src/main/xar-resources/data/production_good_practice.xml (58 additions & 18 deletions)
@@ -4,7 +4,7 @@
4
4
<productname>eXist-db – Open Source Native XML Database</productname>
5
5
<title>Production Good Practice</title>
6
6
<orgname>The eXist-db Project</orgname>
7
-
<date>September 2009</date>
7
+
<date>2017-12-20</date>
8
8
<author>
9
9
<firstname>Adam</firstname>
10
10
<surname>Retter</surname>
@@ -22,13 +22,13 @@
22
22
<section>
23
23
<title>The Server</title>
24
24
<para>Ensure that your server is up-to-date and patched with any necessary security fixes.</para>
25
-
<para>eXist-db is written in Java - so for performance and security reasons, please ensure that you have the latest and greatest Java JDK release installed. At present this is the 1.6 <!--1.7--> branch, details of the latest version can always be found here - <ulinkurl="http://java.sun.com">http://java.sun.com</ulink>
25
+
<para>eXist-db is written in Java - so for performance and security reasons, please ensure that you have the latest and greatest Java JDK release that is compatible with your version of eXist. The latest version can always be found here at: <ulinkurl="http://java.sun.com">http://java.sun.com</ulink> and the recommended major version for a given eXist release can be found at: <ulinkurl="https://bintray.com/existdb/releases/exist#read">https://bintray.com/existdb/releases/exist#read</ulink>
26
26
</para>
27
27
</section>
28
28
<section>
29
29
<title>Install from Source or Release?</title>
30
30
<para>Most users will install an officially released version of eXist-db on their production systems, usually this is perfectly fine. However there can be advantages to installing eXist-db from source code on a production system.</para>
31
-
<para>eXist-db may be installed from source code to a production system in one of two ways -</para>
31
+
<para>eXist-db may be installed from source code to a production system in one of two ways:</para>
32
32
<variablelist>
33
33
<varlistentry>
34
34
<term>via Local Build Machine (preferred)</term>
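Review bot: the added paragraph at line 25 still points readers to http://java.sun.com over plain HTTP, in a sentence whose stated purpose is keeping the JDK current for security reasons; link to an HTTPS location instead. The wording "can always be found here at:" can be tightened to "can be found at:", and the sentence mixes "eXist-db" and "eXist" for the same product, so pick one.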
@@ -43,7 +43,7 @@
43
43
</listitem>
44
44
</varlistentry>
45
45
</variablelist>
46
-
<para>If you install eXist-db from source code, some advantages might be -</para>
46
+
<para>If you install eXist-db from source code, some advantages might be:</para>
47
47
<variablelist>
48
48
<varlistentry>
49
49
<term>patches</term>
@@ -68,7 +68,7 @@
68
68
</para>
69
69
<section>
70
70
<title>Upgrading</title>
71
-
<para>If you are upgrading the version of eXist-db that you use in your production system, please always follow these two points -</para>
71
+
<para>If you are upgrading the version of eXist-db that you use in your production system, please always follow these two points:</para>
72
72
<orderedlist>
73
73
<listitem>
74
74
<para>
@@ -83,7 +83,7 @@
83
83
</section>
84
84
<section>
85
85
<title>Configuring eXist</title>
86
-
<para>There are four main things to consider here -</para>
86
+
<para>There are four main things to consider here:</para>
87
87
<orderedlist>
88
88
<listitem>
89
89
<para>
@@ -106,15 +106,15 @@
106
106
<title>Permissions</title>
107
107
<section>
108
108
<title>eXist-db Permissions</title>
109
-
<para>At present eXist-db ships with fairly relaxed permissions to facilitate rapid application development, but for production systems these should be constrained -</para>
109
+
<para>At present eXist-db ships with fairly relaxed permissions to facilitate rapid application development, but for production systems these should be constrained:</para>
110
110
<variablelist>
111
111
<varlistentry>
112
112
<term>admin account</term>
113
113
<listitem><para>The password of the admin account is blank by default! Ensure that you set a decent password.</para></listitem>
114
114
</varlistentry>
115
115
<varlistentry>
116
116
<term>default-permissions</term>
117
-
<listitem><para>The default permissions for creating resources and collections in eXist-db are set in conf.xml. The current settings are fairly sane, but you may like to improve on them for your own application security.</para></listitem>
117
+
<listitem><para>The default permissions for creating resources and collections in eXist-db are set in <filename>conf.xml</filename>. The current settings are fairly sane, but you may like to improve on them for your own application security.</para></listitem>
118
118
</varlistentry>
119
119
<varlistentry>
120
120
<term>/db permissions</term>
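Review bot: the default-permissions item at line 117 now marks up conf.xml as a filename but still does not say which element in that file holds the defaults, and "fairly sane" gives the reader nothing to verify against. Name the element and state what the shipped defaults are, so a production administrator can compare them with what the application actually needs.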
@@ -128,22 +128,62 @@
128
128
<section>
129
129
<title>Operating System Permissions</title>
130
130
<para>eXist-db should be deployed and configured to run whilst following the security best practices of the operating system on which it is deployed.</para>
131
-
<para>Typically we would recommend creating an "exist" user account and "exist" user group with no login privileges (i.e. no shell and empty password), changing the permissions of the eXist-db installation to be owned by that user and group, and then running eXist-db using those credentials. An example of this on OpenSolaris might be -</para>
131
+
<para>Typically we would recommend creating an "exist" user account and "exist" user group with no login privileges (i.e. no shell and empty password), changing the permissions of the eXist-db installation to be owned by that user and group, and then running eXist-db using those credentials. An example of this on OpenSolaris might be:</para>
<para>For any live application it is recognised best practice to keep the attack surface of the application as small as possible. There are two aspects to this -</para>
141
+
<para>For any live application it is recognised best practice to keep the attack surface of the application as small as possible. There are three aspects to this:</para>
142
142
<orderedlist>
143
-
<listitem><para>Reducing the application itself to the absolute essentials.</para></listitem>
144
-
<listitem><para>Limiting access routes to the application.</para></listitem>
143
+
<listitem>
144
+
<para>Limiting means of arbitrary code execution.</para>
145
+
</listitem>
146
+
<listitem>
147
+
<para>Reducing the application itself to the absolute essentials.</para>
148
+
</listitem>
149
+
<listitem>
150
+
<para>Limiting access routes to the application.</para>
151
+
</listitem>
145
152
</orderedlist>
146
-
<para>eXist-db is no exception and should be configured for your production systems so that it provides only what you need and no more. For example, the majority of applications will be unlikely to require the WebDAV or SOAP Admin features for operation in a live environment, and as such these and other services can be disabled easily. Things to consider for a live environment -</para>
153
+
<para>eXist-db is no exception and should be configured for your production systems so that it provides only what you need and no more. For example, the majority of applications will be unlikely to require the WebDAV or SOAP Admin features for operation in a live environment, and as such these and other services can be disabled easily.</para>
154
+
<para>Means for anonymous users to execute arbitrary code require special attention. There are two means of code execution in eXist, which make sense during development, but should be reconsidered for production systems.</para>
155
+
<variablelist>
156
+
<varlistentry>
157
+
<term>Java binding</term>
158
+
<listitem>
159
+
<para>The ability to execute java code from inside the XQuery processor is disabled by default in the instances' <filename>conf.xml</filename>.<programlistinglanguage="xml"><xquery enable-java-binding="no" .../></programlisting> It is strongly recommended to keep it disabled on production systems.</para>
160
+
</listitem>
161
+
</varlistentry>
162
+
<varlistentry>
163
+
<term>REST server</term>
164
+
<listitem><para>We recommend to prevent eXist's REST server from directly recieving web requests, and use URL Rewriting to control code execution via URL instead. This feature is enabled by default in <filename>$EXIST_HOME/webapp/WEB-INF/web.xml</filename>. Changing the param-value to true, allows you to filter request via your own XQuery controller.</para>
165
+
<programlistinglanguage="xml"><init-param>
166
+
<param-name>hidden</param-name>
167
+
<param-value>true</param-value>
168
+
</init-param></programlisting>
169
+
<para>The following options allow a more fine-grained control over aspects of remote code execution:</para>
170
+
</listitem>
171
+
</varlistentry>
172
+
<varlistentry>
173
+
<term>XQuery submissions</term> <listitem><para>We recommend to restrict the REST servers ability to execute XQuery code to authenticated users, by modifying:<filename>$EXIST_HOME/webapp/WEB-INF/web.xml</filename>.</para>
<listitem><para>In addtion, we recommend to restrict the REST servers ability to execute XUpdate statements, because of the sensitive nature of update operation. Simply modify <filename>$EXIST_HOME/webapp/WEB-INF/web.xml</filename>by changing the param-value from enabled to disabled.</para>
<listitem><para>eXist-db loads several XQuery and Index extension modules by default. You should modify the builtin-modules section of conf.xml, to <emphasis>ONLY</emphasis> load what you need for your application.</para></listitem>
198
+
<listitem><para>eXist-db loads several XQuery and Index extension modules by default. You should modify the builtin-modules section of <filename>conf.xml</filename>, to <emphasis>ONLY</emphasis> load what you need for your application.</para></listitem>
<listitem><para>These two settings in the db-connection of conf.xml should be adjusted appropriately based on your -Xmx setting (above). See the <ulinkurl="tuning.xml">tuning guide</ulink> for advice on sensible values.</para></listitem>
212
+
<listitem><para>These two settings in the db-connection of <filename>conf.xml</filename> should be adjusted appropriately based on your -Xmx setting (above). See the <ulinkurl="tuning.xml">tuning guide</ulink> for advice on sensible values.</para></listitem>
<para>It has been reported by large scale users that keeping the eXist-db application, database data files and database journal on separate disks connected to different I/O channels can have a positive impact on performance. The location of the database data files and database journal can be changed in conf.xml.</para>
222
+
<para>It has been reported by large scale users that keeping the eXist-db application, database data files and database journal on separate disks connected to different I/O channels can have a positive impact on performance. The location of the database data files and database journal can be changed in <filename>conf.xml</filename>.</para>
<listitem><para>Snapshot of the database data files.</para></listitem>
194
234
</orderedlist>
195
-
<para>Each of these backup mechanisms is schedulable either with eXist-db or with your operating system scheduler. See the <ulinkurl="backup.xml">backup</ulink> page and conf.xml for further details.</para>
235
+
<para>Each of these backup mechanisms is schedulable either with eXist-db or with your operating system scheduler. See the <ulinkurl="backup.xml">backup</ulink> page and <filename>conf.xml</filename> for further details.</para>
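Review bot: line 154 says there are "two means of code execution in eXist", but the variablelist that follows has Java binding, REST server and XQuery submissions as separate entries and then goes on to XUpdate statements, so the count does not match the list. Either drop the number or nest the REST sub-options under the REST server entry. In that entry (line 164), "This feature is enabled by default" does not say whether it means direct REST access or the hidden parameter, which leaves the effect of "Changing the param-value to true" unclear. The sentence at line 169 introducing "the following options" sits inside the REST server listitem while the options themselves come after it as sibling entries. Typos in the added text: "recieving", "addtion", "REST servers ability" (missing apostrophe), "java code", "filter request".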