summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2013-08-27updated submodule stdlib to obtain 'obfuscate_email' function (#3479)varac
2013-08-27updated submodule couchdbvarac
2013-08-27updated submodule couchdbvarac
2013-08-22Merge branch 'bug/3339' into developMicah Anderson
2013-08-22install a preliminary firewall that blocks everything, except ssh for the ↵Micah Anderson
cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38
2013-08-22add HSTS if hiera value for webapp['secure'] is set (#3514)Micah Anderson
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
2013-08-22Merge branch 'bug/3342' into developMicah Anderson
2013-08-21Set apache header X-Frame-Options: "DENY"Micah Anderson
The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user in to clicking in the iframe, the attacker can coerce the user in to performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML /JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
2013-08-21Disable verbose, identifying apache headers (#3462):Micah Anderson
. Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
2013-08-21update couchdb module to resolve #3459Micah Anderson
Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9
2013-08-16update couchdb submodule to fix #3481Micah Anderson
Change-Id: I474cc691fcfc892b7aff4a3a0e3954155bf5ee30
2013-08-15Revert "temp hack: deploy the webapp as couch user 'admin'"Micah Anderson
This reverts commit 8c038fea91adc87adf9e408c16e2f0ec9838e3d2.
2013-08-15Because both soledad and leap-mx do not function with twisted 12, we had to ↵Micah Anderson
backport twisted 13. In order to install the backported dependencies we need an apt preferences_snippet installed for the backported twisted packages Change-Id: I886bb735eeb3abe7955c7cf054b749554ab84746
2013-08-14add START=yes to /etc/default/soledad to start the daemon, new package ↵Micah Anderson
requires this to start. Closes: #3474 Change-Id: I921dcf0d6571cd60d2705ae4925d0a4318c84fa2
2013-08-14Merge branch 'feature/webapp_production_log' into developMicah Anderson
2013-08-14require that the couchdb::query::setup has been run before any attempts are ↵Micah Anderson
made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0
2013-08-14update couchdb submodule to the latest version - fixes #3447Micah Anderson
Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7
2013-08-14Fix problem where webapp production.log had the wrong permissions - #3471Micah Anderson
Change-Id: I20a6ecc43e36fc1e8416c46f7e4d14726995d2f2
2013-08-14vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330)varac
squashed commits: site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy updated submodule squid_deb_proxy use squid_deb_proxy::client
2013-08-13require that the couchdb::query::setup has been run before any attempts are ↵Micah Anderson
made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0
2013-08-13update couchdb submodule to the latest version - fixes #3447Micah Anderson
Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7
2013-08-01run soledad daemon using the configured port.elijah
2013-08-01make site_shorewall::soledad use the hiera value for the soledad portMicah Anderson
Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920
2013-08-01add a requirement to soledad.json that soledad service is found on a couchdbMicah Anderson
node, if it is not, it will fail to compile this requires a newer leap_cli, so I've bumped the compatibility requirement Change-Id: Ie1061798d058087126163793b216dd5938eb95a6
2013-08-01For now, soledad will only exist on couchdb nodes (but not every couchdb hasMicah Anderson
soledad), so fix the port to be the local couchdb port. In the future, we may want to separate them out. There is no need to do haproxy with soledad, because the client is supposed to try a different soledad node if it can't connect Change-Id: I87e2c5079ba361634336316721c4358a0917fb09
2013-08-01fix #3291: set the soledad port properly in the json and as a temporary ↵Micah Anderson
work-around, use the couchdb admin/passwd Change-Id: Ibb1cd8416d00552f8ca1716e42a08137a4b461aa
2013-08-01Merge branch 'feature/issue/3278' into developvarac
2013-08-01Merge branch 'feature/issue/3347' into developvarac
2013-07-31add haproxy servers to services/mx.jsonvarac
2013-07-31 use smtpd_tls_security_level = may in postfix config (Bug #3348)varac
2013-07-31fix /etc/leap/mx.conf doesn't contain any user credentials (Feature #3347)varac
2013-07-31fix Could not find dependent Service[leap-mx] (Bug #3331)varac
2013-07-31Revert "Site_webapp/Try::File: Could not find command 'git' (Bug #3202)"varac
This reverts commit 9e83de3497ec55f4910de099917387d500b8f4b4.
2013-07-31Site_webapp/Try::File: Could not find command 'git' (Bug #3202)varac
2013-07-30webapp - use hiera config "webapp.admins" for the list of admin usernames, ↵elijah
default to empty list.
2013-07-30added webapp.secure flag (turns on secure cookies and HSTS)elijah
2013-07-30site_webapp - add support for haproxy weights and backup servers (resolves ↵elijah
#3278)
2013-07-29site_webapp bugfix - get compile_assets to run by ensuring .scss files are ↵elijah
created beforehand and have the correct permissions.
2013-07-29try::file bugfixes -- add refreshonly to chmod/chown, ensure old file is ↵elijah
replaced even if it is a link
2013-07-26Merge branch 'feature/mx' into developMicah Anderson
2013-07-26Merge branch 'feature/soledad' into feature/leap_mxMicah Anderson
2013-07-26Merge branch 'varac/feature/mx' into feature/leap_mxMicah Anderson
Conflicts: provider_base/services/mx.json puppet/manifests/site.pp puppet/modules/site_mx/manifests/init.pp puppet/modules/site_postfix/manifests/mx.pp Change-Id: Ib2952f6cb972c40a998f20d7bbdb23bb35bef419
2013-07-26added haproxy weights to webapp hiera (at haproxy.servers)elijah
2013-07-26fix cert generation bug: was creating 2024 bit keys instead of 2048 bit keys ↵elijah
by default.
2013-07-25initial leap_mx configurationMicah Anderson
Change-Id: Iddca4cf52706bf2f612d20ba19a53fbbe6b28479
2013-07-25initial soledad configurationMicah Anderson
Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190
2013-07-25updated submodule apachevarac
2013-07-25updated submodule couchdbvarac
2013-07-25updated submodule aptvarac
2013-07-25beginning of smtp_auth config with client certsvarac