Difference between revisions of "Apache Hardening"

From EPrints Documentation

Revision as of 22:20, 22 August 2022

There are various ways that the Apache configuration can be hardened to make it more secure. The suggested configuration changes below are informed by https://securityheaders.com/. Much of this is quite generic and could be applied to any web host, not just an EPrints repository, but some of it needs to be configured specifically for an EPrints repository.

HTTP Strict Transport Security (HSTS)

The following line should be added near the top of the HTTPS virtual host (i.e. in the archive's ssl/securevhost.conf):

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

max-age=31536000 is the recommended lifetime in seconds (365 days, i.e. approximately one year). includeSubDomains is not strictly necessary unless the repository has alternative hostnames under the primary hostname (e.g. www.example.eprints.org is a secondary hostname for example.eprints.org). preload is only really useful if your repository is the root of a domain (e.g. eprints.org), as preloading can only be registered at that level. However, there is no harm in including it in the line above.
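As an added example (not part of the EPrints documentation or of Apache), the following Python script checks that a repository is actually sending the header described above with the intended directives. It parses the Strict-Transport-Security value using the RFC 6797 syntax (directive names are case-insensitive, max-age is an integer that may be quoted, a directive must not repeat) and reports the deviations a practitioner would want to catch: a max-age shorter than the recommended 31536000 seconds, max-age=0 (which makes browsers forget the policy), a missing includeSubDomains when secondary hostnames exist, and preload without the includeSubDomains and one-year max-age that the browser preload list requires. The sample response headers are constructed, not captured from a real repository, and the function and hostname names are the example's own.

```python
"""Check the Strict-Transport-Security header sent by an HTTPS virtual host.

Added example, not part of the EPrints documentation. The response below is
constructed to look like the output of `curl -sI https://repo.example/`.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age recommended on this page

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)


def hsts_from_response(raw):
    """Return the STS header value from raw response headers, or None.

    Header names are case-insensitive, so match on a lower-cased name.
    """
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(value):
    """Parse an STS header value into a dict of directives (RFC 6797).

    Returns None when the value is malformed: no max-age, a non-numeric
    max-age, or a directive that appears more than once. Directive names
    are stored lower-cased; max-age is converted to an int.
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a directive must not repeat
            return None
        directives[name] = raw.strip().strip('"')  # max-age may be quoted
    if "max-age" not in directives or not re.fullmatch(r"\d+", directives["max-age"]):
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def check_hsts(value, require_subdomains=False, require_preload=False):
    """Return a list of findings; an empty list means the header is acceptable.

    require_subdomains should be True when the repository has secondary
    hostnames under the primary one; require_preload when the repository
    is the root of its domain and is to be registered for preloading.
    """
    parsed = parse_hsts(value)
    if parsed is None:
        return ["header missing or malformed; browsers will ignore it"]
    findings = []
    if parsed["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif parsed["max-age"] < ONE_YEAR:
        findings.append(f"max-age {parsed['max-age']} is below the recommended {ONE_YEAR}")
    if require_subdomains and "includesubdomains" not in parsed:
        findings.append("includeSubDomains missing but secondary hostnames exist")
    if require_preload and "preload" not in parsed:
        findings.append("preload missing")
    if "preload" in parsed and ("includesubdomains" not in parsed or parsed["max-age"] < ONE_YEAR):
        findings.append("preload list requires includeSubDomains and max-age >= 1 year")
    return findings


if __name__ == "__main__":
    header = hsts_from_response(SAMPLE_RESPONSE)
    print("STS header:", header)
    for finding in check_hsts(header, require_subdomains=True) or ["OK"]:
        print(" -", finding)
```

To use it against a live repository, paste the output of `curl -sI` for the HTTPS hostname into SAMPLE_RESPONSE; note that a browser only honours the header on an HTTPS response, so the plain-HTTP virtual host does not need to send it.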