James Gibson b6fe07ecf8 Add security headers to HAProxy Horizon service
Security headers are HTTP response headers that, when set, increase
the security of your application by restricting modern browsers from
running easily preventable vulnerabilities.

You can inspect your site using https://securityheaders.com/

This patch implements the following headers:
- strict-transport-security - HSTS enforces the use of HTTPS
- x-content-type-options - Stops the browser from changing the Content-Type
- referrer-policy - Control what information a browser includes
when it navigates from a page
- content-security-policy - CSP protects sites from XSS attacks by
controlling what resources a browser is able to load

Only enabled if HTTPS in use.

There is the option to extend to all haproxy services in the
future, but as the headers are only used by browsers there may be
limited benefit to doing this other than for keystone and
console services.

Each of the headers set should have no effect on the operation of
the site apart from the CSP header. As the CSP header restricts
what resources a browser is allowed to load, if for example an
OpenStack instance is using federated login, CSP will block the
redirect. To fix this, the admin will need to override the CSP,
using `haproxy_horizon_csp` to set the allowed list of resources.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-lxc_hosts/+/818532

Change-Id: Ia99da8e4687b0a1d440f86d1c8be723ce2bfe061
2021-12-01 16:56:38 +00:00
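
A check an operator could run against a captured Horizon response to confirm the four headers listed in the commit message are present and sane. This is an added example, not code from the patch or from OpenStack-Ansible; the function names and the sample responses (including the header values) are constructed for illustration and are not the values the patch sets.

```python
import re

REFERRER_POLICIES = {  # tokens defined by the W3C Referrer Policy spec
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit(raw):
    """Return a list of findings for the four headers named in the commit message."""
    h, findings = parse_headers(raw), []
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("strict-transport-security: missing or max-age is 0")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: expected 'nosniff'")
    tokens = [t.strip().lower() for t in h.get("referrer-policy", "").split(",")]
    if not any(t in REFERRER_POLICIES for t in tokens):
        findings.append("referrer-policy: missing or no recognised value")
    if not parse_csp(h.get("content-security-policy", "")):
        findings.append("content-security-policy: missing or empty")
    return findings

# Constructed sample responses (not captured from a real deployment).
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\nReferrer-Policy: same-origin\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n"
)
BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

The dictionary returned by `parse_csp` shows which sources each directive allows, which is the list to review when a federated login redirect is being blocked.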

Team and repository tags

OpenStack-Ansible

OpenStack-Ansible is an official OpenStack project which aims to deploy production environments from source in a way that makes it scalable while also being simple to operate, upgrade, and grow.

For an overview of the mission, repositories and related Wiki home page, please see the formal Home Page for the project.

For those looking to test OpenStack-Ansible using an All-In-One (AIO) build, please see the Quick Start guide.

For more detailed Installation and Operator documentation, please see the Deployment Guide.

If OpenStack-Ansible is missing something you'd like to see included, then we encourage you to see the Developer Documentation for more details on how you can get involved.

Developers wishing to work on the OpenStack-Ansible project should always base their work on the latest code, available from the master GIT repository at Source.

If you have some questions, or would like some assistance with achieving your goals, then please feel free to reach out to us on the OpenStack Mailing Lists (particularly openstack-discuss) or on IRC in #openstack-ansible on the OFTC network.

OpenStack-Ansible Roles

OpenStack-Ansible offers separate role repositories for each individual role that OpenStack-Ansible supports. For individual role configuration options, see the Role Documentation.

An individual role's source code can be found at: https://opendev.org/openstack/openstack-ansible-<ROLENAME>.

Resources

Description
Ansible playbooks for deploying OpenStack.