How to enable HTTPS/TLS for the CubeBackup web console.
HTTPS is necessary
Adding HTTPS/SSL to the CubeBackup web console provides another layer of protection for all communications to and from your backup server. This is especially useful when accessing the CubeBackup web console from outside of your company (provided this is allowed by your company's security policy).
CubeBackup allows you to enable SSL/TLS access to the web console with a few simple operations:
Method 1: Automatically apply for a free TLS certificate
CubeBackup can apply for Let's Encrypt's free TLS certificate and install the certificate on the backup server automatically. Please follow the instructions below to enable the HTTPS/TLS for the web console.
Prerequisites:
- The web console must be accessible from the Internet. That is, access to the web console from outside of your company must be allowed by the firewall.
- Assign a domain name (most likely, a subdomain name) to the backup server by adding an A record in the DNS manager's panel. (This is usually a job for your Domain administrator.)
- HTTPS connections use TCP port 443, so port 443 must be allowed by your firewall. What's more, if you run CubeBackup inside a docker container, port 443 on the container should already be bound to a host port.
To verify these prerequisites, the web console should be accessible via the domain name from outside your firewall using the standard HTTP protocol.
Modify configuration
Now you can simply modify the configuration file to enable SSL/TLS for the web console:
Open the config file config.toml on the backup server using a text editor.
Note:
Starting with version 4.7, the configuration file is located at <installation directory>/etc/config.toml for fresh installations of CubeBackup. For installations upgraded through the console, or versions prior to 4.7, the configuration file is still located at <installation directory>/bin/config.toml.
On Windows, the installation directory is located at C:\Program Files\CubeBackup4 by default.
On Linux, the installation directory is located at /opt/cubebackup by default.In the [Web] section, remove the comment character "#" from the beginning of the line for
HTTPSEnabled = true
By default, CubeBackup allows all versions of TLS access to the web console. If, for security reasons, you would like to disable the less secure TLS1.0/1.1, please change the value of AllowLessSecureTLS to false. If your config.toml file doesn't contain an AllowLessSecureTLS line, you will need to add the following in the [Web] section:
AllowLessSecureTLS = false
The [Web] section should look like this after the modification:
[Web] Bind = ":80" HTTPSEnabled = true AllowLessSecureTLS = false Domains = ["backupserver.yourdomain.com"] # this is optional
Restart the CubeBackup service using the following command.
Please run this command.
sudo /opt/cubebackup/bin/cbsrv restart
Open a Command Prompt as Administrator, and run this command.
"C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart
Open the Windows PowerShell as Administrator, and run this command.
& "C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart
Please run this command to restart the container.
sudo docker restart <container-name>
Method 2: Use your own certificate
If you want to use your own certificate on the web console, CubeBackup also allows you to encrypt web communication using your own SSL certificate.
Get a certificate
To get your own certificate, you can:
- Use a SSL/TLS certificate you already own.
- Purchase or apply for a free an SSL/TLS certificate from a CA (Certification Authority)
Generate a free self-signed SSL/TLS certificate
Note: Securing your website with a self-signed SSL/TLS certificate protects the web console by encrypting communications to and from the backup server, but self-signed certificates are not automatically recognized by web browsers, so your browser may give a warning about the certificate's lack of official validity.
Modify configuration
To enable the certificate on your web console:
Open the config file on the backup server using a text editor.
Note:
Starting with version 4.7, the configuration file is located at <installation directory>/etc/config.toml for fresh installations of CubeBackup. For installations upgraded through the console, or versions prior to 4.7, the configuration file is still located at <installation directory>/bin/config.toml.
On Windows, the installation directory is located at C:\Program Files\CubeBackup4 by default.
On Linux, the installation directory is located at /opt/cubebackup by default.
Add the following lines to the [Web] section:
HTTPSEnabled = true CertFile = "/<path>/<mydomain.pem>" KeyFile = "/<path>/<mydomain.key>"
The [Web] section should look like this after the modification:
[Web] Bind = ":80" HTTPSEnabled = true CertFile = "/opt/cubebackup/db/abc.pem" KeyFile = "/opt/cubebackup/db/abc.key" Domains = ["yourdomain.com"] # this is optional
Tips:
1. The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in other format, please convert it to the PEM file. 2. Please make sure thatcbuser
has at least read permission to the cert and key file.Restart the CubeBackup service.
sudo /opt/cubebackup/bin/cbsrv restart
Add the following lines to the [Web] section:
HTTPSEnabled = true CertFile = "\\<path>\\<mydomain.pem>" KeyFile = "\\<path>\\<mydomain.key>"
The [Web] section should look like this after the modification:
[Web] Bind = ":80" HTTPSEnabled = true CertFile = "c:\\certificates\\mydomain.pem" KeyFile = "c:\\certificates\\mydomain.key" Domains = ["mydomain.com"] # this is optional
Tips:
1. The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in other format, please convert it to the PEM file.
2. Please use the double-backslash "\\" in the file path for Windows operating systems.Restart the CubeBackup service.
Open a Command Prompt or Windows Powershell as Administrator and run the following command:"C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart # in Command Prompt
& "C:\Program Files\CubeBackup4\bin\cbsrv.exe" restart # in Windows Powershell
Add the following lines to the [Web] section:
HTTPSEnabled = true CertFile = "/<path>/<mydomain.pem>" KeyFile = "/<path>/<mydomain.key>"
The [Web] section should look like this after the modification:
[Web] Bind = ":80" HTTPSEnabled = true CertFile = "/opt/cubebackup/db/abc.pem" KeyFile = "/opt/cubebackup/db/abc.key" Domains = ["yourdomain.com"] # this is optional
Tips:
1. The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in other format, please convert it to the PEM file.
2. Please make sure thatcbuser
has at least read permission to the cert and key file.Restart the CubeBackup service.
sudo docker restart <container-name>
To access the HTTPS/TLS web console, port 443 on the container needs to be bound to a host port.