James Gibson 8ad37b254d Add documentation of security improvements made to Openstack Ansible
In the past couple of weeks a number of security patches have
been made to openstack-ansible, this patch documents these
changes. Hopefully the level of the documentation gives the users
enough background on what the changes are and how to use them,
without going into the detailed specifics of each feature.

Regarding the upgrade to TLS for haproxy internal VIP and backends
in existing deployments, I have some ideas on how this could be
done without causing downtime but have not had a chance to test
this yet. The idea is to use a TCP frontend that accepts both
HTTP and HTTPS traffic and redirects to the correct frontend for each.

Change-Id: Idc7b1c8908b150eaaf12980612083d31d3a5b669
2021-12-08 10:24:43 +00:00


Security.txt

security.txt is a proposed IETF standard to allow independent security researchers to easily report vulnerabilities. The standard defines that a text file called security.txt should be found at "/.well-known/security.txt". For legacy compatibility reasons the file might also be placed at "/security.txt".

In OpenStack-Ansible, security.txt is implemented in haproxy as all public endpoints reside behind it and the text file is hosted by keystone. It defaults to directing any request paths that end with /security.txt to the text file using an ACL rule in haproxy.

Enabling security.txt

Use the following process to add a security.txt file to your deployment using OpenStack-Ansible:

  1. Write the contents of the security.txt file in accordance with the standard.
  2. Define the contents of security.txt in the variable keystone_security_txt_content in the /etc/openstack_deploy/user_variables.yml file:

       keystone_security_txt_content: |
         # This is my example security.txt file
         # Please see https://securitytxt.org/ for details of the specification of this file

  3. Update keystone:

       # openstack-ansible os-keystone-install.yml

  4. Update haproxy:

       # openstack-ansible haproxy-install.yml

Advanced security.txt ACL

In some cases you may need to change the haproxy ACL used to redirect requests to the security.txt file, such as adding extra domains.

The haproxy ACL is updated by overriding the variable haproxy_security_txt_acl in the /etc/openstack_deploy/user_variables.yml file.
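A worked /etc/openstack_deploy/user_variables.yml covering both the basic procedure above and the ACL override, as an added example that is not part of the OpenStack-Ansible documentation. The domains, contact addresses and key URL are placeholders, and the form assumed for haproxy_security_txt_acl (raw haproxy ACL lines that the role inserts into its frontend) is an assumption, not taken from the role's defaults.

```yaml
# /etc/openstack_deploy/user_variables.yml  (added example, placeholder values)
#
# Contents served by keystone at /.well-known/security.txt. The
# securitytxt.org specification requires "Contact" and "Expires"; the
# remaining fields are optional but make the file far more useful to a
# researcher who finds it.
keystone_security_txt_content: |
  # security.txt for cloud.example.com (placeholder domain)
  Contact: mailto:security@example.com
  Contact: https://example.com/security/report
  # Keep this well in the future and rotate it before it lapses; an
  # expired file is treated as stale by researchers and scanners.
  Expires: 2023-01-01T00:00:00Z
  # PGP key used to encrypt reports (placeholder URL).
  Encryption: https://example.com/security/pgp-key.txt
  Preferred-Languages: en
  # Canonical must name the URL this file is actually served from.
  Canonical: https://cloud.example.com/.well-known/security.txt
  Policy: https://example.com/security/disclosure-policy

# Optional: widen the haproxy ACL so that security.txt is also served for
# an extra public domain (the advanced case described above).  ASSUMED
# FORMAT: the variable is taken to hold raw haproxy ACL lines; check the
# haproxy_server role defaults for the exact expected value before use.
haproxy_security_txt_acl: |
  acl security_txt path_end /security.txt
  acl security_txt_hosts hdr(host) -i cloud.example.com api.example.com
```

After changing either variable, re-run os-keystone-install.yml and then haproxy-install.yml, and confirm the result with a plain GET of https://cloud.example.com/.well-known/security.txt and of /security.txt from outside the deployment.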