You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If I'm not wrong, some websites like /munin or /project-glowroot are visible to the public internet.
This is not a big security issue but maybe someone could get valuable information about our systems.
To protect those web directories we could do it via htpasswd
For example:
mkdir /etc/apache2/htpasswd
htpasswd -c /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd admin
or (if inside an script): htpasswd -b -c /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd admin testpassword
And inside /etc/apache2/upstream, for each project to protect:
//////////////////////////////////////////////
<Location /tomcat1-glowroot>
#Require all granted
Require user admin
AuthType Basic
AuthName "Protected site"
AuthUserFile /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd
ProxyPass "http://192.168.0.14:4000/tomcat1-glowroot"
ProxyPassReverse "http://192.168.0.14:4000/tomcat1-glowroot"
//////////////////////////////////////////////
For Munin we could do something like:
htpasswd -c /etc/apache2/htpasswd/munin-htpasswd admin
And inside /etc/apache2/upstream
<Location /munin>
# Require all granted
Require user admin
AuthType Basic
AuthName "Protected site"
AuthUserFile /etc/apache2/htpasswd/munin-htpasswd
ProxyPass "http://192.168.0.30/munin"
ProxyPassReverse "http://192.168.0.30/munin"
What do you think ? Does it make sense ?
Regards.
The text was updated successfully, but these errors were encountered:
Hello Kfeina,
We are currently transitioning to the use of dhis2-server-tools, which are Ansible-based. These tools address the issues you are discussing, providing secure deployments.
Hello,
If I'm not wrong, some websites like /munin or /project-glowroot are visible to the public internet.
This is not a big security issue but maybe someone could get valuable information about our systems.
To protect those web directories we could do it via htpasswd
For example:
mkdir /etc/apache2/htpasswd
htpasswd -c /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd admin
or (if inside an script): htpasswd -b -c /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd admin testpassword
And inside /etc/apache2/upstream, for each project to protect:
//////////////////////////////////////////////
<Location /tomcat1-glowroot>
#Require all granted
Require user admin
AuthType Basic
AuthName "Protected site"
AuthUserFile /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd
ProxyPass "http://192.168.0.14:4000/tomcat1-glowroot"
ProxyPassReverse "http://192.168.0.14:4000/tomcat1-glowroot"
//////////////////////////////////////////////
For Munin we could do something like:
htpasswd -c /etc/apache2/htpasswd/munin-htpasswd admin
And inside /etc/apache2/upstream
<Location /munin>
# Require all granted
Require user admin
AuthType Basic
AuthName "Protected site"
AuthUserFile /etc/apache2/htpasswd/munin-htpasswd
ProxyPass "http://192.168.0.30/munin"
ProxyPassReverse "http://192.168.0.30/munin"
What do you think ? Does it make sense ?
Regards.
The text was updated successfully, but these errors were encountered: