cloudflare: improve cloudflare security (#347)

thekcsam · web-flow · commit 28f18f8bc395 · 2024-07-11T19:58:51.000+08:00
diff --git a/aws/multi-stack/app/cloudflare.tf b/aws/multi-stack/app/cloudflare.tf
@@ -14,5 +14,6 @@ module "cloudflare" {
   # optional
   bastion_enabled    = false
   tls_settings       = var.tls_settings
+  hsts_settings      = var.hsts_settings
   bastion_public_dns = module.ecs.nlb_dns_name
 }
diff --git a/aws/multi-stack/app/variables.tf b/aws/multi-stack/app/variables.tf
@@ -43,7 +43,7 @@ variable "project_settings" {
       worker_script_name = string
     })), {})
     host_header       = optional(list(string), null)
-    health_check_path = optional(string, null)
+    health_check_path = optional(string, "/livez")
     health_check_options = optional(
       object({
         healthy_threshold   = optional(number, 2)  # The number of consecutive health checks successes required before considering an unhealthy target healthy.
@@ -59,12 +59,39 @@ variable "project_settings" {
 
 variable "tls_settings" {
   type = object({
-    tls_1_3                  = optional(string, "on")     # "on/off"
+    min_tls_version          = optional(string, "1.2")    # 1.0, 1.1, 1.2, 1.3
+    tls_1_3                  = optional(string, "off")    # "on/off"
     automatic_https_rewrites = optional(string, "on")     # "on/off"
     ssl                      = optional(string, "strict") # "strict"
     always_use_https         = optional(string, "on")     # "on/off"
   })
-  default = null
+  default = {
+    min_tls_version          = "1.2"
+    tls_1_3                  = "off"
+    automatic_https_rewrites = "on"
+    ssl                      = "strict"
+    always_use_https         = "on"
+  }
+}
+
+# HSTS protects HTTPS web servers from downgrade attacks.
+# These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
+# https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/
+variable "hsts_settings" {
+  type = object({
+    enabled            = optional(bool, null)
+    preload            = optional(bool, null)
+    max_age            = optional(number, null)
+    include_subdomains = optional(bool, null)
+    nosniff            = optional(bool, null)
+  })
+  default = {
+    enabled            = true
+    preload            = true
+    max_age            = 31536000 # Set it to least value for validating functionality.
+    include_subdomains = true
+    nosniff            = true
+  }
 }
 
 variable "kms_deletion_window_in_days" {
diff --git a/aws/stack/app/cloudflare.tf b/aws/stack/app/cloudflare.tf
@@ -14,5 +14,6 @@ module "cloudflare" {
   # optional
   bastion_enabled    = true
   tls_settings       = var.tls_settings
+  hsts_settings      = var.hsts_settings
   bastion_public_dns = module.ecs.nlb_dns_name
 }
diff --git a/aws/stack/app/variables.tf b/aws/stack/app/variables.tf
@@ -50,12 +50,39 @@ variable "s3_cloudflare_records" {
 
 variable "tls_settings" {
   type = object({
-    tls_1_3                  = string # "on/off"
-    automatic_https_rewrites = string # "on/off"
-    ssl                      = string # "strict"
-    always_use_https         = string # "on/off"
+    min_tls_version          = optional(string, "1.2")    # 1.0, 1.1, 1.2, 1.3
+    tls_1_3                  = optional(string, "off")    # "on/off"
+    automatic_https_rewrites = optional(string, "on")     # "on/off"
+    ssl                      = optional(string, "strict") # "strict"
+    always_use_https         = optional(string, "on")     # "on/off"
   })
-  default = null
+  default = {
+    min_tls_version          = "1.2"
+    tls_1_3                  = "off"
+    automatic_https_rewrites = "on"
+    ssl                      = "strict"
+    always_use_https         = "on"
+  }
+}
+
+# HSTS protects HTTPS web servers from downgrade attacks.
+# These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
+# https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/
+variable "hsts_settings" {
+  type = object({
+    enabled            = optional(bool, null)
+    preload            = optional(bool, null)
+    max_age            = optional(number, null)
+    include_subdomains = optional(bool, null)
+    nosniff            = optional(bool, null)
+  })
+  default = {
+    enabled            = true
+    preload            = true
+    max_age            = 31536000 # Set it to least value for validating functionality.
+    include_subdomains = true
+    nosniff            = true
+  }
 }
 # =============== Cloudflare ================ #
 
diff --git a/cloudflare/tls.tf b/cloudflare/tls.tf
@@ -9,8 +9,17 @@ resource "cloudflare_zone_settings_override" "tls" {
 
   settings {
     tls_1_3                  = var.tls_settings.tls_1_3
+    min_tls_version          = var.tls_settings.min_tls_version
     automatic_https_rewrites = var.tls_settings.automatic_https_rewrites
     ssl                      = var.tls_settings.ssl
     always_use_https         = var.tls_settings.always_use_https
+
+    security_header {
+      enabled            = var.hsts_settings.enabled
+      include_subdomains = var.hsts_settings.include_subdomains
+      max_age            = var.hsts_settings.max_age
+      nosniff            = var.hsts_settings.nosniff
+      preload            = var.hsts_settings.preload
+    }
   }
 }
diff --git a/cloudflare/variables.tf b/cloudflare/variables.tf
@@ -14,10 +14,25 @@ variable "bastion_enabled" {
 
 variable "tls_settings" {
   type = object({
-    tls_1_3                  = string # "on/off"
-    automatic_https_rewrites = string # "on/off"
-    ssl                      = string # "strict"
-    always_use_https         = string # "on/off"
+    min_tls_version          = optional(string, "1.2") # 1.0, 1.1, 1.2, 1.3
+    tls_1_3                  = string                  # "on/off"
+    automatic_https_rewrites = string                  # "on/off"
+    ssl                      = string                  # "strict"
+    always_use_https         = string                  # "on/off"
+  })
+  default = null
+}
+
+# HSTS protects HTTPS web servers from downgrade attacks.
+# These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
+# https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/
+variable "hsts_settings" {
+  type = object({
+    enabled            = optional(bool, true)
+    preload            = optional(bool, true)       # Initially disable until you are sure about your configuration
+    max_age            = optional(number, 31536000) # Set it to least value for validating functionality.
+    include_subdomains = optional(bool, true)
+    nosniff            = optional(bool, true)
   })
   default = null
 }

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,6 @@ module "cloudflare" {`
`14`	`14`	`# optional`
`15`	`15`	`bastion_enabled = false`
`16`	`16`	`tls_settings = var.tls_settings`
	`17`	`+ hsts_settings = var.hsts_settings`
`17`	`18`	`bastion_public_dns = module.ecs.nlb_dns_name`
`18`	`19`	`}`