With 2.4.x you can use UrBackup with a HTTPS proxy. This way you can have the web interface and the clients connecting at the same port, secured by the same transport encryption (SSL). This post shows how to do this in combination with the Apache web server.
The idea is that the client connects to the web server and issues a HTTP CONNECT request to the actual UrBackup server.
First Enable CONNECT proxy module in apache. On debian via
Then allow connections to the UrBackup server Internet port by adding
to your apache configuration.
Next in your apache virtual host configuration, set proxy options such as the timeout, allow proxy connections to the UrBackup server, and disallow them to every other host:
ProxyTimeout 600 ProxyRequests On <Proxy 127.0.0.1:55415> </Proxy> <ProxyMatch ^(?!127.0.0.1:55415$).*$> Order Deny,Allow Deny from all </ProxyMatch>
Then, go to your UrBackup server web interface and setup your web server URL as Internet client proxy (https://example.com) and the Internet server name/IP as 127.0.0.1. Internet clients should then start connecting via your web server to your UrBackup server. Once all clients connect this way you could turn off UrBackup’s build in Internet transfer encryption and rely on SSL.
Fixing client IP addresses
You may notice that on the status page all Internet clients now show the IP address of your web server as their IP address. Fixing this is a bit difficult, as there is no standard way to forward the client IP address information from the web server (compared to a normal HTTP proxy where there is a X-Forwarded-For header). So, a bit of hacking to fix this is in order. I modified the mod_proxy_connect apache plugin to forward the client IP information in a 50 byte buffer to the backend: mod_proxy_connect.c
On debian you could replace your original mod_proxy_connect with the modified one via the following commands:
apt install apache2-dev
apxs -i -a -c mod_proxy_connect.c
Then in the UrBackup server advanced global settings set “List of server IPs (proxys) from which to expect endpoint information (forwarded for) when connecting to Internet service (needs server restart)” to include your web server IP (127.0.0.1 in the example here). After a server restart you should be able to see the actual client IP instead of the web server IP on the status screen.
Fixing SNI errors
If you have multiple virtual hosts with SSL there is an issue with SNI. Apache2 automatically compares the hostname in the CONNECT request with the server name in the SSL connection (SNI) and rejects the request if they differ. The only solution (or ugly hack) I found to fix this was to add the hostname with the target IP to /etc/hosts and then use the hostname instead of the IP in the CONNECT request. I.e., add “127.0.0.1 example.com” to /etc/hosts, then replace 127.0.0.1 with example.com in all the configuration above.
Additional proxy authentication
As additional security layer, one can require proxy authentication. Clients need to know a username+password to get through the web server to the UrBackup server. With apache2 e.g.:
htpasswd -c -b /etc/apache2/urbackup_password urbackup passw0rd
Then modify the proxy section to:
<Proxy 127.0.0.1:55415> AuthType Basic AuthName "Restricted UrBackup" AuthBasicProvider file AuthUserFile "/etc/apache2/urbackup_password" Require user urbackup </Proxy>
Afterward add username+password to the proxy url, that is e.g. https://urbackup:firstname.lastname@example.org