Sensible security defaults in dice/options/apacheconf.h
The dice/options/apacheconf.h header has been changed so that by default it includes various sensible apacheconf headers (that is, configuration) to help secure your web server. Previously you had to opt in to use these settings; now you can opt out if you so wish.
- IPLIMIT - Sets a default of 30 simultaneous connections from a single IP address.
  - The default of 30 can be overridden by #define DICE_OPTIONS_APACHECONF_IPLIMIT_DEFAULT 10 (for example).
  - More info: SecuringWebServers#IPLIMIT
  - Skip: DICE_OPTIONS_APACHECONF_SKIP_IPLIMIT
- DENYFRAME - Sets a header to stop browsers from framing your site.
  - We actually override the default DENY option with the less restrictive SAMEORIGIN option, which allows pages to be framed as long as the page doing the framing is on the same site. This means that, for example, the Plone edit page continues to work.
  - More info: SecuringWebServers#DENYFRAME
  - Skip: DICE_OPTIONS_APACHECONF_SKIP_DENYFRAME
- SECURITY - Enable the mod_security module.
  - Can be overzealous and lead to false positives and other problems; you may want to configure it further.
  - More info: SecuringWebServers#SECURITY
  - Skip: DICE_OPTIONS_APACHECONF_SKIP_SECURITY
- COSIGNFACTOR - Set INF.ED.AC.UK as the default Cosign Required Factor.
  - More info: SecuringWebServers#COSIGNFACTOR, particularly if you are using EASE authentication for your web site/service.
  - Skip: DICE_OPTIONS_APACHECONF_SKIP_COSIGNFACTOR
So to skip any of these options individually, #define the specified "Skip" variable before including apacheconf.h. To opt out of all these settings you can #define DICE_OPTIONS_APACHECONF_SKIP_ALLSENSIBLE before including dice/options/apacheconf.h.
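As an added example (not taken from the page or from the DICE headers themselves), here is an LCFG profile fragment for a web server that keeps the sensible defaults but raises the per-IP connection limit and leaves out mod_security. The angle-bracket include form, the value 50 and the comments are assumptions of this example.

```lcfg
/* Constructed example LCFG profile fragment (not part of the DICE headers).
   Every DICE_OPTIONS_APACHECONF_* macro must be defined BEFORE the header
   is included, because the header tests them at the point it is included. */

/* Raise IPLIMIT from the default of 30 to 50 simultaneous connections
   from a single IP address (50 is an arbitrary value for this example). */
#define DICE_OPTIONS_APACHECONF_IPLIMIT_DEFAULT 50

/* Opt out of mod_security only; IPLIMIT, DENYFRAME and COSIGNFACTOR
   remain enabled with their defaults. */
#define DICE_OPTIONS_APACHECONF_SKIP_SECURITY

/* Now pull in the apacheconf header; the choices above take effect here. */
#include <dice/options/apacheconf.h>

/* To drop all four sensible defaults at once, replace the two defines
   above with the single line:
   #define DICE_OPTIONS_APACHECONF_SKIP_ALLSENSIBLE */
```

Defining a Skip or IPLIMIT_DEFAULT macro after the #include has no effect, since the header has already been processed by then.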
-- NeilBrown - 09 Feb 2015
Topic revision: r6 - 12 Mar 2015 - 12:27:14 - NeilBrown