How to secure my LabCollector on a self-hosted server? - LabCollector
When running LabCollector on your own server, proper security setup is essential. This article outlines actions to secure both the server configuration and LabCollector-specific directories.


🛡️ 1. Web Root Security (/.htaccess at the root of your site)

This .htaccess file protects shared directories like files/, backup/, documents/, and maps/ from unauthorized external access. Note that the Referer header is supplied by the client and can be omitted or forged, so the referrer check below stops casual hotlinking and direct downloads but is not a substitute for authentication; treat it as one layer alongside the other measures in this article.

Options -Indexes

RewriteEngine On

# Block direct external access unless referred from your domain
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
RewriteRule ^files/(.+)$ - [F]
RewriteRule ^documents/(.+)$ - [F]
RewriteRule ^backup/(.+)$ - [F]
RewriteRule ^maps/(.+)$ - [F]

From LabCollector v6.0, a .htaccess-example file is available. Customize and rename it as needed.
🔄 Replace yourdomain.com with your real domain.

🔐 2. Lab Folder-Level Protection (/<lab_name>/.htaccess)

Each individual lab inside LabCollector (e.g., /my_lab) may have its own .htaccess. Use it to block access to sensitive files like composer.lock and .env.

Add this inside /your_lab/.htaccess:

<FilesMatch "(composer\.lock|\.env)">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
Order Deny,Allow
Deny from all
</FilesMatch>

This prevents leaking secrets or configuration data often stored in .env or dependency files like composer.lock.

⚙️ 3. Apache Configuration File (httpd.conf or main config)

At the server configuration level, you can improve security and enable features globally.

Recommended directive inside httpd.conf (the Directory block must be closed, otherwise Apache refuses to start):

<Directory "${path}/www/httpd">
Options -Indexes +FollowSymLinks +Includes
</Directory>

httpd.conf is typically found in /etc/httpd/conf/ or /usr/local/apache2/conf/, depending on your Linux distribution.

Additional Security Recommendations

  • Enable HTTPS: Use SSL certificates and redirect all HTTP traffic to HTTPS. Refer to our HTTPS guide.
  • Restrict IP access: Limit access to trusted networks only. Use Apache/Nginx rules to define IP allow/deny lists.
  • Enable 2FA and CAPTCHA: Go to Admin > Setup > Login options and activate:
    • Two-Factor Authentication (2FA)
    • CAPTCHA on login screens
  • Set correct file permissions:
    chmod -R 755 /path/to/labcollector
    chown -R www-data:www-data /path/to/labcollector
  • Secure and encrypt backups: Store backups offsite and encrypt them, for example with GPG or another AES-based encryption tool.
  • Keep systems updated: Regularly patch LabCollector, your OS, Apache/Nginx, PHP, and MySQL.
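As an added example (not LabCollector's own tooling), the POSIX shell function below audits a web root for the hardening described in sections 1 and 2 and in the file-permission bullet above: the root .htaccess rules, the lab-level FilesMatch protection for .env and composer.lock, and world-writable files. The web-root path passed in and the wording of the checks are assumptions.

```shell
#!/bin/sh
# Added audit script (constructed example, not LabCollector's own tooling).
# Checks a LabCollector web root against the hardening described above:
#   1. the root .htaccess disables directory listing, carries a RewriteRule
#      for each of files/, documents/, backup/ and maps/, and no longer
#      contains the yourdomain.com placeholder (section 1);
#   2. every folder holding a .env or composer.lock has a .htaccess with a
#      FilesMatch block (section 2);
#   3. no file under the web root is world-writable (permissions bullet).
# Exit status is the number of failed checks (0 = all passed).
# Limitation: paths containing whitespace are not handled by the for loop.
audit_labcollector() {
    root="$1"
    fails=0
    ht="$root/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "FAIL: missing $ht"; fails=$((fails + 1))
    else
        grep -q '^Options.*-Indexes' "$ht" \
            || { echo "FAIL: directory listing not disabled in $ht"; fails=$((fails + 1)); }
        for d in files documents backup maps; do
            grep -q "RewriteRule \^$d/" "$ht" \
                || { echo "FAIL: no RewriteRule for $d/ in $ht"; fails=$((fails + 1)); }
        done
        if grep -qF 'yourdomain' "$ht"; then
            echo "FAIL: placeholder domain still present in $ht"; fails=$((fails + 1))
        fi
    fi
    # Section 2: secrets and dependency files must sit behind a FilesMatch rule.
    for f in $(find "$root" -type f \( -name .env -o -name composer.lock \)); do
        lab=$(dirname "$f")
        if ! grep -q 'FilesMatch' "$lab/.htaccess" 2>/dev/null; then
            echo "FAIL: $f is not covered by a FilesMatch rule in $lab/.htaccess"
            fails=$((fails + 1))
        fi
    done
    # Permissions: the recommended 755 leaves nothing world-writable (o+w).
    ww=$(find "$root" -type f -perm -002 | head -n 5)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable files found:"; echo "$ww"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ] && echo "OK: $root passes all checks"
    return "$fails"
}
```

Run it as `audit_labcollector /path/to/labcollector` after applying the changes above; a non-zero exit status tells you how many checks still fail.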
