leap_platform.git/puppet/modules/site_apache, branch 0.3.0rc3 [leap_platform] Webapp doesn't serve commercial cert (Bug #3916) 2013-09-24T09:01:19+00:00 varac varacanero@zeromail.org 2013-09-24T09:01:19+00:00 02f17c426e6288f898a66a1a687b413ffe9a9b95 






move commercial x509 deployment to site_x509 (Feature #3889)
2013-09-24T08:06:22+00:00

varac
varacanero@zeromail.org

2013-09-24T07:23:54+00:00

9fae612bd8d147321e0cb553610fcaf0140e84eb












Merge branch 'api-crt-3384' into develop fixes #3384
2013-09-21T22:13:13+00:00

kwadronaut
kwadronaut@leap.se

2013-09-21T22:13:13+00:00

5e582cbf9e2cd135009965433b4cd2a7747732ed












adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384)
2013-09-21T22:08:05+00:00

kwadronaut
kwadronaut@leap.se

2013-09-17T18:09:10+00:00

a95e00f78e07d515b49de563ca5fbcd83be0d015

node name and dns fqdn could be different
Also note that on local deploys that warning from #3384 will continue to exist (because of dns)





node name and dns fqdn could be different
Also note that on local deploys that warning from #3384 will continue to exist (because of dns)







fix whitespace issues from https://review.leap.se/r/82
2013-09-20T16:58:13+00:00

varac
varacanero@zeromail.org

2013-09-20T16:58:13+00:00

486a9cd3b7bd8d643a9623fd40db2286cdf52fc8












tidy webapp api x509 definitions (#3840)
2013-09-19T11:48:07+00:00

varac
varacanero@zeromail.org

2013-09-19T11:48:07+00:00

55578fec453d6b090f623fd3368138f9e322c9f5












create individual classes for the apache modules so they can be included more than once in different locations, depending on what services are configured on a node (#3612)
2013-08-29T19:37:11+00:00

Micah Anderson
micah@leap.se

2013-08-29T19:05:15+00:00

323ceff1ea60bd3463821fc2295ffb790d822165

Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770





Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770







add HSTS if hiera value for webapp['secure'] is set (#3514)
2013-08-22T13:40:51+00:00

Micah Anderson
micah@leap.se

2013-08-21T00:44:21+00:00

613f7f12f4c907ea07e79e3e73da8f2b71d3436d

Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab





Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab







Set apache header X-Frame-Options: "DENY"
2013-08-21T16:26:24+00:00

Micah Anderson
micah@leap.se

2013-08-21T00:53:58+00:00

538fe40239c59c186099fa7e1a026969fba4ae36

The LEAP web application can be displayed inside other pages using an HTML
iframe.  Therefore, an attacker can embed parts of the LEAP application inside
of a webpage they control. They can then use special style properties to
disguise the embedded page. By tricking a user in to clicking in the iframe, the
attacker can coerce the user in to performing unintended actions within the LEAP
web application.

An attacker creates a website that embeds the LEAP web application in an iframe.
They then create an HTML /JavaScript game on the same page that involves
clicking and dragging sprites. When a user plays the game, they are in fact
dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app,
which is hidden behind the game using

As long as iframe embedding is not required in the normal usage of the
application, the X-Frame-Options header should be added to prevent browsers from
displaying the web application in frames on other origins.

This has also been set in the webapp

Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d





The LEAP web application can be displayed inside other pages using an HTML
iframe.  Therefore, an attacker can embed parts of the LEAP application inside
of a webpage they control. They can then use special style properties to
disguise the embedded page. By tricking a user in to clicking in the iframe, the
attacker can coerce the user in to performing unintended actions within the LEAP
web application.

An attacker creates a website that embeds the LEAP web application in an iframe.
They then create an HTML /JavaScript game on the same page that involves
clicking and dragging sprites. When a user plays the game, they are in fact
dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app,
which is hidden behind the game using

As long as iframe embedding is not required in the normal usage of the
application, the X-Frame-Options header should be added to prevent browsers from
displaying the web application in frames on other origins.

This has also been set in the webapp

Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d







Disable verbose, identifying apache headers (#3462):
2013-08-21T16:24:39+00:00

Micah Anderson
micah@leap.se

2013-08-21T00:36:12+00:00

e3a1c5d0c8f644bc0956758a8832d2f586556cf6

 . Disable ServerSignature
 . Set ServerTokens Prod
 . unset the X-Powered-By and X-Runtime apache headers

Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a





 . Disable ServerSignature
 . Set ServerTokens Prod
 . unset the X-Powered-By and X-Runtime apache headers

Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a