From e3a1c5d0c8f644bc0956758a8832d2f586556cf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:36:12 -0400 Subject: Disable verbose, identifying apache headers (#3462): . Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4b051699..9108caff 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,6 +21,11 @@ RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public RewriteEngine On -- cgit v1.2.3 From 613f7f12f4c907ea07e79e3e73da8f2b71d3436d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:44:21 -0400 Subject: add HSTS if hiera value for webapp['secure'] is set (#3514) Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 +++ 1 file changed, 3 insertions(+) (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 9108caff..5e3960c2 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,6 +22,9 @@ RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime -- cgit v1.2.3 From a95e00f78e07d515b49de563ca5fbcd83be0d015 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 17 Sep 2013 20:09:10 +0200 Subject: adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns) --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 5e3960c2..3b376839 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -6,7 +6,8 @@ - ServerName <%= domain %> + ServerName <%= domain_name %> + ServerAlias <%= domain %> ServerAlias www.<%= domain %> SSLEngine on -- cgit v1.2.3 From 9fae612bd8d147321e0cb553610fcaf0140e84eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:23:54 +0200 Subject: move commercial x509 deployment to site_x509 (Feature #3889) --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3b376839..6059453b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -16,9 +16,9 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem - SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key - SSLCertificateFile /etc/x509/certs/leap_webapp.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From 9074a7bce264d64f467bc628f06e37a5802043bd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 17 Oct 2013 23:09:49 +0200 Subject: "Header set X-Frame-Options: Allow" only for nagios (Bug #4169) Nagios won't work with setting this option to "DENY", as set in conf.d/security (#4169). Therefor we allow it here, only for nagios. --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 6059453b..afc19782 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -18,7 +18,7 @@ SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' @@ -49,6 +49,10 @@ PassengerEnabled off AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" <% end -%> -- cgit v1.2.3 From 289a00a149ac08d01b8ee638620d8c2928966fa3 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 15 Nov 2013 01:02:25 -0800 Subject: improvements to webapp deployment: allow for greater customization, allow for custom git source, improve apache config. --- .../modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index afc19782..a001552a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -45,6 +45,14 @@ PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + + <% if (defined? @services) and (@services.include? 'monitor') -%> PassengerEnabled off -- cgit v1.2.3 From 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 15:36:12 +0100 Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) --- .../templates/vhosts.d/leap_webapp.conf.erb | 67 ---------------------- 1 file changed, 67 deletions(-) delete mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb (limited to 'puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb deleted file mode 100644 index a001552a..00000000 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ /dev/null @@ -1,67 +0,0 @@ - - ServerName <%= domain %> - ServerAlias www.<%= domain %> - RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] - - - - ServerName <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> - - SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - SSLHonorCipherOrder on - - SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - - RequestHeader set X_FORWARDED_PROTO 'https' - - -<% if @webapp['secure'] -%> - Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" -<% end -%> - Header always unset X-Powered-By - Header always unset X-Runtime - - - DocumentRoot /srv/leap/webapp/public - - RewriteEngine On - # Check for maintenance file and redirect all requests - RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f - RewriteCond %{SCRIPT_FILENAME} !maintenance.html - RewriteCond %{REQUEST_URI} !/images/maintenance.jpg - RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] - - # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt - AllowEncodedSlashes on - PassengerAllowEncodedSlashes on - PassengerFriendlyErrorPages off - SetEnv TMPDIR /var/tmp - - # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) - - Header unset ETag - FileETag None - ExpiresActive On - ExpiresDefault "access plus 1 year" - - - <% if (defined? @services) and (@services.include? 'monitor') -%> - - PassengerEnabled off - AllowOverride all - # Nagios won't work with setting this option to "DENY", - # as set in conf.d/security (#4169). Therefor we allow - # it here, only for nagios. - Header set X-Frame-Options: "ALLOW" - - <% end -%> - - -- cgit v1.2.3