UCS 4 - Change port that UMC listens on

I am evaluating UCS 4 with Zarafa & Z-Push also installed. The necessity of having port 443 open to the outside world for Zarafa Webapp & Active-sync has me thinking I’d like to change the port that the UMC (& even UMC-Overview) is served on.

I found “umc/http/port” in the Configuration Registry (set to 8090, which tells me I don’t understand as much as I need to about the apache2 config to go fiddling). So is there an accepted best practice way to change the https port that the “univention-management-console” & “umc-overview” sites listen on?

Hi,
hope this helps. /ucs-overview and /univention-management-console/ are served by Apache; changing “umc/http/port” will not solve your problem.

Instead of changing the port for the administration pages you might consider using Access Control in Apache.
The topic itself is currently in discussion. The more I think about it and the use cases for UCS, the more I would think that this is something which should be built in as a feature instead of just documenting a workaround.

In the meantime you can choose between

  • changing the templates for the Apache config files
  • placing a .htaccess into the directories you want to protect

The last one is obviously the quickest but may have drawbacks during upgrades or show side effects. It currently works for me.
Assuming your internal network is 192.168.1.0 you may try to create the file /var/www/univention-management-console/.htaccess with the following content:

Order deny,allow
Allow from 127.0.0.0/255.0.0.0 ::1/128
Allow from 192.168.1
Deny from all
You can also copy the .htaccess to /var/www/ucs-overview.
Of course, having a general access control for the whole Apache-DocRoot and defining exclusions for ActiveSync and WebAccess would provide more security.

HTH
Best Regards,
Dirk Ahrnke
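
To check which client addresses the rule set in the post above admits (for example before adding further subnets), the following added example, which is not part of the original thread and is not Univention or Apache code, models the documented Apache 2.2 `Order`/`Allow`/`Deny` evaluation for IP-based specs only. The function names are hypothetical; the rules are the ones quoted in the post.

```python
import ipaddress

# The .htaccess rules from the post above, one directive per line.
HTACCESS = """\
Order deny,allow
Allow from 127.0.0.0/255.0.0.0 ::1/128
Allow from 192.168.1
Deny from all
"""

def spec_matches(spec, client):
    """True if one Allow/Deny spec covers the client (IP specs only, no hostnames)."""
    if spec.lower() == "all":
        return True
    if "/" not in spec and ":" not in spec and spec.count(".") < 3:
        # Partial IPv4 address: matches on whole-octet boundaries only.
        octets = spec.rstrip(".").split(".")
        return client.version == 4 and str(client).split(".")[:len(octets)] == octets
    # Full address, CIDR, or network/netmask form.
    net = ipaddress.ip_network(spec, strict=False)
    return client.version == net.version and client in net

def parse(text):
    """Return (order, allow_specs, deny_specs) from Order/Allow/Deny lines."""
    order, allow, deny = "deny,allow", [], []   # Apache 2.2 default Order
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    return order, allow, deny

def is_allowed(text, client_ip):
    """Evaluate the rules for one client address."""
    order, allow, deny = parse(text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(spec_matches(s, client) for s in allow)
    denied = any(spec_matches(s, client) for s in deny)
    if order == "deny,allow":      # Allow overrides Deny; default is allow
        return allowed or not denied
    if order == "allow,deny":      # Deny overrides Allow; default is deny
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)
```

`is_allowed(HTACCESS, "192.168.10.5")` returns `False`: the partial address `192.168.1` covers 192.168.1.x only, so any additional subnet needs its own `Allow from` entry.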

Thank you Dirk. I appreciate your response.

I should have mentioned that I have already done something similar to what you describe (in my case I have just used Order/Allow/Deny statements in the “univention-management-console” apache config to restrict access to my LAN & VPN connected subnets). But the fact that it and the “umc-overview” site are handled in different areas of the apache config had me thinking that changing the port was perhaps a more elegant way of handling the issue.

I’m glad to hear this is under discussion, as I think having the email specific services & the web administration services sharing a port that has to be exposed to the public is cumbersome for security/routing/NAT reasons.

Thank you again so much for your response. Much appreciated.

I’d too appreciate such a built-in feature!

How far are the discussions about this?

Is there a more elegant way to restrict access to the umc?

Regards,
Joachim

I haven’t seen a feature request in Bugzilla and created bug 40811.

Best Regards,
Dirk
