CTS2-LE Security Configuration

From CTS2-LE

The standard CTS2-LE configuration allows unrestricted read access, while administrative functionality (e.g., loading or updating terminologies) is restricted. This section describes how to configure these default security settings.

Simple Access Control

By default, each access to the administrative HTTP and REST-based services of CTS2-LE is secured by means of the SSL/TLS protocol combined with HTTP Basic Authentication. We recommend that you secure your CTS2-LE instance with the help of a reverse proxy server. If no dedicated security appliance is available, you can use an NGINX server instead. Use the following instructions to set up an NGINX instance.

  1. Obtain the setup files from http://www.nginx.org/en/download.html for a Win32 installation or use the suitable package for your Linux distribution according to the instructions on http://wiki.nginx.org/Install.
  2. After unpacking/installation, adjust the nginx.conf file as follows to enable SSL/TLS and HTTP Basic Authentication for specific URL paths (for demonstration purposes 'manage', 'crud' and 'application.wadl').
http {
	...
	server {
		listen 80 default_server;
		server_name dev.test.com;

		root html;
		index index.html index.htm;		
		
		location ~ (?:manage|crud|application\.wadl) {
			rewrite ^ https://$server_name$request_uri? permanent;				
		}				
		
		location = / {
			rewrite ^ http://$server_name/WebCts2LE/ last;
		}
				
		location ~ /WebCts2LE {		
			proxy_pass  http://$server_name:8033;
			proxy_redirect off;

			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_max_temp_file_size 0;

			client_max_body_size 10m;
			client_body_buffer_size 128k;

			proxy_connect_timeout 90;
			proxy_send_timeout 90;
			proxy_read_timeout 90;

			proxy_buffer_size 4k;
			proxy_buffers 4 32k;
			proxy_busy_buffers_size 64k;
			proxy_temp_file_write_size 64k;
	   
			proxy_ignore_client_abort on;				
		}
	}

	server {
		listen 443 ssl;
				
		server_name dev.test.com;
		# 'ssl on' is redundant with the ssl parameter on listen (deprecated in newer NGINX releases)
		ssl on;
		ssl_certificate cert.crt;
		ssl_certificate_key cert.key;
		
		# Perfect Forward Secrecy: prefer ephemeral (EC)DH key exchange
		# Note: TLSv1/TLSv1.1 and the RC4 suites below are deprecated (RFC 8996, RFC 7465);
		# drop them on current deployments.
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_prefer_server_ciphers on;
		ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
		
		ssl_session_cache shared:SSL:10m;
		ssl_session_timeout 10m;
		
		root html;
		index index.html index.htm;

		location = / {
			rewrite ^ http://$server_name$request_uri? permanent;
		}

		location ~ (?:manage|crud|application\.wadl) {			
			proxy_pass  http://$server_name:8033;
			proxy_redirect off;

			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_max_temp_file_size 0;

			client_max_body_size 10m;
			client_body_buffer_size 128k;

			proxy_connect_timeout 90;
			proxy_send_timeout 90;
			proxy_read_timeout 90;

			proxy_buffer_size 4k;
			proxy_buffers 4 32k;
			proxy_busy_buffers_size 64k;
			proxy_temp_file_write_size 64k;
	   
			proxy_ignore_client_abort on;	
		
			auth_basic "Operation requires authentication";
			auth_basic_user_file .htpasswd;			
		}
	}    
}
  1. The files cert.crt and cert.key must be a valid SSL certificate and private key located in $NGINX/conf.
  2. Replace '$server_name' (and the example host dev.test.com) with your actual server name, matching the common name in your SSL certificate.
  3. Set the 'proxy_pass' target to the address of your CTS2-LE server instance (port 8033 in the example).
  4. The .htpasswd file should be placed in $NGINX/conf. You can use the htpasswd program shipped with the Apache HTTP Server or an online tool (e.g., an htpasswd generator) to produce the .htpasswd file.
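After editing nginx.conf it is worth confirming that the administrative paths really are gated as intended. The following Python script is an added example (not part of CTS2-LE or this wiki): it parses a constructed nginx.conf in the layout above and reports any administrative path that a plain-HTTP server would serve without an HTTPS redirect, or that a TLS server would serve without auth_basic_user_file. It assumes the administrative paths live under /WebCts2LE, and its location matching is a simplification of nginx's rules (exact match, then regex locations in file order, then longest prefix).

```python
import re

# Constructed excerpt in the page's nginx.conf layout (not the project's shipped file).
SAMPLE_CONF = r"""http {
  server {
    listen 80 default_server;
    location ~ (?:manage|crud|application\.wadl) { rewrite ^ https://$server_name$request_uri? permanent; }
  }
  server {
    listen 443 ssl;
    location ~ (?:manage|crud|application\.wadl) { proxy_pass http://dev.test.com:8033; auth_basic "CTS2-LE"; auth_basic_user_file .htpasswd; }
  }
}"""

def parse(text):
    """Tiny nginx parser -> nested (name, args, children) tuples; children is None for a directive."""
    root = node = []; stack, cur = [], []
    for t in re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', re.sub(r'#.*', '', text)):
        if t == ';': node.append((cur[0], cur[1:], None)); cur = []
        elif t == '{': child = []; node.append((cur[0], cur[1:], child)); stack.append(node); node, cur = child, []
        elif t == '}': node = stack.pop()
        else: cur.append(t.strip('"'))
    return root

def pick_location(server, path):
    """Approximate nginx matching: exact '=' first, then regexes in file order, else longest prefix."""
    prefixes = []
    for n, args, body in server:
        if n != 'location': continue
        if args[0] == '=' and args[1] == path: return body
        if args[0] in ('~', '~*') and re.search(args[1], path, re.I if args[0] == '~*' else 0): return body
        if args[0] not in ('=', '~', '~*') and path.startswith(args[-1]): prefixes.append((len(args[-1]), body))
    return max(prefixes, default=(0, []), key=lambda p: p[0])[1]

def audit(conf_text, paths=("/WebCts2LE/manage", "/WebCts2LE/crud", "/WebCts2LE/application.wadl")):
    """Report admin paths that skip the HTTPS redirect (plain server) or Basic Auth (TLS server)."""
    findings = []
    for name, _, server in next(c for n, _, c in parse(conf_text) if n == 'http'):
        if name != 'server': continue
        listen = next(a for n, a, _ in server if n == 'listen')
        for path in paths:
            body = pick_location(server, path)
            redirected = any(x.startswith('https://') for n, a, _ in body if n in ('rewrite', 'return') for x in a)
            if 'ssl' not in listen and not redirected:
                findings.append(f"port {listen[0]}: {path} served over plain HTTP without HTTPS redirect")
            elif 'ssl' in listen and not any(n == 'auth_basic_user_file' for n, _, _ in body):
                findings.append(f"port {listen[0]}: {path} reachable over TLS without HTTP Basic Auth")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "no findings")
```

Point `audit()` at the real nginx.conf (read the file into a string) and extend the `paths` tuple if further administrative endpoints are proxied.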

Advanced Access Control

<forthcoming>