From 8a9b4fe36f1bd9b358b20333956af5602eb48a6c Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 17 Jun 2014 09:13:38 -0400
Subject: Strenghten default Security options in IDP

Always deny access to the IDP if not using SSL by default. Always turn on secure/httponly cookies by default. Add a switch to disable all security options for testing.

Signed-off-by: Simo Sorce
---
 templates/install/idp.conf | 1 +
 templates/install/ipsilon.conf | 2 ++
 2 files changed, 3 insertions(+)
(limited to 'templates')
diff --git a/templates/install/idp.conf b/templates/install/idp.conf
index c49992b..19af096 100644
--- a/templates/install/idp.conf
+++ b/templates/install/idp.conf
@@ -5,6 +5,7 @@ ${wsgi_socket} WSGIProcessGroup ${instance}
+${sslrequiressl}
diff --git a/templates/install/ipsilon.conf b/templates/install/ipsilon.conf
index 357a3a7..8ab17d1 100644
--- a/templates/install/ipsilon.conf
+++ b/templates/install/ipsilon.conf
@@ -11,4 +11,6 @@ tools.sessions.on = True
 tools.sessions.storage_type = "file"
 tools.sessions.storage_path = "${datadir}/sessions"
 tools.sessions.timeout = 60
+tools.sessions.httponly = ${secure}
+tools.sessions.secure = ${secure}
 tools.protect.on = True
-- cgit
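Review bot: The added `${sslrequiressl}` placeholder carries no hint in the template of what it expands to or that it may expand to nothing, and the installer code that fills it is outside this diff (limited to 'templates'). A comment on the line above it, such as `# Expands to the SSL-enforcement directive; empty only when installed with security disabled for testing`, would let an administrator reading the generated file tell which mode was used. If the value is Apache's `SSLRequireSSL`, consider pairing it with `SSLOptions +StrictRequire`, because a `Satisfy any` in effect for the same location can otherwise let a non-SSL request through. The hunk's context lines appear truncated on this page, so the placement inside the enclosing block could not be checked.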
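Review bot: `tools.sessions.httponly` is tied to the same `${secure}` switch as `tools.sessions.secure`, so turning security off for testing also drops HttpOnly and leaves the session cookie readable by page scripts, even though HttpOnly does not depend on TLS. Setting `tools.sessions.httponly = True` unconditionally and keeping only `tools.sessions.secure = ${secure}` switchable would still let the test mode work over plain HTTP. CherryPy reads these values as Python literals, so the installer presumably has to substitute exactly `True` or `False`; that code is not part of this diff and should be confirmed.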