BWeb Access using Apache as Web Access Layer

Bacula Enterprise Only

This solution is only available for Bacula Enterprise. For subscription inquiries, please reach out to sales@baculasystems.com.

This chapter describes how the Apache HTTP Server is configured to provide secure and structured access to the BWeb interface. Apache acts as the front-facing web access layer, routing user requests to static content, dynamic CGI scripts, and application data directories while enforcing authentication and basic hardening controls.

The following example shows a minimal and practical bweb.conf configuration:

Alias /bweb "/opt/bweb/html/"
Alias /bweb/fv "/opt/bweb/spool/"

# CGI entry point
ScriptAlias /cgi-bin/bweb "/opt/bweb/cgi"

# Versioned asset URLs -> real /bweb path
RewriteEngine On
RewriteRule "^/bweb/[0-9]+\.[0-9]+\.[0-9]+/(.*)$" "/bweb/$1" [L,PT]

# Environment for CGI
SetEnv PERLLIB /opt/bweb/lib
SetEnv BWEBCONF /opt/bweb/etc/bweb.conf

<Directory "/opt/bweb/cgi">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<Directory "/opt/bweb/html">
    AllowOverride None
    Options None
    Require all granted

    # Optional hardening
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</Directory>

<Directory "/opt/bweb/spool">
    AllowOverride None
    Options None
    Require all granted
</Directory>

# Optional: protect the whole app without relying on .htaccess
<LocationMatch "^/(bweb|cgi-bin/bweb)(/|$)">
    AuthType Basic
    AuthName "BWeb"
    AuthUserFile "/opt/bweb/etc/bweb.htpasswd"
    Require valid-user
</LocationMatch>

Explanation

This configuration exposes the BWeb application under the /bweb URL while keeping the actual files under /opt/bweb.

  • Aliases map public paths to internal directories:

    • /bweb serves the web interface.

    • /bweb/fv provides access to generated or stored files.

  • CGI handling is enabled via ScriptAlias, allowing dynamic requests to be processed by scripts in /opt/bweb/cgi.

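  • URL rewriting supports versioned asset paths (e.g., /bweb/18.2.4/app.js), which are rewritten internally to the real location; no HTTP redirect is sent to the client, and the PT flag passes the rewritten path on to the Alias mapping. This improves browser caching without duplicating files.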

  • Environment variables ensure that CGI scripts can locate required libraries and configuration.

  • Directory blocks explicitly define access rules:

    • No .htaccess overrides are allowed.

    • No optional features are enabled (Options None), so directory listings, symlink following, and server-side includes are off.

    • Hidden files in the web root are denied for basic hardening.

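  • Authentication is applied centrally using a <LocationMatch> rule. All access to /bweb and its CGI endpoint requires valid credentials stored in bweb.htpasswd. Apache merges Location sections after Directory sections, so Require valid-user takes precedence over the Require all granted lines in the Directory blocks. Basic authentication sends the credentials base64-encoded, not encrypted, so this configuration should be served over HTTPS.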
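
As an added example (not part of the Bacula documentation or of BWeb), the following Python script checks that every URL prefix published by an Alias or ScriptAlias, plus the versioned asset URL from the explanation, is covered by a <LocationMatch> block that carries Require valid-user. The function names and probe suffixes are assumptions, and the embedded configuration is a constructed excerpt of the bweb.conf above.

```python
import re

# Constructed input: the URL-mapping and auth lines of the bweb.conf shown above.
BWEB_CONF = r'''
Alias /bweb "/opt/bweb/html/"
Alias /bweb/fv "/opt/bweb/spool/"
ScriptAlias /cgi-bin/bweb "/opt/bweb/cgi"
RewriteRule "^/bweb/[0-9]+\.[0-9]+\.[0-9]+/(.*)$" "/bweb/$1" [L,PT]
<LocationMatch "^/(bweb|cgi-bin/bweb)(/|$)">
    Require valid-user
</LocationMatch>
'''

def parse(conf):
    """Collect public URL prefixes, rewrite rules and auth-protected URL regexes."""
    prefixes, rewrites, protected, section = [], [], [], None
    for line in map(str.strip, conf.splitlines()):
        if m := re.match(r'(?:Script)?Alias\s+(\S+)\s', line):
            prefixes.append(m.group(1))
        elif m := re.match(r'RewriteRule\s+"([^"]+)"\s+"([^"]+)"', line):
            # mod_rewrite writes backreferences as $1; Python's re uses \1.
            rewrites.append((re.compile(m.group(1)), re.sub(r'\$(\d)', r'\\\1', m.group(2))))
        elif m := re.match(r'<LocationMatch\s+"([^"]+)">', line):
            section = m.group(1)  # entering a <LocationMatch> block
        elif line == '</LocationMatch>':
            section = None
        elif section and re.match(r'Require\s+valid-user\b', line):
            protected.append(re.compile(section))
    return prefixes, rewrites, protected

def resolve(path, rewrites):  # the first matching rule wins, as with [L]
    for pattern, target in rewrites:
        if pattern.search(path):
            return pattern.sub(target, path, count=1)
    return path

def audit(conf, extra=('/bweb/18.2.4/app.js',), suffixes=('', '/', '/x')):
    """Map each probe URL to (rewritten URL, covered by Require valid-user)."""
    prefixes, rewrites, protected = parse(conf)
    report = {}
    for url in [p + s for p in prefixes for s in suffixes] + list(extra):
        final = resolve(url, rewrites)
        # Conservative: both the requested and the rewritten URL must match.
        covered = all(any(r.search(u) for r in protected) for u in (url, final))
        report[url] = (final, covered)
    return report

def unprotected(conf):
    """URLs reachable through an Alias/ScriptAlias that no auth block covers."""
    return sorted(u for u, (_, ok) in audit(conf).items() if not ok)
```

For the configuration above, unprotected(BWEB_CONF) returns an empty list; if the LocationMatch pattern is narrowed to ^/bweb/, it reports /bweb and the /cgi-bin/bweb URLs as uncovered.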

Summary

This setup uses Apache as a simple and controlled gateway to BWeb. It cleanly separates static content, dynamic processing, and data access, while applying consistent authentication and basic security restrictions.
