How to use SSL to remotely access the server manager


Table of Contents

1. Initial Notes
2. Enabling SSL Access
3. Examples of ValidFrom Addresses
3.1. Viewing the ValidFrom settings
4. Disabling SSL Access

This document applies only to the SME Server V5.

With the SME Server V5, we added the ability to access the server manager remotely through a regular web browser using SSL encryption (also known as HTTPS).

Warning

Even with SSL encryption, there is an inherent risk in allowing any remote access to the server manager. Please examine the rules mentioned below and tightly restrict the external access you grant.

1. Initial Notes

A few notes before the process is outlined:

  • HTTPS access to the manager and password panel are always available from all configured local (internal) networks. Extra external IPs and/or networks/masks can be added through process outlined below.

  • External HTTP access (without SSL) is never allowed.

  • In all cases, the user must enter the username admin and your system password in order to be authenticated and gain access to the server manager.

  • There is no manager option to set the ValidFrom property outlined below at this stage. All configuration is from the Linux command line.

  • No special port numbers are required.

  • The ValidFrom property affects remote access to both the server manager and also the password panel where users can change their password.

2. Enabling SSL Access

To enable SSL access to the server manager, follow the steps outlined below.

  1. Set the properties of httpd-admin with a list of valid addresses. (Examples shown below.)

    
        /sbin/e-smith/db configuration setprop httpd-admin ValidFrom IP/Subnet[,IP/Subnet]
    
  2. Expand the httpd.conf templates:

    
        /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
    
  3. Gracefully restart apache:

    
        /etc/e-smith/events/actions/restart-httpd-graceful
    
  4. Access the server manager from the remote system using the full domain name and the regular url (make sure to use https):

       
       https://www.mydomain.xxx/server-manager
    

3. Examples of ValidFrom Addresses

Note

For the purposes of illustration, these examples use addresses found in the private IP ranges defined in RFC1918. You will need to provide the valid IP address (or range of addresses) on the Internet from which you will be connecting. If you are going to connect to the server manager across the Internet from behind another SME Server or another firewall/router that does NAT, you need to provide the IP address of that system's external interface that is directly connected to the Internet. Note that in entering that single IP address, you are enabling access (subject to password authentication) for all systems behind that SME Server or other device.

If you only want to allow remote access from a single IP address, use:


    /sbin/e-smith/db configuration setprop httpd-admin ValidFrom 10.123.54.24

If you want to allow remote access from a small number of individual IP addresses, use:

    
    /sbin/e-smith/db configuration setprop httpd-admin ValidFrom 10.123.54.24,10.123.54.25,192.168.120.51

If you wish to allow remote access from a range of IP addresses that can be addressed using an appropriate subnet mask[1], use:


    /sbin/e-smith/db configuration setprop httpd-admin ValidFrom 192.168.100.0/255.255.255.0

If there are several ranges that you wish to allow, you can combine them on a single line as follows:


   /sbin/e-smith/db configuration setprop httpd-admin ValidFrom 10.114.200.0/255.255.255.0,192.168.145.88/255.255.255.248
Warning

Be very careful to set as small of a ValidFrom range as possible to reduce the possibility of outsiders attempting to access your server manager.

3.1. Viewing the ValidFrom settings

It is possible to view your ValidFrom settings as shown in the example below:


    [root@server /root]# /sbin/e-smith/db configuration show httpd-admin
    httpd-admin=service
        InitscriptOrder=86
        ValidFrom=10.114.200.0/255.255.255.0
        status=enabled

4. Disabling SSL Access

To disable SSL access to the server manager, follow the steps outlined below.

  1. Delete the ValidFrom property for httpd-admin from the configuration database:

    
        /sbin/e-smith/db configuration delprop httpd-admin ValidFrom
    
  2. Expand the httpd.conf template:

    
        /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
    
  3. Gracefully restart apache:

    
        /etc/e-smith/events/actions/restart-httpd-graceful
    

    All attempts to connect to the server manager from the external network should now be refused.

Please send any comments about this document to documentation@e-smith.com.

$Revision: 1.8 $ $Date: 2001/10/23 19:59:23 $



[1] It is also possible to use CIDR notation for subnets where 192.168.120.0/24 would be used instead of 192.168.120.0/255.255.255.0. Both forms are supported.