https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230711#M183841 <HTML><HEAD></HEAD><BODY><SPAN>Another way to solve this security loophole is via an Apache HTTP server in front of the Alfresco installation (Tomcat).</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; &lt;Location "/alfresco/jbpm/deployprocess" &gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Deny from all</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; &lt;/Location&gt;</SPAN><BR /><BR /><SPAN>I always install and configure a separate Apache server which connects to Alfresco on tomcat via mod_proxy_ajp (binary protocol). Normally I even disable the HTTP connector on port 8080. And I also configure Apache to serve the static files using Aliasses on the static directories.</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/images !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/css !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/scripts !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/swf !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/yui !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco ajp://localhost:8009/alfresco</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPassReverse /alfresco ajp://localhost:8009/alfresco</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/images "/opt/alfresco/tomcat/webapps/alfresco/images"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/css "/opt/alfresco/tomcat/webapps/alfresco/css"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/scripts "/opt/alfresco/webapps/alfresco/scripts"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/swf "/opt/alfresco/webapps/alfresco/swf"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/yui "/opt/alfresco/webapps/alfresco/yui"</SPAN><BR /><BR /><SPAN>Advantages:</SPAN><BR /><SPAN>- Tomcat does not have to serve static files. Apache does that a lot better and faster</SPAN><BR /><SPAN>- Use port 80 by default</SPAN><BR /><SPAN>- Using a rewrite rule, I can add /alfresco automatically.</SPAN><BR /><SPAN>- A lot more secure to offer your end users an Apache interface and keep the Tomcat interface including the management console separate. Only open port 80 (and 443) in the firewall.</SPAN><BR /><SPAN>- Very easy to implement SSL on Apache</SPAN><BR /><SPAN>…</SPAN><BR /><BR /><SPAN>In short, just use a Web Server for what it's built and use the Application Server to serve the application, and nothing more.</SPAN><BR /><BR /><SPAN>Implementing this security fix took me only one minute and no restart of Alfresco was required. Even more, the Alfresco war is still original.</SPAN></BODY></HTML> Wed, 04 Aug 2010 12:28:23 GMT heydenb 2010-08-04T12:28:23Z https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230710#M183840 All-Thanks to Jeff Potts at Metaversant ( http://www.metaversant.com), Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, Fri, 23 Jul 2010 13:54:14 GMT https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230710#M183840 nancyg 2010-07-23T13:54:14Z https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230711#M183841 <HTML><HEAD></HEAD><BODY><SPAN>Another way to solve this security loophole is via an Apache HTTP server in front of the Alfresco installation (Tomcat).</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; &lt;Location "/alfresco/jbpm/deployprocess" &gt;</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Deny from all</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; &lt;/Location&gt;</SPAN><BR /><BR /><SPAN>I always install and configure a separate Apache server which connects to Alfresco on tomcat via mod_proxy_ajp (binary protocol). Normally I even disable the HTTP connector on port 8080. And I also configure Apache to serve the static files using Aliasses on the static directories.</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/images !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/css !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/scripts !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/swf !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco/yui !</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPass /alfresco ajp://localhost:8009/alfresco</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; ProxyPassReverse /alfresco ajp://localhost:8009/alfresco</SPAN><BR /><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/images "/opt/alfresco/tomcat/webapps/alfresco/images"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/css "/opt/alfresco/tomcat/webapps/alfresco/css"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/scripts "/opt/alfresco/webapps/alfresco/scripts"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/swf "/opt/alfresco/webapps/alfresco/swf"</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Alias /alfresco/yui "/opt/alfresco/webapps/alfresco/yui"</SPAN><BR /><BR /><SPAN>Advantages:</SPAN><BR /><SPAN>- Tomcat does not have to serve static files. Apache does that a lot better and faster</SPAN><BR /><SPAN>- Use port 80 by default</SPAN><BR /><SPAN>- Using a rewrite rule, I can add /alfresco automatically.</SPAN><BR /><SPAN>- A lot more secure to offer your end users an Apache interface and keep the Tomcat interface including the management console separate. Only open port 80 (and 443) in the firewall.</SPAN><BR /><SPAN>- Very easy to implement SSL on Apache</SPAN><BR /><SPAN>…</SPAN><BR /><BR /><SPAN>In short, just use a Web Server for what it's built and use the Application Server to serve the application, and nothing more.</SPAN><BR /><BR /><SPAN>Implementing this security fix took me only one minute and no restart of Alfresco was required. Even more, the Alfresco war is still original.</SPAN></BODY></HTML> Wed, 04 Aug 2010 12:28:23 GMT https://connect.hyland.com/t5/alfresco-archive/please-read-important-message-regarding-security/m-p/230711#M183841 heydenb 2010-08-04T12:28:23Z