-rw-r--r-- | taler-merchant-manual.rst | 42 |
1 files changed, 25 insertions, 17 deletions
diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst index d9f3ddd3..52082b33 100644 --- a/taler-merchant-manual.rst +++ b/taler-merchant-manual.rst @@ -926,14 +926,6 @@ have TLS configured. Leave out the last line if your Nginx reverse proxy does not have HTTPS enabled. Make sure to restart the ``taler-merchant-httpd`` process after changing the ``SERVE`` configuration. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: nginx - - error_page 404 =403 /empty.gif; - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - Apache ^^^^^^ @@ -960,15 +952,6 @@ Note that the above again assumes your domain name is ``example.com`` and that you have TLS configured. Note that you must add the ``https`` header unless your site is not available via TLS. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: apacheconf - - cond %{STATUS} =404 - set-status 403 - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - The above configurations are both incomplete. You must still additionally set up access control! @@ -1120,6 +1103,31 @@ restrict access to the internal API to authorized clients. System administrators are strongly advised to test their access control setup before going into production! +Status code remapping +--------------------- + +Normal API usage leaks instance existence information. +Distinguishing between 404 (Not found) and 403 (Forbidden) +is useful for diagnostics. + +For higher security (by leaking less information), +you can add the following fragment, +which remaps all 404 response codes to 403. + +Nginx +^^^^^ + +.. code-block:: nginx + + error_page 404 =403 /empty.gif; + +Apache +^^^^^^ +.. code-block:: apacheconf + + cond %{STATUS} =404 + set-status 403 + Customization ============= |
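Review bot: removing the nginx fragment from this section (hunk at ``@@ -926``) drops the context that told the reader ``error_page 404 =403 /empty.gif;`` belongs in the same server/location block as the reverse-proxy configuration it followed, and the directive still depends on ``/empty.gif`` being served by something; wherever the fragment lands, it should say in which block the directive goes and what serves that resource, otherwise an operator copying it verbatim gets a remap whose target is itself unresolved.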
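Review bot: the Apache fragment removed in the hunk at ``@@ -960`` (``cond %{STATUS} =404`` / ``set-status 403``) is relocated unchanged, but those two lines are not core Apache httpd directives as far as I can tell, and the hunk does not say which module they are for; since the text is being moved anyway, this is the moment to confirm the syntax is accepted by the configuration the ``apacheconf`` label implies or to note the module it requires, rather than carry an untested fragment into a section that recommends it "for higher security".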
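Review bot: in the new ``Status code remapping`` section (hunk at ``@@ -1120``) the ``Apache`` subsection is missing the blank line between the ``^^^^^^`` underline and ``.. code-block:: apacheconf`` that the ``Nginx`` subsection has; add it so the two subsections render consistently. The introductory prose also states the trade-off backwards: it first says distinguishing 404 from 403 "is useful for diagnostics" and then tells the reader to remove the distinction; say plainly that the remap hides from unauthenticated clients whether an instance exists, at the cost of less informative error codes for operators, and that it applies to every 404 the proxy returns, not only instance lookups. Finally, the fragments previously sat inside the reverse-proxy configuration blocks; now that they stand alone, the section should say where in the nginx and Apache configuration they are meant to be inserted.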