mirror of https://github.com/fspc/Yellow-Bike-Database.git synced 2025-02-22 08:53:23 -05:00

Adds more detail about fine tuning access, and improves apache setup instructions.

This commit is contained in:
Jonathan Rosenbaum 2018-01-06 07:36:49 +00:00
parent 5edc4f97c2
commit 5b490e18e7


@ -78,8 +78,12 @@ II. cp device.key /etc/ssl/private/ssl-cert-snakeoil.key
cp mysite.com.csr /etc/ssl/certs/ssl-cert-snakeoil.pem
III. a2enmod ssl;
a2ensite default-ssl.conf; (standard on debian-based distributions .. add <Directory> stanza above)
a2ensite default-ssl.conf; (standard on debian-based distributions)
add certs to the SSLCertificateFile and SSLCertificateKeyFile directives in default-ssl.conf
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
a2dissite 000-default.conf;
service apache2 restart
In the Chromium broswer: chrome://settings/certificates
Choose IMPORT in AUTHORITIES
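Review bot: the added `SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem` line points at the file that step II above fills with `cp mysite.com.csr ...`; a .csr is a certificate signing request, not a certificate, so Apache will refuse to start until the signed (or self-signed) certificate is placed at that path instead. Worth also stating the expected ownership and mode of /etc/ssl/private/ssl-cert-snakeoil.key (root-owned, not world-readable) and running `apache2ctl configtest` before `service apache2 restart`, so a bad path or mismatched key/cert shows up before the site goes down.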
@ -102,7 +106,7 @@ Firefox (IceWeasel); note that Chrome below, provides the most recent instructio
6. mv KeePass.config.xml KeePass.config.enforced.xml
7. sudo chown root:root KeePass.config.enforced.xml (and database/key file)
8. sudo chmod 0400 KeePass.config.enforced.xml
9. See Chrome for KeePass.config.enforced.xml policy changes.
9. See Chrome for KeePass.config.enforced.xml policy changes.
10. In Debian/Ubuntu: apt-get install mono-runtime mono-devel
11. Install KeeFox extension from https://addons.mozilla.org/en-us/firefox/addon/keefox/
12. KeeFox will tell you where to copy KeePassRPC.plgx from into the plugins directory
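Review bot: the two step-9 lines read identically here, so either the change is whitespace-only and invisible in this view, or an intended wording change did not land; please confirm which. Separately, the neighbouring steps 7 and 8 make KeePass.config.enforced.xml root:root with mode 0400, which leaves it unreadable by the unprivileged account that actually runs KeePass under mono; an enforced config needs to stay root-owned (so it cannot be edited) but be readable by that user, e.g. mode 0444, and the database/key file from step 7 likewise still needs read access for the user who opens it.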
@ -229,6 +233,38 @@ SPECIAL NOTES
contact_add_edit.php, and another computer for volunteer staff allowing access to almost everything,
including transaction_log.php, perhaps with the exclusion of certain reports that should only be available
to the volunteer coordinator.
https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements provides good details how this is done:
E.g., we want paid_members.php to be accessible via a completely different password under Apache for our paid members team:
<FilesMatch "\.(php|paid_members\.php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /var/www/html/js>
Order allow,deny
Allow from all
Satisfy any
</Directory>
<Directory /var/www/html/css>
Order allow,deny
Allow from all
Satisfy any
</Directory>
<Directory /var/www/html>
Authtype Basic
Authname "Amazing Community Bike Shop Login"
Require user someuser
AuthUserFile /var/htpasswd
</Directory>
<Files "paid_members.php">
Authtype Basic
Authname "Paid Members Login"
Require user paid_members_team
AuthUserFile /var/htpasswd
</Files>
How to get that working with keepass2 should be obvious.
SUSPENDING COMPUTER
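Review bot: the `<FilesMatch "\.(php|paid_members\.php)$">` pattern does not do what the surrounding sentence promises: the alternation only matches names ending in `.php` or `.paid_members.php`, so it is equivalent to `\.php$`, and the block only sets `SSLOptions +StdEnvVars`, which has nothing to do with the separate password for paid_members.php; either drop it from this example or explain its purpose. More importantly, `Order allow,deny` / `Allow from all` / `Satisfy any` is Apache 2.2 access-control syntax; on the Apache 2.4 implied by the `a2enmod`/`a2ensite` steps earlier in this file these directives only work through mod_access_compat and mix poorly with `Require`. The 2.4 form is `Require all granted` inside the js and css `<Directory>` blocks, and the `<Files "paid_members.php">` block with `Require user paid_members_team` then takes precedence over `Require user someuser` from the enclosing directory because, with the default `AuthMerging Off`, a later section's authorization replaces the earlier one. It is worth adding a sentence that /var/htpasswd deliberately sits outside the document root, and that since both accounts live in the same file the separation rests entirely on the two `Require user` lines.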
@ -244,7 +280,7 @@ it is not always straight-forward, e.g., resetting the CMOS.
GRUB2 PASSWORD PROTECT (mandatory)
You don't want individuals casually booting into single mode or a shell, therefore,
In order to prevent individuals from casually booting into single mode or a shell,
password protecting GRUB with an encrypted password is mandatory.
https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
@ -256,7 +292,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
to
CLASS="--class gnu-linux --class gnu --class os --unrestricted"
2. Create an encrypted password with grub-mkpasswd-pbkdf2, producing something like
grub.pbkdf2.sha512.10000.80E702585F80C8D70D4BC75
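Review bot: step 2 calls the output of grub-mkpasswd-pbkdf2 an "encrypted password", but a `grub.pbkdf2.sha512.10000....` string is a salted PBKDF2-SHA512 hash that cannot be decrypted; "hashed password" avoids implying the plaintext is recoverable from the GRUB config. The `--unrestricted` class added in step 1 is what lets anyone boot the default entry while the superuser password is still required to edit entries or drop to the GRUB shell, and a sentence saying so would make the intent of the "(mandatory)" section clearer.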
@ -270,7 +306,7 @@ https://help.ubuntu.com/community/Grub2/Passwords gives good instructions
5. update-grub2
SSD or HD Encryption (optional)
SSD or HD ENCRYPTION (optional)
If a sign-in computers unencrypted drive goes missing (or is stolen), it should (in most cases)
be pretty obvious, and you would want to change YBDB's htpasswd and root password. However, if you
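Review bot: "a sign-in computers unencrypted drive" on the line under the heading should read "computer's"; the upper-casing of the heading itself is consistent with GRUB2 PASSWORD PROTECT above.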