Changeset - 5b102c4afcb3
[Not reviewed]
0 10 0
Branko Majic (branko) - 4 years ago 2020-11-16 22:15:35
branko@majic.rs
MAR-170: Always enforce use of HTTPS in the php_server role:

- Dropped the enforce_https parameter.
- Updated tests.
- Updated release notes.
- Update role reference documentation.
- Update usage instructions.
10 files changed with 35 insertions and 55 deletions:
0 comments (0 inline, 0 general)
docs/releasenotes.rst
Show inline comments
 
@@ -60,6 +60,11 @@ Breaking changes:
 
    dropped. This could introduce incompatibility with older clients
 
    trying to connect to the IMAP/SMTP server.
 

	
 
* ``php_website`` role
 

	
 
  * Parameter ``enforce_https`` has been deprecated and
 
    removed. HTTPS is now mandatory in all cases.
 

	
 
* ``preseed`` role
 

	
 
  * Parameter ``ansible_key`` is now mandatory.
docs/rolereference.rst
Show inline comments
 
@@ -1474,6 +1474,12 @@ The role implements the following:
 

	
 
The role is implemented with the following layout/logic in mind:
 

	
 
* Clients are served with ``Strict-Transport-Security`` header with
 
  value of ``max-age=31536000; includeSubDomains``. This forces
 
  compliant clients to always connect using HTTPS to the web server
 
  when accessing its domain, as well as any subdomains served
 
  by this web server or any other. The (client-side) cached header
 
  value expires after one year.
 
* Website users are named after the ``FQDN`` (fully qualified domain name) of
 
  website, in format of ``web-ESCAPEDFQDN``, where ``ESCAPEDFQDN`` is equal to
 
  ``FQDN`` where dots have been replaced by underscores (for example,
 
@@ -1541,12 +1547,6 @@ Parameters
 
  compatible with regular expressions used by ``nginx`` for ``location ~``
 
  syntax.
 

	
 
**enforce_https** (boolean, optional, ``True``)
 
  Specify if HTTPS should be enforced for the website or not. If enforced,
 
  clients connecting via plaintext will be redirected to HTTPS, and clients will
 
  be served with ``Strict-Transport-Security`` header with value of
 
  ``max-age=31536000; includeSubDomains``.
 

	
 
**environment_indicator** (dictionary, optional, ``null``)
 
  Specify configuration for including environment indicator on all HTML
 
  pages. Indicator is a simple strip at bottom of a page with custom background
docs/usage.rst
Show inline comments
 
@@ -1237,8 +1237,7 @@ included, and also play nice with the web server role.
 
As mentioned before, all roles will enforce TLS by default. The web server roles
 
will additionaly implement HSTS policy by sending connecting clients
 
``Strict-Transport-Security`` header with value set to ``max-age=31536000;
 
includeSubDomains`` (if you disable enforcement of TLS, the header will not be
 
sent).
 
includeSubDomains``.
 

	
 
With all the above noted, let us finally move on to the next step.
 

	
roles/php_website/defaults/main.yml
Show inline comments
 
@@ -2,7 +2,6 @@
 

	
 
additional_nginx_config: {}
 
deny_files_regex: []
 
enforce_https: true
 
index: index.php
 
packages: []
 
php_file_regex: \.php$
roles/php_website/molecule/default/playbook.yml
Show inline comments
 
@@ -27,7 +27,6 @@
 
      admin_uid: 5000
 
      deny_files_regex:
 
        - '^/secretfile.txt'
 
      enforce_https: false
 
      environment_indicator:
 
        background_colour: "#ff0000"
 
        text_colour: "#00ff00"
roles/php_website/molecule/default/tests/test_default.py
Show inline comments
 
import os
 

	
 
import pytest
 

	
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
 

	
 

	
 
@pytest.mark.parametrize('fqdn', [
 
    'parameters-mandatory',
 
    'parameters-optional.local',
 
])
 
def test_https_enforcement(host, fqdn):
 
    """
 
    Tests if HTTPS is being enforced.
 
