Secure your Tatin registry¶
How to authorise users and secure your Tatin server from attack
Issue and require credentials for publishing packages on your server. Encrypt internet communications by installing security certificates; or (better) use a reverse proxy to shield your Tatin registry behind an industrial-strength web server such as Apache or Nginx.
Credentials¶
The server requires and accepts API keys according to Credentials.csv in the server’s home folder.
Create a UUID and use that as an API key
⍝ One way to create a UUID:
]LoadPackages APLTreeUtils2
1 package loaded into #
APLTreeUtils2.Create_UUID
...
Add an API key¶
To add an API key to the stored credentials, put it in a file Credentials.txt in the server’s home folder as either
<group-name>,<api-key>
*,<api-key>
At the next house-keeping event, the server will detect the file and then:
- delete from
Credentials.csvrules with matching group names - create a Salt for each API key in
Credentials.txt - convert each key and its Salt into a hash and record the rule in
Credentials.csv - delete file
Credentials.txt
Credential rules¶
Rules in Credentials.csv have syntax:
[group-name | *] [,api-key-hash[,salt]]
; just a comment
Some rule examples:
; require hash1 key for group1
group1,hash1,salt1
; require hash2 key for everything else
*,hash2,salt2
; allow no-key publication for everything else
*
Having * (or *, or *=) as the only rule
is the same as having no credentials file.
The rules are read in sequence and can mix different scenarios.
Some credential file examples
Require individual keys for group1 and group2, and a ‘master’ key for other groups:
group1,hash1,salt1
group2,hash2,salt2
*,hash3,salt3
Require keys for group1 and group2 only
group1,hash1
group2,hash2
*
Allow no-key publication for a specific group:
group1,hash1,salt1
group2,
*,hash3,salt3
Delete a rule¶
To delete a rule for a group, edit the file Credentials.csv.
Security certificates¶
Encrypting communications (HTTPS) requires security certificates. The server download includes two:
Assets/Runtime/Certificates/ca-[cert|key].pem
Assets/Runtime/Certificates/localhost-[cert|key].pem
GitHub blocks downloads of certificates.
If the PEMs are missing, look for files with the same names but with a .RemoveMe extension appended.
Removing that extension should produce what you need.
To activate HTTPS, set [CONFIG]Secure to 1 in Plodder's INI file; this switches Plodder from port 80 to port 443.
Instead of enabling HTTPS, shield the server with a reverse proxy.
Reverse proxy¶
If your registry serves requests from the internet, shield it behind an industrial-strength web server like Apache or Nginx.
This improves security and defences against e.g., DDoS attacks. It also offers an easy way to implement load balancing.
Apache can be used as a reverse-proxy server, a.k.a. gateway server.
Suppose Tatin is listening on port 8081.
Add the following lines to the web server’s configuration file, typically /etc/apache2/sites-available.
ProxyPreserveHost on
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
In /etc/apache2/sites-enabled, there should be just a link pointing to /etc/apache2/sites-available.
The ProxyPass directive forwards incoming requests to the Tatin server.
The ProxyPassReverse directive ensures the Location: headers generated by your Tatin server are modified to point instead to the web server.
Apache guides: Reverse Proxy and Module mod_proxy