
GCS Default Apache VirtualHost Configuration

Globus Connect Server requires that the Apache web server be enabled and running to provide access to its services. If a data transfer node does not have an existing Apache configuration, the default system-specific configuration is enabled. This default configuration often has undesirable properties, such as listening for unencrypted HTTP requests, using a self-signed certificate for the default VirtualHost, and returning a default landing page. This document describes ways to improve the configuration of the default virtual host to reduce its impact and keep security scanners from flagging it as a problem.

We recommend keeping a default VirtualHost configured, even if it just returns 403 errors. This keeps network scanners from invoking Globus services and reduces load on the data transfer node.

1. Disable Non-encrypted HTTP service

  • Ubuntu, Debian
  • Fedora, CentOS, RedHat

On Ubuntu and Debian, modify the ports that the Apache web server listens on by editing the file /etc/apache2/ports.conf. Change the line

Listen 80

to

# Listen 80

By default, the Apache web server configuration includes an http site. This must also be disabled when the port is turned off, or the Apache web server will not load. However, if there is no default site, the GCS Manager web service will be the default site. We recommend enabling the default ssl site and then using the steps in section 2 to disable all access on the default site.

Run these commands as root:

Disable the default http site:

a2dissite 000-default

Enable the default https site:

a2ensite default-ssl

Restart Apache:

systemctl restart apache2

On Fedora, CentOS and RedHat, modify the default httpd configuration file at /etc/httpd/conf/httpd.conf. Change the line

Listen 80

to

# Listen 80

Restart the web server

systemctl restart httpd

2. Disable default VirtualHost data access

  • Ubuntu, Debian
  • Fedora, CentOS, RedHat

On Ubuntu and Debian, modify the file /etc/apache2/sites-available/default-ssl. Find the VirtualHost section enclosed by the tags

        <VirtualHost _default_:443>

and

        </VirtualHost>

Add the following lines between those tags:

<LocationMatch /.*>
    ErrorDocument 403 "Access denied"
    Require all denied
</LocationMatch>

Restart the web server

systemctl restart apache2

On Fedora, CentOS and RedHat, modify the file /etc/httpd/conf.d/ssl.conf. Find the VirtualHost section enclosed by the tags

<VirtualHost _default_:443>

and

</VirtualHost>

Add the following lines between those tags:

<LocationMatch /.*>
    ErrorDocument 403 "Access denied"
    Require all denied
</LocationMatch>

Restart the web server

systemctl restart httpd

3. Use a Valid Certificate

You can replace the default self-signed certificate with one signed by a valid certificate authority. Globus Connect Server obtains one on your behalf so that the Globus services can access it. You can use a subdomain of this certificate, or you can provide your own certificate and key.

These instructions assume you plan on using the Globus certificate; if you want to use a different one, replace the paths to those of your certificate, and set the ServerName appropriately.

Locate the certificate and private key to use. By default, Globus stores these in a subdirectory of /var/lib/globus-connect-server/gcs-manager/etc/domains, with the name matching the domain_name property of the endpoint you are running the commands on.

The following script (run as root) will display the paths to the certificate and private key.

cert-for-default-domain.sh

#!/bin/sh
# Print the domain name to use for the default site and the paths to the
# certificate and private key that Globus Connect Server manages. Run as root.

info=/var/lib/globus-connect-server/info.json
domains_dir=/var/lib/globus-connect-server/gcs-manager/etc/domains
bad=0
# info.json only exists after node setup has been run
if [ ! -s "$info" ]; then
    echo "Run globus-connect-server node setup before running this script"
    bad=1
fi
# The domains directory is only readable by root
if [ ! -d "$domains_dir/." ]; then
    echo "Unable to check existence of GCS cert directory, run this script as root."
    bad=1
fi
if [ "$bad" = 1 ]; then
    exit 1
fi

# Extract the value of the domain_name property from info.json
d=$(awk -F'"' '/domain_name/ {print $4}' "$info")
if [ ! -f "$domains_dir/$d/cert.pem" ]; then
    echo "Unable to find domain certificate for $d"
    bad=1
fi
if [ ! -f "$domains_dir/$d/privkey.pem" ]; then
    echo "Unable to find domain private key for $d"
    bad=1
fi
if [ "$bad" = 1 ]; then
    exit 1
fi
# The default site uses a subdomain of the endpoint's domain
echo "domain: dummy-default.$d"
echo "cert  : $domains_dir/$d/cert.pem"
echo "key   : $domains_dir/$d/privkey.pem"

  • Ubuntu, Debian
  • Fedora, CentOS, RedHat

On Ubuntu and Debian, modify the file /etc/apache2/sites-available/default-ssl. Find the line

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem

Replace /etc/ssl/certs/ssl-cert-snakeoil.pem with the path to the cert.pem file shown by the command above.

Find the line

                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Replace /etc/ssl/private/ssl-cert-snakeoil.key with the path to the privkey.pem file shown by the script above.

Finally, find the VirtualHost section enclosed by the tags

<VirtualHost _default_:443>

and

</VirtualHost>

Between the tags add a line

ServerName DOMAIN

where DOMAIN is the domain value printed in the above script. This will allow the Apache web server to respond to requests with a valid certificate.

Restart the web server

systemctl restart apache2

On Fedora, CentOS and RedHat, modify the file /etc/httpd/conf.d/ssl.conf. Find the line

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Replace /etc/pki/tls/certs/localhost.crt with the path to the cert.pem file shown by the command above.

Find the line

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Replace /etc/pki/tls/private/localhost.key with the path to the privkey.pem file shown by the script above.

Finally, find the VirtualHost section enclosed by the tags

<VirtualHost _default_:443>

and

</VirtualHost>

Between the tags add a line

ServerName NAME

where NAME is the domain value printed in the above script. This will allow the Apache web server to respond to requests with a valid certificate.

Restart the web server

systemctl restart httpd
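
A static check for the three steps above, as an added example that is not part of the Globus documentation: it reports an active port 80 listener, a default VirtualHost that does not deny access or lacks a ServerName, and distribution default certificates still in use. The function names and the sample files are constructed for illustration; point the functions at your own ports.conf or httpd.conf and default-ssl or ssl.conf.

```shell
#!/bin/sh
# Added example: static audit for the three hardening steps on this page.
# Function names and the sample files below are constructed for illustration.

# Succeeds if file $1 has no active (uncommented) listener on port 80.
no_http_listener() {
    ! grep -Eiq '^[[:space:]]*Listen[[:space:]]+(.*:)?80([[:space:]]|$)' "$1"
}

# Print the uncommented lines of the <VirtualHost _default_:443> section of $1.
default_vhost() {
    sed -n '/<VirtualHost[[:space:]][[:space:]]*_default_:443>/,/<\/VirtualHost>/{/^[[:space:]]*#/!p;}' "$1"
}

# Print one finding per problem in the default vhost of $1; nothing if clean.
audit_vhost() {
    body=$(default_vhost "$1")
    [ -n "$body" ] || { echo "no default :443 VirtualHost"; return 0; }
    printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*Require[[:space:]]+all[[:space:]]+denied' ||
        echo "default vhost does not deny all access"
    printf '%s\n' "$body" | grep -Eiq '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]' ||
        echo "ServerName not set"
    printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLCertificate(Key)?File' |
        grep -Eq 'snakeoil|/localhost\.(crt|key)' &&
        echo "distribution default certificate or key still in use"
    return 0
}

# Constructed sample: step 1 applied, steps 2 and 3 not yet applied.
demo=$(mktemp -d)
printf '%s\n' '# Listen 80' 'Listen 443' > "$demo/ports.conf"
cat > "$demo/default-ssl" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
EOF
no_http_listener "$demo/ports.conf" && echo "port 80: no active listener"
audit_vhost "$demo/default-ssl"
rm -rf "$demo"
```

Because the check only reads configuration files, it can run before the restart in each step; Apache's own `apachectl configtest` still needs to pass separately.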
© 2010- The University of Chicago