
Sensible security defaults in dice/options/apacheconf.h

The dice/options/apacheconf.h header has been changed so that, by default, it will include various sensible apacheconf headers, or configuration, to help secure your web server. Previously you had to opt in to use these settings; now you can opt out if you so wish.

(Not actually true: currently you still have to opt in by defining DICE_OPTIONS_APACHECONF_SENSIBLE, but after I've announced this at the Dev meeting, and agreed a date, it will be true!)

  • IPLIMIT - Sets a default of 30 simultaneous connections from a single IP address.
      • The default of 30 can be overridden by #define DICE_OPTIONS_APACHECONF_IPLIMIT_DEFAULT 10.
      • More info: SecuringWebServers#IPLIMIT

  • DENYFRAME - Sets a header to stop browsers from framing your site.
      • More info: SecuringWebServers#DENYFRAME

  • SECURITY - Enables the mod_security module.
      • It can be overzealous and lead to false positives and other problems; you may want to configure it further.
      • More info: SecuringWebServers#SECURITY

  • COSIGNFACTOR - Sets INF.ED.AC.UK as the default Cosign Required Factor.
      • More info: SecuringWebServers#COSIGNFACTOR

To skip any of these options individually, #define the specified "Skip" variable before including apacheconf.h. To opt out of all these settings, you can #define DICE_OPTIONS_APACHECONF_SKIP_ALLSENSIBLE before including dice/options/apacheconf.h.

-- NeilBrown - 19 Jan 2015

Topic revision: r2 - 20 Jan 2015 - 15:31:58 - NeilBrown