81a28142a0
Adds the following headers as static:
X-Content-Type-Options "nosniff"
X-XSS-Protection "1; mode=block"
append Content-Security-Policy "default-src 'self' https: wss:;"
nosniff prevents non-executable mime times from becoming executable.
The X-XSS-Protection header will prevent the loading of a page if the
browser detects an xss attack. The Content-Security-Policy declares
what dynamic resources are allowed to load.
Adds the following header as user-setable via the
keystone_x_frame_options variable.
X-Frame-Options "DENY"
By default the X-Frame-Options header denies embedding in an iframe.
Change-Id: Iadd3e93bdb7e9d41ae1d027196367448dbce19f1
Partial-Bug: 1717321
96 lines
2.5 KiB
YAML
96 lines
2.5 KiB
YAML
---
|
|
# Copyright 2016, Rackspace US, Inc.
|
|
# Copyright 2017, SUSE LINUX GmbH.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
keystone_distro_packages:
|
|
- ca-certificates
|
|
- cronie
|
|
- cyrus-sasl-devel
|
|
- git-core
|
|
- libffi-devel
|
|
- libxml2-devel
|
|
- libxslt-devel
|
|
- openldap2
|
|
- openldap2-devel
|
|
- openssl
|
|
- python-devel
|
|
- rsync
|
|
- which
|
|
|
|
keystone_apache_distro_packages:
|
|
- apache2
|
|
- apache2-utils
|
|
- apache2-mod_proxy_uwsgi
|
|
|
|
keystone_mod_wsgi_distro_packages:
|
|
- apache2-mod_wsgi
|
|
|
|
keystone_mod_proxy_uwsgi_distro_packages:
|
|
- apache2-mod_uwsgi
|
|
|
|
keystone_nginx_distro_packages:
|
|
- nginx
|
|
|
|
keystone_idp_distro_packages:
|
|
- xmlsec1
|
|
|
|
keystone_sp_distro_packages:
|
|
- shibboleth-sp
|
|
|
|
keystone_developer_mode_distro_packages:
|
|
- patterns-openSUSE-devel_basis
|
|
|
|
keystone_apache_default_sites:
|
|
- "/etc/apache2/conf.d/gitweb.conf"
|
|
|
|
keystone_apache_conf: "/etc/apache2/httpd.conf"
|
|
keystone_apache_default_log_folder: "/var/log/apache2"
|
|
keystone_apache_default_log_owner: "root"
|
|
keystone_apache_default_log_grp: "root"
|
|
keystone_apache_security_conf: "{{ keystone_apache_conf }}"
|
|
|
|
keystone_apache_configs:
|
|
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/conf.d/ports.conf" }
|
|
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/conf.d/keystone-httpd.conf" }
|
|
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mod_{{ keystone_httpd_mpm_backend }}.conf" }
|
|
|
|
keystone_apache_modules:
|
|
- name: "authz_host"
|
|
state: "present"
|
|
- name: "access_compat"
|
|
state: "present"
|
|
- name: "version"
|
|
state: "present"
|
|
- name: "ssl"
|
|
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
|
- name: "shib2"
|
|
state: "{{ ( keystone_sp != {} ) | ternary('present', 'absent') }}"
|
|
- name: "proxy"
|
|
state: "present"
|
|
- name: "proxy_http"
|
|
state: "present"
|
|
- name: "proxy_fcgi"
|
|
state: "present"
|
|
- name: "proxy_wstunnel"
|
|
state: "present"
|
|
- name: "proxy_uwsgi"
|
|
state: "present"
|
|
- name: "headers"
|
|
state: "present"
|
|
|
|
keystone_nginx_conf_path: 'conf.d'
|
|
|
|
keystone_system_service_name: apache2
|