[Horizon] Hide OS and Apache version in error messages

This PS allows to customize (and disable) information about OS and Apache version displayed on pages with error messages. Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
2019-01-15 15:42:05 -08:00 · 2019-01-15 15:42:05 -08:00 · 1173ef79a1
commit 1173ef79a1
parent 5b86825680
3 changed files with 75 additions and 0 deletions
--- a/horizon/templates/configmap-etc.yaml
+++ b/horizon/templates/configmap-etc.yaml
@ -25,6 +25,9 @@ type: Opaque
 data:
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.apache "key" "horizon.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.local_settings.template "key" "local_settings" "format" "Secret" ) | indent 2 }}
+{{- if .Values.conf.horizon.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
 {{- range $key, $value := .Values.conf.horizon.policy }}
  {{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
 {{- end }}
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@ -102,6 +102,12 @@ spec:
              mountPath: /etc/apache2/sites-enabled/000-default.conf
              subPath: horizon.conf
              readOnly: true
+            {{- if .Values.conf.horizon.security }}
+            - name: horizon-etc
+              mountPath: /etc/apache2/conf-available/security.conf
+              subPath: security.conf
+              readOnly: true
+            {{- end }}
            - name: horizon-bin
              mountPath: /var/www/cgi-bin/horizon/django.wsgi
              subPath: django.wsgi
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -97,6 +97,72 @@ conf:
          CustomLog /dev/stdout combined env=!forwarded
          CustomLog /dev/stdout proxy env=forwarded
      </Virtualhost>
+    security: |
+      #
+      # Disable access to the entire file system except for the directories that
+      # are explicitly allowed later.
+      #
+      # This currently breaks the configurations that come with some web application
+      # Debian packages.
+      #
+      #<Directory />
+      #   AllowOverride None
+      #   Require all denied
+      #</Directory>
+
+      # Changing the following options will not really affect the security of the
+      # server, but might make attacks slightly more difficult in some cases.
+
+      #
+      # ServerTokens
+      # This directive configures what you return as the Server HTTP response
+      # Header. The default is 'Full' which sends information about the OS-Type
+      # and compiled in modules.
+      # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+      # where Full conveys the most information, and Prod the least.
+      ServerTokens Prod
+
+      #
+      # Optionally add a line containing the server version and virtual host
+      # name to server-generated pages (internal error documents, FTP directory
+      # listings, mod_status and mod_info output etc., but not CGI generated
+      # documents or custom error documents).
+      # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+      # Set to one of:  On | Off | EMail
+      ServerSignature Off
+
+      #
+      # Allow TRACE method
+      #
+      # Set to "extended" to also reflect the request body (only for testing and
+      # diagnostic purposes).
+      #
+      # Set to one of:  On | Off | extended
+      TraceEnable Off
+
+      #
+      # Forbid access to version control directories
+      #
+      # If you use version control systems in your document root, you should
+      # probably deny access to their directories. For example, for subversion:
+      #
+      #<DirectoryMatch "/\.svn">
+      #   Require all denied
+      #</DirectoryMatch>
+
+      #
+      # Setting this header will prevent MSIE from interpreting files as something
+      # else than declared by the content type in the HTTP headers.
+      # Requires mod_headers to be enabled.
+      #
+      #Header set X-Content-Type-Options: "nosniff"
+
+      #
+      # Setting this header will prevent other sites from embedding pages from this
+      # site as frames. This defends against clickjacking attacks.
+      # Requires mod_headers to be enabled.
+      #
+      #Header set X-Frame-Options: "sameorigin"
    local_settings:
      config:
        # Use "True" and "False" as Titlecase strings with quotes, boolean