Majic Ansible Roles / Closed Enhancement MAR-170 Always enforce use of HTTPS for the web server and websites
This issue has been closed with status "Closed" and resolution "RESOLVED".
Issue basics
  • Type of issue
    Enhancement
  • Category
    Security
  • Targeted for
    5.0.0
  • Status
    Closed
  • Priority
    Not determined
User pain
  • Type of bug
    Not triaged
  • Likelihood
    Not triaged
  • Effect
    Not triaged
Times and dates
  • Estimated time
    2 hours
  • Time spent
    1 hour
Issue details
  • Resolution
    RESOLVED
Description

Majic Ansible Roles enforces use of TLS for all services where possible.

In the case of web server-related roles (web_server, php_website, wsgi_website), this is normally achieved by using the Strict-Transport-Security header, as well as redirection from HTTP to HTTPS. This way, if the user at least once manages to hit one of the legitimate web servers set up using these roles, the browser will get directed to HTTPS, and will remember to always use HTTPS for the website.

However, a parameter is provided for all three roles that makes it possible to disable enforcement of HTTPS. So far this parameter has seen no use in Majic Infrastructure, and is also undesirable from the perspective of improving security. Therefore the use of HTTPS should be mandated, and parameters that allow for disabling such behaviour should be dropped. This should also help reduce complexity a bit (in terms of available options).

The following should be done:

  • Update the web_server role.
    • Drop the default_enforce_https parameter.
    • Always redirect clients from HTTP to HTTPS.
    • Always send out the Strict-Transport-Security header to connecting clients.
  • Update the php_website role.
    • Drop the enforce_https parameter.
    • Always redirect clients from HTTP to HTTPS.
    • Always send out the Strict-Transport-Security header to connecting clients.
  • Update the wsgi_website role.
    • Drop the enforce_https parameter.
    • Always redirect clients from HTTP to HTTPS.
    • Always send out the Strict-Transport-Security header to connecting clients.
  • Update tests.
  • Update test site configuration.
  • Update usage instructions.
  • Update role reference documentation.
  • Update release notes.
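
One way to check the two behaviours mandated above (HTTP to HTTPS redirect, and the Strict-Transport-Security header on HTTPS responses) against captured responses. This is an added example, not code from Majic Ansible Roles; the function names, the sample responses and the site.example host are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def check_https_enforcement(http_resp, https_resp):
    """Return a list of problems; an empty list means HTTPS is enforced.

    Each response is (status_code, headers_dict) as captured from the site.
    """
    problems = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location", "")
    if status not in REDIRECT_CODES:
        problems.append(f"HTTP request answered with {status}, not a redirect")
    elif urlsplit(location).scheme != "https":
        problems.append(f"HTTP redirect does not target HTTPS: {location!r}")

    status, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append("HTTPS response lacks Strict-Transport-Security")
    else:
        # max-age=0 tells the browser to forget the policy, so treat it as a failure.
        max_age = parse_hsts(hsts).get("max-age") or ""
        if not max_age.isdigit() or int(max_age) == 0:
            problems.append(f"HSTS max-age missing or zero: {hsts!r}")
    return problems

# Constructed sample responses (not captured from any real server).
GOOD_HTTP = (301, {"Location": "https://site.example/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
BAD_HTTP = (200, {"Content-Type": "text/html"})
BAD_HTTPS = (200, {"Strict-Transport-Security": "max-age=0"})

if __name__ == "__main__":
    print(check_https_enforcement(GOOD_HTTP, GOOD_HTTPS))
    print(check_https_enforcement(BAD_HTTP, BAD_HTTPS))
```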