* Fri Dec 27 2024 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-8.sme

- add X-Content-Type-Options nosniff [SME: 12835]
- add Strict Transport Security support HSTS [SME: 12815]
- add X-Frame-Options SAMEORIGIN Header to prevent clickjacking [SME: 12816]
- add Referrer-Policy same-origin [SME: 12817]
- add OCSP Stapling support [SME: 12819]
- add CSP Content-Security-Policy support [SME: 9567]
- add .well-known and .well-known/security.txt [SME: 12818]
This commit is contained in:
Jean-Philippe Pialasse 2024-12-31 03:38:10 -05:00
parent 460bba0655
commit 86a394d1aa
4 changed files with 38 additions and 27 deletions


@ -1,15 +0,0 @@
{
# return if not SSL
return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
# return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
# by the way accessing with an ip will fail.
#my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
#return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
# return unless enabled for domain
return " # HSTS disabled\n"; unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
# if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
# default to 1 years in second to access to preload; suggested 2 years.
my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
$OUT = 'Header always set Strict-Transport-Security "max-age=$age; includeSubDomains $preload' ;
}


@ -7,6 +7,6 @@
$OUT = '';
if (($port eq $httpPort) && ($haveSSL eq 'yes') && ($plainTextAccess ne 'yes'))
{
$OUT .= " RewriteRule ^/.well-known/security.txt\$) https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
$OUT .= " RewriteRule ^/.well-known/security.txt\$ https://%{HTTP_HOST}/.well-known/security.txt [L,R]\n";
}
}
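Review bot: The redirect target on the corrected `RewriteRule` line is built from `%{HTTP_HOST}`, the client-supplied Host header, so on a vhost that also answers for unmatched names the browser is sent to whatever host the client named; `https://%{SERVER_NAME}/.well-known/security.txt` (with `UseCanonicalName On`) pins it to the configured name, though the surrounding template presumably already relies on vhost matching, so this may be acceptable here. Separately, `[L,R]` issues a 302, while the HTTPS location is the permanent home of `security.txt`; `[L,R=301]` is the usual choice and lets clients cache the upgrade. The enclosing block starts before the hunk, and `$httpPort`, `$haveSSL` and `$plainTextAccess` are defined outside it.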


@ -0,0 +1,26 @@
{
use esmith::DomainsDB;
my $domains = esmith::DomainsDB->open_ro;
# return if not SSL
return " # skipping SSL certificate\n" unless $port eq "$httpsPort";
# return unless we have a real certificate (however, here we assume that one will not set manually a self signed one...)
# by the way accessing with an ip will fail.
my $ssl_file_crt = $domains->get_prop($virtualHost, "DomainSSLCertificateFile") || $modSSL{'crt'} || "disabled";
return " # HSTS incompatible with self signed certificate\n" unless ($ssl_file_crt ne "disabled" && -e $ssl_file_crt);
# return unless enabled for domain
return " # HSTS disabled\n" unless ( ($domains->get_prop($virtualHost, "HSTS") || "enabled") eq 'enabled');
# if setting preload you need max-age>= 1years in second and includeSubDomains enabled.
my $preload = (($domains->get_prop($virtualHost, "HSTSpreload") || "disabled") eq 'enabled')? "; preload" : "";
my $includeSubDomains = (${'httpd-e-smith'}{HSTSsubdomain} eq 'enabled')? "; includeSubDomains" : "";
$includeSubDomains = "; includeSubDomains" if ($preload eq "; preload");
# default to 1 years in second to access to preload; suggested 2 years.
my $age = ($domains->get_prop($virtualHost, "HSTSage") )? $domains->get_prop($virtualHost, "HSTSage") : "31536000";
$OUT = ' Header always set Strict-Transport-Security "max-age='.$age.' '.$includeSubDomains.' '.$preload.'"' ;
}
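Review bot: `HSTSage` is read from the domain record and concatenated into the header value without validation on the `my $age = ...` line, and the `preload` token is emitted whatever that value is, although the comment a few lines up states preload needs a max-age of at least one year; a non-numeric value (or one containing `"`) would break the generated `Header` directive, and a short one would make the preload submission invalid. Tighten it with `my $age = $domains->get_prop($virtualHost, "HSTSage"); $age = "31536000" unless defined $age && $age =~ /^\d+$/;` and only append the token `if ($preload && $age >= 31536000)`, or add a comment saying why the limit is deliberately not enforced. Also, `${'httpd-e-smith'}{HSTSsubdomain} eq 'enabled'` would raise an "uninitialized" warning when the property is unset if the template runs under warnings; `(${'httpd-e-smith'}{HSTSsubdomain} // '') eq 'enabled'` avoids it. Note that the `-e $ssl_file_crt` test only proves a certificate file exists, as the comment above it concedes; it does not detect a self-signed one, so the "incompatible with self signed certificate" message is somewhat optimistic.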


@ -1,11 +1,11 @@
{
use esmith::DomainsDB;
my $db = esmith::DomainsDB->open_ro;
my $CSP = $db->get_prop($virtualHost, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
return " # CSP disabled for this host\n" if ($CSP eq "disabled");
if ($CSP ne '')
{
$OUT .= " # Content-Security-Policy; only if not set by content\n";
$OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
}
}
{
use esmith::AccountsDB;
my $accounts = esmith::AccountsDB->open_ro;
my $CSP = $accounts->get_prop($virtualHostContent, "CSP") || "default-src 'self' https://www.$virtualHost https://$virtualHost; style-src 'self' https://*.$virtualHost; script-src 'self' https://*.$virtualHost; worker-src 'self' https://*.$virtualHost; frame-ancestors 'self' https://*.$virtualHost; base-uri 'self' https://*.$virtualHost; form-action 'self' https://*.$virtualHost ";
return " # CSP disabled for this host\n" if ($CSP eq "disabled");
if ($CSP ne '')
{
$OUT .= " # Content-Security-Policy; only if not set by content\n";
$OUT .= " Header setifempty Content-Security-Policy \"$CSP\"\n";
}
}
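Review bot: The stored policy is dropped straight into a double-quoted `Header` argument on the `$OUT .= " Header setifempty ..."` line; a `"` in the value stored under `CSP` would terminate the argument and break the generated config, and mod_headers treats `%` in a value as the start of a format specifier (`%%` is the literal percent), so a policy containing a percent-encoded path may not be emitted literally. The value is admin-supplied, so the exposure is low, but escaping it before interpolation keeps the config parseable: `(my $safe = $CSP) =~ s/"/\\"/g; $safe =~ s/%/%%/g;` followed by `Header setifempty Content-Security-Policy \"$safe\"`. Note also that without the `always` condition this directive only acts on the 2xx response table, so error pages are served without a CSP, unlike the HSTS fragment which uses `Header always set`; switching to `always setifempty` would, however, not see a CSP the application set in the normal table and could yield two CSP headers, so that interaction needs checking before changing it.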