Majic Projects ~ [CLOSED] MAR-170 - Always enforce use of HTTPS for the web server and websites

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

You are not logged in

Majic Ansible Roles / Closed Enhancement MAR-170 Always enforce use of HTTPS for the web server and websites

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Enhancement Unknown issue type
Issue label

No label set
Category

Security Not determined
Targetted for

5.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 29, 2024 - 18:46

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Sep 29, 2024 - 18:46

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Oct 04, 2020
Last updated

Nov 16, 2020
Estimated time

2 hours Not estimated
Time spent

1 hour No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

Majic Ansible Roles enforces use of TLS for all services where possible.

In case of web server-related roles (web_server, php_website, wsgi_website), this is normally achieved by using the Strict-Transport-Security header, as well as redirection from HTTP to HTTPS. This way if the user at least once manages to hit one of the legitimate web servers set-up using these roles, the browser will get directed to HTTPS, and will remember to always use HTTPS for the website.

However, a parameter is provided for all three roles that makes it possible to disable enforcement of HTTPS. So far this parameter has seen no use in Majic Infrastructure, and is also undesirable from perspective of improving the security. Therefore the use of HTTPS should be mandated, and parameters that allow for disabling such behaviour should be dropped. This should also help reduce complexity a bit (in terms of available options).

The following should be done:

Update the web_server role.
- Drop the default_enforce_https parameter.
- Always redirect clients from HTTP to HTTPS.
- Always send out the Strict-Transport-Security header to connecting clients.
Update the php_website role.
- Drop the enforce_https parameter.
- Always redirect clients from HTTP to HTTPS.
- Always send out the Strict-Transport-Security header to connecting clients.
Update the wsgi_website role.
- Drop the enforce_https parameter.
- Always redirect clients from HTTP to HTTPS.
- Always send out the Strict-Transport-Security header to connecting clients.
Update tests.
Update test site configuration.
Update usage instructions.
Update role reference documentation.
Update release notes.

Todos (0 / 0)

Options

There are no comments

Welcome to The Bug Genie

Log in with your username and password