Hello,
If I'm not wrong, some websites like /munin or /project-glowroot are visible to the public internet.
This is not a big security issue but maybe someone could get valuable information about our systems.
To protect those web directories we could do it via htpasswd
For example:
mkdir /etc/apache2/htpasswd
htpasswd -c /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd admin
or (if inside a script): htpasswd -b -c /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd admin testpassword
And inside /etc/apache2/upstream, for each project to protect:
//////////////////////////////////////////////
<Location /tomcat1-glowroot>
#Require all granted
Require user admin
AuthType Basic
AuthName "Protected site"
AuthUserFile /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd
ProxyPass "http://192.168.0.14:4000/tomcat1-glowroot"
ProxyPassReverse "http://192.168.0.14:4000/tomcat1-glowroot"
</Location>
//////////////////////////////////////////////
For Munin we could do something like:
htpasswd -c /etc/apache2/htpasswd/munin-htpasswd admin
And inside /etc/apache2/upstream
<Location /munin>
# Require all granted
Require user admin
AuthType Basic
AuthName "Protected site"
AuthUserFile /etc/apache2/htpasswd/munin-htpasswd
ProxyPass "http://192.168.0.30/munin"
ProxyPassReverse "http://192.168.0.30/munin"
</Location>
What do you think? Does it make sense?
Regards.
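
An added example, not part of the original post: a small Python audit that scans a config in the style of the post's /etc/apache2/upstream and reports proxied <Location> blocks that can still be reached without a password. The sample config is constructed, /tomcat2-glowroot is a made-up entry, and the parser assumes flat <Location> blocks like the ones above (no <RequireAll> containers or Include files).

```python
import re

# Constructed sample in the style of the post; /tomcat2-glowroot is a made-up open entry.
SAMPLE = """
<Location /tomcat1-glowroot>
  #Require all granted
  Require user admin
  AuthType Basic
  AuthUserFile /etc/apache2/htpasswd/tomcat1-glowroot-htpasswd
  ProxyPass "http://192.168.0.14:4000/tomcat1-glowroot"
</Location>
<Location /tomcat2-glowroot>
  Require all granted
  ProxyPass "http://192.168.0.14:4000/tomcat2-glowroot"
</Location>
<Location /munin>
  Require all granted
  Require user admin
  AuthType Basic
  AuthUserFile /etc/apache2/htpasswd/munin-htpasswd
  ProxyPass "http://192.168.0.30/munin"
</Location>
"""

BLOCK = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location\s*>', re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> list of argument strings, skipping comments."""
    found = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            found.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]).lower())
    return found

def audit(conf):
    """Return {location: [problems]} for proxied blocks that are not password protected."""
    findings = {}
    for path, body in BLOCK.findall(conf):
        d = directives(body)
        requires = [" ".join(r.split()) for r in d.get("require", [])]
        problems = ["no " + k for k in ("authtype", "authuserfile") if k not in d]
        if "all granted" in requires:  # bare Require lines are OR-ed (implicit RequireAny)
            problems.append("Require all granted")
        if not any(r.startswith(("user ", "valid-user")) for r in requires):
            problems.append("no Require user/valid-user")
        if problems and "proxypass" in d:
            findings[path] = problems
    return findings
```

audit(SAMPLE) flags /tomcat2-glowroot and /munin. The /munin block is reported even though it has Require user admin, because in Apache 2.4 an active Require all granted in the same section satisfies the request on its own.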