<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Recent changes to Limit service availability</title><link>https://sourceforge.net/p/guse/wiki/Limit%2520service%2520availability/</link><description>Recent changes to Limit service availability</description><atom:link href="https://sourceforge.net/p/guse/wiki/Limit%20service%20availability/feed" rel="self"/><language>en</language><lastBuildDate>Fri, 11 Apr 2014 06:22:59 -0000</lastBuildDate><atom:link href="https://sourceforge.net/p/guse/wiki/Limit%20service%20availability/feed" rel="self" type="application/rss+xml"/><item><title>Limit service availability modified by Zoltán Farkas</title><link>https://sourceforge.net/p/guse/wiki/Limit%2520service%2520availability/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v2
+++ v3
@@ -11,7 +11,7 @@
 MySQL access
 ============

-Restrict access to the MySQL databases used by gUSE (called 'guse' and 'liferay' when installed using the install wizard) as much as possible: grant access only from hosts where gUSE services are running.
+Restrict access to the MySQL databases used by gUSE (called &lt;tt&gt;guse&lt;/tt&gt; and &lt;tt&gt;liferay&lt;/tt&gt; when installed using the Install Wizard) as much as possible: grant access only from hosts where gUSE services are running.

 Applying firewalls
 ==================
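Review bot: the changed sentence still says only to "grant access only from hosts where gUSE services are running" without naming the control that enforces it. Suggest stating that the MySQL accounts used for the guse and liferay databases should be created with an explicit host part rather than the '%' wildcard, and that bind-address in the MySQL configuration can keep the server off public interfaces when every gUSE service runs on the same machine.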
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Zoltán Farkas</dc:creator><pubDate>Fri, 11 Apr 2014 06:22:59 -0000</pubDate><guid>https://sourceforge.netbfe532642bc3413dcd34b714b73eee4462006d4d</guid></item><item><title>Limit service availability modified by Zoltán Farkas</title><link>https://sourceforge.net/p/guse/wiki/Limit%2520service%2520availability/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v1
+++ v2
@@ -11,8 +11,85 @@
 MySQL access
 ============

+Restrict access to the MySQL databases used by gUSE (called 'guse' and 'liferay' when installed using the install wizard) as much as possible: grant access only from hosts where gUSE services are running.
+
 Applying firewalls
 ==================

+Apply the drop input packet acceptance policy by default, enable connection tracking, and open up only ports really necessary (HTTP, 8080, Globus TCP port range, etc.).
+
+
 Putting Tomcat behind a web server
 ==================================
+
+By putting Apache Tomcat behind an HTTP server (e.g. Apache) not only enables you to easily configure SSL/TLS-based access to your services, but also enables to limit the set of publicly accessible gUSE services, and enables you to run gUSE through standard HTTP and HTTPS ports.
+
+For this, do the followings:
+* enable the &lt;tt&gt;proxy_ajp&lt;/tt&gt; Apache module (&lt;tt&gt;a2enmod proxy_ajp&lt;/tt&gt;),
+* disable Apache Tomcat connector listening on port 8080. For this, edit Apache Tomcat's &lt;tt&gt;server.xml&lt;/tt&gt; file, and remove (or comment out) the &lt;tt&gt;Connector&lt;/tt&gt; tag bind to port 8080,
+* create a new site in Apache, that will proxy requests to Apache Tomcat's AJP. An example site setup is as follows (for HTTPS):
+
+    
+        ServerName      myportal.org
+        ServerAlias     myportal.org
+        ServerAdmin     admin@myportal.org
+        ServerSignature on
+
+        ErrorLog /var/log/apache2/myportal.org/error.log
+        CustomLog /var/log/apache2/myportal.org/access.log combined
+
+        # Possible values include: debug, info, notice, warn, error, crit,
+        # alert, emerg.
+        LogLevel warn
+
+        DocumentRoot /var/www/
+        
+                Options FollowSymLinks
+                AllowOverride None
+        
+        
+                Options Indexes FollowSymLinks MultiViews
+                AllowOverride None
+                Order allow,deny
+                allow from all
+        
+
+        SSLEngine on
+        SSLCertificateFile    /etc/ssl/certs/myportal.org.pem
+        SSLCertificateKeyFile /etc/ssl/private/myportal.org.key
+        SSLCertificateChainFile /etc/ssl/certs/myportal.org.chain.pem
+
+        
+                SSLOptions +StdEnvVars
+        
+        
+                SSLOptions +StdEnvVars
+        
+
+        BrowserMatch ".*MSIE.*" \
+                nokeepalive ssl-unclean-shutdown \
+                downgrade-1.0 force-response-1.0
+
+        RedirectMatch   permanent       ^/$     /liferay-portal-6.1.0
+
+        ProxyPass       /liferay-portal-6.1.0   ajp://myportal.org:8009/liferay-portal-6.1.0
+        ProxyPass       /wspgrade               ajp://myportal.org:8009/wspgrade
+        ProxyPass       /wfs                    ajp://myportal.org:8009/wfs
+        ProxyPass       /submitter              ajp://myportal.org:8009/submitter
+
+        
+                Order allow,deny
+                Allow from all
+        
+
+    
+
+* Finally, enable the new site in Apache using &lt;tt&gt;a2ensite&lt;/tt&gt;.
+
+As you can see, the following webapps must be proxied:
+* &lt;tt&gt;liferay-portal-6.1.0&lt;/tt&gt;: for Liferay
+* &lt;tt&gt;wspgrade&lt;/tt&gt;: for the portlets
+* &lt;tt&gt;wfs&lt;/tt&gt;: for the Graph Editor (&lt;b&gt;Note&lt;/b&gt;: if you are operating a portal where users are not intented to use the Graph Editor, you can skip the &lt;tt&gt;wfs&lt;/tt&gt; webapp)
+* &lt;tt&gt;submitter&lt;/tt&gt;: for some plugins of the DCI Bridge
+
+The other webapps (&lt;tt&gt;information&lt;/tt&gt;, &lt;tt&gt;storage&lt;/tt&gt;, &lt;tt&gt;wfi&lt;/tt&gt;, ...) are used only internally, so it is not necessary to make them publicly available.
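Review bot: the four ProxyPass lines target ajp://myportal.org:8009, the portal's public name, while the steps only remove the 8080 connector. Nothing tells the administrator to keep the AJP connector itself off the network. If Apache and Tomcat share a host, suggest binding the AJP Connector in server.xml to the loopback address and pointing ProxyPass at ajp://localhost:8009. Otherwise the webapps the last paragraph calls internal (information, storage, wfi) stay reachable over AJP wherever the firewall allows port 8009. Two smaller points on the example site: the section containers have been lost (Options, SSLOptions and "Order allow,deny" sit indented under empty lines), so the block will not load as pasted, and "ServerSignature on" and "Options Indexes" expose more than a page about limiting availability should recommend.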
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Zoltán Farkas</dc:creator><pubDate>Fri, 11 Apr 2014 06:20:56 -0000</pubDate><guid>https://sourceforge.netb95572fcbbb28ee7733eb6fe354d264ddb8687f3</guid></item><item><title>Limit service availability modified by Zoltán Farkas</title><link>https://sourceforge.net/p/guse/wiki/Limit%2520service%2520availability/</link><description>&lt;div class="markdown_content"&gt;&lt;h1 id="about"&gt;About&lt;/h1&gt;
&lt;p&gt;This page gives gUSE administrators some guidelines on how to limit the availability of their deployment's services. The goal is to make as few services available as possible.&lt;/p&gt;
&lt;h1 id="tomcat-admin-password"&gt;Tomcat admin password&lt;/h1&gt;
&lt;p&gt;The default Tomcat administrator username and password are both &lt;tt&gt;admin&lt;/tt&gt;. You can change this by editing the &lt;tt&gt;apache-tomcat-*/conf/tomcat-users.xml&lt;/tt&gt; file under your deployment. The change will take effect once you restart Apache Tomcat.&lt;/p&gt;
&lt;h1 id="mysql-access"&gt;MySQL access&lt;/h1&gt;
&lt;h1 id="applying-firewalls"&gt;Applying firewalls&lt;/h1&gt;
&lt;h1 id="putting-tomcat-behind-a-web-server"&gt;Putting Tomcat behind a web server&lt;/h1&gt;&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Zoltán Farkas</dc:creator><pubDate>Wed, 09 Apr 2014 05:14:53 -0000</pubDate><guid>https://sourceforge.neta67f582100eba772345cba98937db4fff5e2765e</guid></item></channel></rss>