Cyber security Checklist

Hi All
Does anyone have a good checklist for security?
For document folders on the server, properties file configuration, etc.?
Any advice?

Thanks

Hi,

From my point of view :

  1. you need to use one server to host your DB and another one to host your tomcat
  2. you need to set the Axelor DB user as owner of the specific schema for the first boot/update, and afterwards remove this privilege and keep only the add/update/remove ones.
  3. you need to add a reverse-proxy behind your tomcat (apache/nginx) to add a protocol break, and use filtering plugins like mod_security, fail2ban, etc.
  4. for the tomcat side, I advise you to put the webapp and upload/download folders in separate folders such as “/var/axelor/webapps”, “/var/axelor/upload”, “/var/axelor/download”, while keeping the tomcat binaries in /opt/tomcat
  5. I advise you to use SELinux to protect your folders

There are several things that should change on the Axelor side to enhance security (such as not exposing the DB password and encryption password in a file which is readable by Tomcat…), but these are some good points to start with.

Regards

Thanks again.
How did you configure tomcat to read application properties from an external file? Currently on our test environment it’s still inside src/resource, so we build and deploy the properties internally.

An external file is better than having it inside the WEB-INF/classes folder, but in both cases this file must be readable by the tomcat user, so it’s the same security risk.

1 Like

Yes I know, I was looking for some workaround, because that file stores the DB credentials and also the encryption password.
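Two points from this thread can be checked mechanically: the separated folder layout from item 4 of the checklist, and the properties file that has to stay readable by the tomcat user but by nobody else (the risk discussed in the last replies). The POSIX sh audit below is an added example, not code from the thread or from Axelor; the paths, the `axelor-config.properties` file name, the key names and the sample file contents are constructed for the demonstration, and the only real Axelor key it relies on is `db.default.password`.

```shell
#!/bin/sh
# Added example, not from the thread or from Axelor: audit the separated folder
# layout (webapps / upload / download) and a properties file holding secrets.
# Paths, key names and the sample file below are assumptions for the demo.

# Print the "other" permission digit of PATH (GNU stat first, BSD stat fallback).
other_bits() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  printf '%s\n' "${mode#"${mode%?}"}"     # last character of e.g. "640"
}

# 0 when PATH exists and has no read bit for "other", 1 otherwise.
not_world_readable() {
  [ -e "$1" ] || return 1
  o=$(other_bits "$1") || return 1
  [ $(( o & 4 )) -eq 0 ]
}

# 0 when PATH exists and has no write bit for "other", 1 otherwise.
not_world_writable() {
  [ -e "$1" ] || return 1
  o=$(other_bits "$1") || return 1
  [ $(( o & 2 )) -eq 0 ]
}

# List the keys in a .properties file whose name ends in .password or .secret,
# so an admin can inventory which secrets the file exposes to the tomcat user.
list_secret_keys() {
  grep -E '^[[:space:]]*[A-Za-z0-9_.-]+\.(password|secret)[[:space:]]*=' "$1" 2>/dev/null \
    | sed -E 's/^[[:space:]]*([^=[:space:]]+).*/\1/'
}

# Audit one properties file: it must not be world-readable. Prints the secret
# keys it holds either way. Returns 0 on pass, 1 on failure.
audit_config() {
  f="$1"
  keys=$(list_secret_keys "$f" | tr '\n' ' ')
  if not_world_readable "$f"; then
    echo "OK   $f is not world-readable; secret keys: $keys"
  else
    echo "FAIL $f is world-readable; secret keys: $keys" >&2
    return 1
  fi
}

# Audit the separated layout: webapps, upload and download must exist under
# ROOT and none may be world-writable. Returns 0 on pass, 1 on failure.
audit_layout() {
  root="$1"; rc=0
  for d in webapps upload download; do
    if [ -d "$root/$d" ] && not_world_writable "$root/$d"; then
      echo "OK   $root/$d"
    else
      echo "FAIL $root/$d missing or world-writable" >&2
      rc=1
    fi
  done
  return $rc
}

# Build a constructed sample: the layout plus a properties file holding a
# database password, written world-readable (644) on purpose to show a failure.
make_sample() {
  root="$1"
  mkdir -p "$root/webapps" "$root/upload" "$root/download"
  chmod 750 "$root/webapps" && chmod 770 "$root/upload" "$root/download"
  cat > "$root/axelor-config.properties" <<'EOF'
# constructed sample, not a real configuration
db.default.user = axelor
db.default.password = example-only
application.name = demo
EOF
  chmod 644 "$root/axelor-config.properties"
}

# Stand-alone run: create the sample, audit it, tighten the mode, audit again.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
  demo_root=$(mktemp -d)
  make_sample "$demo_root"
  audit_layout "$demo_root"
  audit_config "$demo_root/axelor-config.properties" || true
  chmod 640 "$demo_root/axelor-config.properties"
  audit_config "$demo_root/axelor-config.properties"
  rm -rf "$demo_root"
fi
```

On a real host you would run `audit_layout /var/axelor` and `audit_config /path/to/axelor-config.properties` (the external location is an assumption; the thread does not say where it is placed), and pair the mode check with ownership of `root:tomcat` so the tomcat user keeps read access without write access. The script only reports which secret keys are present; it cannot remove the underlying risk the last reply describes, since the file has to be readable by the process that starts the application.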