@dyvosvit
Forked from Helmi/ProfitTrailer-ssl.md
Created October 18, 2017 20:49
ProxyBot SSL and Basic Auth Tutorial (Ubuntu 16.04)

Securing ProxyBot behind SSL Reverse Proxy + Basic Auth

ProxyBot's own WebUI (Monitor) comes without any protection, so anyone who can reach the server and port from the Internet can view it.

This guide shows you how to encrypt the traffic to and from the web interface with SSL/TLS and how to hide it from others by putting HTTP Basic authentication in front of it.

Requirements

This guide is based on and made for Ubuntu 16.04 - if you're using other flavours of Linux or any other Operating System you might be able to use parts of it.

You also need a Domain name or sub domain / hostname that points to your server. Make sure to do this before you move on. Your provider probably already offers a subdomain for the server, otherwise it's on you to point one to it.

Preparation

Nginx needs the default SSL/https port (443) for itself in the following guide, so you first need to move ProxyBot off that port.

Change your application.properties file and add or change these lines:

server.port = 9991
server.additionalPort = 8081

server.port defaults to 443 but most likely isn't present in your config yet. The number chosen here is arbitrary; any port works as long as it doesn't conflict with anything else. Leave 8081 untouched for now, nginx will forward to it later. Neither port needs to be reachable from the Internet once nginx is in front: the firewall set up below only opens 80 and 443.

Install Packages

Note: This guide assumes you are acting as root user. If you don't do so you might need to add sudo to the commands below.

These commands install some basic packages, Nginx (webserver used as reverse proxy), Certbot (used to acquire a free Let's Encrypt certificate), apache2-utils (for the htpasswd tool) and ufw (firewall to close the ports we don't need):

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update && apt-get install nginx certbot apache2-utils ufw

After installing ufw we need to make sure we still have access via SSH (Port 22) after enabling it, so the first thing we do is:

ufw default deny incoming
ufw default allow outgoing
ufw allow ssh

This denies all incoming traffic by default and allows all outgoing traffic. Additionally it allows the default SSH port (22). If you use a port other than the default for SSH, make sure you allow that one too before enabling the firewall, or you will lock yourself out.

We also want to make sure that http and https traffic can get in before enabling the firewall:

ufw allow http
ufw allow https
ufw enable

you can always check the status of your firewall with

ufw status

With the firewall enabled, only SSH, HTTP and HTTPS are reachable from outside. Your Monitor web interface on port 8081 (and ProxyBot's own https port) is no longer directly reachable, which is exactly what we want, since from now on nginx will be the only way in. See the ufw documentation (man ufw) for more on the firewall.

Create SSL certificate

Now let's create your free SSL certificate.

certbot certonly --standalone -d example.com

where example.com is your domain name or subdomain. Certbot asks a few questions, including your email address (so you later get notifications about expiration of your cert), and starts a temporary web server to prove to Let's Encrypt that the name points at this machine. Two things must be true before you run it: the DNS record must already resolve to this server, and the validation port must be free. The standalone authenticator binds that port itself (port 80 for the http-01 challenge), and nginx, which Ubuntu starts right after installation, is already listening there. Stop it first (service nginx stop) and start it again when certbot is done; this is also why the renewal command below uses hooks to stop and start nginx.

Your cert and key files will be put into

/etc/letsencrypt/live/example.com

we need them further down the road.

now try this:

certbot renew --dry-run --pre-hook "service nginx stop" --post-hook "service nginx start"

This tests the renewal of your certificate against Let's Encrypt's staging environment without touching the real certificate. Let's Encrypt certificates are only valid for 90 days and should be renewed automatically. If everything runs well you should see text like this:

Congratulations, all renewals succeeded. The following certs have been renewed..

Without --dry-run, a freshly issued certificate is simply reported as not yet due for renewal, because certbot only renews a certificate that is within 30 days of expiry; that is not a failure.

If that works, edit your crontab (crontab -e) and paste the following line in the first line after the comments section:

@daily certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

This runs the renewal check daily, so a renewal that fails once (for example because Let's Encrypt isn't reachable) is retried the next day, well before the certificate expires. The hooks, and with them the brief nginx downtime, only run on the days certbot actually attempts a renewal.

Create your login

Use this command to create the user and password for the login to your Monitor. Replace username with the username of your choice and hit enter; you then need to enter your password twice.

htpasswd -c /etc/nginx/.htpasswd username

The -c flag creates the file (and overwrites it if it already exists), so leave it out when adding further users. The file must be readable by the nginx worker user (www-data on Ubuntu) and should not be readable by anyone else. htpasswd stores the password with its default salted, iterated MD5 (apr1) scheme; nginx verifies apr1 itself and hands other schemes such as bcrypt to the system crypt(), which on Ubuntu 16.04 does not know bcrypt, so htpasswd -B is not an option on this release. A long passphrase is what protects the login. Here's something important about passwords: https://xkcd.com/936/ 😉

Configure Nginx

And now let's configure your webserver. First we remove the default site. Nginx loads everything linked from sites-enabled, and on Ubuntu the default site is a symlink there pointing into sites-available; deleting only the target would leave a dangling link that makes nginx -t fail with "open() ... failed", so remove the link itself:

rm /etc/nginx/sites-enabled/default

and create your own one:

nano /etc/nginx/sites-available/your-domain.conf

instead of your-domain.conf just write your domain or hostname there (or anything else you would want to write there - it doesn't matter).

Here's what to put in your config:

server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {

    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.com;

    # fullchain.pem also carries the Let's Encrypt intermediate; with
    # cert.pem alone some clients cannot build the chain and reject the site
    ssl_certificate           /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated; the nginx shipped with Ubuntu 16.04
    # does not know TLSv1.3, so TLSv1.2 alone is the right setting here
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/nginx.log;

    location / {

        auth_basic "Private Property";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Fixes the "It appears that your reverse proxy set up is broken" error.
        proxy_pass          http://localhost:8081;
        proxy_read_timeout  90;

        proxy_redirect      http://localhost:8081 https://example.com;
    }
}

As you have probably noticed, you need to replace all occurrences of example.com with your domain name, and make sure the paths to your cert and key files are correct.

This config starts an http and an https server under your domain name; the http server redirects everything to https. The https server asks for your login credentials and only then forwards the request to the ProxyBot Monitor behind it, so ProxyBot only ever sees connections from nginx on localhost.

Now we need to link this config from the sites-enabled directory (use the file name you chose above):

ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled

So when you're done test your nginx config and if everything works restart your server:

nginx -t
service nginx restart

When you now open https://example.com/monitoring you should be presented with a login prompt. After entering your credentials you should see your Monitor as you did before, but hidden behind a login and served over an SSL encrypted connection. As a final check, confirm from another machine that http://example.com:8081/monitoring does not answer anymore.
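nginx -t only checks syntax; it will happily accept a site that serves plain HTTP on 443 or sends an incomplete chain. The following Python script is an added example for this page (not part of nginx, certbot, ProxyBot or the original gist) that statically audits a site file for the mistakes that are easy to make in a reverse-proxy config like this one: a bare listen 443; combined with the deprecated ssl on;, cert.pem instead of fullchain.pem, TLS 1.0/1.1 left enabled, and a proxied location without auth_basic. The three sample configs are constructed for the example (abbreviated copies of the server block above, with and without the fixes); the directive names and file paths are nginx's and Let's Encrypt's real ones.

```python
"""Static checks for an nginx site file (added example for this tutorial).

Not part of nginx, certbot or ProxyBot. The sample configs are constructed
for the example and abbreviated from the server block in the text above.
"""
import re

# Constructed sample: the server block as originally written.
WEAK_SITE = """
server {
    listen 443;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        auth_basic "Private Property";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8081;
    }
}
"""

# Constructed sample: the same block with the fixes applied.
HARDENED_SITE = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2;  # nginx 1.10 on Ubuntu 16.04 has no TLSv1.3
    location / {
        auth_basic "Private Property";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8081;
    }
}
"""

# Constructed sample: hardened TLS, but someone switched the login off.
UNPROTECTED_SITE = HARDENED_SITE.replace('auth_basic "Private Property";',
                                         "auth_basic off;")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _strip_comments(text):
    # nginx comments run from '#' to the end of the line
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def _block_body(text, open_brace):
    """Text between the '{' at index open_brace and its matching '}'."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in config")


def audit_site(text):
    """Return a list of 'code: explanation' findings; an empty list is clean."""
    cfg = _strip_comments(text)
    findings = []
    if re.search(r"\bssl\s+on\s*;", cfg):
        findings.append("ssl-on: 'ssl on;' is deprecated, put 'ssl' on the listen line")
    if re.search(r"\blisten\s+(\[::\]:)?443\s*;", cfg):
        findings.append("listen-no-ssl: 'listen 443;' without the ssl flag serves plain HTTP on 443")
    # \bssl_certificate\s+ does not match ssl_certificate_key (underscore follows)
    for m in re.finditer(r"\bssl_certificate\s+(\S+?)\s*;", cfg):
        if m.group(1).endswith("/cert.pem"):
            findings.append("chain: ssl_certificate uses cert.pem; use fullchain.pem so the intermediate is sent")
    m = re.search(r"\bssl_protocols\s+([^;]+);", cfg)
    if m:
        legacy = [p for p in m.group(1).split() if p in LEGACY_PROTOCOLS]
        if legacy:
            findings.append("protocols: legacy versions enabled: " + " ".join(legacy))
    # every location that proxies to a backend must carry auth_basic (not 'off')
    for loc in re.finditer(r"\blocation\s+([^{]+?)\s*\{", cfg):
        body = _block_body(cfg, loc.end() - 1)
        has_proxy = re.search(r"\bproxy_pass\b", body)
        has_auth = re.search(r"\bauth_basic\s+(?!off\b)\S", body)
        if has_proxy and not has_auth:
            findings.append(f"auth: location {loc.group(1)} proxies without auth_basic")
    return findings


if __name__ == "__main__":
    for name, site in [("weak", WEAK_SITE), ("hardened", HARDENED_SITE),
                       ("unprotected", UNPROTECTED_SITE)]:
        print(name, audit_site(site) or "clean")
```

To run it against your real file, read /etc/nginx/sites-available/your-domain.conf into a string and pass it to audit_site(); it recognises one server block per file and plain prefix locations, which is all this tutorial uses.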

Running multiple instances of ProxyBot

This setup also lets you run several ProxyBot instances behind one SSL encrypted, authenticated entry point.

Each instance must use its own ports, otherwise it won't work. In addition to the example above you could set the second one to

server.port = 9992
server.additionalPort = 8082

Of course depending on your individual setup and the ports in use. Then give each instance its own path in the nginx config: instead of

location / {

use something like

location /first {

which makes that bot's Monitor reachable under

https://yourdomain.com/first

For the second one copy the block and change the path and the port. Each block also needs a rewrite rule that strips the path prefix before the request reaches the bot, because the bot itself knows nothing about /first. Here's the whole block.

location /first {

  auth_basic "Private Property";
  auth_basic_user_file /etc/nginx/.htpasswd;

  # strip the /first prefix before the request goes to the bot:
  # /first/monitoring -> /monitoring, /first -> /
  # (a plain "/first(.*) /$1" would keep the slash captured by (.*)
  #  and send //monitoring to the backend)
  rewrite ^/first/?(.*)$ /$1 break;

  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        X-Forwarded-Proto $scheme;

  # Fixes the "It appears that your reverse proxy set up is broken" error.
  proxy_pass          http://localhost:8081;
  proxy_read_timeout  90;

  # redirects issued by the bot must come back under /first,
  # otherwise the browser lands on a path no location matches
  proxy_redirect      http://localhost:8081/ https://example.com/first/;
}

For your second block change /first to /second (or whatever you chose) in all four places, as well as the backend port to the one you previously set in that ProxyBot's config.
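Getting the rewrite right is the fiddly part of the multi-instance setup, and you can reason about it without touching the server. The following Python script is an added example for this page (not nginx's code and not from the original gist) that models what nginx does with a plain prefix location and a rewrite directive: longest matching prefix wins, the regex is searched anywhere in the URI, and on a match the whole URI is replaced by the expanded replacement with $1 as the capture group. It runs both the naive /first(.*) -> /$1 rule and the anchored, slash-aware rule over a few constructed request paths. Only plain prefix locations are modelled (no regex or exact-match locations); the backend ports are the ones from the text above.

```python
"""Model of nginx prefix-location selection plus `rewrite` (added example).

Not nginx's code and not from the gist; the location tables and sample
URIs are constructed for the example.
"""
import re


def nginx_rewrite(uri, regex, replacement):
    """Apply one `rewrite regex replacement` directive to a request URI.

    nginx searches the regex anywhere in the URI (unanchored unless you
    write ^) and, on a match, replaces the WHOLE URI with the expanded
    replacement, where $1, $2, ... are the capture groups. In Python that
    is re.search + Match.expand, not re.sub (which would keep any
    unmatched prefix of the URI).
    """
    m = re.search(regex, uri)
    if m is None:
        return uri
    return m.expand(re.sub(r"\$(\d+)", r"\\g<\1>", replacement))


def route(uri, locations):
    """Pick the location the way nginx does for plain prefix locations
    (longest matching prefix wins), apply its rewrite, and return
    (backend_port, uri_sent_to_backend); None means no location matched
    and nginx would answer 404 itself."""
    best = None
    for prefix, regex, replacement, port in locations:
        if uri.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, regex, replacement, port)
    if best is None:
        return None
    prefix, regex, replacement, port = best
    return port, nginx_rewrite(uri, regex, replacement)


# Constructed: one location per bot with the naive prefix-stripping rule.
ORIGINAL_RULES = [
    ("/first", r"/first(.*)", "/$1", 8081),
    ("/second", r"/second(.*)", "/$1", 8082),
]

# Constructed: the same locations with the anchored, slash-aware rule.
FIXED_RULES = [
    ("/first", r"^/first/?(.*)$", "/$1", 8081),
    ("/second", r"^/second/?(.*)$", "/$1", 8082),
]

# Constructed sample requests, including two edge cases: the bare prefix
# and a path that merely starts with the prefix text.
SAMPLE_URIS = ["/first", "/first/", "/first/monitoring",
               "/second/monitoring", "/firstly", "/monitoring"]


def compare(uris=SAMPLE_URIS):
    """Return {uri: (result with ORIGINAL_RULES, result with FIXED_RULES)}."""
    return {u: (route(u, ORIGINAL_RULES), route(u, FIXED_RULES)) for u in uris}


if __name__ == "__main__":
    for uri, (original, fixed) in compare().items():
        print(f"{uri:20} naive -> {original}   fixed -> {fixed}")
```

The run shows the naive rule turning /first/monitoring into //monitoring (the captured group already starts with a slash), while the fixed rule yields /monitoring and maps the bare /first to /. Note that /firstly is also claimed by location /first, because prefix locations match on text, not path segments; if that matters, use location /first/ and redirect the exact path /first to it.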
