From 25cdd367ff9da3b5416787950cf260aae8e8d483 Mon Sep 17 00:00:00 2001
From: ashwini-orchestral
Date: Mon, 8 Mar 2021 15:07:55 +0000
Subject: [PATCH 1/9] Added web security headers for nginx configuration
---
 conf/nginx/st2.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 2d9b8b925c..cabd96e7ae 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -20,6 +20,7 @@ server {
 access_log /var/log/nginx/st2webui.access.log combined;
 error_log /var/log/nginx/st2webui.error.log;
+ server_tokens off;
 }
 server {
@@ -40,6 +41,10 @@ server {
 add_header Front-End-Https on;
 add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY always;
+ add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
+ add_header Cache-Control "no-store; no-cache; max-age=0; must-revalidate;";
+ add_header X-XSS-Protection "1; mode=block";
 location @apiError {
 add_header Content-Type application/json always;
@@ -50,6 +55,7 @@ server {
 error_page 502 = @apiError;
 rewrite ^/api/(.*) /$1 break;
+ server_tokens off;
 proxy_pass http://127.0.0.1:9101/;
 proxy_read_timeout 90;
@@ -91,6 +97,7 @@ server {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
+ server_tokens off;
 # Disable buffering and chunked encoding.
 # In the stream case we want to receive the whole payload at once, we don't
@@ -110,6 +117,7 @@ server {
 error_page 502 = @authError;
 rewrite ^/auth/(.*) /$1 break;
+ server_tokens off;
 proxy_pass http://127.0.0.1:9100/;
 proxy_read_timeout 90;
@@ -135,5 +143,6 @@ server {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
+ server_tokens off;
 }
 }
From 594dd57f4cfe21a02752cb9cc21e3845f5cca91a Mon Sep 17 00:00:00 2001
From: ashwini-orchestral
Date: Tue, 9 Mar 2021 15:23:53 +0000
Subject: [PATCH 2/9] Removed unwanted server-tokens from config
---
 conf/nginx/st2.conf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index cabd96e7ae..38a1a93b33 100644
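Review bot: The Strict-Transport-Security value added in the second hunk (`@@ -40,6 +41,10 @@`) sets `max-age=3153600`, which is roughly 36 days rather than the one year the digit count suggests, and it lacks `always`, so nginx will not emit it on 4xx/5xx responses. The line is presumably meant to read `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` (the X-XSS-Protection line below it has the same missing `always`, while X-Frame-Options above already has it). Also, the `location @apiError { add_header Content-Type application/json always; ... }` block that follows defines its own add_header, and nginx inherits add_header directives from the enclosing level only when a location defines none, so the JSON error responses served from there will carry none of the new headers unless they are repeated inside that location. X-XSS-Protection is a legacy header that current browsers ignore; if it stays, the value generally recommended today is `0`, with a Content-Security-Policy carrying the actual protection. The enclosing server block begins and ends outside the hunk.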
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -20,7 +20,6 @@ server {
 access_log /var/log/nginx/st2webui.access.log combined;
 error_log /var/log/nginx/st2webui.error.log;
- server_tokens off;
 }
 server {
@@ -143,6 +142,5 @@ server {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
- server_tokens off;
 }
 }
From 48624350421aee37f5dc7f22372e032b594ed800 Mon Sep 17 00:00:00 2001
From: ashwini-orchestral
Date: Wed, 10 Mar 2021 14:18:07 +0000
Subject: [PATCH 3/9] Added server_tokens in server and removed server_tokens from other places
---
 conf/nginx/st2.conf | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 38a1a93b33..118c00c71b 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -24,7 +24,7 @@ server {
 server {
 listen *:443 ssl;
-
+ server_tokens off;
 ssl_certificate /etc/ssl/st2/st2.crt;
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
@@ -54,8 +54,7 @@ server {
 error_page 502 = @apiError;
 rewrite ^/api/(.*) /$1 break;
- server_tokens off;
-
+
 proxy_pass http://127.0.0.1:9101/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -96,8 +95,7 @@ server {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
- server_tokens off;
-
+
 # Disable buffering and chunked encoding.
 # In the stream case we want to receive the whole payload at once, we don't
 # want multiple chunks.
@@ -116,8 +114,7 @@ server {
 error_page 502 = @authError;
 rewrite ^/auth/(.*) /$1 break;
- server_tokens off;
-
+
 proxy_pass http://127.0.0.1:9100/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
From 645db4e80b20036289e1816863002f0a6a30c225 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Wed, 10 Mar 2021 18:21:49 +0100
Subject: [PATCH 4/9] Remove support for TLS v1.0 and v1.1. Only support TLS v1.2 which is the recommended and safe choice at this point.
---
 conf/nginx/st2.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
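Review bot: After patch 3's first hunk (`@@ -24,7 +24,7 @@`), `server_tokens off;` lives only in the `listen *:443 ssl` server block, while the previous patch in this series removed it from the first server block (the one logging to st2webui.access.log), so that listener still reports the nginx version in the Server header and on its built-in error pages. Since the directive is accepted at http, server and location level and is inherited downward, adding `server_tokens off;` to the first server block as well, or once at http level in the surrounding nginx.conf that includes this file, would cover every listener. The first server block's `listen` directive is not visible in these hunks, so I am inferring from the log names that it is a separate listener. Both server blocks begin and end outside the hunks.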
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 118c00c71b..d7a9b903fd 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -29,7 +29,7 @@ server {
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
From a8151bcf53ad36d0a2fc20c17c99c3c0b1b02779 Mon Sep 17 00:00:00 2001
From: ashwini-orchestral
Date: Thu, 11 Mar 2021 12:37:35 +0000
Subject: [PATCH 5/9] Removed Cache-control header as per review comment
---
 conf/nginx/st2.conf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 118c00c71b..381023a363 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -42,7 +42,6 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options DENY always;
 add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
- add_header Cache-Control "no-store; no-cache; max-age=0; must-revalidate;";
 add_header X-XSS-Protection "1; mode=block";
 location @apiError {
From 1e73251c91e51b55ef7cac801f8b85e978972430 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Thu, 11 Mar 2021 22:55:00 +0100
Subject: [PATCH 6/9] Add changelog entry for nginx.conf TLS v1.2 change.
---
 CHANGELOG.rst | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 4de2c33ad7..1df18b6283 100644
--- a/CHANGELOG.rst
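Review bot: `ssl_protocols TLSv1.2;` in patch 4's hunk (`@@ -29,7 +29,7 @@`) drops TLS 1.0/1.1 as intended but also excludes TLS 1.3, which nginx negotiates only when it is listed, so clients that could use the newer protocol are held at 1.2; `ssl_protocols TLSv1.2 TLSv1.3;` would be the usual hardened choice if the nginx and OpenSSL builds shipped by the installer support it, which I cannot tell from this file. The unchanged `ssl_ciphers` context line on the next line also contains names that are not real OpenSSL suites (for example `ECDHE-RSA-AES128-GCM-SHA128` and `AES128-SHA128`), which OpenSSL silently skips, so the effective list is shorter than it looks and the trailing `HIGH` keyword does most of the work; worth a follow-up cleanup rather than a change to this hunk. The enclosing server block begins and ends outside the hunk.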
+++ b/CHANGELOG.rst
@@ -18,6 +18,15 @@ Changed
 Contributed by @Kami.
+* Default nginx config (``conf/nginx/st2.conf``) which is used by the installer and Docker
+ images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
+ removed).
+
+ If someone still needs to support those versions, they can modify the nginx config
+ accordingly. #5183
+
+ Contributed by @Kami and @ashwini.
+
 3.4.0 - March 02, 2021
 ----------------------
From ce0e767a293b424e6b0efeb12a112d4f6fbf626b Mon Sep 17 00:00:00 2001
From: ashwini-orchestral
Date: Fri, 12 Mar 2021 08:43:21 +0000
Subject: [PATCH 7/9] Modified Changelog entry
---
 CHANGELOG.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 1df18b6283..39485103fa 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -22,10 +22,13 @@ Changed
 images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
 removed).
+* Added web header settings for possible security issues, X-Frame-Options,
+ Strict-Transport-Security, X-XSS-Protection and server-tokens.
+
 If someone still needs to support those versions, they can modify the nginx config
 accordingly. #5183
- Contributed by @Kami and @ashwini.
+ Contributed by @Kami and @shital.
 3.4.0 - March 02, 2021
 ----------------------
From 6638f221b3824eee2ed2ae494695c096712002e1 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Fri, 12 Mar 2021 11:01:10 +0100
Subject: [PATCH 8/9] Update CHANGELOG.rst
---
 CHANGELOG.rst | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 39485103fa..00332eaab8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,15 +20,14 @@ Changed
 * Default nginx config (``conf/nginx/st2.conf``) which is used by the installer and Docker
 images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
- removed).
-
-* Added web header settings for possible security issues, X-Frame-Options,
- Strict-Transport-Security, X-XSS-Protection and server-tokens.
+ removed). #5183
+
+ Contributed by @Kami and @shital.
- If someone still needs to support those versions, they can modify the nginx config
- accordingly. #5183
+* Added web header settings for additional security hardening to nginx.conf: X-Frame-Options,
+ Strict-Transport-Security, X-XSS-Protection and server-tokens. #5183
- Contributed by @Kami and @shital.
+ Contributed by @shital.
 3.4.0 - March 02, 2021
 ----------------------
From b0925246d2e8913186a4a9a2a58cca70fec38935 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Fri, 12 Mar 2021 11:11:15 +0100
Subject: [PATCH 9/9] Update CHANGELOG.rst
---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 00332eaab8..2d05286071 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -21,7 +21,7 @@ Changed
 * Default nginx config (``conf/nginx/st2.conf``) which is used by the installer and Docker
 images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
 removed). #5183
-
+
 Contributed by @Kami and @shital.
 * Added web header settings for additional security hardening to nginx.conf: X-Frame-Options,