Apache security config update
parent
0345d57706
commit
c77d38b6e3
2 changed files with 191 additions and 173 deletions
|
@ -1,3 +1,8 @@
|
||||||
|
16.05.2015
|
||||||
|
|
||||||
|
* Security config update. Please replace all Location and RedirectMatch
|
||||||
|
in Admin, Registrar and Registrant Apache2 config. New one are in readme.
|
||||||
|
|
||||||
15.05.2015
|
15.05.2015
|
||||||
|
|
||||||
* Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath)
|
* Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath)
|
||||||
|
|
59
README.md
59
README.md
|
@ -69,16 +69,12 @@ Enable ssl:
|
||||||
sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
|
sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
|
||||||
|
|
||||||
For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:
|
For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:
|
||||||
|
|
||||||
```
|
```
|
||||||
<VirtualHost *:443>
|
<VirtualHost *:443>
|
||||||
ServerName your-domain
|
ServerName your-domain
|
||||||
ServerAdmin your@example.com
|
ServerAdmin your@example.com
|
||||||
|
|
||||||
# Rewrite /login to /admin/login
|
|
||||||
RewriteEngine on
|
|
||||||
RewriteCond %{REQUEST_URI} ^/login [NC]
|
|
||||||
RewriteRule ^/(.*) /admin/$1 [PT,L,QSA]
|
|
||||||
|
|
||||||
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
||||||
PassengerRuby /home/registry/.rbenv/shims/ruby
|
PassengerRuby /home/registry/.rbenv/shims/ruby
|
||||||
PassengerEnabled on
|
PassengerEnabled on
|
||||||
|
@ -105,21 +101,29 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
|
||||||
SSLHonorCipherOrder On
|
SSLHonorCipherOrder On
|
||||||
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
||||||
|
|
||||||
|
RewriteEnginriteEngine on
|
||||||
|
RedirectMatch ^/$ /admin
|
||||||
|
RedirectMatch ^/login$ /admin/login
|
||||||
|
|
||||||
<Directory /app/registry/registry/current/public>
|
<Directory /app/registry/registry/current/public>
|
||||||
# for Apache older than version 2.4
|
# for Apache older than version 2.4
|
||||||
Allow from all
|
Allow from all
|
||||||
|
|
||||||
# for Apache verison 2.4 or newer
|
# for Apache verison 2.4 or newer
|
||||||
# Require all granted
|
# Require all granted
|
||||||
|
|
||||||
Options -MultiViews
|
Options -MultiViews
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Location ~ "/.+/" >
|
<Location />
|
||||||
|
Allow from none
|
||||||
Deny from all
|
Deny from all
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
<Location ~ "/(admin|assets)\/.+">
|
<Location /admin>
|
||||||
|
Allow from all
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location /assets>
|
||||||
Allow from all
|
Allow from all
|
||||||
</Location>
|
</Location>
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
@ -131,11 +135,6 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
|
||||||
ServerName your-registrar-domain
|
ServerName your-registrar-domain
|
||||||
ServerAdmin your@example.com
|
ServerAdmin your@example.com
|
||||||
|
|
||||||
# Rewrite /login to /registrar/login
|
|
||||||
RewriteEngine on
|
|
||||||
RewriteCond %{REQUEST_URI} ^/login [NC]
|
|
||||||
RewriteRule ^/(.*) /registrar/$1 [PT,L,QSA]
|
|
||||||
|
|
||||||
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
||||||
PassengerRuby /home/registry/.rbenv/shims/ruby
|
PassengerRuby /home/registry/.rbenv/shims/ruby
|
||||||
PassengerEnabled on
|
PassengerEnabled on
|
||||||
|
@ -162,6 +161,10 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
|
||||||
SSLHonorCipherOrder On
|
SSLHonorCipherOrder On
|
||||||
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
||||||
|
|
||||||
|
RewriteEngine on
|
||||||
|
RedirectMatch ^/$ /registrar
|
||||||
|
RedirectMatch ^/login$ /registrar/login
|
||||||
|
|
||||||
<Directory /app/registry/registrar/current/public>
|
<Directory /app/registry/registrar/current/public>
|
||||||
# for Apache older than version 2.4
|
# for Apache older than version 2.4
|
||||||
Allow from all
|
Allow from all
|
||||||
|
@ -172,11 +175,16 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
|
||||||
Options -MultiViews
|
Options -MultiViews
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Location ~ "/.+/" >
|
<Location />
|
||||||
|
Allow from none
|
||||||
Deny from all
|
Deny from all
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
<Location ~ "/(registrar|assets)\/.+">
|
<Location /registrar>
|
||||||
|
Allow from all
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location /assets>
|
||||||
Allow from all
|
Allow from all
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
@ -208,11 +216,6 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
|
||||||
ServerName your-registrant-domain
|
ServerName your-registrant-domain
|
||||||
ServerAdmin your@example.com
|
ServerAdmin your@example.com
|
||||||
|
|
||||||
# Rewrite /login to /registrant/login
|
|
||||||
RewriteEngine on
|
|
||||||
RewriteCond %{REQUEST_URI} ^/login [NC]
|
|
||||||
RewriteRule ^/(.*) /registrant/$1 [PT,L,QSA]
|
|
||||||
|
|
||||||
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
||||||
PassengerRuby /home/registry/.rbenv/shims/ruby
|
PassengerRuby /home/registry/.rbenv/shims/ruby
|
||||||
PassengerEnabled on
|
PassengerEnabled on
|
||||||
|
@ -239,6 +242,10 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
|
||||||
SSLHonorCipherOrder On
|
SSLHonorCipherOrder On
|
||||||
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
||||||
|
|
||||||
|
RewriteEngine on
|
||||||
|
RedirectMatch ^/$ /registrant
|
||||||
|
RedirectMatch ^/login$ /registrant/login
|
||||||
|
|
||||||
<Directory /app/registry/registrant/current/public>
|
<Directory /app/registry/registrant/current/public>
|
||||||
# for Apache older than version 2.4
|
# for Apache older than version 2.4
|
||||||
Allow from all
|
Allow from all
|
||||||
|
@ -249,11 +256,16 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
|
||||||
Options -MultiViews
|
Options -MultiViews
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Location ~ "/.+/" >
|
<Location />
|
||||||
|
Allow from none
|
||||||
Deny from all
|
Deny from all
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
<Location ~ "/(registrant|assets)\/.+">
|
<Location /registrant>
|
||||||
|
Allow from all
|
||||||
|
</Location>
|
||||||
|
|
||||||
|
<Location /assets>
|
||||||
Allow from all
|
Allow from all
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
|
@ -302,10 +314,11 @@ For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp
|
||||||
RequestHeader set SSL_CLIENT_S_DN_CN ""
|
RequestHeader set SSL_CLIENT_S_DN_CN ""
|
||||||
|
|
||||||
<Location />
|
<Location />
|
||||||
|
Allow from none
|
||||||
Deny from all
|
Deny from all
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
<Location /repp/*/*>
|
<Location /repp>
|
||||||
Allow from all
|
Allow from all
|
||||||
SSLVerifyClient require
|
SSLVerifyClient require
|
||||||
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
||||||
|
|
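Review bot: The new `<Location />`, `<Location /admin>` and `<Location /assets>` blocks in the second README hunk (and the parallel registrar, registrant and `/repp` hunks below it) use only `Deny from all` / `Allow from all`, which are mod_access_compat directives, while the `<Directory>` block a few lines above already documents the 2.4 form (`# Require all granted`); on an Apache 2.4 host without mod_access_compat these Location lines fail at startup, and the 2.4 docs discourage mixing the two families in one config. Mirror the Directory block's convention in each Location section: `# Require all denied` under `<Location />` and `# Require all granted` under the `/admin`, `/assets`, `/registrar`, `/registrant` and `/repp` sections, so a 2.4 operator has a complete equivalent to switch to. The deny-everything-then-allow-prefix layering also relies on the implicit default `Order Deny,Allow`; an explicit `Order Deny,Allow` line in `<Location />` would make that intent visible and robust to a changed global default. The added line `RewriteEnginriteEngine on` in the admin hunk looks like a rendering artifact, since the registrar and registrant hunks read `RewriteEngine on`, but the committed text is worth verifying. The `<VirtualHost>` blocks containing these sections start and end outside the hunks shown.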