Optionally, the web interface can be accessed via the WAN interface over the Internet. This is useful for remote teaching, or to allow students to do homework in the evenings.
In order to use remote access:
- Your WAN interface needs a public IP address, say
- Ports 80 and 443 (at least) inbound must be permitted
- You need a DNS domain name that you control, say
Create the following DNS records:
lab.example.org. A 184.108.40.206 *.p.lab.example.org. A 220.127.116.11
If your WAN interface has an IPv6 address then you can add AAAA records as well.
You should already have run the
websetupscript - if not, do it here.
- Now run the
sslsetupscript to obtain a LetsEncrypt certificate, passing your domain name as an argument:
cd /etc/apache2/nsrc-web ./sslsetup lab.example.org
Students then access the platform as https://lab.example.org/
If necessary you can omit steps 3-5, and just access the platform via its IP address (e.g. http://18.104.22.168/). However this will still redirect to HTTPS which means that users will need to click through the certificate error.
To prevent drive-by access, remote access is controlled by an additional
username and password. When you ran
websetup this will have generated and
displayed a username and random password.
The password file is
/etc/apache2/nsrc-web/etc/nsrc-passwd and you can
create or edit usernames as follows:
sudo htpasswd /etc/apache2/nsrc-web/etc/nsrc-passwd <username>
The password is hashed, so if you've forgotten it, you'll need to change it.
The browser will see a login form the first time the student acces the
platform, which is then stored in a cookie. Users can explicitly logout by
Please configure a unique username and password each time you create a new workshop. Re-using old login credentials is a security risk!
For example: anyone who knows the web password can connect to the web front-end, SSH to noc or srv1 using the well-known static password, and then use it to make outbound attacks to other devices on the Internet.
The wildcard DNS record is used for proxying to internal web sites. For example, the site http://noc.ws.nsrc.org/ is accessed from the outside as http://noc.p.lab.example.org/. When accessing by IP address only, it would be http://noc.p.22.214.171.124.xip.io/.
The topology index pages use short-form relative links like
These links dynamically redirect to the correct URL, depending on whether
the user is internal or external.