Securing existdb - kwantu/platformconfiguration GitHub Wiki
# Securing eXist-db
First we need to create a password file for nginx. https://www.digitalocean.com/community/tutorials/how-to-set-up-basic-http-authentication-with-nginx-on-centos-7
# htpasswd ships with httpd-tools on CentOS/RHEL
sudo yum install -y httpd-tools
# sudo htpasswd -c /etc/nginx/.htpasswd <name>
# -c creates the file and overwrites any existing one, so use it only for the
# first user; add later users without -c. htpasswd prompts for the password.
sudo htpasswd -c /etc/nginx/.htpasswd kwantuexistdb
# NOTE(review): the file only needs to be readable by the nginx worker user;
# check its owner and mode after creating it so other local users cannot read it
cd /etc/nginx/conf.d/
vim kwantu_8888.conf
## then insert the following
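server {
    listen 8888;
    keepalive_timeout 0;
    # replace with the host name or address clients use to reach this proxy
    server_name <ip address where exist is running>;
    access_log /var/log/nginx/access_8888.log;
    error_log /var/log/nginx/error_8888.log;
    client_max_body_size 200M;
    proxy_read_timeout 10m;
    # pass request headers with invalid names through to eXist instead of dropping them
    ignore_invalid_headers off;

    # any call coming in with the /exist first part is proxied to the eXist server.
    # exist8080 is an upstream name; it must be declared (upstream block or resolvable
    # host) elsewhere in the nginx configuration, it is not defined in this file.
    location /exist {
        proxy_pass http://exist8080/exist;
        include /etc/nginx/proxy_default.conf;
        # NOTE(review): basic-auth credentials travel base64-encoded on every request,
        # so this listener should be served over TLS or be reachable only from trusted
        # networks (firewall); the password file is the one created with htpasswd above
        auth_basic "Basic Auth";
        auth_basic_user_file "/etc/nginx/.htpasswd";
    }

    # everything that is not under /exist is refused on this listener
    location / {
        deny all;
    }
}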
Then review each of the existing server entries that proxy to eXist and set the following:
...
# any call coming in with the /exist first part is proxied to the eXist server.
# nginx chooses the longest matching prefix location, so the more specific
# locations below win over the catch-all /exist one regardless of their order.
# NOTE(review): none of these locations carries auth_basic, so the modules/api
# paths are reachable without the nginx password - confirm that is intended here.
# keep eXist's packaged apps (dashboard etc.) off this listener; the prefix ends in
# a slash, so a request to exactly /exist/apps (no slash) is matched by /exist instead
location /exist/apps/ {
deny all;
}
# NOTE(review): a prefix location also matches longer paths such as
# .../modules-other; confirm no such sibling collection exists, or use an exact match
# maps the public kwantu-resource path onto the kwantu-api collection
location /exist/rest/db/kwantu-resource/modules {
proxy_pass http://exist8080/exist/rest/db/kwantu-api/modules;
include /etc/nginx/proxy_default.conf;
}
location /exist/rest/db/kwantu-resource/api {
proxy_pass http://exist8080/exist/rest/db/kwantu-api;
include /etc/nginx/proxy_default.conf;
}
# catch-all for everything else under /exist, including /exist/rest/db/... collections
# not listed above; eXist's own collection permissions are the only gate on this
# path, which is why the "rw-------" collection setting described below matters
location /exist {
proxy_pass http://exist8080/exist;
include /etc/nginx/proxy_default.conf;
}
After making sure that all the /db/... collections are "rw-------" only, run /db/kwantu-resource/_tools/updatePermissions.xq. Use the user manager to make sure that the guest user is not a member of any group except the guest accounts.