documentation:latest:security [2012/05/23 21:03] fxdeltombe
documentation:latest:security [2013/02/04 20:58] (current) fxdeltombe
| Line 11: | Line 11: | ||
| ===== Protect the Manager ===== | ===== Protect the Manager ===== | ||
| - | By default, the manager is restricted to localhost in its Apache configuration file, but no accounting is done. To change this, you can choose one of the following: | + | By default, the manager is restricted to the user 'dwho' (default backend is Demo). To protect the manager, you have to choose one or both of : |
| * protect the manager by Apache configuration | * protect the manager by Apache configuration | ||
| * protect the manager by LL::NG | * protect the manager by LL::NG | ||
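Review bot: the first `+` line drops the statement that the manager is restricted to localhost in its Apache configuration without saying whether that restriction still applies, and "restricted to the user 'dwho'" reads as if a login requirement were already in place, when the Demo backend is a test backend and its 'dwho' account is not a protection. State plainly that, as shipped, any client that can reach the manager URL can log in with the Demo account, and that the Apache protection or the LL::NG protection listed below is mandatory before the manager is reachable from anything other than the host it runs on. Minor: "one or both of :" has a stray space before the colon.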
| Line 138: | Line 138: | ||
| * **Force authentication**: set to 'On' to force authentication when user connects to portal, even if he has a valid session | * **Force authentication**: set to 'On' to force authentication when user connects to portal, even if he has a valid session | ||
| * **Encryption key**: key used to crypt some data, should not be known by other applications | * **Encryption key**: key used to crypt some data, should not be known by other applications | ||
| - | * **Trusted domains**: domains on which the user can be redirected after login on portal : e.g. '.example.net example.org' for the whole domain *.example.net and the single domain name example.org. Set '*' to accept all. | + | * **Trusted domains**: domains on which the user can be redirected after login on portal. Domains must be separated with spaces and look like : |
| + | * 'app.example.net' for the only name app.example.net (names in subdomain app.example.net as test.app.example.net are excluded) | ||
| + | * '.example.net' for names in subdomain example.net, as app.example.net and test.app.example.net (but example.net is excluded) | ||
| + | * '*' for all domain names - but be aware that a hacker can easily retrieve someone's session id. | ||
| * **Use Safe jail**: set to 'Off' to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues. | * **Use Safe jail**: set to 'Off' to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues. | ||
| + | * **Check XSS Attacks**: Set to 'Off' to disable XSS checks. XSS checks will still be done with warning in logs, but this will not prevent the process to continue. | ||
| ===== Fail2ban ===== | ===== Fail2ban ===== | ||
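Review bot: the `'*'` bullet warns that "a hacker can easily retrieve someone's session id" but not how; say that accepting every domain turns the portal into an open redirector, so a crafted portal link that sends the user to an attacker's host after login delivers the authenticated user, and whatever the portal puts in that redirect, to the attacker, which is the session id exposure the warning means. In the `'.example.net'` bullet, "names in subdomain example.net" should read "names under example.net", and since the leading-dot form excludes the apex while the exact form excludes subdomains, add one combined entry such as `'.example.net example.net'` showing that both must be listed to cover a whole domain; the removed `-` line carried such an example and the new list has none. The "Check XSS Attacks" line contradicts itself ("disable XSS checks" followed by "checks will still be done"); reword as "Set to 'Off' to only log detected XSS attempts instead of rejecting the request", which also fixes "prevent the process to continue".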