Secure bcfg2 web reports with apache2 HTTP authentication
The problem
bcfg2 web reports doesn’t require any authentication out-of-the-box. (As of today.) This means that anyone who knows the URL of your bcfg2 web reports can see (and manipulate?) your server and/or clients.
Possible solutions that I didn’t attempt
The settings.py file contains an AUTHORIZED_GROUP setting. It looks like this activates the NISAuth authentication backend. I have no idea what NIS is, so I’m moving on.
The settings.py also includes the standard Django authentication backend, so theoretically, you could hack the views.py and use the @login_required decorator. But I’m feeling lazy today and want an easier solution.
The simple solution: Apache2 HTTP Authentication
I only care about one user: myself. So, I created a password file, using this command:
sudo htpasswd -c /etc/apache2/bcfg2-passwords myusername
Then, I added this block of code in /etc/apache2/conf.d/bcfg2.conf:
<Location /bcfg2>
    AuthType Basic
    AuthName "Bcfg2 Web Reports"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/bcfg2-passwords
    Require user myusername
</Location>
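Two things are easy to get wrong with this setup: the AuthUserFile path in the Location block has to match the file htpasswd actually wrote (a one-letter typo silently locks everyone out, or worse, a misconfigured block lets everyone in), and Basic credentials travel as plain base64, which is why the HTTPS note below matters. The following Python script is an added example, not part of the original post or of Bcfg2: it parses a Location block out of a constructed Apache config, checks that the Basic-auth directives are all present and that the referenced password file exists in a supplied set of paths (a constructed stand-in for the filesystem, so it runs offline), and decodes an Authorization header to show what a listener on an unencrypted connection would see. The sample config and the credential "myusername:s3cret" are constructed for the demo.

```python
import base64
import re

# Constructed sample: the Location block from the post, with the
# AuthUserFile path deliberately misspelled so the check has something to catch.
SAMPLE_CONF_BAD = """\
<Location /bcfg2>
    AuthType Basic
    AuthName "Bcfg2 Web Reports"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/bcgf2-passwords
    Require user myusername
</Location>
"""

# Same block with the path spelled the way htpasswd -c created it.
SAMPLE_CONF_GOOD = SAMPLE_CONF_BAD.replace("bcgf2-passwords", "bcfg2-passwords")

# Directive values we insist on for file-backed HTTP Basic authentication.
REQUIRED = {"AuthType": "Basic", "AuthBasicProvider": "file"}


def parse_location(conf, path):
    """Return the directives inside <Location path> ... </Location> as {name: value}."""
    m = re.search(r"<Location\s+%s\s*>(.*?)</Location>" % re.escape(path), conf, re.S)
    if not m:
        return {}
    directives = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def check_location(conf, path, existing_files):
    """Return a list of problems with the auth block; an empty list means it looks right.

    existing_files is a set of paths standing in for the server's filesystem.
    """
    d = parse_location(conf, path)
    if not d:
        return ["no <Location %s> block found" % path]
    problems = []
    for name, want in REQUIRED.items():
        if d.get(name) != want:
            problems.append("%s should be %r, got %r" % (name, want, d.get(name)))
    if "AuthName" not in d:
        problems.append("AuthName missing (browser will show no realm)")
    require = d.get("Require", "")
    if not require or require.startswith("all granted"):
        problems.append("Require must restrict access, got %r" % require)
    userfile = d.get("AuthUserFile")
    if not userfile:
        problems.append("AuthUserFile missing")
    elif userfile not in existing_files:
        problems.append("AuthUserFile %s does not exist (typo?)" % userfile)
    return problems


def basic_header_credentials(header_value):
    """Decode an 'Authorization: Basic <token>' value into (user, password).

    Basic auth only base64-encodes the pair; without TLS it is effectively cleartext.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    present = {"/etc/apache2/bcfg2-passwords"}  # constructed: what htpasswd -c wrote
    print("bad config :", check_location(SAMPLE_CONF_BAD, "/bcfg2", present))
    print("good config:", check_location(SAMPLE_CONF_GOOD, "/bcfg2", present))
    token = base64.b64encode(b"myusername:s3cret").decode("ascii")  # constructed credential
    print("on the wire:", basic_header_credentials("Basic " + token))
```

Run it after editing the config (or point parse_location at the real file contents and pass a set built from os.path.exists) to catch the mismatch before reloading Apache. The decoded header is the reason the post insists on HTTPS: anyone on the path can read the username and password straight out of the request.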
Disclosure
I did this with:
- Ubuntu 12.04.2 LTS, Precise Pangolin
- 64-bit architecture
- on Rackspace Cloud
- Bcfg2 Version 1.2.2
- HTTPS enabled on my server (don’t forget to do this or your password will be passed in cleartext!)
I also followed these instructions to install bcfg2-web (after installing bcfg2):
http://docs.bcfg2.org/appendix/guides/web-reports-install.html#appendix-guides-web-reports-install
Thanks to http://stackoverflow.com/questions/8417810/deploying-a-django-app-on-apache-mod-wsgi-with-http-auth
Also, thanks to solj and scofflaw on the #bcfg2 IRC channel.