    """
 

	
 
    https_enforcement = host.run('curl -I http://%s/', fqdn)
 

	
 
    assert https_enforcement.rc == 0
 
    assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
 
    assert 'Location: https://%s/' % fqdn in https_enforcement.stdout
 

	
 
    https_enforcement = host.run('curl -I https://%s/', fqdn)
 

	
 
    assert https_enforcement.rc == 0
 
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout
roles/php_website/molecule/default/tests/test_parameters_mandatory.py
Show inline comments
 
@@ -208,23 +208,6 @@ def test_website_enabled(host):
 
    assert config.linked_to == '/etc/nginx/sites-available/parameters-mandatory'
 

	
 

	
 
def test_https_enforcement(host):
 
    """
 
    Tests if HTTPS is being enforced.
 
    """
 

	
 
    https_enforcement = host.run('curl -I http://parameters-mandatory/')
 

	
 
    assert https_enforcement.rc == 0
 
    assert 'HTTP/1.1 301 Moved Permanently' in https_enforcement.stdout
 
    assert 'Location: https://parameters-mandatory/' in https_enforcement.stdout
 

	
 
    https_enforcement = host.run('curl -I https://parameters-mandatory/')
 

	
 
    assert https_enforcement.rc == 0
 
    assert 'Strict-Transport-Security: max-age=31536000; includeSubDomains' in https_enforcement.stdout
 

	
 

	
 
def test_index_page(host):
 
    """
 
    Tests if index page is served correctly.
roles/php_website/molecule/default/tests/test_parameters_optional.py
Show inline comments
 
@@ -202,24 +202,6 @@ def test_website_enabled(host):
 
    assert config.linked_to == '/etc/nginx/sites-available/parameters-optional.local'
 

	
 

	
 
def test_https_enforcement(host):
 
    """
 
    Tests if HTTPS is (not) being enforced.
 
    """
 

	
 
    https_enforcement = host.run('curl -I http://parameters-optional.local/')
 

	
 
    assert https_enforcement.rc == 0
 
    assert 'HTTP/1.1 200 OK' in https_enforcement.stdout
 
    assert 'HTTP/1.1 301 Moved Permanently' not in https_enforcement.stdout
 
    assert 'Location: https://parameters-optional/' not in https_enforcement.stdout
 

	
 
    https_enforcement = host.run('curl -I https://parameters-optional.local/')
 

	
 
    assert https_enforcement.rc == 0
 
    assert 'Strict-Transport-Security' not in https_enforcement.stdout
 

	
 

	
 
def test_index_page(host):
 
    """
 
    Tests if index page is served correctly (should be php file served statically).
roles/php_website/templates/nginx_site.j2
Show inline comments
 
{% if enforce_https -%}
 
server {
 
    # HTTP (plaintext) configuration.
 
    listen 80;
 
@@ -8,29 +7,21 @@ server {
 
    return 301 https://$host$request_uri;
 
}
 

	
 
{% endif -%}
 
server {
 
    # Base settings.
 
    root {{ home }}/htdocs/;
 
    index {{ index }};
 
    server_name {{ fqdn }};
 
{% if not enforce_https %}
 

	
 
    # HTTP (plaintext) configuration.
 
    listen 80;
 

	
 
{% endif %}
 
    # HTTPS (TLS) configuration.
 
    listen 443 ssl;
 
    listen [::]:443 ssl;
 
    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;
 
    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;
 

	
 
{% if enforce_https -%}
 
    # Set-up HSTS header for preventing downgrades for users that visited the
 
    # site via HTTPS at least once.
 
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
{% endif -%}
 

	
 
    {% for config in additional_nginx_config -%}
 
    # {{ config.comment }}
testsite/playbooks/roles/phpinfo/meta/main.yml
Show inline comments
 
@@ -7,7 +7,6 @@ dependencies:
 
      - ^(.*) /index.php
 
    admin_uid: 3000
 
    uid: 2000
 
    enforce_https: false
 
    https_tls_key: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.key') }}"
 
    https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.pem') }}"
 
    additional_fpm_config:
0 comments (0 inline, 0 general)