majic-ansible-roles Changeset

Changeset - 5b102c4afcb3

Parent rev.

Child rev.

[Not reviewed]

0 10 0

Branko Majic (branko) - 3 years ago 2020-11-16 22:15:35
branko@majic.rs

MAR-170: Always enforce use of HTTPS in the php_server role:

- Dropped the enforce_https parameter.
- Updated tests.
- Updated release notes.
- Update role reference documentation.
- Update usage instructions.

10 files changed with 35 insertions and 55 deletions:

docs/releasenotes.rst

docs/rolereference.rst

docs/usage.rst

roles/php_website/defaults/main.yml

roles/php_website/molecule/default/playbook.yml

roles/php_website/molecule/default/tests/test_default.py

roles/php_website/molecule/default/tests/test_parameters_mandatory.py

roles/php_website/molecule/default/tests/test_parameters_optional.py

roles/php_website/templates/nginx_site.j2

testsite/playbooks/roles/phpinfo/meta/main.yml

0 comments (0 inline, 0 general)

docs/releasenotes.rst

➞

Show inline comments

@@ @@ -60,6 +60,11 @@ Breaking changes: @@
     dropped. This could introduce incompatibility with older clients
     trying to connect to the IMAP/SMTP server.
 * ``php_website`` role
   * Parameter ``enforce_https`` has been deprecated and
     removed. HTTPS is now mandatory in all cases.
 * ``preseed`` role
   * Parameter ``ansible_key`` is now mandatory.

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1474,6 +1474,12 @@ The role implements the following: @@
 The role is implemented with the following layout/logic in mind:
 * Clients are served with ``Strict-Transport-Security`` header with
   value of ``max-age=31536000; includeSubDomains``. This forces
   compliant clients to always connect using HTTPS to the web server
   when accessing its domain, as well as any subdomains served
   by this web server or any other. The (client-side) cached header
   value expires after one year.
 * Website users are named after the ``FQDN`` (fully qualified domain name) of
   website, in format of ``web-ESCAPEDFQDN``, where ``ESCAPEDFQDN`` is equal to
   ``FQDN`` where dots have been replaced by underscores (for example,
@@ @@ -1541,12 +1547,6 @@ Parameters @@
   compatible with regular expressions used by ``nginx`` for ``location ~``
   syntax.
 **enforce_https** (boolean, optional, ``True``)
   Specify if HTTPS should be enforced for the website or not. If enforced,
   clients connecting via plaintext will be redirected to HTTPS, and clients will
   be served with ``Strict-Transport-Security`` header with value of
   ``max-age=31536000; includeSubDomains``.
 **environment_indicator** (dictionary, optional, ``null``)
   Specify configuration for including environment indicator on all HTML
   pages. Indicator is a simple strip at bottom of a page with custom background

docs/usage.rst

➞

Show inline comments

@@ @@ -1237,8 +1237,7 @@ included, and also play nice with the web server role. @@
 As mentioned before, all roles will enforce TLS by default. The web server roles
 will additionaly implement HSTS policy by sending connecting clients
 ``Strict-Transport-Security`` header with value set to ``max-age=31536000;
 includeSubDomains`` (if you disable enforcement of TLS, the header will not be
 sent).
 includeSubDomains``.
 With all the above noted, let us finally move on to the next step.

roles/php_website/defaults/main.yml

➞

Show inline comments

@@ @@ -2,7 +2,6 @@ @@
 additional_nginx_config: {}
 deny_files_regex: []
 enforce_https: true
 index: index.php
 packages: []
 php_file_regex: \.php$

roles/php_website/molecule/default/playbook.yml

➞

Show inline comments

@@ @@ -27,7 +27,6 @@ @@
       admin_uid: 5000
       deny_files_regex:
         - '^/secretfile.txt'
       enforce_https: false
       environment_indicator:
         background_colour: "#ff0000"
         text_colour: "#00ff00"

roles/php_website/molecule/default/tests/test_default.py

➞

Show inline comments

 import os
 import pytest
 import testinfra.utils.ansible_runner
 testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
     os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
 @pytest.mark.parametrize('fqdn', [
     'parameters-mandatory',
     'parameters-optional.local',
 ])
 def test_https_enforcement(host, fqdn):
     """
     Tests if HTTPS is being enforced.
     """
     https_enforcement = host.run('curl -I http://%s/', fqdn)
     assert https_enforcement.rc == 0
     assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
     assert 'Location: https://%s/' % fqdn in https_enforcement.stdout
     https_enforcement = host.run('curl -I https://%s/', fqdn)
     assert https_enforcement.rc == 0
     assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout

roles/php_website/molecule/default/tests/test_parameters_mandatory.py

➞

Show inline comments

@@ @@ -208,23 +208,6 @@ def test_website_enabled(host): @@
     assert config.linked_to == '/etc/nginx/sites-available/parameters-mandatory'
 def test_https_enforcement(host):
     """
     Tests if HTTPS is being enforced.
     """
     https_enforcement = host.run('curl -I http://parameters-mandatory/')
     assert https_enforcement.rc == 0
     assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
     assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout
     https_enforcement = host.run('curl -I https://parameters-mandatory/')
     assert https_enforcement.rc == 0
     assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout
 def test_index_page(host):
     """
     Tests if index page is served correctly.

roles/php_website/molecule/default/tests/test_parameters_optional.py

➞

Show inline comments

@@ @@ -202,24 +202,6 @@ def test_website_enabled(host): @@
     assert config.linked_to == '/etc/nginx/sites-available/parameters-optional.local'
 def test_https_enforcement(host):
     """
     Tests if HTTPS is (not) being enforced.
     """
     https_enforcement = host.run('curl -I http://parameters-optional.local/')
     assert https_enforcement.rc == 0
     assert 'HTTP/1.1 200 OK' in https_enforcement.stdout
     assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout
     assert 'Location: https://parameters-optional/' not in https_enforcement.stdout
     https_enforcement = host.run('curl -I https://parameters-optional.local/')
     assert https_enforcement.rc == 0
     assert 'Strict-Transport-Security' not in https_enforcement.stdout
 def test_index_page(host):
     """
     Tests if index page is served correctly (should be php file served statically).

roles/php_website/templates/nginx_site.j2

➞

Show inline comments

 {% if enforce_https -%}
 server {
     # HTTP (plaintext) configuration.
     listen 80;
@@ @@ -8,29 +7,21 @@ server { @@
     return 301 https://$host$request_uri;
+}
 {% endif -%}
 server {
     # Base settings.
     root {{ home }}/htdocs/;
     index {{ index }};
     server_name {{ fqdn }};
 {% if not enforce_https %}
     # HTTP (plaintext) configuration.
     listen 80;
 {% endif %}
     # HTTPS (TLS) configuration.
     listen 443 ssl;
     listen [::]:443 ssl;
     ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
     ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
 {% if enforce_https -%}
     # Set-up HSTS header for preventing downgrades for users that visited the
     # site via HTTPS at least once.
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 {% endif -%}
     {% for config in additional_nginx_config -%}
     # {{ config.comment }}

testsite/playbooks/roles/phpinfo/meta/main.yml

➞

Show inline comments

@@ @@ -7,7 +7,6 @@ dependencies: @@
       - ^(.*) /index.php
     admin_uid: 3000
     uid: 2000
     enforce_https: false
     https_tls_key: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.key') }}"
     https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.pem') }}"
     additional_fpm_config:

0 comments (0 inline, 0 general)