Age | Commit message (Collapse) | Author |
|
This HTTP response header enables the Cross-site scripting (XSS) filter
built into some modern web browsers. This header is usually enabled by
default anyway, so the role of this header is to re-enable the filter
if it was disabled maliciously, or by accident.
|
|
Setting this header will prevent the browser from interpreting files as
something else than declared by the content type in the HTTP
headers. This will prevent the browser from MIME-sniffing a response
away from the declared content-type.
When this is not set, older versions of Internet Explorer and Chrome
perform MIME-sniffing on the response body, potentially causing the
response body to be interpreted and displayed as a content type other
than the declared content type.
|
|
|
|
When tor hidden services were enabled for static sites, only a very
basic configuration was setup and it didn't take into account the
different location configurations that can be configured for a
static site.
This commit resolves that by making a site_static::hidden_service class
similar to the site_webapp::hidden_service class, and fixes up the
apache vhost template to properly create the location blocks for the
hidden service vhost.
Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a
|
|
|
|
Change-Id: Iab9597f5f0336f66df9b73fea9d79c789cbb8302
|
|
The Trace method is enabled because of the Apache module, but it is not the
default in Debian, and it should not be enabled, for more information see the
following:
https://www.kb.cert.org/vuls/id/867593
Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268
|
|
|
|
Change-Id: I20a28ae77c98071aefc1933e0ea73e5f3b895acb
|
|
Change-Id: If493b8a1f06a786df36a28aa1fc592e270eba639
|
|
|
|
The apache_version() fact only works if apache is
already installed. So we use the guess_apache_version()
function from the apache module to determine which apache
version is to be installed.
- Resolves: #7681
|
|
Puppet 3 shows now deprecation warnings if the "@" is missing.
see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n]
|
|
Using $::apache_version won't work because the facts are
evaluated before compiling the catalog and with this, before
the installation of apache. so on an install from scratch, this
fact won't contain anything.
|
|
- Resolves: #7580
|
|
- Related: #6920
|
|
- Related: #6920
|
|
Without this configuration, a very basic, and non-functional virtualhost
is created, making the hidden service not work
Change-Id: Ibe87c6acf5c21cff2388247c4ba320a5b6af7933
|
|
This is needed for webapp when running on a subdomain.
|
|
Make the server-status information unavailable by putting the vhost on a
port that isn't configured as available to the tor hidden-service.
Change-Id: Idd3bfefb5b7fc26fb0a8cf48cdf6afc68a4192bb
|
|
This is a first step mitigation until we can have a newer apache that
will allow us to specify dh parameters other than the default.
Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
|
|
Change-Id: I21e9af3ef76f19924e58df5b40f4097d42fbf1cd
|
|
|
|
Change-Id: If63aac60e44c4a68f030f93e20e8dc071f9df610
|
|
#5103)
Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea
|
|
Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5
|
|
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
|
|
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
|
|
. We want to allow for TLS1.2 to be enabled (supported in wheezy)
. Explicitly disable SSLCompression. This aids in protecting
against the BREACH attack: see http://breachattack.com), and SPDY
version 3 is vulnerable to the CRIME attack when compression is
on
. Switch the cipher suites to match
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
these reasons:
. Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
implementations support this, and there are no known attacks).
. Prefer AES128 to AES256 because the key schedule in
AES256 is considered weaker, and maybe AES128 is more
resistant to timing attacks
. Prefer AES to RC4. BEAST attacks on AES are mitigated in
>=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
likely to become more dangerous
. RC4 is on the path to removal, but still present for backward compatibility
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
|
|
nagios and webapp node (#5096)
|
|
|
|
for custom git source, improve apache config.
|
|
Nagios won't work with setting this option to "DENY",
as set in conf.d/security (#4169). Therefor we allow
it here, only for nagios.
|
|
|
|
|
|
|
|
(fixing #3384)
node name and dns fqdn could be different
Also note that on local deploys that warning from #3384 will continue to exist (because of dns)
|
|
|
|
|
|
more than once in different locations, depending on what services are configured on a node (#3612)
Change-Id: Iff064d3d67baa132fb5198fea741522ab4e71770
|
|
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
|
|
The LEAP web application can be displayed inside other pages using an HTML
iframe. Therefore, an attacker can embed parts of the LEAP application inside
of a webpage they control. They can then use special style properties to
disguise the embedded page. By tricking a user in to clicking in the iframe, the
attacker can coerce the user in to performing unintended actions within the LEAP
web application.
An attacker creates a website that embeds the LEAP web application in an iframe.
They then create an HTML /JavaScript game on the same page that involves
clicking and dragging sprites. When a user plays the game, they are in fact
dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app,
which is hidden behind the game using
As long as iframe embedding is not required in the normal usage of the
application, the X-Frame-Options header should be added to prevent browsers from
displaying the web application in frames on other origins.
This has also been set in the webapp
Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
|
|
. Disable ServerSignature
. Set ServerTokens Prod
. unset the X-Powered-By and X-Runtime apache headers
Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
|
|
Change-Id: Ia6fc60c0c1fdfa50e1d6d981699c1d8010df63fc
|
|
|
|
|
|
This presents us with an interesting problem of deprecation. We need to manage
the removal of something that we previously installed in any released code. How
long we carry the puppet code that removes raises some interesting questions: do
we require that someone who deployed version 1 (where the apache ssl proxy was
deployed) of the platform upgrade first to version 2 (where we remove the apache
ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal
is no longer present) -- or do we allow people to skip versions?
|
|
if the node is a monitor node
|
|
for hosting two TLS domains on one IP).
|
|
|