Web Security
We use an Apache web server for Ensemble. If you install Ensemble on another web server application, please let us know about your experience or any issues you encounter. We don't expect any web server compatibility issues.
The following describes our Apache configuration for Ensemble. Apache controls access through configuration statements called "directives." Note that the Apache configuration below is provided for reference only and is not required for a working Ensemble installation. We do, however, strongly recommend that you secure your Ensemble installation.
More information on using Apache directives can be found on the Apache site.
The following directive allows only SSL connections (https) to the start.php page, which is the link given to subjects. All other pages accessed by subjects are in subdirectories of ensemble. We don't want to require SSL for the ensemble parent directory itself, since we redirect requests for that URL to the user documentation.
<Directory /var/www/html/ensemble>
    # <Files> matches on the file's basename, so it is nested inside the
    # ensemble <Directory> to limit it to this one start.php
    <Files start.php>
        SSLRequireSSL
        Options +ExecCGI
        Order Allow,Deny
        Allow from All
    </Files>
</Directory>
All PHP scripts (except for the start.php script above) are in subdirectories of ensemble. The following allows only SSL connections to every subdirectory of ensemble except the doc subdirectory. Note that if you add another subdirectory of ensemble whose name starts with 'd', you will need to change the pattern in this directive, because [^d]* excludes every subdirectory beginning with 'd', not just doc.
# [^d]* matches every subdirectory of ensemble whose name does not start
# with 'd'; this is how the doc subdirectory is left out
<Directory /var/www/html/ensemble/[^d]*>
    SSLRequireSSL
    Options +ExecCGI
    Order Allow,Deny
    Allow from All
</Directory>
The following directive also requires SSL connections, but additionally denies access to the admin subdirectory except from specific subnets. The IP addresses we use have been replaced by 'x's here. The admin subdirectory contains all pages used for the QEI. Note that a username and password are also needed to access these pages; the network restriction is an extra layer of security on top of that.
<Directory /var/www/html/ensemble/admin>
    SSLRequireSSL
    Options +ExecCGI
    # deny everyone by default, then allow only the listed networks
    Order Deny,Allow
    Deny from All
    # replace the 'x's below with the leading octets of the networks
    # (subnets) that should be able to reach the admin pages
    Allow from xxx.xxx
    Allow from xxx.xxx
    Allow from xxx.xxx
</Directory>
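As an added example that is not part of the Ensemble documentation, here is the same set of rules written for Apache 2.4, where Order/Allow/Deny were replaced by Require. The paths are the ones used above; the subnets are placeholder documentation ranges, and the DirectoryMatch pattern is an assumed alternative to the [^d]* wildcard that excludes only the doc subdirectory.

```apache
# Added example (not from the Ensemble documentation): the three rules above
# restated for Apache 2.4. Paths are the page's; subnets are placeholders.

# 1. start.php only. <Files> matches on the basename, so it is nested in
#    the ensemble <Directory> rather than given a full path.
<Directory /var/www/html/ensemble>
    <Files start.php>
        SSLRequireSSL
        Options +ExecCGI
        Require all granted
    </Files>
</Directory>

# 2. Every subdirectory of ensemble except doc. The negative lookahead
#    excludes exactly "doc" (with or without a trailing slash), so a future
#    "data" subdirectory would still be SSL-only, unlike with [^d]*.
#    [^/]+ keeps the ensemble parent directory itself out of the match.
<DirectoryMatch "^/var/www/html/ensemble/(?!doc(/|$))[^/]+">
    SSLRequireSSL
    Options +ExecCGI
    Require all granted
</DirectoryMatch>

# 3. admin: SSL plus a source-network allow list. Anything not listed is
#    refused, which is the 2.4 equivalent of Deny from All + Allow from.
<Directory /var/www/html/ensemble/admin>
    SSLRequireSSL
    Options +ExecCGI
    # placeholder subnets (RFC 5737 documentation ranges); replace with yours
    Require ip 192.0.2.0/24 198.51.100.0/24
</Directory>
```

SSLRequireSSL answers a plain-http request with 403 Forbidden rather than redirecting, so if subjects should be sent to the secure URL automatically, add a redirect to https in the non-SSL virtual host as well.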