CTS2-LE Security Configuration: Difference between revisions
Revision history: page created by Billig (talk | contributions); 2 intermediate revisions by 2 users are not shown.
Current revision as of 17 January 2016, 12:42
The CTS2-LE standard configuration allows unrestricted read access, while administrative functionality (e.g., loading/updating terminologies) is restricted. This section describes how to configure these default security settings.
Simple Access Control
By default, each access to the administrative HTTP and REST-based services of CTS2-LE is secured by means of the SSL/TLS protocol combined with HTTP Basic Authentication. We recommend that you secure your CTS2-LE instance with the help of a reverse proxy server. If no security appliance is available, you can use an NGINX server instead. Use the following instructions to set up an NGINX instance.
- Obtain the setup files from http://www.nginx.org/en/download.html for a Win32 installation or use the suitable package for your Linux distribution according to the instructions on http://wiki.nginx.org/Install.
- After unpacking/installation, adjust the nginx.conf file as follows to enable SSL/TLS and HTTP Basic Authentication for specific URL paths (for demonstration purposes 'manage', 'crud' and application.wadl).

```nginx
http {
    ...
    # Plain-HTTP server: read access to CTS2-LE stays unauthenticated,
    # administrative paths are redirected to the TLS server below.
    server {
        listen 80 default_server;
        server_name dev.test.com;
        root html;
        index index.html index.htm;

        location ~ (?:manage|crud|application\.wadl) {
            rewrite ^ https://$server_name$request_uri? permanent;
        }

        location = / {
            rewrite ^ http://$server_name/WebCts2LE/ last;
        }

        location ~ /WebCts2LE {
            # A variable in proxy_pass is resolved at request time; unless an
            # upstream block of that name exists, nginx needs a 'resolver' directive.
            proxy_pass http://$server_name:8033;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_max_temp_file_size 0;
            client_max_body_size 10m;
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            proxy_ignore_client_abort on;
        }
    }

    # TLS server: terminates SSL/TLS and requires Basic Authentication
    # on the administrative paths before proxying them to CTS2-LE.
    server {
        listen 443 ssl;
        server_name dev.test.com;
        ssl on;   # redundant with 'listen 443 ssl' and deprecated in newer nginx releases
        ssl_certificate cert.crt;
        ssl_certificate_key cert.key;

        # Perfect Forward Secrecy
        # Note: TLSv1/TLSv1.1 and RC4 in this list are no longer considered secure;
        # on a current nginx prefer TLSv1.2 or later and an AEAD-only cipher list.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        root html;
        index index.html index.htm;

        location = / {
            rewrite ^ http://$server_name$request_uri? permanent;
        }

        location ~ (?:manage|crud|application\.wadl) {
            proxy_pass http://$server_name:8033;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_max_temp_file_size 0;
            client_max_body_size 10m;
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
            proxy_ignore_client_abort on;

            # Credentials are checked against .htpasswd before the request reaches CTS2-LE.
            auth_basic "Operation requires authentication";
            auth_basic_user_file .htpasswd;
        }
    }
}
```
- The files cert.crt and cert.key must be a valid SSL certificate and private key located in $NGINX/conf.
- Replace the server name (dev.test.com in the example, referenced as $server_name) with your actual host name, matching the common name in your SSL certificate.
- Point the proxy_pass directive at your CTS2-LE server instance (port 8033 in the example).
- The .htpasswd file should be placed in $NGINX/conf. You can use the htpasswd program shipped with the Apache HTTP Server (https://httpd.apache.org/docs/2.2/programs/htpasswd.html) or an online tool (e.g., the htpasswd generator at http://aspirine.org/htpasswd_en.html) to produce the .htpasswd file.
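As an added example (not CTS2-LE's or the wiki's own code), the script below generates an .htpasswd entry locally in the {SSHA} form that nginx's auth_basic accepts, so an administrative password does not have to be pasted into an online tool, and models the decisions the two server blocks above make for a request. The host dev.test.com, port 8033 and the path regex are taken from the example configuration; the user 'admin' and its password are constructed.

```python
import base64
import hashlib
import re
import secrets

# Placeholders taken from the example nginx.conf on this page.
SERVER = "dev.test.com"
UPSTREAM = f"http://{SERVER}:8033"
# Paths the example nginx.conf treats as administrative (HTTPS + Basic Auth).
ADMIN_RE = re.compile(r"(?:manage|crud|application\.wadl)")


def htpasswd_ssha(user, password, salt=None):
    """Build one 'user:{SSHA}...' line; nginx's auth_basic accepts RFC 2307 {SSHA}."""
    salt = salt or secrets.token_bytes(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return f"{user}:{{SSHA}}{base64.b64encode(digest + salt).decode()}"


def check_password(line, user, password):
    """Verify a password against one {SSHA} line (constant-time digest compare)."""
    name, _, hashed = line.partition(":")
    if name != user or not hashed.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(hashed[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return secrets.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())


def route(scheme, path, authorization, htpasswd):
    """Outcome the two server blocks produce for one request (a model, not nginx)."""
    if scheme == "http":
        if path == "/":                    # exact-match location is tried first
            return f"302 http://{SERVER}/WebCts2LE/"
        if ADMIN_RE.search(path):          # admin paths are forced onto TLS
            return f"301 https://{SERVER}{path}"
        if "/WebCts2LE" in path:           # read access: proxied, no credentials
            return f"proxy {UPSTREAM}{path}"
        return "static html"
    if path == "/":
        return f"301 http://{SERVER}/"
    if not ADMIN_RE.search(path):
        return "static html"
    try:                                   # auth_basic: 'Basic base64(user:password)'
        user, _, pw = base64.b64decode(authorization.split(" ", 1)[1]).decode().partition(":")
    except (AttributeError, IndexError, ValueError):
        return "401"
    if any(check_password(line, user, pw) for line in htpasswd):
        return f"proxy {UPSTREAM}{path}"
    return "401"
```

Append the line returned by htpasswd_ssha to $NGINX/conf/.htpasswd; `openssl passwd -apr1` is another local option that produces a compatible apr1 entry.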
Advanced Access Control
<forthcoming>