GCS Default Apache VirtualHost Configuration
Globus Connect Server requires the Apache web server to be enabled and running to provide access to its services. If a data transfer node does not have an existing Apache configuration, the distribution's default configuration is enabled. This default configuration often has undesirable properties, such as listening for unencrypted HTTP requests, using a self-signed certificate for the default VirtualHost, and returning a default landing page. This document describes ways to harden the default virtual host so that it exposes as little as possible and so that security scanners do not flag it as a finding.
We recommend keeping a default VirtualHost configured, even if it only returns 403 errors. Without one, the GCS Manager web service becomes the default site, so network scanners that probe the node by IP address (rather than by the endpoint's name) would reach Globus services and add load to the data transfer node.
1. Disable Non-encrypted HTTP service
On Debian-based systems (apache2), modify the ports that the Apache web server listens on by editing the file /etc/apache2/ports.conf. Change the line
Listen 80
to
# Listen 80
By default, the Apache web server configuration includes an HTTP site (000-default). This must also be disabled when the port is turned off, or the Apache web server will not load. However, if there is no default site, the GCS Manager web service becomes the default site. We recommend enabling the default SSL site and then using the steps in the next section to disable all access on it.
Run these commands as root:
a2dissite 000-default
a2ensite default-ssl
systemctl restart apache2
On Red Hat-based systems (httpd), modify the default httpd configuration file /etc/httpd/conf/httpd.conf. Change the line
Listen 80
to
# Listen 80
Restart the web server:
systemctl restart httpd
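The edit above is a one-line change, but on a fleet of data transfer nodes it is worth making idempotently and checking before restarting Apache. The following is added example code, not part of the Globus documentation: the function names (http_listen_enabled, disable_http_listen) are this example's own, it works on whichever file holds the Listen directive (/etc/apache2/ports.conf or /etc/httpd/conf/httpd.conf), and it leaves already-commented lines and the Listen 443 directive alone.

```shell
#!/bin/sh
# Added example (not from the Globus documentation): comment out an active
# "Listen 80" directive in an Apache configuration file, idempotently, and
# report whether a plain-HTTP listener is still configured.

# Matches "Listen 80", "Listen 0.0.0.0:80" and "Listen [::]:80", but not
# "Listen 8080" or a line that is already commented out.
HTTP_LISTEN_RE='^[[:space:]]*Listen[[:space:]]+(80|[0-9.]+:80|\[[^]]*]:80)[[:space:]]*$'

# Return 0 if FILE still contains an uncommented "Listen 80" directive.
http_listen_enabled() {
    grep -Eq "$HTTP_LISTEN_RE" "$1"
}

# Comment out every active "Listen 80" line in FILE. A copy is kept as
# FILE.bak, and the file is rewritten in place (same inode, same permissions).
disable_http_listen() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    sed -E 's/^([[:space:]]*)(Listen[[:space:]]+(80|[0-9.]+:80|\[[^]]*]:80)[[:space:]]*)$/\1# \2/' \
        "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" \
        && rm -f "$conf.tmp"
    # success means no active HTTP listener remains
    ! http_listen_enabled "$conf"
}
```

After running disable_http_listen on the real file, run `apachectl configtest` before restarting, and confirm with `ss -ltn` that nothing is bound to port 80 once Apache is back up.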
2. Disable default VirtualHost data access
On Debian-based systems (apache2), modify the file /etc/apache2/sites-available/default-ssl. Find the VirtualHost section enclosed by the tags
<VirtualHost _default_:443>
and
</VirtualHost>
Add the following lines between those tags:
<LocationMatch /.*>
ErrorDocument 403 "Access denied"
Require all denied
</LocationMatch>
The LocationMatch covers every path, including /, so the default VirtualHost answers all requests with a bare 403 instead of the distribution's landing page. Restart the web server:
systemctl restart apache2
On Red Hat-based systems (httpd), modify the file /etc/httpd/conf.d/ssl.conf. Find the VirtualHost section enclosed by the tags
<VirtualHost _default_:443>
and
</VirtualHost>
Add the following lines between those tags:
<LocationMatch /.*>
ErrorDocument 403 "Access denied"
Require all denied
</LocationMatch>
Restart the web server:
systemctl restart httpd
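Inserting the deny block by hand is easy to get wrong on a file that has several VirtualHost sections, or to do twice on a node that was already hardened. The following is added example code, not part of the Globus documentation: the function names (default_vhost_denied, deny_default_vhost) are this example's own, and it inserts exactly the LocationMatch block shown above immediately before the </VirtualHost> that closes the _default_:443 section, refusing to touch a file that has no such section.

```shell
#!/bin/sh
# Added example (not from the Globus documentation): add a deny-all
# LocationMatch block to the <VirtualHost _default_:443> section of an
# Apache SSL site file without duplicating it on re-runs.

DENY_BLOCK='    <LocationMatch /.*>
        ErrorDocument 403 "Access denied"
        Require all denied
    </LocationMatch>'
export DENY_BLOCK    # handed to awk via ENVIRON so the newlines survive

# Return 0 if the _default_:443 VirtualHost in FILE already contains
# "Require all denied".
default_vhost_denied() {
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]+_default_:443>/ { inside = 1 }
        inside && /^[[:space:]]*Require[[:space:]]+all[[:space:]]+denied/ { found = 1 }
        /^[[:space:]]*<\/VirtualHost>/ { inside = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Insert DENY_BLOCK before the </VirtualHost> closing _default_:443 in FILE.
# Keeps FILE.bak, rewrites FILE in place, and fails without changing anything
# if the file has no _default_:443 VirtualHost.
deny_default_vhost() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    if default_vhost_denied "$conf"; then
        return 0    # already hardened: nothing to do
    fi
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]+_default_:443>/ { inside = 1 }
        inside && /^[[:space:]]*<\/VirtualHost>/ {
            print ENVIRON["DENY_BLOCK"]; inside = 0; done = 1
        }
        { print }
        END { if (!done) exit 1 }
    ' "$conf" > "$conf.tmp" || {
        rm -f "$conf.tmp"
        echo "no <VirtualHost _default_:443> section in $conf" >&2
        return 1
    }
    cp -p "$conf" "$conf.bak" \
        && cat "$conf.tmp" > "$conf" \
        && rm -f "$conf.tmp"
    default_vhost_denied "$conf"
}
```

After restarting Apache, check the result from another host with `curl -sk -o /dev/null -w '%{http_code}\n' https://<node-ip>/`, which should print 403; a 200 means the request is still being served by the default site's DocumentRoot or, worse, by the GCS Manager.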
3. Use a Valid Certificate
You can replace the default self-signed certificate with one signed by a trusted certificate authority. Globus Connect Server obtains such a certificate on your behalf so that the Globus services can reach the node; the script below prints a subdomain name (dummy-default. followed by the endpoint's domain_name) covered by that certificate, which you can use as the ServerName of the default VirtualHost. Alternatively, you can provide your own certificate and key.
These instructions assume you plan to use the Globus certificate; if you want to use a different one, replace the paths with those of your certificate and key, and set the ServerName appropriately. Note that Apache reads the certificate and key files only when it starts or reloads, so after the files are replaced or renewed the default VirtualHost keeps serving the old certificate until Apache is restarted or reloaded.
Locate the certificate and private key to use. By default, Globus stores these in a subdirectory of /var/lib/globus-connect-server/gcs-manager/etc/domains, with the name matching the domain_name property of the endpoint you are running the commands on.
The following script (run as root) displays the paths to the certificate and private key, and the name to use for the default VirtualHost.
#! /bin/sh
# Print the default VirtualHost name and the paths of the certificate and
# private key that Globus Connect Server manages for this node.
info=/var/lib/globus-connect-server/info.json
domains_dir=/var/lib/globus-connect-server/gcs-manager/etc/domains
bad=0
if [ ! -s "$info" ]; then
    echo "Run globus-connect-server node setup before running this script" >&2
    bad=1
fi
# The domains directory is only readable by root.
if [ ! -d "$domains_dir/." ]; then
    echo "Unable to check existence of GCS cert directory, run this script as root." >&2
    bad=1
fi
if [ "$bad" = 1 ]; then
    exit 1
fi
# Extract the domain_name value from info.json (relies on the usual
# "domain_name": "value" layout, so no JSON parser is needed).
d=$(awk -F'"' '/domain_name/ {print $4; exit}' "$info")
if [ -z "$d" ]; then
    echo "Unable to find domain_name in $info" >&2
    exit 1
fi
if [ ! -f "$domains_dir/$d/cert.pem" ]; then
    echo "Unable to find domain certificate for $d" >&2
    bad=1
fi
if [ ! -f "$domains_dir/$d/privkey.pem" ]; then
    echo "Unable to find domain private key for $d" >&2
    bad=1
fi
if [ "$bad" = 1 ]; then
    exit 1
fi
echo "domain: dummy-default.$d"
echo "cert  : $domains_dir/$d/cert.pem"
echo "key   : $domains_dir/$d/privkey.pem"
On Debian-based systems (apache2), modify the file /etc/apache2/sites-available/default-ssl. Find the line
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
and replace /etc/ssl/certs/ssl-cert-snakeoil.pem with the path to the cert.pem file shown by the script above. Find the line
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
and replace /etc/ssl/private/ssl-cert-snakeoil.key with the path to the privkey.pem file shown by the script above.
Finally, find the VirtualHost section enclosed by the tags
<VirtualHost _default_:443>
and
</VirtualHost>
and add between those tags the line
ServerName DOMAIN
where DOMAIN is the domain value printed by the script above. This lets the Apache web server respond to requests for that name with a certificate that is valid for it.
Restart the web server:
systemctl restart apache2
On Red Hat-based systems (httpd), modify the file /etc/httpd/conf.d/ssl.conf. Find the line
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
and replace /etc/pki/tls/certs/localhost.crt with the path to the cert.pem file shown by the script above. Find the line
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
and replace /etc/pki/tls/private/localhost.key with the path to the privkey.pem file shown by the script above.
Finally, find the VirtualHost section enclosed by the tags
<VirtualHost _default_:443>
and
</VirtualHost>
and add between those tags the line
ServerName NAME
where NAME is the domain value printed by the script above. This lets the Apache web server respond to requests for that name with a certificate that is valid for it.
Restart the web server:
systemctl restart httpd
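The most common way this step fails is a mismatched certificate and key (for example, pasting the cert.pem path into both directives), which only shows up when Apache refuses to start. The following is added example code, not part of the Globus documentation: the function names (cert_key_match, install_default_cert) are this example's own; it compares the public key in the certificate with the public key derived from the private key using openssl x509 -pubkey and openssl pkey, and only then rewrites the SSLCertificateFile, SSLCertificateKeyFile and ServerName directives of the _default_:443 VirtualHost in the file you pass it (ssl.conf or default-ssl).

```shell
#!/bin/sh
# Added example (not from the Globus documentation): verify that a certificate
# and private key belong together, then point the _default_:443 VirtualHost at
# them and set its ServerName. Run as root against the paths printed by the
# Globus script above, e.g.
#   install_default_cert /etc/httpd/conf.d/ssl.conf \
#       /var/lib/globus-connect-server/gcs-manager/etc/domains/DOMAIN/cert.pem \
#       /var/lib/globus-connect-server/gcs-manager/etc/domains/DOMAIN/privkey.pem \
#       dummy-default.DOMAIN

# Return 0 if the public key in CERT equals the public key derived from KEY.
# Both are normalised to DER and hashed, so key type does not matter.
cert_key_match() {
    cert=$1; key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Rewrite the certificate directives and ServerName inside the
# <VirtualHost _default_:443> section of CONF. Refuses to edit CONF if CERT
# and KEY do not match. Keeps CONF.bak and rewrites CONF in place.
install_default_cert() {
    conf=$1; cert=$2; key=$3; name=$4
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cert_key_match "$cert" "$key" || {
        echo "certificate $cert and key $key do not match; $conf left unchanged" >&2
        return 1
    }
    awk -v cert="$cert" -v key="$key" -v name="$name" '
        /^[[:space:]]*<VirtualHost[[:space:]]+_default_:443>/ {
            print; print "    ServerName " name; inside = 1; next
        }
        inside && /^[[:space:]]*ServerName[[:space:]]/ { next }   # drop old ServerName
        inside && /^[[:space:]]*SSLCertificateFile[[:space:]]/ {
            print "    SSLCertificateFile " cert; next
        }
        inside && /^[[:space:]]*SSLCertificateKeyFile[[:space:]]/ {
            print "    SSLCertificateKeyFile " key; next
        }
        /^[[:space:]]*<\/VirtualHost>/ { inside = 0 }
        { print }
    ' "$conf" > "$conf.tmp" \
        && cp -p "$conf" "$conf.bak" \
        && cat "$conf.tmp" > "$conf" \
        && rm -f "$conf.tmp"
}
```

Because Apache only picks up the files at start or reload, finish with `apachectl configtest` and a restart, then confirm from another host with `openssl s_client -connect <node-ip>:443 -servername <DOMAIN>` that the certificate presented is the Globus one rather than the distribution's self-signed default.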