SSL on the web interface

Perhaps a somewhat strange question:
Is it indeed mandatory to install (for example) Apache or NGINX for having SSL? As in: this is not possible for the existing http part of the webserver?

Thank you - Will

Hi,

You can install FreeNas, create a Jail and install urbackup over.

So you will access the Jail by ssh.

I don’t know if I have answered your question correctly or if I have not understood it well.

Best Regards

Hi Xose,

I guess my question left some room for interpretation… :wink:
I was referring to “4.2 Make webinterface accessible via SSL”
Any experience with this?

Kind regards - Will

Hi,

Yes you have to use a reverse proxy to be able to connect via HTTPS. I use nginx as a reverse proxy. You can then disable urbackup’s built-in webserver.

Best regards,
Thomas

Thanks Thomas.

Are you sure that the urbackup web-server can be disabled? Assuming yes: how would I do that?

Rationale behind this question:
On previous occasions, I have used NGINX for security and encryption reasons. Meaning the NGINX part is Internet facing. Every connection from the Internet is transferred to the webserver of the application behind it.

Kind regards - Will

Hi Will,

you can disable the web frontend by setting HTTP_SERVER to “false” in /etc/default/urbackupsrv.

You may still use port 55413 to proxy to your urbackup instance like this with nginx:

server {
    listen       80;
    server_name  YOUR_SERVER_NAME;
    rewrite        ^ https://$server_name:8443$request_uri? permanent;
}

server {
    listen       443 ssl http2;
    server_name  YOUR_SERVER_NAME;

    root /var/www;
    index index.htm;

    location /x {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass YOUR_SERVER_IP:55413;
    }

    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/YOURCERT.crt;
    ssl_certificate_key /etc/nginx/certs/YOURKEY.key;
    add_header Strict-Transport-Security "max-age=31536000" always;
}

You probably don’t need the weird rewrite rule. I need it as my reverse proxy runs in docker container and my externally mapped port is different from the nginx ssl port.

Please note that /var/www points to /usr/share/urbackup/www/ and static content is served directly from this folder. So if you use a different machine for the reverse proxy you would need to keep the web server running to be able to serve this data as well or somehow make this folder accessible by the reverse proxy.

Thank you for these detailed instructions.

In my case I would prefer using an external NGINX instance.
So that I can make this internet facing.

Any side effects to be aware of?

I don’t see any side effects. I use the same configuration (but with proxy in docker on the same host) without problems.

UrBackup. Simple make web interface accessible via SSL (nginx)

Thank you Dmitry.

This seems to be the config for running nginx on the same server as urBackup.
Which is something I would like to prevent.

Any other suggestions?

Kind regards - Will

Hello!

I modified the nginx config for use with a separate nginx server.

The web interface on your local UrBackup server should work. Nginx connects to it, proxies the traffic and adds SSL (https).

You have to edit only proxy_pass http://your.UrBackup.server:55414;

# /etc/nginx/sites-available/urbackup.conf
# Make UrBackup webinterface accessible via SSL
server {
    # Define your listen https port ("ssl" on the listen line enables TLS)
    listen 55416 ssl;

    # (optionally)
    # server_name urbackup.yourdomain;

    # SSL configuration
    # ("ssl on;" dropped: deprecated since nginx 1.15.0, removed in 1.25.1)
    include snippets/ssl-params.conf;
    ssl_certificate /etc/ssl/certs/urb-cert.crt;
    ssl_certificate_key /etc/ssl/certs/urb-cert.key;

    # Proxy to your UrBackup server
    location / {
        # example:
        # proxy_pass  http://10.10.10.108:55414/
        proxy_pass http://your.UrBackup.server:55414;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_buffering off;
        proxy_connect_timeout 20s;
        proxy_send_timeout 20;
        proxy_read_timeout 20;
    }

    # If clients come here using HTTP, redirect them to HTTPS
    error_page 497 https://$host:$server_port$request_uri;

    # Disable logs ("error_log off;" would write to a file named "off")
    access_log off;
    error_log /dev/null crit;
}

Thank you - works like a charm!

How did you know about these lines (below)?
Because they are not that obvious when looking at the examples in the manual?

 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_buffering off;

Cheers - Will

Actually I don’t remember))
I got them from my old template.
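
An added example, not from any poster in this thread or from the UrBackup project: a small Python check for the kind of nginx reverse-proxy config discussed above. The sample config and the finding codes are constructed for illustration; it flags `ssl on;` (removed in nginx 1.25.1), `error_log off;` (which logs to a file named `off`), a cleartext `proxy_pass`/`fastcgi_pass` hop to a backend on another host, and a TLS listener with no HSTS header in the file.

```python
import re

# Constructed sample modelled on the separate-host config in this thread.
SAMPLE_CONF = """
server {
    listen 55416 ssl;
    ssl on;
    include snippets/ssl-params.conf;
    location / {
        proxy_pass http://your.UrBackup.server:55414;  # placeholder host
    }
    access_log off;
    error_log off;
}
"""

LOOPBACK = ("127.0.0.1", "localhost", "[::1]", "unix:")

def directives(conf):
    """Yield (name, args) per directive. Naive: no quoted ';' or '#' support."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return sorted finding codes (hypothetical names) for one server block."""
    seen = list(directives(conf))
    found = set()
    for name, args in seen:
        if name == "ssl" and args == ["on"]:
            found.add("ssl-on-removed")            # fatal on nginx >= 1.25.1
        elif name == "error_log" and args[:1] == ["off"]:
            found.add("error-log-off-is-a-file")   # "off" is treated as a path
        elif name in ("proxy_pass", "fastcgi_pass") and args:
            if args[0].startswith("https://"):
                continue                           # TLS to the backend
            target = re.sub(r"^http://", "", args[0])
            if not target.startswith(LOOPBACK):
                found.add("plaintext-upstream")    # cleartext hop proxy -> backend
    tls = any(n == "listen" and "ssl" in a for n, a in seen)
    hsts = any(n == "add_header" and a[:1] == ["Strict-Transport-Security"]
               for n, a in seen)
    if tls and not hsts:
        found.add("no-hsts-in-this-file")          # may still be set in an include
    return sorted(found)

if __name__ == "__main__":
    for code in audit(SAMPLE_CONF):
        print(code)
```

When nginx runs on a different machine from UrBackup, the `plaintext-upstream` finding means the backup web traffic crosses that network segment unencrypted, so the link between the two hosts should be a trusted or tunnelled one.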