Martini Runtime Server Configuration Security
Configuring encryption seed
Before you configure anything in your .properties file, change the encryption seed in the application.properties file. This value is the seed used to encrypt the passwords stored in the dbxml file and in triggers, so an instance left on the shipped default seed offers no real protection for those passwords. Treat the seed as a secret: restrict read access to application.properties and keep it out of version control.
Password encryption
Passwords are only encrypted after a restart of your Martini Runtime instance, so restart the instance after changing the seed or adding passwords.
Running Martini with NGINX and TLS
You can put your Martini instances behind NGINX to serve them over a secure connection. This guide sets up an instance behind NGINX acting as a reverse proxy for Martini.
In this setup NGINX terminates every TLS connection from users: it decrypts incoming requests and forwards them to the Martini server as plain HTTP, and once Martini has processed a request the response travels back to NGINX, which encrypts it before sending it to the client's browser. Martini takes no part in encryption or decryption; it handles only the business logic of the requests and responses. This separation of concerns lets each server specialise in its own task. Because the hop between NGINX and Martini is unencrypted, keep it on a private network (here 10.0.0.x) and do not expose Martini's HTTP port directly to the Internet, or clients could bypass the proxy altogether.
Procedure
Note: addresses used in this procedure
* NGINX Server: 10.0.0.2
* Martini Instance: 10.0.0.3
* Domain assigned to the instance: martini.example.com
- On your NGINX server, go to the /etc/nginx/conf.d/certs/ directory and create two directories called ssl_crt and ssl_key. Copy your SSL certificate into ssl_crt and your private key into ssl_key, and make the key directory and key file readable by root only.
- Create the sites-available and sites-enabled directories inside the /etc/nginx/conf.d directory. NGINX configuration files are stored in sites-available; later, a symbolic link in sites-enabled will point to each file NGINX should load.
- Edit /etc/nginx/nginx.conf and, inside its http block, include all .conf files in /etc/nginx/conf.d/sites-enabled. NGINX will then load every *.conf file in the sites-enabled folder when its process starts or restarts.
- Create the configuration file for martini.example.com. In this case the file is named martini.example.com.conf and resides in /etc/nginx/conf.d/sites-available. The file defines the virtual host for the domain: it references the certificate and key copied above and proxies requests to the Martini instance at 10.0.0.3.
- Create a symbolic link (symlink) from the file in sites-available to the sites-enabled directory, then test the configuration (nginx -t) and reload NGINX.
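The whole procedure above as one script, added here as an example; it is not part of the Martini documentation or product. It assumes the addresses and domain from the note above, that Martini listens on plain HTTP port 8080, that the certificate and key are installed as <domain>.crt and <domain>.key, and that NGINX_ROOT is /etc/nginx unless overridden (the override is what makes the script testable against a scratch directory).

```shell
#!/bin/sh
# Added example (not Martini's own code): performs the five steps of the procedure.
# Assumptions: NGINX_ROOT=/etc/nginx, DOMAIN and the Martini address from the note,
# Martini on HTTP port 8080, certificate/key stored as <domain>.crt / <domain>.key.
set -eu

NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"
DOMAIN="${DOMAIN:-martini.example.com}"
UPSTREAM="${UPSTREAM:-http://10.0.0.3:8080}"   # Martini instance; the port is an assumption
CERT_SRC="${CERT_SRC:-}"                       # PEM certificate (with chain) to install
KEY_SRC="${KEY_SRC:-}"                         # PEM private key to install

# Steps 1 and 2: certificate/key directories and the sites-available/sites-enabled layout.
setup_dirs() {
  mkdir -p "$NGINX_ROOT/conf.d/certs/ssl_crt" "$NGINX_ROOT/conf.d/certs/ssl_key" \
           "$NGINX_ROOT/conf.d/sites-available" "$NGINX_ROOT/conf.d/sites-enabled"
  chmod 700 "$NGINX_ROOT/conf.d/certs/ssl_key"   # key directory: root only
}

# Copy certificate and key into place; the key file is readable by root only.
install_certs() {
  [ -n "$CERT_SRC" ] && [ -n "$KEY_SRC" ] || { echo "CERT_SRC/KEY_SRC not set, skipping cert install" >&2; return 0; }
  cp "$CERT_SRC" "$NGINX_ROOT/conf.d/certs/ssl_crt/$DOMAIN.crt"
  cp "$KEY_SRC"  "$NGINX_ROOT/conf.d/certs/ssl_key/$DOMAIN.key"
  chmod 644 "$NGINX_ROOT/conf.d/certs/ssl_crt/$DOMAIN.crt"
  chmod 600 "$NGINX_ROOT/conf.d/certs/ssl_key/$DOMAIN.key"
}

# Step 3: add the include line inside the http block of nginx.conf (idempotent).
ensure_include() {
  local conf inc
  conf="$NGINX_ROOT/nginx.conf"
  inc="include $NGINX_ROOT/conf.d/sites-enabled/*.conf;"
  grep -qF "$inc" "$conf" && return 0
  awk -v inc="    $inc" '
    { print }
    /^[[:space:]]*http[[:space:]]*\{/ && !done { print inc; done = 1 }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Step 4: the virtual host. Port 80 only redirects to HTTPS; port 443 terminates TLS
# and proxies to Martini, forwarding the client address and the original scheme.
write_vhost() {
  cat > "$NGINX_ROOT/conf.d/sites-available/$DOMAIN.conf" <<EOF
server {
    listen 80;
    server_name $DOMAIN;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $DOMAIN;

    ssl_certificate     $NGINX_ROOT/conf.d/certs/ssl_crt/$DOMAIN.crt;
    ssl_certificate_key $NGINX_ROOT/conf.d/certs/ssl_key/$DOMAIN.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:martini:10m;

    location / {
        proxy_pass         $UPSTREAM;
        proxy_http_version 1.1;
        proxy_set_header   Host              \$host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Step 5: enable the site through a symlink (ln -sfn replaces a stale link safely).
enable_site() {
  ln -sfn "$NGINX_ROOT/conf.d/sites-available/$DOMAIN.conf" \
          "$NGINX_ROOT/conf.d/sites-enabled/$DOMAIN.conf"
}

# Path of the enabled config, for checks.
enabled_conf() { printf '%s\n' "$NGINX_ROOT/conf.d/sites-enabled/$DOMAIN.conf"; }

setup_all() { setup_dirs; install_certs; ensure_include; write_vhost; enable_site; }

# Validate the configuration and reload; only meaningful on the real NGINX host.
reload_nginx() { nginx -t && nginx -s reload; }

# Nothing runs on load. Apply with: sudo APPLY=1 CERT_SRC=... KEY_SRC=... sh setup-martini-nginx.sh
if [ "${APPLY:-0}" = 1 ]; then setup_all; reload_nginx; fi
```

Running it with NGINX_ROOT pointed at a scratch directory lets you inspect the generated virtual host and the edited nginx.conf before touching the real host; nginx -t is deliberately left to the explicit APPLY=1 path because it validates the live /etc/nginx tree.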
APR Implementation
With the APR connector you only need to configure the paths of your SSL certificate and SSL key, which Martini reads directly as PEM files. APR requires the Tomcat Native library (libtcnative) and APR to be installed on the host; without them the connector will not start.
Required properties for HTTPS with APR:
- server.https.port: The HTTPS port number; you can choose any number between 80 and 65535. On Linux, ports below 1024 require the Martini process to run as root or to hold the CAP_NET_BIND_SERVICE capability.
- server.tomcat.https.protocol: Set to org.apache.coyote.http11.Http11AprProtocol to make Martini use the APR library.
- server.tomcat.https.SSLCertificateFile: Set to the path of the SSL certificate.
- server.tomcat.https.SSLCertificateKeyFile: Set to the path of the SSL key.
With these four properties set, the HTTPS section of your .properties file is complete.
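A complete HTTPS-with-APR fragment, added here as an example rather than taken from the original page. The port and the certificate paths are assumptions; the paths deliberately sit outside <martini-home>, as the next section recommends.

```properties
# HTTPS connector using the APR library (example values; port and paths are assumptions)
server.https.port=8443
server.tomcat.https.protocol=org.apache.coyote.http11.Http11AprProtocol
# PEM files stored outside <martini-home> so an upgrade cannot remove them
server.tomcat.https.SSLCertificateFile=/etc/pki/martini/martini.example.com.crt
server.tomcat.https.SSLCertificateKeyFile=/etc/pki/martini/martini.example.com.key
```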
SSL certificate storage
Store your SSL certificates and keys in a location outside <martini-home>, so they are not deleted accidentally when you upgrade Martini to the latest version. Restrict the key file to the user Martini runs as.
HTTP Strict Transport Security (HSTS)
HSTS is another way to secure your Martini instances against attacks. Enabling HSTS adds a header named Strict-Transport-Security to the responses from your server. A browser that receives this header over a valid HTTPS connection remembers, for max-age seconds, that the site must only be reached over HTTPS, and upgrades any later plain-HTTP request to the site to HTTPS before sending it. This defends against man-in-the-middle attacks that downgrade a client to HTTP (SSL stripping) by ensuring that data transmitted between the client and the server stays encrypted. Browsers ignore the header when it arrives over plain HTTP, so HSTS complements a working HTTPS setup rather than replacing it.
Required properties for HSTS:
- hsts.enabled: Set to true to let Martini add the Strict-Transport-Security header.
- hsts.include-subdomains: Set to true if all present and future sub-domains will be using HTTPS. Any sub-domain still served over plain HTTP becomes unreachable in browsers that have seen the header.
- hsts.preload: Set to true if the site owner would like their domain included in the HSTS preload list maintained by Chrome (and used by Firefox and Safari). The list only accepts domains that already serve the header with a max-age of at least one year (31536000 seconds), includeSubDomains and preload, and removal can take months, so enable this only once every host under the domain serves HTTPS.
- hsts.max-age: The time, in seconds, for which a browser will access the site only over HTTPS after receiving the header; each response carrying the header restarts the timer.
With these properties set, the HSTS section of your .properties file is complete.
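An HSTS fragment, added here as an example and not taken from the original page. The values are assumptions: a one-year max-age with sub-domains included, and preload left off until the domain is ready for the preload list.

```properties
# HSTS header configuration (example values; all four values are assumptions)
hsts.enabled=true
hsts.include-subdomains=true
# Switch on only when every sub-domain serves HTTPS and you are ready to submit to hstspreload.org
hsts.preload=false
# One year, in seconds; the minimum the preload list accepts
hsts.max-age=31536000
```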
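Once HSTS is enabled, verify that the header actually reaches clients (through the NGINX proxy, if you use one) and that its directives meet the preload-list requirements. The checker below is an added example, not Martini or NGINX code; the response it parses is a constructed sample, and the preload thresholds are those published by hstspreload.org. Point it at a live server by replacing the sample with the output of curl -sI https://martini.example.com.

```shell
#!/bin/sh
# Added example: validate a Strict-Transport-Security header before relying on it or
# submitting the domain for preload. Not part of Martini; SAMPLE_RESPONSE is constructed.
set -eu

PRELOAD_MIN_AGE=31536000   # one year, the minimum hstspreload.org accepts

# Constructed sample of what "curl -sI https://martini.example.com" might return.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Type: application/json'

# Print the value of the first Strict-Transport-Security header in a raw response.
hsts_from_response() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//'
}

# Normalise a header value to one lower-case directive per line, whitespace removed.
hsts_directives() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t' | tr ';' '\n'
}

# Print the max-age number, or nothing if the directive is absent.
hsts_max_age() {
  hsts_directives "$1" | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Succeed if the named directive (case-insensitive) is present.
hsts_has_directive() {
  hsts_directives "$1" | grep -qxF "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# Return 0 if the header value satisfies the preload requirements, 1 otherwise,
# printing one line per problem found.
check_hsts_preload() {
  local value age ok
  value=$1; ok=0
  age=$(hsts_max_age "$value")
  if [ -z "$age" ]; then
    echo "missing max-age"; ok=1
  elif [ "$age" -lt "$PRELOAD_MIN_AGE" ]; then
    echo "max-age $age is below $PRELOAD_MIN_AGE"; ok=1
  fi
  hsts_has_directive "$value" includeSubDomains || { echo "missing includeSubDomains"; ok=1; }
  hsts_has_directive "$value" preload || { echo "missing preload"; ok=1; }
  return $ok
}

# Usage on the constructed sample: prints "OK" for the header above.
if check_hsts_preload "$(hsts_from_response "$SAMPLE_RESPONSE")"; then echo "OK"; fi
```

A header that passes this check but is served only by some hosts under the domain still breaks those that do not serve HTTPS once includeSubDomains is in effect, which is why the check is per response and the rollout decision is per domain.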