
Re: Securing WAPT server (Debian/NGINX)
Published: November 29, 2022 - 4:53 PM
by florentR2
At our end, we filtered the /login at the reverse proxy level.
Re: Securing WAPT server (Debian/NGINX)
Published: November 29, 2022 - 7:19 PM
by vcardon
Authenticating machines using client certificates appears to be the most suitable method.
Machines without a valid client certificate receive a 403 error when attempting to contact the server.
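The three measures suggested in this thread (an IP restriction for the console entry point, filtering /login at the reverse proxy, and client-certificate authentication that answers 403) combined in one NGINX server block, as an added example; this is not a configuration from the thread or from WAPT itself, and every path, port and address in it is an assumed placeholder to adapt.

```nginx
# Added example, not from the thread and not WAPT's shipped configuration.
# Every path, port and address below is an assumption to adapt to your setup.
server {
    listen 443 ssl;
    server_name wapt.example.internal;                # assumption

    ssl_certificate     /etc/ssl/wapt/server.crt;     # assumption
    ssl_certificate_key /etc/ssl/wapt/server.key;     # assumption

    # Client-certificate (mTLS) authentication: the CA that issued the
    # machines' certificates. "optional" lets the TLS handshake complete so
    # the decision is taken per location and answered with a clean 403
    # instead of a handshake-level 400.
    ssl_client_certificate /etc/ssl/wapt/client-ca.crt;   # assumption
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # Console entry point: only reachable from the VPN client range.
    # Any other source address is refused with 403 before being proxied.
    location /login {
        allow 10.8.0.0/24;                  # assumption: VPN subnet
        deny  all;
        proxy_pass http://127.0.0.1:8080;   # assumption: WAPT backend
    }

    # Package repository: agents must present a certificate signed by the
    # CA above; $ssl_client_verify is SUCCESS, NONE or FAILED:<reason>.
    location /wapt/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        root /var/www;     # serves /var/www/wapt, the path used in the thread
    }

    # Everything else (API, registration) requires the same certificate.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;   # assumption: WAPT backend
    }
}
```

Check the result with `nginx -t` before reloading, and test once from inside the VPN with a valid certificate and once without: the second request must come back as 403.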
Re: Securing WAPT server (Debian/NGINX)
Published: February 8, 2023 - 1:18 PM
by Nicolas Pissard
Hello,
Still aiming for a centralized and secure repository, is it possible to use a simple FTP server with read access via a restricted username/password account for packages, instead of a full WAPT server installation?
Adding a package to this server would be done with a separate account with write permissions.
Then, would it be possible to add it (with a URL containing the restricted username/password account) as a repository in the local WAPT console?
Finally, if all of this is feasible, how can I list the packages so they are displayed in the local WAPT console (scanpackages)?
Thank you for your help.
Sincerely,
Re: Securing WAPT server (Debian/NGINX)
Published: March 9, 2023 - 2:11 PM
by Nicolas Pissard
Good morning,
I'm making progress in my private central repository without installing wapt.
I managed to create my server without installing Wapt Server and with Nginx secured with https and password (httpwd).
However, I cannot find the scripts to create a repository: tis-waptrepo for version 1.8.
To move forward, I imported the complete /opt/wapt folder from a working server onto my server.
I created a bash script that reproduces this:
#!/bin/bash
# Give the repository to the wapt user and the web server group
chown -R wapt:www-data /var/www/wapt
# Sign every .wapt package with the certificate passed via -c, using sha256 and sha1 digests
PYTHONPATH=/opt/wapt PYTHONHOME=/opt/wapt python /opt/wapt/wapt-signpackages.py -s --message-digest=sha256,sha1 -c /tmp/cert.crt /var/www/wapt/*.wapt
# Regenerate the Packages index of the repository with debug logging
PYTHONHOME=/opt/wapt PYTHONPATH=/opt/wapt /opt/wapt/bin/python /opt/wapt/wapt-scanpackages.py -r -f -ldebug /var/www/wapt
Everything works rather well: the debug output shows no errors, the .wapt file is correctly renamed with its MD5, and the Packages file is generated.
I can see my package list from the console of another server.
However, when I try to download it, I consistently get the following message:
"Download cancelled. The downloaded file xxxxx... is corrupted; the MD5 checksum does not match."
However, when I look at the file name and at the contents of Packages, the MD5 sum is indeed the same...
I don't understand...
Could you tell me what I need to do? Or where I can find scripts to generate the packages without MD5 errors?
Thank you.
Sincerely
Re: Securing WAPT server (Debian/NGINX)
Published: March 10, 2023 - 11:27
by dcardon
Hello Nicolas,
please refrain from necroposting [1] (reviving an old thread). I'm locking this topic; you can open a new one with your question, specifying your OS version, WAPT version, and edition.
Regards,
Denis
[1] https://www.urbandictionary.com/define. ... croposting