Best practice with vhosts at your server

zimny · January 27, 2018, 7:37pm

Hi guys,

First and always many thanks for NS soft and all your non-profit effort.

I like to secure all my websites with:

TRACE and/or TRACK methods - disabled for all my vhosts

Realise that probably I still need learn a lot about tampleting in NS.
But disable this option can be considered from security on your web server.

My question is
If we can add:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

to NS withouth using templates for each vhost.

In multidomain environment this can be a real pain in … neck to customasie all vhost templates.

mrmarkuz · January 27, 2018, 10:28pm

That should be possible with a vhost-extra custom template:

mkdir -p /etc/e-smith/templates-custom/httpd/vhost-extra/

Create /etc/e-smith/templates-custom/httpd/vhost-extra/15tracktrace with following content.

    #
    # 15tracktrace - Track and trace rewrite rule
    #

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Any virtual host should include the rewrite rule after expanding the template. I didn’t test if this works for your track and trace case but this should give you an idea about templating your virtual hosts.

After expand-template /etc/httpd/conf.d/virtualhosts.conf your virtualhost directives look like this:

<VirtualHost *:443>
    DocumentRoot "/var/lib/nethserver/vhost/vhost1"
    ServerName vhost1.domain.local
    #
    # 15tracktrace - Track and trace rewrite rule
    #

    RewriteEngine on
    RewriteCond %REQUEST_METHOD ^(TRACE|TRACK)
    RewriteRule .* - [F]

    # 20forcessl_redirect disabled



    # 30directory -- basic directory setup
    <Directory /var/lib/nethserver/vhost/vhost1>
      AllowOverride All
      Options None
      Options +Indexes
      Options +Includes
      <RequireAll>
        # access private
        Require ip 127.0.0.1 \
        192.168.1.0/255.255.255.0

        # authentication disabled

      </RequireAll>
    </Directory>

</VirtualHost>

zimny · January 27, 2018, 10:34pm

Thanks Marcus

I think that all security rules should be included in NS defaults.
What is your idea?

Thank you

mrmarkuz · January 27, 2018, 10:48pm

Honestly I don’t know much about this track and trace thing but setting default security settings may affect other apps and needs some discussion. For now I’d work with custom templates.

Maybe it’s enough to just add the rewrite rule to httpd.conf but I read the following:

Please note that by default, rewrite configurations are not inherited across virtual servers. Add RewriteEngine On to each virtual host…

http://www.techstacks.com/howto/disable-tracetrack-in-apache-httpd.html

You may just add the rewrite rule to /etc/httpd/conf/httpd.conf, it’s not templated.

zimny · February 11, 2018, 10:18pm

Hi Marcus,

Sorry for the late ansver.

I done exacly the same so appache conf file sort it for all vhosts.

Just added:
TraceEnable Off

Hope this help for the others with the same concerns.

giacomo · February 12, 2018, 9:56am

Hi @zimny
I saw you’re raising few security concerns about NS default configuration and as @davidep any contribute to improve current situation is welcome!

We are following upstream defaults, but this doesn’t mean we couldn’t hardening it

Do you have a public document or procedure are you using to hardening your installation?
Maybe we could create a special section inside the manual.
Please, also feel free to the raising discussion about a very similar feature: GDPR and SSL hardening