Age | Commit message | Author | |
---|---|---|---|
2013-08-22 | install a preliminary firewall that blocks everything, except ssh for the ↵ | Micah Anderson | |
cases when shorewall doesn't properly come up, ensuring that it fails safe (#3339) Change-Id: Id4f0bf6cf25f420aa2ad67635b37ae95f54e3d38 | |||
2013-08-22 | add HSTS if hiera value for webapp['secure'] is set (#3514) | Micah Anderson | |
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab | |||
2013-08-22 | Merge branch 'bug/3342' into develop | Micah Anderson | |
2013-08-21 | Set apache header X-Frame-Options: "DENY" | Micah Anderson | |
The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user into clicking in the iframe, the attacker can coerce the user into performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML/JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values into the "Change Password" form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d | |||
2013-08-21 | Disable verbose, identifying apache headers (#3462): | Micah Anderson | |
. Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a | |||
2013-08-21 | update couchdb module to resolve #3459 | Micah Anderson | |
Change-Id: Icad17de812392d7c587e5bcbf60cd5242c1241e9 | |||
2013-08-16 | update couchdb submodule to fix #3481 | Micah Anderson | |
Change-Id: I474cc691fcfc892b7aff4a3a0e3954155bf5ee30 | |||
2013-08-15 | Revert "temp hack: deploy the webapp as couch user 'admin'" | Micah Anderson | |
This reverts commit 8c038fea91adc87adf9e408c16e2f0ec9838e3d2. | |||
2013-08-15 | Because both soledad and leap-mx do not function with twisted 12, we had to ↵ | Micah Anderson | |
backport twisted 13. In order to install the backported dependencies we need an apt preferences_snippet installed for the backported twisted packages Change-Id: I886bb735eeb3abe7955c7cf054b749554ab84746 | |||
2013-08-14 | add START=yes to /etc/default/soledad to start the daemon, new package ↵ | Micah Anderson | |
requires this to start. Closes: #3474 Change-Id: I921dcf0d6571cd60d2705ae4925d0a4318c84fa2 | |||
2013-08-14 | Merge branch 'feature/webapp_production_log' into develop | Micah Anderson | |
2013-08-14 | require that the couchdb::query::setup has been run before any attempts are ↵ | Micah Anderson | |
made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 | |||
2013-08-14 | update couchdb submodule to the latest version - fixes #3447 | Micah Anderson | |
Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 | |||
2013-08-14 | Fix problem where webapp production.log had the wrong permissions - #3471 | Micah Anderson | |
Change-Id: I20a6ecc43e36fc1e8416c46f7e4d14726995d2f2 | |||
2013-08-14 | vagrant: Install squid-deb-proxy on clients (optional) (Feature #3330) | varac | |
squashed commits: site_squid_deb_proxy::client: include shorewall::rules::mdns for avahi discovery added submodule squid_deb_proxy from git://code.leap.se/puppet_squid_deb_proxy updated submodule squid_deb_proxy use squid_deb_proxy::client | |||
2013-08-13 | require that the couchdb::query::setup has been run before any attempts are ↵ | Micah Anderson | |
made to create databases or add users as these would fail otherwise. Closes: #3466 Change-Id: Ifa8b3da5858ce858fd319c4a659e70d20a65d3e0 | |||
2013-08-13 | update couchdb submodule to the latest version - fixes #3447 | Micah Anderson | |
Change-Id: Ib6458b962c624fdb75f514dbd4c2129581fc2bb7 | |||
2013-08-01 | run soledad daemon using the configured port. | elijah | |
2013-08-01 | make site_shorewall::soledad use the hiera value for the soledad port | Micah Anderson | |
Change-Id: I923f15de807f907d6246c3a83df1e59c39d4e920 | |||
