Optionally, the web interface can be accessed via the WAN interface over the Internet. This is useful for remote teaching, or to allow students to do homework in the evenings.

Requirements

In order to use remote access:

  1. Your WAN interface needs a public IP address, say 1.2.3.4
  2. Ports 80 and 443 (at least) inbound must be permitted
  3. You need a DNS domain name that you control, say lab.example.org
  4. Create the following DNS records:

    lab.example.org.      A  1.2.3.4
    *.p.lab.example.org.  A  1.2.3.4

    If your WAN interface has an IPv6 address then you can add AAAA records as well.

  5. You should already have run the websetup script - if not, do it here.

  6. Now run the sslsetup script to obtain a Let's Encrypt certificate, passing your domain name as an argument:

    cd /etc/apache2/nsrc-web
    ./sslsetup lab.example.org

Students then access the platform as https://lab.example.org/

If necessary, you can omit steps 3-5 and just access the platform via its IP address (e.g. http://1.2.3.4/). However, this will still redirect to HTTPS, which means that users will need to click through the certificate error.

Credentials

To prevent drive-by access, remote access is controlled by an additional username and password. When you ran websetup, it generated and displayed a username and a random password.

The password file is /etc/apache2/nsrc-web/etc/nsrc-passwd and you can create or edit usernames as follows:

    sudo htpasswd /etc/apache2/nsrc-web/etc/nsrc-passwd <username>

The password is hashed, so if you've forgotten it, you'll need to change it.

The browser shows a login form the first time a student accesses the platform; the login is then stored in a cookie. Users can explicitly log out by visiting /auth/logout.html.

Warning

Please configure a unique username and password each time you create a new workshop. Re-using old login credentials is a security risk!

For example: anyone who knows the web password can connect to the web front-end, SSH to noc or srv1 using the well-known static password, and then use it to make outbound attacks to other devices on the Internet.
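One way to follow this advice for each new workshop, as an added example that is not part of the platform's own scripts: it empties the password file so that logins from earlier workshops stop working, then adds one freshly generated account. The function names and the `--rotate` argument are hypothetical, and it assumes that no other account in the file needs to survive and that your htpasswd supports `-i` (read the password from stdin).

```shell
#!/bin/sh
# Added example: rotate the remote-access login for a new workshop.
# Default path is the password file named on this page; override via PASSWD_FILE.
PASSWD_FILE="${PASSWD_FILE:-/etc/apache2/nsrc-web/etc/nsrc-passwd}"

# Print 2*N hex characters built from N bytes of the kernel CSPRNG.
rand_hex() {
    od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Hypothetical naming scheme: "ws" + today's date + a random suffix,
# so a username from an earlier workshop is never reused.
new_username() {
    printf 'ws%s-%s' "$(date +%Y%m%d)" "$(rand_hex 3)"
}

rotate_creds() {
    user="$(new_username)"
    pass="$(rand_hex 16)"                 # 128 bits of randomness
    # Refuse to continue if the random source produced a short password.
    [ "${#pass}" -eq 32 ] || return 1
    # Truncate in place: removes every old login, keeps the file's owner and mode.
    : > "$PASSWD_FILE" || return 1
    # -i reads the password from stdin, keeping it off htpasswd's command line.
    printf '%s\n' "$pass" | htpasswd -i "$PASSWD_FILE" "$user" || return 1
    # Shown once here; only the hash is stored in the file.
    printf 'username: %s\npassword: %s\n' "$user" "$pass"
}

# Run as root, e.g.: sudo sh rotate-creds.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    rotate_creds
fi
```

Students who are still logged in from a previous workshop should be asked to visit /auth/logout.html and sign in with the new credentials.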

Subdomains

The wildcard DNS record is used for proxying to internal web sites. For example, the site http://noc.ws.nsrc.org/ is accessed from the outside as http://noc.p.lab.example.org/. When accessing by IP address only, it would be http://noc.p.1.2.3.4.xip.io/.

The topology index pages use short-form relative links like /p/noc/. These links dynamically redirect to the correct URL, depending on whether the user is internal or external.