Run HTTPS instead of HTTP?

[triuk]

This is continuation of #70 (comment)
First I would like to clarify - is running HTTP really a threat? Well yes if you do not want your login to be somehow sniffed. In my case I do not care as the whole thing is running inside a separate environment, I connect to the webinterface from the intranet and run the server only when I use it.

For others, it might be useful to have a step by step guide with the reverse proxy. I can try it out for you.

[k0dat]

@triuk - Yes, if the webadmin is only accessible on your local network, then HTTP is fine. Still, setting up a reverse proxy in that scenario works around port 8080 being included in the rate limiting rule.

I'm personally running my servers on a VPS. I seem to recall reading the KF2 webadmin had security exploits - but I don't think there was any detail on what these were. So while it might not be the case, if allowing access to it via the Internet, it's wise to treat it as potentially exploitable, using HTTPS and also restricting access to only your own IP address.

Anyway, here's my draft notes on setting up a reverse proxy. @triuk - for you all the optional steps wouldn't apply, as they're only applicable to HTTPS and Cloudflare proxying.

First a few things to note:

• I'm using Fedora, which uses dnf for package management. If your using another package manager, adjust the dnf commands for your distro.
• The assumption is your haven't already installed and configured nginx for another purpose. These instructions are likely to mess up an already configured nginx install.

(Optional) - Setting up sub-domain for accessing webadmin

If you own a domain, for convenience and to setup an auto-renewing Let's Encrypt certificate for HTTPS, it's recommended to set up a sub-domain for accessing webadmin.

In the DNS records editor for your domain, create a new A name record set to the KF2 server IP address. Eg. kf2server. So when accessing the webadmin, you'll go to eg. https://kf2server.yourdomain.com

If your domain is with Cloudflare, recommend the new A name record is set to proxied to protect against DDOS attacks.

Installing nginx and configuring as a reverse proxy

Install nginx by running the following:
sudo dnf install nginx

If SELinux is enabled, run the following for the reverse proxy to work. Otherwise you'll get a bad gateway error when trying to access webadmin.

sudo setsebool -P httpd_can_network_connect 1

Setting up the reverse proxy in nginx.conf

Run the following (replacing nano with your editor of choice):
sudo nano /etc/nginx/nginx.conf

(Optional) If using sub-domain for accessing webadmin, change server_name from _ to sub-domain set up earlier. Eg. kf2server.yourdomain.com

(Optional) If using Cloudflare and record set to proxied, the following needs to be added to set the correct IP address in the request header. This is especially important if you want to only allow your own IP address to access webadmin for security purposes. In server section (after 'location = /50x.html {
}' add:

        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 104.16.0.0/13;
        set_real_ip_from 104.24.0.0/14;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 131.0.72.0/22;

        real_ip_header CF-Connecting-IP;

Now to add a new location for reverse proxying to the webadmin. Add the following in server section:

        location / {
            allow REPLACE_THIS_YOUR_IP_ADDRESS;
            deny all;
            proxy_pass         http://localhost:8080;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;        
        }

The 'allow REPLACE_THIS_YOUR_IP_ADDRESS;' and 'deny all;' lines are for only allowing your own IP address to access the webadmin and denying all others. Both these lines need to deleted if you're not doing this, but it's recommended the IP address is restricted for security purposes.

The IP address is your outwardly facing IP (not the IP address on your LAN). This can be found at the following http://whatismyipaddress.com/. You'll want to use your IPv4 address, not IPv6.

So now the server section should look something like the following:

    server {
        listen       80;
        listen       [::]:80;
        server_name  kf2server.yourdomain.com;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }

        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 104.16.0.0/13;
        set_real_ip_from 104.24.0.0/14;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 131.0.72.0/22;

        real_ip_header CF-Connecting-IP;

        location / {
            allow 123.456.789;
            deny all;
            proxy_pass         http://localhost:8080;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        
        }
    }

Run the following commands to start nginx and add firewall rules for HTTP (and optional HTTPS) access.

sudo systemctl enable nginx.service
sudo systemctl start nginx.service

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https (Optional, only if you want HTTPS) 
sudo firewall-cmd --reload

Now in your VPS firewall or router, add port forwarding rules for HTTP (TCP port 80) and HTTPS (TCP port 443).

Test if we can get there via HTTP. Eg. navigate to http://kf2server.yourdomain.com in your browser.

(Optional) Setting up Certbot for automatic renewal of Let's Encrypt certificates for HTTPS

Run the following, replacing kf2server.yourdomain.com with your sub-domain.

sudo dnf install python3-certbot-nginx
sudo certbot --nginx -d kf2server.yourdomain.com

This will install Certbot and configure it for your sub-domain.

You'll be asked to accept ToS and for your email address.

Test if we can get there via HTTPS eg. https://kf2server.yourdomain.com

Note: Certbot will make changes to nginx.conf, so opening it up again, it will now look a bit different.

To test automatic renewal of certificates run following:
sudo certbot renew --dry-run

If your certificate renewal is working properly, it should display 'Congratulations, all simulated renewals succeeded' as part of the output.

Final step

If you've previously been accessing the webadmin via port 8080 over the Internet, that port forwarding rule should be removed in your VPS firewall or router. Otherwise, the reverse proxy can be by-passed via that port.