Apache security config update

This commit is contained in:
Priit Tark 2015-05-16 08:16:18 +03:00
parent 0345d57706
commit c77d38b6e3
2 changed files with 191 additions and 173 deletions


@ -1,3 +1,8 @@
16.05.2015
* Security config update. Please replace all Location and RedirectMatch
in Admin, Registrar and Registrant Apache2 config. New one are in readme.
15.05.2015 15.05.2015
* Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath) * Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath)
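Review bot: the 16.05.2015 entry tells operators to replace every Location and RedirectMatch block but not why, and the reason is the security-relevant part: the previous `<Location ~ "/.+/">` deny pattern only matched URIs containing a second slash, so single-segment paths such as `/foo` were never denied at all, and the new `<Location />` default deny closes that gap. State that in the entry, mention that the `RewriteCond`/`RewriteRule` login blocks were removed as well (they are part of what has to be replaced), and fix the grammar: "New one are in readme" should read "New ones are in the README".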

README.md

@ -20,8 +20,8 @@ Documentation
### Updating documentation ### Updating documentation
AUTODOC=true rspec spec/requests AUTODOC=true rspec spec/requests
EPP_DOC=true rspec spec/epp --tag epp --require support/epp_doc.rb --format EppDoc > doc/epp-examples.md EPP_DOC=true rspec spec/epp --tag epp --require support/epp_doc.rb --format EppDoc > doc/epp-examples.md
Installation Installation
------------ ------------
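Review bot: the `@ -20,8 +20,8 @@` hunk shows identical old and new lines, so this is a whitespace-only change. Keeping indentation and trailing-whitespace cleanups out of a commit titled "Apache security config update" would make the security-relevant diff easier to review and to cherry-pick onto running installations.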
@ -32,53 +32,49 @@ Registry based on Rails 4 installation (rbenv install is under Debian build doc)
Manual demo install and database setup: Manual demo install and database setup:
cd /home/registry cd /home/registry
git clone git@github.com:internetee/registry.git demo-registry git clone git@github.com:internetee/registry.git demo-registry
cd demo-registry cd demo-registry
rbenv local 2.2.2 rbenv local 2.2.2
bundle bundle
cp config/application-example.yml config/application.yml # and edit it cp config/application-example.yml config/application.yml # and edit it
cp config/database-example.yml config/database.yml # and edit it cp config/database-example.yml config/database.yml # and edit it
bundle exec rake db:all:setup # for production, please follow deployment howto bundle exec rake db:all:setup # for production, please follow deployment howto
bundle exec rake assets:precompile bundle exec rake assets:precompile
### Apache with patched mod_epp (Debian 7/Ubuntu 14.04 LTS) ### Apache with patched mod_epp (Debian 7/Ubuntu 14.04 LTS)
sudo apt-get install apache2 sudo apt-get install apache2
sudo apt-get install apache2-threaded-dev # needed to compile mod_epp sudo apt-get install apache2-threaded-dev # needed to compile mod_epp
wget sourceforge.net/projects/aepps/files/mod_epp/1.10/mod_epp-1.10.tar.gz wget sourceforge.net/projects/aepps/files/mod_epp/1.10/mod_epp-1.10.tar.gz
tar -xzvf mod_epp-1.10.tar.gz tar -xzvf mod_epp-1.10.tar.gz
cd mod_epp-1.10 cd mod_epp-1.10
Patch mod_epp for Rack. Beacause Rack multipart parser expects specifically Patch mod_epp for Rack. Beacause Rack multipart parser expects specifically
formatted content boundaries, the mod_epp needs to be modified before building: formatted content boundaries, the mod_epp needs to be modified before building:
wget https://github.com/internetee/registry/raw/master/doc/patches/mod_epp_1.10-rack-friendly.patch wget https://github.com/internetee/registry/raw/master/doc/patches/mod_epp_1.10-rack-friendly.patch
wget https://raw.githubusercontent.com/domify/registry/master/doc/patches/mod_epp_1.10-frame-size.patch wget https://raw.githubusercontent.com/domify/registry/master/doc/patches/mod_epp_1.10-frame-size.patch
patch < mod_epp_1.10-rack-friendly.patch patch < mod_epp_1.10-rack-friendly.patch
patch < mod_epp_1.10-frame-size.patch patch < mod_epp_1.10-frame-size.patch
sudo apxs2 -a -c -i mod_epp.c sudo apxs2 -a -c -i mod_epp.c
Enable ssl: Enable ssl:
sudo a2enmod proxy_http sudo a2enmod proxy_http
sudo mkdir /etc/apache2/ssl sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
sudo a2enmod ssl sudo a2enmod ssl
sudo nano /etc/apache2/sites-enabled/epp_ssl.conf sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example: For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:
``` ```
<VirtualHost *:443> <VirtualHost *:443>
ServerName your-domain ServerName your-domain
ServerAdmin your@example.com ServerAdmin your@example.com
# Rewrite /login to /admin/login
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/login [NC]
RewriteRule ^/(.*) /admin/$1 [PT,L,QSA]
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
PassengerRuby /home/registry/.rbenv/shims/ruby PassengerRuby /home/registry/.rbenv/shims/ruby
PassengerEnabled on PassengerEnabled on
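Review bot: removing the `RewriteCond %{REQUEST_URI} ^/login [NC]` / `RewriteRule ^/(.*) /admin/$1 [PT,L,QSA]` block is the right call: the condition was anchored only at the start, so every URI beginning with `/login` (for example `/login-foo`) was silently rewritten under `/admin/`, whereas the replacement `RedirectMatch ^/login$ /admin/login` matches the path exactly. One behaviour change the README should spell out: the old rule was an internal pass-through rewrite, while `RedirectMatch` answers the client with an external 302, so `/` and `/login` now change the URL visible in the browser.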
@ -89,12 +85,12 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
RailsEnv production # or staging RailsEnv production # or staging
DocumentRoot /home/registry/registry/current/public DocumentRoot /home/registry/registry/current/public
# Possible values include: debug, info, notice, warn, error, crit, # Possible values include: debug, info, notice, warn, error, crit,
LogLevel info LogLevel info
ErrorLog /var/log/apache2/registry.error.log ErrorLog /var/log/apache2/registry.error.log
CustomLog /var/log/apache2/registry.access.log combined CustomLog /var/log/apache2/registry.access.log combined
SSLEngine On SSLEngine On
SSLCertificateFile /etc/ssl/certs/your.crt SSLCertificateFile /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key SSLCertificateKeyFile /etc/ssl/private/your.key
@ -105,22 +101,30 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
SSLHonorCipherOrder On SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH SSLCipherSuite RC4-SHA:HIGH:!ADH
<Directory /app/registry/registry/current/public> RewriteEnginriteEngine on
# for Apache older than version 2.4 RedirectMatch ^/$ /admin
Allow from all RedirectMatch ^/login$ /admin/login
# for Apache verison 2.4 or newer <Directory /app/registry/registry/current/public>
# Require all granted # for Apache older than version 2.4
Allow from all
Options -MultiViews
</Directory>
<Location ~ "/.+/" > # for Apache verison 2.4 or newer
Deny from all # Require all granted
Options -MultiViews
</Directory>
<Location />
Allow from none
Deny from all
</Location> </Location>
<Location ~ "/(admin|assets)\/.+"> <Location /admin>
Allow from all Allow from all
</Location>
<Location /assets>
Allow from all
</Location> </Location>
</VirtualHost> </VirtualHost>
``` ```
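Review bot: `Allow from none` in the new `<Location />` block is not a valid argument to `Allow from` (mod_authz_host accepts `all`, a host or domain name, an IP address or network, or `env=`), so Apache treats `none` as a partial host name to compare against the client's reverse DNS; it does nothing useful and misleads readers into thinking it is a deny. `Deny from all` alone is sufficient; add an explicit `Order Allow,Deny` in that block so the deny cannot be overridden by a later `Allow`. Second, the 2.4 migration comments are incomplete: the `<Directory>` block carries `# Require all granted`, but the new `<Location />`, `<Location /admin>` and `<Location /assets>` blocks have no `# Require all denied` / `# Require all granted` counterparts, and on 2.4 the `Allow`/`Deny` directives are rejected at startup unless mod_access_compat is loaded. Finally, `RewriteEngine on` is kept although every RewriteRule was removed; `RedirectMatch` belongs to mod_alias, so the line and the mod_rewrite dependency can go.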
@ -131,11 +135,6 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
ServerName your-registrar-domain ServerName your-registrar-domain
ServerAdmin your@example.com ServerAdmin your@example.com
# Rewrite /login to /registrar/login
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/login [NC]
RewriteRule ^/(.*) /registrar/$1 [PT,L,QSA]
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
PassengerRuby /home/registry/.rbenv/shims/ruby PassengerRuby /home/registry/.rbenv/shims/ruby
PassengerEnabled on PassengerEnabled on
@ -146,12 +145,12 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
RailsEnv production # or staging RailsEnv production # or staging
DocumentRoot /home/registry/registrar/current/public DocumentRoot /home/registry/registrar/current/public
# Possible values include: debug, info, notice, warn, error, crit, # Possible values include: debug, info, notice, warn, error, crit,
LogLevel info LogLevel info
ErrorLog /var/log/apache2/registrar.error.log ErrorLog /var/log/apache2/registrar.error.log
CustomLog /var/log/apache2/registrar.access.log combined CustomLog /var/log/apache2/registrar.access.log combined
SSLEngine On SSLEngine On
SSLCertificateFile /etc/ssl/certs/your.crt SSLCertificateFile /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key SSLCertificateKeyFile /etc/ssl/private/your.key
@ -162,22 +161,31 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
SSLHonorCipherOrder On SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH SSLCipherSuite RC4-SHA:HIGH:!ADH
<Directory /app/registry/registrar/current/public> RewriteEngine on
# for Apache older than version 2.4 RedirectMatch ^/$ /registrar
Allow from all RedirectMatch ^/login$ /registrar/login
# for Apache verison 2.4 or newer <Directory /app/registry/registrar/current/public>
# Require all granted # for Apache older than version 2.4
Allow from all
Options -MultiViews
# for Apache verison 2.4 or newer
# Require all granted
Options -MultiViews
</Directory> </Directory>
<Location ~ "/.+/" > <Location />
Deny from all Allow from none
Deny from all
</Location> </Location>
<Location ~ "/(registrar|assets)\/.+"> <Location /registrar>
Allow from all Allow from all
</Location>
<Location /assets>
Allow from all
</Location> </Location>
SSLVerifyClient none SSLVerifyClient none
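Review bot: the registrar block is being rewritten directly under `SSLCipherSuite RC4-SHA:HIGH:!ADH` with `SSLHonorCipherOrder On`, which makes RC4-SHA the server's first choice for every connection; RFC 7465 (February 2015) prohibits RC4 in TLS, so a commit titled "security config update" should drop it from the suite (for example `HIGH:!ADH:!RC4`) in the admin, registrar and registrant vhosts at the same time. The `Allow from none`, `Order` and missing 2.4 `Require` comments raised on the admin block apply unchanged to this registrar block.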
@ -189,8 +197,8 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
<Location /registrar/sessions> <Location /registrar/sessions>
SSLVerifyClient require SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
</Location> </Location>
<Location /registrar/id> <Location /registrar/id>
@ -205,111 +213,116 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as follows: Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as follows:
``` ```
<VirtualHost *:443> <VirtualHost *:443>
ServerName your-registrant-domain ServerName your-registrant-domain
ServerAdmin your@example.com ServerAdmin your@example.com
# Rewrite /login to /registrant/login PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
RewriteEngine on PassengerRuby /home/registry/.rbenv/shims/ruby
RewriteCond %{REQUEST_URI} ^/login [NC] PassengerEnabled on
RewriteRule ^/(.*) /registrant/$1 [PT,L,QSA] PassengerMinInstances 10
PassengerMaxPoolSize 10
PassengerPoolIdleTime 0
PassengerMaxRequests 1000
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini RailsEnv production # or staging
PassengerRuby /home/registry/.rbenv/shims/ruby DocumentRoot /home/registry/registrant/current/public
PassengerEnabled on
PassengerMinInstances 10
PassengerMaxPoolSize 10
PassengerPoolIdleTime 0
PassengerMaxRequests 1000
RailsEnv production # or staging # Possible values include: debug, info, notice, warn, error, crit,
DocumentRoot /home/registry/registrant/current/public LogLevel info
ErrorLog /var/log/apache2/registrant.error.log
CustomLog /var/log/apache2/registrant.access.log combined
SSLEngine On
SSLCertificateFile /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key
SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem
SSLProtocol TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
RewriteEngine on
RedirectMatch ^/$ /registrant
RedirectMatch ^/login$ /registrant/login
<Directory /app/registry/registrant/current/public>
# for Apache older than version 2.4
Allow from all
# for Apache verison 2.4 or newer
# Require all granted
# Possible values include: debug, info, notice, warn, error, crit, Options -MultiViews
LogLevel info </Directory>
ErrorLog /var/log/apache2/registrant.error.log
CustomLog /var/log/apache2/registrant.access.log combined <Location />
Allow from none
Deny from all
</Location>
SSLEngine On <Location /registrant>
SSLCertificateFile /etc/ssl/certs/your.crt Allow from all
SSLCertificateKeyFile /etc/ssl/private/your.key </Location>
SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
SSLCACertificateFile /etc/ssl/certs/ca.pem <Location /assets>
Allow from all
</Location>
SSLProtocol TLSv1 SSLVerifyClient none
SSLHonorCipherOrder On SSLVerifyDepth 1
SSLCipherSuite RC4-SHA:HIGH:!ADH SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl
# Uncomment in Apache 2.4
# SSLCARevocationCheck chain
<Directory /app/registry/registrant/current/public>
# for Apache older than version 2.4
Allow from all
# for Apache verison 2.4 or newer
# Require all granted
Options -MultiViews
</Directory>
<Location ~ "/.+/" >
Deny from all
</Location>
<Location ~ "/(registrant|assets)\/.+">
Allow from all
</Location>
SSLVerifyClient none
SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl
# Uncomment in Apache 2.4
# SSLCARevocationCheck chain
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
<Location /registrant/sessions>
SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
</Location> <Location /registrant/sessions>
SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
</Location>
<Location /registrant/id> <Location /registrant/id>
SSLVerifyClient require SSLVerifyClient require
Options Indexes FollowSymLinks MultiViews Options Indexes FollowSymLinks MultiViews
SSLVerifyDepth 2 SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData SSLOptions +StdEnvVars +ExportCertData
</Location> </Location>
</VirtualHost> </VirtualHost>
``` ```
For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp.conf short example: For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp.conf short example:
``` ```
<VirtualHost *:443> <VirtualHost *:443>
ServerName your-repp-domain ServerName your-repp-domain
SSLEngine on SSLEngine on
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ProxyPass / http://localhost:8080/ ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https' RequestHeader set X_FORWARDED_PROTO 'https'
SSLVerifyClient none SSLVerifyClient none
SSLVerifyDepth 1 SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl SSLCARevocationPath /home/registry/registry/shared/ca/crl
SSLCARevocationCheck chain SSLCARevocationCheck chain
RequestHeader set SSL_CLIENT_S_DN_CN "" RequestHeader set SSL_CLIENT_S_DN_CN ""
<Location /> <Location />
Deny from all Allow from none
</Location> Deny from all
</Location>
<Location /repp/*/*> <Location /repp>
Allow from all Allow from all
SSLVerifyClient require SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
</Location> </Location>
</VirtualHost> </VirtualHost>
``` ```
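Review bot: the registrant vhost sets `SSLCACertificateFile` twice, first to `/etc/ssl/certs/ca.pem` beside the server certificate and again to `/home/registry/registry/shared/ca/certs/ca.cert.pem` beside `SSLVerifyClient`; only the last occurrence takes effect, and it is the one that decides which client certificates `/registrant/sessions` and `/registrant/id` accept, so the first line should be removed rather than left as a decoy that someone may "fix" instead of the real one. Two smaller points in the same hunk: `SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem` reads like a typo for `your-chain-file.pem`, and in the REPP vhost replacing `<Location /repp/*/*>` with `<Location /repp>` is correct (the wildcard form only matched URIs with at least two further path segments after `/repp/`), but because `SSLVerifyClient require` is applied per-Location on top of a vhost-level `SSLVerifyClient none`, Apache must renegotiate the TLS session for every `/repp` request; since `<Location />` denies everything else anyway, setting `SSLVerifyClient require` at vhost level avoids the renegotiation entirely.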
@ -318,33 +331,33 @@ Be sure to update paths to match your system configuration.
/etc/apache2/sites-enabled/epp.conf short example: /etc/apache2/sites-enabled/epp.conf short example:
```apache ```apache
<IfModule mod_epp.c> <IfModule mod_epp.c>
Listen 700 Listen 700
<VirtualHost *:700> <VirtualHost *:700>
SSLEngine on SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/apache.crt SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLVerifyClient require SSLVerifyClient require
SSLVerifyDepth 1 SSLVerifyDepth 1
SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
SSLCARevocationPath /home/registry/registry/shared/ca/crl SSLCARevocationPath /home/registry/registry/shared/ca/crl
# Uncomment this when upgrading to apache 2.4: # Uncomment this when upgrading to apache 2.4:
# SSLCARevocationCheck chain # SSLCARevocationCheck chain
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s" RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
EPPEngine On EPPEngine On
EPPCommandRoot /proxy/command EPPCommandRoot /proxy/command
EPPSessionRoot /proxy/session EPPSessionRoot /proxy/session
EPPErrorRoot /proxy/error EPPErrorRoot /proxy/error
EPPRawFrame raw_frame EPPRawFrame raw_frame
ProxyPass /proxy/ http://localhost:8080/epp/ ProxyPass /proxy/ http://localhost:8080/epp/
EPPAuthURI implicit EPPAuthURI implicit
EPPReturncodeHeader X-EPP-Returncode EPPReturncodeHeader X-EPP-Returncode
</VirtualHost> </VirtualHost>
</IfModule> </IfModule>
``` ```
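Review bot: this hunk is whitespace-only as well (old and new columns are identical), but since the commit is the security config update it is worth raising that the EPP vhost's `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` still permits LOW-strength and 40-bit export ciphers: in OpenSSL cipher strings `+LOW` and `+EXP` only move suites already enabled by `ALL` to the end of the preference list, and only `EXPORT56` is actually excluded, which leaves the export RSA suites behind the FREAK downgrade enabled on the EPP port. The same string survives commented out in the REPP vhost. Excluding them (`!EXP:!LOW:!RC4`, or reusing the `HIGH:!ADH` form of the other vhosts minus RC4) belongs in this commit, and `SSLHonorCipherOrder On` is missing here, so at present the client's preference decides the cipher.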