From b6b336d9f96c0618885b587ebb2b4d85a9381afb Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 11 Jul 2013 17:01:02 -0700 Subject: config - add force_ssl to config, add configuration notes to README.md --- README.md | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 7817c0e..8e59c76 100644 --- a/README.md +++ b/README.md @@ -24,10 +24,14 @@ For more information, see these files in the ``doc`` directory: Known problems --------------------------- -* Client certificates are generated without a CSR. The problem is that this makes the web -application extremely vulnerable to denial of service attacks. This was not an issue until we -started to allow the possibility of anonymously fetching a client certificate without -authenticating first. +* Client certificates are generated without a CSR. The problem is that this makes the web + application extremely vulnerable to denial of service attacks. This was not an issue until we + started to allow the possibility of anonymously fetching a client certificate without + authenticating first. + +* By its very nature, the user database is vulnerable to enumeration attacks. These are + very hard to prevent, because our protocol is designed to allow query of a user database via + proxy in order to provide network perspective. Installation --------------------------- 
@@ -57,12 +61,27 @@ Typically, you run ``bundle`` as a normal user and it will ask you for a sudo pa Configuration ---------------------------- -The webapp can hand out certs for the EIP client. These certs are either picked from a pool in CouchDB or from a file. For now you can either run [Leap CA](http://github.com/leapcode/leap_ca) to fill the pool or you can put your certs file in config/cert. - -We also ship provider information through the webapp. For now please add your eip-service.json to the public/config directory. - -Copy the example configuration file and customize as appropriate: - cp config/config.yml.example config/config.yml +The configuration file `config/defaults.yml` providers good defaults for most +values. You can override these defaults by creating a file `config/config.yml`. + +There are a few values you should make sure to modify: + + production: + admins: ["myusername","otherusername"] + domain: example.net + force_ssl: true + secret_token: "4be2f60fafaf615bd4a13b96bfccf2c2c905898dad34..." + client_ca_key: "/etc/ssl/ca.key" + client_ca_cert: "/etc/ssl/ca.crt" + ca_key_password: nil + +* `admins` is an array of usernames that are granted special admin privilege. +* `domain` is your fully qualified domain name. +* `force_ssl`, if set to true, will require secure cookies and turn on HSTS. Don't do this if you are using a self-signed server certificate. +* `secret_token`, used for cookie security, you can create one with `rake secret`. Should be at least 30 characters. +* `client_ca_key`, the private key of the CA used to generate client certificates. +* `client_ca_cert`, the public certificate the CA used to generate client certificates. +* `ca_key_password`, used to unlock the client_ca_key, if needed. Running ----------------------------- -- cgit v1.2.3
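Review bot: In the first hunk (Known problems), the new "enumeration attacks" bullet and the existing DoS bullet both state a weakness without saying whether any mitigation (rate limiting on anonymous certificate fetches or proxied user queries) exists or is planned; a README that is the operator's first stop should say so, or point at the issue tracking it. Also note that the only change to the first bullet is re-indenting its continuation lines, which is whitespace-only and would be easier to review if split from the substantive addition.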
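Review bot: In the second hunk (Configuration), the example `ca_key_password: nil` is misleading as YAML: `nil` is parsed as the string "nil", not as a null value, so an operator who copies it verbatim gets a non-empty password and the CA key fails to unlock. Use `ca_key_password: ~` (or leave the key out) and say in the bullet that it should be omitted when the key is unencrypted. The `force_ssl` bullet should also warn that HSTS is sticky: once a browser has seen the header it refuses plain HTTP for the max-age even if you later set `force_ssl: false`, so the self-signed-certificate caveat applies for the whole lifetime of that policy, not just while the option is on. The removed paragraphs were the only place documenting where `eip-service.json` goes (`public/config`) and that the cert pool can be filled with Leap CA or a file in `config/cert`; nothing in the new text replaces that, so it should be kept or moved rather than dropped. Minor: "providers good defaults" should read "provides good defaults", and "the public certificate the CA used" should read "the public certificate of the CA used".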