diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4754c989fc..7ca36d1c17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+16.05.2015
+
+* Security config update. Please replace all Location and RedirectMatch
+ in Admin, Registrar and Registrant Apache2 config. New one are in readme.
+
15.05.2015
* Refer to doc/certificates.md for ID card login, note that CRL files in Apache config are not paths to CRL directory. (SSLCARevocationFile -> SSLCARevocationPath)
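Review bot: the new changelog entry says "Security config update" but does not say what was insecure about the previous Location/RedirectMatch blocks or what an operator should verify after replacing them, so nobody reading this can tell whether their deployment is affected. State the effect in a line or two (which paths are now denied by default, and that the `/login` rewrite became an external redirect), and fix the grammar: "New one are in readme" should read "The new ones are in the README."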
diff --git a/README.md b/README.md
index 8a44eeb70e..c3fe459724 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,8 @@ Documentation
### Updating documentation
- AUTODOC=true rspec spec/requests
- EPP_DOC=true rspec spec/epp --tag epp --require support/epp_doc.rb --format EppDoc > doc/epp-examples.md
+AUTODOC=true rspec spec/requests
+EPP_DOC=true rspec spec/epp --tag epp --require support/epp_doc.rb --format EppDoc > doc/epp-examples.md
Installation
------------
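Review bot: the `+` lines drop the leading indentation that made the two rspec commands a Markdown code block, so after this change they render as ordinary paragraphs and the `>` in `--format EppDoc > doc/epp-examples.md` is no longer obviously a shell redirect. Either keep the four-space indent or wrap them in a fenced ``` block like the Apache examples further down.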
@@ -32,53 +32,49 @@ Registry based on Rails 4 installation (rbenv install is under Debian build doc)
Manual demo install and database setup:
- cd /home/registry
- git clone git@github.com:internetee/registry.git demo-registry
- cd demo-registry
- rbenv local 2.2.2
- bundle
- cp config/application-example.yml config/application.yml # and edit it
- cp config/database-example.yml config/database.yml # and edit it
- bundle exec rake db:all:setup # for production, please follow deployment howto
- bundle exec rake assets:precompile
+cd /home/registry
+git clone git@github.com:internetee/registry.git demo-registry
+cd demo-registry
+rbenv local 2.2.2
+bundle
+cp config/application-example.yml config/application.yml # and edit it
+cp config/database-example.yml config/database.yml # and edit it
+bundle exec rake db:all:setup # for production, please follow deployment howto
+bundle exec rake assets:precompile
### Apache with patched mod_epp (Debian 7/Ubuntu 14.04 LTS)
- sudo apt-get install apache2
+sudo apt-get install apache2
- sudo apt-get install apache2-threaded-dev # needed to compile mod_epp
- wget sourceforge.net/projects/aepps/files/mod_epp/1.10/mod_epp-1.10.tar.gz
- tar -xzvf mod_epp-1.10.tar.gz
- cd mod_epp-1.10
+sudo apt-get install apache2-threaded-dev # needed to compile mod_epp
+wget sourceforge.net/projects/aepps/files/mod_epp/1.10/mod_epp-1.10.tar.gz
+tar -xzvf mod_epp-1.10.tar.gz
+cd mod_epp-1.10
Patch mod_epp for Rack. Beacause Rack multipart parser expects specifically
formatted content boundaries, the mod_epp needs to be modified before building:
- wget https://github.com/internetee/registry/raw/master/doc/patches/mod_epp_1.10-rack-friendly.patch
- wget https://raw.githubusercontent.com/domify/registry/master/doc/patches/mod_epp_1.10-frame-size.patch
- patch < mod_epp_1.10-rack-friendly.patch
- patch < mod_epp_1.10-frame-size.patch
- sudo apxs2 -a -c -i mod_epp.c
+wget https://github.com/internetee/registry/raw/master/doc/patches/mod_epp_1.10-rack-friendly.patch
+wget https://raw.githubusercontent.com/domify/registry/master/doc/patches/mod_epp_1.10-frame-size.patch
+patch < mod_epp_1.10-rack-friendly.patch
+patch < mod_epp_1.10-frame-size.patch
+sudo apxs2 -a -c -i mod_epp.c
Enable ssl:
- sudo a2enmod proxy_http
- sudo mkdir /etc/apache2/ssl
- sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
- sudo a2enmod ssl
- sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
+sudo a2enmod proxy_http
+sudo mkdir /etc/apache2/ssl
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
+sudo a2enmod ssl
+sudo nano /etc/apache2/sites-enabled/epp_ssl.conf
For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-enabled/registry.conf short example:
+
```
ServerName your-domain
ServerAdmin your@example.com
- # Rewrite /login to /admin/login
- RewriteEngine on
- RewriteCond %{REQUEST_URI} ^/login [NC]
- RewriteRule ^/(.*) /admin/$1 [PT,L,QSA]
-
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
PassengerRuby /home/registry/.rbenv/shims/ruby
PassengerEnabled on
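Review bot: same de-indentation problem as the documentation hunk, applied to every shell snippet in the install section (the `cd`/`git clone`/`bundle` block, the `apt-get` lines, the mod_epp download and patch lines, and the ssl setup lines): they stop being Markdown code blocks and will render as run-on paragraphs, so fence them. While touching these lines, note that the second patch is fetched from a different GitHub organisation (`domify/registry`) than the project itself (`internetee/registry`), that the mod_epp tarball is fetched with `wget sourceforge.net/...` (no scheme, so plain HTTP), and that all three are applied and compiled into Apache with `sudo apxs2` without any checksum or signature check; vendoring both patches under this repo's doc/patches, using https for the tarball and publishing its SHA-256 would close that gap. Typo in the unchanged sentence above the patch commands: "Beacause". Removing the `/login` RewriteRule block at the end of this hunk is only safe because the RedirectMatch replacement is added in a later hunk of the same commit; keep them together.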
@@ -89,12 +85,12 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
RailsEnv production # or staging
DocumentRoot /home/registry/registry/current/public
-
- # Possible values include: debug, info, notice, warn, error, crit,
+
+ # Possible values include: debug, info, notice, warn, error, crit,
LogLevel info
ErrorLog /var/log/apache2/registry.error.log
CustomLog /var/log/apache2/registry.access.log combined
-
+
SSLEngine On
SSLCertificateFile /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key
@@ -105,22 +101,30 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
-
- # for Apache older than version 2.4
- Allow from all
+ RewriteEnginriteEngine on
+ RedirectMatch ^/$ /admin
+ RedirectMatch ^/login$ /admin/login
- # for Apache verison 2.4 or newer
- # Require all granted
-
- Options -MultiViews
-
+
+ # for Apache older than version 2.4
+ Allow from all
+
+ # for Apache verison 2.4 or newer
+ # Require all granted
+ Options -MultiViews
+
+
+
+ Allow from none
+ Deny from all
+
-
- Deny from all
+
+ Allow from all
-
- Allow from all
+
+ Allow from all
```
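Review bot: `RewriteEnginriteEngine on` (the first `+` line after `SSLCipherSuite`) is not a valid directive and will stop Apache from starting with "Invalid command"; it should read `RewriteEngine on`, and even that is unnecessary here because `RedirectMatch` is a mod_alias directive, not mod_rewrite, so the line can simply be dropped. `Allow from none` in the block that also has `Deny from all` is not a mod_access_compat keyword: `none` is parsed as a hostname pattern, so the line is a no-op that only costs a reverse-DNS lookup per request; `Deny from all` alone (or `Require all denied` on 2.4) is what actually denies. Visible in the unchanged context just above: `SSLCipherSuite RC4-SHA:HIGH:!ADH` with `SSLHonorCipherOrder On` prefers RC4, which RFC 7465 (February 2015) prohibits for TLS; `HIGH:!aNULL:!eNULL:!RC4:!MD5` would be a safer default for a registry admin interface.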
@@ -131,11 +135,6 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
ServerName your-registrar-domain
ServerAdmin your@example.com
- # Rewrite /login to /registrar/login
- RewriteEngine on
- RewriteCond %{REQUEST_URI} ^/login [NC]
- RewriteRule ^/(.*) /registrar/$1 [PT,L,QSA]
-
PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
PassengerRuby /home/registry/.rbenv/shims/ruby
PassengerEnabled on
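Review bot: dropping this RewriteCond/RewriteRule block changes behaviour in ways the replacement `RedirectMatch ^/login$ /registrar/login` (added further down) does not reproduce: the old condition was case-insensitive (`[NC]`) and matched any path beginning with `/login`, and `[PT]` rewrote internally so the client kept seeing `/login`, whereas RedirectMatch is case-sensitive, anchored with `$`, and answers with an external 302. If that is intended it should be stated in the changelog entry; otherwise keep a RewriteRule with `[NC,R=301,L]` or add a second RedirectMatch for the variants you still want to catch.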
@@ -146,12 +145,12 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
RailsEnv production # or staging
DocumentRoot /home/registry/registrar/current/public
-
+
# Possible values include: debug, info, notice, warn, error, crit,
LogLevel info
ErrorLog /var/log/apache2/registrar.error.log
CustomLog /var/log/apache2/registrar.access.log combined
-
+
SSLEngine On
SSLCertificateFile /etc/ssl/certs/your.crt
SSLCertificateKeyFile /etc/ssl/private/your.key
@@ -162,22 +161,31 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
+ RewriteEngine on
+ RedirectMatch ^/$ /registrar
+ RedirectMatch ^/login$ /registrar/login
+
- # for Apache older than version 2.4
- Allow from all
+ # for Apache older than version 2.4
+ Allow from all
- # for Apache verison 2.4 or newer
- # Require all granted
-
- Options -MultiViews
+ # for Apache verison 2.4 or newer
+ # Require all granted
+
+ Options -MultiViews
-
- Deny from all
+
+ Allow from none
+ Deny from all
-
- Allow from all
+
+ Allow from all
+
+
+
+ Allow from all
SSLVerifyClient none
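Review bot: `RewriteEngine on` added above the two RedirectMatch lines is not needed, since RedirectMatch belongs to mod_alias; drop it unless mod_rewrite rules remain elsewhere in this vhost. As in the admin config, `Allow from none` next to `Deny from all` is a no-op (`none` is treated as a hostname, not a keyword); `Deny from all` alone, or `Require all denied` on Apache 2.4, is the effective directive. The two RedirectMatch lines default to a 302; for fixed entry-point redirects `RedirectMatch permanent ^/$ /registrar` spares clients a round trip on every visit. The `SSLCipherSuite RC4-SHA:HIGH:!ADH` line in the context has the same RC4-first problem noted for the admin vhost.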
@@ -189,8 +197,8 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
- SSLVerifyClient require
- RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+ SSLVerifyClient require
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
@@ -205,111 +213,116 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as follows:
```
- ServerName your-registrant-domain
- ServerAdmin your@example.com
-
- # Rewrite /login to /registrant/login
- RewriteEngine on
- RewriteCond %{REQUEST_URI} ^/login [NC]
- RewriteRule ^/(.*) /registrant/$1 [PT,L,QSA]
-
- PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
- PassengerRuby /home/registry/.rbenv/shims/ruby
- PassengerEnabled on
- PassengerMinInstances 10
- PassengerMaxPoolSize 10
- PassengerPoolIdleTime 0
- PassengerMaxRequests 1000
+ ServerName your-registrant-domain
+ ServerAdmin your@example.com
+
+ PassengerRoot /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini
+ PassengerRuby /home/registry/.rbenv/shims/ruby
+ PassengerEnabled on
+ PassengerMinInstances 10
+ PassengerMaxPoolSize 10
+ PassengerPoolIdleTime 0
+ PassengerMaxRequests 1000
+
+ RailsEnv production # or staging
+ DocumentRoot /home/registry/registrant/current/public
+
+ # Possible values include: debug, info, notice, warn, error, crit,
+ LogLevel info
+ ErrorLog /var/log/apache2/registrant.error.log
+ CustomLog /var/log/apache2/registrant.access.log combined
+
+ SSLEngine On
+ SSLCertificateFile /etc/ssl/certs/your.crt
+ SSLCertificateKeyFile /etc/ssl/private/your.key
+ SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
+ SSLCACertificateFile /etc/ssl/certs/ca.pem
+
+ SSLProtocol TLSv1
+ SSLHonorCipherOrder On
+ SSLCipherSuite RC4-SHA:HIGH:!ADH
+
+ RewriteEngine on
+ RedirectMatch ^/$ /registrant
+ RedirectMatch ^/login$ /registrant/login
+
+
+ # for Apache older than version 2.4
+ Allow from all
+
+ # for Apache verison 2.4 or newer
+ # Require all granted
+
+ Options -MultiViews
+
- RailsEnv production # or staging
- DocumentRoot /home/registry/registrant/current/public
+
+ Allow from none
+ Deny from all
+
- # Possible values include: debug, info, notice, warn, error, crit,
- LogLevel info
- ErrorLog /var/log/apache2/registrant.error.log
- CustomLog /var/log/apache2/registrant.access.log combined
+
+ Allow from all
+
- SSLEngine On
- SSLCertificateFile /etc/ssl/certs/your.crt
- SSLCertificateKeyFile /etc/ssl/private/your.key
- SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
- SSLCACertificateFile /etc/ssl/certs/ca.pem
-
- SSLProtocol TLSv1
- SSLHonorCipherOrder On
- SSLCipherSuite RC4-SHA:HIGH:!ADH
+
+ Allow from all
+
-
- # for Apache older than version 2.4
- Allow from all
-
- # for Apache verison 2.4 or newer
- # Require all granted
-
- Options -MultiViews
-
-
-
- Deny from all
-
-
-
- Allow from all
-
-
- SSLVerifyClient none
- SSLVerifyDepth 1
- SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
- SSLCARevocationPath /home/registry/registry/shared/ca/crl
- # Uncomment in Apache 2.4
- # SSLCARevocationCheck chain
+ SSLVerifyClient none
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.cert.pem
+ SSLCARevocationPath /home/registry/registry/shared/ca/crl
+ # Uncomment in Apache 2.4
+ # SSLCARevocationCheck chain
- RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-
- SSLVerifyClient require
RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-
-
-
- SSLVerifyClient require
- Options Indexes FollowSymLinks MultiViews
- SSLVerifyDepth 2
- SSLOptions +StdEnvVars +ExportCertData
-
+
+ SSLVerifyClient require
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+
+
+
+ SSLVerifyClient require
+ Options Indexes FollowSymLinks MultiViews
+ SSLVerifyDepth 2
+ SSLOptions +StdEnvVars +ExportCertData
+
```
For Apache, REPP goes to port 443 in production, /etc/apache2/sites-enabled/repp.conf short example:
```
- ServerName your-repp-domain
- SSLEngine on
- #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
- SSLCertificateFile /etc/apache2/ssl/apache.crt
- SSLCertificateKeyFile /etc/apache2/ssl/apache.key
+ ServerName your-repp-domain
+ SSLEngine on
+ #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ SSLCertificateFile /etc/apache2/ssl/apache.crt
+ SSLCertificateKeyFile /etc/apache2/ssl/apache.key
- ProxyPass / http://localhost:8080/
- ProxyPassReverse / http://localhost:8080/
- ProxyPreserveHost on
- RequestHeader set X_FORWARDED_PROTO 'https'
+ ProxyPass / http://localhost:8080/
+ ProxyPassReverse / http://localhost:8080/
+ ProxyPreserveHost on
+ RequestHeader set X_FORWARDED_PROTO 'https'
- SSLVerifyClient none
- SSLVerifyDepth 1
- SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
- SSLCARevocationPath /home/registry/registry/shared/ca/crl
- SSLCARevocationCheck chain
+ SSLVerifyClient none
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+ SSLCARevocationPath /home/registry/registry/shared/ca/crl
+ SSLCARevocationCheck chain
- RequestHeader set SSL_CLIENT_S_DN_CN ""
+ RequestHeader set SSL_CLIENT_S_DN_CN ""
-
- Deny from all
-
+
+ Allow from none
+ Deny from all
+
-
- Allow from all
- SSLVerifyClient require
- RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-
+
+ Allow from all
+ SSLVerifyClient require
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+
```
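Review bot: `SSLCARevocationCheck chain` is active in the repp.conf block but left commented with "Uncomment in Apache 2.4" in the registrant block of the same hunk; that is inconsistent, and both choices have a failure mode: on 2.2 the directive is unknown and Apache will not start, and on 2.4 leaving it commented means `SSLCARevocationPath` is silently ignored because the 2.4 default is `none`, so revoked client certificates are still accepted. Pick one target version or wrap it in `<IfVersion >= 2.4>`. Other points in this hunk: `SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem` looks like a typo for `your-chain-file.pem`; `Options Indexes FollowSymLinks MultiViews` inside the client-certificate-required block re-enables directory listings and MultiViews that the rest of the vhost turns off with `Options -MultiViews`, so `Options -Indexes -MultiViews` is the safer setting; the commented `#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` should be deleted rather than kept as a template, because `+` only reorders and never excludes, so it would admit LOW, EXPORT and `eNULL` (no encryption) suites if anyone uncomments it; and repp.conf's pattern of `RequestHeader set SSL_CLIENT_S_DN_CN ""` at vhost level before re-setting it where `SSLVerifyClient require` applies is the right way to stop a client from supplying that header itself, whereas the registrant config sets it from `%{SSL_CLIENT_S_DN_CN}s` even where `SSLVerifyClient none` applies; mod_headers substitutes the literal `(null)` when no client certificate was presented, so the application must not treat a non-empty header as a verified identity. `Allow from none` is a no-op here as in the other vhosts.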
@@ -318,33 +331,33 @@ Be sure to update paths to match your system configuration.
/etc/apache2/sites-enabled/epp.conf short example:
```apache
- Listen 700
-
- SSLEngine on
- SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
- SSLCertificateFile /etc/apache2/ssl/apache.crt
- SSLCertificateKeyFile /etc/apache2/ssl/apache.key
-
- SSLVerifyClient require
- SSLVerifyDepth 1
- SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
- SSLCARevocationPath /home/registry/registry/shared/ca/crl
- # Uncomment this when upgrading to apache 2.4:
- # SSLCARevocationCheck chain
+ Listen 700
+
+ SSLEngine on
+ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ SSLCertificateFile /etc/apache2/ssl/apache.crt
+ SSLCertificateKeyFile /etc/apache2/ssl/apache.key
- RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
-
- EPPEngine On
- EPPCommandRoot /proxy/command
- EPPSessionRoot /proxy/session
- EPPErrorRoot /proxy/error
- EPPRawFrame raw_frame
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLCACertificateFile /home/registry/registry/shared/ca/certs/ca.crt.pem
+ SSLCARevocationPath /home/registry/registry/shared/ca/crl
+ # Uncomment this when upgrading to apache 2.4:
+ # SSLCARevocationCheck chain
+
+ RequestHeader set SSL_CLIENT_S_DN_CN "%{SSL_CLIENT_S_DN_CN}s"
+
+ EPPEngine On
+ EPPCommandRoot /proxy/command
+ EPPSessionRoot /proxy/session
+ EPPErrorRoot /proxy/error
+ EPPRawFrame raw_frame
- ProxyPass /proxy/ http://localhost:8080/epp/
+ ProxyPass /proxy/ http://localhost:8080/epp/
- EPPAuthURI implicit
- EPPReturncodeHeader X-EPP-Returncode
-
+ EPPAuthURI implicit
+ EPPReturncodeHeader X-EPP-Returncode
+
```
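Review bot: `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` is live in this vhost (only repp.conf has it commented out), and this is the EPP listener on port 700 that carries registrar passwords and client certificates; the `+` operator moves suites to the end of the list without removing them, so LOW, EXPORT and `eNULL` (no encryption) suites stay negotiable and RC4 is preferred. Replace it with an exclusion list such as `HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5` together with `SSLHonorCipherOrder On` and `SSLProtocol all -SSLv2 -SSLv3`. Second, with `SSLCARevocationCheck chain` still commented, Apache 2.4 performs no CRL check at all (its default is `none`) and `SSLCARevocationPath` has no effect, so revoked registrar certificates are still accepted on the EPP port; given that the 15.05.2015 changelog entry is specifically about getting CRL handling right, make the directive unconditional or gate it with `<IfVersion >= 2.4>` instead of relying on a comment.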