
Commit

add security group set up; fixes
maitai committed Aug 18, 2023
1 parent 00e7746 commit d0ca93e
Showing 2 changed files with 43 additions and 8 deletions.
51 changes: 43 additions & 8 deletions wiki/Tutorials/PublicWebServer/index.md
@@ -1,10 +1,12 @@
# Secure hosting of a public Web Server

When providing an online service to the public, encryption and authentication are the two main security aspects to consider.
When providing an online service to the public, **encryption** and **authentication** are the two main security aspects to consider.
Neglecting either one of them, could potentially lead to unauthorized access, privacy violations or even server hijacking.

One quick way to encrypt and authenticate is explained below.
It is assumed, that you already have an instance running inside the de.NBI Cloud to host the web server, with a public floating IP attached.

It is assumed, that you already have a designated instance running inside the de.NBI Cloud with a public floating IP attached.
Please start the **backend service** (e.g. a Galaxy server) that you would like to make publicly available and configure it to listen on `localhost` or `127.0.0.1` only.

## Domain name registration

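Review bot: the new sentence that asks for the backend to listen on `localhost` or `127.0.0.1` only should state why, because the reason is what stops readers from skipping it: the reachability section added later in this commit opens ports 80 and 443 to `0.0.0.0/0`, so the loopback binding is what guarantees the backend is reachable solely through Caddy and never directly from the internet. Suggest "...configure it to listen on `localhost` or `127.0.0.1` only, so that it can be reached exclusively through the reverse proxy set up below." While this paragraph is being touched, the stray commas in "It is assumed, that you already have..." and in the unchanged "Neglecting either one of them, could potentially lead..." should also go.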
@@ -23,7 +25,7 @@ making it easy for attackers to intercept and read sensitive information.
Therefore, do not expose your HTTP-only-speaking web server software directly, but use an encrypting reverse proxy in front.

TLS encrypts data during transmission, preventing unauthorized access and eavesdropping.
One simple way to use TLS is to place a [Caddy server](https://caddyserver.com/) in between the internet and the web server you would like to make publicly available.
One simple way to use TLS is to place a [Caddy server](https://caddyserver.com/) in between the internet and the backend service you would like to make publicly available.
This way, Caddy will act as a [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) encrypting your traffic. Caddy will automatically provision a free TLS certificate for your domain name through the non-profit certificate authority Let's Encrypt and renew it when necessary.

### Caddy - Installation
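Review bot: the rename from "web server" to "backend service" reaches only one line of this hunk; the unchanged "do not expose your HTTP-only-speaking web server software directly" two lines above still uses the old term, so the section now alternates between two names for the same component. Suggest "do not expose your HTTP-only backend service directly, but use an encrypting reverse proxy in front" so the terminology matches the rest of the commit.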
@@ -44,16 +46,49 @@ The Caddy server should now be installed and running.

Source: [Caddy installation steps for Ubuntu/Debian](https://caddyserver.com/docs/install#debian-ubuntu-raspbian)

### Caddy - Reachability

To make your Caddy server publicly reachable, outside access to the network ports `80` (HTTP) and `443` (HTTPS) has to be granted.

- Launch the OpenStack Dashboard
- In the menu on the left go to `Network` -> `Security Groups`
- Click on the button `+ Create Security Group`
- Name the new security group "public-web-server" and confirm the creation by clicking on `Create Security Group`

Now the security group rules list should be visible.

- Click on `+ Add Rule`
- Select "**HTTP**" as the `Rule`
- Enter "0.0.0.0/0" as the `CIDR` and click on `Add`

- Click on `+ Add Rule` again
- This time select "**HTTPS**" as the `Rule`
- Enter "0.0.0.0/0" as the `CIDR` and click on `Add`

The result should look like this:

![](images/security-group-rules.png)

Next, the security group needs to be added to the instance hosting your web server.

- In the menu on the left go to `Instances`
- Find your instance and select `Edit Security Groups` from its `Actions` drop-down list
- Add your new security group "public-web-server" to the list of Instance Security Groups by clicking on the `+` next to it, then click `Save`

The Caddy server should now be publicly reachable via HTTP on port `80` and serve its default web page.

### Caddy - Configuration

This section will configure the Caddy server to set up TLS and to proxy requests to your backend service.

Requirements:

- A domain name pointing to the public floating IP of your web server instance.
- A web server that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`.
- A backend service that you would like to make public (e.g. a Galaxy server) listening on `localhost` or `127.0.0.1`.

Replace the contents of `/etc/caddy/Caddyfile` on your instance with the snippet below.
Replace `example.bi.denbi.de` with your own domain name and replace port `8080` with the port the
web server is listening on.
backend service is listening on.

`/etc/caddy/Caddyfile`
```
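Review bot: the two rules in the new reachability section use `0.0.0.0/0`, which covers IPv4 only; if the floating IP or the instance network also carries IPv6, the same HTTP and HTTPS rules have to be added with Ether Type IPv6 and `::/0`, otherwise the site stays unreachable over IPv6, so the section should either say it covers IPv4 only or include those two rules. Second, "The Caddy server should now be publicly reachable via HTTP on port `80`" would benefit from a concrete check readers can run from outside the cloud, e.g. `curl -I http://<floating-ip>/`, and from one sentence saying that port 80 must stay open after setup because Caddy uses it for the HTTP-to-HTTPS redirect and for obtaining the Let's Encrypt certificate mentioned in the TLS section. Finally, the new "Requirements" list now names the instance as "your web server instance" but the service as "backend service"; that is fine as long as "web server" is meant as the VM, but a reader may read it as the old term for the backend.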
@@ -65,17 +100,17 @@ example.bi.denbi.de {
Reload the Caddy server:
`sudo systemctl reload caddy`

Afterwards, you should be able to access your web server by simply entering the domain name (without any port).
Afterwards, you should be able to access your backend service by simply entering the domain name (without any port).
Your browser should now indicate that the connection is secure, as seen below.

![](images/connection-secure.png)

## Authentication

It is strongly advised to make use of the authentication and user management features your web server provides.
It is strongly advised to **make use of the authentication and user management features** your backend service provides.

In case the web server you make public does not offer any authentication methods,
access must be regulated by telling the Caddy server to ask visitors for their username and password.
**access must be regulated** by telling the Caddy server to ask visitors for their username and password.
Users are managed inside the Caddy server configuration file.
To create a new user, e.g. `alice`, generate a password hash using

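Review bot: the rename to "backend service" is incomplete in this hunk: the unchanged line "In case the web server you make public does not offer any authentication methods" still says "web server" while the bolded line directly above it now says "backend service". Suggest "In case the backend service you make public does not offer any authentication methods". Since this paragraph is the fallback for services without their own login, it would also help to state that the username/password prompt configured in Caddy relies on the TLS setup from the previous section, so credentials are only ever sent over HTTPS.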

0 comments on commit d0ca93e
