61 lines
2.3 KiB
Plaintext
61 lines
2.3 KiB
Plaintext
HTTP Strict Transport Security not enabled on Horizon Dashboard
|
|
---
|
|
|
|
### Summary ###
|
|
Deployers using Horizon for production or internet facing operations
|
|
should strongly consider configuring HTTP Strict Transport Security
|
|
(HSTS) for their deployment.
|
|
|
|
### Affected Services / Software ###
|
|
Horizon, SSL, TLS, Apache, Nginx
|
|
|
|
### Discussion ###
|
|
HTTP Strict Transport Security (HSTS) enforces that all communications
|
|
with a server go over SSL. This mitigates the threat from attacks such
|
|
as SSL-Strip which replaces links on the wire, stripping away https
|
|
prefixes and potentially allowing an attacker to view confidential
|
|
information on the wire.
|
|
|
|
HSTS can be enabled in Apache and Nginx, the two primary ways of serving
|
|
Horizon at scale.
|
|
|
|
### Recommended Actions ###
|
|
If using Apache httpd to host Horizon, add the following to the relevant
|
|
'VirtualHost' entry in your Apache httpd configuration file:
|
|
|
|
--- begin example httpd configuration snippet ---
|
|
Header add Strict-Transport-Security "max-age=15768000"
|
|
--- end example httpd configuration snippet ---
|
|
|
|
We suggest also using mod_rewrite to ensure all visitors to Horizon land
|
|
on a secure page. To accomplish this, add the following into your Apache
|
|
httpd configuration file:
|
|
|
|
--- begin example httpd configuration snippet ---
|
|
<IfModule mod_rewrite.c>
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} off
|
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
|
</IfModule>
|
|
--- end example httpd configuration snippet ---
|
|
|
|
If using Nginx to host Horizon, add the following to your Nginx
|
|
configuration file:
|
|
|
|
--- begin example Nginx configuration snippet ---
|
|
add_header Strict-Transport-Security max-age=15768000;
|
|
--- end example Nginx configuration snippet ---
|
|
|
|
As always, test these configuration settings before deploying them to
|
|
production in order to catch any bugs or errors.
|
|
|
|
### Contacts / References ###
|
|
Author: Robert Clark, HP
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0035
|
|
SSL Strip : http://www.thoughtcrime.org/software/sslstrip
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1191050
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
|
HTTP Strict Transport Security:
|
|
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
|