Skip to content

Commit

Permalink
Tutorial: Secure hosting of a public Web Server
Browse files Browse the repository at this point in the history
  • Loading branch information
maitai committed Aug 17, 2023
1 parent 8ce6308 commit 00e7746
Show file tree
Hide file tree
Showing 6 changed files with 117 additions and 0 deletions.
1 change: 1 addition & 0 deletions config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -155,6 +155,7 @@ nav:
- 'Kubermatic' : Tutorials/Kubermatic/index.md
- 'Loadbalancer' : Tutorials/Loadbalancer/index.md
- 'Object Storage' : Tutorials/ObjectStorage/index.md
- 'Public Web Server' : Tutorials/PublicWebServer/index.md
- 'Reverse Proxy with Elixir AAI': Tutorials/Elixir_AAI/Elixir_AAI.md
- 'Save FloatingIPs' : Tutorials/SaveFloatingIPs/index.md
- 'Set up RStudio' : Tutorials/RStudio_Server/index.md
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
113 changes: 113 additions & 0 deletions wiki/Tutorials/PublicWebServer/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
# Secure hosting of a public Web Server

When providing an online service to the public, encryption and authentication are the two main security aspects to consider.
Neglecting either one of them, could potentially lead to unauthorized access, privacy violations or even server hijacking.

One quick way to encrypt and authenticate is explained below.
It is assumed, that you already have an instance running inside the de.NBI Cloud to host the web server, with a public floating IP attached.

## Domain name registration

Every public website needs a domain name that people can type into their browser address bar to visit the site.
Domain names can usually be obtained from domain name registrars, which is out of scope of this document.

Please make sure your domain name points to the public floating IP of your web server instance.

For the Bielefeld site you may request a domain name ending in `.bi.denbi.de` (e.g. `myservice.bi.denbi.de`) by [contacting us](../../Compute_Center/Bielefeld.md#contact).

## Encryption

Using unencrypted HTTP communication is unsafe because it allows data to be transmitted in plain text,
making it easy for attackers to intercept and read sensitive information.

Therefore, do not expose your HTTP-only-speaking web server software directly, but use an encrypting reverse proxy in front.

TLS encrypts data during transmission, preventing unauthorized access and eavesdropping.
One simple way to use TLS is to place a [Caddy server](https://caddyserver.com/) in between the internet and the web server you would like to make publicly available.
This way, Caddy will act as a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) encrypting your traffic. Caddy will automatically provision a free TLS certificate for your domain name through the non-profit certificate authority Let's Encrypt and renew it when necessary.

### Caddy - Installation

Requirements:

- Operating system: Ubuntu/Debian

Execute the following commands on the instance that is going to be hosting the web server:
```
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
```

The Caddy server should now be installed and running.

Source: [Caddy installation steps for Ubuntu/Debian](https://caddyserver.com/docs/install#debian-ubuntu-raspbian)

### Caddy - Configuration

Requirements:

- A domain name pointing to the public floating IP of your web server instance.
- A web server that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`.

Replace the contents of `/etc/caddy/Caddyfile` on your instance with the snippet below.
Replace `example.bi.denbi.de` with your own domain name and replace port `8080` with the port the
web server is listening on.

`/etc/caddy/Caddyfile`
```
example.bi.denbi.de {
reverse_proxy 127.0.0.1:8080
}
```

Reload the Caddy server:
`sudo systemctl reload caddy`

Afterwards, you should be able to access your web server by simply entering the domain name (without any port).
Your browser should now indicate that the connection is secure, as seen below.

![](images/connection-secure.png)

## Authentication

It is strongly advised to make use of the authentication and user management features your web server provides.

In case the web server you make public does not offer any authentication methods,
access must be regulated by telling the Caddy server to ask visitors for their username and password.
Users are managed inside the Caddy server configuration file.
To create a new user, e.g. `alice`, generate a password hash using

```
caddy hash-password
```

on the command line.
Add the username and the password hash by creating a new `basicauth` section as seen below.

`/etc/caddy/Caddyfile`
```
example.bi.denbi.de {
reverse_proxy 127.0.0.1:8000
basicauth / {
alice $2a$14$osbZTr.aovwDoO8WULE7hu0rF8YbrZt5Ltp0W.tIARgkE8525HLCG
}
}
```

To add more users, simply add more lines to the `basicauth` section:

```
basicauth / {
alice $2a$14$osbZTr.aovwDoO8WULE7hu0rF8YbrZt5Ltp0W.tIARgkE8525HLCG
bob $2a$14$INrlWVMNeuULZYnkVIBclefLHGmXLB.WQdKQGr/FjpeJYDrmGUN1e
carol $2a$14$nPEUHsqMDS7YfuVzo1n3iecRBexUI9wQINymbnedI0iG4E.Pchfe6
}
```

Finally, reload the Caddy server: `sudo systemctl reload caddy`

Visitors should now be prompted for username and password:

![](images/basic-auth.png)
1 change: 1 addition & 0 deletions wiki/includes/glossary.md
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,4 @@
*[url]: Uniform Resource Locator or web address
*[UUID]: Universally unique identifier, a 128-bit label
*[uuid]: Universally unique identifier, a 128-bit label
*[TLS]: Transport Layer Security
2 changes: 2 additions & 0 deletions wiki/security.md
Original file line number Diff line number Diff line change
Expand Up @@ -89,5 +89,7 @@ attacks that were (easily) able to guess your instance's IP and port (which are
means). It is also highly recommended to protect your network traffic from prying eyes using TLS
which is available inside almost all server applications, especially webservers.

Feel free to take a look at the tutorial [Secure hosting of a public Web Server](Tutorials/PublicWebServer/index.md) for guidance.

**Always** change the default credentials of services as these are well known and
will be probed as soon as the service is exposed to the internet.

0 comments on commit 00e7746

Please sign in to comment.