
securityheaders op http redirect hosts #402

Closed
baszoetekouw opened this issue Jan 19, 2023 · 3 comments · Fixed by #504
Comments

@baszoetekouw
Member

The hosts that currently redirect to https in haproxy have no security headers. Find out whether that makes sense.

@baszoetekouw baszoetekouw self-assigned this Jan 19, 2023
@baszoetekouw baszoetekouw moved this from New to Todo in SRAM development Jan 20, 2023
@sram-project-automation sram-project-automation bot moved this from Todo to To be tested in SRAM development Feb 27, 2024
@baszoetekouw baszoetekouw added this to the v32 milestone Mar 11, 2024
@mrvanes mrvanes moved this from To be tested to Being tested in SRAM development Mar 11, 2024
@mrvanes
Contributor

mrvanes commented Mar 11, 2024

Neither the TEST nor the ACC redirect on http contains any security headers; does that settle it?

$ curl -v http://test.sram.surf.nl/
* processing: http://test.sram.surf.nl/
*   Trying 35.156.146.38:80...
* Connected to test.sram.surf.nl (35.156.146.38) port 80
> GET / HTTP/1.1
> Host: test.sram.surf.nl
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0
< Date: Mon, 11 Mar 2024 11:10:47 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://test.sram.surf.nl/
< X-Content-Type-Options: nosniff

@mrvanes mrvanes reopened this Mar 12, 2024
@github-project-automation github-project-automation bot moved this from Being tested to New in SRAM development Mar 12, 2024
@mrvanes mrvanes moved this from New to Todo in SRAM development Mar 12, 2024
@mrvanes mrvanes moved this from Todo to To be tested in SRAM development Mar 12, 2024
@mrvanes mrvanes linked a pull request Mar 12, 2024 that will close this issue
@mrvanes
Contributor

mrvanes commented Mar 12, 2024

$ curl -v http://sbs.scz-vm.net/
* processing: http://sbs.scz-vm.net/
*   Trying 172.20.1.24:80...
* Connected to sbs.scz-vm.net (172.20.1.24) port 80
> GET / HTTP/1.1
> Host: sbs.scz-vm.net
> User-Agent: curl/8.2.1
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0
< Date: Tue, 12 Mar 2024 14:29:49 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://sbs.scz-vm.net/
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< Content-Security-Policy: default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.scz-vm.net; frame-ancestors 'none'; block-all-mixed-content;
< Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
* Connection #0 to host sbs.scz-vm.net left intact

@baszoetekouw
Member Author

confirmed:

╰─▶ curl -I http://acc.sram.surf.nl/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Fri, 15 Mar 2024 10:40:59 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://acc.sram.surf.nl/
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; base-uri 'self'; frame-src 'none'; form-action 'self' https://*.acc.sram.surf.nl; frame-ancestors 'none'; block-all-mixed-content;
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=()

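The checks in this thread were done by eye on `curl` output. The script below is an added example, not part of the SRAM project or of PR #504: it parses a raw response head as `curl -v` or `curl -I` prints it, reports which of the security headers seen on acc are missing, and confirms the response is a 3xx pointing at an `https://` Location. The two sample responses are constructed from the output quoted above; the expected-header list is an assumption taken from the acc response, not a project policy.

```python
"""Audit an HTTP->HTTPS redirect response for the security headers it should carry.

Added example (not SRAM project code). Works offline on captured curl output so
it can run in CI or a post-deploy check against a saved response.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: the header set observed on the fixed acc host in this issue.
EXPECTED_HEADERS = (
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
    "Content-Security-Policy",
    "Permissions-Policy",
)


def _clean(line: str) -> Optional[str]:
    """Normalise one line of curl output; None means it is not part of the response head."""
    line = line.rstrip()
    if line.startswith(("* ", "> ")) or line in ("*", ">"):
        return None  # curl -v connection chatter and the echoed request
    if line.startswith("<"):
        line = line[1:]  # curl -v prefixes response lines with "< "
    return line.strip()


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Return (status line, headers) from a raw HTTP/1.1 response head.

    Header names are lower-cased because HTTP field names are case-insensitive.
    Parsing stops at the first blank line after the status line, so any body
    (the nginx 301 page, for instance) is ignored.
    """
    status = ""
    headers: Dict[str, str] = {}
    for raw_line in raw.splitlines():
        line = _clean(raw_line)
        if line is None:
            continue
        if line == "":
            if status:
                break  # end of the head
            continue
        if not status:
            status = line
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_redirect(raw: str) -> Dict[str, object]:
    """Summarise status code, https redirect target and missing security headers."""
    status, headers = parse_response(raw)
    parts = status.split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    location = headers.get("location", "")
    missing: List[str] = [h for h in EXPECTED_HEADERS if h.lower() not in headers]
    return {
        "status_code": code,
        "redirects_to_https": code is not None
        and 300 <= code < 400
        and location.lower().startswith("https://"),
        "missing": missing,
    }


# Constructed sample: the test host before the fix, as printed by `curl -v`.
TEST_SAMPLE = """\
*   Trying 35.156.146.38:80...
* Connected to test.sram.surf.nl (35.156.146.38) port 80
> GET / HTTP/1.1
> Host: test.sram.surf.nl
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.18.0
< Content-Type: text/html
< Content-Length: 169
< Location: https://test.sram.surf.nl/
< X-Content-Type-Options: nosniff
<
<html><body>301 Moved Permanently</body></html>
"""

# Constructed sample: the acc host after the fix, as printed by `curl -I`.
ACC_SAMPLE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Content-Type: text/html
Location: https://acc.sram.surf.nl/
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; frame-ancestors 'none';
Permissions-Policy: camera=(), microphone=()
"""

if __name__ == "__main__":
    for name, sample in (("test", TEST_SAMPLE), ("acc", ACC_SAMPLE)):
        print(name, audit_redirect(sample))
```

Run it on a saved `curl -v http://host/ 2>&1` capture; a non-empty `missing` list or `redirects_to_https: False` is the condition to alert on. Note that in nginx a plain-http `server` block that only issues the redirect gets none of the `add_header` directives set in the https block, which is why a redirect-only vhost needs its own header configuration and its own check.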
@baszoetekouw baszoetekouw moved this from To be tested to To be deployed in SRAM development Mar 15, 2024
@sram-deploy-tools-automation sram-deploy-tools-automation bot moved this from To be deployed to Done in SRAM development Apr 8, 2024