From 460bba0655cef9daa6a22f02d63c6fa125d44e87 Mon Sep 17 00:00:00 2001 
From: Jean-Philippe Pialasse Date: Sat, 28 Dec 2024 23:07:10 -0500 Subject: [PATCH] * Fri Dec 27 2024 Jean-Philippe Pialasse 11.0.0-8.sme - add X-Content-Type-Options nosniff [SME: 12835] - add Strict Transport Security support HSTS [SME: 12815] - add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816] - add referrer-Policy same-origin [SME: 12817] - add OCSP Stapling support [SME: 12819] - add CSP Content-Security-Policy support [SME: 9567] - add .well-known and .well-known/security.txt [SME: 12818] --- additional/e-smith-apache.spec | 321 ------------------ contriborbase | 1 - createlinks | 8 + .../.well-known/acme-challenge/security.txt | 3 + .../httpd/conf/httpd.conf/35SSL36SSLStapling | 2 + .../etc/httpd/conf/httpd.conf/38nosniff | 1 + .../etc/httpd/conf/httpd.conf/38referer | 1 + .../etc/httpd/conf/httpd.conf/38xframe | 3 + .../etc/httpd/conf/httpd.conf/79well-known | 18 + .../httpd/conf/httpd.conf/VirtualHosts/12HSTS | 15 + .../httpd.conf/VirtualHosts/28security.txt | 12 + .../httpd/conf/httpd.conf/VirtualHosts/30csp | 11 + .../acme-challenge/security.txt/10contact | 9 + .../acme-challenge/security.txt/20encryption | 8 + .../acme-challenge/security.txt/30expires | 15 + .../acme-challenge/security.txt/40language | 8 + .../security.txt/template-begin | 0 .../lib/systemd/system/httpd-e-smith.service | 1 + .../.well-known/acme-challenge/.gitignore | 0 smeserver-apache.spec | 15 +- 20 files changed, 129 insertions(+), 323 deletions(-) delete mode 100755 additional/e-smith-apache.spec delete mode 100644 contriborbase create mode 100644 root/etc/e-smith/templates.metadata/var/www/html/.well-known/acme-challenge/security.txt create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38nosniff create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38referer create mode 100644 
root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38xframe create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/79well-known create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt create mode 100644 root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp create mode 100644 root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/10contact create mode 100644 root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/20encryption create mode 100644 root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/30expires create mode 100644 root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/40language create mode 100644 root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/template-begin create mode 100644 root/var/www/html/.well-known/acme-challenge/.gitignore diff --git a/additional/e-smith-apache.spec b/additional/e-smith-apache.spec deleted file mode 100755 index c300f01..0000000 --- a/additional/e-smith-apache.spec +++ /dev/null 
@@ -1,321 +0,0 @@ -Summary: e-smith server and gateway - apache module -%define name e-smith-apache -Name: %{name} -%define version 1.1.2 -%define release 01 -Version: %{version} -Release: %{release} -License: GPL -Vendor: Mitel Networks Corporation -Group: Networking/Daemons -Source: %{name}-%{version}.tar.gz -Packager: e-smith developers -BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot -BuildArchitectures: noarch -Requires: e-smith-base >= 4.15.1 -Requires: e-smith-daemontools >= 1.7.1-01 -Conflicts: e-smith-ibays < 1.0.2 -AutoReqProv: no -BuildRequires: e-smith-devtools >= 1.11.0-12 - -%description -e-smith server and gateway software - apache module. - -%changelog -* Wed Nov 17 2004 Mark Knox -- [1.1.2-01] -- Picking up new directory. MN00056429. - -* Wed Nov 17 2004 Mark Knox -- [1.1.1-03] -- Added empty ValidFrom defaults fragment [markk MN00056429] - -* Tue Nov 9 2004 Charlie Brady -- [1.1.1-02] -- Modify config and run script for compatibility with apache 2. Most of these - changes were contributed by Shad Lords. [charlieb MN00051144] - -* Mon Oct 4 2004 Charlie Brady -- [1.1.1-01] -- New development stream for apache 2 - 1.1.1 - -* Fri Sep 3 2004 Charlie Brady -- [1.1.0-23] -- Clean BuildRequires. [charlieb MN00043055] - -* Tue Jul 13 2004 Michael Soulier -- [1.1.0-22] -- Updated modPerl templates to remove use of esmith::config. - [msoulier MN00039579] - -* Tue Jun 22 2004 Michael Soulier -- [1.1.0-21] -- Added RewriteCond statements to previous RewriteRules to exclude localhost, - so ssh port-forwarding is not broken. [msoulier MN00020885] - -* Fri Jun 18 2004 Tony Clayton -- [1.1.0-20] -- Fix LoadModule fragment from last patch [tonyc 11348] - -* Mon Jun 14 2004 Tony Clayton -- [1.1.0-19] -- Add modPerl service and httpd.conf templates [tonyc 11348] - -* Mon May 10 2004 Michael Soulier -- [1.1.0-18] -- Adding rewrite rules to prevent plaintext access to the server manager. 
- [msoulier MN00020885] - -* Thu May 6 2004 Michael Soulier -- [1.1.0-17] -- Added httpd-admin's remoteaccess list to permissible networks for - server-resources. [msoulier MN00024949] - -* Mon Feb 23 2004 Michael Soulier -- [1.1.0-16] -- Backing-out last change. [msoulier dpar-21489] - -* Mon Feb 23 2004 Michael Soulier -- [1.1.0-15] -- Added restart-httpd-graceful to domain-* events. [msoulier dpar-21489] - -* Wed Feb 18 2004 Michael Soulier -- [1.1.0-14] -- Updating requires to e-smith-daemontools. [msoulier 7629] - -* Wed Feb 18 2004 Michael Soulier -- [1.1.0-13] -- Updating restart-httpd-graceful to use new daemontools sigusr1 option. - [msoulier 7629] - -* Wed Jan 21 2004 Michael Soulier -- [1.1.0-12] -- Staggering the symlinks a little farther. [msoulier 9955] - -* Wed Jan 21 2004 Michael Soulier -- [1.1.0-11] -- Adding symlinks to the service-domain-create event for httpd restart. - [msoulier 9955] - -* Tue Dec 9 2003 Michael Soulier -- [1.1.0-10] -- Fixed another error in the specfile, resulting in incorrect file - permissions. [msoulier 7629] -- Updated action scripts for supervise. [msoulier 7629] - -* Tue Dec 9 2003 Michael Soulier -- [1.1.0-09] -- Fixed an error in the specfile. [msoulier 7629] - -* Tue Dec 9 2003 Michael Soulier -- [1.1.0-08] -- Updated createlinks for daemontools. [msoulier 7629] - -* Tue Dec 9 2003 Michael Soulier -- [1.1.0-07] -- Putting httpd-e-smith under supervision. [msoulier 7629] - -* Thu Sep 18 2003 Michael Soulier -- [1.1.0-06] -- Added a null-string return value to the end of 00Setup, ensure no output - from that fragment. [msoulier 9803] - -* Wed Sep 3 2003 Charlie Brady -- [1.1.0-05] -- Use implementation class, not virtual class in VirtualHosts/00Setup fragment. - [charlieb 9803] - -* Wed Sep 3 2003 Michael Soulier -- [1.1.0-04] -- Added a 75AddType05.exe fragment to specify a proper mime-type for .exe - files. 
[msoulier 9866] - -* Fri Aug 29 2003 Charlie Brady -- [1.1.0-03] -- Allow TemplatePath property in domain record to specify an alternate template - subdir for virtual host content specification (e.g. to proxypass a domain). - [charlieb 8409] - -* Fri Aug 29 2003 Charlie Brady -- [1.1.0-02] -- Changed the VirtualHosts subtemplate to pass the domain object instead of db handle, - and modified VirtualHosts/00Setup fragment to convert it to the right class. - Fix scoping problem with the blessed object. [charlieb 9803] - -* Fri Aug 29 2003 Michael Soulier -- [1.1.0-01] -- rolling to dev stream - 1.1.0 - -* Fri Aug 29 2003 Michael Soulier -- [1.0.0-04] -- Added a 00Setup fragment to VirtualHosts to process the %domainsdb hash back - into an esmith::DomainsDB object. [msoulier 9803] - -* Mon Aug 25 2003 Michael Soulier -- [1.0.0-03] -- Added a reference to the domains db in the extra data for processing the - VirtualHosts fragments. [msoulier 9803] - -* Fri Aug 1 2003 Michael Soulier -- [1.0.0-02] -- Fixed a precedence error that broke virtual hosts in apache. - [msoulier 9640] - -* Wed Jul 9 2003 Charlie Brady -- [1.0.0-01] -- Setting to release version number - 1.0.0 - -* Wed Jul 9 2003 Michael Soulier -- [0.2.0-04] -- Fixed breakage in admin web server when a local network with a 32-bit subnet - mask is used. [msoulier 9259] - -* Thu Jul 3 2003 Charlie Brady -- [0.2.0-03] -- Fix log noise problem in expansion of httpd.conf template. [charlieb 9269] - -* Wed Jul 2 2003 Charlie Brady -- [0.2.0-02] -- List primary domain as first (default) virtual domain in apache config. - Include $SystemName.domain.name in ServerAlias directive. 
[charlieb 9241] - -* Thu Jun 26 2003 Charlie Brady -- [0.2.0-01] -- Changing version to stable stream number - 0.2.0 - -* Thu Jun 12 2003 Gordon Rowell -- [0.1.2-01] -- Add order to migrate fragments [gordonr 9015] - -* Wed Jun 11 2003 Gordon Rowell -- [0.1.1-02] -- Fixed Conflicts header - should be <, not <= [gordonr 8903] - -* Fri Jun 6 2003 Gordon Rowell -- [0.1.1-01] -- Shuffled some httpd.conf fragments to e-smith-ibays [gordonr 8903] - -* Wed May 28 2003 Michael Soulier -- [0.1.0-19] -- Moving httpd-e-smith init script to e-smith-apache. [msoulier 8852] - -* Tue Apr 29 2003 Gordon Rowell -- [0.1.0-18] -- Do an explicit die if the httpd-e-smith record is missing from the - config db, rather than an implicit die due to an invalid object - reference [gordonr 8609] - -* Wed Apr 9 2003 Gordon Rowell -- [0.1.0-17] -- Relocated conf-httpd from e-smith-base [gordonr 8150] - -* Fri Apr 4 2003 Mark Knox -- [0.1.0-16] -- Moved restart-httpd-* actions from base [markk 5509] - -* Fri Apr 4 2003 Mark Knox -- [0.1.0-15] -- Moved db config fragments here from e-smith-base [markk 5509] - -* Tue Apr 1 2003 Gordon Rowell -- [0.1.0-14] -- Make /server-resources/ browsable from LAN [gordonr 6620] - -* Tue Apr 1 2003 Gordon Rowell -- [0.1.0-13] -- Delete Apache ReadmeName directive [gordonr 6313] - -* Tue Apr 1 2003 Gordon Rowell -- [0.1.0-12] -- Fixed broken conf-httpd-e-smith links in post-{install,upgrade} [gordonr 7960] - -* Tue Mar 18 2003 Lijie Deng -- [0.1.0-11] -- Deleted ./etc/httpd/conf/httpd.conf/template-begin - deleted ./etc/httpd/conf/srm.conf/template-begin - deleted ./etc/httpd/conf/access.conf/template-begin [lijied 3295] - -* Mon Mar 17 2003 Lijie Deng -- [0.1.0-10] -- Delete empty template-end file [lijied 3295] - -* Wed Mar 12 2003 Charlie Brady -- [0.1.0-09] -- Remove more references to primary and wwwpublic in favour - of the "Primary" i-bay. There is still some special case code, - which might go later if it turns out not to be needed. 
- [charlieb 5652] - -* Tue Mar 11 2003 Mark Knox -- [0.1.0-08] -- Fixed a missing quote in 27ManagerProxyPass [markk 7635] - -* Tue Mar 11 2003 Gordon Rowell -- [0.1.0-07] -- Pass externalSSLAccess and localAccess to VirtualDomains fragments so they don't - need to recalculate these values [gordonr 7635] -- Use early return from 27ManagerProxyPass and new DB interface [gordonr 7635] - -* Mon Mar 10 2003 Charlie Brady -- [0.1.0-06] -- Remove special case handling for /home/e-smith/files/primary in Apache - configuration. Migrate code and db entries for wwwpublic to Public. - [charlieb 5652] - -* Fri Mar 7 2003 Charlie Brady -- [0.1.0-05] -- Replace deprecated CONFREF with MORE_DATA in processTemplate call in - VirtualHosts fragment of httpd.conf templates. Fixes template - expansion breakage (I'm not sure what broke it, but this fixes it.) - [charlieb] -- Add default config db fragments to set type and status. Remove redundant - conf-httpd-e-smith script. [charlieb 1507] - -* Fri Jan 24 2003 Gordon Rowell -- [0.1.0-04] -- Move SSL initialisation to global context [gordonr 1432] - -* Fri Jan 24 2003 Gordon Rowell -- [0.1.0-03] -- Use default SSL certificate of $SystemName.$DomainName [gordonr 4874] - -* Wed Jan 8 2003 Mark Knox -- [0.1.0-02] -- Added conf-httpd-e-smith action linked to the same events as conf-startup - in e-smith-base [markk 6428] - -* Mon Jan 06 2003 Mark Knox -- [0.1.0-01] -- Initial release, split out from e-smith-base [markk 6428] - -%prep -%setup - -%pre - -%post - -%build -perl createlinks -mkdir -p root/service -ln -s /var/service/httpd-e-smith root/service/httpd-e-smith -mkdir -p root/var/service/httpd-e-smith/supervise -touch root/var/service/httpd-e-smith/down - -%install -rm -rf $RPM_BUILD_ROOT -(cd root ; find . 
-depth -print | cpio -dump $RPM_BUILD_ROOT) - -/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \ - --dir /var/service/httpd-e-smith 'attr(01755,root,root)' \ - --file /var/service/httpd-e-smith/down 'attr(0644,root,root)' \ - --file /var/service/httpd-e-smith/run 'attr(0755,root,root)' \ - > e-smith-%{version}-filelist - -echo "%doc COPYING" >> e-smith-%{version}-filelist - -%clean -rm -rf $RPM_BUILD_ROOT - -%files -f e-smith-%{version}-filelist -%defattr(-,root,root) diff --git a/contriborbase b/contriborbase deleted file mode 100644 index ef36a67..0000000 --- a/contriborbase +++ /dev/null @@ -1 +0,0 @@ -sme10 diff --git a/createlinks b/createlinks index c26a393..c50d485 100755 --- a/createlinks +++ b/createlinks @@ -6,6 +6,7 @@ use esmith::Build::CreateLinks qw(:all); #-------------------------------------------------- my $event = "smeserver-apache-update"; templates2events("/etc/httpd/conf/httpd.conf", $event); +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); event_link("systemd-reload", $event, "89"); event_link("systemd-default", $event, "88"); @@ -16,6 +17,7 @@ templates2events("/etc/logrotate.d/httpd", $event); #-------------------------------------------------- my $event = "console-save"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); templates2events("/etc/httpd/conf/httpd.conf", $event); safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); @@ -143,6 +145,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s $event = "remoteaccess-update"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); templates2events("/etc/httpd/conf/httpd.conf", $event); safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); 
@@ -152,6 +155,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s $event = "email-update"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); templates2events("/etc/httpd/conf/httpd.conf", $event); safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); @@ -161,6 +165,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s $event = "logrotate"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); #-------------------------------------------------- @@ -168,6 +173,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s #-------------------------------------------------- $event = "ssl-update"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); templates2events("/etc/httpd/conf/httpd.conf", $event); safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-smith"); @@ -176,6 +182,7 @@ safe_symlink("reload", "root/etc/e-smith/events/$event/services2adjust/httpd-e-s #-------------------------------------------------- $event = "post-install"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); templates2events("/etc/logrotate.d/httpd", $event); #-------------------------------------------------- @@ -183,5 +190,6 @@ templates2events("/etc/logrotate.d/httpd", $event); #-------------------------------------------------- $event = "post-upgrade"; +templates2events("/var/www/html/.well-known/acme-challenge/security.txt", $event); templates2events("/etc/logrotate.d/httpd", $event); diff --git a/root/etc/e-smith/templates.metadata/var/www/html/.well-known/acme-challenge/security.txt b/root/etc/e-smith/templates.metadata/var/www/html/.well-known/acme-challenge/security.txt new file mode 100644 index 0000000..20984ee 
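Review bot: Every `templates2events` call added in these hunks names `/var/www/html/.well-known/acme-challenge/security.txt`, but nothing in this commit serves that file at the path clients look for: the 79well-known fragment maps `/.well-known/` onto `/var/www/html/.well-known/`, excludes `/.well-known/security.txt` from proxying, and 28security.txt redirects `/.well-known/security.txt`, all of which resolve to `/var/www/html/.well-known/security.txt`, a file this package never creates. Requests for `/.well-known/security.txt` would therefore 404 unless a symlink or rewrite outside this patch supplies it, and a symlink would be defeated by `Options None` in the `.well-known` Directory block; the copy under acme-challenge would also be served with the `application/jose+json` Content-Type forced for that directory, whereas RFC 9116 expects `text/plain`. Moving the template tree to `root/etc/e-smith/templates/var/www/html/.well-known/security.txt/` and updating the path in createlinks, templates.metadata and httpd-e-smith.service addresses all three; the same path recurs in the templates.metadata, security.txt template and httpd-e-smith.service hunks below.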
--- /dev/null
+++ b/root/etc/e-smith/templates.metadata/var/www/html/.well-known/acme-challenge/security.txt
@@ -0,0 +1,3 @@
+UID="root"
+GID="apache"
+PERMS=0640
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling
new file mode 100644
index 0000000..8474e70
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL36SSLStapling
@@ -0,0 +1,2 @@
+SSLUseStapling On
+SSLStaplingCache dbm:/run/httpd/ssl_stapling(32768)
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38nosniff b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38nosniff
new file mode 100644
index 0000000..22816ba
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38nosniff
@@ -0,0 +1 @@
+Header setifempty X-Content-Type-Options nosniff
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38referer b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38referer
new file mode 100644
index 0000000..5da77c3
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38referer
@@ -0,0 +1 @@
+Header setifempty Referrer-Policy "same-origin"
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38xframe b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38xframe
new file mode 100644
index 0000000..8383eb1
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/38xframe
@@ -0,0 +1,3 @@
+# prevent clickjacking attacks
+Header unset X-Frame-Options
+Header set X-Frame-Options SAMEORIGIN
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/79well-known b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/79well-known
new file mode 100644
index 0000000..9179227
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/79well-known
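Review bot: `SSLUseStapling On` is turned on here with the mod_ssl defaults for responder failures, which pass OCSP responder errors through to clients (`SSLStaplingReturnResponderErrors` defaults to on) and wait up to 10 seconds per lookup, so a flaky CA responder becomes a user-visible TLS error rather than a silently unstapled handshake. Add `SSLStaplingReturnResponderErrors off` and `SSLStaplingResponderTimeout 5` next to the cache directive. On hosts still running the default self-signed certificate, which carries no OCSP URI, mod_ssl may log stapling warnings at startup; a comment stating that this is expected would save support questions. The cache uses `dbm:`, while the Apache documentation examples use `shmcb:`; that is only an option if mod_socache_shmcb is loaded in this configuration.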
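Review bot: `Header unset X-Frame-Options` followed by `Header set X-Frame-Options SAMEORIGIN` overrides whatever an application sets, unlike 38nosniff and 38referer, which use `setifempty` and defer to the content; an application that deliberately sends `DENY`, or one that must be framed by a sibling origin, is silently changed to SAMEORIGIN. If a hard floor is intended, the fragment's comment should say so; otherwise `Header setifempty X-Frame-Options SAMEORIGIN` keeps the three header fragments consistent. The `unset` line is redundant either way, since `set` replaces any existing header.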
@@ -0,0 +1,18 @@
+# Alias for letsencrypt, security.txt and mailconfig ...
+Alias /.well-known/ /var/www/html/.well-known/
+# do not proxy request to acme-challenge and security.txt
+ProxyPass /.well-known/security.txt !
+ProxyPass /.well-known/acme-challenge !
+
+
+ Options None
+ AllowOverride None
+ Require all granted
+ AddDefaultCharset off
+ Satisfy any
+
+
+ Header set Content-Type "application/jose+json"
+ Require all granted
+ Satisfy any
+
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS
new file mode 100644
index 0000000..4762ad9
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/12HSTS
@@ -0,0 +1,15 @@
+{
+ # return if not SSL
+ return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
+ # return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
+ # by the way accessing with an ip will fail.
+ #my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
+ #return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
+ # return unless enabled for domain
+ return " # HSTS disabled\n"; unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
+ # if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
+ my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
+ # default to 1 years in second to access to preload; suggested 2 years.
+ my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
+ $OUT = 'Header always set Strict-Transport-Security "max-age=$age; includeSubDomains $preload' ;
+}
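Review bot: The HSTS header can never be emitted: on the `return " # HSTS disabled\n"; unless (...)` line the `;` before `unless` makes the return unconditional and leaves `unless (...);` as a bare statement, which Perl rejects, so the fragment fails to compile (and, depending on how the template engine reports broken fragments, may inject an error string into httpd.conf). The last line also uses single quotes, so `$age` and `$preload` would not interpolate, and the header value's closing `"` and trailing newline are missing. Change the two lines to `return " # HSTS disabled\n" unless (($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');` and `$OUT = "Header always set Strict-Transport-Security \"max-age=$age; includeSubDomains$preload\"\n";`. `includeSubDomains` is then sent unconditionally, and browsers apply it to every subdomain of `$virtualHost` for the whole max-age, so a per-domain property alongside the existing `HSTSpreload` one (or at least a comment) would let admins with non-TLS subdomains opt out. `$domains`, `$port` and `$httpsPort` are assumed to come from the enclosing VirtualHosts template, which is outside this hunk.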
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt
new file mode 100644
index 0000000..c2ce376
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28security.txt
@@ -0,0 +1,12 @@
+{
+ # vim: ft=perl:
+
+ $haveSSL = (exists ${modSSL}{status} and ${modSSL}{status} eq "enabled") ? 'yes' : 'no';
+ $plainTextAccess = ${'httpd-admin'}{PermitPlainTextAccess} || 'no';
+
+ $OUT = '';
+ if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
+ {
+ $OUT .= " RewriteRule ^/.well-known/security.txt\$) https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp
new file mode 100644
index 0000000..fb966a4
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/30csp
@@ -0,0 +1,11 @@
+{
+ use esmith::DomainsDB;
+ my $db = esmith::DomainsDB->open_ro;
+ my $CSP = $db->get_prop($virtualHost, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
+ return " # CSP disabled for this host\n" if ($CSP eq "disabled");
+ if ($CSP ne '')
+ {
+ $OUT .= " # Content-Security-Policy; only if not set by content\n";
+ $OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
+ }
+}
diff --git a/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/10contact b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/10contact
new file mode 100644
index 0000000..60618a1
--- /dev/null
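Review bot: The RewriteRule pattern `^/.well-known/security.txt\$)` has an unbalanced `)`; httpd refuses to start when a RewriteRule regex fails to compile, and this fragment is emitted for every plain-HTTP virtual host as soon as mod_ssl is enabled and `PermitPlainTextAccess` is not `yes`, so the breakage would be system-wide. Replace the line with `$OUT .= "    RewriteRule ^/\\.well-known/security\\.txt\$ https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";`, which also escapes the literal dots. The rule assumes `RewriteEngine on` is emitted by another fragment of the VirtualHost; a comment naming that dependency would help. Redirecting to `%{HTTP_HOST}` echoes the client-supplied Host header; if the VirtualHosts template sets `UseCanonicalName On`, `%{SERVER_NAME}` is the safer target, otherwise keep it and say so in a comment.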
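Review bot: The default policy on the `my $CSP = ...` line contains no `'unsafe-inline'` and no `img-src`/`font-src`/`connect-src` exceptions, so any site on this host that does not send its own Content-Security-Policy has inline scripts, inline styles and third-party resources blocked as soon as the package updates; `setifempty` only yields to applications that already set the header. The fragment's comment should say so and name the opt-outs (`CSP=disabled` on the domain record, or a custom `CSP` value), and the change deserves a release note. The fragment also opens a second `esmith::DomainsDB->open_ro` per virtual host while 12HSTS reads the same record through `$domains`, which appears to be provided by the enclosing VirtualHosts template; reusing `$domains` keeps the two fragments consistent. Because `$CSP` is interpolated inside `\"...\"`, a double quote in the property value would corrupt the Header directive; the value is admin-controlled, but a comment stating the constraint is worthwhile.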
+++ b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/10contact
@@ -0,0 +1,9 @@
+# Our security address
+Contact: {
+# some examples
+# Contact: mailto:security@example.com
+# Contact: mailto:security%2Buri%2Bencoded@example.com
+# Contact: tel:+1-201-555-0123
+# Contact: https://example.com/security-contact.html
+${'httpd-e-smith'}{'SecurityContact'}||"mailto:admin@$DomainName"}
+
diff --git a/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/20encryption b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/20encryption
new file mode 100644
index 0000000..46bbd21
--- /dev/null
+++ b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/20encryption
@@ -0,0 +1,8 @@
+# Our openPGP key
+Encryption: {
+# some example
+# Encryption: https://example.com/pgp-key.txt
+# Encryption: dns:5d2d37ab76d47d36._openpgpkey.example.com?type=OPENPGPKEY
+# Encryption: openpgp4fpr:5f2de5521c63a801ab59ccb603d49de44b29100f
+${'httpd-e-smith'}{'SecurityEncryption'}||'none'}
+
diff --git a/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/30expires b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/30expires
new file mode 100644
index 0000000..04607bd
--- /dev/null
+++ b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/30expires
@@ -0,0 +1,15 @@
+# Expiration date of this policy
+Expires: {
+ use strict;
+ use warnings;
+ use esmith::ConfigDB;
+ use DateTime;
+ my $db = esmith::ConfigDB->open or die "Could not open config db";
+ # Obtain the TimeZone configuration database value
+ my $timezone = $db->get("TimeZone")->value||"US/eastern";
+ my $dt = DateTime->now(time_zone => $timezone);
+ $dt->set_year($dt->year()+1);
+ $dt->set_time_zone('UTC');
+ $OUT = $dt."z" ;
+}
+
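Review bot: The fallback `||'none'` in 20encryption emits `Encryption: none`, which is not a valid value: per RFC 9116 the Encryption field carries a URI, and security.txt validators reject the file for it, which undermines the point of publishing one. Because the field label sits outside the code block, the cleanest fix moves it inside so the field is omitted until configured: `{ my $key = ${'httpd-e-smith'}{'SecurityEncryption'} || ''; $OUT = ($key eq '' || $key eq 'none') ? "" : "# Our openPGP key\nEncryption: $key\n"; }`. The same `||` default in 10contact is fine, since `mailto:admin@$DomainName` is a valid URI.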
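Review bot: In 30expires the line `my $timezone = $db->get("TimeZone")->value||"US/eastern";` can die in two ways: if the `TimeZone` record is absent, `->value` is called on undef, and the fallback `US/eastern` is not a valid Olson name (DateTime zone names are case-sensitive, `US/Eastern`), which on my reading makes `DateTime->now` croak. The zone is irrelevant anyway because the value is converted to UTC before output, so `my $dt = DateTime->now(time_zone => 'UTC')->add(years => 1);` replaces both the lookup and the two `set_*` calls and also avoids `set_year` failing when today is 29 February. Emit it as `$OUT = $dt->iso8601 . 'Z';` for the conventional uppercase designator. The stamp is frozen at expansion time, so the file goes stale unless it is re-expanded within the year; the `logrotate` event link added in createlinks appears to be that refresh, and a comment here saying so would make the dependency explicit.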
diff --git a/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/40language b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/40language
new file mode 100644
index 0000000..19a452b
--- /dev/null
+++ b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/40language
@@ -0,0 +1,8 @@
+# Prefered Languages
+Preferred-Languages: { substr( ($sysconfig{Language}||"en"),0,2) }
+{
+# see https://securitytxt.org/ for more fields
+# Acknowledgments : https://
+# Policy : https://
+# Hiring : https://
+}
diff --git a/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/template-begin b/root/etc/e-smith/templates/var/www/html/.well-known/acme-challenge/security.txt/template-begin
new file mode 100644
index 0000000..e69de29
diff --git a/root/usr/lib/systemd/system/httpd-e-smith.service b/root/usr/lib/systemd/system/httpd-e-smith.service
index 5812768..1c0c0f2 100644
--- a/root/usr/lib/systemd/system/httpd-e-smith.service
+++ b/root/usr/lib/systemd/system/httpd-e-smith.service
@@ -8,6 +8,7 @@ Documentation=man:apachectl(8)
 Type=notify
 ExecStartPre=/sbin/e-smith/service-status httpd-e-smith
 ExecStartPre=/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
+ExecStartPre=-/sbin/e-smith/expand-template /var/www/html/.well-known/acme-challenge/security.txt
 ExecStartPre=/sbin/e-smith/systemd/httpd-e-smith-prepare
 ExecStart=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
 ExecReload=/usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -k graceful
diff --git a/root/var/www/html/.well-known/acme-challenge/.gitignore b/root/var/www/html/.well-known/acme-challenge/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/smeserver-apache.spec b/smeserver-apache.spec
index 98a8572..1cd5b84 100644
--- a/smeserver-apache.spec
+++ b/smeserver-apache.spec
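Review bot: The comment on the first line of 40language reads `# Prefered Languages`; it should be `# Preferred Languages` to match the field name it documents. `substr(($sysconfig{Language}||"en"),0,2)` truncates a locale such as `pt_BR` to `pt`, which is a valid RFC 5646 tag, but a one-line comment saying that only the primary language subtag is published would make the truncation look intentional rather than like a bug.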
@@ -4,7 +4,7 @@ Summary: smeserver server and gateway - apache module %define name smeserver-apache Name: %{name} %define version 11.0.0 -%define release 7 +%define release 8 Version: %{version} Release: %{release}%{?dist} License: GPL @@ -18,6 +18,7 @@ Requires: smeserver-lib >= 1.15.1-19 Requires: smeserver-daemontools >= 1.7.1-01 Requires: mod_ssl Requires: mod_authnz_external +Requires: perl-DateTime Obsoletes: distcache <= 1.4.5 Obsoletes: mod_auth_external Obsoletes: e-smith-proxypass @@ -51,6 +52,9 @@ rm -rf $RPM_BUILD_ROOT --dir /var/service/httpd-e-smith 'attr(01755,root,root)' \ --file /var/service/httpd-e-smith/down 'attr(0644,root,root)' \ --file /var/service/httpd-e-smith/run 'attr(0755,root,root)' \ + --ignoredir /var/www/html/ --ignoredir /var/www/ \ + --dir /var/www/html/.well-known 'attr(0701,root,root)' \ + --dir /var/www/html/.well-known/acme-challenge 'attr(0755,root,root)' \ > e-smith-%{version}-filelist echo "%doc COPYING" >> e-smith-%{version}-filelist @@ -70,6 +74,15 @@ if [ $1 -gt 1 ] ; then fi %changelog +* Fri Dec 27 2024 Jean-Philippe Pialasse 11.0.0-8.sme +- add X-Content-Type-Options nosniff [SME: 12835] +- add Strict Transport Security support HSTS [SME: 12815] +- add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816] +- add referrer-Policy same-origin [SME: 12817] +- add OCSP Stapling support [SME: 12819] +- add CSP Content-Security-Policy support [SME: 9567] +- add .well-known and .well-known/security.txt [SME: 12818] + * Thu Apr 04 2024 Brian Read 11.0.0-7.sme - Update createlinks to create smeserver-package-update event[SME: 12579]