Securing your OSS

From OpenSearchServer Wiki

As of this writing (version 1.1r5), OSS does not have extraordinary built-in security measures. Users who want to take extra steps to secure their data against intrusion can apply the following recommended steps. They are intended as a reminder of basic security measures to take with any important application.



Basic recommendations

  • Run your OSS within a DMZ. If that is not possible, restrict OSS access to localhost
  • Limit access to OSS files
  • Set an authentication method to access the OSS interface


Linux

Adding firewall rules

Using iptables

These rules will authorize access to OSS only from the localhost.

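# Allow loopback clients (such as a local reverse proxy) to reach OSS on port 8080
iptables -A INPUT -s 127.0.0.0/8 -p tcp --destination-port 8080 -j ACCEPT
# Drop every other connection to port 8080
iptables -A INPUT -p tcp --destination-port 8080 -j DROP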

Don't forget to make these rules permanent by adding them to your distribution's network startup file. Refer to your distribution's documentation for more information.

Warning: if you are not familiar with these parameters, please refer to your iptables documentation.

Proxying OSS

Using nginx

Here is a small excerpt of the nginx configuration file that one of our users employs to secure his OSS data for http://nkubz.net

# Integration of Open Search Server
# Accessing the OSS Back Office using http://<server>/oss/

## Make sure the queries issued by the backoffice are passed through the proxy
if ($http_referer ~* "//oss/|//zkau/") {
	rewrite ^(.*)$ /oss/$1;
}

## Proxying all queries to the OSS back office server
location ^~ /oss/ {
	auth_basic            "Restricted";
	auth_basic_user_file  conf/htpasswd;
	proxy_pass http://localhost:8080/;
	proxy_redirect http://localhost:8080/ http://localhost:8080/oss/;
	proxy_set_header X-Real-IP $remote_addr;
}

Since this web site needs to publish its OSS search API to run tests, our user further uses this:

# Publish the search API so that the web site can send queries using AJAX
location ^~ /search {
	# Set a rate limit to prevent abusive usage
	limit_req zone=oss_search_api_call burst=10;
	# Allow only the GET method
	if ($request_method !~ ^GET$) {
		return 403;
	}
	# No delete, sorry (match the parameter wherever it sits in the query string)
	if ($args ~* "(^|&)delete=?") {
		return 403;
	}
	# Prevent the API from being called from outside the domain
	# (the Referer header is client-supplied, so this only deters casual reuse)
	if ($http_referer !~* "http://nkubz.net/") {
		return 403;
	}
	# Sorry, no dumping (match the parameter wherever it sits in the query string)
	if ($args ~* "(^|&)q=\*:\*") {
		return 403;
	}

	proxy_pass http://localhost:8080/search;
	proxy_set_header X-Real-IP $remote_addr;
}

If you are using the limit request, don't forget to add this line before the server { } section:

limit_req_zone $binary_remote_addr zone=oss_search_api_call:10m   rate=2r/s;

For more information about limiting the rate, please consult the nginx wiki.
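
Added example (not part of the original wiki page or of the user's configuration): the `delete` and `q=*:*` checks in the /search block are regexes applied to the raw `$args`, before percent-decoding. The Python sketch below models checks of that kind next to a check that decodes the query string and decides per parameter, using constructed query strings; the `lang` parameter and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl

# Regexes modelled on the excerpt's `if ($args ~* ...)` checks. nginx applies
# them to the raw query string, i.e. before any percent-decoding.
RAW_RULES = [
    re.compile(r"(^|&)delete=?", re.IGNORECASE),
    re.compile(r"(^|&)q=\*:\*", re.IGNORECASE),
]


def raw_regex_blocks(args: str) -> bool:
    """Model of `if ($args ~* <regex>) { return 403; }` on the raw string."""
    return any(rule.search(args) for rule in RAW_RULES)


def param_aware_blocks(args: str) -> bool:
    """Decode the query string first, then decide per parameter."""
    for name, value in parse_qsl(args, keep_blank_values=True):
        name = name.lower()
        if name == "delete":
            return True
        if name == "q" and value.strip() == "*:*":
            return True
    return False


# Constructed query strings (not real traffic); `lang` is a made-up parameter.
SAMPLES = [
    "lang=en&q=nginx",       # ordinary search
    "lang=en&delete=1",      # delete parameter
    "q=*:*&lang=en",         # match-all query as first parameter
    "lang=en&q=%2A%3A%2A",   # same match-all query, percent-encoded
]


def compare(samples=SAMPLES):
    """Return (query, blocked_by_raw_regex, blocked_by_param_check) rows."""
    return [(q, raw_regex_blocks(q), param_aware_blocks(q)) for q in samples]


if __name__ == "__main__":
    for query, raw, aware in compare():
        print(f"{query:24} raw_regex={raw!s:5} param_aware={aware}")
```

A row where the two results differ marks a request that the raw-string rule would pass on to OSS, which is a reason to enforce such restrictions on decoded parameters or in the application itself as well.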

Editor notes

This is a draft with raw information.

  • Run your OSS using a specific user
  • Add proxying with Apache
  •  ? Change some Catalina data ? (See if it's easy and possible)
  • Add rules to prohibit any other method than GET (can still pass delete using posting)
  • Split this page into many chunks