Configuration

All GreasySpoon configuration and administration tasks can be done using the embedded web administration interface.

Using Firefox/IE, connect to http://127.0.0.1:8088/ (default address and port).
The default login and password are admin/admin.



You can take a virtual tour of the version 0.5.x administration interface here (use Exit on the right to return).

Web administration configuration

Web administration can be customized through the Maintenance » Setup » Administration page.

This page lets you modify the following parameters:

  • IP address: restricts administration access to the given address. This makes it possible to run the administration server on a dedicated network interface/VLAN.
  • Administration port (default:8088)
  • Administration page: directory containing the administration HTML pages
  • Over SSL: requires a specific installation with a certificate keystore. See the Security guidelines chapter.
  • Administration password: changes the current admin password
  • Scripts editor properties (code coloring, line numbering, ...)

User Accounts and Profiles

GreasySpoon administration supports several user accounts, with a basic rights management system. Three kinds of profiles can be associated with user accounts:

  • Admin profile: provides complete access to all features.
  • User profile: can only access the script development/management interface. Scripts created by Admin users can be enabled/disabled but not modified or deleted.
  • None profile (supervisor): has no write rights. This profile can only access the script interface, and cannot create/modify/delete scripts.

Note:

  • Rights management is still in beta
  • Script ownership is determined by a tag #rights=[ADMIN|USER] added at the top of the script file. A script is automatically attributed to ADMIN when an administrator modifies and saves it. To downgrade rights to USER, manually edit the script to switch this flag.
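
An added example (not GreasySpoon's own code) that audits the #rights tag described in the note above: it reports which scripts are owned by ADMIN or USER and flags scripts whose tag is missing or not on the first line. The scripts directory passed as an argument and the five-line search window are assumptions.

```python
import re
from pathlib import Path

# Tag syntax as given on the page: #rights=ADMIN or #rights=USER.
RIGHTS_TAG = re.compile(r"^#rights=(ADMIN|USER)\s*$")
HEAD_LINES = 5  # assumption: how far down to look for a misplaced tag


def script_owner(path):
    """Return (owner, line_no); owner is 'ADMIN', 'USER' or None if untagged."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            if line_no > HEAD_LINES:
                break
            # Ignore a UTF-8 byte order mark in front of the tag.
            match = RIGHTS_TAG.match(line.lstrip("\ufeff"))
            if match:
                return match.group(1), line_no
    return None, None


def audit_scripts(script_dir):
    """Map each script file name to a finding a reviewer can act on."""
    findings = {}
    for path in sorted(Path(script_dir).iterdir()):
        if not path.is_file():
            continue
        owner, line_no = script_owner(path)
        if owner is None:
            findings[path.name] = "UNTAGGED: ownership undefined, review manually"
        elif line_no != 1:
            findings[path.name] = f"{owner} tag on line {line_no}, not at the top of the file"
        elif owner == "USER":
            findings[path.name] = "USER: editable by User-profile accounts"
        else:
            findings[path.name] = "ADMIN: User-profile accounts cannot modify or delete"
    return findings


if __name__ == "__main__":
    import sys
    # The scripts directory is install-specific, so it is passed explicitly.
    for name, finding in audit_scripts(sys.argv[1]).items():
        print(f"{name}: {finding}")
```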

Security guidelines

The ICAP architecture is designed so that ICAP services like GreasySpoon need to be visible only to the proxy.

Security should therefore rely mainly on the infrastructure design: deploy GreasySpoon in a private DMZ and allow only connections from the proxy on the ICAP port (1344 by default).

GreasySpoon security can however be reinforced using the following guidelines:

  • Install and run GreasySpoon using a limited user account or in a chrooted environment
  • If you have a network interface/IP dedicated to administration, configure GS administration to only accept connections from it (Maintenance>setup>Administration>Administrative Interface IP).
  • If you don't need the web administration/development interface, turn it off ("admin.enabled" parameter in the conf/icapserver.conf file)
  • Run the web admin/development server over https: in the web interface, on Maintenance>setup>Administration, select "Administration over SSL" and apply the change. Reconnect using https://{serverIP:serverport}/
  • Accounts can be created through the Web administration interface, with 3 possible associated rights: administrator, user (developer) and none (supervision).

    • Administrators have full access to GreasySpoon
    • Developers only have access to the script page, and can create their own scripts but cannot modify scripts made by an administrator
    • Profiles with "none" rights only have access to the script page, and cannot modify anything

    Note: the user rights feature is still in beta, and is mainly here to avoid erroneous manipulation. Don't create an account (even with NONE rights) for someone you don't trust.