Apache security config update

2025-05-17 01:47:18 +02:00 · 2015-05-16 08:16:18 +03:00 · 2015-05-16 08:16:18 +03:00 · c77d38b6e3
commit c77d38b6e3
parent 0345d57706
2 changed files with 191 additions and 173 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,8 @@
+16.05.2015
+
+* Security config update. Please replace all Location and RedirectMatch 
+  in Admin, Registrar and Registrant Apache2 config. New one are in readme.
+
 15.05.2015

 * Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath)
--- a/README.md
+++ b/README.md
@ -20,8 +20,8 @@ Documentation

 ### Updating documentation

-    AUTODOC=true rspec spec/requests
-    EPP_DOC=true rspec spec/epp --tag epp --require support/epp_doc.rb --format EppDoc > doc/epp-examples.md
+AUTODOC=true rspec spec/requests
+EPP_DOC=true rspec spec/epp --tag epp --require support/epp_doc.rb --format EppDoc > doc/epp-examples.md

 Installation
 ------------
@ -32,53 +32,49 @@ Registry based on Rails 4 installation (rbenv install is under Debian build doc)

 Manual demo install and database setup:

-    cd /home/registry
-    git clone git@github.com:internetee/registry.git demo-registry
-    cd demo-registry
-    rbenv local 2.2.2
-    bundle
-    cp config/application-example.yml config/application.yml # and edit it
-    cp config/database-example.yml config/database.yml # and edit it
-    bundle exec rake db:all:setup # for production, please follow deployment howto
-    bundle exec rake assets:precompile
+cd /home/registry
+git clone git@github.com:internetee/registry.git demo-registry
+cd demo-registry
+rbenv local 2.2.2
+bundle
+cp config/application-example.yml config/application.yml # and edit it
+cp config/database-example.yml config/database.yml # and edit it
+bundle exec rake db:all:setup # for production, please follow deployment howto
+bundle exec rake assets:precompile

 ### Apache with patched mod_epp (Debian 7/Ubuntu 14.04 LTS)

-    sudo apt-get install apache2
+sudo apt-get install apache2

-    sudo apt-get install apache2-threaded-dev     # needed to compile mod_epp
-    wget sourceforge.net/projects/aepps/files/mod_epp/1.10/mod_epp-1.10.tar.gz
-    tar -xzvf mod_epp-1.10.tar.gz
-    cd mod_epp-1.10
+sudo apt-get install apache2-threaded-dev     # needed to compile mod_epp
+wget sourceforge.net/projects/aepps/files/mod_epp/1.10/mod_epp-1.10.tar.gz
+tar -xzvf mod_epp-1.10.tar.gz
+cd mod_epp-1.10

 Patch mod_epp for Rack. Beacause Rack multipart parser expects specifically 
 formatted content boundaries, the mod_epp needs to be modified before building:

-    wget https://github.com/internetee/registry/raw/master/doc/patches/mod_epp_1.10-rack-friendly.patch
-    wget https://raw.githubusercontent.com/domify/registry/master/doc/patches/mod_epp_1.10-frame-size.patch
-    patch < mod_epp_1.10-rack-friendly.patch
-    patch < mod_epp_1.10-frame-size.patch
-    sudo apxs2 -a -c -i mod_epp.c
+wget https://github.com/internetee/registry/raw/master/doc/patches/mod_epp_1.10-rack-friendly.patch
+wget https://raw.githubusercontent.com/domify/registry/master/doc/patches/mod_epp_1.10-frame-size.patch
+patch < mod_epp_1.10-rack-friendly.patch
+patch < mod_epp_1.10-frame-size.patch
+sudo apxs2 -a -c -i mod_epp.c

 Enable ssl:

-    sudo a2enmod proxy_http
-    sudo mkdir /etc/apache2/ssl
-    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
-    sudo a2enmod ssl
-    sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
+sudo a2enmod proxy_http
+sudo mkdir /etc/apache2/ssl
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
+sudo a2enmod ssl
+sudo nano /etc/apache2/sites-enabled/epp_ssl.conf

