From edae05a8a14755288483760354c352b50b655ef0 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Mon, 11 Nov 2024 11:23:27 +0100
Subject: [PATCH] Add variables to control HSTS records

In case of usage of domain-based endpoints, opening API in a client which respects HSTS will result in an error. This adds extra variables to make `haproxy_security_headers_csp` easier to partially override for most simple use-cases.

Change-Id: I836eee3b7f9ae726483a8ac5c117d5a516abbfb7
---
 inventory/group_vars/haproxy/haproxy.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/inventory/group_vars/haproxy/haproxy.yml b/inventory/group_vars/haproxy/haproxy.yml
index 74e188ebb6..8212e22774 100644
--- a/inventory/group_vars/haproxy/haproxy.yml
+++ b/inventory/group_vars/haproxy/haproxy.yml
@@ -32,17 +32,26 @@ haproxy_package_state: "{{ package_state }}"
 haproxy_security_headers_max_age: 31536000
 # Set CSP headers to report only for testing
 haproxy_security_headers_csp_report_only: False
+haproxy_security_child_src_records:
+  - "{{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }}"
+  - "{{ external_lb_vip_address }}:{{ nova_novncproxy_port }}"
+  - "{{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }}"
+haproxy_security_frame_ancestors_records: []
+haproxy_security_frame_src_records: "{{ haproxy_security_child_src_records }}"
+haproxy_security_connect_src_records:
+  - "{{ external_lb_vip_address }}:*"
+  - "wss://{{ external_lb_vip_address }}:{{ ironic_console_port }}"
 haproxy_security_headers_csp: >
   http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
   default-src 'self';
-  frame-ancestors 'self';
+  frame-ancestors 'self' {{ haproxy_security_frame_ancestors_records | join(' ') }};
   form-action 'self';
   upgrade-insecure-requests;
   style-src 'self' 'unsafe-inline';
   script-src 'self' 'unsafe-inline' 'unsafe-eval';
-  child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
-  frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
-  connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }};
+  child-src 'self' {{ haproxy_security_child_src_records | join(' ') }};
+  frame-src 'self' {{ haproxy_security_frame_src_records | join(' ') }};
+  connect-src 'self' {{ haproxy_security_connect_src_records | join(' ') }};
   img-src 'self' data:;
   worker-src blob:;
   "
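Review bot: The four new `haproxy_security_*_records` variables carry no comment, although the neighbouring `haproxy_security_headers_csp_report_only` has one and these lists are joined verbatim into the Content-Security-Policy string, so an operator cannot tell from the file which directive each list feeds or what adding an entry loosens. A line such as `# Extra origins appended to the CSP frame-ancestors directive; every entry widens who may embed the API in a frame, so leave this empty unless a trusted origin needs it` above `haproxy_security_frame_ancestors_records: []`, with matching one-liners above the child-src and connect-src lists, would close that gap. The new names also drop the `headers` segment that every surrounding key uses (`haproxy_security_headers_max_age`, `haproxy_security_headers_csp`), which makes the family harder to find; if nothing relies on them yet, `haproxy_security_headers_csp_frame_ancestors_records` and friends would be consistent. Separately, the directives made overridable here all belong to Content-Security-Policy, whereas the subject line says HSTS; amending the message would spare operators looking here for the Strict-Transport-Security knob.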