
Disable trace functionality and enable HSTS headers in Apache #111

Merged: 7 commits merged from feature/disable-trace-and-enable-hsts into develop on Oct 31, 2023

Conversation

@jsf9k (Member) commented Oct 26, 2023

🗣 Description

This pull request leverages some recent changes in cisagov/ansible-role-freeipa-server in order to make the following changes in the configuration of the Apache server that is in front of FreeIPA:

  • Disable trace/track functionality
  • Enable HSTS headers

💭 Motivation and context

The security folks are concerned that trace functionality is enabled on the Apache server that sits in front of FreeIPA. This is despite this note in the Apache documentation.

The security folks are also concerned that the same Apache server is not returning HSTS headers.

See cisagov/cool-system-internal#135 and cisagov/cool-system-internal#136 for more details.

🧪 Testing

All automated tests pass. I also built a new FreeIPA AMI for COOL staging that included these changes and verified that it functioned as expected.

📷 Screenshots

Here you can see on the left that:

  • The Strict-Transport-Security HTTP header is present in the response from the web server.
  • The web server returns a 405 code in response to a TRACE HTTP method request, indicating that the method is disallowed.

(screenshot: curl output)

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • Changes are limited to a single goal - eschew scope creep!
  • All relevant type-of-change labels have been added.
  • I have read the CONTRIBUTING document.
  • These code changes follow cisagov code standards.
  • All new and existing tests pass.
  • Build and test a staging AMI with these changes.

✅ Pre-merge checklist

✅ Post-merge checklist

  • Create a release.
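The two checks the screenshot shows (an HSTS header on the response, a 405 to TRACE) can be scripted so they run against every staging build rather than being eyeballed once. The script below is an added example, not code from this PR or from the cisagov/ansible-role-freeipa-server role. The host name `ipa.example.internal`, the one-year minimum max-age, and every captured response in it are constructed for the example; the live `probe_*` functions need network access and are not exercised by the offline checks.

```shell
# Added example (not from the cisagov PR or the ansible-role-freeipa-server
# role): audit the two Apache hardening changes from outside, the way the PR's
# curl screenshot does. Host name, max-age floor and all "captured" responses
# below are constructed for this example.

# --- Offline checks over captured response text -----------------------------

# Print the Strict-Transport-Security header value (empty if absent).
# Header names are case-insensitive, so match without regard to case.
hsts_value() {
  printf '%s\n' "$1" | tr -d '\r' |
    grep -i '^strict-transport-security:' | head -n 1 |
    cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Succeed if HSTS is present and its max-age is at least MIN seconds
# (default one year, the usual floor for preload lists).
hsts_ok() {
  min="${2:-31536000}"
  value=$(hsts_value "$1")
  [ -n "$value" ] || return 1
  max_age=$(printf '%s' "$value" | grep -io 'max-age=[0-9]*' | head -n 1 | cut -d= -f2)
  [ -n "$max_age" ] || return 1
  [ "$max_age" -ge "$min" ]
}

# Print the HTTP status code from the first line of a response.
status_code() {
  printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# Succeed if the server refused TRACE. Apache with TraceEnable off answers
# 405; a 200 means TRACE is still on and the server echoes the request back.
trace_disabled() {
  [ "$(status_code "$1")" = "405" ]
}

# --- Constructed samples (not captured from any real host) ------------------

HARDENED_HEAD=$(printf 'HTTP/1.1 200 OK\r\nDate: Tue, 31 Oct 2023 20:00:00 GMT\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Type: text/html; charset=utf-8\r\n')
UNHARDENED_HEAD=$(printf 'HTTP/1.1 200 OK\r\nDate: Tue, 31 Oct 2023 20:00:00 GMT\r\nContent-Type: text/html; charset=utf-8\r\n')
SHORT_HSTS_HEAD=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n')
TRACE_REJECTED=$(printf 'HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\nContent-Length: 0\r\n')
TRACE_ECHOED=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\nHost: ipa.example.internal\r\n')

# --- Live probes (network; not used by the offline checks above) ------------

# HOST is a hypothetical FreeIPA front end; add --cacert if it uses a private CA.
# Probe over https: browsers ignore HSTS delivered over plain http.
probe_hsts()  { curl -sS -I --max-time 10 "https://$1/"; }
probe_trace() { curl -sS -i -X TRACE --max-time 10 "https://$1/"; }

audit_host() {
  host="$1"
  if hsts_ok "$(probe_hsts "$host")"; then
    echo "HSTS: ok"
  else
    echo "HSTS: missing or max-age below floor"
  fi
  if trace_disabled "$(probe_trace "$host")"; then
    echo "TRACE: disabled (405)"
  else
    echo "TRACE: NOT disabled"
  fi
}

# Usage: sh audit.sh ipa.example.internal
if [ -n "${1:-}" ]; then audit_host "$1"; fi
```

Two caveats worth checking on a real host. First, with mod_headers a plain `Header set` is only applied to successful responses; `Header always set Strict-Transport-Security ...` is needed for the header to appear on 3xx/4xx/5xx responses too, so probe an error path (for instance a URL that 404s) as well as `/`. Second, `curl -I` sends HEAD; if the front end treats HEAD differently from GET, repeat the HSTS probe with `-s -o /dev/null -D -` on a GET. The directives that produce this behaviour in Apache are `TraceEnable off` and the mod_headers line above; which of them the role actually sets is not shown on this page.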

@jsf9k jsf9k added hacktoberfest-accepted Pull request that should count toward Hacktoberfest participation security This issue or pull request addresses a security issue labels Oct 26, 2023
@jsf9k jsf9k self-assigned this Oct 26, 2023
@jsf9k jsf9k added the improvement This issue or pull request will add or improve functionality, maintainability, or ease of use label Oct 26, 2023
@jsf9k jsf9k force-pushed the feature/disable-trace-and-enable-hsts branch from 23ae371 to 2ebbce3 Compare October 30, 2023 14:32
@jsf9k jsf9k marked this pull request as ready for review October 31, 2023 17:49
@jsf9k jsf9k requested a review from a team October 31, 2023 17:49
@dav3r (Member) left a comment

Strong work 👍

jsf9k added 2 commits October 31, 2023 16:27
…freeipa-server"

This reverts commit ad1db20.

This change can be reverted now that
cisagov/ansible-role-freeipa-server#69 has been approved and merged.
@jsf9k jsf9k enabled auto-merge October 31, 2023 20:29
@jsf9k jsf9k merged commit e794265 into develop Oct 31, 2023
8 checks passed
@jsf9k jsf9k deleted the feature/disable-trace-and-enable-hsts branch October 31, 2023 21:09