The primary use of Unibase today is building web applications. A single server can host many applications and every application can have many customers. In turn every customer can have many users.
This is done without the need for containers or virtual servers.
This is a technical explanation of how to set up these applications in a secure way. Unibase can make sure access to your application is secure, but it is still up to the developers to make sure they comply with other security specifications.
The security of the application and customer data is guaranteed by an “airgap” between the user and the application and its data, i.e. the data can only be accessed through the Unibase gateway.
With only one path to the data Unibase puts all the security in that gateway and the developers don’t have to worry about backdoors or trojan software.
This article doesn’t discuss DNS configuration. That is a separate topic.
Apache configuration
The starting point is the web server.
Unibase uses Apache as the web server. Apache provides the secure, encrypted access.
Application configurations are normally kept in /etc/httpd/applications to separate them from other uses of Apache.
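In that directory we have one special file: app.00-macro.conf. The name of the file is not important, except that it must sort first in a directory listing: Apache loads the files matched by a wildcard include in alphabetical order, and the macro must be defined before any application file uses it.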
Here is the file:
# app.00-macro.conf - standard https requirements. This must be first file
#
# Copyright 2022 - Zenucom Pty Ltd
#
<Macro VHost $domain $application $admin>
    <VirtualHost *:80>
        ServerName $application.$domain
        Redirect permanent / https://$application.$domain/
    </VirtualHost>
    <IfModule mod_ssl.c>
        <VirtualHost *:443>
            ServerName $application.$domain
            ServerAdmin $admin
            DocumentRoot /usr/local/app/$application/htm
            DirectoryIndex index.html
            CustomLog logs/$application.$domain-access_log combined
            CustomLog logs/$application.$domain-agent_log agent
            CustomLog logs/$application.$domain-referer_log referer
            ErrorLog logs/$application.$domain-error_log
            Include /usr/local/app/httpdAlias
            Include /usr/local/app/httpdSecurity
            Alias "/$application/images" "/usr/local/app/$application/images"
            Alias "/css" "/usr/local/app/$application/css"
            Alias "/images" "/usr/local/lib/ub/images"
            Alias "/js" "/usr/local/app/$application/js"
            ScriptAlias /api/rest/ "/usr/local/app/$application/rest/"
            ScriptAlias /rest/ "/usr/local/app/$application/rest/"
            <Directory /usr/local/app/$application>
                Require all granted
            </Directory>
            <Directory /usr/local/app/$application/rest>
                Options ExecCGI
                # block HTTP methods: OPTIONS PUT DELETE TRACE CONNECT PATCH
                # AllowMethods GET POST HEAD
                SetHandler cgi-script
                AllowOverride None
                Require all granted
            </Directory>
            <Directory /usr/local/app/$application/rest/v1>
                Options ExecCGI
                # block HTTP methods: OPTIONS PUT DELETE TRACE CONNECT PATCH
                # AllowMethods GET POST HEAD
                SetHandler cgi-script
                AllowOverride None
                Require all granted
            </Directory>
            <Directory /usr/local/app/$application/rest/v2>
                Options ExecCGI
                # block HTTP methods: OPTIONS PUT DELETE TRACE CONNECT PATCH
                # AllowMethods GET POST HEAD
                SetHandler cgi-script
                AllowOverride None
                Require all granted
            </Directory>
            <Directory /usr/local/app/$application/htm/labels>
                AuthUserFile /etc/labelsDownloadPass
                AuthGroupFile /dev/null
                AuthName "Please Enter Password"
                AuthType Basic
                Require valid-user
            </Directory>
            SSLCertificateFile /etc/letsencrypt/live/$application.$domain/cert.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/$application.$domain/privkey.pem
            Include /etc/letsencrypt/options-ssl-apache.conf
            SSLCertificateChainFile /etc/letsencrypt/live/$application.$domain/chain.pem
        </VirtualHost>
    </IfModule>
</Macro>
This macro file can then be used by all the applications. A simple application conf file is all that is needed:
Use VHost unifacta.com unistore support@unifacta.com
Include this line as the last line of /etc/httpd/conf/httpd.conf:
IncludeOptional applications/*.conf
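Because the macro substitutes $application and $domain textually into the DocumentRoot, log and certificate paths, it is worth checking each Use line before reloading Apache. The following pre-flight check is an added example, not part of Unibase; the function names and the second and third sample lines are constructed for illustration.

```python
# Added example (not Unibase code): expand "Use VHost" lines the way the
# VHost macro interpolates $domain, $application and $admin into paths.
import re
import shlex

# One DNS label: letters, digits, hyphens. No dots, slashes or "..".
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def expand_use(line):
    """Return the host name and paths the macro derives from one Use line."""
    parts = shlex.split(line, comments=True)
    if len(parts) != 5 or [p.lower() for p in parts[:2]] != ["use", "vhost"]:
        raise ValueError("expected: Use VHost <domain> <application> <admin>")
    domain, application, admin = parts[2:]
    if not LABEL.match(application):
        raise ValueError(f"unsafe application name {application!r}")
    if not all(LABEL.match(label) for label in domain.split(".")):
        raise ValueError(f"unsafe domain {domain!r}")
    host = f"{application}.{domain}"
    live = f"/etc/letsencrypt/live/{host}"
    return {
        "server_name": host,
        "admin": admin,
        "document_root": f"/usr/local/app/{application}/htm",
        "cert_files": [f"{live}/{n}.pem" for n in ("cert", "privkey", "chain")],
    }

def audit(conf_text):
    """Expand every Use line; return (hosts, errors) for the whole file set."""
    hosts, errors = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if not line.strip().lower().startswith("use "):
            continue  # comments, blanks and other directives
        try:
            host = expand_use(line)["server_name"]
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if host in hosts:
            errors.append(f"line {lineno}: duplicate ServerName {host}")
        else:
            hosts.append(host)
    return hosts, errors

# Constructed input: line 1 is the page's example, lines 2-3 are made up.
SAMPLE = """Use VHost unifacta.com unistore support@unifacta.com
Use VHost example.com shop/v2 admin@example.com
Use VHost unifacta.com unistore support@unifacta.com
"""
```

The cert_files list names the files that must exist under /etc/letsencrypt/live before the *:443 virtual host can load.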
/usr/local/app
This is where all the application code lives. It is also where the table of customers and users is located, along with a couple of files included in the httpd configuration by app.00-macro.conf.
/usr/local/app/httpdAlias
Alias definitions for Unibase applications
Alias "/ckeditor" "/usr/share/ckeditor"
Alias "/images" "/usr/local/lib/ub/images"
Alias "/ub_menus" "/usr/local/lib/ub/modules/ub_menus"
Alias "/ub" "/usr/local/lib/ub"
ScriptAlias /cgi-bin/ "/usr/local/lib/ub/cgi-bin/"
<Directory /usr/local/lib/ub>
    Require all granted
</Directory>
<Directory /usr/local/lib/ub/cgi-bin>
    DirectoryIndex NoIndex.html
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
# <Directory> takes a filesystem path, so this uses the target of the
# "/ckeditor" Alias above rather than the URL path.
<Directory "/usr/share/ckeditor">
    DirectoryIndex NoIndex.html
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
<Directory "/usr/local/lib/ub/css">
    DirectoryIndex NoIndex.html
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
<Directory /usr/local/lib/images>
    DirectoryIndex NoIndex.html
    Require all granted
</Directory>
<Directory "/usr/local/lib/ub/js">
    DirectoryIndex NoIndex.html
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
<Directory /usr/local/lib/ub/modules/ub_menus>
    DirectoryIndex NoIndex.html
    Require all granted
</Directory>
/usr/local/app/httpdSecurity
Common security settings. These can be changed over time as security standards change.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header unset X-Powered-By
Header always unset X-Powered-By
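mod_headers keeps two tables: directives without a condition go to "onsuccess", and only the "always" table is applied to server-generated error responses and internal redirects, which is why X-Powered-By is unset twice above. The following lint is an added example, not part of Unibase, that reports headers handled in only one table; the function names are illustrative and the input is the httpdSecurity file as shown on this page.

```python
# Added example (not Unibase code): lint mod_headers directives for headers
# that are set or unset in only one of the two response-header tables.
import shlex

def parse_headers(conf_text):
    """Return (table, action, name) for every Header directive in the text."""
    rules = []
    for line in conf_text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) < 3 or parts[0].lower() != "header":
            continue
        args = parts[1:]
        table = "onsuccess"  # mod_headers default when no condition is given
        if args[0].lower() in ("always", "onsuccess"):
            table = args.pop(0).lower()
        if len(args) >= 2:
            rules.append((table, args[0].lower(), args[1].lower()))
    return rules

def lint(conf_text):
    """Flag headers handled in only one of the two mod_headers tables."""
    rules = parse_headers(conf_text)
    findings = []
    for action in ("set", "unset"):
        always = {n for t, a, n in rules if t == "always" and a == action}
        onsuccess = {n for t, a, n in rules if t == "onsuccess" and a == action}
        # "set" in the always table covers every response, so only the
        # onsuccess-only case is a gap for that action.
        for name in sorted(onsuccess - always):
            findings.append((name, f"{action} only for successful responses"))
        if action == "unset":
            for name in sorted(always - onsuccess):
                findings.append((name, "unset only in the 'always' table"))
    return findings

# The httpdSecurity file exactly as listed on this page.
HTTPD_SECURITY = """\
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "sameorigin"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header unset X-Powered-By
Header always unset X-Powered-By
"""
```

Run over the file above, lint() reports the three headers set without "always"; adding the condition to those lines makes them apply to error responses as well.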
/usr/local/app/dict.dat
Defines the global customer, users, and ssl keys tables.
* dict.dat - Unibase generic dictionary for user access
*
* Copyright 2014 - Zenucom Pty Ltd
*
: users
userId, 6 S
name, 30
email, 50
application, 20
directory, 100
password, 200
consumer_key, 64
consumer_secret, 64
access_token, 64
token_secret, 64
realm, 64
>
*userId
*name,application
>
>
>
: customers
customerId, 9 S
company, 30
email, 60
directory, 200
>
*customerId
*company
email
>
>
>
: keys
keyId, 6 S
url, 30
recaptchav3, 64
>
*keyId
*url
>
>
>
The most important table for operations is the users table. Th