...
Blok kódu | ||||
---|---|---|---|---|
| ||||
<?xml version='1.0' encoding='UTF-8'?> <server xmlns="urn:jboss:domain:4.2"> ... <profile> <subsystem xmlns="urn:jboss:domain:logging:3.0"> ... <!-- Vypnutie zbytočných info hlášok o ukončení websocket spojenia --> <logger category="org.cometd.websocket.server.WebSocketTransport$WebSocketScheduler$1"> <level name="WARN"/> </logger> ... </subsystem> ... <subsystem xmlns="urn:jboss:domain:undertow:3.1"> <server name="default-server"> <host name="default-host" alias="localhost"> <location name="/" handler="welcome-content"/> <filter-ref name="gzipFilter" predicate="not min-content-size(450)"/> <filter-ref name="Strict-Transport-Security-header"/> <filter-ref name="Vary-header"/> <filter-ref name="X-Frame-Options"/> <filter-ref name="X-Content-Type-Options"/> <filter-ref name="X-XSS-Protection"/> <filter-ref name="Referrer-Policy"/> <filter-ref name="Content-Security-Policy"/> </host> </server> ... <filters> <response-header name="Vary-header" header-name="Vary" header-value="Accept-Encoding"/> <response-header name="Strict-Transport-Security-header" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/> <!-- Nastavenia pre Cross-Origin Resource Sharing (nepoužívané/zakázané) --> <response-header name="Access-Control-Allow-Origin" header-name="Access-Control-Allow-Origin" header-value="*"/> <response-header name="Access-Control-Allow-Methods" header-name="Access-Control-Allow-Methods" header-value="GET, POST, OPTIONS, PUT"/> <response-header name="Access-Control-Allow-Headers" header-name="Access-Control-Allow-Headers" header-value="accept, authorization, content-type, x-requested-with"/> <response-header name="Access-Control-Allow-Credentials" header-name="Access-Control-Allow-Credentials" header-value="true"/> <response-header name="Access-Control-Max-Age" header-name="Access-Control-Max-Age" header-value="1"/> <!-- Zakázané vkladanie stránok do frame (starší spôsob) --> <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="DENY"/> <!-- Vynútené použitie MIME typu nastaveného v HTTP hlavičke --> <response-header name="X-Content-Type-Options" header-name="X-Content-Type-Options" header-value="nosniff"/> <!-- Zakázané zobrazenie stránky, ak bol detekovaný cross-site scripting (XSS) útok --> <response-header name="X-XSS-Protection" header-name="X-XSS-Protection" header-value="1; mode=block"/> <!-- Neodosielanie referrer informácií --> <response-header name="Referrer-Policy" header-name="Referrer-Policy" header-value="no-referrer"/> <!-- Nastavenie bezpečnostnej politiky obsahu: - zakázané vkladanie do frame (nový spôsob) - predvolene povolený zdroj obsahu z hostiteľskej domény - pre CSS štýly povolené aj zabezpečené https odkazy a inline - pre súbory písiem povolené aj google písma - pre skripty povolené inline aj evaluácia - zakázané plugin objekty (flash a pod.) - povolené pripájanie z ľubovolnej lokality --> <response-header name="Content-Security-Policy" header-name="Content-Security-Policy" header-value="frame-ancestors 'none'; default-src 'self'; style-src https: 'self' 'unsafe-inline'; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; connect-src *"/> <gzip name="gzipFilter"/> </filters> </subsystem> </profile> ... <interfaces> ... <interface name="public"> <!-- Nastavenie bind adresy na vsetky sietove interface, kvoli tomu aby bol Wildfly pristupny aj z vonku --> <inet-address value="${jboss.bind.address:0.0.0.0}"/> </interface> </interfaces> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> ... <!-- Nastavenie portov pre HTTP a HTTPS na všeobecne používané hodnoty, pozor toto nemeniť pri inštalácii na Linuxe, viď kapitola o inštalácii na Linuxe nižšie --> <socket-binding name="http" port="${jboss.http.port:80}"/> <socket-binding name="https" port="${jboss.https.port:443}"/> ... </socket-binding-group> </server> |
Kotva | ||||
---|---|---|---|---|
|
Nasledujúce zmeny v standalone.xml konfigurujú zapnutie silných šifier pre HTTPS protokol. Podmienkou je inštalácia Java Cryptography Extensions popísaná v kapitole Inštalácia JRE 1.8 a Git klienta.
...
enabled-protocols="TLSv1.2,TLSv1.1,TLSv1"
enabled-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
...
Voliteľná konfigurácia automatického presmerovania HTTP na HTTPS
V prípade že Wildfly AS je dostupný z vonku priamo cez ním otvorené porty a doménu je potrebná nasledovná konfigurácia:
...