Overview
WebADM is a platform that provides multiple endpoints for various web applications and services. These endpoints are critical for facilitating secure communication and interaction between WebADM and other applications or services. This document outlines the methods for publishing these endpoints, whether on-premises or via RCDevs' cloud infrastructure and limitations. By understanding the benefits and considerations of each method, organizations can manage their WebADM endpoints publication for web applications and services securely and efficiently.
Endpoints list
Below is the list of all endpoints available for services and applications when they are not published on WAProxy or any reverse proxy:
Services
OpenOTP server
Service URL (SSL): https://webadm1.rcdevsdocs.com:8443/openotp/
Service URL (STD): http://webadm1.rcdevsdocs.com:8080/openotp/
Mobile Token Endpoint: https://webadm1.rcdevsdocs.com/ws/openotp/
Mail/SMS Link Endpoint: https://webadm1.rcdevsdocs.com/ws/otplink/
SpanKey server
Service URL (SSL): https://webadm1.rcdevsdocs.com:8443/spankey/
Service URL (STD): http://webadm1.rcdevsdocs.com:8080/spankey/
SMS Hub server
Service URL (SSL): https://webadm1.rcdevsdocs.com:8443/smshub/
Service URL (STD): http://webadm1.rcdevsdocs.com:8080/smshub/
RSignd service (PKI)
OCSP Endpoint: https://webadm1.rcdevsdocs.com/ocsp/
CRL Endpoint: https://webadm1.rcdevsdocs.com/crl/
CA Issuer: https://webadm1.rcdevsdocs.com/cacert/
OpenID & SAML Provider (OpenID)
SAML Metadata: https://webadm1.rcdevsdocs.com/ws/saml/
OpenID Metadata: https://webadm1.rcdevsdocs.com/ws/openid/
Portals/Applications
WebADM Administrator Portal
https://webadm1.rcdevsdocs.com/admin/
WebADM Manager API
https://webadm1.rcdevsdocs.com/manag/
Administration Help Desk (HelpDesk)
https://webadm1.rcdevsdocs.com/webapps/helpdesk/
Secure Password Reset (PwReset)
https://webadm1.rcdevsdocs.com/webapps/pwreset/
User Self-Service Desk (SelfDesk)
https://webadm1.rcdevsdocs.com/webapps/selfdesk/
User Self-Registration (SelfReg)
https://webadm1.rcdevsdocs.com/webapps/selfreg/
OpenID & SAML Provider (OpenID)
https://webadm1.rcdevsdocs.com/webapps/openid/
Some of these endpoints are not intended to be published. With WAProxy, only permitted endpoints can be published. Using other Reverse Proxies or Web Application Firewalls, you have full control over what is published and publicly exposed. Below is a list of endpoints that are not published with WebADM Publishing Proxy (WAProxy):
WebADM Administrator Portal
https://webadm1.rcdevsdocs.com/admin/
WebADM Manager API
https://webadm1.rcdevsdocs.com/manag/
OpenOTP server
Service URL (STD): http://webadm1.rcdevsdocs.com:8080/openotp/
SpanKey server
Service URL (STD): http://webadm1.rcdevsdocs.com:8080/spankey/
SMS Hub server
Service URL (STD): http://webadm1.rcdevsdocs.com:8080/smshub/
Endpoint Publication Methods
WebADM supports two primary methods for publishing its endpoints:
- On-Premise Reverse Proxy or WebADM Publishing Proxy Component
- Description: In an on-premise setup, endpoints are exposed through a Reverse Proxy, a Web Application Firewall (WAF), or the WebADM Publishing Proxy (WAProxy) component within the organization's network. This approach offers complete control over network traffic, security, and endpoint accessibility, ensuring that all interactions are monitored and managed according to the organization's policies.
- Advantages:
- Enhanced security through internal network controls.
- Direct management of endpoint availability and performance.
- Considerations:
- Requires setup and maintenance of the on-premise infrastructure.
- Dependent on internal network reliability.
- In this mode, there is a one-way connection from the on-premise WebADM infrastructure to https://cloud.rcdevs.com to consume external cloud services. Any communications that need to reach the WebADM infrastructure will go through the on-premise WAProxy/Reverse Proxy (Push responses, Badging operations...).
- There are no limitations on endpoints which can be published.
- RCDevs Cloud Web Service Proxy Infrastructure
- Description: Alternatively, endpoints can be exposed through the RCDevs cloud infrastructure. This method involves establishing a permanent HTTPS connection between the WebADM on-premise infrastructure and the RCDevs cloud infrastructure.
The endpoints are published via cloud URLs that are randomly generated per customer, ensuring uniqueness and security.
- Advantages:
- Simplified deployment with minimal on-premise infrastructure requirements.
- Automatic generation and management of cloud URLs.
- Scalability and flexibility provided by the cloud environment.
- Considerations:
- Dependence on internet connectivity for accessing endpoints.
- RCDevs cloud infrastructure is responsible for endpoint availability and performance.
WebADM provides flexible options for endpoint publication, allowing organizations to choose between on-premise or cloud-based methods based on their security, scalability, and infrastructure needs.
Note that not all WebADM endpoints can be published using the RCDevs cloud proxy mode, while this is possible with the on-premise WAProxy/Reverse Proxy. For example, Web Application portals (such as PWReset, SelfDesk, SelfReg, IdP login page...) and SOAP Web Services (like OpenOTP, Spankey) cannot be published via the RCDevs Cloud Proxy. However, the following endpoints can be published in that mode:
- OpenOTP Token Endpoint: This includes all communications related to operations performed by the OpenOTP Token application, including authentication, badging, signature purposes, and signing certificate requests.
- Mail/SMS Link Endpoint: Used for handling responses to authentication magic links.
- OCSP/CRL Endpoints: Revocation endpoints for Rsignd, the WebADM PKI service.
- SAML/OpenID Metadata Endpoints: IdP metadata endpoints for SAML and OpenID.
Configurations and specifications
Below are the configuration details and requirements necessary to achieve endpoints publication:
On-Premise Reverse Proxy/WAProxy
- Reverse Proxy/WAProxy IP(s) declaration in webadm.conf through the reverse_proxies or waproxy_proxies setting, according to the reverse proxy used.
- The public_hostname configuration in webadm.conf must be populated with the public endpoint values that are registered in public DNS systems.
WebADM Publishing Proxy (WAProxy)
Edit the webadm.conf file on all nodes within the same WebADM cluster to configure the IP address(es) of the WAProxy server(s) and set the public hostname for various endpoints. The public hostname can be rewritten for specific endpoints, such as the Mobile Token Endpoint under the OpenOTP Server configuration or the User Self-Registration application URL under its respective configuration.
public_hostname "mfa.rcdevsdocs.com"
waproxy_proxies "172.16.0.10","172.16.0.11"
Restart the WebADM services or reload the WebADM configuration through the Admin tab in the WebADM Administrator Portal.
Third-Party Reverse Proxy
Edit the webadm.conf file on all nodes within the same WebADM cluster to configure the IP address(es) of your Reverse Proxy/Web Application Firewall server(s) and set the public hostname for various endpoints. The public hostname can be rewritten for specific endpoints, such as the Mobile Token Endpoint under the OpenOTP Server configuration or the User Self-Registration application URL under its respective configuration.
public_hostname "mfa.rcdevsdocs.com"
reverse_proxies "172.16.0.12","172.16.0.13"
Restart the WebADM services or reload the WebADM configuration through the Admin tab in the WebADM Administrator Portal.
Your reverse proxy / WAF must create the HTTP_X_FORWARDED_FOR and HTTP_X_FORWARDED_HOST headers.
Complex network infrastructures
If you are in a complex network infrastructure with multiple layers of trusted Reverse Proxies, you can define the trust depth as follows:
With WAProxy
public_hostname "mfa.rcdevsdocs.com"
waproxy_proxies "172.16.0.10 2","172.16.0.11 2"
With third-party Reverse Proxy / WAF
public_hostname "mfa.rcdevsdocs.com"
reverse_proxies "172.16.0.12 2","172.16.0.13 2"
This configuration informs WebADM that you trust up to two levels of reverse proxies or WAFs. The client/user IP address will be extracted from the appropriate HTTP header based on the defined trust depth. For this setup to work correctly, each reverse proxy or WAF must add the HTTP_X_FORWARDED_FOR header.
The reverse_proxies setting can also be configured in auto mode.
In that scenario, WebADM trusts any reverse proxy that adds the X-Forwarded-For header to HTTP requests, which can be dangerous for several reasons:
- Spoofed IP Addresses: Attackers can easily spoof the X-Forwarded-For header by inserting arbitrary IP addresses. If the system blindly trusts the header, it could misidentify the origin of the request, leading to security vulnerabilities such as unauthorized access.
- Bypassing Security Controls: Some security mechanisms rely on the client's IP address for access control or rate limiting. If the X-Forwarded-For header is manipulated, attackers could bypass these controls, making it easier to perform attacks.
- Lack of Accountability: Trusting all proxies without validation can obscure the true origin of requests, making it difficult to trace malicious activity back to its source. This can hinder incident response and forensic investigations.
- Security Misconfigurations: In complex network environments, misconfigured proxies or firewalls might inadvertently expose internal services or information. Trusting any X-Forwarded-For header without proper validation could lead to internal network details being unintentionally exposed.
- Trust Exploitation: In scenarios where multiple proxies are involved, an attacker who gains control over one of the proxies could exploit the trust chain, injecting malicious headers to manipulate how requests are processed downstream.
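To make the trust-depth rule concrete, here is an added Python model (not WebADM's own code; how WebADM itself parses these settings and walks the header is an assumption here) that resolves the end-user IP from X-Forwarded-For for the declared two-level proxy list shown above and for auto mode. The peer, proxy and user addresses in the sample request are constructed values.

```python
"""Added model of X-Forwarded-For resolution against a declared proxy list.

Constructed illustration, not WebADM's implementation (its exact rules are an
assumption): only the rightmost `depth` hops of the chain are proxy-written."""
import ipaddress
import re
from typing import Dict, Optional

def parse_proxies(setting: str) -> Dict[str, int]:
    """Parse a webadm.conf value such as '"172.16.0.12 2","172.16.0.13 2"'
    into {proxy_ip: trust_depth}; a bare IP means depth 1, "auto" means
    any peer is trusted (returned as {"auto": 0})."""
    proxies: Dict[str, int] = {}
    for entry in re.findall(r'"([^"]*)"', setting):
        parts = entry.split()
        if parts[0] == "auto":
            return {"auto": 0}
        depth = int(parts[1]) if len(parts) > 1 else 1
        proxies[str(ipaddress.ip_address(parts[0]))] = depth  # rejects junk IPs
    return proxies

def client_ip(peer: str, xff: Optional[str], proxies: Dict[str, int]) -> str:
    """Return the end-user IP for a request whose TCP peer is `peer`."""
    hops = [h.strip() for h in xff.split(",")] if xff else []
    if "auto" in proxies:
        # auto mode: whoever wrote the header is believed, so the leftmost
        # entry (which the client itself may have inserted) wins
        return hops[0] if hops else peer
    depth = proxies.get(peer)
    if depth is None or not hops:
        return peer  # undeclared peer: the header is ignored entirely
    # level 1 (the peer) appended hops[-1], level 2 appended hops[-2], ...;
    # with fewer hops than declared levels every entry is proxy-written
    return hops[-min(depth, len(hops))]

TRUSTED = parse_proxies('"172.16.0.12 2","172.16.0.13 2"')  # values from the page
AUTO = parse_proxies('"auto"')

# Constructed request: the user at 203.0.113.7 sends a forged header claiming
# 10.0.0.5, then crosses a WAF (192.0.2.1) and the inner proxy 172.16.0.12,
# which is WebADM's TCP peer; each hop appends the address it received from.
FORGED_XFF = "10.0.0.5, 203.0.113.7, 192.0.2.1"

def demo() -> Dict[str, str]:
    return {
        "declared": client_ip("172.16.0.12", FORGED_XFF, TRUSTED),    # real user
        "auto": client_ip("172.16.0.12", FORGED_XFF, AUTO),           # forged value
        "undeclared": client_ip("198.51.100.9", FORGED_XFF, TRUSTED), # header ignored
    }
```

With the declared list the forged leftmost entry is discarded and the real user address is recovered, while auto mode returns the attacker-chosen value; an undeclared peer gets no header trust at all.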
Configuring the reverse proxies/WAF or WAProxy in auto mode is done in webadm.conf as below:
reverse_proxies "auto"
for WAProxy:
waproxy_proxies "auto"
If you have internal reverse proxies or WAFs that you do not want WebADM to control, you can exclude them by configuring the webadm.conf file with the following setting:
ignored_proxies "172.16.0.14","172.16.0.15"
With this setting enabled, WebADM controls will not be enforced for requests forwarded by these specific reverse proxies or WAFs.
RCDevs Cloud Web Service Proxy
Starting with WebADM 2.3.19, a new feature called cloud_wsproxy in the webadm.conf file allows applications like OpenOTP to handle push approval logins, badging, and electronic signatures without the need for a WebADM Publishing Proxy or a reverse proxy. To use this mode, the cloud_services option must be enabled.
Edit the webadm.conf file and add the following line:
cloud_wsproxy Yes
Check that the RCDevs Cloud Services are also enabled:
cloud_services Yes
Once this setting is enabled, you will notice from the WebADM Administrator Portal that some endpoints are now routed through https://cloud.rcdevs.com/. Below are examples for OpenOTP, including the Mobile Token Endpoint and the Mail/SMS Link Endpoint:
The identifier portion of the URL is randomly generated and provided by the RCDevs Cloud infrastructure.
Another example with SAML/OpenID Metadata URLs:
Here is the final example with the Rsignd service. When certificates are issued after enabling the cloud_wsproxy setting, the OCSP, CRL, and CA Issuer endpoints are routed to WebADM through the RCDevs cloud infrastructure: