HTTPS (SSL) Configuration BWeb Lighttp Bacula Enterprise

If you want to provide even more secure access to BWeb, you can use the HTTPS protocol.

Preparing the Machine Certificate

In the Bacula server shell that has BWeb installed, either copy a third-party certificate [1] or generate a self-signed certificate.

openssl req -new -x509 -keyout /opt/bweb/etc/lighttp.pem -out /opt/bweb/etc/lighttp.pem -days 365 -nodes

Important! When answering the prompts, enter your server’s local network IP or its fully qualified domain name (FQDN) as the Common Name:

-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:189.6.77.101

Set the permissions and ownership so that the bacula user can read the certificate:

chmod 400 /opt/bweb/etc/lighttp.pem
chown bacula /opt/bweb/etc/lighttp.pem
mkdir /opt/bacula/etc/conf.d/ssl/
mkdir /opt/bacula/etc/conf.d/ssl/certs
chown -R bacula /opt/bacula/

Configuring Lighttp

Edit the /opt/bweb/etc/httpd.conf file, and enter the following lines [2]:

$SERVER["socket"] == ":9143" {
ssl.engine = "enable"
ssl.pemfile = "/opt/bweb/etc/lighttp.pem"
}

In the same file, add the mod_openssl module to the list of modules to load:

server.modules = ("mod_cgi", "mod_alias", "mod_setenv",
"mod_accesslog", "mod_auth", "mod_openssl" )

Save and exit.

In the shell, add the firewall rule for the SSL port:

firewall-cmd --permanent --zone=public --add-port=443/tcp
service firewalld restart

Restart the BWeb service:

service bweb restart

In case of problems, start BWeb with the script:

/opt/bweb/etc/starthttp
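
A way to check the settings from the steps above before restarting BWeb, as an added example that is not part of the original page or of Bacula's own tooling. The function names are hypothetical, and stat -c assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: checks for the BWeb HTTPS settings above. Function names are
# hypothetical; stat -c assumes GNU coreutils (Linux).

# Print the port of each $SERVER["socket"] block that enables ssl.engine.
ssl_ports() {
    awk '
        /^[ \t]*\$SERVER\["socket"\]/ {
            port = $0
            sub(/.*:/, "", port)    # drop everything up to the last colon
            sub(/".*/, "", port)    # drop the closing quote and what follows
            inblock = 1
        }
        inblock && /^[ \t]*ssl\.engine[ \t]*=[ \t]*"enable"/ { print port }
        /}/ { inblock = 0 }
    ' "$1"
}

# Succeed if mod_openssl is in the (possibly multi-line) server.modules list.
has_mod_openssl() {
    awk '
        /^[ \t]*#/ { next }                 # ignore commented-out lines
        /server\.modules/ { inlist = 1 }
        inlist && /"mod_openssl"/ { found = 1 }
        inlist && /\)/ { inlist = 0 }
        END { exit !found }
    ' "$1"
}

# Print the first ssl.pemfile path set in the config.
pemfile_path() {
    sed -n 's/^[[:space:]]*ssl\.pemfile[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if the PEM holds a private key and a certificate, mode 400 or 600.
pem_ok() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    case "$(stat -c '%a' "$1")" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Report on the config file given as first argument, e.g. /opt/bweb/etc/httpd.conf.
if [ -n "${1:-}" ]; then
    echo "TLS socket port(s): $(ssl_ports "$1")"
    has_mod_openssl "$1" || echo "mod_openssl is not in server.modules"
    pem_ok "$(pemfile_path "$1")" || echo "PEM lacks key or certificate, or mode is not 400/600"
fi
```

The port it prints is the one lighttpd serves TLS on, so the firewall rule has to open that same port.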

References

[1] https://www.digicert.com/ssl-certificate-installation-lighttpd.htm

[2] https://redmine.lighttpd.net/projects/lighttpd/wiki/HowToSimpleSSL
