mirror of
https://github.com/internetee/registry.git
synced 2025-05-17 01:47:18 +02:00
Apache security config update
This commit is contained in:
Priit Tark
parent
0345d57706
commit
c77d38b6e3
2 changed files with 191 additions and 173 deletions
|
|
@ -1,3 +1,8 @@
|
|||
16.05.2015
|
||||
|
||||
* Security config update. Please replace all Location and RedirectMatch
|
||||
in Admin, Registrar and Registrant Apache2 config. New one are in readme.
|
||||
|
||||
15.05.2015
|
||||
|
||||
* Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath)
|
||||
|
|
|
|||
59
README.md
59
README.md
|
|
@ -69,16 +69,12 @@ Enable ssl:
|
|||
sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
|
||||
|
||||
For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:
|
||||
|
||||
```
|
||||
<VirtualHost *:443>
|
||||
ServerName your-domain
|
||||
ServerAdmin your@example.com
|
||||
|
||||
# Rewrite /login to /admin/login
|
||||
RewriteEngine on
|
||||
RewriteCond %{REQUEST_URI} ^/login [NC]
|
||||
RewriteRule ^/(.*) /admin/$1 [PT,L,QSA]
|
||||
|
||||
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
||||
PassengerRuby /home/registry/.rbenv/shims/ruby
|
||||
PassengerEnabled on
|
||||
|
|
@ -105,21 +101,29 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
|
|||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
||||
|
||||
RewriteEnginriteEngine on
|
||||
RedirectMatch ^/$ /admin
|
||||
RedirectMatch ^/login$ /admin/login
|
||||
|
||||
<Directory /app/registry/registry/current/public>
|
||||
# for Apache older than version 2.4
|
||||
Allow from all
|
||||
|
||||
# for Apache verison 2.4 or newer
|
||||
# Require all granted
|
||||
|
||||
Options -MultiViews
|
||||
</Directory>
|
||||
|
||||
<Location ~ "/.+/" >
|
||||
<Location />
|
||||
Allow from none
|
||||
Deny from all
|
||||
</Location>
|
||||
|
||||
<Location ~ "/(admin|assets)\/.+">
|
||||
<Location /admin>
|
||||
Allow from all
|
||||
</Location>
|
||||
|
||||
<Location /assets>
|
||||
Allow from all
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
|
|
@ -131,11 +135,6 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
|
|||
ServerName your-registrar-domain
|
||||
ServerAdmin your@example.com
|
||||
|
||||
# Rewrite /login to /registrar/login
|
||||
RewriteEngine on
|
||||
RewriteCond %{REQUEST_URI} ^/login [NC]
|
||||
RewriteRule ^/(.*) /registrar/$1 [PT,L,QSA]
|
||||
|
||||
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
||||
PassengerRuby /home/registry/.rbenv/shims/ruby
|
||||
PassengerEnabled on
|
||||
|
|
@ -162,6 +161,10 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
|
|||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
||||
|
||||
RewriteEngine on
|
||||
RedirectMatch ^/$ /registrar
|
||||
RedirectMatch ^/login$ /registrar/login
|
||||
|
||||
<Directory /app/registry/registrar/current/public>
|
||||
# for Apache older than version 2.4
|
||||
Allow from all
|
||||
|
|
@ -172,11 +175,16 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
|
|||
Options -MultiViews
|
||||
</Directory>
|
||||
|
||||
<Location ~ "/.+/" >
|
||||
<Location />
|
||||
Allow from none
|
||||
Deny from all
|
||||
</Location>
|
||||
|
||||
<Location ~ "/(registrar|assets)\/.+">
|
||||
<Location /registrar>
|
||||
Allow from all
|
||||
</Location>
|
||||
|
||||
<Location /assets>
|
||||
Allow from all
|
||||
</Location>
|
||||
|
||||
|
|
@ -208,11 +216,6 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
|
|||
ServerName your-registrant-domain
|
||||
ServerAdmin your@example.com
|
||||
|
||||
# Rewrite /login to /registrant/login
|
||||
RewriteEngine on
|
||||
RewriteCond %{REQUEST_URI} ^/login [NC]
|
||||
RewriteRule ^/(.*) /registrant/$1 [PT,L,QSA]
|
||||
|
||||
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
|
||||
PassengerRuby /home/registry/.rbenv/shims/ruby
|
||||
PassengerEnabled on
|
||||
|
|
@ -239,6 +242,10 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
|
|||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite RC4-SHA:HIGH:!ADH
|
||||
|
||||
RewriteEngine on
|
||||
RedirectMatch ^/$ /registrant
|
||||
RedirectMatch ^/login$ /registrant/login
|
||||
|
||||
<Directory /app/registry/registrant/current/public>
|
||||
# for Apache older than version 2.4
|
||||
Allow from all
|
||||
|
|
@ -249,11 +256,16 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
|
|||
Options -MultiViews
|
||||
</Directory>
|
||||
|
||||
<Location ~ "/.+/" >
|
||||
<Location />
|
||||
Allow from none
|
||||
Deny from all
|
||||
</Location>
|
||||
|
||||
<Location ~ "/(registrant|assets)\/.+">
|
||||
<Location /registrant>
|
||||
Allow from all
|
||||
</Location>
|
||||
|
||||
<Location /assets>
|
||||
Allow from all
|
||||
</Location>
|
||||
|
||||
|
|
@ -302,10 +314,11 @@ For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp
|
|||
RequestHeader set SSL_CLIENT_S_DN_CN ""
|
||||
|
||||
<Location />
|
||||
Allow from none
|
||||
Deny from all
|
||||
</Location>
|
||||
|
||||
<Location /repp/*/*>
|
||||
<Location /repp>
|
||||
Allow from all
|
||||
SSLVerifyClient require
|
||||
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue