
Secure your Tatin registry

How to authorise users and secure your Tatin server from attack

Issue and require credentials for publishing packages on your server. Encrypt internet communications by installing security certificates; or (better) use a reverse proxy to shield your Tatin registry behind an industrial-strength webserver such as Apache or Nginx.

Credentials

The server requires and accepts API keys according to Credentials.csv in the server’s home folder.

Create a UUID and use that as an API key.

Add an API key

To add an API key to the stored credentials, put it in a file Credentials.txt in the server’s home folder as either

<group-name>,<api-key>
*,<api-key>

The server:

  • deletes from Credentials.csv rules with matching group names
  • creates a Salt for each API key in Credentials.txt
  • converts each key and its Salt into a hash and records the rule in Credentials.csv
  • deletes file Credentials.txt

Credential rules

Rules in Credentials.csv have syntax:

[group-name | *] [,api-key-hash[,salt]]
; just a comment

Some rule examples:

; require hash1 key for group1
group1,hash1,salt1

; require hash2 key for everything else
*,hash2,salt2

; allow no-key publication for everything else
*

Having * (or *, or *=) as the only rule is the same as having no credentials file.

The rules are read in sequence and can mix different scenarios.

Some credential file examples

Require individual keys for group1 and group2, and a ‘master’ key for other groups:

group1,hash1,salt1
group2,hash2,salt2
*,hash3,salt3

Require keys for group1 and group2 only:

group1,hash1
group2,hash2
*

Allow no-key publication for a specific group:

group1,hash1,salt1
group2,
*,hash3,salt3

Delete a rule

To delete a rule for a group, edit the file Credentials.csv.
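To make the rule semantics above concrete, here is an added Python example (not part of Tatin or this page) that turns Credentials.txt lines into rules, parses a Credentials.csv file, and decides whether a presented key may publish to a group; the hash function and salt format are assumptions, since the page does not state which algorithm Tatin uses.

```python
import hashlib
import secrets
import uuid

def hash_key(api_key, salt):
    """Hypothetical hash of salt+key; the page does not state Tatin's real algorithm."""
    return hashlib.sha256((salt + api_key).encode()).hexdigest()

def make_rule(group, api_key=None):
    """Convert a Credentials.txt line (group,api-key) into a Credentials.csv rule."""
    if api_key is None:
        return group                      # bare group or '*': no key required
    salt = secrets.token_hex(16)          # fresh salt per key, as the server does
    return f"{group},{hash_key(api_key, salt)},{salt}"

def parse_rules(text):
    """Read Credentials.csv rules in order; ';' lines are comments, fields are group,hash,salt."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        group, key_hash, salt = (line.split(",") + ["", ""])[:3]
        rules.append((group.strip(), key_hash.strip(), salt.strip()))
    return rules

def may_publish(rules, group, presented_key):
    """Rules are read in sequence: the first rule naming the group, or '*', decides."""
    if not rules:
        return True                       # no credentials file: open publication
    for rule_group, key_hash, salt in rules:
        if rule_group not in (group, "*"):
            continue
        if key_hash == "":
            return True                   # rule without a hash: no key needed
        if presented_key is None:
            return False
        return secrets.compare_digest(hash_key(presented_key, salt), key_hash)
    return False                          # no rule covers this group

# Constructed sample: UUID API keys, as the page recommends, and a three-rule file.
KEY1, MASTER = str(uuid.uuid4()), str(uuid.uuid4())
CREDENTIALS_CSV = "\n".join([
    "; require key1 for group1", make_rule("group1", KEY1),
    "; allow no-key publication for group2", "group2,",
    "; require the master key for everything else", make_rule("*", MASTER),
])
RULES = parse_rules(CREDENTIALS_CSV)
```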

Security certificates

Encrypting communications (HTTPS) requires security certificates. The server download includes two:

Assets/Runtime/Certificates/ca-[cert|key].pem
Assets/Runtime/Certificates/localhost-[cert|key].pem

GitHub blocks downloads of certificates. If the PEMs are missing, you should find files of the same names with an additional extension .RemoveMe.

Removing that extension should produce what you need.

Instead of enabling HTTPS on the Tatin server itself, you can shield the server behind a reverse proxy (see below).

Reverse proxy

If your registry serves requests from the internet, shield it behind an industrial-strength web server like Apache or Nginx.

This improves security, for example by strengthening defences against DDoS attacks. It also offers an easy way to implement load balancing.

Apache can be used as a reverse-proxy server, a.k.a. gateway server.

Suppose Tatin is listening on port 8081.

Add the following lines to the Apache site configuration file, typically one in /etc/apache2/sites-available.

ProxyPreserveHost on
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/

In /etc/apache2/sites-enabled there should be just a symbolic link pointing to that file in /etc/apache2/sites-available.

The ProxyPass directive forwards incoming requests to the Tatin server.

The ProxyPassReverse directive ensures the Location: headers generated by your Tatin server are modified to point instead to the web server.

Apache guides: Reverse Proxy and Module mod_proxy