DigitalSlideArchive / digital_slide_archive

The official deployment of the Digital Slide Archive and HistomicsTK.
https://digitalslidearchive.github.io
Apache License 2.0

Remove SSL anonymous authentication and upgrade SSL version #113

Closed choosehappy closed 4 years ago

choosehappy commented 4 years ago

Hello,

Thanks for developing such a great tool.

We’ve set up an instance which we would like to make public, but our university has run a threat assessment and cannot whitelist the post until we address two points:

  1. SSL Server allows Anonymous Authentication
  2. SSL/TLS Server supports TLSv1.0

Their proposed solutions are, respectively:

  1. Disable support for anonymous authentication to mitigate this vulnerability.
  2. Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

Is there a way to implement these modifications for the DSA?

Thanks, Andrew

dgutman commented 4 years ago

Are you using an nginx proxy or just the DSA on port 8080?

choosehappy commented 4 years ago

The latter, a standard "python deploy_docker.py" instance, except with forwarding of host port 80 to girder port 8080.

I saw in the glimmer channel there were some mentions of an nginx proxy with examples, but all the links provided there have died.

The 2 items requested also seemed relatively trivial, a disable and an upgrade, so I thought maybe they could be done in-project for ease of everyone's deployment.

Thoughts?

choosehappy commented 4 years ago

Set up an apache proxy on port 443 using SSL:

In base o/s:

    docker run -it --name apache_proxy -p443:443 ubuntu /bin/bash
    docker network connect dsa apache_proxy

Within docker:

    apt update
    apt install apache2 links nano
    a2enmod ssl
    a2enmod proxy
    a2enmod proxy_http
    # mod_headers is required for the Header directives in ssl-params.conf below;
    # without it Apache refuses to start with "Invalid command 'Header'"
    a2enmod headers

    openssl req -x509 -nodes -days 358000 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

nano /etc/apache2/conf-available/ssl-params.conf

    # from https://cipherli.st/
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

    # EECDH/EDH select only authenticated ephemeral key exchange, so the
    # anonymous (ADH/AECDH) suites from finding 1 are excluded.
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    # Finding 2 requires TLSv1.0 off; "All -SSLv2 -SSLv3" alone still leaves
    # TLSv1.0 and TLSv1.1 enabled, so remove them explicitly.
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # Requires Apache >= 2.4
    SSLCompression off
    SSLSessionTickets Off
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Files in conf-available are not loaded until they are enabled:

    a2enconf ssl-params

nano /etc/apache2/sites-enabled/000-default.conf

NOTE: replace the IP address with the IP address of the girder Docker container.

    <VirtualHost *:443>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        ProxyPass / http://172.19.0.6:8080/
        ProxyPassReverse / http://172.19.0.6:8080/

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
        SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    </VirtualHost>

Start apache.
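The two threat-assessment findings map onto exactly two mod_ssl directives in the ssl-params.conf above, `SSLProtocol` and `SSLCipherSuite`, and it is easy to get a config that addresses one but not the other. The script below is an added example, not code from the DSA project or from anyone in this thread: it evaluates an `SSLProtocol` value using the keyword rules from the Apache mod_ssl documentation (assumed here: `all` selects every protocol the build knows, `+name` adds, `-name` removes, a bare name adds) and hands the `SSLCipherSuite` string to the OpenSSL linked into Python's `ssl` module to see whether any anonymous (Au=None) suites survive. The directive values it feeds in are copied from the posted config; the expected-findings logic and function names are this example's own.

```python
"""Audit Apache mod_ssl protocol and cipher directives against the two findings
in this thread: anonymous authentication allowed, and TLSv1.0 supported.
Added example; the SSLProtocol keyword semantics follow the mod_ssl docs, and
cipher-string expansion is delegated to the OpenSSL behind Python's ssl module."""
import ssl

# Protocol names mod_ssl understands. SSLv2 is still accepted in directives for
# backwards compatibility but no modern OpenSSL build can enable it.
APACHE_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"})
LEGACY_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})

# Directive values copied from the ssl-params.conf posted above (test input).
POSTED_PROTOCOL = "All -SSLv2 -SSLv3"
POSTED_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"


def enabled_protocols(directive_value):
    """Evaluate an SSLProtocol value left to right and return the enabled set.
    'all' selects every protocol, '+name' adds one, '-name' removes one, and a
    bare name adds one. Unknown keywords raise, as Apache would refuse them."""
    enabled = set()
    for token in directive_value.split():
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        else:
            sign, name = "+", token
        if name.lower() == "all":
            selected = set(APACHE_PROTOCOLS)
        elif name == "SSLv2":
            selected = set()  # accepted keyword, but nothing to enable or disable
        elif name in APACHE_PROTOCOLS:
            selected = {name}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % token)
        if sign == "+":
            enabled |= selected
        else:
            enabled -= selected
    return enabled


def anonymous_suites(cipher_string):
    """Expand an SSLCipherSuite value with OpenSSL and return the names of the
    suites that perform no server authentication (OpenSSL prints them as Au=None).
    A string that selects nothing in this build raises SSLError in set_ciphers;
    that selects no anonymous suites either, so it yields an empty list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if "Au=None" in c["description"]]


def audit(ssl_protocol, ssl_cipher_suite):
    """Return one finding string per threat-assessment item that is still open."""
    findings = []
    legacy = enabled_protocols(ssl_protocol) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("legacy protocols still enabled: " + ", ".join(sorted(legacy)))
    anon = anonymous_suites(ssl_cipher_suite)
    if anon:
        findings.append("anonymous cipher suites still enabled: " + ", ".join(anon))
    return findings


if __name__ == "__main__":
    # The posted value leaves TLSv1.0/1.1 on; the second value closes both findings.
    for label, proto in (("as posted", POSTED_PROTOCOL),
                         ("hardened", "All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1")):
        print(label, "->", audit(proto, POSTED_CIPHERS) or ["no findings"])
```

The cipher check is deliberately not a hand-written list: OpenSSL's own expansion is the only authoritative answer to "what does this string select", and it also catches the case where the linked OpenSSL was built without anonymous suites at all. Note that with OpenSSL 1.1.1 and later mod_ssl applies the enabled set as a contiguous minimum-to-maximum range, so the usual idiom is `-all +TLSv1.2` (plus `+TLSv1.3` where supported) rather than subtracting individual versions.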

cooperlab commented 4 years ago

@dgutman @manthey can we capture this in your documentation somewhere?