Restrict Bareos WebUI only to specific consoles


Łukasz Szczepanik

Nov 21, 2023, 3:51:28 AM
to bareos-users
Hi,

I want to restrict login to Bareos WebUI only to specific consoles. Is there any way to do it?

I have many client's consoles and I don't want them to have login rights to Bareos WebUI.

Thanks,

Jörg Steffens

Dec 5, 2023, 7:58:41 AM
to bareos...@googlegroups.com
Hi,

there are two options that come to my mind:

1.
The first thing the Bareos WebUI does upon login is to check for the
available commands. If the command ".help" is not allowed in the
profile, the login just shows an error message.
So: all consoles that are not intended to log in to the WebUI should have
the ".help" denied.
https://docs.bareos.org/IntroductionAndTutorial/BareosWebui.html#section-webui-access-control-configuration
shows how to configure this.

2.
You can disable WebUI console logins and use WebUI PAM logins instead,
see https://docs.bareos.org/TasksAndConcepts/PAM.html and especially
https://github.com/bareos/bareos/tree/master/contrib/misc/bareos_pam_integration

I hope that helps.
Regards,
Jörg


On 21.11.23 at 09:51 wrote Łukasz Szczepanik:
--
Jörg Steffens joerg.s...@bareos.com
Bareos GmbH & Co. KG Phone: +49 221 630693-91
https://www.bareos.com Fax: +49 221 630693-10

Registered office: Köln | District court: Amtsgericht Köln, HRA 29646
General partner: Bareos Verwaltungs-GmbH
Managing directors: Stephan Dühr, Jörg Steffens, Philipp Storz


Łukasz Szczepanik

Dec 6, 2023, 9:17:40 AM
to Jörg Steffens, bareos...@googlegroups.com
Hi Jörg,

We already did the first point. The problem with this approach is that you are still able to log in to the WebUI. You do not have sufficient rights to any resources, but you are logged in.
It does not look too secure in my opinion.

Regarding the second point I will take a look :)

Thank you

 

Meggie Hallenbach

Dec 6, 2023, 4:47:12 PM
to bareos-users
Hi,


* Use the Linux firewall to exclude any IP address from ports 80 and 443 except the ones which should have access to it? To make it more secure I would drop any incoming packets from computers which are not backed up or should have control of the backup system...
or
* Use the web server's access control options, like
  <Directory /usr/share/davical/htdocs>
        Order Deny,Allow
        Deny from all
        Allow from testdomain.blabla.blaba
        Allow from xxx.xxx.xxx.xxx
        # network/netmask form (or CIDR form: xxx.xxx.xxx.xxx/sub)
        Allow from xxx.xxx.xxx.xxx/sub.sub.sub.sub
        Options +Indexes
  </Directory>

https://httpd.apache.org/docs/2.4/howto/access.html

cheers
G
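
Added example (not part of the posts above, and not Bareos's own configuration): the same allowlist written with the `Require` directives from the Apache 2.4 access-control howto linked above, since `Order`/`Deny`/`Allow` only work in 2.4 through mod_access_compat. The directory path is a placeholder, and the host name and addresses are constructed sample values.

```apache
# Placeholder path: use the directory your WebUI vhost or alias actually serves.
<Directory "/path/to/webui/htdocs">
    # Several Require lines placed directly in a <Directory> block behave like
    # <RequireAny>: a request passes if any one matches, all others get 403.

    # Single admin workstation (constructed sample address).
    Require ip 192.0.2.10

    # Management subnets, in CIDR and in address/netmask form (constructed samples).
    Require ip 198.51.100.0/24
    Require ip 203.0.113.0/255.255.255.0

    # Host name match (constructed sample). Apache does a reverse lookup on the
    # client address and a forward lookup to confirm it, so this depends on DNS.
    Require host admin.example.org
</Directory>
```

Run `apachectl configtest` before reloading. This limits who can reach the WebUI over the network; which consoles may log in is still decided by the Director.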