Change url from /univention to something different to hide mgmt interface

UCS - Univention Corporate Server
#1

hi there everyone,

for one specific task i want to use univention ucs to provide some services. the server will be publicly available. therefore i want to change the default path of the univention-url to something different to hide it from automated scripts and attacks against ucs. best example i can find is phpmyadmin where you easily can change the url by editing the alias in the apache config.

is there something similar in ucs? some ucr variable or the like?

as a result i would like to access the webinterface at
https://myserver/myhiddenunivention

thank you for any ideas.

best
sebastian

#2

Hey Sebastian,

it’s great that you make your thoughts about security when running UCS publicly available. To get more advise I would like to point you to these articles:

Regarding your concrete need: Unfortunately I expect that this is not possible as the path /univention stems from the directory /var/www/univention and is hardcoded in multiple places. (On a side note I am not that keen of security by obscurity although it can make sense in your case)
But there are some other things you can do: Best in my opinion would be to make UCS available via a reverse proxy so that you can prohibit access from outside to the UMC, ideally with internal access via VPN. If you want to hide that the server is running UCS at first glance it might already suffice to change the apache2/startsite.

Best regards
Jan-Luca

1 Like
#3

jan-luca!

thank you for your quick response. yeah i kind of was expecting that.

my next approach then could be to bind apache2 to localhost only, and have an instance of nginx listen on public 80 and 443. (i need a webserver on 80 and 443 to redirect other stuff.) is this reflected in ucr variables? i did not find one in the existing apache2 values… is there a way to get a reading of all existing ucr variables? it seems to sometimes work to add a new one and sometimes does not. adding ssh on 10022 in iptables did work. the documentation (developer guide) is a bit short in this regard; though in general quite good.

thank you for your help
sebastian

Mastodon