Blog

Securing CC.rb from the world

I love CruiseControl.rb, but one of the things I've found is that it exposes, via the web interface, a lot of potentially confidential data: from cruise_config.rb, which contains the accounts for our SVN server, to the ability to browse source files, which would include database.yml and, again, expose usernames and passwords.


And since CC.rb runs on port 3333 by default, I expect some enterprising attacker has been scraping the internet for every IP address with a server listening on port 3333. A lot of folks have been using Apache with mod_proxy and mod_auth to wrap CruiseControl.rb, but you still need firewall rules so people can't just go directly to the server on port 3333; there has been quite a bit of traffic on the CC.rb mailing list lately about this.

However, I found that HTPasswd was a much simpler solution. HTPasswd is one of those little-known gems of a plugin: it makes it dirt simple to add both Basic and Digest authentication to Rails apps. I just SSHed into the server running CC.rb, changed into the CC webapp directory and ran

./script/plugin install http://wota.jp/svn/rails/plugins/branches/stable/htpasswd/

then added the line

htpasswd :user=>"MYUSER", :pass=>"MYPASS"

to application.rb, restarted CC.rb, and now have a password-protected CruiseControl.rb instance. Because the check runs inside the app itself, port 3333 is covered without any firewall rules. Much simpler than hacking around with Apache configuration files. Two caveats worth keeping in mind: Basic authentication only base64-encodes the username and password, so anyone who can watch the traffic between you and the server can read them, which means you want HTTPS in front of it or the plugin's Digest mode; and the credentials now live in application.rb, so keep that file out of any repository the world can read. Please go to the HTPasswd page on AgileWebDevelopment and vote for this great plugin!
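To make concrete what a one-line htpasswd filter is doing on every request, here is an added example in plain Ruby that implements the same HTTP Basic check by hand: parse the Authorization header, compare the credentials in constant time, and either let the request through or answer 401 with a WWW-Authenticate challenge. This is not the HTPasswd plugin's code or CruiseControl.rb's; the user name, password and realm are constructed stand-ins for the MYUSER/MYPASS placeholders above, and the request/response hashes are a simplification of what a Rails before_filter would see. The last line of the demo also shows why Basic auth wants HTTPS: the header decodes straight back to the password.

```ruby
require 'base64'

# Constructed credentials standing in for MYUSER/MYPASS in the post.
# In a real deployment load these from outside the source tree.
PROTECTED_USER = 'ccuser'
PROTECTED_PASS = 'correct horse battery staple'
REALM = 'CruiseControl.rb'

# Constant-time comparison: the loop always touches every byte, so the
# time taken does not reveal how long a matching prefix was.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Parse an Authorization header of the form "Basic <base64(user:pass)>".
# Returns [user, pass], or nil when the header is missing or malformed.
def parse_basic_auth(header)
  return nil if header.nil?
  scheme, token = header.split(' ', 2)
  return nil unless scheme && scheme.casecmp('basic').zero? && token
  decoded = begin
    Base64.strict_decode64(token.strip)
  rescue ArgumentError
    return nil          # not valid base64: treat as no credentials
  end
  user, pass = decoded.split(':', 2)   # passwords may themselves contain ':'
  return nil if user.nil? || pass.nil?
  [user, pass]
end

# What an htpasswd-style filter does per request: given the Authorization
# header, either allow the request (200) or challenge with 401 plus a
# WWW-Authenticate header so the browser prompts for a login.
def authenticate(authorization_header)
  creds = parse_basic_auth(authorization_header)
  if creds &&
     secure_equal?(creds[0], PROTECTED_USER) &&
     secure_equal?(creds[1], PROTECTED_PASS)
    { status: 200, headers: {}, body: 'CruiseControl.rb dashboard' }
  else
    { status: 401,
      headers: { 'WWW-Authenticate' => %(Basic realm="#{REALM}") },
      body: 'HTTP Basic: Access denied.' }
  end
end

# Build the header a browser sends after the login prompt.
def basic_header(user, pass)
  "Basic #{Base64.strict_encode64("#{user}:#{pass}")}"
end

if __FILE__ == $0
  puts authenticate(nil)[:status]                                        # 401
  puts authenticate(basic_header('ccuser', 'wrong'))[:status]            # 401
  puts authenticate(basic_header(PROTECTED_USER, PROTECTED_PASS))[:status] # 200

  # Basic auth is encoding, not encryption: anyone who sees the header on
  # the wire gets the password back with one decode call.
  header = basic_header(PROTECTED_USER, PROTECTED_PASS)
  puts Base64.strict_decode64(header.split(' ', 2)[1])   # ccuser:correct horse battery staple
end
```

Run it with ruby and the three status lines print 401, 401, 200, followed by the recovered user:password pair. The plugin's Digest mode avoids sending the password itself, which is why it is the better choice when the dashboard is reached over plain HTTP.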