administration:security

Differences

This shows you the differences between two versions of the page.

Previous revision: administration:security [2018/05/21 15:53] – [Changing the Solr Port Number] demiankatz
Next revision: administration:security [2018/12/19 17:32] demiankatz
Line 57: Line 57:
 [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect. [[administration:starting_and_stopping_solr#restarting_solr_manually|Restart the Solr process]] so the changes can take effect.
  
-===== Locking Down the Admin Panel (VuFind 1.x) =====+===== Locking Down the Admin Panel =====
  
-VuFind 1.x includes an administration module (accessible through http://your_vufind_url/Admin/Home).  This is useful, but it can be dangerous in the wrong hands To protect yourself, consider these points: +VuFind includes an administration module (accessible through <nowiki>http://your_vufind_url/Admin/Home</nowiki>).  This is useful, but it should not be exposed to the general public. The access.AdminModule [[configuration:permission_options|permission]] can be used to grant granular control to the module. The entire module can still be disabled using the System/admin_enabled setting if desired.
- +
-  * By default, this has an administrative password of "admin."  The username is also "admin. You should change this by modifying the web/services/Admin/.htpasswd file (see this [[http://httpd.apache.org/docs/2.0/programs/htpasswd.html|Apache documentation page]] for more details on htpasswd). +
-  * There is a rule in the http-vufind.conf Apache configuration file in the root of your VuFind installation which specifies which directory needs to be password-protected.  If you have installed VuFind at a path other than "/vufind", you will need to change this rule to reflect the correct path in order to avoid security gaps!  The section to change begins with: <Location ~ "/vufind/Admin/.+"> or <Location ~ "/[Vv][Uu][Ff][Ii][Nn][Dd]/[Aa][Dd][Mm][Ii][Nn]/.+"> Simply change the regular expression here to match your layout; more details on the Location directive can be found in the [[http://httpd.apache.org/docs/2.0/mod/core.html#location|Apache manual]].  In a Windows or other environment with case-insensitive filenames, be sure to make your regular expression case-insensitive (i.e. like the second of the two example <Location> settings above). +
-  * The Admin module is a good candidate for SSL protection (to prevent your access password from being guessed).  See the SSL section earlier in this document for details. +
-  * If you do not plan on using the Admin module, you can disable it completely by removing the code in web/services/Admin from your server This is the safest option by far! +
-  * Starting with VuFind version 1.1, it is possible to disable the Admin module from within config.ini, and the module is disabled by default. +
- +
-===== Locking Down the Admin Panel (VuFind 2.x) ===== +
- +
-The admin module in VuFind 2.x is less dangerous than the one found in VuFind 1.x.  It no longer uses the Apache-based password protection scheme.  Instead, a new [AdminAuth] section in [[configuration:files:config.ini]] allows access to be restricted by IP range and/or VuFind username.  The entire module can still be disabled using the System/admin_enabled setting if desired.+
  
 ===== Securing User Credentials ===== ===== Securing User Credentials =====
  
-VuFind stores some user information in its database.  Starting with VuFind 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials.  The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind's auto-configuration pages.  Enabling security is highly recommended, but since it breaks backward-compatibility with VuFind 1.x, it should only be done after you are committed to moving forward permanently to 2.x.+VuFind stores some user information in its database.  Starting with VuFind 2.0RC1, you have the option to perform extra hashing/encryption to protect these credentials.  The settings are off by default in [[configuration:files:config.ini]], but they can be enabled through VuFind's auto-configuration pages.  Enabling security is highly recommended.
 ---- struct data ---- ---- struct data ----
 ---- ----
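Review bot: the replacement paragraph in the Locking Down the Admin Panel section drops the 2.x description of the [AdminAuth] section in config.ini (restricting the module by IP range and/or VuFind username) without saying what becomes of that configuration; since the new text points only to the access.AdminModule permission and the System/admin_enabled setting, a sentence stating whether an existing [AdminAuth] block is still honoured, or how it maps onto the permission_options page, would help administrators upgrading an older config.ini. Minor wording: "grant granular control to the module" reads more clearly as "grant fine-grained control over access to the module".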
  
administration/security.txt · Last modified: 2024/02/20 13:09 by demiankatz