Sensible security defaults in dice/options/apacheconf.h

The dice/options/apacheconf.h header has been changed so that, by default, it includes various sensible apacheconf headers (configuration) to help secure your web server. Previously you had to opt in to use these settings; now you can opt out if you so wish.

  • IPLIMIT - Sets a default limit of 30 simultaneous connections from a single IP address.
    • The default of 30 can be overridden by #define DICE_OPTIONS_APACHECONF_IPLIMIT_DEFAULT 10 (or whatever limit you want).
    • More info: SecuringWebServers#IPLIMIT

  • DENYFRAME - Sets a response header that stops browsers from framing your site.
    • We actually override the default DENY option and use the less restrictive SAMEORIGIN option instead. This allows a page to be framed as long as the page doing the framing is on the same site, which means, for example, that the Plone edit page continues to work.
    • More info: SecuringWebServers#DENYFRAME

  • SECURITY - Enables the mod_security module.
    • It can be overzealous and lead to false positives and other problems, so you may want to configure it further.
    • More info: SecuringWebServers#SECURITY

  • COSIGNFACTOR - Sets INF.ED.AC.UK as the default Cosign Required Factor.
    • More info: SecuringWebServers#COSIGNFACTOR, particularly if you are using EASE authentication for your web site/service.
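To make the DENY versus SAMEORIGIN trade-off in the DENYFRAME item concrete, here is an added Python example (not code from the DICE apacheconf.h header or the LCFG project). It assumes that DENYFRAME works by sending the X-Frame-Options response header, and it uses constructed sample responses and hypothetical hostnames (www.example.ac.uk, other.example.net). It parses a captured response, works out the origin that SAMEORIGIN compares, and reports whether the site's own pages (the Plone edit page case) and a page on another site would be allowed to frame it.

```python
"""Constructed illustration of the DENY vs SAMEORIGIN framing decision.

Added example, not part of the DICE apacheconf.h header; it assumes the
DENYFRAME option sets the X-Frame-Options response header.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin that SAMEORIGIN compares.

    Scheme and host are case-insensitive and a missing port means the
    scheme's default, so https://a/ and HTTPS://A:443/ are one origin.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_response_headers(raw):
    """Parse a raw HTTP response (status line plus headers) into a dict.

    Header names are lower-cased because HTTP header names are
    case-insensitive; any body after the blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_allowed(headers, framed_url, framing_url):
    """Decide whether a browser would let the page at framing_url embed
    the page at framed_url, given the framed page's response headers.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-frame-options")
    if value is None:
        return True  # no header: any site may frame the page
    policy = value.strip().upper()
    if policy == "DENY":
        return False  # nobody may frame it, not even the site itself
    if policy == "SAMEORIGIN":
        return origin(framed_url) == origin(framing_url)
    # Anything else (including the obsolete ALLOW-FROM) is ignored by
    # current browsers, which leaves the page framable by anyone.
    return True


# Constructed sample responses for a hypothetical site's edit page.
SITE = "https://www.example.ac.uk"
EDIT_PAGE = SITE + "/front-page/edit"
DENY_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n\r\n<html>"
)
SAMEORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
)


def edit_page_works(raw_response):
    """True if the site's own pages can still frame the edit page, the
    case the SAMEORIGIN choice is meant to preserve."""
    headers = parse_response_headers(raw_response)
    return framing_allowed(headers, EDIT_PAGE, SITE + "/")


def cross_site_framing_blocked(raw_response):
    """True if a page on another (hypothetical) site cannot frame the edit page."""
    headers = parse_response_headers(raw_response)
    return not framing_allowed(headers, EDIT_PAGE, "https://other.example.net/")


if __name__ == "__main__":
    for name, resp in (("DENY", DENY_RESPONSE), ("SAMEORIGIN", SAMEORIGIN_RESPONSE)):
        print(f"{name}: edit page works={edit_page_works(resp)}, "
              f"cross-site framing blocked={cross_site_framing_blocked(resp)}")
```

Both policies block framing from another site; only SAMEORIGIN keeps same-site framing (and therefore the edit page) working, which is why the default DENY is overridden. Note that origins are compared on scheme, host and port, so a page served on a different port of the same host does not count as the same site.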

So, to skip any of these options individually, #define the "Skip" variable specified for that option before including apacheconf.h. To opt out of all of these settings, #define DICE_OPTIONS_APACHECONF_SKIP_ALLSENSIBLE before including dice/options/apacheconf.h.

-- NeilBrown - 09 Feb 2015

Topic revision: r6 - 12 Mar 2015 - 12:27:14 - NeilBrown