From: Andrew W. <viv...@gm...> - 2007-08-29 21:47:02
On 8/29/07, Tom Bostelmann <tbo...@gm...> wrote:
> Rather than trying to infer from the code which will get confusing pretty
> quickly, I would suggest putting together a restrictive setup like the one I
> described for testing. If you restrict traffic only to https then you're
> enforcing the level of security that you're looking for.

A simple way to do what Tom suggests would be to configure Mifos to run on
localhost:8080 as per default, and firewall off port 8080 from anything but
localhost... then configure Apache to use a self-signed SSL cert. With Apache's
mod_proxy and mod_rewrite, all http: traffic can be rerouted to use https:, and
then proxied to localhost for interaction with Mifos. Then a spider program like
wget can be used to search for broken links.

I'll include the steps for the above on the Adelante-specific implementation
page when we get to that point in our installation. In the meantime, more info
on how to do the above can be found here:

How to proxy Apache httpd traffic to Tomcat with mod_proxy:
http://tomcat.apache.org/tomcat-5.0-doc/proxy-howto.html

How to filter out specific ports using Linux ipchains (sorry Windows folks):
http://www.flounder.net/ipchains/ipchains-howto.html

How to force http traffic to https using Apache mod_rewrite:
http://www.whoopis.com/howtos/apache-rewrite.html

A secure Linux installation should include a lot of ipchains filters (e.g. limit
source IP range of ssh logins), and additionally any .war applications on JBoss
other than Mifos ought likely to be disabled or removed.

-Andrew
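The setup Andrew sketches (app on localhost:8080, port 8080 firewalled to loopback, Apache terminating TLS with a self-signed cert, http: rewritten to https: and proxied to the app, wget spidering the result) as an added, runnable example. This is not code from the thread or from the Mifos project: the hostname mifos.example.org, the certificate and vhost paths, and the function names are assumptions, and iptables is used in place of the ipchains in the linked howto, since ipchains has been replaced by iptables on any current kernel. Enabling mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http and reloading httpd is distro-specific and left out.

```shell
#!/bin/sh
# Added example (not from the original thread): front an app listening on
# 127.0.0.1:8080 with Apache httpd over HTTPS and keep 8080 loopback-only.
# SITE_HOST, cert/vhost paths and function names are assumptions.
SITE_HOST="${SITE_HOST:-mifos.example.org}"

# 1. Self-signed cert for the test rig (a CA-issued cert for production).
make_selfsigned_cert() {   # $1 = directory to write key and cert into
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SITE_HOST" \
    -keyout "$1/$SITE_HOST.key" -out "$1/$SITE_HOST.crt"
}

# 2. Apache vhost. Port 80 does nothing but rewrite to https:; port 443
#    terminates TLS and proxies to the app on loopback. ProxyRequests Off
#    keeps httpd from doubling as an open forward proxy; ProxyPassReverse
#    rewrites Location headers so the app's redirects stay on the public name.
write_vhost() {   # $1 = vhost file to write, $2 = cert directory
  cat > "$1" <<EOF
<VirtualHost *:80>
    ServerName $SITE_HOST
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*)$ https://%{SERVER_NAME}/\$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName $SITE_HOST
    SSLEngine On
    SSLCertificateFile    $2/$SITE_HOST.crt
    SSLCertificateKeyFile $2/$SITE_HOST.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
EOF
}

# 3. Firewall: accept 8080 from the loopback interface, drop it from anywhere
#    else. Pass "dry" to print the rules instead of applying them (no root).
firewall_8080() {   # $1 = "dry" to print only
  for rule in \
    "-A INPUT -i lo -p tcp --dport 8080 -j ACCEPT" \
    "-A INPUT -p tcp --dport 8080 -j DROP"
  do
    if [ "${1:-}" = dry ]; then echo "iptables $rule"; else iptables $rule; fi
  done
}

# 4. Spider the public HTTPS entry point; a recursive --spider run ends with
#    wget's broken-link summary. --no-check-certificate only because the cert
#    is self-signed. Run from another host to also confirm 8080 is closed.
spider_site() {
  wget --spider -r -nd -nv -e robots=off --no-check-certificate \
    "https://$SITE_HOST/" 2>&1 | grep -i 'broken link'
  nc -z -w 3 "$SITE_HOST" 8080 && echo "WARNING: 8080 reachable from here"
}

# Usage: sh thisscript.sh setup   (as root, on the Apache host)
if [ "${1:-}" = setup ]; then
  make_selfsigned_cert /etc/ssl/mifos
  write_vhost /etc/apache2/sites-available/mifos.conf /etc/ssl/mifos
  firewall_8080
  spider_site
fi
```

The port-80 vhost carries no ProxyPass at all, so nothing can be served in the clear even if the rewrite rule is later broken; the DROP rule rather than the rewrite is what actually stops a client from talking to the app directly on 8080.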