Merge pull request #179 from Alfresco/develop

Add hsts header correctly

attributes/haproxy.rb

@@ -22,6 +22,8 @@
 default['haproxy']['stats_pwd'] = "changeme"
 
 default['haproxy']['log_level'] = "info"
+default['haproxy']['enable_ssl_header'] = true
+default['haproxy']['ssl_header'] = "http-response set-header Strict-Transport-Security max-age=15768000;\\ includeSubDomains;\\ preload;"
 
 #default['haproxy']['logging'] = "option httplog"
 default['haproxy']['logging_json_enabled'] = false
@@ -30,9 +32,10 @@
 
 default['haproxy']['ssl_chain_file'] = "#{node['alfresco']['certs']['ssl_folder']}/#{node['alfresco']['certs']['filename']}.chain"
 
+haproxy_logging = node['haproxy']['logging_json_enabled'] ? node['haproxy']['json_logformat'] : node['haproxy']['logformat']
+hsts_header = node['haproxy']['ssl_header'] if node['haproxy']['enable_ssl_header'] 
+
 default['haproxy']['general_config'] = [
-  "# -- global settings section --",
-  "global",
   "tune.ssl.default-dh-param 2048",
   # Logging should be handled with logstash-forwarder
   "log 127.0.0.1 local2 #{node['haproxy']['log_level']}",
@@ -41,23 +44,27 @@
   "user haproxy",
   "group haproxy",
   "tune.ssl.maxrecord 1419",
-  "spread-checks 5",
-  "# -- defaults settings section --",
-  "defaults",
+  "spread-checks 5"
+]
+
+default['haproxy']['default_config'] = [
   "mode http",
   "log global",
   "retries 3",
+  "",
   "# Options",
   "option httplog",
-node['haproxy']['logformat'],
+  haproxy_logging,
   "option dontlognull",
   "option forwardfor",
   "option http-server-close",
   "option redispatch",
+  "",
   "# Optimisations",
   "option tcp-smart-accept",
   "option tcp-smart-connect",
   "option contstats",
+  "",
   "# Timeouts",
   "timeout http-request 10s",
   "timeout queue 1m",
@@ -72,8 +79,8 @@
 ]
 
 default['haproxy']['frontends']['internal']['entries'] = [
-  "mode http",
   "bind #{node['haproxy']['bind_ip']}:#{node['alfresco']['internal_port']}",
+  "mode http",
   "capture request header X-Forwarded-For len 64",
   "capture request header User-agent len 128",
   "capture request header Cookie len 64",
@@ -106,22 +113,23 @@
 ]
 
 default['haproxy']['frontends']['external']['entries'] = [
-  "mode http",
   "bind #{node['haproxy']['bind_ip']}:#{node['alfresco']['internal_secure_port']}",
-  # Force HTTPS
-  # "redirect scheme https if !{ ssl_fc }",
+  "mode http",
   "capture request header X-Forwarded-For len 64",
   "capture request header User-agent len 128",
   "capture request header Cookie len 64",
   "capture request header Accept-Language len 64",
   "unique-id-format %{+X}o\\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid",
   "unique-id-header X-Unique-ID",
+  "",
   "#---- ddos protection -----",
   "tcp-request inspect-delay 5s",
   "acl HAS_X_FORWARDED_FOR hdr_cnt(X-Forwarded-For) eq 1",
   "acl HAS_JSESSIONID hdr_sub(cookie) JSESSIONID",
+  "",
   "# Don't track if the request has a JSESSIONID cookie",
   "tcp-request content track-sc0 hdr_ip(X-Forwarded-For,-1) if HTTP HAS_X_FORWARDED_FOR !HAS_JSESSIONID",
+  "",
   "# Stick Table Definitions",
   "#  - conn_cur: count active connections",
   "#  - conn_rate(3s): average incoming connection rate over 3 seconds",
@@ -137,6 +145,7 @@
   "# http-request tarpit if { sc0_http_err_rate() gt 5 }",
   "# TARPIT the connection if the client has passed the HTTP request rate (20 in 10s)",
   "# http-request tarpit if { sc0_http_req_rate() gt 20 }",
+  "",
   "acl FORBIDDEN_HDR hdr_cnt(host) gt 1",
   "acl FORBIDDEN_HDR hdr_cnt(content-length) gt 1",
   "acl FORBIDDEN_HDR hdr_val(content-length) lt 0",
@@ -147,12 +156,10 @@
   "http-request tarpit if FORBIDDEN_HDR",
   "acl WEIRD_RANGE_HEADERS hdr_cnt(Range) gt 10",
   "http-request tarpit if WEIRD_RANGE_HEADERS",
-  "#---- end ddos protection -----"
+  "#---- end ddos protection -----",
+  hsts_header
 ]
 
