server: sessionTimeout: 5400
Typical Setups use a separate reverse proxy as SSL Endpoint instead of the integrated SSL functionality. See Deployment overview.
Generate a key:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name jetty -caname root
Make sure the keyAlias matches exactly - it is case sensitive.
To check the keystore, you may run
keytool(.exe) -list -v -keystore path\to\conf\keystore.p12
server: port: 8443 ssl: keyStore: /certificates/keystore.p12 keyStorePassword: secret keyAlias: jetty
Restricting Host Headers
It is possible to configure exactly which host headers the HTTP requests are allowed to have. If we don't configure this, the servers accepts all hosts.
The server checks the values of 'X-Forwarded-Host' and 'Host' header, where the header 'X-Forwarded-Host' takes priority. If no configured headers match the HTTP header value the servers responds with HTTP status 400. This also happens if the HTTP headers are missing.
To configure simply add the property 'hostHeaderAllowlist' to the config.yml, followed by a comma separated list of accepted domains.
hostHeaderAllowlist: mydomain1.com:8080, mydomain3.net
The domains must be configured to the value that is sent to the server, which may differ from the URL in the browser.
By default, the server is configured so that CSRF attacks are prevented by requiring a unique token to be send for form requests. The REST API requires the content type to be application/json. If needed, both security mechanism can be disabled via the config.yml using the following configuration.
disableCheckCSRF: contentTypeCheck: true tokenCheck: true
Unblocking Users and Password Reset
In case you need to reset a password for a user on startup, add the following to config.yml. The new_password must comply with the configured password rules. The respective user will also be unblocked and enabled.
unblock: password: new_password username: existing_user
Cross-Origin Resource Sharing (CORS) Allowlist
This adds a allowlist for the 'Origin' HTTP header in requests where the HTTP request's 'URL' and 'Origin' do not match.
This protects against CSWSH ( https://christian-schneider.net/CrossSiteWebSocketHijacking.html) attack and it should be set.
grails: cors: allowedOrigins: - http://www.allowedorigin1.com - http://www.allowedorigin2.com