
fixup! fixup! fixup! fixup! fixup! fixup! Fixes #21877: Hardening guide for Rudder

Fixes #21877: Hardening guide for Rudder
amousset committed Feb 24, 2023
1 parent 5c70be9 commit 0b9a37c
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions src/reference/modules/administration/pages/security.adoc
Expand Up @@ -7,19 +7,19 @@ add additional configurations to make your Rudder installation more secure.

=== HTTPS

* By default, all HTTPS traffic is handled by the same virtual host in Apache httpd. To allow hardening the connection security, a first step is to split public Web/API from internal node-server communication. You can do so by commenting the default virtual host in `/etc/apache2/sites-enabled/rudder.conf` or `/etc/httpd/conf.d/rudder.conf` (depending on the distribution), and uncommenting the two separate configurations. You only need a way to make a difference in the configuration, in general with a different port (which allows applying different firewall rules too) or a specific domain for Web/API.
* By default, all HTTPS traffic is handled by the same virtual host in Apache httpd. To allow hardening the connection security, a first step is to split public Web/API from internal node-server communication. You can do so by commenting the default virtual host in `/etc/apache2/sites-enabled/rudder.conf` or `/etc/httpd/conf.d/rudder.conf` (depending on the distribution), and uncommenting the two separate configurations. You need to define a method to distinguish both configurations, in general with a different port (which allows applying different firewall rules too) or a specific domain for Web/API.

* Once your virtual hosts are split, set up a valid certificate for the Web/API. This allows validating the server identity from Web browsers and API clients. You can use an internal PKI or a publicly trusted certificate, like with _Let's Encrypt_. The certificate configuration is done in `/etc/apache2/sites-enabled/rudder.conf` or `/etc/httpd/conf.d/rudder.conf` depending on your distribution, in the Web/API virtual host. To configure the TLS settings of the Web/API virtual hosts depending on your requirements and platform, we recommend using https://ssl-config.mozilla.org/[Mozilla SSL configurator generator].

* _HTTP Strict Transport Security_ (HSTS) allows ensuring the user's browser will always use HTTPS to connect to your server. It is not enabled by default as it may conflict with other services served from the same domain (e.g. package repositories). If you only use HTTPS with your Rudder's server domain, you can enable the HSTS header in `/opt/rudder/etc/rudder-web.properties` by modifying or adding the following properties (and restarting the `rudder-jetty` service to apply it):
* _HTTP Strict Transport Security_ (HSTS) ensures the user's browser will always use HTTPS to connect to your server. It is not enabled by default as it may conflict with other services served from the same domain (e.g. package repositories). If you only use HTTPS with your Rudder's server domain, you can enable the HSTS header in `/opt/rudder/etc/rudder-web.properties` by modifying or adding the following properties (and restarting the `rudder-jetty` service to apply it):

[source,ini]
----
rudder.server.hsts=true
rudder.server.hstsIncludeSubDomains=true
----

* You may want to hide the Apache httpd version from the headers. It cannot be done inside Rudder's configuration as it is a global parameter. To do so, you need to set the `ServerTokens` parameter to the `Prod` value (in `/etc/httpd` or `/etc/apache` depending on your distribution).
* You may want to hide the Apache httpd version from the headers. It cannot be done inside Rudder's configuration as it is a global httpd setting. To do so, you need to set the `ServerTokens` parameter to the `Prod` value (in `/etc/httpd` or `/etc/apache` depending on your distribution).

=== Authentication and user management
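Review bot: the rewritten `ServerTokens` bullet still points at `/etc/apache`, which is inconsistent with the Debian/Ubuntu path used earlier in the same hunk (`/etc/apache2/sites-enabled/rudder.conf`); the directory on those distributions is `/etc/apache2`, so the sentence should read "in `/etc/httpd` or `/etc/apache2` depending on your distribution". While touching that line, `ServerSignature Off` is the companion directive that keeps the version out of httpd-generated error pages, and is worth naming next to `ServerTokens Prod`. One more point on the unchanged HSTS lines: `rudder.server.hstsIncludeSubDomains=true` extends the policy to every subdomain of the server's domain, so the condition stated just above ("if you only use HTTPS with your Rudder's server domain") is not sufficient on its own; the text should say the subdomains must be HTTPS-only as well, or show the property as optional.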

Expand Down Expand Up @@ -123,4 +123,5 @@ the node's identity, you can use the https://docs.rudder.io/api/#tag/Nodes/opera
You can make a call to this API in your node provisioning process, and provide
the `agentKey` parameter (which should contain the content of `/opt/rudder/etc/ssl/agent.cert` on the node), and the `accepted` status.

This way, once the node sends its first inventory, if it matched the node id and certificate, it will be automatically accepted. Note that this creation call also allows pre-setting node properties.
This way, once the node sends its first inventory, if the node id and certificate match the pre-provisioned entry, the node inventory will be updated.
Please note that you can also pre-defined node properties using this API, to ensure that the pre-provisionned node is already in the correct groups
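Review bot: the second added line has two typos and no terminating period: "pre-defined" should be "pre-define" and "pre-provisionned" should be "pre-provisioned", e.g. "Please note that you can also pre-define node properties using this API, to ensure that the pre-provisioned node is already in the correct groups." On the first added line, the old wording said the node "will be automatically accepted"; the new wording only says "the node inventory will be updated", so the reader no longer learns that the matching node ends up accepted (the `accepted` status passed in the creation call above is what makes that happen). Suggest keeping that outcome explicit, for instance "the node is accepted and its inventory is updated".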
