- Using The Backup Web Interface
- Implementation Details
- Download Files
- Installation Instructions
The intent of this enhancement was to implement a feature I felt was missing from IPCop. Though IPCop had a mechanism for backing up the configuration to a floppy disk, this would obviously not work if a floppy drive was not present in the machine. And, if a floppy drive was present, it could be inconvenient to use, especially if the floppy disk needed to be left in the machine or if the IPCop machine was not easily accessible. So, I set out to remedy that.
The basic feature set consists of:
- Backup configuration to an archive
- Restore configuration from an archive
- Download configuration archive
- Upload configuration archive
This provided the core functionality and the first implementation had this capability. To that, we need to add security, but still keep flexibility for setting up new IPCop machines and for managing multiple IPCop machines.
- Do not allow restoring an archive not created on that IPCop machine.
This requirement is met by encrypting/decrypting the archive using a random key that is generated and stored in a file on that IPCop machine. The randomness helps ensure uniqueness among different IPCop machines. Storing the key in a file allows restoring archives without having to manage the specifics of each individual archive that is created. Encrypted configuration archives have a .dat file extension.
The flexiblity requirements are:
- If it is a new IPCop setup, the configuration from another machine should be installable.
- Make managing multiple IPCop machines easier in this implementation compared with the first implementation.
The determination as to whether it is a new setup is whether the generated encryption key file exists. Once a configuration archive has been created and an encryption key file has been generated, that machine is no longer considered new. Unencrypted configuration archives have a .tar.gz file extension. In an effort to make the downloading/uploading of configuration archives easier for multiple machines, the base of the configuration archive file name is the name of the machine. For example, if an IPCop machine is named ipcop123, the configuration archives will be named ipcop123.dat and ipcop123.tar.gz on that machine.
To briefly recap what gets created and what gets restored, it is this:
- Creating a configuration archive results in both encrypted and unencrypted archives.
- If an encryption key file does not exist (new IPCop setup), creating configuration archives will generate the file.
- An unencrypted archive (.tar.gz) can only be restored on a machine that does not have an encryption key file, i.e., an archive has not yet been created on that machine.
- An encrypted archive (.dat) can only be restored on the machine it was created on because a matching encryption key file is required to decrypt the archive.
A web interface is provided for using the configuration backup functionality. It is located by navigating to System and to backup from the menus. A box surrounds the backup information and controls. The information box at the bottom of the page displays the output performed during a backup to floppy disk. If an error occurs during the upload, creation, or restoration of an archive, a message will be displayed in an error box above the backup configuration box. Normally, the error box is not displayed.
The center section contains the controls for managing the archives. The first row has the Create and Restore buttons. The Create button creates new configuration archives on the IPCop machine. If it is the first archive creation on that machine, the encryption key file is also created. The Restore button restores the configuration from one of the archive files displayed in the top section of the box. After restoring an archive, a reboot is suggested.
Below the row of Create/Restore buttons are controls for importing/uploading an archive file. An entry field for a local file name is on the left side. Immediately to the right of the entry field is a Browse button for locating a file on your computer. On the right side is an Import button. The full name of the button indicates what type of file to import. It will say Import .tar.gz if an unencrypted .tar.gz archive file can be imported. It will say Import .dat if a matching, encrypted .dat archive is required.
The bottom section is for backing up to a floppy disk. The Backup to floppy button initiates the process. In order to back up to a floppy disk, the floppy disk must be in the drive before the button is pressed.
In addition to the changes to the backup.cgi web page, there are two new binary files for backing up a configuration and restoring a configuration. These are named ipcopbkcfg and ipcoprscfg respectively. The source code for these is available separately. The backup web directory is protected with an httpd.conf entry. Additional languages entries are added to the en.pl file.
The encryption key file is generated by using ipsec ranbits 256. The encryption/decryption of the .dat archive is done using openssl des3.
ipcopbkcfg — If the encryption key file does not exist, one is created. The unencrypted .tar.gz archive is created and then encrypted to the .dat archive.
ipcoprscfg — If the encryption key file exists, the encrypted .dat must also exist. If it does, it is unencrypted to a temporary .tar.gz file. if the encryption key file does not exist, the encrypted .dat file must not exist either. The unencrypted .tar.gz is copied to a temporary .tar.gz file. A temporary directory is created for testing the .tar.gz file, which is untarred to that directory. The temporary directory is then removed and the real untar done to replace the configuration files.
install.sh — The install script handles untarring the archive, creating the backup directory, setting the file and directory, permissions, adding the ignore entry to exclude.system, including the backup.conf in httpd.conf and adding the new language entries to the en.pl language file. This makes for a much simpler installation process than the prior implementation.
These files work with IPCop v1.2 through v1.3.0. If you have a problem with them, please let me know. Caveat: Only the English language text is included at this time. Note: This functionality is included in IPCop starting with v1.4.0. Because of this, the files that were here are no longer available for download. This page is left for documentation purposes.
- ipcopbkcfg.tar.gz (New backup files)
- install.sh (Installation script)
- ipcopbkcfg_src.tar.gz (Source files for new binaries)
- Use SCP to put the files on the IPCop machine.SCP ipcopbkcfg.tar.gz to /tmp/ipcopbkcfg.tar.gzSCP install.sh to /tmp/install.sh
- SSH to the IPCop machine and log in as root
- Change to the /tmp directory# cd /tmp
- Make the install script executable# chmod +x install.sh
- Run the install script# ./install.sh
After the above, the new backup functionality should be installed and ready to use.