How to enable HTTPS/TLS for the CubeBackup web console.


HTTPS is necessary

Adding HTTPS/TLS to the CubeBackup web console provides another layer of protection for all communications to and from your backup server. This is especially useful when accessing the CubeBackup web console from outside of your company (provided this is allowed by your company's security policy).

CubeBackup allows you to enable HTTPS/TLS access to the web console with a few simple operations:

Method 1: Automatically apply for a free TLS certificate

CubeBackup can apply for Let's Encrypt's free TLS certificate and install the certificate on the backup server automatically. Please follow the instructions below to enable HTTPS/TLS for the web console.

Prerequisites:

  • The web console must use port 80 and can be accessed from the Internet. That is, access to the web console from outside of your company must be allowed by the firewall.
  • Assign a domain name (most likely, a subdomain name) to the backup server by adding an A record in the DNS manager's panel. (this is usually a job for your Domain administrator)
  • HTTPS connections use TCP port 443, so port 443 must be allowed by your firewall.

To verify these prerequisites, the web console should be accessible via the domain name from outside your firewall using the standard HTTP protocol.

Modify configuration

Now you can simply modify the configuration file to enable HTTPS/TLS for the web console:

  • Open the config file <installation directory>\etc\config.toml on the backup server using a text editor.

    On Windows, the default installation directory is located at C:\Program Files\CubeBackup365.
    On Linux, the default installation directory is located at /opt/cubebackup365.

  • In the [Web] section, remove the comment character "#" from the beginning of the line for

    HTTPSEnabled = true

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    Domains = ["backupserver.yourdomain.com"]  # this is optional
  • Restart the CubeBackup service using the following command.

    Please run this command.

    sudo /opt/cubebackup365/bin/cbsrv restart

    Open a Command Prompt as Administrator, and run this command.

    "C:\Program Files\CubeBackup365\bin\cbsrv.exe" restart

    Open the Windows PowerShell as Administrator, and run this command.

    & "C:\Program Files\CubeBackup365\bin\cbsrv.exe" restart

    Please run this command to restart the container.

    sudo docker restart <container-name>

Method 2: Use your own certificate

If your CubeBackup's web service does not use port 80, or you want to use your own certificate on the web console, CubeBackup also allows you to encrypt web communication using your own certificate.

Get a certificate

To get your own certificate, you can:

  • Use a SSL/TLS certificate you already own.
  • Purchase or apply for a free an SSL/TLS certificate from a CA (Certification Authority).
  • Generate a free self-signed SSL/TLS certificate

    Note: Securing your website with a self-signed SSL/TLS certificate protects the web console by encrypting communications to and from the backup server, but self-signed certificates are not automatically recognized by web browsers, so your browser may give a warning about the certificate's lack of official validity.

Modify configuration

Please follow the instructions appropiate for your operating system to enable the certificate on your web console:

  • Open the config file <installation directory>\etc\config.toml on the backup server using a text editor.

    On Windows, the default installation directory is located at C:\Program Files\CubeBackup365.

  • Add the following lines to the [Web] section:

    HTTPSEnabled = true
    CertFile = "\\<path>\\<mydomain.pem>"
    KeyFile = "\\<path>\\<mydomain.key>"

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    CertFile = "c:\\certificates\\mydomain.pem"
    KeyFile = "c:\\certificates\\mydomain.key"
    Domains = ["mydomain.com"]  # this is optional

    Tips:
    1. The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in other format, please convert it to the PEM file.
    2. Please use the double-backslash "\\" in the file path for Windows operating systems.

  • Restart the CubeBackup service:
    Open a Command Prompt or Windows Powershell as Administrator and run the following command:

    "C:\Program Files\CubeBackup365\bin\cbsrv.exe" restart # in Command Prompt 
    
    & "C:\Program Files\CubeBackup365\bin\cbsrv.exe" restart # in Windows Powershell 
    

  • Open the config file <installation directory>\etc\config.toml on the backup server using a text editor.

    On Linux, the default installation directory is located at /opt/cubebackup365.

  • Add the following lines to the [Web] section:

    HTTPSEnabled = true
    CertFile = "/<path>/<mydomain.pem>"
    KeyFile = "/<path>/<mydomain.key>"

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    CertFile = "/opt/cubebackup365/data/abc.pem"
    KeyFile = "/opt/cubebackup365/data/abc.key"
    Domains = ["yourdomain.com"]  # this is optional

    Tips:
    1. The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in other format, please convert it to the PEM file.
    2. Please make sure that cbuser has at least read permission to the cert and key file.

  • Restart the CubeBackup service.

    sudo /opt/cubebackup365/bin/cbsrv restart
  • Open the config file /opt/cubebackup365/etc/config.toml in the container using a text editor.

  • Add the following lines to the [Web] section:

    HTTPSEnabled = true
    CertFile = "/<path>/<mydomain.pem>"
    KeyFile = "/<path>/<mydomain.key>"

    The [Web] section should look like this after the modification:

    [Web]
    Bind = ":80"
    HTTPSEnabled = true
    CertFile = "/opt/cubebackup365/data/abc.pem"
    KeyFile = "/opt/cubebackup365/data/abc.key"
    Domains = ["yourdomain.com"]  # this is optional

    Tips:
    1. The certificate file must be a .pem file with BASE64 encoding. If your certificate file is in other format, please convert it to the PEM file.
    2. Please make sure that cbuser has at least read permission to the cert and key file.

  • Restart the CubeBackup service.

    sudo docker restart <container-name>

    To access the HTTPS/TLS web console, port 443 on the container needs to be bound to a host port.