This is an administrative interface for servers that could be directly accessible on the Internet.
Even with mitigation of access by filtering IP addresses, “secure by default” should be the key point.
Therefore, I don’t think that these defaults are secure enough.
I also understand the point about “backward compatibility”, but in this case the approach used on TLS policies does not fit. This is not a service available to people or users; it’s an interface where people should know why it’s there and why it should be secure.
IMO, security first, then the accessibility or backward compatibility.
Yes, I agree: we will be there soon. As 7.5 is around the corner, I’d start by releasing a backward-compatible default. Starting from 7.5 we can adjust the default values for new installations.
I will not release a UI immediately. The first release will be based on a DB prop setup or a configuration file.
Instead of config setprop httpd-admin MaxSessionIdleTime '' MaxSessionLifeTime '' to disable the timeouts, I wonder whether it might be better to do config delprop httpd-admin MaxSessionIdleTime, etc., but it generally looks good and clear. I hope that when we get a panel for it, we won’t be stuck with typing in numbers of seconds to set the values, though.
Sorry, kind of a pet peeve of mine, but localinstall is inappropriate here for two reasons: (1) you aren’t, in fact, installing a package that’s local to the machine; and (2) it’s been deprecated in any event, so really it should never be used at all. yum install is the droid you’re looking for.