This HTTP response header enables the Cross-site scripting (XSS) filter
built into some modern web browsers. This header is usually enabled by
default anyway, so the role of this header is to re-enable the filter
if it was disabled maliciously, or by accident.
Setting this header will prevent the browser from interpreting files as
something other than what is declared by the content type in the HTTP
headers. This will prevent the browser from MIME-sniffing a response
away from the declared content-type.
When this is not set, older versions of Internet Explorer and Chrome
perform MIME-sniffing on the response body, potentially causing the
response body to be interpreted and displayed as a content type other
than the declared content type.
When tor hidden services were enabled for static sites, only a very
basic configuration was set up and it didn't take into account the
different location configurations that can be configured for a
static site.
This commit resolves that by making a site_static::hidden_service class
similar to the site_webapp::hidden_service class, and fixes up the
apache vhost template to properly create the location blocks for the
hidden service vhost.
Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
Change-Id: Iab9597f5f0336f66df9b73fea9d79c789cbb8302
Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb
Change-Id: If493b8a1f06a786df36a28aa1fc592e270eba639
The apache_version() fact only works if apache is
already installed. So we use the guess_apache_version()
function from the apache module to determine which apache
version is to be installed.
- Resolves: #7681
Puppet 3 now shows deprecation warnings if the "@" is missing.
see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags
#[bug|feat|docs|style|refactor|test|pkg|i18n]
- Resolves: #7580
- Related: #6920
Without this configuration, a very basic and non-functional virtualhost
is created, making the hidden service not work.
Change-Id: Ibe87c6acf5c21cff2388247c4ba320a5b6af7933
This is needed for webapp when running on a subdomain.
Change-Id: I21e9af3ef76f19924e58df5b40f4097d42fbf1cd
Change-Id: If63aac60e44c4a68f030f93e20e8dc071f9df610
#5103)
Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea
Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
. We want to allow for TLS1.2 to be enabled (supported in wheezy)
. Explicitly disable SSLCompression. This aids in protecting
against the BREACH attack (see http://breachattack.com), and SPDY
version 3 is vulnerable to the CRIME attack when compression is
on
. Switch the cipher suites to match
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
these reasons:
. Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
implementations support this, and there are no known attacks).
. Prefer AES128 to AES256 because the key schedule in
AES256 is considered weaker, and maybe AES128 is more
resistant to timing attacks
. Prefer AES to RC4. BEAST attacks on AES are mitigated in
>=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
likely to become more dangerous
. RC4 is on the path to removal, but still present for backward compatibility
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
nagios and webapp node (#5096)
for custom git source, improve apache config.
Nagios won't work with setting this option to "DENY",
as set in conf.d/security (#4169). Therefore we allow
it here, only for nagios.
(fixing #3384)
Node name and DNS FQDN could be different.
Also note that on local deploys the warning from #3384 will continue to exist (because of DNS).
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
. Disable ServerSignature
. Set ServerTokens Prod
. Unset the X-Powered-By and X-Runtime apache headers
Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
Change-Id: Ia6fc60c0c1fdfa50e1d6d981699c1d8010df63fc
if the node is a monitor node
for hosting two TLS domains on one IP).
configurations