author    | Thien-Thi Nguyen <ttn@gnuvola.org> | 2021-08-11 09:16:04 -0400
committer | Thien-Thi Nguyen <ttn@gnuvola.org> | 2021-08-11 09:16:04 -0400
commit    | ceaccf20d8e4ba8e64fda43cc40d9bd873f81633 (patch)
tree      | 0b928e4830f8c1be10d0b75490563d72f536fb2a /taler-merchant-manual.rst
parent    | ba209bbe9fb8d5b0017548443d0d68b70adc1016 (diff)
factor status-code-remapping text into new subsection "Status code remapping"
- Add front para re instance existence leak and its usefulness.
- Move status code names from 2nd para to 1st.
Diffstat (limited to 'taler-merchant-manual.rst')
-rw-r--r-- | taler-merchant-manual.rst | 42 |
1 files changed, 25 insertions, 17 deletions
diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst index d9f3ddd3..52082b33 100644 --- a/taler-merchant-manual.rst +++ b/taler-merchant-manual.rst @@ -926,14 +926,6 @@ have TLS configured. Leave out the last line if your Nginx reverse proxy does not have HTTPS enabled. Make sure to restart the ``taler-merchant-httpd`` process after changing the ``SERVE`` configuration. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: nginx - - error_page 404 =403 /empty.gif; - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - Apache ^^^^^^ @@ -960,15 +952,6 @@ Note that the above again assumes your domain name is ``example.com`` and that you have TLS configured. Note that you must add the ``https`` header unless your site is not available via TLS. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: apacheconf - - cond %{STATUS} =404 - set-status 403 - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - The above configurations are both incomplete. You must still additionally set up access control! @@ -1120,6 +1103,31 @@ restrict access to the internal API to authorized clients. System administrators are strongly advised to test their access control setup before going into production! +Status code remapping +--------------------- + +Normal API usage leaks instance existence information. +Distinguishing between 404 (Not found) and 403 (Forbidden) +is useful for diagnostics. + +For higher security (by leaking less information), +you can add the following fragment, +which remaps all 404 response codes to 403. + +Nginx +^^^^^ + +.. code-block:: nginx + + error_page 404 =403 /empty.gif; + +Apache +^^^^^^ +.. code-block:: apacheconf + + cond %{STATUS} =404 + set-status 403 + Customization ============= |
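Review bot: In the first hunk (Nginx, around line 926), deleting the `error_page 404 =403 /empty.gif;` fragment leaves the Nginx section with no pointer to where status code remapping now lives; a reader following the Nginx instructions top to bottom will not discover the new "Status code remapping" subsection. Suggest keeping a one-line cross-reference in place of the removed block, e.g. "See `Status code remapping`_ below for an optional hardening step."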
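Review bot: In the second hunk (Apache, around line 952), the same cross-reference is missing, and the Apache fragment being moved (`cond %{STATUS} =404` / `set-status 403`) is undocumented: neither the old location nor the new subsection says which Apache module or configuration context provides these directives, so a reader cannot tell where to place them or whether their installation supports them. Suggest adding one sentence naming the module and the context (server, virtual host or location) the fragment belongs in, and a cross-reference to the new subsection here as in the Nginx section.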
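Review bot: In the third hunk (new "Status code remapping" subsection), the prose says the fragment "remaps all 404 response codes to 403", but the Nginx line `error_page 404 =403 /empty.gif;` also replaces the response body with the resource `/empty.gif`, which the text never mentions; state that this resource must exist (or pick a URI that does), and note that the remapped response will differ in body from a genuine 403 from the backend, so the remap reduces the status-code leak rather than removing the distinction entirely. Two smaller points: the Apache sub-subsection lacks the blank line between `^^^^^^` and `.. code-block:: apacheconf` that the Nginx sub-subsection has, so add it for consistency and to keep the reStructuredText parsing predictable; and the lead paragraph's "Distinguishing between 404 (Not found) and 403 (Forbidden) is useful for diagnostics." reads as an argument against the remap that follows, so make the trade-off explicit, e.g. "Distinguishing ... is useful for diagnostics, but it also tells unauthenticated clients which instances exist."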