Configure basic authentication for the Mindbreeze configuration site on Linux (via Apache mod_ssl module)

Last update: 9 February 2018

Summary

To grant only specific users access to the Mindbreeze configuration site on Linux, the site can be placed behind a reverse proxy that requires basic authentication.
This article describes the steps needed to set up the proxy; a sample proxy configuration is available for download below.
The sample sets up a proxy on port 8443 that forwards https://Mindbreeze:8443/config to http://Mindbreeze:23000.
On Windows, administrators can instead be defined on the Administrators tab.

Download SampleProxyConfiguration.zip

Information

To restrict direct access to the configuration site, the port of the Mindbreeze configuration site is blocked for external hosts, so that only connections from the local host and connections established via the proxy are allowed. This means that on the host itself the Mindbreeze configuration site remains accessible to any local user. Users who access the Mindbreeze configuration site via the proxy (the only possible way apart from a direct connection on the host itself) must authenticate themselves via basic authentication.

Solution

1. Install the Apache HTTP Server and the mod_ssl module:

yum install httpd mod_ssl

2. Add the sample proxy configuration to the default Apache HTTP Server configuration httpd.conf:

Download the sample proxy configuration (SampleProxyConfiguration.zip) and copy it to /etc/httpd/conf/.
Include proxy.conf by adding the following line to the configuration file /etc/httpd/conf/httpd.conf:
Include conf/proxy.conf

3. Create an SSL certificate for the proxy:

An SSL certificate in PEM format (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile) as well as the corresponding private key (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatekeyfile) must be defined.
Store the certificate as /etc/admin/certificates/ca.crt and the private key as /etc/admin/certificates/ca.key.
The names and paths of the certificate and private key can be changed in lines 77 and 79 of the sample proxy configuration.
For initial testing you can create a self-signed certificate via openssl – in a production environment please use certificates from your public key infrastructure (PKI).

4. Check the Apache HTTP Server configuration:

If there are no syntax errors and the SSL certificate and private key are available at the location specified in step 3, this check returns "Syntax OK".

apachectl configtest 

5. Define which users are allowed to open the Mindbreeze configuration site (set up basic authentication via htpasswd):

The following command prompts for a password for the user; the password is stored as a hash in /etc/admin/htaccess/htpasswd. The path is specified in line 143 of the sample proxy configuration. The -c option creates the file and overwrites an existing one, so omit it when adding further users to an existing file.

htpasswd -c /etc/admin/htaccess/htpasswd user

6. Configure iptables:

Accept connections to the management port 23000 from source localhost:

iptables -A INPUT -p tcp -s localhost --dport 23000 -j ACCEPT

Deny all other connections to destination port 23000:

iptables -A INPUT -p tcp --dport 23000 -j DROP

Because iptables evaluates the rules of a chain in order, connections from localhost to port 23000 match rule 1 and are accepted, while external connections fall through to rule 2 and are dropped. Note that rule 1 matches the source address 127.0.0.1 only: the proxy must therefore connect to the management port via the loopback address, because a connection to the host's own routable address carries that address as its source and is dropped by rule 2.
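Steps 3 to 6 above, carried out by one script, as an added example that is not part of the article or of the Mindbreeze sample configuration: the paths and ports mirror the article, the Apache directives are a minimal stand-in for the downloadable proxy.conf (which this page does not show), the function names (loopback_target, make_test_cert, write_proxy_conf, add_admin_user, apply_firewall, rule_order_ok) are this script's own, and the backend address 127.0.0.1 is a deliberate choice explained in the comments. It assumes the Apache 2.4 htpasswd (for -B) and an iptables that supports -C (1.4.11 or later). Without arguments it only defines the functions; run it as root with "apply" to perform the privileged steps.

```shell
#!/bin/sh
# Added helper for steps 3-6 of the article above. Not part of the Mindbreeze
# sample configuration: paths mirror the article, the Apache directives are a
# minimal stand-in for the sample proxy.conf, function names are this script's own.
set -e

CERT_DIR=/etc/admin/certificates
HTPASSWD_FILE=/etc/admin/htaccess/htpasswd
PROXY_CONF=/etc/httpd/conf/proxy.conf
MGMT_PORT=23000
PROXY_PORT=8443
BACKEND_URL="http://127.0.0.1:$MGMT_PORT"   # loopback on purpose, see loopback_target

# Return 0 only if the backend URL points at the loopback address. The step-6
# ACCEPT rule matches source 127.0.0.1 only, so a proxy that connects to the
# host's routable address (e.g. http://Mindbreeze:23000) would have its own
# traffic caught by the DROP rule.
loopback_target() {
  case "$1" in
    http://127.0.0.1:*|http://127.0.0.1/*|http://localhost:*|http://localhost/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 3 (testing only, as the article says): self-signed certificate plus an
# unencrypted private key (-nodes, so httpd can start unattended) readable by root only.
make_test_cert() {   # $1 = host name clients will use, e.g. Mindbreeze
  mkdir -p "$CERT_DIR"
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=$1" \
    -keyout "$CERT_DIR/ca.key" -out "$CERT_DIR/ca.crt"
  chmod 600 "$CERT_DIR/ca.key"
}

# Minimal proxy.conf: TLS on 8443, basic auth on /config, reverse proxy to the
# management port. ProxyRequests Off keeps httpd from acting as a forward proxy.
write_proxy_conf() {
  cat > "$PROXY_CONF" <<EOF
Listen $PROXY_PORT
<VirtualHost *:$PROXY_PORT>
    SSLEngine on
    SSLCertificateFile $CERT_DIR/ca.crt
    SSLCertificateKeyFile $CERT_DIR/ca.key
    ProxyRequests Off
    <Location "/config">
        AuthType Basic
        AuthName "Mindbreeze Configuration"
        AuthUserFile $HTPASSWD_FILE
        Require valid-user
        ProxyPass "$BACKEND_URL"
        ProxyPassReverse "$BACKEND_URL"
    </Location>
</VirtualHost>
EOF
}

# Step 5: add or update a user; -B stores a bcrypt hash instead of the MD5-based
# default, and -c is used only when the file does not exist yet (it would overwrite).
add_admin_user() {   # $1 = user name; the password is prompted for
  mkdir -p "$(dirname "$HTPASSWD_FILE")"
  if [ -f "$HTPASSWD_FILE" ]; then htpasswd -B "$HTPASSWD_FILE" "$1"
  else htpasswd -cB "$HTPASSWD_FILE" "$1"; fi
}

# Step 6, idempotent: -C tests whether a rule exists, -I 1 pins the order
# (DROP first, then ACCEPT inserted above it, so ACCEPT always precedes DROP).
apply_firewall() {
  iptables -C INPUT -p tcp --dport "$MGMT_PORT" -j DROP 2>/dev/null ||
    iptables -I INPUT 1 -p tcp --dport "$MGMT_PORT" -j DROP
  iptables -C INPUT -s 127.0.0.1 -p tcp --dport "$MGMT_PORT" -j ACCEPT 2>/dev/null ||
    iptables -I INPUT 1 -s 127.0.0.1 -p tcp --dport "$MGMT_PORT" -j ACCEPT
}

# Check, from `iptables -S INPUT` output on stdin, that the loopback ACCEPT rule
# for the port precedes the DROP rule. Returns 0 if so, 1 otherwise.
rule_order_ok() {   # $1 = port
  awk -v port="$1" '
    $0 ~ "--dport " port " " && /-s 127\.0\.0\.1/ && /-j ACCEPT/ && !accept { accept = NR }
    $0 ~ "--dport " port " " && /-j DROP/ && !drop { drop = NR }
    END { exit !(accept && drop && accept < drop) }'
}

case "${1:-}" in
  apply)   # usage: sh harden_config_site.sh apply [hostname] [username]
    loopback_target "$BACKEND_URL" || { echo "backend must be on loopback" >&2; exit 1; }
    make_test_cert "${2:-Mindbreeze}"
    write_proxy_conf
    grep -q '^Include conf/proxy.conf' /etc/httpd/conf/httpd.conf ||
      echo 'Include conf/proxy.conf' >> /etc/httpd/conf/httpd.conf
    apachectl configtest                                   # step 4
    add_admin_user "${3:-admin}"
    apply_firewall
    iptables -S INPUT | rule_order_ok "$MGMT_PORT" && echo "firewall rule order OK"
    ;;
esac
```

Rules added with iptables are not persisted across a reboot; save them with the distribution's mechanism (for example iptables-save) once they are verified. If the configuration site also listens on IPv6, the same two rules are needed in ip6tables with source ::1. rule_order_ok can be run offline against saved `iptables -S INPUT` output to confirm that the ACCEPT rule still precedes the DROP rule after later firewall changes.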


Useful links for further documentation:

Apache HTTP Server - https://httpd.apache.org/

mod_ssl Module - http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

htpasswd - https://httpd.apache.org/docs/2.4/programs/htpasswd.html

iptables - https://wiki.centos.org/HowTos/Network/IPTables