How to enable HTTPS/TLS for the CubeBackup web console


HTTPS is necessary

Adding HTTPS/SSL to the CubeBackup web console provides another layer of protection for all communications to and from your backup server. This is especially useful when accessing the CubeBackup web console from outside of your company (provided this is allowed by your company’s security policy).

CubeBackup allows you to enable SSL/TLS access to the web console with a few simple operations:

Method 1: Automatically apply for a free TLS certificate

CubeBackup can apply for a free TLS certificate from Let’s Encrypt and install it on the backup server automatically. Please follow the instructions below to enable HTTPS/TLS for the web console.

Prerequisites:

  • The web console must use port 80 and be accessible from the Internet. That is, access to the web console from outside of your company must be allowed by the firewall.
  • Assign a domain name (most likely, a subdomain name) to the backup server by adding an A record in the DNS manager’s panel. (This is usually a job for your domain administrator.)
  • HTTPS connections use TCP port 443, so port 443 must be allowed by your firewall. What’s more, if you run CubeBackup inside a Docker container, port 443 on the container should already be bound to a host port.

To verify these prerequisites, the web console should be accessible via the domain name from outside your firewall using the standard HTTP protocol.

Modify configuration

Now you can simply modify the configuration file to enable SSL/TLS for the web console:

  • Open the config file config.toml on the backup server using a text editor.

    Note:
    Starting with version 4.7, the configuration file is located at <installation directory>/etc/config.toml for fresh installations of CubeBackup. For installations upgraded through the console, or versions prior to 4.7, the configuration file is still located at <installation directory>/bin/config.toml.
         On Windows, the installation directory is located at c:\Program Files\CubeBackup4.
         On Linux, the installation directory is located at /opt/cubebackup.

  • In the [Web] section, remove the comment character “#” from the beginning of the line for

    HTTPSEnabled = true

    By default, CubeBackup allows all versions of TLS access to the web console. If, for security reasons, you would like to disable the less secure TLS1.0/1.1, please change the value of AllowLessSecureTLS to false. If your config.toml file doesn’t contain an AllowLessSecureTLS line, you will need to add the following in the [Web] section:

    AllowLessSecureTLS = false

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    AllowLessSecureTLS = false
    Domains = ["backupserver.yourdomain.com"]  # this is optional
  • Restart the CubeBackup service.

    On Linux:

    sudo /opt/cubebackup/bin/cbsrv restart

    On Windows:

    Enter services.msc in the command line, then in the Services list that pops up, right click the CubeBackup Service entry, and select Restart.

    On Docker:

    sudo docker restart <container-name>
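A check worth running before the restart, as an added example (not CubeBackup's own tooling): the function below, whose name `audit_web_section` is hypothetical, reads the [Web] section of a config.toml and reports when the settings described above are missing, still commented out, or written with typographic quotes that TOML does not accept.

```shell
#!/bin/sh
# Added example: audit the [Web] section of a CubeBackup config.toml.
# Prints one finding per line; returns 0 only when nothing was found.
audit_web_section() {
    awk '
        # Track which TOML table we are in; only [Web] is inspected.
        /^[ \t]*\[/ { in_web = ($0 ~ /^[ \t]*\[Web\][ \t\r]*(#.*)?$/); next }
        !in_web     { next }
        /^[ \t]*#/  { next }    # a commented-out setting is inactive
        /“|”/ {
            print "line " NR ": typographic quotes are not valid TOML strings"
            bad = 1
        }
        {
            line = $0
            sub(/#.*/, "", line)            # drop trailing comment (simplified)
            n = index(line, "=")
            if (!n) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            seen[key] = val
        }
        END {
            if (seen["HTTPSEnabled"] != "true") {
                print "HTTPSEnabled is not set to true in [Web]"
                bad = 1
            }
            # With the line absent, the default still allows TLS 1.0/1.1.
            if (seen["AllowLessSecureTLS"] != "false") {
                print "AllowLessSecureTLS is not false: TLS 1.0/1.1 remain allowed"
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Usage (path as given on this page for fresh 4.7+ installs on Linux):
#   audit_web_section /opt/cubebackup/etc/config.toml
```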

Method 2: Use your own certificate

If your CubeBackup’s web service does not use port 80, or you want to use your own certificate on the web console, CubeBackup also allows you to encrypt web communication using your own certificate.

Get a certificate

To get your own certificate, you can:

  • Use an SSL/TLS certificate you already own.
  • Purchase or apply for a free SSL/TLS certificate from a CA (Certification Authority)
  • Generate a free self-signed SSL/TLS certificate

    Note: Securing your website with a self-signed SSL/TLS certificate protects the web console by encrypting communications to and from the backup server, but self-signed certificates are not automatically recognized by web browsers, so your browser may give a warning about the certificate’s lack of official validity.

Modify configuration

To enable the certificate on your web console:

  • Open the config file on the backup server using a text editor.

    Note: On Linux, the configuration file is located at “/opt/cubebackup/bin/config.toml”
    On Windows, the configuration file is located at “c:\Program Files\CubeBackup4\bin\config.toml”

  • Add the following lines to the [Web] section:

    On Linux:

    HTTPSEnabled = true
    CertFile = "/<path>/<mydomain.pem>"
    KeyFile = "/<path>/<mydomain.key>"

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    CertFile = "/opt/cubebackup/db/abc.pem"
    KeyFile = "/opt/cubebackup/db/abc.key"
    Domains = ["yourdomain.com"]  # this is optional

    Tip: The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in another format, please convert it to a PEM file.

    On Windows:

    HTTPSEnabled = true
    CertFile = "\\<path>\\<mydomain.pem>"
    KeyFile = "\\<path>\\<mydomain.key>"

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    CertFile = "c:\\certificates\\mydomain.pem"
    KeyFile = "c:\\certificates\\mydomain.key"
    Domains = ["mydomain.com"]  # this is optional

    Tips:

      • The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in another format, please convert it to a PEM file.

      • Please use the double-backslash “\\” in the file path for Windows operating systems.

  • Restart the CubeBackup service.

    On Linux:

    sudo /opt/cubebackup/bin/cbsrv restart

    On Windows:

    Enter services.msc in the command line, then in the Services list that pops up, right click the CubeBackup Service entry, and select Restart.

    On Docker:

    sudo docker restart <container-name>

    To access the HTTPS/TLS web console, port 443 on the container needs to be bound to a host port.
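Before pointing CertFile and KeyFile at your own files, it helps to confirm that the certificate really is PEM, that the key belongs to it, and that it has not expired. The function below is an added example (not part of CubeBackup; the name `check_cert_pair` and its return codes are hypothetical) and assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: pre-flight check for a CertFile / KeyFile pair.
# Returns 0 = usable, 1 = key does not match the certificate,
#         2 = certificate is not PEM, 3 = file could not be parsed,
#         4 = certificate has expired.
check_cert_pair() {
    cert=$1
    key=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 3; }

    # A Base64 PEM certificate carries this header; a DER file does not.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "not PEM; convert with:" >&2
        echo "  openssl x509 -inform DER -in $cert -out ${cert%.*}.pem" >&2
        return 2
    fi

    # Compare the public key in the certificate with the one derived
    # from the private key; they are identical only for a matching pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # -checkend 0 fails when the certificate is already past notAfter.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired" >&2
        return 4
    fi

    # The private key should not be readable by every local user.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "warning: $key is world-readable; consider chmod 600" >&2
    fi
    return 0
}

# Usage, with the sample paths from the [Web] section above:
#   check_cert_pair /opt/cubebackup/db/abc.pem /opt/cubebackup/db/abc.key
```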