73a8bdde58
Currently security.txt file is stored and served from keystone. It's not necessary as haproxy is able to serve static files[1]. This patch creates security_txt haproxy service responsible for serving security.txt static file using recently implemented maps feature. [1] https://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/ Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/880088 Change-Id: If0ec375055abedceb13a035b9c8f5107f4659f86
1.6 KiB
Security.txt
security.txt is a proposed IETF
standard to allow independent security researchers to easily report
vulnerabilities. The standard defines that a text file called
security.txt should be found at
"/.well-known/security.txt". For legacy compatibility reasons the file
might also be placed at "/security.txt".
In OpenStack-Ansible, security.txt is implemented in
haproxy as all public endpoints reside behind it. It defaults to
directing any request paths that end with /security.txt to
the text file using an ACL rule in haproxy.
Enabling security.txt
Use the following process to add a security.txt file to
your deployment using OpenStack-Ansible:
- Write the contents of the
security.txtfile in accordance with the standard. - Define the contents of
security.txtin the variablehaproxy_security_txt_contentin the/etc/openstack_deploy/user_variables.ymlfile:
haproxy_security_txt_content: | # This is my example security.txt file # Please see https://securitytxt.org/ for details of the specification of this file
- Update haproxy
# openstack-ansible haproxy-install.yml
Advanced security.txt ACL
In some cases you may need to change the haproxy ACL used to redirect
requests to the security.txt file, such as adding extra
domains.
The haproxy ACL is updated by overriding the variable
haproxy_map_entries inside
haproxy_security_txt_service.