
Sensible security defaults in dice/options/apacheconf.h

The dice/options/apacheconf.h header has been changed so that by default it includes various sensible apacheconf headers, or configuration, to help secure your web server. Previously you had to opt in to these settings; now you can opt out if you wish.

(Not actually true: currently you still have to opt in by defining DICE_OPTIONS_APACHECONF_SENSIBLE, but by the stable release of 4/2/2015 it will be true!)

  • IPLIMIT - Sets a default limit of 30 simultaneous connections from a single IP address.
      • The default of 30 can be overridden with #define DICE_OPTIONS_APACHECONF_IPLIMIT_DEFAULT 10.
      • More info: SecuringWebServers#IPLIMIT

  • DENYFRAME - Sets a header to stop browsers from framing your site.
      • We override the default DENY option with the less restrictive SAMEORIGIN option, which allows pages to be framed as long as the page doing the framing is on the same site. This means that, for example, the Plone edit page continues to work.
      • More info: SecuringWebServers#DENYFRAME

  • SECURITY - Enables the mod_security module.
      • It can be overzealous and lead to false positives and problems, so you may want to configure it further.
      • More info: SecuringWebServers#SECURITY

  • COSIGNFACTOR - Sets INF.ED.AC.UK as the default Cosign Required Factor.
      • More info: SecuringWebServers#COSIGNFACTOR

To skip any of these options individually, #define the specified "Skip" variable before including apacheconf.h. To opt out of all these settings, #define DICE_OPTIONS_APACHECONF_SKIP_ALLSENSIBLE before including dice/options/apacheconf.h.

-- NeilBrown - 19 Jan 2015
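
The following check for the DENYFRAME behaviour described above is an added example, not part of the DICE headers or of the original page. It assumes the header involved is X-Frame-Options (whose DENY and SAMEORIGIN values match the options named above); the example.org / example.net URLs and the sample response are constructed, and the model considers a single parent frame only.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
VALID = {"DENY", "SAMEORIGIN"}

def origin(url):
    """(scheme, host, port) tuple used for a same-origin comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def frame_policy(raw_headers):
    """Return 'DENY', 'SAMEORIGIN', 'MISSING' or 'INVALID' for a raw header block."""
    values = set()
    for line in raw_headers.splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.update(v.strip().upper() for v in value.split(","))
    if not values:
        return "MISSING"
    if len(values) > 1 or not values <= VALID:
        return "INVALID"    # conflicting or unknown values: flag for review
    return values.pop()

def framing_allowed(policy, page_url, framer_url):
    """Model the framing decision for one parent frame (no nested ancestors)."""
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return origin(page_url) == origin(framer_url)
    return True             # audit stance: MISSING/INVALID counts as unprotected

# Constructed sample response, as sent by a server using the SAMEORIGIN default.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "x-frame-options: sameorigin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    policy = frame_policy(SAMPLE)
    page = "https://www.example.org/site/edit"     # constructed URLs
    for framer in ("https://www.example.org/site", "https://other.example.net/"):
        print(policy, framer, framing_allowed(policy, page, framer))
```

A result of MISSING or INVALID for a host that should have the sensible defaults suggests the option was skipped or another configuration layer is overriding the header.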

Topic revision: r4 - 27 Jan 2015 - 14:22:53 - NeilBrown