Making Web GUI only accessible to green

I would like to make the webgui only accessible from green.

So where is the Apache config file?

Because I want to change:

listen :444 https

to

listen 10.77.77.100:444 https

since I set up green0 as 10.77.77.100.

Also while I’m there, I’m going to delete port 81 since I don’t use it.

Also, why is the webgui not on a common port?

That is described in the documentation.


I didn’t see it in the documentation, but I managed to find it in the /etc/httpd/conf directory.

Here is the firewall rule info:

https://www.ipfire.org/docs/configuration/firewall/accesstoblue#deny-blue-clients-access-to-the-ipfire-web-interface

And if you are using the web proxy (squid) then you also need an ACL as per:

https://www.ipfire.org/docs/configuration/network/proxy/extend/conf_edit#examples-of-squidconf-custom-modification


Warning O/T

Looking at the custom rule from the above link, why do we need to specify a stop rule? Can the stop rule be defaulted to:

iptables -F CUSTOMINPUT
iptables -F CUSTOMOUTPUT
iptables -F CUSTOMFORWARD -t nat

I don’t think these rules could ever be wrong, but they could be superfluous. The user can still add their own custom stop rules if they are using some wacky setup and are manipulating other chains.

It is so odd to use a firewall rule for something where I just edit one line in a config file.

Since I wanted my GUI on green only, which is set to 10.77.77.100, I edited /etc/httpd/conf/listen.conf and changed

listen :81
listen :444

to

listen 10.77.77.100:444

and removed port 81 entirely since I don’t use it.

When the interface or IP address is missing, it will listen on all ports regardless of network configuration, and I would rather define it properly in a config file instead of relying on a software module to block the connection.
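The two mechanisms debated in this thread, the listen.conf edit and the CUSTOMINPUT firewall rule with its stop counterpart, put together as one runnable shell script. This is an added example and is not code from the thread or from the IPFire project. It assumes the values used above (green0 at 10.77.77.100, GUI port 444, the CUSTOMINPUT chain from the linked firewall documentation) and an iptables that supports the -C check flag; the DRYRUN variable and the function names are the example's own. The stop function deletes the exact rule the start function added rather than flushing the chain, which is the practical answer to the O/T question above: a flush also removes every other custom rule in that chain.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from IPFire.
#   1. audit an Apache listen.conf for Listen directives that bind every
#      address (bare port, ":port", "0.0.0.0:port" or "[::]:port"), which is
#      what makes the GUI reachable from every interface;
#   2. a firewall.local-style start/stop pair for a CUSTOMINPUT rule that
#      drops GUI traffic arriving on anything but green, where stop deletes
#      exactly the rule start added instead of flushing the whole chain.
# Assumptions: green interface green0 at 10.77.77.100, GUI port 444, and an
# iptables that supports -C (check). Set DRYRUN=1 to print the commands
# instead of running them.

GREEN_IF=${GREEN_IF:-green0}
GREEN_IP=${GREEN_IP:-10.77.77.100}
GUI_PORT=${GUI_PORT:-444}
IPTABLES=${IPTABLES:-iptables}

# Print each Listen directive in the file $1 whose address part is missing or
# a wildcard. A directive with an explicit address, e.g.
# "Listen 10.77.77.100:444", is not printed.
wildcard_listens() {
    awk 'tolower($1) == "listen" {
            addr = $2
            sub(/:[0-9]+$/, "", addr)          # strip the ":port" suffix, if any
            if (addr == "" ||                  # "Listen :444"
                addr ~ /^[0-9]+$/ ||           # "Listen 444" (no address at all)
                addr == "0.0.0.0" ||           # IPv4 wildcard
                addr == "[::]")                # IPv6 wildcard
                print
         }' "$1"
}

# The directive the post above ended up with: bind only the green address.
green_listen_line() {
    echo "Listen $GREEN_IP:$GUI_PORT"
}

# Rule arguments are produced once so that start (-I), the duplicate check (-C)
# and stop (-D) all use byte-identical specs; -D only matches an exact spec.
gui_rule_spec() {
    echo "CUSTOMINPUT -p tcp --dport $GUI_PORT ! -i $GREEN_IF -j DROP"
}

# Execute iptables, or just print the command when DRYRUN is set.
run() {
    if [ -n "$DRYRUN" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

start_rules() {
    # -C returns 0 when an identical rule already exists, so repeated starts
    # (e.g. on reload) do not stack duplicates.
    if [ -n "$DRYRUN" ] || ! "$IPTABLES" -C $(gui_rule_spec) 2>/dev/null; then
        run -I $(gui_rule_spec)
    fi
}

stop_rules() {
    # Delete the one rule we own. "iptables -F CUSTOMINPUT" would also remove
    # every other rule a user has put in that chain.
    run -D $(gui_rule_spec)
}

# Dispatch like firewall.local; "audit" checks a listen.conf instead.
case "${1:-}" in
    start)  start_rules ;;
    stop)   stop_rules ;;
    reload) stop_rules; start_rules ;;
    audit)  wildcard_listens "${2:-/etc/httpd/conf/listen.conf}" ;;
esac
```

Run `sh gui_green.sh audit /etc/httpd/conf/listen.conf` to list any directive that still binds all addresses (an empty result means only explicit addresses remain), and `DRYRUN=1 sh gui_green.sh start` to see the exact iptables command before wiring start/stop into firewall.local. Note that the listen.conf edit and the firewall rule are complementary, not alternatives: the edit stops the daemon from accepting on other addresses, while the rule also covers the case where a later update rewrites the config.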

Now I wonder why port 444 was used instead of the classic https port 443.

Because using port 443 makes it more difficult to run a web server behind IPF?


It would have to be using that port for something else to logically justify moving it to 444. Like in previous versions having a different GUI for something like the Suricata web GUI. The only reason I can think of off the top of my head that would use 443 is the web portal option on blue. But even this is a possible poor configuration excuse, because blue is a separate networking leg in the inside networking universe.

Err, no. If you want your GUI to listen on red (some people do) and it listens on 443, then you can’t also forward 443 to green/blue etc. It is quite common for routers to allow you to configure an alternate port for their UI for exactly that reason.

The only guide I found for making the web GUI accessible on red only removes the firewall rule on red, so it can access the default globally set port 444 when its listen configuration is all interfaces (listen :444).

If you have to set port forwarding to 444 from 443 on red, then 443 is manually disabled or blocked.

But if the green interface uses port 443 to forward to red, then either an additional IP can be added to serve the web GUI, or an interface added but not configured in IPFire for out-of-band management, or connected back onto green so the local DNS can serve it on green and add it to hosts.