WFE Logs Growing Unexpectedly Large

Description 

The WFE log file was observed to be 30 GB and was filling the OS partition.

Product 

exacqVision Web Server v21.06

Solution

For reference the WFE Log File Locations are:

Linux

/var/log/webservice/wfe.log

Windows

C:\ProgramData\Webservice\logs\wfe.log

  • Fully purge the exacqVision Web Server software
  • Verify the exacqVision Web Server install folder has been removed
  • Reinstall exacqVision Web Server
  • WFE file sizes should then return and remain normal

NOTE:  See AES-13 for additional information


SCN-00000010 – Explaining Web Service Architecture Change

SCN #: SCN-00000010
Title of SCN: Explaining Web Service Architecture Change
TRAC #:
Effective Version: 9.0.0
Products Affected: Web Service
Reason for Change (Summary): To better address the root of customer questions about Web Service security without creating more confusion.

Change

Engineering has requested that Support Technicians refrain from explaining the new Web Service as “having a ‘Go’ Web Front End”.  Rather, let the customer know that the new Web Server is “Custom”, or “written in-house”.  As a comparison, it’s unnecessary to offer that ESM is primarily written in Python, or that the Client uses C++ and wxWidgets.  For detailed information on why this is necessary, and what customers are really asking, see below.

Additional Documentation

Apache HTTP Server Project

Go Programming Language

https://trac.exacq.com/DVR/wiki/WebServiceRearch

https://tycosecurityproducts.com/CyberProtection/CyberProtection.aspx

https://www.johnsoncontrols.com/buildings/specialty-pages/product-security

KB 47080 – Configuring Nginx or Apache as web service gateway

https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Other Information

Customers who have been receiving security compliance scans are accustomed to needing to update their Web Service to get the latest security fixes.  Since version 2.4.0, the open-source Apache has been used by the exacqVision Web Service.  Apache is widely used around the world, and is (along with every other major Web Server) a common target of malicious attack.  This necessitated a process of “ever-updating” to make sure the customer is not vulnerable to the latest threats.

Beginning in Web Service version 9.0, the Apache HTTP Server was removed in favor of using a custom, in-house built Web Server.  This was not simply to achieve “security through obscurity”, rather we now have much more control over what changes are made to our Web Server, as well as the ability to optimize the functionality with our product.  This has led to great gains in the speed of Web Service functions. 

Customers are now asking what the new Web Server is and what implications this has for the security of the Web Service.  In trying to explain the change, many Support Technicians are in the habit of describing the new Web Service as “having a ‘Go’ Web Front End”.  This is because the new Web Server is written in the Go Programming Language.  However, it’s unnecessary to offer what language the software is written in.  Engineering has requested that we refrain from offering that it’s written in “Go” since this will inevitably lead to further unneeded questions.

What customers are really asking is: “What effect does this change have on maintaining a secure Web Service?”  The answer is: “It depends.”

Normally, customers’ concerns regarding Web Service security are raised by a PCI Compliance Scan as required by the ‘Payment Card Industry Data Security Standard’.  Since Apache versions are closely monitored in these scans, and the exacqVision Web Service required user interaction to update the embedded Apache, our software commonly showed as problematic on these scans.  Since all PCI scans are different, customers should re-run these scans after updating to 9.0 to see if they still show vulnerabilities.  If any are found, customers are encouraged to set up their own web service gateway and enforce custom security policies as required by their company’s requirements.  Instructions can be found in KB 47080.  Customization of the exacqVision Web Server security policies will be limited, but not impossible.  If many customers are reporting the same issue, this will need to be escalated to the Engineering team for consideration.


Enabling IPv6 Support for exacqVision Web Service 9.0 – 9.4

NOTE: The backend for the exacqVision Web Service was changed in version 9.6. This document does not apply to Web Service versions 9.6 and higher.

Best Practice is to use the latest version of Web Service available.


The exacqVision Web Service listens for incoming connections from web browsers and the mobile app using IPv4 by default. Beginning with version 9.0 of the web service you may configure this to listen for connections using IPv6. The following instructions detail how to configure this:

Open the following file in a text editor:

Windows: C:\ProgramData\Webservice\conf\wfe.json
Linux: /etc/webservice/wfe.json

Add the “address” line as shown below. Replace the address in the following example with the IPv6 address of your outward bound network interface.

{
    "webserver": {
        "listen": 80,
        "address": "cd5d::f0aa:3400",
        "tls": {
            "listen": 443,
            "cert": "",
            "key": ""
        }
    }
}

If you are configuring this file for HTTPS redirection, using Article 702, you may place the “address” line under the “tls” block. 

NOTE: This will only apply to inbound connections to the exacqVision Web Service. At this time, connections to the exacqVision Server/evAPI do not support IPv6.


Redirecting HTTP to HTTPS with Web Service 9.0 – 19.06

NOTE: This document does not apply to Web Service versions 19.09 and higher.

Best Practice is to use the latest version of Web Service available.


The way the web service handles HTTP requests when HTTPS is configured can be controlled with the webserver.tls.httpPolicy key:

Open the following file in a text editor:

Windows: C:\ProgramData\Webservice\conf\wfe.json
Linux: /etc/webservice/wfe.json

Add the “httpPolicy” line as shown below.

{
    "webserver": {
        "listen": 80,
        "tls": {
            "listen": 443,
            "httpPolicy": "redirect",
            [...]
        }
    }
}

The key can be one of the following values:

  • “redirect” will cause HTTP traffic to be redirected to HTTPS
  • “disable” will reject any requests not sent over HTTPS

NOTE: This key will only take effect after a Web Service restart, and only if SSL is configured.


Configuring Nginx or Apache as a Web Service Gateway

Description

The 9.0 release of the web service has replaced Apache with an in-house developed web frontend (WFE) for handling API requests. Certain users may wish to configure a gateway web server to enforce custom policies.

The following provides users with a reference for configuring either Nginx or Apache as a gateway. Additionally, it describes various undocumented settings in the new frontend configuration should the user need to modify them.


Gateway Configuration

The following sections explain how to set up Nginx or Apache to proxy requests to the web service. For the purposes of this guide, it is assumed the gateway server will be installed on the same machine as the web service and the service is listening on port 8080. The gateway must use a different listening port number than the ExacqVision Web Service.

Note: You may wish to back up the existing host files if they exist.


Nginx

Edit the virtual hosts file, located in:

Windows:
C:\nginx\conf\sites-available\default

Linux:
/etc/nginx/sites-available/default

with the following configuration:

server {
    listen 80 default_server;
    server_name localhost;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}


Apache

NOTE: The installation directory for Apache on Windows will vary based on how it was installed.

  1. Run the OS-specific command to enable the necessary modules for Apache.

Windows:
Ensure the following lines in <apache install directory>\conf\httpd.conf are UNcommented; they do NOT begin with a ‘#’.

  • LoadModule proxy_module modules/mod_proxy.so
  • LoadModule proxy_http_module modules/mod_proxy_http.so
  • LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
  • LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

Linux:
Open Terminal, by pressing CTRL+ALT+T and run the following commands:

  • sudo a2enmod proxy
  • sudo a2enmod proxy_http
  • sudo a2enmod proxy_balancer
  • sudo a2enmod lbmethod_byrequests

  2. Edit the virtual hosts file with the following configuration:

    <VirtualHost *:80>
        ProxyPreserveHost On

        ProxyPass / http://127.0.0.1:8080/
        ProxyPassReverse / http://127.0.0.1:8080/
    </VirtualHost>

NOTE: You MUST have the ‘/’ at the end of each address, unlike Nginx.

  3. Apache and Nginx will require restart before they can accommodate proxy requests.


Modifying the Web Frontend (WFE) configuration

The configuration for WFE contains several options that are omitted by default. These options can be used to place additional constraints on the web service if necessary.

The configuration file, which is stored as JSON, is located at:

Windows:
C:\ProgramData\Webservice\conf\wfe.json

Linux:
/etc/webservice/wfe.json

If you wish to restrict the service to listen for HTTP requests on a particular NIC, you can do so by specifying the NIC’s address using the webserver.address key:

{
    "webserver": {
        "listen": 8080,
        "address": "192.168.1.115",
        [...]
    }
}

NOTE: If the target is an IPv6 address, you MUST enclose the address in square brackets [ ].


The same can be done for HTTPS requests with the webserver.tls.address key:

{
    "webserver": {
        "listen": 8080,
        "tls": {
            "listen": 443,
            "address": "[fe80::...]",
            [...]
        }
    }
}


The way the web service handles HTTP requests when HTTPS is configured can be controlled with the webserver.tls.httpPolicy key:

{
    "webserver": {
        "listen": 8080,
        "tls": {
            "listen": 443,
            "httpPolicy": "redirect",
            [...]
        }
    }
}

The key can be one of the following values:

  • “redirect” will cause HTTP traffic to be redirected to HTTPS
  • “disable” will reject any requests not sent over HTTPS

NOTE: This key will only take effect if SSL is configured.
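
A pre-restart check for the keys described in this section, as an added example that is not exacq's code: it parses the text of wfe.json and reports malformed JSON, out-of-range ports, IPv6 addresses missing their square brackets, and an httpPolicy that is invalid or cannot take effect. It assumes that non-empty "cert" and "key" values are what "SSL is configured" means; `lint_wfe_config` and `SAMPLE` are names chosen here.

```python
import ipaddress
import json

HTTP_POLICIES = ("redirect", "disable")  # the two values listed above

def _check_section(section, where, findings):
    """Check the listen and address keys that webserver and webserver.tls share."""
    port = section.get("listen")
    # bool is a subclass of int in Python, so reject it explicitly
    if "listen" in section and (
            isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535):
        findings.append(f"{where}.listen: expected an integer port 1-65535, got {port!r}")
    addr = section.get("address")
    if addr is None:
        return
    if not isinstance(addr, str):
        findings.append(f"{where}.address: expected a quoted string, got {addr!r}")
        return
    bracketed = addr.startswith("[") and addr.endswith("]")
    try:
        ip = ipaddress.ip_address(addr[1:-1] if bracketed else addr)
    except ValueError:
        findings.append(f"{where}.address: {addr!r} is not an IP address")
        return
    if ip.version == 6 and not bracketed:
        findings.append(f"{where}.address: IPv6 address must be enclosed in [ ]")

def lint_wfe_config(text):
    """Return findings for the text of a wfe.json file; an empty list means clean."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}): {exc.msg}"]
    web = cfg.get("webserver") if isinstance(cfg, dict) else None
    if not isinstance(web, dict):
        return ["no webserver section"]
    findings = []
    _check_section(web, "webserver", findings)
    tls = web.get("tls")
    if not isinstance(tls, dict):
        return findings
    _check_section(tls, "webserver.tls", findings)
    if "listen" in tls and tls["listen"] == web.get("listen"):
        findings.append("webserver.tls.listen: same port as webserver.listen")
    if "httpPolicy" in tls:
        if tls["httpPolicy"] not in HTTP_POLICIES:
            findings.append(f"webserver.tls.httpPolicy: got {tls['httpPolicy']!r}")
        elif not (tls.get("cert") and tls.get("key")):
            # Assumption: non-empty cert and key are what "SSL is configured" means
            findings.append("webserver.tls.httpPolicy: no effect until cert and key are set")
    return findings

# Constructed sample: bare IPv6 address, and a redirect policy with no certificate
SAMPLE = ('{"webserver": {"listen": 8080, "tls": {"listen": 443, '
          '"address": "fe80::1", "httpPolicy": "redirect", "cert": "", "key": ""}}}')
```

Run `lint_wfe_config(open(path).read())` against the file before restarting the service; an unquoted address or a trailing comma shows up as the "not valid JSON" finding.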


How to change web service ports

There are two ways to modify the ports used by the Web Service:

  1. Using the Web Service configuration interface
  2. Hand editing the configuration file

It is recommended to use the configuration interface, whenever possible. However, it is possible that you must hand edit the configuration in cases where the Web Service cannot start (for example, if there is a port conflict). This article provides instructions for both methods.

Important:  The structure and location of the Web Service config has changed over the life of the web service. Please pay close attention to the section headers in this article, as they indicate the versions to which particular instructions apply.

While various versions are mentioned in this article, it is recommended to keep your Web Service updated to the latest version to help prevent exposure to vulnerabilities and take advantage of the latest performance improvements.


Using the Web Service configuration UI

Versions 9.6 and above

Log into Web Service Configuration using your Web Service administrator account. Using the provided Web Service configuration interface navigate to Configuration > Ports.

Update the fields to change to your selected port number, then click ‘Apply’ to save your changes. The Web Service will need to restart to reflect your changes.

Versions 7.6 to 9.4

Web Service version 7.2 introduced Web Sockets for video streaming. Version 9.4 was the last version to feature Web Sockets, as it was replaced by other improvements.

When logging into Web Service Configuration, navigate to Configuration > Ports. Update the fields shown to your selected port numbers then click ‘Apply’ to save your changes. The Web Service will need to restart to reflect your changes.

Versions 7.2 to 7.6

Web Service version 7.2 introduced Web Sockets for video streaming. Version 9.4 was the last version to feature Web Sockets, as it was replaced by other improvements.

When logging into Web Service Configuration, navigate to Basic Service Configuration. You have the ability to update the Web Service Port and WebSocket Ports through the configuration page.

Changing the HTTPS (SSL) or Secure WebSocket (SSL) ports requires manually editing the configuration file. See the section in this article titled ‘Manual Configuration’ for more on these steps.

The Web Service will need to restart to reflect your changes.

Versions 7.0 and earlier

These versions are quite dated and as mentioned earlier, we recommend keeping your Web Services updated to help avoid vulnerabilities and take advantage of new features and performance enhancements.


Additional SSL Information

Note: Changing the SSL ports (https/wss) DOES NOT enable SSL. This merely allows you to easily modify those ports, but you still need to manually configure SSL support for both Apache and WebSockets. See the following article on configuring a certificate for HTTPS.

Firewall/Router Configuration

Note: Be sure to forward the new port in your router. Exacq Technical Support does not provide assistance with port forwarding, but see the following links if necessary:


Manual Configuration (hand editing the configuration)

The steps here will change depending on the type of port (HTTP vs. WebSockets) you wish to edit.

HTTP / HTTPS (Web Service versions 7.2 and above)

The first step to manual editing is to find the location of the config file where the port numbers are held. This depends on both the platform (operating system) and version of the Web Service you have installed.

Windows:

  • 9.0.x+ (both HTTP and HTTPS are in the same file):
    C:\ProgramData\Webservice\conf\wfe.json
  • 7.2.x – 8.8.x:
    • HTTP:
      C:\Program Files[(x86)]\exacqVision\WebService\Apache\conf\httpd.conf
    • HTTPS:
      C:\Program Files[(x86)]\exacqVision\WebService\Apache\conf\extra\httpd-ssl.conf

Linux:

  • 9.0.x+ (both HTTP and HTTPS are in the same file):
    /etc/webservice/wfe.json
  • 7.2.x – 8.8.x:
    • HTTP: /etc/evapache/httpd.conf
    • HTTPS: /etc/evapache/extra/httpd-ssl.conf

Determine where this file is for your install before continuing.

Once you have found the file, open it using your editor of choice (be sure to do so with administrative privileges) and perform either of the following depending on its name:

  • For httpd.conf (HTTP port) and httpd-ssl.conf (HTTPS port):
    1. Find the Listen directive in the file
      • For example, if the current port is 80, the line should read Listen 80
    2. Modify the port number as desired
    3. Save the file and restart Apache and the Web Service
  • For wfe.json:
    1. Find the webserver section
    2. For the HTTP port:
      • Find the listen key, nested one level within the webserver section
      • Modify the port number as desired
    3. For the HTTPS port:
      • Find the tls key, nested one level within the webserver section
      • Under the tls section, find the listen key one level below
      • Modify the port number as desired
    4. Save the file and restart the web service
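
The wfe.json steps above, scripted as an added example (not part of the original article or of the product): it changes the HTTP and/or HTTPS port, refuses values that would collide, checks whether something on the host already answers on the new port, and keeps a .bak copy of the file. The function names and the sample are assumptions made here; restarting the service is left to the operator.

```python
import json
import shutil
import socket


def port_in_use(port, host="127.0.0.1"):
    """True if something on host already accepts TCP connections on port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(0.5)
        return probe.connect_ex((host, port)) == 0


def _checked(port):
    # bool is a subclass of int, so reject it explicitly
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"not a TCP port: {port!r}")
    return port


def set_wfe_ports(config_text, http=None, https=None):
    """Return wfe.json text with the HTTP and/or HTTPS listen port replaced."""
    cfg = json.loads(config_text)
    web = cfg["webserver"]                      # step 1: the webserver section
    if http is not None:
        web["listen"] = _checked(http)          # step 2: webserver.listen
    if https is not None:
        web["tls"]["listen"] = _checked(https)  # step 3: webserver.tls.listen
    tls_port = web.get("tls", {}).get("listen")
    if tls_port is not None and tls_port == web.get("listen"):
        raise ValueError("HTTP and HTTPS cannot share a port")
    return json.dumps(cfg, indent=4) + "\n"


def change_ports(path, http=None, https=None):
    """Rewrite the file at path, keeping the previous version as path + '.bak'."""
    with open(path, encoding="utf-8") as fh:
        new_text = set_wfe_ports(fh.read(), http, https)
    busy = [p for p in (http, https) if p is not None and port_in_use(p)]
    if busy:
        raise RuntimeError(f"already in use on this host: {busy}")
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)  # step 4: save; restart the web service afterwards


# Constructed sample in the shape the article shows
SAMPLE = '{"webserver": {"listen": 80, "tls": {"listen": 443, "cert": "", "key": ""}}}'
```

`port_in_use` only probes the loopback address by default; pass the NIC address as `host` when the service is bound to a specific interface.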


Web Sockets (7.2.x – 9.4.x)

Both the standard and SSL WebSocket ports are changed from the Web Service ini/conf file. The location and name of this file depends on the platform (operating system) and web service version:

Windows:

  • 7.2.x – 9.4.x: C:\Program Files[(x86)]\exacqVision\WebService\WebService.ini

Linux:

  • 7.2.x – 8.8.x: /etc/webservice.conf
  • 9.0.x – 9.4.x: /etc/webservice/webservice.conf

Determine where this file is for your install before continuing.

Once you have found the file, open it using your editor of choice (be sure to do so with administrative privileges) and perform the following:

  1. Find the [Broker] section.
    This will only appear if it was entered manually before, or you configured it previously using the UI. So if you do not see it, and are configuring it for the first time, you may need to enter it by hand.
  2. The standard websocket port configuration is websocket_port = 8082, while the secure websocket port (wss) is ssl_port = 8083. Modify the port numbers as desired.
  3. As mentioned above, if these configuration settings are not already present, or the [Broker] section is missing, the defaults are being used. You may manually add the section/settings with desired values should this be the case. The resulting section of the file should appear similar to the below example, with your custom port numbers.
    [Broker]
    websocket_port = 8082
    ssl_port = 8083
  4. Save the file and restart the web service.


Hiding a Web Server from Internet Searches (Legacy)

NOTE: This document only applies to exacqVision Web Service 2.4.0 to 8.8. Web Service 9.0.0 replaced Apache with the proprietary WFE service.


If your exacqVision Web Service is connected to the Internet, the server could be located using certain search parameters in a search engine. To hide the server from an Internet search engine, complete the following procedure:


Note: Depending on the operating system, you might need to log in as an administrator to complete this process.

  1. Browse to C:\Program Files\exacqVision\WebService\Apache2.2\htdocs.
  2. Use Notepad to create a text file named robots.txt.
  3. Add the following lines to disallow all indexing on the entire Web Service:
  4. Restart the Web Service to ensure all changes are published.
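
The lines for step 3 did not survive on this page. As an added example (not from the original article), the block below carries the conventional disallow-all robots.txt and a check, using Python's urllib.robotparser, that a given file really refuses every crawler; the crawler names and paths are placeholders chosen here.

```python
from urllib.robotparser import RobotFileParser

# Conventional disallow-all file (standard robots.txt syntax, not copied from this page)
DISALLOW_ALL = "User-agent: *\nDisallow: /\n"


def blocks_all_crawlers(robots_txt,
                        agents=("Googlebot", "bingbot", "AnyOtherBot"),
                        paths=("/", "/login", "/video/stream")):
    """True only if every listed crawler is refused every listed path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return not any(parser.can_fetch(agent, path) for agent in agents for path in paths)


# Constructed near-misses that look restrictive but are not
ONLY_ONE_BOT = "User-agent: Googlebot\nDisallow: /\n"   # other crawlers stay allowed
EMPTY_DISALLOW = "User-agent: *\nDisallow:\n"           # an empty value allows everything
ONE_DIRECTORY = "User-agent: *\nDisallow: /private\n"   # the rest of the site stays open

if __name__ == "__main__":
    for name, text in [("disallow-all", DISALLOW_ALL), ("one bot", ONLY_ONE_BOT),
                       ("empty Disallow", EMPTY_DISALLOW), ("one directory", ONE_DIRECTORY)]:
        print(f"{name}: blocks all crawlers = {blocks_all_crawlers(text)}")
```

robots.txt is advisory: it is honoured only by crawlers that choose to read it, so this check says nothing about scanners that ignore the file.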


For more information on configuring robots.txt, visit http://www.robotstxt.org/ .
