summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apache
AgeCommit message (Collapse)Author
2015-09-30Fix server-status availability to tor hidden services (#7456)Micah Anderson
Make the server-status information unavailable by putting the vhost on a port that isn't configured as available to the tor hidden-service. Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
2015-05-26Implement weakdh recommendations for cipher suites (#7024)Micah Anderson
This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
2015-04-08Disable passenger when pnp4nagios is being fetched, this is part ofMicah Anderson
Change-Id: I21e9af3ef76f19924e58df5b40f4097d42fbf1cd
2015-03-30Adds apache support for webapp.domain if defined on :80, completes fix for #6632guido
2015-01-12Adds apache support for webapp.domain if defined. Fixes #6632guido
Change-Id: If63aac60e44c4a68f030f93e20e8dc071f9df610
2014-12-22Adds a ssl_common.inc file to use inside vhosts for the SSL config (solves ↵guido
#5103) Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea
2014-11-04Adds support for Tor hidden service on webapp (Feature #6273)guido
Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5
2014-10-15Disable SSLv3, and RC4 ciphersMicah Anderson
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
2014-09-25stop logging user-agent in apache, fixes #6129Micah Anderson
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
2014-04-02Update TLS apache vhost TLS configuration (#5137):Micah Anderson
. We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
2014-02-10move leap_webapp.conf template to common.conf which is included by the ↵varac
nagios and webapp node (#5096)
2014-01-22anonymize webapp ips (Bug #4896)varac
2013-11-22improvements to webapp deployment: allow for greater customization, allow ↵elijah
for custom git source, improve apache config.
2013-10-18"Header set X-Frame-Options: Allow" only for nagios (Bug #4169)varac
Nagios won't work with setting this option to "DENY", as set in conf.d/security (#4169). Therefor we allow it here, only for nagios.
2013-09-24Webapp doesn't serve commercial cert (Bug #3916)varac
2013-09-24move commercial x509 deployment to site_x509 (Feature #3889)varac
2013-09-22Merge branch 'api-crt-3384' into develop fixes #3384kwadronaut
2013-09-22adding fqdn as default servername and moving service.domain to ServerAlias ↵kwadronaut
(fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns)
2013-09-20fix whitespace issues from https://review.leap.se/r/82varac
2013-09-19tidy webapp api x509 definitions (#3840)varac
2013-08-29create individual classes for the apache modules so they can be included ↵Micah Anderson
more than once in different locations, depending on what services are configured on a node (#3612) Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770
2013-08-22add HSTS if hiera value for webapp['secure'] is set (#3514)Micah Anderson
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
2013-08-21Set apache header X-Frame-Options: "DENY"Micah Anderson
The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user in to clicking in the iframe, the attacker can coerce the user in to performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML /JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
2013-08-21Disable verbose, identifying apache headers (#3462):Micah Anderson
. Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
2013-06-25fix for #2986 - the services variable is no longer an arrayMicah Anderson
Change-Id: Ia6fc60c0c1fdfa50e1d6d981699c1d8010df63fc
2013-05-22change paths for leap webapp to be under /srv/leap/webapp from /srv/leap-webappMicah Anderson
2013-04-18webapp: removed "Alias /1" from apache configelijah
2013-03-14remove apache ssl proxy in preparation of replacing it with a stunnel setupMicah Anderson
This presents us with an interesting problem of deprecation. We need to manage the removal of something that we previously installed in any released code. How long we carry the puppet code that removes raises some interesting questions: do we require that someone who deployed version 1 (where the apache ssl proxy was deployed) of the platform upgrade first to version 2 (where we remove the apache ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal is no longer present) -- or do we allow people to skip versions?
2013-01-31install an apache Directory override block to disable passenger for nagios, ↵Micah Anderson
if the node is a monitor node
2012-12-19webapp api now uses a customizable port (so that we don't try to rely on SNI ↵elijah
for hosting two TLS domains on one IP).
2012-12-11replace Documentroot path from - to _Micah Anderson
2012-12-10couchdb: use x509 module to deploy certs (fixes #1063)varac
2012-11-27fix location of SSLCertificateChainFile locationMicah Anderson
2012-11-27map /1 -> document rootMicah Anderson
2012-11-27add site_webapp class to install the certs/keys/CAs and virtual host ↵Micah Anderson
configurations
2012-11-03configure apache ssl proxy for couchdbvarac