In the past couple of weeks a number of security patches have been made to openstack-ansible, this patch documents these changes. Hopefully the level of the documentation gives the users enough background on what the changes are and how to use them, without going into the detailed specifics of each feature. Regarding the upgrade to TLS for haproxy internal VIP and backends in existing deployments, I have some ideas on how this could be done without causing downtime but have not had chance to test this yet. The idea is to use a TCP frontend that accepts both HTTP and HTTPS traffic and redirects to correct frontend for each. Change-Id: Idc7b1c8908b150eaaf12980612083d31d3a5b669
5.1 KiB
Security Headers
Security headers are HTTP headers that can be used to increase the security of a web application by restricting what modern browsers are able to run.
In OpenStack-Ansible, security headers are implemented in haproxy as all the public endpoints reside behind it.
The following headers are enabled by default on all the haproxy interfaces that implement TLS, but only for the Horizon service. The security headers can be implemented on other haproxy services, but only services used by browsers will make use of the headers.
HTTP Strict Transport Security
The OpenStack TLS Security Guide recommends that all production deployments use HTTP strict transport security (HSTS).
By design, this header is difficult to disable once set. It is recommended that during testing you set a short time of 1 day and after testing increase the time to 1 year.
To change the default max age to 1 day, override the variable
haproxy_security_headers_max_age
in the
/etc/openstack_deploy/user_variables.yml
file:
haproxy_security_headers_max_age: 86400
If you would like your domain included in the HSTS preload list,
which is built into browsers, before submitting your request to be added
to the HSTS preload list you must add the preload
token to
your response header. The preload
token indicates to the
maintainers of HSTS preload list that you are happy to have your site
included.
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains; preload;\""
X-Content-Type-Options
The X-Content-Type-Options
header prevents MIME type
sniffing.
This functionality can be changed by overriding the list of headers
in haproxy_security_headers
variable in the
/etc/openstack_deploy/user_variables.yml
file.
Referrer Policy
The Referrer-Policy
header controls how much referrer
information is sent with requests. It defaults to
same-origin
, which does not send the origin path for
cross-origin requests.
This functionality can be changed by overriding the list of headers
in haproxy_security_headers
variable in the
/etc/openstack_deploy/user_variables.yml
file.
Permission Policy
The Permissions-Policy
header allows you to selectively
enable, disable or modify the use of browser features and APIs,
previously known as Feature Policy.
By default this header is set to block access to all features apart from the following from the same origin; fullscreen, clipboard read, clipboard write and spatial navigation.
This functionality can be changed by overriding the list of headers
in haproxy_security_headers
variable in the
/etc/openstack_deploy/user_variables.yml
file.
Content Security Policy (CSP)
The Content-Security-Policy
header allows you to control
what resources a browser is allowed to load for a given page, which
helps to mitigate the risks from Cross-Site Scripting (XSS) and data
injection attacks.
By default, the Content Security Policy (CSP) enables a minimum set
of resources to allow Horizon to work, which includes access the Nova
console. If you require access to other resources these can be set by
overriding the haproxy_security_headers_csp
variable in the
/etc/openstack_deploy/user_variables.yml
file.
Report Only
Implementing CSP could lead to broken content if a browser is blocked
from accessing certain resources, therefore it is recommended that when
testing CSP you use the Content-Security-Policy-Report-Only
header, instead of Content-Security-Policy
, this reports
CSP violations to the browser console, but does not enforce the
policy.
To set the CSP policy to report only by overriding the
haproxy_security_headers_csp_report_only
variable to
True
in the
/etc/openstack_deploy/user_variables.yml
file:
haproxy_security_headers_csp_report_only: True
Reporting Violations
It is recommended that you monitor attempted CSP violations in
production, this is achieved by setting the report-uri
and
report-to
tokens.
Federated Login
When using federated login you will need to override the default
Content Security Policy to allow access to your authorisation server by
overriding the haproxy_horizon_csp
variable in the
/etc/openstack_deploy/user_variables.yml
file:
haproxy_horizon_csp: "http-response set-header Content-Security-Policy \"default-src 'self'; frame-ancestors 'self'; form-action 'self' {{ external_lb_vip_address }}:5000 <YOUR-AUTHORISATION-SERVER-ORIGIN>; upgrade-insecure-requests; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }}; frame-src 'self' {{ external_lb_vip_address }}:{{ nova_console_port }};\""