Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added web security headers for nginx configuration #5183

Merged
merged 12 commits into from
Mar 12, 2021
Merged

Added web security headers for nginx configuration #5183

Changes from 3 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
25cdd36
Added web security headers for nginx configuration
ashwini-orchestral Mar 8, 2021
594dd57
Removed unwanted server-tokens from config
ashwini-orchestral Mar 9, 2021
4862435
Added server_tokens in server and removed server_tokens from other pl…
ashwini-orchestral Mar 10, 2021
645db4e
Remove support for TLS v1.0 and v1.1.
Kami Mar 10, 2021
a8151bc
Removed Cache-control header as per review comment
ashwini-orchestral Mar 11, 2021
983f7f8
Merge branch 'nginx-conf' of https://github.com/ashwini-orchestral/st…
ashwini-orchestral Mar 11, 2021
410592b
Merge branch 'master' of github.com:StackStorm/st2 into nginx-conf
Kami Mar 11, 2021
1e73251
Add changelog entry for nginx.conf TLS v1.2 change.
Kami Mar 11, 2021
ce0e767
Modified Changelog entry
ashwini-orchestral Mar 12, 2021
6638f22
Update CHANGELOG.rst
Kami Mar 12, 2021
a936c2d
Merge branch 'master' into nginx-conf
Kami Mar 12, 2021
b092524
Update CHANGELOG.rst
Kami Mar 12, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 8 additions & 4 deletions conf/nginx/st2.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ server {

server {
listen *:443 ssl;

server_tokens off;
ssl_certificate /etc/ssl/st2/st2.crt;
ssl_certificate_key /etc/ssl/st2/st2.key;
ssl_session_cache shared:SSL:10m;
Expand All @@ -40,6 +40,10 @@ server {

add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY always;
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
add_header Cache-Control "no-store; no-cache; max-age=0; must-revalidate;";
Copy link
Member

@arm4b arm4b Mar 10, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While the security-focused headers are all good, I'm wondering what would be the user impact for the Cache-Control changes here and totally disabling the caching? @ashwini-orchestral what are the specific reasons behind hardening cache-control this way?

WDYT @StackStorm/maintainers @StackStorm/contributors? Any downsides, any behavior/UX changes you could think of?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, +1, I don't see much benefit security wise from cache control headers, it would just slow things down if we need to re-fetch all the static resources on each page (re)load...

But others (iframe, stric transport security, etc.) are indeed a good idea 👍

On that note, I believe we need to sync up multiple places (if they don't contain those headers already) - Docker, installer, etc. Or do those places use config from this repo?

Copy link
Member

@arm4b arm4b Mar 10, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, we're pulling in all the places nginx config from the st2 repo (this file).

I think only Puppet is different with the templating @nmaludy ? I guess you'll need to update that

Kami marked this conversation as resolved.
Show resolved Hide resolved
add_header X-XSS-Protection "1; mode=block";

location @apiError {
add_header Content-Type application/json always;
Expand All @@ -50,7 +54,7 @@ server {
error_page 502 = @apiError;

rewrite ^/api/(.*) /$1 break;

proxy_pass http://127.0.0.1:9101/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
Expand Down Expand Up @@ -91,7 +95,7 @@ server {
sendfile on;
tcp_nopush on;
tcp_nodelay on;

# Disable buffering and chunked encoding.
# In the stream case we want to receive the whole payload at once, we don't
# want multiple chunks.
Expand All @@ -110,7 +114,7 @@ server {
error_page 502 = @authError;

rewrite ^/auth/(.*) /$1 break;

proxy_pass http://127.0.0.1:9100/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
Expand Down