WebUI

The WebUI is configured in client.d/service/webui/default.yaml.

Realm Routing

The WebUI supports the path routing mode, where the URL path segment determines the realm:

realm:
    mode: path
    map:
        democa: democa
        rootca: rootca

The key on the left is the URL path segment (/webui/democa/), the value on the right is the internal realm name. Every new realm must be added here (see Creating a Realm).

Session Handler

The session handler manages frontend sessions. Configuration is in the session section of client.d/service/webui/default.yaml.

Filesystem-based (default):

session:
    params:
        Directory: /tmp

Database-based (recommended for multi-node deployments):

session:
    driver: driver:openxpki
    params:
        DataSource: dbi:MariaDB:dbname=openxpki;host=localhost
        User: openxpki_session
        Password: mysecret

Note: The package openxpki-cgi-session-driver is required for database-based sessions. It is strongly recommended to use a dedicated database user with access only to the frontend_session table:

CREATE USER 'openxpki_session'@'localhost' IDENTIFIED BY 'mysecret';
GRANT SELECT, INSERT, UPDATE, DELETE ON openxpki.frontend_session
TO 'openxpki_session'@'localhost';

Session data encryption:

Encrypts data using AES before storing it in the selected backend so it is opaque to administrators:

session:
   EncryptKey: SessionSecret

Session cookie encryption:

Encrypt the value of the session cookie holding the internal session id:

session:
   cookey: TheCookieMonster

Session fingerprinting prevents session hijacking by cookie theft. All listed variables must match, otherwise the session is discarded:

session:
    fingerprint:
      - HTTP_ACCEPT_ENCODING
      - HTTP_USER_AGENT
      - HTTP_ACCEPT_LANGUAGE
      - REMOTE_USER
      - SSL_CLIENT_CERT

Variables that are not set or empty are ignored. When using X.509 client certificate authentication, include SSL_CLIENT_CERT so that the session is automatically invalidated when the external certificate expires.

Additional WebUI Options

global:
    staticdir: /var/www/static/    # directory for per-realm static content

# Security HTTP headers
header:
    Strict-Transport-Security: max-age=31536000;
    X-Frame-Options: SAMEORIGIN;
    X-XSS-Protection: "1; mode=block"

The staticdir directory must contain one subdirectory per realm (named after the realm) or a _global directory as a fallback.