CTS2-LE Security Configuration
Revision as of 9 June 2015, 12:04 by Kuhlisch (Talk | contribs) (Page created: "CTS2-LE standard configuration allows unrestricted read access while administrative functionalities (e. g. loading/updating terminologies) is restricted to reg…")
The CTS2-LE standard configuration allows unrestricted read access, while administrative functionality (e.g. loading or updating terminologies) is restricted to registered named users. This section describes how to configure these default security settings and how enhanced security services (e.g. full access control) may be linked with CTS2-LE.
Simple Access Control
By default, each access to the administrative HTTP and REST-based services of CTS2-LE is secured by means of the SSL/TLS protocol with complementary HTTP Basic Authentication. We recommend that you secure your CTS2-LE instance with the help of a reverse proxy server.
The following sample configuration uses NGINX as a proxy.
nginx.conf
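# nginx requires an events block; the defaults are used here
events {}

http {
    # Plain HTTP: read access stays unrestricted
    server {
        listen 80 default_server;
        server_name localhost;
        root html;
        index index.html index.htm;

        # Administrative URIs are redirected to HTTPS.
        # The trailing "?" keeps nginx from appending the query string twice.
        location ~ (?:manage|crud) {
            rewrite ^ https://$server_name$request_uri? permanent;
        }
    }

    # HTTPS: administrative URIs only
    server {
        # The "ssl" parameter enables TLS; the separate "ssl on;" directive
        # is obsolete and rejected by current nginx releases.
        listen 443 ssl;
        server_name localhost;
        ssl_certificate cert.crt;
        ssl_certificate_key cert.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        root html;
        index index.html index.htm;

        # Everything that is not administrative goes back to plain HTTP
        location / {
            rewrite ^ http://$server_name$request_uri? permanent;
        }

        # Administrative URIs require HTTP Basic Authentication
        location ~ (?:manage|crud) {
            auth_basic "Managing operations require authentication";
            auth_basic_user_file .htpasswd;
        }
    }
}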
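The routing policy of the sample configuration above, modelled as an added example (not part of the original page or of CTS2-LE) so that a list of URLs can be checked against it before deployment. The URLs are constructed for illustration, and the model covers only percent-decoding of the path, not nginx's other path normalisation.

```python
import re
from urllib.parse import unquote, urlsplit

# Same pattern as "location ~ (?:manage|crud)": case-sensitive and unanchored.
ADMIN = re.compile(r"(?:manage|crud)")


def decide(url):
    """Return the action the sample nginx.conf takes for `url`."""
    parts = urlsplit(url)
    # nginx matches locations against the decoded path, never the query string.
    path = unquote(parts.path) or "/"
    is_admin = ADMIN.search(path) is not None
    if parts.scheme == "http":
        # Port 80: admin URIs are redirected, everything else is served.
        return "redirect-to-https" if is_admin else "serve-plain"
    if parts.scheme == "https":
        # Port 443: admin URIs need credentials, everything else goes back to HTTP.
        return "basic-auth" if is_admin else "redirect-to-http"
    raise ValueError("unsupported scheme: %r" % parts.scheme)


def gaps(admin_urls):
    """Return the URLs that should be protected but never reach Basic Auth."""
    protected = {"basic-auth", "redirect-to-https"}
    return [u for u in admin_urls if decide(u) not in protected]


# Constructed sample URLs; the real CTS2-LE paths may differ.
SAMPLES = [
    "http://localhost/manage/load",          # admin over HTTP
    "https://localhost/crud/codesystem/1",   # admin over HTTPS
    "https://localhost/codesystems",         # read access over HTTPS
    "http://localhost/browse?next=/manage",  # keyword only in the query string
    "https://localhost/%6danage/load",       # percent-encoded "m"
    "https://localhost/images/manager.png",  # unanchored pattern also matches here
    "http://localhost/MANAGE/load",          # "~" is case-sensitive
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-40s %s" % (url, decide(url)))
    # If the backend treats paths case-insensitively, switch the location to "~*".
    print("not protected:", gaps(["http://localhost/manage/load",
                                  "http://localhost/MANAGE/load"]))
```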