2013-08-01 | add a requirement to soledad.json that soledad service is found on a couchdb | Micah Anderson | |
node, if it is not, it will fail to compile this requires a newer leap_cli, so I've bumped the compatibility requirement Change-Id: Ie1061798d058087126163793b216dd5938eb95a6 | |||
2013-08-01 | For now, soledad will only exist on couchdb nodes (but not every couchdb has | Micah Anderson | |
soledad), so fix the port to be the local couchdb port. In the future, we may want to separate them out. There is no need to do haproxy with soledad, because the client is supposed to try a different soledad node if it can't connect Change-Id: I87e2c5079ba361634336316721c4358a0917fb09 | |||
2013-08-01 | fix #3291: set the soledad port properly in the json and as a temporary ↵ | Micah Anderson | |
work-around, use the couchdb admin/passwd Change-Id: Ibb1cd8416d00552f8ca1716e42a08137a4b461aa | |||
2013-08-01 | Merge branch 'feature/issue/3278' into develop | varac | |
2013-08-01 | Merge branch 'feature/issue/3347' into develop | varac | |
2013-07-31 | add haproxy servers to services/mx.json | varac | |
2013-07-31 | use smtpd_tls_security_level = may in postfix config (Bug #3348) | varac | |
2013-07-31 | fix /etc/leap/mx.conf doesn't contain any user credentials (Feature #3347) | varac | |
2013-07-31 | fix Could not find dependent Service[leap-mx] (Bug #3331) | varac | |
2013-07-31 | Revert "Site_webapp/Try::File: Could not find command 'git' (Bug #3202)" | varac | |
This reverts commit 9e83de3497ec55f4910de099917387d500b8f4b4. | |||
2013-07-31 | Site_webapp/Try::File: Could not find command 'git' (Bug #3202) | varac | |
2013-07-30 | webapp - use hiera config "webapp.admins" for the list of admin usernames, ↵ | elijah | |
default to empty list. | |||
2013-07-30 | added webapp.secure flag (turns on secure cookies and HSTS) | elijah | |
2013-07-30 | site_webapp - add support for haproxy weights and backup servers (resolves ↵ | elijah | |
#3278) | |||
2013-07-29 | site_webapp bugfix - get compile_assets to run by ensuring .scss files are ↵ | elijah | |
created beforehand and have the correct permissions. | |||
2013-07-29 | try::file bugfixes -- add refreshonly to chmod/chown, ensure old file is ↵ | elijah | |
replaced even if it is a link | |||
2013-07-26 | Merge branch 'feature/mx' into develop | Micah Anderson | |
2013-07-26 | Merge branch 'feature/soledad' into feature/leap_mx | Micah Anderson | |
2013-07-26 | Merge branch 'varac/feature/mx' into feature/leap_mx | Micah Anderson | |
Conflicts: provider_base/services/mx.json puppet/manifests/site.pp puppet/modules/site_mx/manifests/init.pp puppet/modules/site_postfix/manifests/mx.pp Change-Id: Ib2952f6cb972c40a998f20d7bbdb23bb35bef419 | |||
2013-07-26 | added haproxy weights to webapp hiera (at haproxy.servers) | elijah | |
2013-07-26 | fix cert generation bug: was creating 2024 bit keys instead of 2048 bit keys ↵ | elijah | |
by default. | |||
2013-07-25 | initial leap_mx configuration | Micah Anderson | |
Change-Id: Iddca4cf52706bf2f612d20ba19a53fbbe6b28479 | |||
2013-07-25 | initial soledad configuration | Micah Anderson | |
Change-Id: I19e91887c3f8e90764b4baef8c5e29e25658e190 | |||
2013-07-25 | updated submodule apache | varac | |
2013-07-25 | updated submodule couchdb | varac | |
2013-07-25 | updated submodule apt | varac | |
2013-07-25 | beginning of smtp_auth config with client certs | varac | |
2013-07-25 | smtpd_recipient_restrictions: +permit_tls_all_clientcerts | varac | |
2013-07-25 | smtpd_checks: smtpd_data_restrictions | varac | |
2013-07-25 | using alias resolver | varac | |
2013-07-25 | fixed provider_base/services/mx.json syntax | varac | |