FWCloud-vm

DESCRIPTION

In case that you don't want to start installing FWCloud from scratch, you can download FWCloud-VM, an standard OVA virtual machine with a fully functional FWCloud installation.

An OVA file is a virtual appliance used by virtualization applications such as VMware Workstation and Oracle VM Virtualbox. It is a package that contains files used to describe a virtual machine, which includes an .OVF descriptor file, optional manifest (.MF) and certificate files, and other related files.

This virtual machine has a fixed pre-configured IP address 10.9.8.7/24. To connect to it you'll have to configure any of your PC's network interfaces to be inside this range.

There are two users to access through SSH:

  • User soltecsis with password soltecsis and administrator privileges.
  • User fwcloud with password fwcloud used for running the API.

The URL to access to FWCloud-UI is https://10.9.8.7 and it is not necessary URL for API access because the FWCloud-UI uses the proxy mode for access it.

Self-signed TLS certificates are used, so do take into account that when you access FWCloud-UI URL your browser will display a warning message stating that we're navigating to an insecure website. To avoid this hassle, it's recommended to use SSL certificates  issued by a valid Certificate Authority such as Let's Encrypt, as it's explained in the section below, that talks about FWCloud-VM configuration

CONFIGURATION

In this section we'll explain all the steps needed for changing our FWCloud-VM virtual machine configuration, to allow it to connect to our network as well as to use TLS certificates issued by a valid certificate authority such as Let's Encrypt.

As an example, we'll use the access following URL: https://ui.fwcloud.net

The first thing that we need to do is to change the virtual machine network configuration to match the network where it will be connected. We have to connect to the VM using SSH to its default IP (10.9.8.7) or, alternatively, using the console. We need administrative privileges, so we'll login as user soltecsis.

$ ssh soltecsis@10.9.8.7

Password:

Once that we've logged in, we need to create the host name ui.fwcloud.net with the same IP address that we've assigned to our server.

The next step is to replace the self-signed TLS certificates by others signed by a valid certificate authority such as Let's Encrypt.

 For the API, we have to update the files fwcloud-api.key and fwcloud-api.crt inside folder /opt/fwcloud-api/config/tls/ with the respective files of the new certificate.

$ sudo vi /opt/fwcloud-api/config/tls/fwcloud-api.crt

$ sudo vi /opt/fwcloud-api/config/tls/fwcloud-api.key

For the web server, running on Nginx, we'll need to update the files  fwcloud-ui.key and fwcloud-ui.crt inside folder /etc/ssl/certs with the respective files of the new certificate.

$ sudo vi /etc/ssl/certs/fwcloud-ui.crt

$ sudo vi /etc/ssl/certs/fwcloud-ui.key

Next, we have to change the Nginx web server configuration to change the default listening IP 10.9.8.7 to the DNS name ui.fwcloud.net. To do this, the best way is to edit the settings file using vi editor and run the following commands:

$ sudo vi /etc/nginx/conf.d/fwcloud-ui.conf

:1,$s/10.9.8.7/ui.fwcloud.net/g

:wq

We have to change the API configuration by editing the file /opt/fwcloud-api/.env and changing the value of the variable  CORS_WHITELIST by the new user interface URL. Following our example, this will be the result:

$ sudo vi /opt/fwcloud-api/.env

CORS_WHITELIST="https://ui.fwcloud.net"

We have to take into account that, since we are starting from a virtual machine that exists publicly on the Internet, it is convenient to improve the security of this so that we should modify the passwords of the soltecsis and fwcloud system users.

$ sudo passwd soltecsis

$ sudo passwd fwcloud

It is also appropriate to modify the encryption keys used by the API by modifying the configuration variables indicated below in the file /opt/fwcloud-api/.env. We can use the pwgen command to generate new random keys.

pwgen 64 1 -s
DPai8R51xIXZvSkCrmCmoeURT29pwPvosMjirCtGh3fK5gDF8VSIO8Pnw6hViz3u

pwgen 64 1 -s
gEIlQOFKkKqixw8w2hkrNtds4brEqmf2OMmhl6A7Hgb5zwxAPWFG9eohUpTfBjMJ

$ vi /opt/fwcloud-api/.env 

# Secret used for session cookies and CSRF (Cros-Site Rquest Forgery) tockens.
SESSION_SECRET="DPai8R51xIXZvSkCrmCmoeURT29pwPvosMjirCtGh3fK5gDF8VSIO8Pnw6hViz3u"

# Secret used for data encryption.
CRYPT_SECRET="gEIlQOFKkKqixw8w2hkrNtds4brEqmf2OMmhl6A7Hgb5zwxAPWFG9eohUpTfBjMJ"

To modify the password for accessing the FWCloud database we use the following commands. In addition, we have to modify the DB_PASS configuration variable in the /opt/fwcloud-api/.env file with the new password we just generated.

$ pwgen 24 1 -s
NZzghh0DXTFYy2ggn4Ndh2De

$ sudo mysql -u root
mysql> ALTER USER 'fwcdbusr'@'localhost' IDENTIFIED BY 'NZzghh0DXTFYy2ggn4Ndh2De';

Query OK, 0 rows affected (0.06 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> quit

$ vi /opt/fwcloud-api/.env

DB_PASS="NZzghh0DXTFYy2ggn4Ndh2De"

We can also regenerate the ssh keys of our virtual server using the following commands.

$ sudo /bin/rm -f /etc/ssh/ssh_host_*
$ sudo dpkg-reconfigure openssh-server

 
Lastly, we have to restart both the API and web server to load the new settings.

$ sudo systemctl restart fwcloud-api

$ sudo systemctl restart nginx

If everything went fine, we should be able to navigate to https://ui.fwcloud.net using your web browser and start using FWCloud from the FWCloud-VM virtual machine that we just set up using the next access data:
 
Customer code: 1
User name: fwcadmin
Password: fwcadmin
 
It is It is convenient that we modify the password of this user, which we can do through the user interface itself, in the configuration section.