This commit is contained in:
Roland Gruber 2023-01-14 14:17:15 +01:00
parent 97401e6c93
commit e29c33663d
5 changed files with 50 additions and 6 deletions


@ -1,6 +1,9 @@
Alias /lam /usr/share/ldap-account-manager Alias /lam /usr/share/ldap-account-manager
# HSTS header to enforce https:// connections (requires active mod_headers)
# Header always set Strict-Transport-Security "max-age=31536000"
<Directory /usr/share/ldap-account-manager> <Directory /usr/share/ldap-account-manager>
Options +FollowSymLinks Options +FollowSymLinks
AllowOverride None AllowOverride None
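Review bot: the commented `Header always set Strict-Transport-Security "max-age=31536000"` sits outside the `<Directory>` block, so once uncommented it applies to the whole virtual host, and if mod_headers is not loaded Apache refuses to start with an unknown-directive error rather than skipping the line. Consider wrapping it in `<IfModule mod_headers.c>` ... `</IfModule>` so it fails soft, and extend the comment to say it only has effect in the https:// virtual host, since browsers ignore HSTS received over plain http.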


@ -2,6 +2,8 @@ location /lam {
index index.html; index index.html;
alias /usr/share/ldap-account-manager; alias /usr/share/ldap-account-manager;
autoindex off; autoindex off;
# HSTS header to enforce https:// connections
# add_header Strict-Transport-Security "max-age=31536000";
location ~ /lam/tmp/(.|\n)*\.(php|inc)$ { location ~ /lam/tmp/(.|\n)*\.(php|inc)$ {
deny all; deny all;
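Review bot: nginx `add_header` directives are inherited from the enclosing level only when the current level defines none, so uncommenting this line inside `location /lam { ... }` silently drops any `add_header` lines set at `server` level (for example other security headers). Either place the HSTS header at `server` level of the TLS server block, or say in the comment that all other `add_header` directives must be repeated here; adding the `always` parameter (`add_header Strict-Transport-Security "max-age=31536000" always;`) also sends it on error responses.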


@ -1,6 +1,9 @@
Alias /lam /usr/share/ldap-account-manager Alias /lam /usr/share/ldap-account-manager
# HSTS header to enforce https:// connections (requires active mod_headers)
# Header always set Strict-Transport-Security "max-age=31536000"
<Directory /usr/share/ldap-account-manager> <Directory /usr/share/ldap-account-manager>
Options +FollowSymLinks Options +FollowSymLinks
AllowOverride None AllowOverride None
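Review bot: this is the same commented HSTS stanza as in the first Apache config, so the `<IfModule mod_headers.c>` guard and the https-vhost note apply here as well; keeping the stanza byte-identical in both files makes later edits easier to review.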


@ -2,6 +2,8 @@ location /lam {
index index.html; index index.html;
alias /usr/share/ldap-account-manager; alias /usr/share/ldap-account-manager;
autoindex off; autoindex off;
# HSTS header to enforce https:// connections
# add_header Strict-Transport-Security "max-age=31536000";
location ~ /lam/tmp/(.|\n)*\.(php|inc)$ { location ~ /lam/tmp/(.|\n)*\.(php|inc)$ {
deny all; deny all;
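Review bot: same `add_header` inheritance caveat as in the first nginx config: enabling this line inside `location /lam` discards server-level `add_header` directives for that location, so either move it to `server` level, repeat the other headers here, or document this in the comment; `always` is also worth adding so error responses carry the header.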


@ -188,6 +188,22 @@ semodule -i httpdlocal.pp</programlisting>
<section id="apache"> <section id="apache">
<title>Apache configuration</title> <title>Apache configuration</title>
<section>
<title>Security headers</title>
<para>LAM already sets several security headers by default. For
production machines it is recommended to run LAM with "https://"
enabled. In this case the HSTS header should be set, e.g. like
this:</para>
<programlisting>Header always set Strict-Transport-Security "max-age=31536000"</programlisting>
<para>This will enforce browsers to connect via "https://". Please note
that you need to make sure that your installation has a valid
certificate now and in the future. The configuration requires
mod_headers to be active.</para>
</section>
<section> <section>
<title>Sensitive directories</title> <title>Sensitive directories</title>
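Review bot: the new `<programlisting>` shows the directive but not where it belongs; since the shipped config files already carry it commented out, say so and point the reader at that line, and state that it goes into the https:// virtual host. Also "This will enforce browsers to connect via" should read "This will force browsers to connect via", and a sentence that browsers cache HSTS for the full `max-age` (one year here) would explain why the certificate must stay valid.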
@ -372,6 +388,22 @@ semodule -i httpdlocal.pp</programlisting>
<para>There is no fully automatic setup of Nginx but LAM provides a <para>There is no fully automatic setup of Nginx but LAM provides a
ready-to-use configuration file.</para> ready-to-use configuration file.</para>
<section>
<title>Security headers</title>
<para>LAM already sets several security headers by default. For
production machines it is recommended to run LAM with "https://"
enabled. In this case the HSTS header should be set.</para>
<para>This will enforce browsers to connect via "https://". Please note
that you need to make sure that your installation has a valid
certificate now and in the future.</para>
<para>The example configurations below already include a commented
example for "Strict-Transport-Security" (HSTS). You can activate it if
needed.</para>
</section>
<section> <section>
<title>RPM based installations</title> <title>RPM based installations</title>
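Review bot: unlike the Apache section, this one only says the header "should be set" without showing the directive, so the reader has to find the commented line in the example configs further down. Add a `<programlisting>add_header Strict-Transport-Security "max-age=31536000" always;</programlisting>` here, mention that placing it inside a `location` block hides server-level `add_header` directives, and apply the same "force browsers" wording fix.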
@ -390,9 +422,9 @@ semodule -i httpdlocal.pp</programlisting>
... ...
}</programlisting> }</programlisting>
<para>The included config file uses PHP 5. In case you run with PHP 7 <para>The included config file uses "127.0.0.1:9000" for PHP. In case
please update the parameter "fastcgi_pass" to you run PHP with a socket please update the parameter "fastcgi_pass" to
"/var/run/php7-fpm.sock".</para> e.g. "/var/run/php8-fpm.sock".</para>
</section> </section>
<section> <section>
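Review bot: "/var/run/php8-fpm.sock" is given as an example path, but the socket name depends on distribution and PHP version; suggest telling the reader to take the value from the `listen =` line of their php-fpm pool configuration instead of guessing, and keep the "PHP 8" wording consistent with the "PHP 8" / "php8.1" mix in the next paragraph.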
@ -409,9 +441,9 @@ semodule -i httpdlocal.pp</programlisting>
... ...
}</programlisting> }</programlisting>
<para>The included config file uses PHP 7.0. In case you run with PHP <para>The included config file uses PHP 7.4. In case you run with PHP 8
7.1 or PHP 5 please update the parameter "fastcgi_pass" to please update the parameter "fastcgi_pass" to e.g.
"/var/run/php/php7.1-fpm.sock".</para> "/var/run/php/php8.1-fpm.sock".</para>
</section> </section>
<section> <section>
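Review bot: the hardcoded "php8.1-fpm.sock" will go stale with each PHP release, exactly as the replaced 7.1 text did; wording such as "/var/run/php/php8.x-fpm.sock with x matching your installed PHP version", or a pointer to the pool's `listen` setting, would age better.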
@ -429,6 +461,8 @@ semodule -i httpdlocal.pp</programlisting>
index index.html; index index.html;
alias /usr/share/ldap-account-manager; alias /usr/share/ldap-account-manager;
autoindex off; autoindex off;
# HSTS header to enforce https:// connections
# add_header Strict-Transport-Security "max-age=31536000";
location ~ \.php$ { location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
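Review bot: this documentation example places `add_header` inside the `location /lam` block like the shipped configs, so the same caveat applies: uncommenting it drops server-level `add_header` directives for this location. A short comment saying so (or `always;` plus the other headers) would spare users a confusing debugging session.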