Optionally, the web interface can be accessed via the WAN interface over the Internet. This is useful for remote teaching, or to allow students to do homework in the evenings.
Requirements
In order to use remote access:
- Your WAN interface needs a public IP address, say 1.2.3.4
- Ports 80 and 443 (at least) inbound must be permitted
- You need a DNS domain name that you control, say lab.example.org
- Create the following DNS records:

      lab.example.org.      A  1.2.3.4
      *.p.lab.example.org.  A  1.2.3.4

  If your WAN interface has an IPv6 address then you can add AAAA records as well.
- You should already have run the websetup script - if not, do it here.
- Now run the sslsetup script to obtain a LetsEncrypt certificate, passing your domain name as an argument:

      cd /etc/apache2/nsrc-web
      ./sslsetup lab.example.org

Students then access the platform as https://lab.example.org/
If necessary you can omit steps 3-5, and just access the platform via its IP address (e.g. http://1.2.3.4/). However, this will still redirect to HTTPS, which means that users will need to click through the certificate error.
Credentials
To prevent drive-by access, remote access is controlled by an additional username and password. When you ran websetup this will have generated and displayed a username and random password.
The password file is /etc/apache2/nsrc-web/etc/nsrc-passwd and you can create or edit usernames as follows:

    sudo htpasswd /etc/apache2/nsrc-web/etc/nsrc-passwd <username>

The password is hashed, so if you've forgotten it, you'll need to change it.
The browser will show a login form the first time the student accesses the platform; the login is then stored in a cookie. Users can explicitly log out by visiting /auth/logout.html.
Warning
Please configure a unique username and password each time you create a new workshop. Re-using old login credentials is a security risk!
For example: anyone who knows the web password can connect to the web front-end, SSH to noc or srv1 using the well-known static password, and then use it to make outbound attacks to other devices on the Internet.
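One way to follow this advice is sketched below as an added example; it is not part of the NSRC scripts. It sets a random password for a new workshop login and removes logins left over from earlier workshops, using the standard htpasswd options -i (read password from stdin) and -D (delete user). The script name, the example username and the decision to delete every other login are assumptions.

```shell
#!/bin/sh
# Added example: issue a fresh remote-access login for a new workshop.
# Run as root, e.g.:  sudo sh rotate-login.sh ws-2025-05   (hypothetical names)
PASSWD_FILE="${PASSWD_FILE:-/etc/apache2/nsrc-web/etc/nsrc-passwd}"  # path from the page
HTPASSWD="${HTPASSWD:-htpasswd}"

# 20 random characters, skipping look-alikes (0/O, 1/l/I) so the
# password can be read out or written on a whiteboard without mistakes.
gen_password() {
    head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-HJ-NP-Za-km-z2-9' | cut -c1-20
}

# Every username in the password file except $1, i.e. logins left over
# from earlier workshops.
stale_users() {
    cut -d: -f1 "$PASSWD_FILE" | grep -vxF -- "$1" || true
}

# Set a new random password for $1, remove all other logins (assumption:
# nobody else needs to keep access), and print "user password" once.
rotate_login() {
    user="$1"
    [ -f "$PASSWD_FILE" ] || { echo "run websetup first" >&2; return 1; }
    pass="$(gen_password)"
    # -i reads the password from stdin, so it never shows up in ps output
    # or shell history the way a command-line password would.
    printf '%s\n' "$pass" | "$HTPASSWD" -i "$PASSWD_FILE" "$user" >&2
    for old in $(stale_users "$user"); do
        "$HTPASSWD" -D "$PASSWD_FILE" "$old" >&2
    done
    printf '%s %s\n' "$user" "$pass"
}

# Only act when a username is given, so the file can also be sourced.
[ "$#" -eq 0 ] || rotate_login "$1"
```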
Subdomains
The wildcard DNS record is used for proxying to internal web sites. For example, the site http://noc.ws.nsrc.org/ is accessed from the outside as http://noc.p.lab.example.org/. When accessing by IP address only, it would be http://noc.p.1.2.3.4.xip.io/.
The topology index pages use short-form relative links like /p/noc/. These links dynamically redirect to the correct URL, depending on whether the user is internal or external.