Hide/Secure FOG Client download page
-
I noticed the page/URL where you can download the FOG client isn’t locked behind a login/auth, so in case anyone is looking to lock it, you can add these lines to /etc/apache2/apache2.conf:
```
# Restrict access to FOG Client
<Location "/fog/client/download.php">
    Require ip <*ip or subnet/mask*>
    Require all denied
</Location>

# Hide Server info
ServerTokens Prod
ServerSignature Off
```
Restart the apache2 service after making changes to apache2.conf.
What this will do is restrict access to the FOG Client downloads to a specific IP or subnet. I have mine restricted to my lab/imaging network. I don’t think it is a good idea to have this download available to all production network users. I’m not 100% sure (devs please correct me) but I believe the FOG Client has the private key embedded in order to connect to the FOG server via HTTPS. I wouldn’t want that private key extracted from the client installer.
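One way to confirm from the Apache access log that the `<Location>` restriction above is being enforced (an added example, not part of the original post and not FOG's own code). The allowed subnet and the log lines are constructed sample values, and the log is assumed to be in Apache's common/combined format.

```python
import ipaddress
import re

# Path restricted by the <Location> block in the post above.
PROTECTED = "/fog/client/download.php"

# Leading fields of Apache's common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; 10.20.0.0/24 stands in for the imaging network.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2025:10:00:00 +0000] "GET /fog/client/download.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '192.168.50.7 - - [01/Jan/2025:10:01:00 +0000] "GET /fog/client/download.php?t=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.168.50.9 - - [01/Jan/2025:10:02:00 +0000] "GET /fog/client/download.php HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '192.168.50.9 - - [01/Jan/2025:10:03:00 +0000] "GET /fog/management/index.php HTTP/1.1" 200 512 "-" "curl/8.0"',
]

def audit(lines, allowed_cidrs):
    """Return (ip, status, verdict) for every request to the protected path."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        path = m["url"].split("?", 1)[0]
        # <Location> matches the exact path and anything below it.
        if path != PROTECTED and not path.startswith(PROTECTED + "/"):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname logged instead of an address; cannot classify
        status = int(m["status"])
        if any(ip in net for net in allowed):
            verdict = "allowed-network"
        elif status == 403:
            verdict = "blocked"
        else:
            verdict = "RULE NOT ENFORCED"  # outside client was served
        findings.append((str(ip), status, verdict))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG, ["10.20.0.0/24"]):
        print(*row)
```

Any `RULE NOT ENFORCED` row means a client outside the allowed range was served the download page, for example because the request predates the change or Apache was not restarted.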
-
@DBCountMan Private key is built to the client at install time. The Public server ca cert is pulled at install time.
So for this to be a “problem”
The person would have to know the IP to download, as well as when installing the client on a new machine configuring it to send to that same server.
What “problem” does this pose? The newly installed client would either already be registered to the FOG Server OR is brand new and would be behind a “Pending Host/Pending MAC” on the FOG UI.
What you’re suggesting isn’t difficult or problematic itself, so glad you’re sharing, just trying to understand the issue you’re attempting to solve with this beyond restricting it to whatever IP/subnet is being worked.
-
@Tom-Elliott said in Hide/Secure FOG Client download page:
Private key is built to the client at install time. The Public server ca cert is pulled at install time
This is what I was unclear about. I thought the installer already had FOG’s private key. So each client gets its own private key?