Added web security headers for nginx configuration #5183

Merged: 12 commits, Mar 12, 2021
11 changes: 11 additions & 0 deletions CHANGELOG.rst
@@ -18,6 +18,17 @@ Changed

Contributed by @Kami.

* Default nginx config (``conf/nginx/st2.conf``) which is used by the installer and Docker
images has been updated to only support TLS v1.2 (support for TLS v1.0 and v1.1 has been
removed). #5183

Contributed by @Kami and @shital.

* Added web header settings for additional security hardening to nginx.conf: X-Frame-Options,
Strict-Transport-Security, X-XSS-Protection and server-tokens. #5183

Contributed by @shital.

3.4.0 - March 02, 2021
----------------------

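Review bot: the second entry lists ``server-tokens`` alongside the response headers, but ``server_tokens off`` is an nginx directive that suppresses the version string in the ``Server`` header and built-in error pages, not a header the config adds; suggest wording it as "... X-XSS-Protection, and ``server_tokens off``" with the underscore so it matches the directive name in ``conf/nginx/st2.conf``. The TLS entry could also say explicitly that TLSv1.3 is not enabled by this change (the new line is ``ssl_protocols TLSv1.2;`` only), so operators reading "only support TLS v1.2" do not assume 1.3 comes along for free.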
13 changes: 8 additions & 5 deletions conf/nginx/st2.conf
@@ -24,12 +24,12 @@ server {

server {
listen *:443 ssl;

server_tokens off;
ssl_certificate /etc/ssl/st2/st2.crt;
ssl_certificate_key /etc/ssl/st2/st2.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;

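Review bot: ``ssl_protocols TLSv1.2;`` removes 1.0 and 1.1 as intended but also leaves TLSv1.3 out; on nginx 1.13.0+ built against OpenSSL 1.1.1 the usual form is ``ssl_protocols TLSv1.2 TLSv1.3;``, and dropping 1.3 here means clients that support it fall back to 1.2 for no gain. Since this hunk is touching the TLS block anyway, the unchanged ``ssl_ciphers`` line deserves a look: several entries are not OpenSSL cipher suite names (``ECDHE-RSA-AES128-GCM-SHA384``, every ``*-SHA128`` entry, ``AES128-GCM-SHA128``); OpenSSL silently skips names it does not recognise as long as at least one entry matches, so the config loads, but the list is misleading and the trailing ``HIGH`` is what actually does most of the work. Worth pruning to real suites (ECDHE with AES-GCM or CHACHA20) in a follow-up and verifying with ``openssl ciphers -v '<list>'``.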
@@ -40,6 +40,9 @@ server {

add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY always;
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
add_header X-XSS-Protection "1; mode=block";

location @apiError {
add_header Content-Type application/json always;
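Review bot: ``max-age=3153600`` on the Strict-Transport-Security header is 3,153,600 seconds, roughly 36.5 days, not the one year the value appears to intend; a digit is missing and it should read ``max-age=31536000``. Two more points in this hunk: the new HSTS and X-XSS-Protection lines lack the ``always`` flag that the X-Frame-Options line has, so nginx emits them only on 2xx/3xx responses and not on the 4xx/5xx paths this config routes through ``error_page``; and because the ``location @apiError`` block directly below declares its own ``add_header Content-Type application/json always;``, nginx's inheritance rule for ``add_header`` (inherited only if the current level has no ``add_header`` of its own) means none of the server-level headers, including X-Content-Type-Options and the three added here, are sent on those error responses unless they are repeated inside that location (and likewise in ``@authError``). Suggest ``add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`` and mirroring the set inside the error locations. X-XSS-Protection is also deprecated (Chrome and Edge have removed the XSS auditor it controlled), so it can be dropped or set to ``0``; a Content-Security-Policy header is the current replacement.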
@@ -50,7 +53,7 @@ server {
error_page 502 = @apiError;

rewrite ^/api/(.*) /$1 break;

proxy_pass http://127.0.0.1:9101/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
@@ -91,7 +94,7 @@ server {
sendfile on;
tcp_nopush on;
tcp_nodelay on;

# Disable buffering and chunked encoding.
# In the stream case we want to receive the whole payload at once, we don't
# want multiple chunks.
@@ -110,7 +113,7 @@ server {
error_page 502 = @authError;

rewrite ^/auth/(.*) /$1 break;

proxy_pass http://127.0.0.1:9100/;
proxy_read_timeout 90;
proxy_connect_timeout 90;