ActiveMQ user config - which file does what? [closed] - activemq

There are many locations for defining usernames and passwords:
activemq.xml
users.properties
groups.properties
credentials.properties
credentials-enc.properties
I am using authorizationPlugin in activemq.xml. I figure user/pass is for specific destinations.
How do the groups in authorizationPlugin relate to groups.properties?
When are credentials.properties and credentials-enc.properties being used?
How will the password from user.properties be used in contrast to the credentials.properties and credentials-enc.properties?
Is it necessary that user/pass/group from files match (apart from users.properties/groups.properties)?
Basically I want
user/pass on TCP port
user/pass on web console
user/pass per destination

A good reference here: ActiveMQ Security
I suggest starting with getting user+password how you want, and then adding authorization. The authorization is generally done by group or role tied to a destination or a destination wildcard. Be sure to create an 'allusers' group or 'allrole' as you generally want to grant all users access to the topic://ActiveMQ.Advisory.> destination wildcard.
The different files in the distribution are provided by different sample setups.
Assuming the Apache ActiveMQ distribution
conf/login.config defines which files ActiveMQ uses for authenticating and authorizing users and groups
conf/jetty-realm.properties defines which files the web console uses for authenticating and authorizing web console access
Note for future readers: there is a JIRA to consolidate all auth in ActiveMQ to one set of files. Follow JIRA AMQ-8391.
Keep in mind: many of these 'static' named users and groups are for developer-local testing or for running a broker in a unit test. Generally, production systems will want to use JAAS.
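
A consistency check for the file-based setup discussed above, as an added example that is not part of the original answer. It assumes conf/login.config points the PropertiesLoginModule at users.properties (user=password) and groups.properties (group=user1,user2); it reports groups named in authorizationEntry attributes that groups.properties does not define, and group members missing from users.properties. The function names, users, groups and the ORDERS queue are constructed.

```shell
#!/bin/sh
# Added example: cross-check ActiveMQ authorization groups against the JAAS
# properties files. Every file content below is a constructed sample.

# Group names used in read=/write=/admin= attributes of authorizationEntry.
groups_in_xml() {
    grep -oE '(read|write|admin)="[^"]*"' "$1" |
        sed 's/^[a-z]*="//; s/"$//' | tr ',' '\n' | sed 's/^ *//; s/ *$//' | sort -u
}

# Keys (left of '=') of a properties file, skipping comments and blank lines.
prop_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | cut -d= -f1 | sort -u
}

# Users listed as group members (right of '=') in groups.properties.
group_members() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | cut -d= -f2- | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | sort -u
}

# Print one finding per line; empty output means the three files agree.
audit_activemq_auth() {   # args: activemq.xml users.properties groups.properties
    for g in $(groups_in_xml "$1"); do
        prop_keys "$3" | grep -qxF "$g" || echo "undefined-group:$g"
    done
    for u in $(group_members "$3"); do
        prop_keys "$2" | grep -qxF "$u" || echo "unknown-user:$u"
    done
}

make_sample() {           # writes the constructed sample files into directory $1
    cat > "$1/activemq.xml" <<'EOF'
<authorizationPlugin><map><authorizationMap><authorizationEntries>
  <authorizationEntry queue="ORDERS.>" read="consumers" write="producers" admin="admins"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="allusers" write="allusers" admin="allusers"/>
</authorizationEntries></authorizationMap></map></authorizationPlugin>
EOF
    printf 'alice=constructed-pw-1\nbob=constructed-pw-2\n' > "$1/users.properties"
    printf 'admins=alice\nproducers=alice\nconsumers=bob,carol\n' > "$1/groups.properties"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_activemq_auth "$tmp/activemq.xml" "$tmp/users.properties" "$tmp/groups.properties"
rm -rf "$tmp"
```

On the constructed sample it reports that the advisory entry names an 'allusers' group no file defines, and that 'carol' is a group member with no password entry.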


How can I prevent apache to log Health Checks in Docker? [closed]

I have a dockerized web application deployed, and everything works just fine, logging every request, including a HUGE number of health checks, which are configured to hit the page /health, a blank page.
I think it's a common problem, and I found this question for a different stack (Elastic Beanstalk).
I'd like to have a solution that is completely automatic and possibly in the Dockerfile.
First of all, I need an additional configuration file for Apache, let's call it apacheLogFilter.conf.
The content will be pretty easy, but it could be customized as much as we want, defining custom rules. The trick is defining a custom environment variable that, if present, will stop the logging for that request:
SetEnvIf Request_URI "^/health$" dontlog
Once this new configuration is defined, we need to plug it into Apache directly in the Dockerfile, adding the following rows:
FROM php:7.2-apache
...
# Copy the log-filtering configuration in the right place
COPY apacheLogFilter.conf /etc/apache2/conf-enabled
# Change the standard logging entry of all the available sites to use the variable
RUN sed -ri -e 's!combined!combined env=\!dontlog!g' /etc/apache2/sites-available/*.conf
...
In this way, the configuration file will be loaded by Apache at startup, each request will be checked against the rules defined, and if one of them triggers, the request will not be logged.

Access new web site via browser with IP address? [closed]

I've set up a new site with WHM but haven't got the DNS set up yet. I want to be able to access the site via a browser so I can set up a CMS. Usually, I can just do this by entering the IP address into the browser, but this time I just get a page saying that Apache is working on the server.
Does anyone know a way round this?
Thanks!
The problem is that the request your browser is sending doesn't include the correct Host: in the HTTP header, so the web server replies with a default catch-all page.
You can either
set up a private (local) authoritative DNS server with a yoursite.com zone, and set your system's DNS to point to this DNS server, or
temporarily trick the DNS resolution in your local system by registering whatever.yoursite.com with its corresponding IP address in the /etc/hosts file (in Unix-like systems). There's an equivalent file in MS Windows systems, look for a file named hosts in C:\Windows\system32\drivers\etc.
I'd try with the latter first, as it's just a matter of adding a single line to a text file:
203.0.113.22 whatever.yoursite.com
You may need to restart your browser.

Is there an online LDAP emulator? [closed]

I'm doing some homework with LDAP that consists of creating LDIF files, adding them to the LDAP server, and afterwards performing some searches and viewing the results.
To avoid installing LDAP in my computer, I'm wondering if there exists some LDAP emulator online service where I can execute these instructions.
I've seen something similar with "online sql emulator", but not anything about LDAP.
Another alternative is the in-memory directory server provided by the UnboundID LDAP SDK, which I talk about here. There is no need to install a server. LdapListenerExample.java gives an example of how to use the in-memory directory server. The example shows how to create the server, start it listening, load schema files listed as command line options, and load a file containing LDIF into the server database.
Unfortunately, I'm not aware of such a thing.
As an alternative, I'd suggest you use OpenDS, which is very easy to deploy (e.g. via Install with QuickSetup) and to get rid of afterwards. Its import-ldif, make-ldif and export-ldif commands could be useful for your work.
I recently wrote godap - a very minimalistic LDAP server library in Go. It doesn't read LDIFs, but you can easily make it respond to bind and search operations. (It also may provide insight into the LDAP protocol.)

How can one reference subdomains on a dev server that also correctly resolve on a production server? [closed]

I've got a LAMP dev server at something like dev.example.com. Eventually this will be replicated to something like www.example.com where we will have root access.
I'd like to have the sys admin set up a few subdomains (e.g., subdomain1.example.com) such that they will work on both the dev server and the production server without the references to those subdomains having to be rewritten.
Can Apache be configured on the dev and production servers such that my code can reference something like subdomain1.localhost? Is there some other way of doing this?
(The servers will run recent versions of CentOS and the AMP stack.)
I finally found the answer in the CDN module. As the name implies, this is intended to be used with content delivery networks but essentially all it does is a rule-based re-writing of the URLs that Drupal outputs. I've used it to re-write URLs so that different file types can be served from unique hostnames (again, to maximize parallel downloads).
Reading your question again, I think that you want your code to always return subdomain1.localhost, and you want Apache to somehow change this to subdomain1.example.com on your production server.
You could do this with ProxyPassReverse, although you might have to run two copies of Apache if the subdomain1 is on the same machine. (I don't know if Apache will cope with talking to itself here). This is an expensive solution.
Instead, I recommend you parameterize your code.
On Rails stacks, the easiest way to do this is with the production.rb cp that Capistrano recommends, and you might want to investigate similar ways of deploying your PHP code.

What are best practices for permissions on Apache-writable directories? [closed]

Sometimes I want to allow users to upload files through Apache. There are two different ways I could set the permissions so that Apache can write the uploaded files to the directory.
I can make the user Apache is running as the owner of the directory so that it looks like this:
drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles
I can give write permission to "others" where Apache is one of the others:
drwxr-xrwx 35 egbert admin 1190 Mar 9 13:17 uploadedfiles
Is one of these safer than the other?
The most restrictive access, in this case exclusive access to www/admin with permission 0750, is always the safest. Note that, in the permission mask above, users who are neither www nor members of admin are not allowed to access the contents of the directory at all; this is in order to reduce the possibility that an unauthorized party logged into the system gains access to potentially confidential information uploaded by users.
Do not forget that on most *nix platforms you also have a third, extremely flexible option, that is, setting ACLs using setfacl. ACLs are a superset of what can be achieved with the regular permission bits and ownership methods. ACLs are the option of choice when confronted with complex security setups (including per-user permissions, default ownerships, etc. - but you may need to first add acl to /etc/fstab in the mount options of the volume hosting your directory, see man mount.) You may choose to use ACLs if two or more users need access to the directory in question without being members of, say, the admin group.
There are 2 questions to ask here - first, who else (if anyone) needs to access those files? If there are other processes that act on those files, who are they running as, and how will that interact with the chosen solution? If there aren't other processes or users accessing the files, I'd go with making the apache user the owner, as that's all that is needed, and it follows one of the oldest principles in security - only let people who need access to something have it.
If the system is being used for other purposes you should probably avoid giving permissions via the 'others'. Allowing permissions here would basically mean anything else running on that computer, or with access to that computer would have rights to those files.
Also, you could create an additional group, and make apache a group member, and whoever is in admin, and change the group ownership to that group, and give permissions to that group. If you use a group, you will probably also need to set the 'setgid' bit on the directory. When the setgid bit is set, any files created will get the same group membership as the parent directory.
The general rule with security is that of least privilege. You want to use as minimal permissions as possible. In this case, the first option (writable by apache) means that the directory can only be written to if your system is compromised through the apache user, whereas with option two (writable by everyone), any account can be compromised and write to that directory. In this case, I would go with option one:
drwxr-xr-x 2 www admin 68 Sep 24 2007 uploadedfiles
Giving read access to others is also a security risk. Wordpress for example, has a file containing the username and password of the database.
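
An audit for an upload directory along the lines the answers above recommend, as an added example that is not part of any original answer: it flags write or read access for "others" and a group-writable directory without the setgid bit. It relies on GNU `stat -c`; the function name and the modes tried in the demo are constructed.

```shell
#!/bin/sh
# Added example: audit the mode of an Apache-writable upload directory.

# Print one finding per line for directory $1. Empty output means the mode
# gives "others" no access and pairs group write access with setgid.
audit_upload_dir() {
    [ -d "$1" ] || { echo "not-a-directory"; return 0; }
    mode=$(stat -c '%a' "$1")            # octal mode, e.g. 757 or 2770
    perms=$(printf '%04d' "$mode")       # pad to: special,user,group,other
    special=${perms%???}                 # first digit (setuid/setgid/sticky)
    other=${perms#???}                   # last digit
    group=${perms#??}; group=${group%?}  # third digit
    if [ $((other & 2)) -ne 0 ]; then echo "world-writable"; fi
    if [ $((other & 5)) -ne 0 ]; then echo "others-can-read-or-list"; fi
    if [ $((group & 2)) -ne 0 ] && [ $((special & 2)) -eq 0 ]; then
        echo "group-writable-without-setgid"
    fi
    return 0
}

# Demo on a scratch directory with constructed modes: the two layouts from
# the question (757, 755), a shared group without and with setgid, and 0750.
d=$(mktemp -d)
for m in 757 755 770 750 2770; do
    chmod "$m" "$d"
    echo "$m: $(audit_upload_dir "$d" | tr '\n' ' ')"
done
rm -rf "$d"
```

Modes 750 and 2770 produce no findings; 2770 comes last in the loop because GNU chmod keeps a directory's setgid bit when a later numeric mode omits it.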