path: root/puppet/modules/site_apache
Age | Commit message | Author
2013-08-22 | add HSTS if hiera value for webapp['secure'] is set (#3514) | Micah Anderson
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
2013-08-21 | Set apache header X-Frame-Options: "DENY" | Micah Anderson
The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user into clicking in the iframe, the attacker can coerce the user into performing unintended actions within the LEAP web application.

An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML/JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values into the "Change Password" form in the LEAP web app, which is hidden behind the game using

As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins.

This has also been set in the webapp

Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
2013-08-21 | Disable verbose, identifying apache headers (#3462): | Micah Anderson
. Disable ServerSignature
. Set ServerTokens Prod
. unset the X-Powered-By and X-Runtime apache headers

Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
2013-06-25 | fix for #2986 - the services variable is no longer an array | Micah Anderson
Change-Id: Ia6fc60c0c1fdfa50e1d6d981699c1d8010df63fc
2013-05-22 | change paths for leap webapp to be under /srv/leap/webapp from /srv/leap-webapp | Micah Anderson
2013-04-18 | webapp: removed "Alias /1" from apache config | elijah
2013-03-14 | remove apache ssl proxy in preparation of replacing it with a stunnel setup | Micah Anderson
This presents us with an interesting problem of deprecation. We need to manage the removal of something that we previously installed in any released code. How long we carry the puppet code that removes raises some interesting questions: do we require that someone who deployed version 1 (where the apache ssl proxy was deployed) of the platform upgrade first to version 2 (where we remove the apache ssl proxy) before they upgrade to version 3 (where the apache ssl proxy removal is no longer present) -- or do we allow people to skip versions?
2013-01-31 | install an apache Directory override block to disable passenger for nagios, if the node is a monitor node | Micah Anderson
2012-12-19 | webapp api now uses a customizable port (so that we don't try to rely on SNI for hosting two TLS domains on one IP). | elijah
2012-12-11 | replace Documentroot path from - to _ | Micah Anderson
2012-12-10 | couchdb: use x509 module to deploy certs (fixes #1063) | varac
2012-11-27 | fix location of SSLCertificateChainFile location | Micah Anderson
2012-11-27 | map /1 -> document root | Micah Anderson
2012-11-27 | add site_webapp class to install the certs/keys/CAs and virtual host configurations | Micah Anderson
2012-11-03 | configure apache ssl proxy for couchdb | varac