Secure bcfg2 web reports with apache2 HTTP authentication

March 13, 2013

The problem

bcfg2 web reports doesn't require any authentication out-of-the-box (as of today). This means that anyone who knows the URL of your bcfg2 web reports can see (and perhaps manipulate) information about your server and clients.

Possible solutions that I didn’t attempt

The settings.py file contains an AUTHORIZED_GROUP setting. It looks like this activates the NISAuth authentication backend. I have no idea what NIS is, so I’m moving on.

The settings.py also includes the standard Django authentication backend, so theoretically, you could hack the views.py and use the @login_required decorator. But I’m feeling lazy today and want an easier solution.

The simple solution: Apache2 HTTP Authentication

I only care about one user: myself. So I created a password file with this command (-c creates the file and overwrites it if it already exists, so leave -c off when adding further users):

 sudo htpasswd -c /etc/apache2/bcfg2-passwords myusername

Then I added this block in /etc/apache2/conf.d/bcfg2.conf (the AuthUserFile path must match the file created above exactly; if Apache cannot open it, every login attempt fails with a 500 error):

    <Location /bcfg2>
        AuthType Basic
        AuthName "Bcfg2 Web Reports"
        AuthBasicProvider file
        # same file that htpasswd -c created above
        AuthUserFile /etc/apache2/bcfg2-passwords
        Require user myusername
    </Location>

Disclosure

I did this with:

  • Ubuntu 12.04.2 LTS, Precise Pangolin
  • 64-bit architecture
  • on Rackspace Cloud
  • Bcfg2 Version 1.2.2
  • HTTPS enabled on my server (don't forget this: Basic auth sends the username and password base64-encoded, not encrypted, with every request, so over plain HTTP they are effectively passed in cleartext!)
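
The whole procedure as a script, added here as an example; it is not code from the original post or from the bcfg2 project. It writes the password file and the <Location> block under a sandbox prefix (ROOT is an assumption: it defaults to a temporary directory, set it empty to write to the real /etc as root), adds SSLRequireSSL so a plain-HTTP request is refused with 403 instead of carrying the credentials in cleartext (this assumes mod_ssl is enabled, as it is on the HTTPS-enabled server above), and then checks what apache2ctl configtest does not: that every AuthUserFile exists and that each name in a `Require user` line is actually in it. The password entry it writes is a constructed placeholder so the script runs without htpasswd; on a real host keep using htpasswd as shown in the post.

```sh
#!/bin/sh
# Added example, not part of the original post: the post's two steps
# (password file + <Location> block) as a script, plus a sanity check that
# Apache's own configtest does not perform. Everything is written under
# $ROOT so it runs unprivileged; on a real host run it as root with ROOT= .
set -eu

ROOT="${ROOT-$(mktemp -d)}"                 # assumption: sandbox prefix
PASSFILE="$ROOT/etc/apache2/bcfg2-passwords"
CONF="$ROOT/etc/apache2/conf.d/bcfg2.conf"
USER_NAME="myusername"

# Step 1: the password file. On a real host this is the post's
# `htpasswd -c /etc/apache2/bcfg2-passwords myusername` (-c creates the
# file, overwriting it if present). To run without htpasswd we write a
# constructed apr1-style entry; the hash is a placeholder, not a password.
write_password_file() {
    mkdir -p "$(dirname "$PASSFILE")"
    printf '%s\n' "$USER_NAME"':$apr1$saltsalt$0000000000000000000000' > "$PASSFILE"
    chmod 640 "$PASSFILE"   # on the real host also chgrp www-data: Apache reads it, nobody else
}

# Step 2: the config block from the post, with SSLRequireSSL added so that
# a request over plain HTTP is refused (403) rather than sending the Basic
# credentials base64-encoded in the clear. Assumes mod_ssl is enabled.
write_config() {
    mkdir -p "$(dirname "$CONF")"
    cat > "$CONF" <<EOF
<Location /bcfg2>
    SSLRequireSSL
    AuthType Basic
    AuthName "Bcfg2 Web Reports"
    AuthBasicProvider file
    AuthUserFile $PASSFILE
    Require user $USER_NAME
</Location>
EOF
}

# Step 3: verify the config. Returns non-zero if no AuthUserFile is set, if
# an AuthUserFile is missing or unreadable, or if a `Require user` name is
# not in it. `apache2ctl configtest` checks none of this: a typo in the
# path only surfaces as HTTP 500 on the first login attempt.
check_auth_config() {
    conf="$1"
    status=0
    files=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]\{1,\}//p' "$conf" | tr -d '"')
    [ -n "$files" ] || { echo "no AuthUserFile in $conf" >&2; return 1; }
    users=$(sed -n 's/^[[:space:]]*Require[[:space:]]\{1,\}user[[:space:]]\{1,\}//p' "$conf")
    for f in $files; do
        if [ ! -r "$f" ]; then
            echo "AuthUserFile $f is missing or unreadable" >&2
            status=1
            continue
        fi
        for u in $users; do
            grep -q "^$u:" "$f" || { echo "user $u is not in $f" >&2; status=1; }
        done
    done
    return $status
}

write_password_file
write_config
check_auth_config "$CONF"
```

Run it as an unprivileged user and the check passes silently. Put the post's original "bcgf2" typo back into the generated AuthUserFile line and check_auth_config reports the missing file and exits non-zero, which is the moment you want to learn about it, rather than from Apache answering 500 to every login.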

I also followed these instructions to install bcfg2-web (after installing bcfg2):

http://docs.bcfg2.org/appendix/guides/web-reports-install.html#appendix-guides-web-reports-install

Thanks to http://stackoverflow.com/questions/8417810/deploying-a-django-app-on-apache-mod-wsgi-with-http-auth

Also, thanks to solj and scofflaw on the #bcfg2 IRC channel.