From 293cdaee6db4a4d0b13a56fcd047819d60f38ce2 Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 16 Jun 2016 12:24:01 -0400 Subject: Disable the Trace method (#8195) The Trace method is enabled because of the Apache module, but it is not the default in Debian, and it should not be enabled, for more information see the following: https://www.kb.cert.org/vuls/id/867593 Change-Id: I06a06ae679dbf7049f26a017125b61e5e38f6268 --- puppet/modules/site_apache/files/conf.d/security | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security index a5ae5bdc..fdcf6270 100644 --- a/puppet/modules/site_apache/files/conf.d/security +++ b/puppet/modules/site_apache/files/conf.d/security @@ -45,8 +45,8 @@ ServerSignature Off # # Set to one of: On | Off | extended # -#TraceEnable Off -TraceEnable On +TraceEnable Off +#TraceEnable On # Setting this header will prevent other sites from embedding pages from this # site as frames. This defends against clickjacking attacks. -- cgit v1.2.3 From 3df7a57d866cf1e6eda9bb9e3fe19c7387ec6c1d Mon Sep 17 00:00:00 2001 From: Micah Date: Tue, 21 Jun 2016 09:50:27 -0400 Subject: Fix hidden service static template (#8203). Change-Id: Iab9597f5f0336f66df9b73fea9d79c789cbb8302 --- puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 232b1577..697a7ff3 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb 
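Review bot: The reason TRACE is being turned off lives only in the commit message, while the file keeps the stale `#TraceEnable On` line right beside the new setting, which invites the next maintainer to flip it back. Dropping the commented-out line and putting the rationale in the file, e.g. `# Keep TRACE disabled: it enables cross-site tracing, see https://www.kb.cert.org/vuls/id/867593`, makes the intent survive. The comment above the directive still lists `extended` as a valid value; that mode exists for diagnostics only and should not be offered as an option on a production vhost.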
@@ -41,7 +41,7 @@ DocumentRoot "/srv/static/root/public" <% if scope.function_guess_apache_version([]) == '2.4' %> - AllowOverride None + AllowOverride FileInfo Indexes Options=All,MultiViews Require all granted <% end %> -- cgit v1.2.3 From b21a3e9126a1734b2cea975e57b5c9e8206f12fa Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 27 Jun 2016 15:49:30 -0700 Subject: Fix the permissions on the DOMAIN/provider.json file for static sites. --- puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index 697a7ff3..b34bd189 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -47,7 +47,7 @@ <% end %> AccessFileName .htaccess - Alias /provider.json /srv/leap/provider.json + Alias /provider.json /srv/static/public/provider.json Header set X-Minimum-Client-Version 0.5 -- cgit v1.2.3 From 29d6b7dbbc3b9d8b11f0b215cad894fcfca9989c Mon Sep 17 00:00:00 2001 From: Micah Date: Thu, 23 Jun 2016 12:08:54 -0400 Subject: Make static tor hidden services work (#8212). When tor hidden services were enabled for static sites, only a very basic configuration was setup and it didn't take into account the different location configurations that can be configured for a static site. This commit resolves that by making a site_static::hidden_service class similar to the site_webapp::hidden_service class, and fixes up the apache vhost template to properly create the location blocks for the hidden service vhost. Change-Id: Ice3586f4173bd2d1bd3defca29d21c7403d5a03a --- .../templates/vhosts.d/hidden_service.conf.erb | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'puppet/modules/site_apache') 
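Review bot: `AllowOverride FileInfo Indexes Options=All,MultiViews` lets any `.htaccess` under the static DocumentRoot enable every Options value, including ExecCGI and Includes, which is a wider override surface than a static site should need. Listing only the options the site's `.htaccess` files actually set, along the lines of `AllowOverride FileInfo Indexes Options=Indexes,MultiViews` (adjusted to what the static content really uses), keeps the grant to what the change is meant to allow. The opening and closing tag lines of the enclosing Directory block appear to have been stripped from this rendering, so the exact scope of the directive cannot be confirmed here.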
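Review bot: The new Alias target `/srv/static/public/provider.json` sits outside the DocumentRoot `/srv/static/root/public` shown a few lines above, and the only `Require all granted` visible in this template appears to belong to the DocumentRoot's Directory block. Unless `/srv/static/public` is granted somewhere outside this hunk, Apache 2.4's default filesystem deny would answer the aliased path with 403, so the fix probably needs an accompanying grant next to the Alias, e.g. `<Directory /srv/static/public>` / `Require all granted` / `</Directory>` (or a narrower `<Files provider.json>` block). The enclosing VirtualHost starts and ends outside the hunk.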
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb index b34bd189..1d19094e 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb @@ -37,19 +37,4 @@ <% end -%> -<% if (defined? @services) and (@services.include? 'static') -%> - DocumentRoot "/srv/static/root/public" - <% if scope.function_guess_apache_version([]) == '2.4' %> - - AllowOverride FileInfo Indexes Options=All,MultiViews - Require all granted - - <% end %> - AccessFileName .htaccess - - Alias /provider.json /srv/static/public/provider.json - - Header set X-Minimum-Client-Version 0.5 - -<% end -%> -- cgit v1.2.3 From 8116e007cfd4dbee8282247348cf45473dcde45e Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 31 Aug 2016 14:54:46 -0700 Subject: added support for Let's Encrypt --- puppet/modules/site_apache/files/conf.d/acme.conf | 10 ++++++ puppet/modules/site_apache/manifests/common.pp | 2 ++ .../modules/site_apache/manifests/common/acme.pp | 38 ++++++++++++++++++++++ 3 files changed, 50 insertions(+) create mode 100644 puppet/modules/site_apache/files/conf.d/acme.conf create mode 100644 puppet/modules/site_apache/manifests/common/acme.pp (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/files/conf.d/acme.conf b/puppet/modules/site_apache/files/conf.d/acme.conf new file mode 100644 index 00000000..cdddf53e --- /dev/null +++ b/puppet/modules/site_apache/files/conf.d/acme.conf @@ -0,0 +1,10 @@ +# +# Allow ACME certificate verification if /srv/acme exists. +# + + Alias "/.well-known/acme-challenge/" "/srv/acme/" + + Require all granted + Header set Content-Type "application/jose+json" + + diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 8a11759a..208c15d5 100644 
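Review bot: The block that grants `Require all granted` on the `/srv/acme/` alias sets neither `Options` nor `AllowOverride`, so it inherits whatever the surrounding configuration allows, on a path that is reachable anonymously on every vhost. Adding `Options None` and `AllowOverride None` beside `Require all granted` pins the challenge directory down to serving plain files, with no listing, symlink following or per-directory overrides. The container tag lines of this block (and any IfModule guard) appear to have been stripped in this rendering, so which directive encloses the grant cannot be confirmed here.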
--- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp @@ -27,4 +27,6 @@ class site_apache::common { } include site_apache::common::tls + include site_apache::common::acme + } diff --git a/puppet/modules/site_apache/manifests/common/acme.pp b/puppet/modules/site_apache/manifests/common/acme.pp new file mode 100644 index 00000000..eda4148b --- /dev/null +++ b/puppet/modules/site_apache/manifests/common/acme.pp @@ -0,0 +1,38 @@ +# +# Allows for potential ACME validations (aka Let's Encrypt) +# +class site_apache::common::acme { + # + # well, this doesn't work: + # + # apache::config::global {'acme.conf':} + # + # since /etc/apache2/conf.d is NEVER LOADED BY APACHE + # https://gitlab.com/shared-puppet-modules-group/apache/issues/11 + # + + file { + '/etc/apache2/conf-available/acme.conf': + ensure => present, + source => 'puppet:///modules/site_apache/conf.d/acme.conf', + require => Package[apache], + notify => Service[apache]; + '/etc/apache2/conf-enabled/acme.conf': + ensure => link, + target => '/etc/apache2/conf-available/acme.conf', + require => Package[apache], + notify => Service[apache]; + } + + file { + '/srv/acme': + ensure => 'directory', + owner => 'www-data', + group => 'www-data', + mode => '0755'; + '/srv/acme/ok': + owner => 'www-data', + group => 'www-data', + content => 'ok'; + } +} -- cgit v1.2.3 From 53ddc64b6aa98653b35b23c334df605ed26ea60b Mon Sep 17 00:00:00 2001 
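Review bot: `/srv/acme` is created with `owner => 'www-data'`, which makes the Apache worker user the owner of a directory aliased to a public URL on every vhost; the worker only has to read challenge responses, while the process that writes them is the ACME client, which this commit does not show. Assuming that client runs as root, owning the directory and `/srv/acme/ok` by root with `group => 'www-data'` and `mode => '0755'` keeps a compromised worker from planting content under `/.well-known/acme-challenge/`. If the client does run as `www-data`, a comment in the class stating that would explain the ownership choice to the next reader.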
From: Micah Anderson Date: Mon, 24 Oct 2016 11:29:59 -0400 Subject: Set X-Content-Type-Options nosniff. Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. This will prevent the browser from MIME-sniffing a response away from the declared content-type. When this is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bfa5d04d..5e27a9e4 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %> <% end -%> Header always unset X-Powered-By Header always unset X-Runtime + Header always set X-Content-Type-Options: nosniff DocumentRoot /srv/leap/webapp/public -- cgit v1.2.3 From 4db1e7c4454ea05c524be4cc385ede1bab2e1be4 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Mon, 24 Oct 2016 11:31:41 -0400 Subject: Set X-XSS-Protection HTTP response header to '1'. This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. This header is usually enabled by default anyway, so the role of this header is to re-enable the filter if it was disabled maliciously, or by accident. --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_apache') 
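Review bot: `Header always set X-Content-Type-Options: nosniff` carries a trailing colon on the header name, unlike the `X-Powered-By` and `X-Runtime` directives directly above it. As far as I know mod_headers strips a trailing colon from the name, so the emitted header is likely fine, but the form reads as a typo and is worth normalising to `Header always set X-Content-Type-Options "nosniff"`. The same line is carried as context into the next commit's hunk, so it should be corrected there as well.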
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 5e27a9e4..e68b9ebe 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -23,6 +23,7 @@ Listen 0.0.0.0:<%= @api_port %> <% end -%> Header always unset X-Powered-By Header always unset X-Runtime + Header always set X-XSS-Protection "1; mode=block" Header always set X-Content-Type-Options: nosniff -- cgit v1.2.3
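Review bot: `Header always set X-XSS-Protection "1; mode=block"` re-enables a browser-side filter that the major browsers have since removed, and in the older browsers that still honour it the filter has itself been a source of cross-site information leaks, which is why current guidance (OWASP, for example) is to send `X-XSS-Protection "0"` and rely on a Content-Security-Policy for this vhost instead. If the header is kept for legacy clients, `mode=block` is the less harmful of the two modes, but the commit message's description of it as a protection being restored no longer holds. The enclosing VirtualHost starts and ends outside the hunk.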