Parameters in /tlwebadm/

In this section, we will describe all the parameters currently used by the ThinLinc Web Administration. These configuration parameters reside in /opt/thinlinc/etc/conf.d/tlwebadm.hconf.

/tlwebadm/username

The username to authenticate with when accessing the web interface.

/tlwebadm/password

The password for the above user. The tool tl-gen-auth may be used to create hashes of the format required for use with this parameter.

/tlwebadm/cert

The path to the certificate file to be used for TLS encryption.

/tlwebadm/certkey

The path to the certificate private key file.

/tlwebadm/listen_port

The local port for the web server to listen on.

/tlwebadm/gnutls_priority

The GnuTLS priority string is used to select the order and availability of TLS versions, ciphers, key exchange, MAC, compression, signature and elliptic curve algorithms for TLS sessions. See GnuTLS priority strings for possible values.

/tlwebadm/server_tokens

If set to true, Web Administration includes the ThinLinc version, as well as Python version information in the “Server” response header field. If set to false, the “Server” response header will not include any version information. The default value is true.

Note

Disabling server_tokens might make it easier to work with some security scanners that raise alerts when this type of version information is included. But note that hiding version information does nothing to make your server more secure.

/tlwebadm/hsts/policy

Heed the warnings about enabling an HSTS policy; see Configuring HSTS headers. Once enabled, the results should be considered permanent and are difficult to reverse. The only way to disable the HSTS policy is to wait for the specified duration, as described below, to pass before visiting the domain again.

  • Off: The default value. The HSTS header will not be sent.

  • Testing: Before setting the policy to permanent, it is recommended to test that the policy works for the intended domains, to verify that they support HTTPS. This value indicates to the browser that it should only remember this domain for 10 minutes.

  • Permanent: This value indicates that browsers will remember this domain for 2 years. This duration is refreshed every time a domain is revisited, which is why it should be viewed as permanent.

/tlwebadm/hsts/subdomains_included

If enabled, the HSTS policy is also applied to the subdomains of the ThinLinc host.

Note

It is recommended to verify that all subdomains support HTTPS before enabling this. In order to verify, set policy=testing, restart the service and then visit Web Administration in the browser to enable the HSTS policy.

/tlwebadm/hsts/allow_browser_preload

Requirements: policy=permanent and subdomains_included=true

With allow_browser_preload enabled, the browser is told that the intention is to add the domain, and its subdomains, to the browsers’ preload lists. This would result in the HSTS policy being enabled at the first visit to the domain or subdomain.

Note

Only use this option if you are sure that HTTPS is supported for the domain and all of its subdomains. It may be difficult to remove domains and subdomains from the preload list.
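
To confirm which HSTS policy a running Web Administration instance actually sends, the following added example (not part of ThinLinc or its documentation) classifies a Strict-Transport-Security header value against the policy levels described above and flags a preload directive that does not meet the stated requirements. The max-age values are assumptions derived from the stated 10 minutes and 2 years, the mapping of subdomains_included to the standard includeSubDomains directive is also assumed, and the function names and sample headers are constructed for illustration.

```python
# Assumed max-age values, derived from the text: 10 minutes and 2 years (730 days).
POLICY_BY_MAX_AGE = {10 * 60: "testing", 2 * 365 * 24 * 3600: "permanent"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return None if malformed."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in seen:  # RFC 6797: a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted string
            if not (arg.isascii() and arg.isdigit()):
                return None
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    # max-age is required; a header without it is treated as malformed
    return parsed if parsed["max_age"] is not None else None


def audit(header_value):
    """Return (policy, warnings) for a response's HSTS header (None if absent)."""
    if header_value is None:
        return "off", []
    parsed = parse_hsts(header_value)
    if parsed is None:
        return "invalid", ["header is malformed"]
    policy = POLICY_BY_MAX_AGE.get(parsed["max_age"], "other")
    warnings = []
    if parsed["preload"] and not (policy == "permanent" and parsed["include_subdomains"]):
        warnings.append("preload sent without policy=permanent and subdomains_included=true")
    return policy, warnings


# Constructed sample header values, not captured from a real server.
SAMPLES = [None, "max-age=600", "max-age=63072000; includeSubDomains; preload",
           "max-age=63072000; preload", "max-age=600; max-age=63072000"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", audit(sample))
```

Pass audit() the header value taken from a response of the Web Administration port after restarting the service, or None when the header is absent.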

/tlwebadm/logging/logfile

The file to use for logging tlwebadm messages. By default, this is /var/log/tlwebadm.log.