Server-wide security.txt

Discussion in 'Tips/Tricks/Mods' started by remkoh, Feb 7, 2023.

  1. remkoh

    remkoh Active Member HowtoForge Supporter

    More and more websites contain a security.txt file.
    Basically it's intended to supply contact info so researchers know to whom they can report security vulnerabilities found in your (hosted) website(s).

    You can find more information about security.txt here:
    https://www.digitaltrustcenter.nl/securitytxt (Dutch)
    https://securitytxt.org/
    https://www.rfc-editor.org/rfc/rfc9116

    I've created a PHP-based way to dynamically create the file and implement it into all your hosted websites.
    It uses a config file so you can easily set the desired contact info.
    Your customers will still be able to overrule the file with one of their own in their documentroot.
    It can be installed into both Apache and Nginx.

    Here you find my files and how to install them onto your webserver:
    https://github.com/remkohat/dynamic-security.txt

    The last part of the installation "Server-wide", both Apache and Nginx, will now be explained for ISPConfig:

    Apache:

    Copy vhost.conf.master to create your own custom vhost template for your websites.
    Code:
    cp /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom/
    
    !Skip this step if you already have your own custom vhost template!

    Find these lines in /usr/local/ispconfig/server/conf-custom/vhost.conf.master:
    Code:
    <tmpl_if name="rewrite_enabled">
                    RewriteEngine on
    
    Insert this next line:
    Code:
                    RewriteOptions Inherit
    
    Nginx:

    Copy nginx_vhost.conf.master to create your own custom vhost template for your websites.
    Code:
    cp /usr/local/ispconfig/server/conf/nginx_vhost.conf.master /usr/local/ispconfig/server/conf-custom/
    
    !Skip this step if you already have your own custom vhost template!

    Find these lines in /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master:
    Code:
            root   <tmpl_var name='web_document_root_www'>;
                    disable_symlinks if_not_owner from=$document_root;
    
    Insert this next line:
    Code:
            include /etc/nginx/snippets/securitytxt.conf;
    
    ISPConfig:

    To also implement security.txt into already existing websites you need to resync them.

    Go to:
    Tools >> Sync Tools >> Resync

    Check Websites, select your webserver and click Start.

    Test your website:

    You can test your website at https://en.internet.nl/ to see if the installation was successful.
    If on the result page Security.txt is checked green under Security options >> Other security options then all has gone well.
     
    Last edited: Feb 7, 2023
    30uke, till, ahrasis and 2 others like this.
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    I've made some minor changes in a few files and the readme.

    A side note about testing your website:
    If you don't sign security.txt (with an OpenPGP key) the test results will give you a blue "i" instead of a green check, meaning the file is found and there are one or more recommendations.
     
    ahrasis likes this.
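    The thread checks results with an external scanner; as an added offline check of the same RFC 9116 points (required Contact and Expires, https-only URIs, an Expires date in the future, and a cleartext-signed file as in the signing note above), here is a small Python checker written for this thread, not code from the dynamic-security.txt project. The example.invalid addresses and the SAMPLE file are constructed.

```python
"""RFC 9116 security.txt checker; added example, not the project's code; sample is constructed."""
import re
from datetime import datetime, timedelta, timezone

ONLY_ONCE = ("expires", "preferred-languages")      # RFC 9116: at most one occurrence
URI_FIELDS = ("contact", "canonical", "encryption", "acknowledgments", "policy", "hiring")

def parse_security_txt(text):
    """Return {lowercased field: [values]}, skipping comments and blank lines. A cleartext-
    signed file is cut to the lines between the PGP header block and the signature block."""
    lines = [l.rstrip() for l in text.splitlines()]
    if lines and lines[0] == "-----BEGIN PGP SIGNED MESSAGE-----":
        lines = lines[lines.index("") + 1:]                  # skip "Hash: ..." armor headers
        lines = lines[:lines.index("-----BEGIN PGP SIGNATURE-----")]
    fields = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(fields, now=None):
    """Return a list of problems (empty means all checks pass); now may be an ISO string."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now or datetime.now(timezone.utc)
    problems = [f"missing required {f} field" for f in ("contact", "expires") if f not in fields]
    problems += [f"{f} may appear only once" for f in ONLY_ONCE if len(fields.get(f, [])) > 1]
    for name in URI_FIELDS:
        for v in fields.get(name, []):
            if v.lower().startswith("http://"):              # RFC 9116 requires https URIs
                problems.append(f"{name} uses http instead of https: {v}")
            elif name == "contact" and not re.match(r"(https://|mailto:|tel:)", v, re.I):
                problems.append(f"contact is not a mailto:/tel:/https: URI: {v}")
    for v in fields.get("expires", [])[:1]:
        try:
            exp = datetime.fromisoformat(v.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an ISO 8601 date-time: {v}")
            continue
        if exp.tzinfo is None:
            problems.append("expires has no timezone offset")
        elif exp <= now:
            problems.append("expires is in the past")
        elif exp - now > timedelta(days=366):
            problems.append("expires is more than a year away")  # RFC 9116 recommends < 1 year
    return problems

SAMPLE = """# constructed sample, not a real site's file
Contact: mailto:security@example.invalid
Expires: 2030-01-01T00:00:00Z
"""
```

Run it against the body fetched from /.well-known/security.txt; an empty list from validate() corresponds to the green check the thread describes, and each string explains one reason for a blue "i" or a failure.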
  3. remkoh

    remkoh Active Member HowtoForge Supporter

    At least under Apache it is possible to combine the server-wide deployment with a site-specific deployment using the same files.
    Obviously in another folder though.

    Copy the securitytxt folder to /var/www/<websitedomain>/private/ for example.
    Change the settings in /var/www/<websitedomain>/private/securitytxt/conf/config.php to your liking.

    Add this in your website settings under Options tab and Apache directives:
    Code:
    Alias /.well-known/security.php /var/www/<websitedomain>/private/securitytxt/securitytxt.php
    
    <Directory /var/www/<websitedomain>/private/securitytxt>
        Options SymLinksIfOwnerMatch
        Require all granted
    </Directory>
    
    # Disallow web access to directories that don't need it
    <Directory /var/www/<websitedomain>/private/securitytxt/conf>
        Require all denied
    </Directory>
    
    <Directory /var/www/<websitedomain>/private/securitytxt/sign>
        Require all denied
    </Directory>
    
    <Directory /var/www/<websitedomain>/private/securitytxt/snippet>
        Require all denied
    </Directory>
    
    Rewrite rules can be left out as they are already inherited from the server-wide deployment.

    If you want to sign with an OpenPGP key:

    Create a .gnupg folder and change ownership. For example:
    Code:
    mkdir /var/www/<websitedomain>/private/.gnupg
    chown www-data:www-data /var/www/<websitedomain>/private/.gnupg
    
    And add this line in /var/www/<websitedomain>/private/securitytxt/sign/sign.php as the first line within the if statement:
    Code:
        putenv('GNUPGHOME=/var/www/<websitedomain>/private/.gnupg');
    

    The same steps can be followed when there's no server-wide deployment active and you want to use the script standalone.
    You do then have to add the rewrite rules you can find in /var/www/<websitedomain>/private/securitytxt/conf/apache.conf in your website settings under Options tab and Apache directives.

    I'll check Nginx at a later date.
     
    Last edited: Feb 26, 2023
    ahrasis likes this.
  4. Johan Seutens

    Johan Seutens New Member

    This file can't be under the root, it needs to be under the .well-known directory (these are new rules).
     
    ahrasis likes this.
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    Root is still accepted as legacy according to https://www.rfc-editor.org/rfc/rfc9116#name-location-of-the-securitytxt
    And as my Apache and Nginx configs on GitHub redirect both /security.txt and /.well-known/security.txt to the same PHP script, so their content is exactly the same, there wasn't any breach of the RFC.

    Nevertheless, because root is considered legacy I deleted it from the configs.
     
    Th0m and ahrasis like this.
  6. remkoh

    remkoh Active Member HowtoForge Supporter

    Published a new release, v1.2.0, with a small fix in apache.conf
     
    ahrasis and till like this.
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    Another update, v2.0.0 (final version, at least for the near future)

    Rewrite /.well-known/security.txt to HTTPS if HTTP is used, as HTTPS is required by RFC 9116
    Bugfix in apache.conf

    Tested up to PHP8.3
     
    ahrasis likes this.
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    @remkoh Hi remkoh,
    have you tested this on sites using Apache with chrooted PHP?

    I've got it working on Ubuntu 24.04 with Nginx, and it works fine with both non-chrooted and chrooted PHP.
    With Apache, I've got it working fine when the site is not using a chrooted PHP, but when I enable 'chroot php-fpm' the only response I get from the server is 'File not found'.

    And from the site's error log:
    Code:
    [Mon Nov 25 11:00:54.974048 2024] [proxy_fcgi:error] [pid 531403:tid 279558135804192] [remote 86.129.39.99:54862] AH01071: Got error 'Primary script unknown'
    
     
  9. remkoh

    remkoh Active Member HowtoForge Supporter

    No I haven't tested chrooted php at all.

    The call to the script in Apache is completely different from Nginx.
    So I can't say I'm completely surprised.
     
