How to secure Policyd web access

[bjron.mork]

Dear Experts,

I am using Zimbra's 7.1.4 ZCS. To enable cbpolicyd within Zimbra, I followed steps mentioned in your http://forums.zextras.com/zimbra-how...a-7-1-1-a.html.....

These steps helped me a lot. But securing its web-access via cluebringer-httpd.conf file is not correct ,

Alias /cluebringer /opt/zimbra/cbpolicyd/share/webui/
<Directory /opt/zimbra/cbpolicyd/share/webui/>
# Comment out the following 3 lines to make web ui accessible from anywhere
Order Deny,Allow
Deny from all
Allow from 10.16.1.0/255.255.255.0
</Directory>

I can access policyd Server via http://yourzimbraserver:7780/webui/index.php from anywhere rather than http://yourzimbraserver:7780/cluebringer/index.php

Can you please help and guide the procedure to secure cbpolicyd web-access via IP subnet or via htpasswd method.

Regards
Bjron Mork

[Cine]

Hello bjron,
welcome to the forums!

Let me get this straight... Can you access http://yourzimbraserver:7780/cluebringer/index.php only from the right IPs and http://yourzimbraserver:7780/webui/index.php from everywhere?


Have a nice day,
Cine

[bjron.mork]

Hi Cine,
Thanks for your reply.

I can access policyd Server via http://yourzimbraserver:7780/webui/index.php from anywhere..

And I cannot access http://yourzimbraserver:7780/cluebringer/index.php from anywhere...in fact i get this reply.

Not Found
The requested URL /cluebringer/index.php was not found on this server.
Apache/2.2.21 (Unix) PHP/5.3.6 Server at 10.16.1.1 Port 7780

Is this file placement issue? Please suggest.

Regards
B~Mork.

[Cine]

Hello Bjron,

I checked the guide and looks like it needs to be updated, I'm reworking it right now... Stay tuned!


Have a nice day,
Cine

[bjron.mork]

Thanks Cine.. I have sorted the issue. Here are steps I followed....


Step 1

First go to webui directy (that is symbolic linked with /opt/zimbra/httpd/htdoc/share/webui)

cd /opt/zimbra/cbpolicyd-2.0.10/share/webui/

Step 2

Create htaccess file

touch .htaccess

vi .htaccess

and add below lines

AuthUserFile /opt/zimbra/cbpolicyd-2.0.10/share/webui/.htpasswd
AuthGroupFile /dev/null
AuthName "User and Password"
AuthType Basic

<LIMIT GET>
require valid-user
</LIMIT>

Step 3:

touch .htpasswd

and issue below command to add user and passwod

htpasswd -c .htpasswd cbpadmin

This process will ask password for cbpadmin user.

Step 4

Edit apache config file

vi /opt/zimbra/conf/httpd.conf

And add below lines

Alias /webui /opt/zimbra/cbpolicyd-2.0.10/share/webui/
<Directory /opt/zimbra/cbpolicyd-2.0.10/share/webui/>
# Comment out the following 3 lines to make web ui accessible from anywhere
AllowOverride AuthConfig
Order Deny,Allow
Allow from all
</Directory>

And finally restart apache server from root

su - zimbra -c "cbpolicdctl restart"

And enjoy...

[Cine]

Hello Bjorn,

thanks for the suggestion!

I corrected the guide added a step that went missing (probably during an edit)...
After copying the cluebringer-policyd.conf you must edit /opt/zimbra/conf/httpd.conf and add "Include /opt/zimbra/conf/cluebringer-httpd.conf" at the end of the file...

Also, using the second option of the guide the WebUI configuration should survive any Zimbra update (watch out, as the "cd /opt/zimbra/cbpolicyd-2.0.10/share/webui/" folder will probably be deleted by Zimbra's upgrade procedure, so you might loose your config..)

Enjoy!

Cine