-default['haproxy']['enable_ssl_header'] = true
-default['haproxy']['ssl_header'] = "http-response set-header Strict-Transport-Security max-age=15768000;\\ includeSubDomains;\\ preload;"
-
 default['haproxy']['frontends']['external']['headers'] = []
 
 default['haproxy']['frontends']['stats']['entries'] = [

templates/default/haproxy/haproxy.cfg.erb

@@ -1,104 +1,107 @@
 # This file was generated by chef-alfresco
 
-# General Configurations: global, timeouts
-<% node['haproxy']['general_config'].each do |line| -%>
-<%= line %>
+global
+<% if node['haproxy']['general_config'] -%>
+    <% node['haproxy']['general_config'].each do |line| -%>
+    <%= line %>
+    <% end -%>
 <% end -%>
-# Log format
-<%= node['haproxy']['logformat'] %>
 
-# Frontends
+defaults
+<% if node['haproxy']['default_config'] -%>
+    <% node['haproxy']['default_config'].each do |line| -%>
+    <%= line %>
+    <% end -%> 
+<% end -%>
 
 <% if node['haproxy']['frontends'] -%>
+# Frontends
   <% node['haproxy']['frontends'].each do |frontendName,frontend| -%>
-# START frontend <%= frontendName %>
 frontend <%= frontendName %>
     <% if frontend['entries'] -%>
       <% frontend['entries'].each do |entry| -%>
-<%= entry %>
+    <%= entry %>
       <% end -%>
     <% end -%>
     <% if frontend['headers'] -%>
       <% frontend['headers'].each do |header| -%>
-<%= header %>
+    <%= header %>
       <% end -%>
     <% end -%>
-# Backend ACLs
     <% if frontend['acls'] -%>
+
+    # Backend ACLs
       <% frontend['acls'].each do |backendName,acls| -%>
         <% if acls -%>
           <% acls.each do |acl| -%>
-acl is_<%= backendName %> <%= acl %>
+    acl is_<%= backendName %> <%= acl %>
           <% end -%>
         <% end -%>
       <% end -%>
     <% end -%>
-# Free formed ACLs
     <% if frontend['acl_lines'] -%>
+
+    # Free formed ACLs
       <% frontend['acl_lines'].each do |acl| -%>
-acl <%= acl %>
+    acl <%= acl %>
       <% end -%>
     <% end -%>
-# Other Configurations
     <% if frontend['other_config'] -%>
+
+    # Other Configurations
       <% frontend['other_config'].each do |other_config| -%>
-<%= other_config %>
+    <%= other_config %>
       <% end -%>
     <% end -%>
-# Redirects
     <% if frontend['redirects'] -%>
+
+    # Redirects
       <% frontend['redirects'].each do |redirect| -%>
-<%= redirect %>
+    <%= redirect %>
       <% end -%>
     <% end -%>
-# Use backends
     <% if frontend['acls'] -%>
+
+    # Use backends
       <% frontend['acls'].each do |backendName,acls| -%>
-use_backend <%= backendName %> if is_<%= backendName %>
+    use_backend <%= backendName %> if is_<%= backendName %>
       <% end -%>
     <% end -%>
-# Default Backend
-default_backend <%= node['haproxy']['default_backend'] %>
-# END frontend <%= frontendName %>
+
+    # Default Backend
+    default_backend <%= node['haproxy']['default_backend'] %>
 
   <% end -%>
 <% end -%>
 
-# Backends
-
 <% if @haproxy_backends -%>
+# Backends
   <% @haproxy_backends.each do |roleName,role| -%>
-# START <%= roleName %> backend
 backend <%= roleName %>
     <% if role['entries'] -%>
       <% role['entries'].each do |entry| -%>
-<%= entry %>
+    <%= entry %>
       <% end -%>
     <% end -%>
     <% if role['balanced'] -%>
-balance leastconn
-cookie JSESSIONID prefix
+    balance leastconn
+    cookie JSESSIONID prefix
     <% end -%>
     <% if role['secure_entries'] -%>
       <% role['secure_entries'].each do |secure_entry| -%>
-<%= secure_entry %>
+    <%= secure_entry %>
       <% end -%>
     <% end -%>
-
     <% if role['ordered_az'] -%>
       <% role['ordered_az'].each do |az| -%>
         <% az['id'].each do |instanceName,instance| -%>
-# Instance <%= instanceName %>, az <%= instance['az'] %>
-server <%= instanceName %> <%= instance['ip'] %>:<%= role['port'] %> <%= instance['options'] %>
+
+    # Instance <%= instanceName %>, az <%= instance['az'] %>
+    server <%= instanceName %> <%= instance['ip'] %>:<%= role['port'] %> <%= instance['options'] %>
         <% end -%>
       <% end -%>
     <% end -%>
-# END <%= roleName %> backend
 
   <% end -%>
 <% end -%>
 
-<% if node['haproxy']['enable_ssl_header'] -%>
-# Changes to header responses
-<%= node['haproxy']['ssl_header'] %>
-<% end -%>

test/integration/community/inspec/haproxy_spec.rb

@@ -0,0 +1,10 @@
+control "alfresco-04" do
+  impact 0.5
+  title "HA Proxy Configuration Check"
+
+  describe file('/etc/haproxy/haproxy.cfg') do
+    it { should exist }
+    it { should be_file }
+    its('content') { should match 'http-response set-header Strict-Transport-Security' }
+  end
+end