 For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:
+
 ```
 <VirtualHost *:443>
  ServerName your-domain
  ServerAdmin your@example.com

-  # Rewrite /login to /admin/login
-  RewriteEngine on
-  RewriteCond %{REQUEST_URI} ^/login [NC]
-  RewriteRule ^/(.*) /admin/$1 [PT,L,QSA]
-
  PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  PassengerRuby /home/registry/.rbenv/shims/ruby
  PassengerEnabled on
@ -105,21 +101,29 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
  SSLHonorCipherOrder On
  SSLCipherSuite RC4-SHA:HIGH:!ADH

+  RewriteEnginriteEngine on
+  RedirectMatch ^/$ /admin
+  RedirectMatch ^/login$ /admin/login
+
  <Directory /app/registry/registry/current/public>
      # for Apache older than version 2.4
      Allow from all

      # for Apache verison 2.4 or newer
      # Require all granted
-    
      Options -MultiViews
  </Directory>

-  <Location ~ "/.+/" >
+  <Location />
+      Allow from none
      Deny from all
  </Location>

-  <Location ~ "/(admin|assets)\/.+">
+  <Location /admin>
+      Allow from all
+  </Location>
+
+  <Location /assets>
      Allow from all
  </Location>
 </VirtualHost>
@ -131,11 +135,6 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
  ServerName your-registrar-domain
  ServerAdmin your@example.com

-  # Rewrite /login to /registrar/login
-  RewriteEngine on
-  RewriteCond %{REQUEST_URI} ^/login [NC]
-  RewriteRule ^/(.*) /registrar/$1 [PT,L,QSA]
-
  PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
  PassengerRuby /home/registry/.rbenv/shims/ruby
  PassengerEnabled on
@ -162,6 +161,10 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
  SSLHonorCipherOrder On
  SSLCipherSuite RC4-SHA:HIGH:!ADH

+  RewriteEngine on
+  RedirectMatch ^/$ /registrar
+  RedirectMatch ^/login$ /registrar/login
+
  <Directory /app/registry/registrar/current/public>
      # for Apache older than version 2.4
      Allow from all
@ -172,11 +175,16 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
      Options -MultiViews
  </Directory>

-  <Location ~ "/.+/" >
+  <Location />
+      Allow from none
      Deny from all
  </Location>

-  <Location ~ "/(registrar|assets)\/.+">
+  <Location /registrar>
+      Allow from all
+  </Location>
+
+  <Location /assets>
      Allow from all
  </Location>

@ -208,11 +216,6 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
    ServerName your-registrant-domain
    ServerAdmin your@example.com

-  # Rewrite /login to /registrant/login
-  RewriteEngine on
-  RewriteCond %{REQUEST_URI} ^/login [NC]
-  RewriteRule ^/(.*) /registrant/$1 [PT,L,QSA]
-
    PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
    PassengerRuby /home/registry/.rbenv/shims/ruby
    PassengerEnabled on
@ -239,6 +242,10 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:HIGH:!ADH

+    RewriteEngine on
+    RedirectMatch ^/$ /registrant
+    RedirectMatch ^/login$ /registrant/login
+
    <Directory /app/registry/registrant/current/public>
        # for Apache older than version 2.4
        Allow from all
@ -249,11 +256,16 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
        Options -MultiViews
    </Directory>

-  <Location ~ "/.+/" >
+    <Location />
+        Allow from none
        Deny from all
    </Location>
  
-  <Location ~ "/(registrant|assets)\/.+">
+    <Location /registrant>
+        Allow from all
+    </Location>
+  
+    <Location /assets>
        Allow from all
    </Location>

@ -302,10 +314,11 @@ For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp
    RequestHeader set SSL_CLIENT_S_DN_CN ""

    <Location />
+        Allow from none
        Deny from all
    </Location>

-  <Location /repp/*/*>
+    <Location /repp>
        Allow from all
        SSLVerifyClient require
        RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"