
UNIBASE: How to Build Secure Web Applications

The primary use of Unibase today is building web applications. A single server can host many applications and every application can have many customers. In turn every customer can have many users.

This is done without the need for containers or virtual servers.

This is a technical explanation of how to set up these applications securely. Unibase can make sure that access to your application is controlled and encrypted, but it is still up to the developers to make sure their own code complies with the other security requirements that apply to it.

The security of the application and customer data rests on what Unibase calls an “airgap” between the user and the application and its data, i.e. the data can only be reached through the Unibase gateway. (This is a single enforced entry point, not a physical air gap.)

With only one path to the data, Unibase puts all the access control in that gateway, so there is no second route (a forgotten admin script, a directly exposed database port) for backdoors or trojan software to use.

This article doesn’t discuss DNS configuration. That is a separate topic.

Apache configuration

The starting point is the web server.

Unibase uses Apache as the web server. Apache terminates TLS and enforces who may reach which part of each application.

Application configurations are normally kept in /etc/httpd/applications to separate them from other uses of Apache.

In that directory there is one special file: app.00-macro.conf. The name of the file is not important except that it must sort first in a directory listing: IncludeOptional reads the matching files in alphabetical order, and the VHost macro has to be defined before any application file that uses it.

Here is the file:


# app.00-macro.conf - standard https requirements. This must be first file
#
# Copyright 2022 - Zenucom Pty Ltd
#

<Macro VHost $domain $application $admin>
    # plain http serves nothing: every request is redirected to https
    <VirtualHost *:80>
        ServerName $application.$domain
        Redirect permanent / https://$application.$domain/
        </VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName $application.$domain
        ServerAdmin $admin
        DocumentRoot /usr/local/app/$application/htm
        DirectoryIndex index.html

        CustomLog logs/$application.$domain-access_log combined
        CustomLog logs/$application.$domain-agent_log agent
        CustomLog logs/$application.$domain-referer_log referer
        ErrorLog logs/$application.$domain-error_log

        Include /usr/local/app/httpdAlias
        Include /usr/local/app/httpdSecurity

        Alias "/$application/images" "/usr/local/app/$application/images"
        Alias "/css" "/usr/local/app/$application/css"
        Alias "/images" "/usr/local/lib/ub/images"
        Alias "/js" "/usr/local/app/$application/js"

        ScriptAlias /api/rest/  "/usr/local/app/$application/rest/"
        ScriptAlias /rest/  "/usr/local/app/$application/rest/"

        <Directory /usr/local/app/$application>
            Require all granted
            </Directory>

        # Directory settings are inherited by subdirectories, so this one block
        # also covers rest/v1 and rest/v2.
        <Directory /usr/local/app/$application/rest>
            Options ExecCGI
            # Method filtering is currently disabled. Uncomment the next line
            # (needs mod_allowmethods) to reject OPTIONS PUT DELETE TRACE CONNECT PATCH.
            # AllowMethods GET POST HEAD
            SetHandler cgi-script
            AllowOverride None
            Require all granted
            </Directory>

        <Directory /usr/local/app/$application/htm/labels>
            AuthUserFile /etc/labelsDownloadPass
            AuthGroupFile /dev/null
            AuthName "Please Enter Password"
            AuthType Basic
            Require valid-user
            </Directory>

        # Apache 2.4.8 and later deprecate SSLCertificateChainFile; on those
        # versions point SSLCertificateFile at fullchain.pem and drop the chain line.
        SSLCertificateFile /etc/letsencrypt/live/$application.$domain/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/$application.$domain/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/$application.$domain/chain.pem
        </VirtualHost>
    </IfModule>
</Macro>

This macro file is then shared by all the applications. A one-line conf file per application, in the same directory, is all that is needed:

Use VHost unifacta.com unistore support@unifacta.com

Add this as the last line of /etc/httpd/conf/httpd.conf, so that the application files are read after the main configuration:

IncludeOptional applications/*.conf

/usr/local/app

This is where all the application code lives. It is also where the customer and user tables are located, along with the two files (httpdAlias and httpdSecurity) included in the httpd configuration by app.00-macro.conf.

/usr/local/app/httpdAlias

Alias definitions for Unibase applications

Alias "/ckeditor" "/usr/share/ckeditor"
Alias "/images" "/usr/local/lib/ub/images"
Alias "/ub_menus" "/usr/local/lib/ub/modules/ub_menus"
Alias "/ub" "/usr/local/lib/ub"

ScriptAlias /cgi-bin/ "/usr/local/lib/ub/cgi-bin/"

# Apache 2.4: "Require all granted" replaces the 2.2 "Order allow,deny" /
# "Allow from all" pair (mod_access_compat); mixing both forms is deprecated.
<Directory /usr/local/lib/ub>
	Require all granted
	</Directory>

<Directory /usr/local/lib/ub/cgi-bin>
	DirectoryIndex NoIndex.html
	Options ExecCGI FollowSymLinks
	SetHandler cgi-script
	AllowOverride None
	Require all granted
	</Directory>

# Directory takes a filesystem path, not a URL path: this is the target of
# the /ckeditor Alias above.
<Directory "/usr/share/ckeditor">
	DirectoryIndex NoIndex.html
	# "Indexes" produces a directory listing whenever NoIndex.html is missing;
	# use -Indexes if a listing of the files must never be shown.
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
	</Directory>

<Directory "/usr/local/lib/ub/css">
	DirectoryIndex NoIndex.html
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
	</Directory>

# target of the /images Alias
<Directory /usr/local/lib/ub/images>
	DirectoryIndex NoIndex.html
	Require all granted
	</Directory>

<Directory "/usr/local/lib/ub/js">
	DirectoryIndex NoIndex.html
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
	</Directory>

<Directory /usr/local/lib/ub/modules/ub_menus>
	DirectoryIndex NoIndex.html
	Require all granted
	</Directory>

/usr/local/app/httpdSecurity

Common security settings. These can be changed over time as security standards change.

# "always" applies the header to 4xx/5xx error responses as well as to 2xx ones
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "sameorigin"
# the browser XSS auditor this header controlled has been removed from current
# browsers and could be abused in older ones; "0" turns it off explicitly
Header always set X-XSS-Protection "0"
Header always set X-Content-Type-Options nosniff
Header always set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
# remove from both header tables
Header unset X-Powered-By
Header always unset X-Powered-By
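The directives in app.00-macro.conf, httpdAlias and httpdSecurity are easy to get subtly wrong: a header set without "always" is missing from error pages, a commented-out AllowMethods blocks nothing, "Options Indexes" lists a directory whenever its index file is absent, and SSLCertificateChainFile is deprecated. The script below is an added example, not Unibase code: it scans an Apache fragment line by line and reports those weaknesses. The WEAK and HARDENED samples inside it are constructed from the fragments on this page (demo.example.com is an assumed host name).

```python
"""Audit Apache config fragments for the checks this page relies on.

Added example, not part of Unibase or its Apache files. It scans directive
text line by line; WEAK and HARDENED below are constructed from the fragments
on this page (demo.example.com is an assumed host name)."""
import re

HSTS_MIN_AGE = 31536000  # one year
REQUIRED = ('strict-transport-security', 'x-frame-options', 'x-content-type-options')

WEAK = """\
<Directory /usr/local/app/demo/rest>
    Options ExecCGI
    # AllowMethods GET POST HEAD
    SetHandler cgi-script
    Require all granted
    </Directory>
<Directory "/usr/local/lib/ub/css">
    Options Indexes FollowSymLinks
    Require all granted
    </Directory>
SSLCertificateFile /etc/letsencrypt/live/demo.example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/demo.example.com/chain.pem
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header unset X-Powered-By
"""

HARDENED = """\
<Directory /usr/local/app/demo/rest>
    Options ExecCGI
    AllowMethods GET POST HEAD
    SetHandler cgi-script
    Require all granted
    </Directory>
<Directory "/usr/local/lib/ub/css">
    Options -Indexes FollowSymLinks
    Require all granted
    </Directory>
SSLCertificateFile /etc/letsencrypt/live/demo.example.com/fullchain.pem
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "sameorigin"
Header always set X-XSS-Protection "0"
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'"
Header always unset X-Powered-By
"""


def audit(conf):
    """Return a list of human-readable findings for one config fragment."""
    findings, headers, cur = [], {}, None
    for raw in conf.splitlines():
        s = raw.strip()
        if not s or s.startswith('#'):          # comments configure nothing
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?>', s)
        if m:
            cur = {'path': m.group(1), 'cgi': False, 'methods': False, 'index': False}
            continue
        if s.startswith('</Directory>'):
            if cur and cur['cgi'] and not cur['methods']:
                findings.append(f"{cur['path']}: CGI directory accepts every HTTP method (AllowMethods not active)")
            if cur and cur['index']:
                findings.append(f"{cur['path']}: Options Indexes allows directory listings")
            cur = None
            continue
        if cur is not None and s.startswith('Options'):
            opts = s.split()[1:]                 # exact tokens: '-Indexes' is not 'Indexes'
            cur['cgi'] |= 'ExecCGI' in opts
            cur['index'] |= 'Indexes' in opts
        if cur is not None and s.startswith('AllowMethods'):
            cur['methods'] = True
        if s.startswith('SSLCertificateChainFile'):
            findings.append('SSLCertificateChainFile is deprecated since Apache 2.4.8; use fullchain.pem in SSLCertificateFile')
        m = re.match(r'Header\s+(always\s+)?set\s+(\S+)\s*(.*)', s)
        if m:                                    # name -> (always?, value)
            headers[m.group(2).lower()] = (bool(m.group(1)), m.group(3).strip('"'))
    for name in REQUIRED:
        if name not in headers:
            findings.append(f'missing {name} header')
        elif not headers[name][0]:
            findings.append(f'{name} set without "always": omitted on 4xx/5xx responses')
    hsts = headers.get('strict-transport-security')
    if hsts:
        m = re.search(r'max-age=(\d+)', hsts[1])
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append('HSTS max-age is below one year')
    xss = headers.get('x-xss-protection')
    if xss and xss[1] != '0':
        findings.append('X-XSS-Protection turns on the removed, abusable XSS auditor; set it to "0"')
    if 'content-security-policy' not in headers:
        findings.append('no Content-Security-Policy header')
    return findings
```

Calling audit(WEAK) returns six findings (the CGI method gap, the directory listing, the deprecated chain file, the non-"always" header, the XSS auditor header and the missing Content-Security-Policy); audit(HARDENED) returns none. It is a line-oriented check, not a full Apache parser: it does not follow Include files or expand macros, so run it on the expanded text of each file rather than on the Use lines.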

/usr/local/app/dict.dat

Defines the global users, customers and keys tables. The keys table holds the reCAPTCHA v3 key for each url; the TLS keys live under /etc/letsencrypt, not here.


* dict.dat - Unibase generic dictionary for user access
*
* Copyright 2014 - Zenucom Pty Ltd
*

: users

userId,                 6       S

name,                   30
email,                  50
application,            20
directory,              100
password,               200
consumer_key,           64
consumer_secret,        64
access_token,           64
token_secret,           64
realm,                  64
>
*userId
*name,application
>
>
>

: customers

customerId,     9       S

company,        30
email,          60
directory,      200
>
*customerId
*company
email
>
>
>

: keys
keyId,          6       S

url,            30
recaptchav3,    64
>
*keyId
*url
>
>
>
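The users table gives the password column 200 characters. The page does not say how Unibase fills that column; the example below is added here and is not Unibase code. It reads the field widths out of a dict.dat definition, stores a salted PBKDF2-HMAC-SHA256 hash that fits in the declared width, and verifies a login attempt with a constant-time comparison. The dict.dat grammar it uses (": table", "name, width [flag]", first ">" ends the field list) is inferred from the file above, and SAMPLE_DICT is a constructed, trimmed copy of it.

```python
"""Read a Unibase dict.dat table definition and store a password hash that fits
the declared column width.

Added example, not Unibase code. The dict.dat grammar is inferred from the file
on this page; the page does not say how Unibase stores passwords, so
PBKDF2-HMAC-SHA256 is an assumed scheme."""
import base64
import hashlib
import hmac
import os
import re

# constructed sample: the users and customers tables from dict.dat, trimmed
SAMPLE_DICT = """\
: users
userId,                 6       S
name,                   30
email,                  50
password,               200
>
*userId
>
: customers
customerId,     9       S
company,        30
>
"""

FIELD = re.compile(r'^(\w+),\s+(\d+)(?:\s+(\w+))?\s*$')   # name, width [flag]


def parse_dict(text):
    """Return {table: {field: width}} from dict.dat text."""
    tables, table, in_fields = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(':'):                 # ': users' opens a table
            table = line[1:].strip()
            tables[table] = {}
            in_fields = True
        elif line == '>':
            in_fields = False                    # first '>' closes the field list
        elif in_fields and table is not None:
            m = FIELD.match(line)
            if m:
                tables[table][m.group(1)] = int(m.group(2))
    return tables


def hash_password(password, salt=None, iterations=600_000):
    """Encode as pbkdf2_sha256$iterations$salt$hash: ASCII only, fixed length."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
    return 'pbkdf2_sha256$%d$%s$%s' % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split('$')
    except ValueError:
        return False                             # malformed stored value
    if scheme != 'pbkdf2_sha256':
        return False
    dk = hashlib.pbkdf2_hmac('sha256', password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(base64.b64encode(dk).decode(), hash_b64)


def fits_column(stored, tables, table='users', field='password'):
    """True if the encoded hash fits the width declared in dict.dat."""
    return len(stored) <= tables[table][field]
```

With a 16-byte salt and a 32-byte digest the encoded string is under 100 characters, so it fits the 200-character column with room for a longer iteration count later. Never store the password itself in the column: a hash with a per-user salt is what verify_password expects.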

The most important table for operations is the users table. Th
