The HTTP server's purpose is to serve the HTML and supporting files that implement the web-based user-interface for the FB2900. It is not a general-purpose web server that can be used to serve user documents, and so there is little to configure.
By default, the FB2900 will allow access to the user interface from any machine, although obviously access to the user interface normally requires the correct login credentials to be provided. However, if you have no need for your FB2900 to be accessed from arbitrary machines, then you may wish to 'lock-down' access to the user interface to one or more client machines, thus removing an 'attack vector'.
Access can be restricted using allow
and local-only
controls as with any service.
If this allows access, then a user can try and login. However, access can also be restricted on a per user basis to IP addresses and using profiles, which block the login even if the passord is correct.
Additionally, access to the HTTP server can be completely restricted (to all clients) under the control of a profile. This can be used, for example, to allow access only during certain time periods.
There are a number of security related headers with sensible defaults. These can be changed in the config. If you wish to remove a header simply make it an empty string to override the default.
Trusted addresses are those from which additional access to certain functions is available. They are specified by setting the
trusted
attribute using address ranges or IP address group names.
This trusted access allows visibility of graphs without the need for a password, and is mandatory for packet dump access.
The trusted access list also has priorty over local-only
and allow
, i.e. if the source IP is in the trusted it is always allowed.
The FireBrick provides a means to access the control pages using https rather than http.
At this stage, to use this feature, you will need to install a key pair and certificate manually. This could be a self signed key/certificate or something signed by a certificate authority (CA) like Let's Encrypt. A proper signed certificate from a recognised CA will avoid any browser warnings when using https. The certificate generation / upload process is explained more in Section 12.1.4.
By default access is permitted using http and https, but you can lock down to http only, https only, or redirection from http to https. It is recommended that https is used for security reasons. FireBrick https works with all modern browsers (e.g. IE 10 and above, chrome, firefox, safari). It uses TLS1.2 only with TLS1.3 planned soon.