Closed choosehappy closed 4 years ago
Are you using an nginx proxy or just the DSA on port 8080?
On Fri, May 15, 2020, 1:21 PM choosehappy notifications@github.com wrote:
Hello,
Thanks for developing such a great tool.
We’ve set up an instance which we would like to make public, but our university has run a threat assessment and cannot whitelist the post until we address two points:
- SSL Server allows Anonymous Authentication
- SSL/TLS Server supports TLSv1.0
Their proposes solutions are, respectively
- Disable support for anonymous authentication to mitigate this vulnerability.
- Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
Is there a way to do implement these modifications for the DSA?
Thanks, Andrew
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/DigitalSlideArchive/digital_slide_archive/issues/113, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAFODTVKW6MMLPUC2TODXTDRRV23FANCNFSM4NBX6EHA .
the latter, a standard "python deploy_docker.py" instance, except with forwarding of host port 80 to girder port 8080
i saw in the glimmer channel there was some mentions of nginx proxy with examples, but all the links provided there have died
the 2 items requested also seemed relatively trivial, a disable and an upgrade, so thought maybe they could be done in-project for ease of everyone's deployment
thoughts?
On Fri, May 15, 2020 at 11:19 PM dgutman notifications@github.com wrote:
Are you using an nginx proxy or just the DSA on port 8080?
On Fri, May 15, 2020, 1:21 PM choosehappy notifications@github.com wrote:
Hello,
Thanks for developing such a great tool.
We’ve set up an instance which we would like to make public, but our university has run a threat assessment and cannot whitelist the post until we address two points:
- SSL Server allows Anonymous Authentication
- SSL/TLS Server supports TLSv1.0
Their proposes solutions are, respectively
- Disable support for anonymous authentication to mitigate this vulnerability.
- Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.
Is there a way to do implement these modifications for the DSA?
Thanks, Andrew
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <https://github.com/DigitalSlideArchive/digital_slide_archive/issues/113 , or unsubscribe < https://github.com/notifications/unsubscribe-auth/AAFODTVKW6MMLPUC2TODXTDRRV23FANCNFSM4NBX6EHA
.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/DigitalSlideArchive/digital_slide_archive/issues/113#issuecomment-629492343, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACJ3XTDHVFGXEG7INBU43FDRRWWWFANCNFSM4NBX6EHA .
setup an apache proxy on port 443 using SSL:
In base o/s: docker run -it --name apache_proxy -p443:443 ubuntu /bin/bash docker network connect dsa apache_proxy
Within docker: apt update apt install apache2 links nano a2enmod ssl a2enmod proxy a2enmod proxy_http
openssl req -x509 -nodes -days 358000 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
nano /etc/apache2/conf-available/ssl-params.conf
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
nano /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:443>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPass / http://172.19.0.6:8080/
ProxyPassReverse / http://172.19.0.6:8080/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
start apache
@dgutman @manthey can we capture this in your documentation somewhere?
Hello,
Thanks for developing such a great tool.
We’ve set up an instance which we would like to make public, but our university has run a threat assessment and cannot whitelist the post until we address two points:
Their proposes solutions are, respectively
Is there a way to do implement these modifications for the DSA?
Thanks, Andrew