From ceaccf20d8e4ba8e64fda43cc40d9bd873f81633 Mon Sep 17 00:00:00 2001 From: Thien-Thi Nguyen Date: Wed, 11 Aug 2021 09:16:04 -0400 Subject: factor status-code-remapping text into new subsection "Status code remapping" - Add front para re instance existence leak and its usefulness. - Move status code names from 2nd para to 1st. --- taler-merchant-manual.rst | 42 +++++++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 17 deletions(-) (limited to 'taler-merchant-manual.rst') diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst index d9f3ddd3..52082b33 100644 --- a/taler-merchant-manual.rst +++ b/taler-merchant-manual.rst @@ -926,14 +926,6 @@ have TLS configured. Leave out the last line if your Nginx reverse proxy does not have HTTPS enabled. Make sure to restart the ``taler-merchant-httpd`` process after changing the ``SERVE`` configuration. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: nginx - - error_page 404 =403 /empty.gif; - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - Apache ^^^^^^ @@ -960,15 +952,6 @@ Note that the above again assumes your domain name is ``example.com`` and that you have TLS configured. Note that you must add the ``https`` header unless your site is not available via TLS. -For higher security (by leaking less information), you can add to the configuration: - -.. code-block:: apacheconf - - cond %{STATUS} =404 - set-status 403 - -This remaps all 404 response codes (Not found) to 403 (Forbidden). - The above configurations are both incomplete. You must still additionally set up access control! 
@@ -1120,6 +1103,31 @@ restrict access to the internal API to authorized clients. System administrators are strongly advised to test their access control setup before going into production! +Status code remapping +--------------------- + +Normal API usage leaks instance existence information. +Distinguishing between 404 (Not found) and 403 (Forbidden) +is useful for diagnostics. + +For higher security (by leaking less information), +you can add the following fragment, +which remaps all 404 response codes to 403. + +Nginx +^^^^^ + +.. code-block:: nginx + + error_page 404 =403 /empty.gif; + +Apache +^^^^^^ +.. code-block:: apacheconf + + cond %{STATUS} =404 + set-status 403 + Customization ============= -- cgit v1.2.3
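Review bot: the Nginx fragment in the new "Status code remapping" subsection (`error_page 404 =403 /empty.gif;`) is shown without the `proxy_intercept_errors on;` directive it depends on: in a reverse-proxy setup like the one this manual configures, `error_page` only acts on responses generated by Nginx itself unless `proxy_intercept_errors` is enabled, so 404s returned by `taler-merchant-httpd` would pass through unchanged and the remap would be silently ineffective. Consider adding that directive to the code block (or stating the requirement in the prose), and noting that `/empty.gif` must actually be served by Nginx, since an unresolvable error page would itself produce a different status. Also, the Apache subsection runs `^^^^^^` directly into `.. code-block:: apacheconf` with no blank line, while the Nginx subsection above it has one; add the blank line for consistency with the rest of the file.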