Harden Server grammar

This commit is contained in:
Phil Davis
2015-08-16 14:02:33 +05:45
parent fe1e7589ed
commit 0aede3a828


@@ -4,12 +4,12 @@ Hardening and Security Guidance
ownCloud aims to ship with secure defaults that do not need to get modified by
administrators. However, in some cases some additional security hardening can
only be applied in scenarios were the administrator have complete control over
only be applied in scenarios were the administrator has complete control over
the ownCloud instance.
This document lists some security hardenings which require manual interaction by
administrators. The whole document content is based on the assumption that you
run ownCloud Server on Apache2 on a Linux environment.
run ownCloud Server on Apache2 in a Linux environment.
.. note:: ownCloud will warn you in the administration interface if some
critical security-relevant options are missing. However, it is still up to
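Review bot: the corrected line "only be applied in scenarios were the administrator has complete control over" still has a typo: "were" should be "where". Suggest "only be applied in scenarios where the administrator has complete control over".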
@@ -78,7 +78,7 @@ ownCloud is able to generate preview images of common filetypes such as images
or text files. By default the preview generation for some file types that we
consider secure enough for deployment is enabled by default. However,
administrators should be aware that these previews are generated using PHP
libraries written in C which might be vulnerable to vulnerable attack vectors.
libraries written in C which might be vulnerable to attack vectors.
For high security deployments we recommend disabling the preview generation by
setting the ``enable_previews`` switch to ``false`` in ``config.php``. As an
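Review bot: the unchanged context "By default the preview generation for some file types that we consider secure enough for deployment is enabled by default" says "by default" twice; drop one of them, e.g. "Preview generation for some file types that we consider secure enough for deployment is enabled by default."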
@@ -100,7 +100,7 @@ HTTPS.
Redirect all unencrypted traffic to HTTPS
*****************************************
To redirect all HTTP traffic to HTTPS administrators are encouraged to issue a
permanent redirect using the 301 status code, when using Apache this can be
permanent redirect using the 301 status code. When using Apache this can be
achieved by a setting such as the following in the Apache VirtualHosts config:
.. code-block:: none
@@ -118,7 +118,7 @@ While redirecting all traffic to HTTPS is already a good start it will often not
completely prevent man-in-the-middle attacks for a regular user. Thus
administrators are encouraged to set the HTTP Strict Transport Security header
which will instruct browsers to not allow any connection to the ownCloud
instance anymore using HTTPS and a invalid certificate warning will often not be
instance anymore using HTTPS and an invalid certificate warning will often not be
able to get bypassed.
This can be achieved by setting the following settings within the Apache
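Review bot: the sentence still reads as if HSTS forbids connections "using HTTPS", which is the opposite of what the header does; it instructs browsers to refuse any connection that is not over HTTPS. Suggest "which will instruct browsers to not allow any connection to the ownCloud instance anymore unless it uses HTTPS, and an invalid certificate warning will often not be able to be bypassed."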
@@ -131,7 +131,7 @@ VirtualHost file:
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</VirtualHost>
Be aware that above policy will also apply for all subdomains, if you don't
Be aware that the above policy will also apply for all subdomains. If you don't
have HTTPS properly configured on all subdomains you mut remove the ``includeSubdomains``
part.
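Review bot: "you mut remove" is still a typo for "you must remove". Also the literal ``includeSubdomains`` in the prose does not match the ``includeSubDomains`` token in the header line above; the casing should match so readers can find the token to remove.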
@@ -142,12 +142,12 @@ Proper SSL configuration
************************
Default SSL configurations by web servers are often not state of the art and
require fine-tuning for an optimal performance and security experience. The
available SSL ciphers and options depends completely on your environment and
available SSL ciphers and options depend completely on your environment and
thus giving a generic recommendation is not really possible.
We recommend to use the `Mozilla SSL Configuration Generator`_ to generate a
suitable configuration suited for your environment, furthermore the free `Qualys
SSL Labs Tests`_ give a good guidance whether the SSL server was correctly
SSL Labs Tests`_ give good guidance about whether the SSL server was correctly
configured.
Use a dedicated domain for ownCloud
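Review bot: "We recommend to use" should be "We recommend using", and "a suitable configuration suited for your environment" repeats itself; suggest "a configuration suited to your environment". The comma before "furthermore" joins two independent sentences; a full stop reads better there.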
@@ -158,16 +158,16 @@ Same-Origin-Policy.
Serve security related Headers by the web server
------------------------------------------------
Basic security headers are served by ownCloud already in a default environment. These includes:
Basic security headers are served by ownCloud already in a default environment. These include:
- ``X-Content-Type-Options: nosniff``
- Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent browsers to interpret text files as JavaScript.
- Instructs some browsers to not sniff the mimetype of files. This is used for example to prevent browsers from interpreting text files as JavaScript.
- ``X-XSS-Protection: 1; mode=block``
- Enforces the browsers to enable their browser side Cross-Site-Scripting filter.
- Instructs browsers to enable their browser side Cross-Site-Scripting filter.
- ``X-Robots-Tag: none``
- Instructs search machines to not index these page.
- Instructs search machines to not index these pages.
- ``X-Frame-Options: SAMEORIGIN``
- Prevents to embed the ownCloud instance within an iframe from other domains to prevent Clickjacking and other similiar attacks.
- Prevents embedding of the ownCloud instance within an iframe from other domains to prevent Clickjacking and other similiar attacks.
However, these headers are added by the applications code in PHP and thus not
served on static resources and rely on the fact that there is no way to bypass
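Review bot: "similiar" in the new line "Clickjacking and other similiar attacks" is still misspelled ("similar"), and "search machines" in the X-Robots-Tag bullet should be "search engines".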
@@ -176,8 +176,8 @@ the intended response code path.
For optimal security, administrators are encouraged to serve these basic HTTP
headers by the web server to enforce them on response.
Apache has to be configured to use the ``.htaccess`` file as well as the following Apache
modules needs to be enabled:
Apache has to be configured to use the ``.htaccess`` file and the following Apache
modules need to be enabled:
- mod_headers
- mod_env
@@ -185,7 +185,7 @@ modules needs to be enabled:
For nginx, please see the nginx configuration example :ref:`nginx_configuration_example`
Administrators can verify whether this security change is active by accessing a
static resource served by the web server and verify that above mentioned
static resource served by the web server and verify that the above mentioned
security headers are shipped.
.. _Mozilla SSL Configuration Generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/